There are many options for making your WordPress site compliant with GDPR (EU), CCPA (CA, USA), PIPEDA (Canada), and other national and regional privacy laws. Almost too many options, making it hard to choose a solution.

There’s two basic approaches available. The simplest uses a plug-in to provide a way to present and manage the privacy compliance on your website, relying on you to determine and then fulfill what’s required. There are many free any relatively low cost plug-in. Many of these plug-ins have a free version, and also a paid version which provides a wider range of features (for example: geolocation integration to ensure your site shows users exactly what is required for their location).

Some of the more popular plug-ins are:

  1. GDPR Cookie Compliance — free version is here, and it also has a paid option.
  2. GDPR Cookie Consent — free version here, paid option here.
  3. Ninja WordPress GDPR + CCPA + DPA Compliance — has a free version, and a very inexpensive paid option (one-off US$19 license). As of Dec 2020, this is a relatively new plug-in.

The other approach uses a plug-in combined with buying into a subscription service, which will monitor your site to ensure you’re always presenting your viewers with all the necessary information, policies, cookie options, etc. necessary for their location. With so many laws to comply with, varying widely depending on the location of your site user, such a service may well be the best choice for any serious or larger online business.

It’s worth noting that some privacy laws really only impact online businesses over a certain size, or with a a specific mount of business activity in the region in question. The California Consumer Privacy Act (CCPA) is one that comes to mind.

The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:

• Has annual gross revenues in excess of $25 million;
• Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
• Earns more than half of its annual revenue from selling consumers’ personal information.[11][12]

Organizations are required to “implement and maintain reasonable security procedures and practices”[13] in protecting consumer data.

Cookiebot and Complianz are two such service providers.

I haven’t gone into the details of the above options because each has its own specific feature set, and I think it’s best to read through the information on them both to get an idea of what’s possible, what’s required, and what meets your needs and budget.

New Zealand privacy act specific requirements

Being based in New Zealand, I’ve had a number of businesses ask me what’s required to make their site compliant with recent changes in the Privacy Act in New Zealand. The bottom-line is, this act does not enforce specific requirements for web sites. In terms of having to display consent forms, etc. Of course, if you’re not entirely sure what you must do, either read up online, or I suggest checking with your lawyer to be certain your site meets all your privacy obligations as a New Zealand business. It’s my understanding that, for now (late 2020), you won’t need a special plug-in or pop-up for your NZ site specific to New Zealand visitors. You will, however, need to comply with any number of foreign privacy requirements, depending on where your site users are located (GDPR in the EU being the main one, but not the only one).

Need help with implementation?

If you need help with implementing these plug-ins on your WordPress site, or with any other features you might need on your site, please let me know.