Privacy policy clauses for Gravatar
Gravatar is a service that displays user profile pictures across websites by matching email addresses to avatar images. Websites integrate Gravatar to automatically show commenter avatars without storing images locally, improving user experience and reducing server load.
What data Gravatar collects
Your privacy policy must disclose each of the following data types when you use Gravatar.
When does Gravatar trigger privacy obligations?
Installation triggers data transfer immediately
The moment Gravatar is integrated into your site or app, MD5 email hashes begin flowing to Automattic's servers in the United States. This happens on every page load or user interaction that triggers avatar display—no waiting for explicit consent.
GDPR applies if you have EU users
If your audience includes EU residents, GDPR Article 6 requires a lawful basis for processing those email hashes. The hash itself is still personal data under GDPR (recital 26: hashing does not automatically anonymize). Article 5(1)(a) requires transparency—users must know their email is being hashed and sent to Automattic. This means your privacy policy must disclose Gravatar specifically, not hide it under generic 'third-party services.'
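An added example (not part of this page or of Gravatar's own code) covering both the data flow described above and the point that a hash is not anonymous: it builds the hash the way Gravatar documents it (trimmed, lowercased, MD5), withholds the request until consent exists so neither the hash nor the visitor's IP leaves the site before then, and shows that anyone holding a list of addresses links the received hashes straight back to them. The email addresses are constructed sample values.

```python
import hashlib
from typing import Dict, Iterable, Optional


def gravatar_hash(email: str) -> str:
    """Return the MD5 hex digest Gravatar expects: trim, lowercase, then hash."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, consent_given: bool, size: int = 80) -> Optional[str]:
    """Build the avatar URL only once the visitor has consented.

    Returning None lets the template fall back to a locally hosted default
    image, so no hash and no visitor IP address reaches Automattic until the
    lawful basis (GDPR Article 6) is actually in place.
    """
    if not consent_given:
        return None
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"


def reidentify(hashes: Iterable[str], known_emails: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map received hashes back to addresses from any list the holder already has.

    A processor (or anyone who later obtains its logs) holding a user table,
    a mailing list or a breach dump can do exactly this, which is why GDPR
    recital 26 treats the hash as personal data rather than anonymous data,
    and why the DPA with the processor matters.
    """
    lookup = {gravatar_hash(e): e for e in known_emails}
    return {h: lookup.get(h) for h in hashes}


# Constructed sample addresses for the demonstration (not real users).
CONSTRUCTED_USERS = ["alice@example.com", "Bob@Example.org", "carol@example.net"]

if __name__ == "__main__":
    print(gravatar_url("alice@example.com", consent_given=False))  # None: nothing sent
    print(gravatar_url("alice@example.com", consent_given=True))
    received = [gravatar_hash("bob@example.org"), gravatar_hash("nobody@example.invalid")]
    print(reidentify(received, CONSTRUCTED_USERS))
```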
CCPA applies if you have California users
Under CCPA Section 1798.100, California residents have the right to know what personal information is collected. The IP address Gravatar logs during the request is personal information under CCPA. You must disclose this collection in your privacy policy and honor deletion requests that cascade to Gravatar (via DPA or contractual obligation).
First concrete step
Add a specific, honest privacy policy disclosure naming Gravatar and describing the email hash + IP address data flow to Automattic (US-based processor). Do not proceed without a Data Processing Agreement with Automattic if you have EU users (GDPR Article 28).
