←back to Blog

WordPress GDPR compliance checklist covering cookie consent, privacy policy, and data rights for 2026

WordPress GDPR Compliance Checklist: What Your Site Actually Needs in 2026

WordPress does not make your site GDPR compliant just because you installed it. That’s the short version. The longer version is that GDPR compliance for a WordPress site is a checklist made up of a dozen or so separate pieces, most sites are missing at least three of them, and the one piece everyone remembers, the cookie banner, is often the one implemented worst. If your WordPress site gets visitors from the EU, the UK, or anywhere with similar privacy law, this WordPress GDPR compliance checklist covers what actually needs to be in place, not just what a plugin’s marketing page claims it fixes.

Is WordPress GDPR Compliant by Default?

No. WordPress core ships with a handful of privacy-related tools built in, but installing WordPress does not make a site GDPR compliant on its own. Compliance depends on what plugins, forms, and trackers get added on top of WordPress, and those are almost always the actual source of GDPR risk, not WordPress itself.

Since WordPress 4.9.6, released in 2018, WordPress core has included a privacy policy generator under Settings > Privacy, plus tools under Tools > Export Personal Data and Tools > Erase Personal Data for handling data subject requests. These are useful, but they only cover data WordPress itself stores, like comments and user accounts. They do nothing for the analytics script, the Facebook Pixel, or the third-party form plugin sending submissions to an external server, and those are exactly the tools GDPR investigations tend to focus on.

What GDPR Actually Requires From a WordPress Site

GDPR requires a lawful basis for collecting personal data, consent before loading non-essential cookies, an accessible privacy policy, a way for visitors to access or delete their data, and a plan for responding to a data breach. None of these are optional add-ons; they’re the baseline for any WordPress site handling EU visitor data, regardless of company size.

  • A documented, lawful basis for every category of personal data collected (consent, contract, legitimate interest, etc.)
  • Explicit, informed consent before any non-essential cookie or tracking script loads
  • A privacy policy page that accurately reflects every tool actually collecting data on the site
  • A working process for data access and erasure requests
  • Data processing agreements with any third-party service that touches visitor data (email marketing tools, form plugins, analytics)
  • A reasonable security setup, since a data breach on an insecure site is also a GDPR problem, not just a security one

How Do I Add a Cookie Consent Banner to WordPress?

Adding a cookie consent banner to WordPress means installing a consent management plugin that blocks non-essential scripts until a visitor actively clicks accept, then configuring it to cover every tracker actually running on the site. The two most established options for WordPress in 2026 are Complianz and CookieYes, and they take noticeably different approaches to the same problem.

Complianz is a WordPress-native plugin that blocks scripts and iframes using WordPress hooks, runs its scans and stores its logs locally on the WordPress database, and includes a wizard that generates a privacy policy and cookie policy tailored to the plugins detected on the site. CookieYes takes a hybrid cloud approach: it works across WordPress, Shopify, Wix, and custom sites through a single script tag, running its scans on external servers rather than the WordPress database itself.

FeatureComplianzCookieYes
PlatformWordPress and Shopify onlyAny site (WordPress, Shopify, Wix, custom HTML)
Data storageLocal, inside the WordPress databaseCloud-based, external servers
Setup styleWizard tailored to detected plugins and regionAutomatic cookie scan, typically under 10 minutes
Best forSites fully built on WordPress or ShopifyMulti-platform businesses or non-WordPress sites
Starting price (2026)From around €59/yearFrom around $100/year

Whichever plugin is chosen, the setup only works if scripts are loaded the way the plugin expects. Hardcoding a Google Analytics or Meta Pixel snippet directly into a theme’s header.php file bypasses the WordPress hook system entirely, which means a consent plugin has no way to intercept and block it before consent is given. Scripts need to load through the plugin’s tag manager or through WordPress hooks for consent blocking to actually function.

Google Consent Mode v2: Why It’s No Longer Optional

Google Consent Mode v2 is a signal that tells Google Ads and Google Analytics whether a visitor has consented to tracking, and as of 2026 it’s required for any WordPress site running Google Ads remarketing or conversion tracking in the EU. According to WPConsent’s 2026 cookie consent plugin guide, sites that don’t send the correct consent signals will have Google’s advertising platforms refuse to build remarketing audiences or track conversions at all, regardless of ad spend.

This matters beyond legal compliance: a WordPress site running Google Ads without proper Consent Mode v2 signals is effectively flying blind on conversion data, even if the ads themselves are running fine. Most modern cookie consent plugins, including both Complianz and CookieYes, support Consent Mode v2 configuration directly in their settings, so this is usually a checkbox rather than a developer task.

