How to Add a Privacy Policy to WordPress (And What It Should Say)
WordPress and Privacy Policies
WordPress powers a significant share of the web, from personal blogs to large e-commerce stores. Since version 4.9.6, WordPress has included a built-in privacy policy tool that generates a basic template and provides a designated privacy policy page. While this is a helpful starting point, the built-in template is generic and does not account for the plugins you use, the analytics tools you have installed, or the specific ways you collect and process visitor data.
How to Add a Privacy Policy Page in WordPress
Using the Built-In Tool
WordPress makes it straightforward to create a privacy policy page. Go to Settings, then Privacy in your WordPress dashboard. Click "Create New Page" or select an existing page to designate as your privacy policy. WordPress will generate a template with placeholder text. Edit the content to accurately reflect your site's data practices. Once published, go to Appearance, then Menus (or use the Site Editor for block themes) to add the privacy policy page to your footer menu.
Setting the Privacy Policy Page
After creating the page, designate it as your official privacy policy page under Settings, then Privacy. WordPress will then link to it automatically from the login and registration forms, and some themes and plugins also reference the designated page.
What Your WordPress Privacy Policy Should Cover
WordPress Core Data Collection
Even a basic WordPress installation collects some personal data. Comments store the commenter's name, email address, and optional website URL, and WordPress records the commenter's IP address by default. WordPress core also sets a few first-party cookies: login and session cookies for registered users, and cookies for commenters.
Plugin-Specific Data Collection
This is where WordPress privacy policies get complicated: each plugin can introduce its own data collection. Common examples: contact form plugins (WPForms, Contact Form 7, Gravity Forms) collect whatever information the form asks for; WooCommerce collects extensive customer, payment, and order data; Yoast SEO does not collect personal data directly but may integrate with Google Search Console; Jetpack collects visitor statistics and security data and may set third-party cookies; and caching plugins may set cookies for performance optimization.
Many GDPR-conscious plugins supply a privacy policy section that you can paste into your main policy; look for a "Privacy" or "GDPR" section in each plugin's settings. When building your WordPress privacy policy, audit every active plugin for data collection behavior.
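As an added example covering both points above (this is not code from the article, from WordPress core, or from any plugin the article names): a small plugin that truncates the commenter IP before WordPress stores it, and then registers matching wording in the Privacy Policy Guide through the same mechanism GDPR-conscious plugins use. The filter `pre_comment_user_ip`, the helper `wp_privacy_anonymize_ip()` and the function `wp_add_privacy_policy_content()` are WordPress core APIs; the plugin name and text domain are made up.

```php
<?php
/**
 * Plugin Name: Commenter IP Minimizer (added example)
 * Description: Truncates commenter IP addresses before storage and suggests matching privacy policy text.
 */

// pre_comment_user_ip runs inside wp_filter_comment() before the comment row is
// written, so the full address never reaches the database. wp_privacy_anonymize_ip()
// turns 203.0.113.77 into 203.0.113.0 and reduces an IPv6 address to its /48 prefix.
add_filter( 'pre_comment_user_ip', function ( $ip ) {
	return wp_privacy_anonymize_ip( $ip );
} );

// Register suggested wording under Settings > Privacy > Policy Guide. The function
// must be called on admin_init or later, which is why the call is wrapped in this hook.
add_action( 'admin_init', function () {
	if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
		return; // WordPress older than 4.9.6 has no Policy Guide.
	}
	$text = __(
		'When you leave a comment we store the name, email address and optional website you enter, together with a truncated version of your IP address (the last part is removed before storage) and your browser user agent, to help detect spam.',
		'commenter-ip-minimizer' // hypothetical text domain
	);
	wp_add_privacy_policy_content( 'Commenter IP Minimizer', wp_kses_post( wpautop( $text, false ) ) );
} );
```

Drop the file into wp-content/mu-plugins/ or activate it as a normal plugin. Two caveats a practitioner should weigh: the filter only affects comments submitted after activation, so rows already in the comments table keep their full addresses; and anti-spam services that score on IP reputation receive only the truncated address, which can lower their accuracy. Keep the suggested policy text and the code in step: the text is only as true as the filter that backs it.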
Analytics and Tracking
Most WordPress sites use some form of analytics. If you use Google Analytics, disclose the data collected (page views, session duration, demographics, device information), whether you use anonymized IP addresses, and link to Google's privacy policy. If you use Matomo, Plausible, or other analytics tools, describe their data collection practices. For blogs, analytics disclosure is often the most significant privacy consideration.
Third-Party Services
WordPress sites commonly embed or integrate with external services. Identify every third-party service and disclose it in your privacy policy. Frequent examples: Google Fonts (Google receives the visitor's IP address); YouTube or Vimeo embeds (these set cookies and collect viewing data); social media sharing buttons (which can track visitors even without a click); CDN services such as Cloudflare (which process visitor requests and IP addresses); email marketing services such as Mailchimp or ConvertKit; and advertising networks such as Google AdSense or Mediavine.
Hosting Provider
Your hosting provider processes server access logs that contain visitor IP addresses, timestamps, and pages visited. Mention your hosting provider and link to their privacy policy, especially if they are located in a different jurisdiction than your visitors.
Cookie Compliance for WordPress
WordPress itself sets a few cookies (for comments and logged-in users), but third-party plugins and services often set many more. For GDPR compliance, you need a cookie consent mechanism that blocks non-essential cookies until consent is given. Popular WordPress cookie consent plugins include Complianz, CookieYes, and GDPR Cookie Compliance. Configure your cookie consent solution to actually block scripts and cookies before consent, not just show a notification banner.
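The difference between "show a banner" and "actually block" is easiest to see in code. The following is an added example, not code from the article or from any of the consent plugins it names: a small plugin that enqueues an analytics loader as an inert placeholder tag, so the browser makes no request and no cookie can be set until a consent banner calls `grantConsent('analytics')`. `wp_enqueue_script`, the `script_loader_tag` filter and `esc_url()` are WordPress core APIs; the script handle, the loader URL and the banner that calls `grantConsent` are assumptions.

```php
<?php
/**
 * Plugin Name: Consent-Gated Analytics (added example)
 * Description: Loads an analytics script as an inert placeholder until the visitor grants consent.
 */

// Placeholders: replace with the real handle and loader URL of your analytics tool.
const CGA_HANDLE = 'example-analytics';
const CGA_SRC    = 'https://analytics.example/loader.js';

// Enqueue as usual so dependency ordering and de-duplication still work.
add_action( 'wp_enqueue_scripts', function () {
	wp_enqueue_script( CGA_HANDLE, CGA_SRC, array(), null, true );
} );

// Rewrite the emitted <script> tag. type="text/plain" makes the browser treat the
// element as inert text: nothing is fetched or executed, so no cookie is set before consent.
add_filter( 'script_loader_tag', function ( $tag, $handle, $src ) {
	if ( CGA_HANDLE !== $handle ) {
		return $tag;
	}
	return sprintf(
		"<script type=\"text/plain\" data-consent-category=\"analytics\" data-src=\"%s\"></script>\n",
		esc_url( $src )
	);
}, 10, 3 );

// Minimal unblocker. The consent banner (assumed, not part of this example) calls
// window.grantConsent('analytics') when the visitor opts in, and again on later page
// loads if it has stored an earlier opt-in.
add_action( 'wp_footer', function () {
	?>
	<script>
	window.grantConsent = function (category) {
		var selector = 'script[type="text/plain"][data-consent-category="' + category + '"]';
		document.querySelectorAll(selector).forEach(function (placeholder) {
			var live = document.createElement('script');
			live.src = placeholder.dataset.src;
			live.async = true;
			placeholder.replaceWith(live); // inserting a real <script> element triggers the load
		});
	};
	</script>
	<?php
} );
```

Because the gating lives in the HTML itself rather than in a server-side check of a consent cookie, it keeps working behind full-page caching, where every visitor receives the same cached markup. To verify that a consent plugin really blocks, load the page in a fresh private window, decline or ignore the banner, and confirm in the browser's network and storage panels that the analytics loader was never requested and set no cookie.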
Keeping Your Policy Updated
WordPress sites change frequently. Plugins get added and removed, themes change, and new integrations are added. Build a habit of reviewing your privacy policy whenever you install or remove a plugin that handles user data, add new forms or data collection points, change your analytics or advertising setup, switch hosting providers, or start selling products or services. At minimum, review your privacy policy every six months even if nothing has changed, to confirm it is still accurate.
Special Considerations for WordPress.com vs. WordPress.org
If you use WordPress.com (the hosted version), Automattic acts as a data processor and has its own privacy practices. Your privacy policy should reference this and link to Automattic's privacy policy. If you use WordPress.org (self-hosted), you are responsible for all data processing, including what happens at the server level.
This article is for informational purposes only and does not constitute legal advice.