WordPress Privacy Policy: How To Create One

If you run your business using a WordPress website, you need to post a privacy policy outlining how you collect, store, handle, share, and sell the personal data you get from your users.

A privacy policy for your WordPress site can help shield your business from potential legal penalties and fosters trust and integrity with your users.

Read through our WordPress privacy policy guide below to find out what a privacy policy is and why you may need one; then, we’ll discuss how to make and add your own privacy policy to your WordPress website.

What Is a WordPress Privacy Policy?

A privacy policy for WordPress sites explains how a website hosted or built with WordPress collects, uses, stores, shares, and sells personal information about your visitors and helps you meet legal requirements outlined by laws like the:

• General Data Privacy Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• California Privacy Rights Act (CPRA)
• California Online Privacy Protection Act (CalOPPA)

While the legal definition does vary under the different data privacy laws, personal information essentially refers to data that can directly or indirectly be linked to an individual or household.

Some examples of personal information that WordPress sites might collect include:

• Names
• Email addresses
• Social media profiles
• Cookie data
• Geolocation information

Websites built with WordPress collect personal data directly or through third-party services. Some common data collection methods on WordPress sites include:

• Contact forms
• Account sign-ups
• User comment forms
• Social media plugins
• Third-party advertisers or analytics

Does My WordPress Site Need a Privacy Policy?

Your WordPress site needs a privacy policy because of one or more of the following reasons:

• It’s required by law
• WordPress requires you to post one
• Privacy policies build trust with your users
• It limits your company’s legal liabilities
• Posting a privacy policy is the right thing to do

Let’s go over each of these reasons in more detail in the next section.

It’s Required by Law

You need a WordPress privacy policy if you collect personal information from users, as you may be subject to comply with privacy laws around the world, including the:

• General Data Protection Regulation (GDPR)
• California Online Privacy Protection Act (CalOPPA)
• California Consumer Privacy Act (CCPA)
• California Privacy Regulation Act (CPRA)

The scope of these privacy laws extends beyond the countries they originate from.

In other words, if your WordPress site is accessible to users worldwide, you may still fall under the jurisdiction of these laws and should post a privacy policy on your WordPress site to avoid potential legal penalties.

Let’s look closer at the notable privacy regulations and how they apply to your WordPress website.

GDPR

Your WordPress site needs a privacy policy under the GDPR, which applies if you offer goods or services to or monitor the online behavior of consumers within the European Economic Area (EEA).

Before any data collection begins, you must provide your users with a privacy policy for your WordPress site that they can read and choose to consent to.

To fulfill the checklist for GDPR compliance, your privacy policy must:

• Be transparent in language and content
• Explain how and why you process, share, use, or sell personal data
• Address data transfers
• Explain your users’ rights regarding their data
• Explain your use of cookies or other trackers

See a WordPress privacy policy example below from the Obama Foundation’s website, which includes a section addressing EEA users and goes over the legal basis for processing data, users’ data rights, and contact information.

Like in the above example, a GDPR-compliant privacy policy for your WordPress website needs to explain the purpose of data collection and users’ rights using language that’s easy to understand for the average user and is free of confusing jargon or legalese.

Penalties for non-compliance under this law include fines of up to 4% of your gross annual revenue or up to €24 million ($23 million), whatever is highest.

CCPA/CPRA

Your WordPress website falls under the CCPA and the CPRA if you do business in California and meet any one of the following thresholds:

• Generates $25 million in gross annual revenue as of January 1st from the preceding calendar year
• Sells, buys, or shares the personal information of 100,000 California households or consumers
• Derives 50% or more of your revenue from sharing or selling personal user data

Under these laws, California users have the right to request to access, transfer, edit, or delete their personal data, and making a comprehensive privacy policy for your WordPress website helps you meet some of these requirements.

Penalties for not complying with these laws include fines of $2,500 per incident or up to $7,500 per intentional incident.

CalOPPA

CalOPPA applies to all WordPress sites collecting personal information from California residents, even if you’re not based in the state.

To meet CalOPPA requirements, you must:

• Post an easy-to-read privacy policy on the homepage of your website that addresses your data handling practices
• State whether or not you honor “do not track” requests
• Explain how you’ll notify users about any privacy policy changes

In the screenshot example below, see how the solar panel company Smartflower’s privacy policy includes a CalOPPA section explaining that “do not track” requests are honored, third-party behavioral tracking is allowed, and privacy policy updates are posted on the privacy policy page.

If your WordPress site collects personal information from California residents, you may need a California privacy policy that addresses the state’s various privacy requirements.

If you’re found in non-compliance with CalOPPA, you could face fines of up to $2,500 per incident.

