The WordPress GDPR Compliant Privacy Policy Template

The arrival of the General Data Protection Regulation (GDPR) has changed how personal data is collected and handled online. GDPR is an EU regulation that protects individuals in the European Union (EU) and European Economic Area (EEA), but its reach is not limited to EU-based businesses: it also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and it restricts transfers of personal data out of the EU and EEA.

As such, you can't ignore the implications of GDPR. You might as well get ahead of it, even if you're not currently affected by it.

There are many different website components that you must consider (and possibly change) to become GDPR compliant. In this article, we’ll focus on just one of them: your website privacy policy.

Why Are Privacy Policies Important?

Collecting personal information from users can provide valuable data for businesses looking to continuously improve their offerings.

Some of the common types of personal data collected by business websites include:

  • First and last names
  • Email address
  • Phone numbers
  • Billing/shipping address
  • Credit card/Payment details
  • IP address
  • Cookies

The main idea behind GDPR is that the personal data every individual shares online should be regulated and protected. Without such a law, online users would have little or no control over the personal information that websites collect about them.

Publishing a privacy policy shows visitors that you take their personal data seriously. The policy should live on its own page and act as a plain statement of what personal information you collect from visitors, why you use it, where it is stored, and who it is shared with.

What Should I Include In My Privacy Policy?

The following sections of a GDPR compliant privacy policy template will help you understand what to include in your privacy policy and why:

A Brief Introduction

Start by stating who you are and what you do, and include the purpose of your privacy policy. Include the date of when the privacy policy is effective, the legal business name, as well as the business address.

Address These GDPR Principles For Processing Personal Data

Under GDPR Article 5, there are six principles for processing personal data that you must be aware of (plus an accountability obligation in Article 5(2): you must be able to demonstrate that you follow them):

  • Lawfulness, fairness and transparency when it comes to the data processing.
  • Purpose limitation: Limitation of processing only to legitimate purposes.
  • Data minimization: Collect only what is necessary and relevant for the purpose of processing.
  • Accuracy: Data must be kept up-to-date.
  • Storage limitation: Collected information should be kept no longer than what is necessary for the purpose for which that data is processed.
  • Integrity and confidentiality: Ensure the security and protection of the collected data against unlawful and unauthorized processing.

Types of Data Collection & Process

It’s important to be very clear about what type of personal data (such as IP addresses and cookie data) you’re going to collect, as well as the process (such as specific tools) used for collection.

When disclosing the type of data you are collecting and processing, be as detailed as possible so as to be transparent with users.

Where & How the Data is Processed

This section of your privacy policy supports the principles of lawfulness, purpose limitation, and data minimization. For each purpose, also state the legal basis you rely on under GDPR Article 6 (for example consent, performance of a contract, or legitimate interests), since Article 13 requires you to tell users both the purpose and the legal basis of the processing.

Disclose the reasons for processing in terms of the types of data you’re collecting, how the data is processed, then where and why the data is being processed. Again, it’s important to be as detailed as possible about the purpose for collecting user data.

Data Storage

According to the principle of storage limitation, the data your website collects should be kept no longer than necessary for the purpose it was collected for. In other words, don't keep data for longer than you need it.

This section of your privacy policy should tell users how long you will keep the data you've collected from them, or the criteria you use to decide that retention period (for example "until the account is closed" or "seven years for invoices, as required by tax law").

Add Definitions

Under GDPR Article 12, your privacy policy should be communicated in transparent, concise, intelligible, and clear/plain language. Avoid using legal terminology and jargon wherever possible.

In unavoidable cases, provide a separate section that offers explanations via definitions.

Who Has Access to the Data

GDPR allows personal data to be shared with third parties and transferred abroad, but only with a proper legal basis and only if users are told about it: Articles 13 and 14 require you to name the recipients (or categories of recipients) of the data and to disclose any intended transfer to a country outside the EU/EEA, together with the safeguards used, and Article 15 lets users ask for this information at any time. Transfers outside the EU/EEA are themselves governed by Chapter 5 of GDPR (Articles 44 to 49), so your policy should also cover international transfers and the mechanism that makes them lawful.

One important aspect of GDPR is transparency — you should be transparent regarding who has access to user data and, if applicable, who you share data with.

Data Rights

Under GDPR Chapter 3, the rights of the user over their personal data are stated, which include:

  • Right to be informed (Articles 12 to 14).
  • Right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure or to be forgotten (Article 17).
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).
  • Right to object (Article 21).
  • Right not to be subject to solely automated individual decision-making, including profiling (Article 22).

Not every right will be relevant to your business, but you should know all of them, since GDPR requires your policy to tell users these rights exist and how to exercise them.

Privacy Policy Changes

If you change or update your privacy policy, users should be informed of the change (for example by a dated "last updated" line and a notice on the site). It is also useful to state up front that the policy may change in the future, so users are aware of this before they share their personal data with your website.

Putting it All Together: GDPR Compliant Privacy Policy Templates

Don't use the WordPress-generated privacy policy (or any other GDPR compliant privacy policy template) without taking the time to customize it.

Your privacy policy should fit your own business needs and your site's actual functionality. Some prewritten sections will mostly fit your business, but keep in mind that your privacy policy must also align with the requirements of your industry.

Besides the built-in WordPress GDPR compliant privacy policy template (which we’ll discuss in the next section), consider these additional tools:

  • Privacy Policy Generator by Shopify: Although Shopify is an e-commerce platform that competes with WordPress-based stores, this handy tool is completely free and can be used on any website.
  • PrivacyPolicies.com: With this GDPR compliant privacy policy template, there are two options: 1.) A free generator with limited features or 2.) an international privacy policy generator available for a one-time fee.
  • TermsFeed: TermsFeed is not only a privacy policy generator — you can also use it to generate terms and conditions, disclaimers, return and refund policies, a cookie policy, and end-user license agreements. This tool is suitable for all types of online business, websites, and apps. As with PrivacyPolicies.com, both free and paid options are available.
  • Privacy Policy Online: This GDPR compliant privacy policy template is straightforward to use and completely free. It satisfies requirements for affiliate companies including Google AdSense, Amazon, Commission Junction, and more.
  • Termageddon: A website policy generator that automatically updates whenever the laws change. They offer web agencies a free set of policies for their own website as well as the ability to resell Termageddon to their clients. 

How to Use WordPress’s Built-In GDPR Compliant Privacy Policy Template

Starting with WordPress 4.9.6, known as the privacy and maintenance release, website administrators have access to a privacy policy generator built into WordPress. Since this update, it has been easier to create a privacy policy page while taking advantage of WordPress's other privacy features.

Here’s how to use WordPress’s GDPR compliant privacy policy template:

  • If you're not using WordPress 4.9.6 or above, you'll have to update WordPress. Make sure to back up your website (files and database) before doing this.
  • Navigate to the updated WordPress dashboard and click Settings > Privacy.
  • You can select an existing Privacy policy page or click Create a new page.
  • You will then be taken to the page editor, pre-filled with WordPress's suggested privacy policy text. Treat it as a starting point, not a finished policy.
  • Edit the page as you see fit for your business needs using the information shared earlier in this article.
  • Publish the page and link to it from somewhere on your website, such as your navigation bar or footer. The page selected under Settings > Privacy is also the one WordPress uses for its own privacy links (for example on the login screen).
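If you prefer to wire the last step into code rather than rely on a theme setting, the following small plugin is an added example (it is not part of the original article or of WordPress core). It uses only core functions that shipped with 4.9.6: `get_privacy_policy_url()` and `get_the_privacy_policy_link()` read the page chosen under Settings > Privacy, and the `wp_page_for_privacy_policy` option is where WordPress stores that choice. The function names prefixed `example_` and the text domain `example` are assumptions of this snippet.

```php
<?php
/**
 * Plugin Name: Privacy Policy Footer Link (added example)
 *
 * Added example, not part of the original article or of WordPress core.
 * Core functions used (all present since WordPress 4.9.6):
 *   get_privacy_policy_url()      - URL of the page chosen under Settings > Privacy,
 *                                   '' if none is set or the page is not published
 *   get_the_privacy_policy_link() - ready-made <a> element for that page
 *   wp_page_for_privacy_policy    - option holding the selected page ID
 * Function names prefixed example_ are this snippet's own.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct requests to this file have no WordPress context.
}

/**
 * Print a footer link to the selected privacy policy page.
 * Prints nothing when no page is set or the page is not published, so the site
 * never links to a missing or draft policy.
 */
function example_privacy_policy_footer_link() {
    if ( '' === get_privacy_policy_url() ) {
        return; // No page selected, or it is not publicly viewable.
    }
    echo '<p class="privacy-policy-link">';
    echo get_the_privacy_policy_link(); // Core builds and escapes the <a> element.
    echo '</p>';
}
add_action( 'wp_footer', 'example_privacy_policy_footer_link' );

/**
 * Show a dashboard warning to administrators while no privacy policy page is
 * selected, so the omission is noticed before the site goes live.
 */
function example_privacy_policy_missing_notice() {
    if ( ! current_user_can( 'manage_privacy_options' ) ) {
        return; // Only users who can fix the setting need the reminder.
    }
    if ( (int) get_option( 'wp_page_for_privacy_policy' ) > 0 ) {
        return; // A page is selected; nothing to report.
    }
    printf(
        '<div class="notice notice-warning"><p>%s <a href="%s">%s</a></p></div>',
        esc_html__( 'No privacy policy page is selected.', 'example' ),
        esc_url( admin_url( 'options-privacy.php' ) ),
        esc_html__( 'Choose or create one under Settings > Privacy.', 'example' )
    );
}
add_action( 'admin_notices', 'example_privacy_policy_missing_notice' );
```

Drop the file into `wp-content/plugins/` and activate it. Many themes already print this link in their footer, so check for duplicates before enabling it. If you manage sites with WP-CLI, `wp option get wp_page_for_privacy_policy` shows which page is selected and `wp option update wp_page_for_privacy_policy <page-id>` sets it without visiting the dashboard.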

Besides the built-in GDPR compliant privacy policy template, there are other simple steps you can take to help make your WordPress website GDPR compliant.

Privacy WP by Amplify Plugins is a WordPress plugin that helps both users and website owners in accessing and handling their personal data. The plugin facilitates access on all ends, whether the data is stored on your website or somewhere else. It integrates with different third-party services such as MailChimp, Insightly, and ConvertKit.

Do you have a favorite GDPR compliant privacy policy template or recommended inclusions? We’d love to hear from you! Tweet your thoughts at @PrivacyWP and we’ll share our favorites.


Maddy Osman

Maddy Osman is an SEO Content Strategist who works with clients like AAA, Automattic, Kinsta, and Sprout Social. Her background in WordPress web design contributes to a well-rounded understanding of SEO and how to connect brands to relevant search prospects.