What to Include in a Privacy Policy for WordPress Websites

If your website collects personal data, you are now required by law to provide a privacy policy. A privacy policy should be accessible to your users (via a small text link in the website footer) and written in plain, readable language. Failure to comply can result in heavy fines and even prosecution. In general, a privacy policy must include:

  • Your name (or business name), location, and contact information
  • What personal data you are collecting from users (e.g. names, email addresses, IP addresses, and any other information)
  • How you collect it
  • Why you collect it
  • Whether you share it or not
  • How you protect it
  • Whether it’s optional for them to share their information
  • How they can opt-out, and the consequences of doing so
  • And any third-party services you’re using to collect, process, or store that information — such as:
    • a contact form,
    • e-mail newsletter signup form,
    • Google Analytics,
    • eCommerce purchase,
    • blog post submission,
    • advertising network like Google AdSense, PPC,
    • social media sharing,
    • any other plugin that obtains info for signup/registration,
    • use of cookies,
    • etc.

WordPress creates a default Privacy Policy page automatically, so you can work from that. If you go to Settings > Privacy, you can change that privacy policy page or check out the Privacy Policy Guide, which has more content you can copy and use. Below are examples of text we found from various sources that you can also pull in.

Examples of General Privacy Policies for WordPress

Who We Are

This Privacy Notice applies to information we collect when you use [www.yourdomain.com] and any other websites, mobile applications (“app(s)”), or services that post a link to this Privacy Notice (collectively, the “Service”). This Privacy Notice describes how [Company Name], [Address] (“[Company Name],” “Company,” “we,” or “us”) collects, uses, and shares Service-related information about you.

What personal data we collect and why we collect it

    • We collect contact information to be able to communicate with you. For example, if you sign up for a mailing list, create an account, apply for a job, or enter a promotion, you may be asked to provide your name, address, email, cell phone number, and/or date of birth. We retain this information for [X amount of time] and do not use this information for any marketing purposes.
    • We collect basic visitor information through Google Analytics cookies (search queries, device type, geolocation, return visits, etc.) but you can opt out of cookies at any time via your browser settings. To learn how Google uses your information see Google’s privacy policy. We retain this information for [X amount of time] and use this information for our internal marketing purposes only.
    • We collect credit card information when you make a purchase on our website. In such event, it is our policy to redirect you to a payment processing portal hosted by a third party payment processor. Please read the privacy policy on our payment processor’s website regarding the use, storage and protection of your credit card information before submitting any credit card information.
    • We collect personal data to process and ship your orders, inform you about the status of your orders, correct addresses and conduct identity verification and other fraud detection activities. This involves the use of certain Personal Data and payment information.
    • We collect personal data when you interact with our third party social networking features, such as “Like” or “Share” functions, to serve you with advertisements and engage with you on third party social networks. You can learn more about how these features work, the profile data that we obtain about you, and find out how to opt out by reviewing the privacy notices of the relevant third party social networks.


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

In this section you should name and list all third party providers with whom you share site data, including partners, cloud-based services, payment processors, and third party service providers, and note what data you share with them and why. Link to their own privacy policies if possible.

We do not sell our users’ private personal information.

We share information about you in the limited circumstances spelled out below and with appropriate safeguards on your privacy:

    • Subsidiaries, Employees, and Independent Contractors: We may disclose information about you to our subsidiaries, our employees, and individuals who are our independent contractors that need to know the information in order to help us provide our Services or to process the information on our behalf. We require our subsidiaries, employees, and independent contractors to follow this Privacy Policy for personal information that we share with them.
    • Third Party Vendors: We may share information about you with third party vendors who need to know information about you in order to provide their services to us, or to provide their services to you or your site. This group includes vendors that help us provide our Services to you (like payment providers that process your credit and debit card information, payment providers you use for your ecommerce operations, fraud prevention services that allow us to analyze fraudulent payment transactions, postal and email delivery services that help us stay in touch with you, customer chat and email support services that help us communicate with you, registrars, registries, and data escrow services that allow us to provide domain registration services, and your hosting provider if your site is not hosted by Automattic), those that assist us with our marketing efforts (e.g. by providing tools for identifying a specific marketing target group or improving our marketing campaigns), those that help us understand and enhance our Services (like analytics providers), and companies that make products available on our websites (such as the extensions on WooCommerce.com), who may need information about you in order to, for example, provide technical or other support services to you.

Below are some privacy policies you can review or link to if you are using them:

How long we retain your data

In this section you should explain how long you retain personal data collected or processed by the web site. While it is your responsibility to come up with the schedule of how long you keep each dataset for and why you keep it, that information does need to be listed here. For example, you may want to say that you keep contact form entries for six months, analytics records for a year, and customer purchase records for ten years.

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

How to opt out of data collection

If you have a [Business Name] account, you can opt-out of receiving our marketing communications by modifying your preferences in the “view or change my profile” section of our Sites. You can also opt-out by modifying your email or SMS subscriptions by clicking on the unsubscribe link or following the opt-out instructions included in the message. Alternatively, you can contact us using our contact form to ask us to delete your information.


Additional Privacy Policies for Commercial Sites or more Complex Processing of Data

How we protect your data

In this section you should explain what measures you have taken to protect your users’ data. This could include technical measures such as encryption; security measures such as two factor authentication; and measures such as staff training in data protection. If you have carried out a Privacy Impact Assessment, you can mention it here too.