It’s Required by WordPress

Besides global privacy laws, WordPress also requires you to post a privacy policy as part of their terms of service.

Read the highlighted text in the screenshot below, which is from the WordPress terms of service and explains how anyone using their platform must comply with applicable data privacy laws and regulations, including posting a privacy policy.

WordPress makes it clear that you are expected to be aware of and comply with the relevant data privacy laws that your company falls under to use their services.

It Builds Trust With Users

Consumers today want to know they can trust your website with their personal information, and posting a privacy policy on your WordPress site helps build and maintain that trust.

Below, take a look at some surprising data privacy statistics that highlight the growing need from consumers for more data transparency online:

Making a WordPress privacy policy page can help address many of these privacy concerns.

So even if your WordPress site doesn’t track or store any personal information from users, it’s in your best interest to post an agreement stating as much as to maintain transparency and integrity between your company and your customers.

It Limits Your Legal Liability

Putting a privacy policy on your WordPress site helps limit your company’s liabilities, especially if you ask your users to consent to the agreement.

Many websites use the clickwrap method for consent, which means you provide a checkbox for users to click to express that they’ve read and agree to your WordPress website’s privacy policy.

If a user tries to pursue legal action against you for some reason, you can point to the relevant clauses in your privacy agreement, which acts as a binding policy that may hold up in a court of law.

It’s the Right Thing to Do

We believe that transparently telling your users what personal data you collect about them and how you use that information is simply the right thing to do.

Analyzing your users’ personal information can be an essential tool for small businesses and helps you develop better services, experiences, and resources for your customers.

But it’s also important to acknowledge that data privacy is a global human right, and people deserve to know what information you’re collecting about them, why, how you use that data, and who you share it with or sell it to for financial gain.

These days, it’s so easy to add a privacy policy to WordPress, there’s no excuse not to have one.

How to Create a WordPress Website Privacy Policy

There are several ways to create a privacy policy for your WordPress site, including:

• A managed solution
• WordPress privacy policy templates
• Use WordPress privacy policy plugins
• Do it yourself from scratch

Let’s go over the pros and cons of each of these potential solutions together in more detail.

Use a WordPress Privacy Policy Managed Solution

The easiest way to create a privacy policy for your WordPress website is to use a managed solution, like our WordPress-compatible Privacy Policy Generator.

By answering simple questions about your business, you can make a fully compliant privacy policy for your WordPress site in minutes.

We also ensure your privacy policy stays up to date even when data privacy laws change.

Our Privacy Policy Generator for WordPress takes all of the confusion out of data privacy compliance, so you can rest easy knowing your website and consumers are adequately protected.

Use a WordPress Privacy Policy Template

You also have the option to use a free WordPress privacy policy template, which you can download and customize to meet the specific needs of your business.

Templates complete some of the initial writing for you and provide you with the most common clauses, so you don’t have to start the entire process from scratch, saving you precious time.

Our free privacy policy template is compatible with WordPress websites and abides by laws like the GDPR, the CCPA, the CPRA, and CalOPPA.

Use WordPress privacy policy plugins

WordPress offers several privacy policy plugins that you can use to embed this legal agreement within your website that essentially work like templates or generators.

After choosing the privacy policy WordPress plugin you want to use, download it to your site, enter the proper information about your business, and make a legal agreement that’s ready to publish.

If you choose this route, be mindful of privacy law changes and ensure whatever plugin you use reflects the most recent versions of the laws.

Do It Yourself

Of course, you always have the option to write your own privacy policy for your WordPress website.

However, this may take a lot of your time, effort, and resources.

You should only take a do-it-yourself approach for your WordPress privacy policy if you have extensive data privacy knowledge or work with a lawyer to help you comply with all relevant data privacy laws.

Leaving something out, even by accident, could lead to trouble with the law if you’re ever found in non-compliance.

But if this is what you choose to do, keep reading as we cover the most common clauses you should include in your privacy policy for WordPress sites in the next section.

What to Include in Your WordPress Site’s Privacy Policy

Privacy policies for WordPress sites vary slightly in content depending on the applicable privacy law requirements. But in general, your privacy policy should have clauses addressing some or all of the information we cover in the following sections.

How You Collect and Use Personal Information

To abide by laws like the GDPR, the CCPA, the CPRA, and CalOPPA, you must explain what type of personal information you collect and what it’s used for in a clause in your WordPress website’s privacy policy.

You should also outline the direct and indirect ways your WordPress site collects personal information, such as through contact forms, comment forms, or plugins.

Below, see an example of how Yahoo handles this clause in their privacy agreement, which applies to their blog TechCrunch hosted on WordPress.

