Privacy in WordPress: Properly checking privacy policy, SSL and typical data sources

Privacy is an important part of every professional WordPress website. As soon as personal data is processed on your website, visitors should be informed clearly and understandably. This does not only apply to large online shops or member areas. Even a simple website with a contact form, comment function, analytics tool, embedded maps, newsletter registration or external fonts can trigger privacy-relevant processes.

WordPress offers built-in functions that help with creating and managing a privacy policy. However, these functions do not replace a legal review. The privacy policy must always match the actual website, the plugins used, external services, forms, cookies and hosting conditions.

Briefly explained: A privacy policy informs visitors about which personal data is processed on your website, why this happens, which services are involved and which rights affected persons have.

Why privacy is important in WordPress

WordPress itself is only the technical basis. A website becomes relevant from a privacy perspective mainly through its specific use: forms, comments, user accounts, shop functions, tracking, newsletters, security plugins, embedded media and external services can process personal data.

Typical personal data on WordPress websites includes, for example:

  • Name and email address: for example in contact forms, comments or user accounts.
  • IP address: for example in server logs, security plugins or comment management.
  • Order data: in WooCommerce shops.
  • Usage data: in analytics, tracking or statistics tools.
  • Cookie data: in marketing, analytics or convenience functions.
  • Message content: in forms, support requests or comments.
  • Payment and shipping data: in shops or booking systems.

According to the FDPIC, the duty to inform means that affected persons must be informed when their personal data is collected and processed. Without this information, affected persons cannot meaningfully exercise their rights.

1. Use the WordPress privacy page

WordPress comes with its own privacy function. You can find it in the dashboard under:

Settings > Privacy

There you can define an existing page as the privacy policy or create a new privacy page. WordPress also provides a privacy guide with information on possible content. According to Learn WordPress, you can create, change and view the privacy page in this area and use the Privacy Policy Guide.

This WordPress function is helpful because it makes the privacy page systematically manageable in the backend. However, it does not automatically create a complete, legally reviewed privacy policy for your specific website.

Practical tip: Use Settings > Privacy to define the official privacy page of your website. Also link this page clearly in the footer.

2. WordPress functions for access and deletion

WordPress includes integrated tools for privacy requests. Under Tools, you will find functions for exporting and deleting personal data. These can help process requests from affected persons technically.

Typical functions are:

  • Export personal data: Creates an export of existing personal data for an email address.
  • Erase personal data: Supports deleting or anonymising certain stored data.

These functions can be relevant, for example, for comments or user accounts. However, they do not automatically cover every data processing activity by every plugin or external service. Therefore, always also check the extensions used.

3. What content belongs in a privacy policy?

A privacy policy should explain clearly which data is processed and why. It should not consist only of general text modules, but should match the actual website.

Typical content includes:

  • Controller: Who operates the website?
  • Contact details: How can affected persons make contact?
  • Hosting: Where and by whom is the website hosted?
  • Server logs: Which technical data is stored when the website is accessed?
  • Contact forms: Which data is processed during enquiries?
  • Comments: Which data is stored when comments are submitted?
  • Cookies: Which cookies are set and for what purpose?
  • Analytics tools: Are statistics or tracking services used?
  • Newsletter: How are subscription, sending and unsubscribe handled?
  • External media: YouTube, Google Maps, social media, fonts or other services.
  • Recipients and third parties: Is data passed on to service providers?
  • Storage period: How long is data retained?
  • Rights of affected persons: Access, rectification, deletion and further rights.

According to the transparency principles of the GDPR, information should be provided in a concise, transparent, understandable and easily accessible form. This basic idea is also practical: visitors should be able to understand what happens to their data.

4. Distinguish between the Swiss Data Protection Act and the GDPR

For Swiss websites, the Swiss Data Protection Act is relevant. If your website also addresses people in the EU or the EEA, the GDPR may also play a role. This is particularly important for multilingual websites, EU customers, EU tracking, EU shipping, digital products or targeted advertising in EU countries.

Therefore, check:

  • Is your website aimed only at Switzerland or also at the EU?
  • Do you have customers, users or newsletter subscribers from the EU?
  • Do you use services involving data transfer to third countries?
  • Are cookies, tracking or marketing tools used?
  • Do you operate a shop with delivery to the EU?

If there is an EU connection, GDPR requirements should be checked carefully. This particularly concerns legal bases, consent, rights of affected persons, data processing agreements, third-country transfers and cookie/tracking topics.

5. Correctly classify Switzerland as a hosting location

The server location is an important point in the privacy policy. With CURIAWEB, you benefit from a server location in Switzerland. This can be an advantage for Swiss companies and customers because data processing and hosting infrastructure are easier to trace locally.

However, it is important to note: a Swiss server location does not automatically make a website fully privacy-compliant. The entire setup is decisive. If, for example, you use Google Analytics, YouTube, Google Maps, external fonts, payment providers, newsletter services or social media plugins, external data processing and data transfers can still take place.

Important: Swiss hosting is a strong building block for privacy and trust. Nevertheless, check all external services, plugins, cookies and data transfers on your website.

6. Enable SSL encryption

SSL (technically its successor TLS today), used via HTTPS, encrypts the connection between browser and website. This is especially important when visitors submit data, for example via contact forms, login pages, comment forms, newsletter registrations or checkout processes.

Check:

  • Is your website accessible via https://?
  • Are all pages automatically redirected to HTTPS?
  • Are the WordPress address and site address set to HTTPS?
  • Is the site free of mixed content, meaning resources still loaded via HTTP?
  • Do forms and login areas work via HTTPS?

7. Use contact forms with privacy in mind

Contact forms are among the most common data sources on WordPress websites. Visitors enter names, email addresses, phone numbers or message content there. This data is often sent by email and sometimes additionally stored in WordPress.

Check forms for:

  • Which fields are really necessary?
  • Is there a reference to the privacy policy?
  • Is form data stored in the database?
  • How long are stored enquiries retained?
  • Is spam protection used?
  • Are external services such as reCAPTCHA used?
  • Is email delivery configured securely and correctly?

Data minimisation is a good principle: only request data that you really need to process the enquiry.

8. Consider comments and user accounts

If comments are enabled, WordPress typically processes data such as name, email address, website URL, IP address, comment content and timestamp. User accounts are also relevant from a privacy perspective, as access data, roles, email addresses and activities may be stored there.

Check:

  • Are comments necessary at all?
  • Are comments moderated manually?
  • How long are comments stored?
  • Are Gravatar or external avatar services used?
  • Can visitors register user accounts themselves?
  • Which roles and rights do users receive?

If comments are not needed, you can disable them and thereby reduce privacy and spam risks.

9. Check cookies and consent management

Many WordPress websites use cookies. Some cookies are technically necessary, others are used for analytics, marketing, convenience functions or external services. Whether a cookie banner or consent management is required depends on the specific use.

Typical services that should be checked:

  • Google Analytics or other statistics tools,
  • Google Ads or Meta Pixel,
  • YouTube or Vimeo embeds,
  • Google Maps,
  • newsletter and marketing services,
  • chat widgets,
  • social media plugins,
  • external fonts,
  • WooCommerce cookies.

If non-essential cookies or tracking services are used, prior consent may be required. The specific implementation should be legally reviewed.

10. Google Fonts, Maps, YouTube and external services

External services can transfer data to third parties when a page loads. This applies, for example, to embedded videos, maps, social media feeds, external fonts or analytics tools.

Check each external service:

  • Is a connection to a third-party provider established when the page is accessed?
  • Are IP addresses or other technical data transferred?
  • Are cookies set?
  • Is the service described in the privacy policy?
  • Is consent required?
  • Is there a local or more privacy-friendly alternative?

With Google Fonts, for example, it can make sense to host fonts locally in order to avoid external connections. For YouTube or Maps, two-click solutions or consent blockers can be useful.
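The mixed-content check from section 6 and the third-party connection check above can both be run against a page's HTML. The following is an added example, not part of the original guide or of WordPress; the hostname map, the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Illustrative hostname-to-service map for services named in this guide
# (assumption: extend it with whatever your own site embeds).
KNOWN_SERVICES = {
    "fonts.googleapis.com": "Google Fonts",
    "www.youtube.com": "YouTube",
    "www.googletagmanager.com": "Google tag (Analytics/Ads)",
}
# Attributes the browser fetches while the page loads. <a href> is left out
# on purpose: a plain link contacts nobody until the visitor clicks it.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload", "preconnect"}

class ResourceCollector(HTMLParser):
    """Collects absolute URLs of resources requested on page load."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return  # e.g. rel="canonical" is metadata, not a request
        value = attrs.get(LOADING_ATTRS.get(tag, ""))
        if value:  # urljoin resolves relative and protocol-relative URLs
            self.urls.append(urljoin(self.page_url, value.strip()))

def audit_page(page_url, html):
    """Return mixed-content URLs and third-party hosts for one HTML page."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page = urlsplit(page_url)
    mixed, third_party = [], {}
    for url in collector.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if page.scheme == "https" and parts.scheme == "http":
            mixed.append(url)  # HTTP resource on an HTTPS page
        if host and host != page.hostname and not host.endswith("." + page.hostname):
            third_party[host] = KNOWN_SERVICES.get(host, "unknown: review")
    return {"mixed_content": mixed, "third_party": third_party}

# Constructed sample page (not taken from a real site).
SAMPLE_HTML = """
<link rel="canonical" href="https://example.ch/kontakt/">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<img src="http://example.ch/wp-content/uploads/team.jpg">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="https://twitter.com/example">Follow us</a>
"""
```

Call `audit_page(url, html)` with the delivered HTML of each page type (home page, contact page, checkout). A static check like this does not see requests that scripts trigger at runtime, so compare the result with the browser's network tab.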

11. Analytics tools and Google Site Kit

Many website operators use Google Analytics, Google Site Kit, Matomo or other statistics solutions. These tools can be very helpful, but they must be integrated in a privacy-compliant way.

Check:

  • Which analytics tool is used?
  • Are IP addresses shortened or anonymised, where possible?
  • Is the tool loaded only after consent, if required?
  • Is the tool described in the privacy policy?
  • Is there a data processing agreement or suitable arrangement?
  • Is data transferred to third countries?

Google Site Kit makes the technical integration of Google services easier, but does not replace a privacy review or consent management.

12. Check WooCommerce and shops particularly carefully

Privacy is particularly important for WooCommerce shops because significantly more personal data is processed. This includes orders, invoice data, delivery addresses, payment information, customer accounts and sometimes tax information.

Check shops for:

  • Which customer data is collected?
  • Which payment providers are used?
  • Which shipping providers receive data?
  • How long is order data stored?
  • Are guest orders possible?
  • Is creating a customer account mandatory?
  • Are marketing consents clearly separated?
  • Are terms and conditions, privacy policy, cancellation rights and shipping information up to date?

For shops, an individual legal review is particularly recommended because privacy, tax law, consumer law and payment processing come together.

13. Document plugins as data sources

Many privacy risks do not arise from WordPress itself, but from plugins. Each plugin can store its own data, integrate external services or set cookies.

Check regularly:

  • Which plugins are active?
  • Which data does each plugin process?
  • Are there external API connections?
  • Does the plugin set cookies?
  • Does the plugin store form entries?
  • Is privacy information available from the plugin provider?
  • Is the plugin still maintained?
  • Is the plugin really necessary?

Deactivate and delete plugins that are not needed. Fewer plugins often mean fewer privacy, security and performance risks.

14. Legal text generators and legal review

Privacy generators can be a good basis if they are reputable, up to date and suitable for your target markets. For Swiss websites, generators should be used that take the Swiss Data Protection Act into account. If there is an EU connection, the GDPR should also be covered.

When using generators, pay attention to:

  • Is the generator suitable for Switzerland?
  • Does it take the GDPR into account if there is an EU connection?
  • Does it ask about specific services and plugins?
  • Is the text updated regularly?
  • Are there notes on data processing agreements and third-country transfers?
  • Does the text really match your website?

For complex websites, shops, health data, member areas, tracking, international sales or sensitive data, legal advice is particularly recommended.

15. Link the privacy policy in a clearly visible place

A privacy policy should be easy to find. A link in the footer that is accessible from every page is common. In addition, the link can appear on forms, newsletter registrations, checkout pages or comment areas.

Good placements are:

  • footer menu,
  • contact form notice,
  • newsletter registration,
  • checkout,
  • registration form,
  • comment area,
  • cookie banner or consent manager.

Do not hide the privacy policy on a hard-to-find subpage. Transparency is a central principle of data protection.

16. Privacy and security belong together

Privacy does not only mean good texts. Technical security is also important. When personal data is processed, the website should be adequately protected.

Important security measures:

  • enable SSL,
  • keep WordPress up to date,
  • update plugins and themes,
  • use strong passwords,
  • check two-factor authentication,
  • create regular backups,
  • limit administrator rights,
  • use spam protection,
  • delete plugins that are not needed,
  • keep an eye on server and error logs.

A privacy policy describes data processing. Technical security ensures that this data is adequately protected.

17. SEO and GEO: correctly classify privacy pages

Privacy policies are not classic SEO landing pages. They should not be overloaded with keywords. What matters is that they are clear, complete, up to date and easy to reach.

The following is nevertheless helpful for SEO and GEO:

  • clear page heading,
  • understandable structure,
  • footer linking,
  • consistent company details,
  • current information,
  • no contradictory statements about tools and services,
  • good readability on mobile devices.

GEO, meaning Generative Engine Optimization, benefits from clear, trustworthy information. A transparent privacy page can contribute to the trustworthiness of your entire website.

18. Common mistakes in WordPress privacy

  • Using standard text unchanged: The WordPress draft rarely fully matches the real website.
  • Not considering plugins: Forms, analytics, shops or security plugins are missing from the text.
  • Forgetting external services: YouTube, Maps, Fonts or social media are not mentioned.
  • No footer link: The privacy policy is difficult to find.
  • No SSL: Forms or login run insecurely.
  • Outdated texts: New tools are added, but the privacy policy is not updated.
  • Cookie banner configured incorrectly: Tracking starts before consent.
  • Overestimating Swiss hosting: Local server location does not replace checking external services.

Recommended procedure

  1. Analyse the website: Which forms, plugins, cookies and external services are used?
  2. Define the privacy page: Select the correct page under Settings > Privacy.
  3. Describe hosting: Correctly list the Swiss server location and hosting provider.
  4. Enable SSL: Operate the website fully via HTTPS.
  5. Check forms: Request only necessary data and set privacy notices.
  6. Check cookies: Distinguish between essential and non-essential cookies.
  7. Check external services: Document analytics, Maps, YouTube, fonts, newsletters and payment providers.
  8. Use a generator or specialist: Have legal text created to match Switzerland and, if applicable, the EU.
  9. Set a footer link: Link the privacy policy in a clearly visible place.
  10. Update regularly: Check the text when new plugins, services or functions are added.

Frequently asked questions about privacy in WordPress

Does WordPress automatically create a complete privacy policy?

No. WordPress can create a privacy page and provide guidance. However, the content must be adapted to your specific website, plugins, forms and external services.

Where do I find the privacy settings in WordPress?

You can find the section under Settings > Privacy. There you can create a privacy page or define an existing page.

Do I need a privacy policy if I only have a simple website?

If personal data is processed, visitors should be informed. Even contact forms, server logs, comments, analytics or external services can be relevant from a privacy perspective.

Is Swiss hosting automatically privacy-compliant?

No. Swiss hosting is an important advantage, but it does not replace checking plugins, external services, cookies, forms and data transfers.

Do I have to mention Google Analytics in the privacy policy?

Yes, if you use Google Analytics or comparable analytics tools, they should be described in the privacy policy and, depending on the setup, loaded only after consent.

Is SSL important for privacy?

Yes. SSL protects data transmission between visitor and website. HTTPS is particularly important for forms, login, comments, shops and customer areas.

Should I use privacy texts from a generator?

A reputable generator can be a good basis. For complex websites, shops, EU connections or sensitive data, legal review is recommended.

How often should I update my privacy policy?

Whenever data processing, plugins, external services, tracking, forms, shop functions or legal requirements change. A regular review is advisable.


Secure WordPress hosting with server location in Switzerland

Privacy starts with a clean technical foundation. With WordPress hosting from CURIAWEB, you benefit from a Swiss server location, SSL included, fast NVMe infrastructure and a stable basis for professional WordPress websites.


Legal notice: This guide does not constitute legal advice. If necessary, have your privacy policy reviewed by a qualified professional.