WordPress’s Built-In Privacy Tools You’re Probably Not Using

WordPress core includes a privacy policy generator and personal data export and erasure tools that most site owners never open. These live under Settings > Privacy for the policy generator, and Tools > Export Personal Data and Tools > Erase Personal Data for handling requests from visitors who ask what data is held about them or ask for it to be deleted.

The privacy policy generator produces a starting template covering data WordPress itself collects, such as comments, cookies set by WordPress core, and media uploads with embedded location data. It is a starting point, not a finished document. It needs to be edited to reflect every plugin, form, and third-party service actually running on the site, since a privacy policy that only describes WordPress core’s own behavior is misleading by omission.

The WordPress GDPR Compliance Checklist

This is the practical order to work through GDPR compliance on an existing WordPress site, from lowest to highest effort.

  1. Update WordPress core, theme, and all plugins to current versions before starting
  2. Install an SSL certificate if the site doesn’t already run on HTTPS
  3. Audit every plugin, form, and tracking script on the site and document what personal data each one collects
  4. Install a consent management plugin (Complianz or CookieYes) and configure it to block scripts until consent is given
  5. Enable Google Consent Mode v2 if running Google Ads or Analytics
  6. Generate and customize the privacy policy under Settings > Privacy so it reflects the actual audit from step 3
  7. Link the privacy policy from every page that collects personal data, including contact and checkout forms
  8. Test the Export Personal Data and Erase Personal Data tools under Tools in the WordPress dashboard
  9. Confirm the “Reject All” option in the cookie banner is as easy to click as “Accept All”
  10. Set a recurring calendar reminder to re-audit trackers and update the privacy policy, since new plugins and integrations quietly break compliance over time

Common WordPress GDPR Mistakes That Get Sites in Trouble

A common mistake is hiding or shrinking the “Reject All” button while making “Accept All” the obvious, prominent choice. Under the EU’s 2026 Digital Markets Act rules, this kind of dark pattern is explicitly forbidden, and under GDPR Article 7, consent has to be freely given and unambiguous, which a lopsided banner design undermines by default.

Another common mistake is treating the cookie banner as a one-time setup instead of ongoing maintenance. Every time a new plugin, embed, or ad pixel gets added to a site, it’s another script that may need to be added to the consent plugin’s blocking rules. A banner that was accurate at launch can quietly stop reflecting reality within a few months.

Security gaps compound GDPR risk rather than sitting separately from it, since a breach on an insecure WordPress site is a GDPR incident, not just a downtime problem. A WordPress security plugin and a properly configured Cloudflare setup both reduce the odds of a breach that would trigger GDPR’s mandatory notification requirements in the first place.

GDPR compliance follows the same pattern as other legal-risk checklists on WordPress: it’s not a single plugin install, it’s a set of pieces that all need to be right at once. The WordPress accessibility checklist covers the same logic applied to ADA lawsuit risk instead of privacy law, and the overlap in approach, audit first, fix systematically, then maintain, is worth applying to both.

Start With the Audit, Not the Plugin

The single takeaway from this WordPress GDPR compliance checklist is to audit what the site actually collects before installing a consent plugin, not after. A plugin configured against an incomplete list of trackers will leave gaps that look compliant on the surface but aren’t. For anyone building or fixing a WordPress site that needs to handle this correctly, a look at recent project work shows how compliance and site performance get handled together rather than bolted on separately.

Frequently Asked Questions

No. WordPress core includes some privacy tools, like a privacy policy generator and data export/erasure options, but full GDPR compliance depends on the plugins, forms, and trackers added on top of WordPress, which core does not control.

Yes, if the blog uses analytics, embeds, ads, or any tool that sets non-essential cookies and receives visitors from the EU or UK. Site size doesn’t exempt a site from GDPR; the deciding factor is whether personal data is collected from EU or UK visitors.

Google Consent Mode v2 is a signal that tells Google Ads and Analytics whether a visitor has given tracking consent. It’s required in 2026 for any site running Google Ads remarketing or conversion tracking to EU visitors, and most cookie consent plugins support it directly in their settings.

Complianz suits sites built entirely on WordPress or Shopify since it integrates deeply through WordPress hooks and stores data locally. CookieYes suits businesses running multiple platforms since a single setup covers WordPress, Shopify, Wix, and custom sites through one script.

Non-compliant sites risk regulatory fines, which can reach into the millions of euros for serious or repeated violations, plus loss of Google Ads remarketing and conversion tracking capability if Consent Mode v2 signals aren’t properly configured.

Leave a Reply

Your email address will not be published. Required fields are marked *