Do I need to disclose WordPress in my privacy policy?

Yes. WordPress is a data processing technology integral to your website's operation. You must disclose it in your privacy policy because it collects user data through cookies and authentication mechanisms. This transparency is required under GDPR and CCPA regulations, even though WordPress itself is self-hosted and you control the data.

What specific data does WordPress collect?

WordPress collects user authentication data, including usernames and login credentials for administrative access. It sets session cookies (wordpress_*) to maintain user logins and wp-settings-* cookies to store user preferences like dashboard layout. The exact data collected depends on which plugins you install—plugins may collect additional information like form submissions, user activity logs, or personal details.

Does WordPress require a cookie consent banner?

Yes, you should implement a cookie consent banner. WordPress sets strictly necessary cookies for authentication and user preferences, which typically don't require explicit consent under GDPR. However, if you install plugins that use marketing or analytics cookies, you must obtain consent before those cookies are set. It's best practice to disclose all WordPress cookies transparently.

Who processes WordPress data and where is it stored?

You are the data processor and controller—WordPress is self-hosted on your own servers, meaning no third party processes core WordPress data. However, each plugin you install may introduce third-party processors. You must review every plugin's privacy practices, as many share data with external services for analytics, backups, or functionality, and you must have data processing agreements in place for GDPR compliance.

CMS

Privacy policy clauses for WordPress

WordPress is a self-hosted content management system that powers websites and blogs. Website operators install and run WordPress on their own servers, allowing them to create, manage, and publish content without relying on external hosting platforms.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data WordPress collects

Your privacy policy must disclose each of the following data types when you use WordPress.

Depends on plugins installed

When does WordPress trigger privacy obligations?

When WordPress Installation Triggers Obligations

Installing WordPress immediately creates two data flows that activate privacy and data protection rules:

### Session & Authentication Data

WordPress sets `wordpress_*` cookies for authentication the moment a user logs in or accesses wp-admin. This cookie contains session identifiers. Under ePrivacy Directive Article 5(3) (EU/EEA), you must obtain prior explicit consent before storing *any* cookie, even strictly necessary ones—though consent can be implicit through continued use if your privacy notice clearly discloses the cookie and its purpose. Under CCPA Section 1798.100, authentication data qualifies as personal information; you must disclose its collection in your privacy policy.

### Scope Triggers

–GDPR applies if your site processes data of EU residents (no threshold; see Article 3 territorial scope).
–CCPA applies if you operate a for-profit website accessible to California residents and meet one threshold: ≥$25M annual revenue, buy/sell personal information of ≥100K residents/households, or derive ≥50% revenue from selling personal data.

Common compliance pitfalls

Cookie	Duration	Category	Purpose
wordpress_*	session	strictly necessary	Authentication
wp-settings-*	1 year	strictly necessary	Preferences

Common WordPress Compliance Mistakes

### Pitfall 1: Plugin Blindness

The mistake: Operators install contact form, analytics, or backup plugins without reviewing their data-handling practices, then claim compliance because "WordPress itself" doesn't send data to third parties.

Why it happens with WordPress: The plugin ecosystem is vast (60k+ plugins) and WordPress core doesn't enforce privacy audits. A plugin like WPForms or MonsterInsights may transmit form data, IP addresses, or behavior logs to SaaS processors outside your control. Under GDPR Article 28, you become jointly liable with the plugin vendor if they process EU resident data without a Data Processing Agreement (DPA).

Consequence: Regulatory exposure. A DPA audit will request proof of contracts with every processor; missing DPAs can result in fines up to €10M or 2% of global turnover (Article 83(4)). You may also violate user consent if your privacy policy doesn't disclose the plugin's data flows.

### Pitfall 2: Miscategorizing `wp-settings-*` as Non-Essential

The mistake: Treating the `wp-settings-*` preference cookie as "marketing" or placing it behind an opt-in consent banner instead of allowing access without consent.

Why it happens with WordPress: The cookie stores user preferences (editor type, sidebar state). It looks like an analytics or UX tracking cookie, so operators assume it needs consent.

Consequence: Under ePrivacy rules and GDPR recital 32, strictly necessary cookies for functionality do not require prior consent. If you block `wp-settings-*` behind a banner, logged-in users experience broken preferences. This also triggers CCPA violations: you're artificially limiting service access to extract consent, which CCPA Section 1798.140(w) treats as a prohibited "option discrimination" practice.

### Pitfall 3: No Privacy Policy for Self-Hosted Data

The mistake: Assuming that because WordPress is self-hosted with "no third party," no privacy disclosures are required beyond mentioning HTTPS and backups.

Why it happens with WordPress: WordPress doesn't phone home to Automattic (for self-hosted versions). Operators wrongly infer this means no data collection occurs.

Consequence: You still collect: user login IPs, user registration email, admin email, post revision history, and database backups. GDPR Article 13 and CCPA Section 1798.100 require you to disclose what personal data you collect, why, and retention periods. Missing disclosures mean you cannot rely on lawful basis clauses (Article 6 GDPR) and expose users to claims that processing is unlawful. Regulators flag missing or incomplete privacy policies immediately in audits.

Privacy policy clauses for WordPress

What data WordPress collects

When does WordPress trigger privacy obligations?

When WordPress Installation Triggers Obligations

Cookies set by WordPress

Common compliance pitfalls

Common WordPress Compliance Mistakes

Legal note

Sample privacy policy clause

What regulators look for

Regulator Audit Priorities for WordPress Sites

Frequently asked questions

Do I need to disclose WordPress in my privacy policy?

What specific data does WordPress collect?

Does WordPress require a cookie consent banner?

Who processes WordPress data and where is it stored?

Don't ship without Bandit.