Privacy Policy for WordPress

WordPress is a very popular platform for creating websites, from elaborate e-commerce sites to basic informational blogs.

When it comes to needing a Privacy Policy for your WordPress website, you may need one, or you may not. The fact that you use a WordPress platform isn't the determining factor here.

Rather, what determines whether you're required by law to have a Privacy Policy is whether your website collects any personal information.

What is Personal Information?

Personal information has a specific definition when it comes to privacy law and legal requirements for a privacy policy.

In this arena, "personal information" means personally identifiable information: any information that could be used in an attempt to contact, locate, or identify an individual.

Information that can be used to determine an individual's identity includes things like a social security number, name, email address, mother's maiden name, home address, and other such pieces of information.

Other information that can be linked to an individual and used to identify him/her when combined with other personal or identifying information can also be considered personal information, such as medical records, education records, or financial information.

Who requires this?

A number of different countries and laws within those countries require a Privacy Policy to be in place on a website when personal information is collected through that website.

In the United States, the California Online Privacy Protection Act (CalOPPA) applies to any individual or business located within the United States that has a website that collects any personally identifiable information from consumers who are residents of California.

If an individual or business collects this information from California residents, a Privacy Policy must be in place.

Because of the nature of the internet where businesses and websites are so easily able to reach customers all over the world, chances are that most U.S.-based websites will reach California residents. Therefore, CalOPPA works to require this legal agreement for U.S.-based websites that collect any personal information from visitors or users.

Other countries also have requirements for businesses that collect personal information.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) works to keep customers' personal information safe from misuse by businesses.

One of the requirements of complying with PIPEDA is that businesses are open and honest with customers and clients about the collection of personal information, and provide them with policies and information on practices.

In other words, Canadian businesses that collect personal information from users, customers, clients, etc., must provide these users with a Privacy Policy agreement.

In Europe, the Data Protection Directive works to ensure privacy requirements are met. One of the requirements of the regulation is that all European users need to be informed when personal information is collected through a website or mobile app.

A compliant way to inform users of this is to include a Privacy Policy on a website and mobile app.

But does it matter what platform I use?

These laws are triggered by the collection of personal information. There's no mention in any of the laws about the platform used for a website, or the type of website.

For example, a simple WordPress recipe blog that allows users to leave comments on the recipes and asks the users to enter their email addresses would need a Privacy Policy because it collects personal information (email addresses), NOT because it's a WordPress website.

If a WordPress recipe blog were set up to not ask for email addresses or any other personal information, a Privacy Policy would not be needed.

Similarly, the Shwood website is a successful eCommerce website on Shopify that makes a ton of sales with its unique collection of wooden eyeglass frames.

These sales require the collection of many pieces of personal information, including financial details, shipping addresses, and others. Because of this collection of personal information, Shwood must have a Privacy Policy in place. This has nothing to do with WordPress or Shopify, and everything to do with the collection of personal information.

Shwood website footer: Highlight legal link

Here are a few examples of successful websites using the WordPress platform, and the way these sites structure their Privacy Policies based on the activities of the website.

First, Time Inc. uses WordPress for its extensive news website.

Time is powered by WordPress VIP

Time also includes a Privacy Policy page:

Highlight Privacy Policy in Time website footer

Time's Privacy Policy section includes different policies for different users depending on where they reside, such as a Canadian policy being separate from the European Union policy.

This is so that each legal agreement can include specific components that are required by each specific country:

Time links to EU and Canada policies

Time's "default Privacy Policy" has two main sections: The Information We Collect, and How We Use the Information.

Under the first section, The Information We Collect, Time outlines what information may be collected, and under what circumstances. Users are told that when they engage in various activities on the website, such as playing games, entering sweepstakes, or expressing opinions (leaving comments or participating in an online forum), personally identifiable information may be required.