While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so, such as hosting our website with a secure webhost that monitors the servers for potential vulnerabilities and attacks, keeping up-to-date with our plugins, themes, and WordPress, and through installation of an SSL (Secure Sockets Layer) certificate.

What data breach procedures we have in place

In this section you should explain what procedures you have in place to deal with data breaches, either potential or real, such as internal reporting systems, contact mechanisms, or bug bounties.

What third parties we receive data from

If your web site receives data about users from third parties, including advertisers, this information must be included within the section of your privacy policy dealing with third party data.

What automated decision making and/or profiling we do with user data

If your web site provides a service which includes automated decision making – for example, allowing customers to apply for credit, or aggregating their data into an advertising profile – you must note that this is taking place, and include information about how that information is used, what decisions are made with that aggregated data, and what rights users have over decisions made without human intervention.

Industry regulatory disclosure requirements

If you are a member of a regulated industry, or if you are subject to additional privacy laws, you may be required to disclose that information here.

Additional Privacy Policies for certain services

If you use any of the following services listed below, you should copy content from the Privacy Policy Guide linked from WordPress’s backend: Settings > Privacy page:

    • WooCommerce & WooCommerce Subscriptions
    • Other WooCommerce Services like Taxjar, USPS/Fedex/UPS Shipping Rates, Shipping Labels
    • Stripe & PayPal


When you sign up for our mailing list and interact with an email campaign that you receive from us, we may collect information about your device and your interaction with the email via Mailchimp cookies and other tracking technologies. Mailchimp’s use of cookies and other tracking technologies is discussed more below, and in more detail in their Cookie Statement here.

    • Device information: We collect information about the device and applications you use to access emails sent through our Services, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
    • Product usage data: We collect usage data about you whenever you interact with emails sent through the Services, which may include dates and times you access emails and your browsing activities (such as what pages are viewed). We also collect information regarding the performance of the Services, including metrics related to the deliverability of emails and other electronic communications our Members send through the Services. This information allows us to improve the content and operation of the Services, and facilitate research and analysis of the Services.

If you have opted in to our marketing emails, you can opt out of receiving marketing emails from us at any time by clicking the “unsubscribe” link at the bottom of our marketing messages.

Google Remarketing/Retargeting, Google Display Network Impression Reporting, Google Analytics Demographics and Interest Reporting

You must include:

    • The Google Analytics Advertising tools that you use, and how and why you use these features.
    • A notice that cookies are used by third-parties to display relevant advertising to the user.
    • Instructions on how users can opt-out of the Google Analytics Advertising features through Google’s Ad Settings.

Google AdSense

You must include the following in an informed consent pop-up or banner that alerts users and allows them to block this if they wish:

    • A statement that third-parties, including Google, use cookies to display relevant advertising to a user based on previous browsing behavior.
    • Information on Google’s DoubleClick cookies.
    • Instructions on how users can opt-out of the use of DoubleClick cookies through Google’s Ad Settings.

Additional Privacy Policy Requirements by State or Nation

California Online Privacy Protection Act (CalOPPA)

If your website collects any personal information from residents of the state of California, whether or not your business resides there, you must comply with the California Online Privacy Protection Act (CalOPPA), which means you must provide a Do Not Track policy like the one below:

“Do Not Track”
California law requires us to let you know how we respond to web browser Do Not Track (DNT) signals. Because there currently isn’t an industry or legal standard for recognizing or honoring DNT signals, we don’t respond to them at this time. We await the result of work by the privacy community and industry to determine when such a response is appropriate and what form it should take. To learn more about DNTs and how to turn on/off your DNT settings via your browser settings visit this webpage.

The EU’s General Data Protection Regulation (GDPR)

If you are based in the EU or provide services to EU citizens through a website that obtains their personal data, you must have a GDPR-compliant privacy policy. This means providing a general Privacy Policy, similar to what is described above, and ALSO providing a checkbox, shown when users create a profile, stating that they agree to having their personal information saved. For example, something like “I agree to the [Business Name] Privacy Policy and to [Business Name] saving my personal information.”

GDPR also requires that you alert users whenever cookies are being used on a website/app. Users must give their informed consent before any cookies may be placed on their device. Active consent, also called informed consent, involves requiring the user to confirm consent with a checkbox or an “I agree” button via a popup at the bottom of the webpage. This includes listing the different types of cookies that are used, details of any cookies from third parties that may be used, why cookies are used, and how they are placed on devices.

The Cookiebot service linked below can test your website for cookies and help you craft a privacy policy compliant with GDPR and the ePrivacy Directive (EPR). It is FREE for one domain with fewer than 100 pages.

Test website for cookies

There are other Privacy Policies in Canada, Australia, and the UK but they seem pretty similar to what is required above.

Disclaimer: I am not a lawyer and do not intend to provide legal advice through this post. I am only making suggestions as a guideline for my clients to become educated on what is needed for their websites.

With all that said, feel free to use the above recommendations, hire a lawyer to help you craft a legal privacy policy, use the Free Privacy Policy Generator below, or purchase a privacy policy generator plugin like WPLegalPages Pro for $39/yr that will generate it for you.

FREE Privacy Policy Generator WPLegalPages Pro Plugin
