
Top GDPR Mistakes WordPress Site Owners Make (and How to Fix Them)

GDPR has been enforceable since May 2018, yet enforcement actions and regulatory investigations consistently reveal the same compliance failures on website after website. WordPress powers more than 40% of all websites globally, which means a very large proportion of the non-compliant sites that supervisory authorities encounter are running on WordPress. Many of these sites are not deliberately evading the rules – they simply do not know what they are getting wrong.

This article identifies the most common GDPR mistakes made by WordPress site owners and explains exactly how to fix each one. If you work through this list, you will have addressed the majority of issues that typically come up in regulatory investigations and user complaints.

Mistake 1: Loading Non-Necessary Cookies Before Consent

This is the single most widespread GDPR violation on WordPress sites, and it is also the most straightforward to understand. Under GDPR and the ePrivacy Directive, you cannot set non-necessary cookies until the user has actively consented to them. Yet the default behaviour of most WordPress analytics and marketing plugins is to load immediately on page load – before the user has had a chance to see any consent banner, let alone accept it.

The fix: Install a Consent Management Platform (CMP) plugin that supports prior blocking – meaning it intercepts the scripts of non-necessary services and prevents them from executing until consent is granted. After installation, test your site by opening it in a browser with cookies cleared and developer tools open. Check the Network and Application tabs: no analytics or advertising cookies should appear before you click “Accept”.
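The manual devtools check above can be scripted. The following is an added example, not code from the article or from any CMP plugin: paste it into the browser console on a fresh profile before clicking the banner, and it lists every cookie already set and flags those not on a strictly-necessary allowlist. The allowlist patterns, the `cmp_consent` cookie name and the tracker labels are assumptions for this example.

```javascript
// Added example for "Mistake 1": audit cookies present BEFORE consent is given.
// Run in the devtools console of a browser profile with cookies cleared.

// Cookies a plain WordPress site may legitimately set without consent.
// These patterns are assumptions for this example; adjust them to your site.
const STRICTLY_NECESSARY = [
  "wordpress_test_cookie", // WordPress probe that checks cookies are enabled
  "wp-settings-*",         // WordPress admin UI preferences (logged-in users)
  "wp-settings-time-*",
  "cmp_consent",           // hypothetical name of your CMP's own consent record
];

// Well-known tracking cookie prefixes, used only to label a finding.
const KNOWN_TRACKERS = { "_ga": "Google Analytics", "_gid": "Google Analytics", "_fbp": "Meta Pixel" };

// document.cookie looks like "a=1; b=2"; only the names are needed here.
function parseCookieNames(cookieString) {
  return cookieString.split(";").map(s => s.trim()).filter(Boolean)
    .map(pair => { const i = pair.indexOf("="); return i < 0 ? pair : pair.slice(0, i); });
}

// Allowlist entries may end in "*" to match a prefix (e.g. wp-settings-<user id>).
function matchesPattern(name, pattern) {
  return pattern.endsWith("*") ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

// Returns the cookies that should not exist before the user clicks "Accept".
function auditPreConsentCookies(cookieString, allowlist = STRICTLY_NECESSARY) {
  const names = parseCookieNames(cookieString);
  const violations = [];
  for (const name of names) {
    if (allowlist.some(p => matchesPattern(name, p))) continue;
    const prefix = Object.keys(KNOWN_TRACKERS).find(p => name.startsWith(p));
    violations.push({ name, vendor: prefix ? KNOWN_TRACKERS[prefix] : "unknown" });
  }
  return { total: names.length, violations };
}

// Constructed sample of document.cookie on a site that loads analytics too early.
const SAMPLE_COOKIES =
  "wordpress_test_cookie=WP%20Cookie%20check; _ga=GA1.2.123.456; _gid=GA1.2.789; wp-settings-time-1=1700000000";

const cookies = typeof document !== "undefined" ? document.cookie : SAMPLE_COOKIES;
console.log(auditPreConsentCookies(cookies));
```

An empty `violations` list before consent is the pass condition; any entry means prior blocking is not working for that service.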

Mistake 2: No Reject Option as Easy as Accepting

A consent banner that only shows an “Accept All” button, or that hides the rejection option behind multiple clicks and sub-menus, is not compliant. Regulators in France, Italy, Belgium, and Spain have all issued decisions confirming that rejecting cookies must be as easy as accepting them. The classic dark pattern – a prominent “Accept All” button paired with a small grey “Manage Preferences” link – does not meet this standard.

The fix: Configure your CMP to display both an “Accept All” and a “Reject All” (or “Decline All”) button prominently at the first layer of the banner. Both buttons should be visually equivalent – the same size, the same visual weight, neither one greyed out or de-emphasised relative to the other.

Mistake 3: An Outdated or Generic Privacy Policy

Many WordPress sites have a privacy policy that was generated by a plugin years ago and has never been updated. Others have simply copied a template from another site. The problem is that GDPR requires your privacy policy to accurately reflect what your site actually does with personal data – not what a generic template says. If you have added new plugins, changed your email marketing provider, or started using a new analytics tool since you last updated your privacy policy, it is out of date.

The fix: Conduct a data mapping exercise: list every plugin, service, and form on your site and identify what personal data each one collects, for what purpose, and where it is sent. Then review your privacy policy against this list and update it to match reality. Set a recurring reminder to review and update your privacy policy whenever you make changes to your site’s data processing activities.

Mistake 4: Collecting More Data Than You Need

GDPR’s data minimisation principle (Article 5(1)(c)) requires that personal data is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” In practice, this means contact forms that ask for a phone number, job title, and company name when all you actually need is a name and email address are in violation of this principle. So are analytics configurations that enable demographic tracking, interest tracking, and cross-device tracking when you only actually use basic page view data.

The fix: Audit every data collection point on your site. For each field in each form, ask: do I actually use this information? If the honest answer is “not really,” remove it. For analytics, disable features you do not actively use. Less data collected means less risk, less storage overhead, and simpler compliance.

Mistake 5: No Data Processing Agreements with Third-Party Services

When you use a third-party service that processes personal data on your behalf – your email marketing platform, your hosting provider, your form plugin’s cloud service, your analytics provider – you are acting as a data controller and that third party is a data processor. GDPR Article 28 requires you to have a Data Processing Agreement (DPA) in place with each of these processors.

The fix: Most major SaaS providers that process personal data will have a DPA available – either presented for acceptance during signup or available on request. Check the terms of service or privacy documentation for each service you use. Many services make this easy: Mailchimp, Google, and most other major platforms have standard DPAs you can accept directly in your account settings. Keep a record of which DPAs you have accepted and when.

Mistake 6: Sending Marketing Emails Without Valid Consent

If you send a newsletter or any marketing emails to subscribers, you need freely given, specific, informed, and unambiguous consent. Common violations include: adding people to your mailing list because they made a purchase (without a separate opt-in for marketing), using a pre-ticked checkbox on a contact form to enrol people in a newsletter, or importing a purchased email list. Any of these practices puts you at risk of both GDPR and ePrivacy Directive violations.

The fix: Use an explicit, unticked opt-in checkbox on any form where you collect email addresses, with clear wording that specifies what the person is signing up for. Run a re-engagement campaign for any existing subscribers whose consent history is unclear, and remove those who do not actively re-consent. Keep a record in your email marketing platform of when and how each subscriber consented.

Mistake 7: Not Responding to Data Subject Requests

GDPR gives individuals the right to access their data, request its deletion, correct it, and more. Under Article 12, you must respond to these requests within one calendar month. Many WordPress site owners receive such requests and do not know how to handle them – or, worse, do not respond at all. Ignoring a Subject Access Request (SAR) is a direct violation of GDPR and a common trigger for supervisory authority complaints.

The fix: Make your privacy contact email address clearly visible in your privacy policy and consider adding it to your site footer. When a request comes in, log the date received – the clock starts immediately. WordPress’s built-in privacy tools (Tools → Export Personal Data and Tools → Erase Personal Data) can help you gather and act on data for registered users. For non-registered users, you may need to search your database, email marketing platform, and other systems manually.

Mistake 8: Ignoring Data Transfers Outside the EU

Many WordPress plugins and services route data to servers in the United States or other countries outside the European Economic Area. Unless those transfers are covered by an adequacy decision (the EU’s recognition that a country provides equivalent data protection), standard contractual clauses (SCCs), or another approved mechanism, they are potentially unlawful under GDPR Chapter V. This affects services ranging from email marketing platforms to analytics tools to the CDNs used by font providers.

The fix: For each third-party service you use, check where their servers are located and what transfer mechanism they rely on for EU data. Most US-based providers rely on SCCs following the invalidation of Privacy Shield in 2020. After the EU-US Data Privacy Framework came into force in 2023, certified US companies again benefit from an adequacy decision – check whether your providers are certified under this framework. Disclose all international transfers in your privacy policy.

Conclusion

GDPR compliance for a WordPress site is not a single task you complete once – it is an ongoing practice of reviewing, updating, and verifying that your site’s data practices remain aligned with both the regulation and your privacy policy. The mistakes listed above are all fixable without specialised legal knowledge. The most important thing is to look honestly at what your site actually does with personal data, correct what needs correcting, and build a habit of reviewing your compliance whenever you make changes to your site.