Information we collect in Default Privacy Policy of Time

In the next section, How We Use the Information, Time outlines the ways that both personal information and non-personally identifiable information can and may be used. This section is very long and covers a broad range of scenarios, from using information for marketing purposes, to what may happen to your information if Time is sold, merged with another business, etc.

How we use information in Default Privacy Policy of Time

An Opt-Out section is provided in Time's Privacy Policy. Users can quickly click the included link to opt out of the sharing of any personal information with non-Time third parties. This opt-out ability is a requirement of most privacy laws and is a good way to give your users control over their personal information.

Opt-out clause in Time

TechCrunch is also powered by WordPress and has a large international audience. They collect personal information on the home page by allowing users to enter email addresses to subscribe to a daily newsletter.

TechCrunch also has a Privacy Policy, the one from AOL, noted in the footer of the website:

TechCrunch website footer

Because TechCrunch is an AOL company, AOL's Privacy Policy is used for TechCrunch. Large companies that own and operate smaller subsidiaries or companies will often have one large overarching legal agreement that covers everything.

As seen here, AOL's legal agreement includes a link to information about all of the AOL brands that fall under this legal agreement. Because AOL is partnered with Verizon, AOL provides the Privacy Policy for Verizon as well.

A link to AOL's full Privacy Policy agreement is also included for users who wish to delve deeper into the document:

AOL Privacy Policy Highlights

When you visit the full agreement, you'll find sections outlining what types of information are collected and received, and how this information may be used.

AOL includes a section called Choices that gives users multiple options for changing how AOL handles their personal information.

AOL Choice disclosure section

It's not just WordPress

While these are both WordPress websites, websites built on other platforms still have Privacy Policies when personal information is collected.

In other words, if either Time or TechCrunch were built on Drupal, Joomla, or another website platform, their Privacy Policy agreements would look exactly the same, and still be required.

Here are a few websites using non-WordPress platforms that still have this legal agreement in place because it's required by law.

Heathrow Airport

The famous Heathrow Airport in London uses Joomla for its Heathrow Boutique.

Because personal information is collected on this website when people sign up for email newsletters and make purchases, there must be a Privacy Policy agreement visible for users.

Heathrow Airport: Highlight Privacy Policy in the website footer

The Privacy Policy of Heathrow has all of the sections within it linked in a list at the top of the policy. This makes it very easy for a user to see exactly what type of information is included in the policy, and be able to find it easily:

Heathrow Airport: Privacy Notice

Note how a section is included that tells users how their personal information is used, how it is disclosed, and how a user can access this information or ask questions about how the information is used.

In the very first section, How We Use Your Information, Heathrow makes it clear that this policy applies to LHR Airports Limited and its group companies, which means that the Privacy Policy applies not only to the airport but also to the boutique and any other group company.

Heathrow Airport: How We Use Your Information

City of Chicago Office of the City Clerk

The City of Chicago Office of the City Clerk uses the Drupal platform.

Note in the image of the footer below that there are no legal agreements linked. There's no Privacy Policy:

Website footer of City of Chicago

This is because this website is purely informational. It provides information, but does not collect or use any personal information from users.

If this website were to be on the Joomla or WordPress platform, it would not need a Privacy Policy then, either.

Note that while a Privacy Policy would not be required in a situation where no personal information is collected, it's a best practice to always include a Privacy Policy, even if your website doesn't collect or use any personal information.

This is because users look for this kind of agreement, and having one takes away any questions of what your practices are on collecting and using personal information from users. Even if your agreement is one sentence long and says simply that you do not collect or use any personal information, this is better than none.

Here's an example from the Ixquick search engine of what can be included in a Privacy Policy even if your website doesn't collect personal information:

Screenshot of Ixquick Privacy Policy page

While most WordPress websites will collect some piece of personal information, be it just a name and email address from users, thus triggering the requirement of a Privacy Policy, this requirement has nothing to do with the use of WordPress.

The same website on a different platform, such as Drupal, Joomla or any other, would still require a Privacy Policy.