Plug-Ins and Third-Party Services

If your WordPress website falls under laws like the GDPR or the CCPA, you must identify all third-party plugins, services, or advertisers that collect information on your site and link to their individual privacy policies.

This way, your users can read the third-party privacy policies and choose if they consent to how the other services use, store, and process their personal data, which is part of their data privacy rights.

Below, see a screenshot of the privacy policy from Ripley’s Believe It Or Not!, which is hosted on WordPress, to see how they talk about sharing and disclosure with third-party services.

Cookie Usage and Preferences

Cookies count as personal information under data privacy laws like the GDPR, the CCPA, the CPRA, and CalOPPA, so you must describe your site’s use of cookies and explain how users can enable or disable them.

For example, see the screenshot below to learn how Yahoo informs their users about their use of cookies and other trackers within their privacy policy.

This is also a good place to link to your cookie policy like Yahoo does in the example above.

If you do business in the EEA and require more specific information, check out our guide on cookie compliance under the GDPR.

Security for Data Storage

Data privacy laws like the CCPA, the CPRA, and the GDPR require you to properly store the personal user data you collect to protect it from data breaches, so you should outline your practices in a clause in your WordPress website’s privacy policy.

The screenshot example below shows how Ripley’s Believe It Or Not! explains their use of Secure Sockets Layer (SSL) technology to encrypt the data their users transmit to them through the internet.

Users’ Rights Over Their Data

To comply with laws like the GDPR, CalOPPA, and the CCPA, you must list the rights that your users have over their data, such as:

• Requesting to access, update, or delete their data
• Your response to “Do Not Track” requests
• Access to a “Do Not Share or Sell My Personal Information” link

In the example below from Yahoo, see how they clearly list all CCPA rights their users have over their data using plain language that is easy to read and understand.

Contact Information

You must provide ways for users to reach you if they have questions or require more information about your WordPress website’s privacy policy.

We recommend including as many means of contact as possible, just ensure the information is accurate and up to date.

Below, see the contact information clause that Ripley’s Believe It Or Not! includes at the end of their WordPress website’s privacy policy.

How To Add a WordPress Privacy Policy Page To Your Site

Now that you know what to put in your WordPress website’s privacy policy, let’s go over how you can create a privacy policy page and add it to your site in four different ways.

• Use WordPress’s built-in privacy policy option
• Use your own pre-existing WordPress privacy policy page
• Create a new WordPress privacy policy page from scratch
• Use a WordPress privacy policy plugin

Use WordPress’s Built-In Privacy Policy

If you want to use the privacy policy WordPress automatically provides to users, then follow these easy steps.

Step 1

Go to your WordPress Admin Dashboard, navigate to Settings, and choose the Privacy tab, as shown below.

Step 2

On the next page, shown for you in a screenshot below, select Create next to the Create a new Privacy Policy Page option.

Step 3

You’ll be taken to a new WordPress Page that will feature some pre-filled information from your website, several common privacy policy clauses, and suggested text that you can adjust to accurately reflect the specifics of your company.

After you’ve personalized the information, hit Publish, as shown below.

Step 4

Next, you’ll want to display your privacy policy in one of your website menus, so navigate to Appearances > Menus on your dashboard, as pictured below.

On the next page, you should see your privacy policy appear in the Most Recent tab, select the checkbox next to it and choose Add to Menu.

Your privacy policy will now successfully appear on your WordPress website.

Use Your Own Pre-Existing WordPress Privacy Policy Page

If you already have an existing Privacy Policy page on your website, still navigate to Settings > Privacy in your Dashboard, as outlined in Step 1 above.

But instead of following the directions mentioned in Step 2, access the drop-down menu next to Change your Privacy Policy page and find your agreement, then click Use This Page, as shown in the screenshot below.

You can then follow the directions from Step 4 above to add the page to your WordPress menu and officially publish your privacy policy.

Create a New WordPress Privacy Policy Page

If you already have a privacy policy document, but it is not currently hosted on a page on your WordPress site, navigate to Pages in your WordPress menu and select Add New.

You’ll be brought to a blank page that you can fill out with the proper title and copy and paste your privacy policy from its original document directly into the body, as shown below.

After you finish formatting your privacy policy into the WordPress page, hit the Publish button, as shown below.

Now you can follow the directions from Step 4 mentioned above to add the privacy policy to one of your WordPress menus and successfully post your agreement.

Add a Privacy Policy to WordPress Using Plugins

The final way to add a privacy policy to your WordPress website is by using a plugin.

To do this, go to Plugins on your dashboard and select Add New, as pictured below.

On the next page, search for the plugin you’re interested in using directly in the search bar, select Install Now, then Activate Plugin.

You’ll be prompted to fill out all the information the same way you would using a WordPress privacy policy template. When you’re finished, select Create.

Then add your privacy policy page to your WordPress menu by following the steps mentioned above

Just remember that data privacy laws like CalOPPA and the GDPR require you to display and link to your privacy policy in prominent locations on your site, such as in the footer, terms and conditions, and other pages where data is collected.

Where and How to Display Your WordPress Privacy Policy

You should display your WordPress privacy policy in some or all of the following locations, which we cover in more detail in the next section:

• Website footer
• Checkout or payment pages
• Login or new user pages
• In your WordPress menus
• WordPress widgets
• In your website’s privacy center

Website Footer

We already taught you how to add a privacy policy to your WordPress footer, but did you know that laws like CalOPPA require you to prominently display it in a static section of your website?

By putting a link to this agreement in the footer, you’re ensuring that your users can find and access the document no matter what page of your website they end up on.

Below, see an example of a link to a privacy policy in the footer of Ripley’s Believe It Or Not! website.

Payment Pages

Another ideal place to link to your privacy policy is on any payment pages, as this is often a point where personal data collection occurs, and laws like the GDPR require you to get consent before gathering data in this way.

Below, see how AARP uses the clickwrap consent method mentioned above for their privacy policy on their payment page for membership.

New User Creation and Login Pages

If your WordPress site allows users to create profiles or logins, you should include a link to your privacy policy on that page to ensure your users can read and consent to the agreement.

In the screenshot example below, see how clothing brand American Eagle links to their privacy policy on their new user login page.

Your WordPress Menu Options

Within your WordPress dashboard, you can choose to post a link to your privacy policy in various menus throughout your website, including:

• Desktop horizontal menu
• Desktop expanded menu
• Mobile menu
• Footer menu
• Social menu

We’ve already mentioned the importance of putting your WordPress website’s privacy policy in the footer, but you might also choose to put it in the horizontal menu or other relevant places throughout your site.

WordPress Widgets

You can also link to a privacy policy in WordPress through widgets, which is as easy as copying and pasting the URL link into the Link field in the Widget Editor within your WordPress dashboard.

For example, if you use our free WordPress-compliant privacy policy template, copy and paste the URL where you host the document directly into your Widget Editor, then click the Update button.

In Your Privacy Center

To ensure all of your website’s legal agreements are easy to find and always accessible, consider creating a privacy center on your website and link your privacy policy on that page.

Your privacy center acts as the central hub for all documents, policies, agreements, and disclaimers you want your users to be aware of.

For more information on creating one for your WordPress site, check out our privacy center guide.

Good Examples of WordPress Privacy Policies

Let’s look at some examples of real-world privacy policies to help inspire you when making one for your WordPress website.

Quartz’s Privacy Policy

We recommend looking at media outlet Quartz’s privacy policy, part of G/O Media, Inc., which has sections explaining what, how, and why they collect data written in plain language, as shown in the screenshot below.

In the next photo, read how the Quartz privacy policy explains how personal user information is shared with third parties and how third-party services collect data on their site, as required by laws like the GDPR and the CCPA.

Because the Quartz site has global visitors, their privacy policy also includes clauses directly addressing European privacy laws like the GDPR, as shown below.

We recommend you also add sections to your privacy that address specific privacy laws and their jurisdictions to ensure compliance with the different data laws that your business falls under.

Vogue’s Privacy Policy

Another great example of a WordPress privacy policy is from Vogue, a Conde Nast brand.

Vogue’s agreement is very easy to find because they link it directly in their website footer, as shown in the screenshot below.

But we also like how Vogue organizes their privacy policy because it’s easy for users to navigate.

Another unique feature of the Vogue privacy policy is their glossary, where they clearly define the different terms they use throughout their agreement.

Vogue puts the glossary information at the end of their policy, but we recommend you put definitions of the terms you use throughout your privacy policy for your WordPress site towards the beginning of your document.

WordPress Privacy Policy FAQ

Take a look at some of the most frequently asked questions we get about WordPress privacy policies and how to add them to a site.

Conclusion

A WordPress privacy policy explains to users how and why you collect their personal information and what precisely you collect.

Laws like the GDPR and CalOPPA mandate privacy policies for websites, and WordPress expects you to follow all relevant data privacy laws as part of their terms of use.

Your privacy policy for your WordPress site should be written using user-friendly language and be clearly displayed on your website. Even if you don’t collect user data, having a privacy policy helps you avoid legal penalties and establishes trust with your site visitors by showing that you take data protection seriously.

You now have a better understanding of what a WordPress privacy policy is, why you need one, and how to add a privacy policy to WordPress.

You can quickly create your privacy policy for WordPress in just a few minutes by using our free WordPress privacy policy template or accessing our comprehensive generator.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author