You installed a privacy policy plugin. You added a cookie consent banner. You even checked the GDPR compliance box in WooCommerce settings. And none of that matters — because the GDPR accountability principle does not ask whether you comply. It asks whether you can prove it.
Article 5(2) is eleven words long: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.” Those eleven words shifted the entire burden of proof in European data protection law from regulators to you. A WordPress administrator who has done everything right but documented nothing is, by definition, in violation of the GDPR. Not hypothetically. Definitionally.
And European regulators are not waiting for data breaches to come looking. The Belgian DPA has conducted own-initiative investigations against websites with as few as 35,000 monthly visitors. If you think your WordPress site is too small to attract attention, the enforcement record says otherwise.
Why accountability exists — and why it changed everything
The GDPR’s predecessor, Directive 95/46/EC, operated on a notification model. Controllers registered their processing activities with regulators, and under-resourced authorities were supposed to monitor compliance. It did not work. The OECD had included accountability in its 1980 Privacy Guidelines, but the 1995 Directive transposed only six of its seven principles, leaving accountability on the cutting room floor. The Article 29 Working Party spent years arguing that the existing principles were sound but toothless without an enforcement mechanism. Their Opinion 3/2010 finally recommended making accountability explicit.
Article 5(2) is the result. It functions as a meta-principle — it does not prescribe what to do, but requires controllers to show they have done it. Article 24 operationalises this by requiring “appropriate technical and organisational measures” to ensure and demonstrate compliance, calibrated to the nature, scope, context, purposes of processing, and risks to individuals. A WooCommerce store processing payment data bears heavier obligations than a blog with a contact form. And Article 24(1) adds a requirement that most administrators overlook: measures must be “reviewed and updated where necessary.” Accountability is not a checkbox. It is a programme.
The recitals make the legislative intent unmistakable. Recital 74 establishes that the controller’s responsibility extends to processing done on the controller’s behalf — meaning you cannot outsource accountability even when you outsource processing to your hosting provider, your email service, or your analytics platform. Recital 78 links accountability to data protection by design and extends responsibility upstream to product developers, encouraging them to build tools that enable compliance. Recital 82 connects record-keeping under Article 30 directly to demonstrating compliance. And Recital 85 — the only recital to use the phrase “the accountability principle” by name — states that a controller can avoid breach notification only if it can demonstrate, in accordance with the accountability principle, that the breach is unlikely to result in risk.
The EDPB has reinforced this through Opinion 22/2024, clarifying that the accountability principle extends through the entire processing chain. Controllers must identify all processors and sub-processors, verify their “sufficient guarantees” under Article 28(1), and ensure that delegation does not lower the level of protection. As the EDPS has stated plainly: “Organisations, and not Data Protection Authorities, must demonstrate that they are compliant with the law.”
What your WordPress site actually collects — and where it hides
You cannot demonstrate compliance with data handling if you do not know what data your site handles. Most WordPress administrators have never audited their own database.
The wp_users table stores user_login, user_email, user_url, user_registered, display_name, and user_nicename — all personal data by any definition. The wp_usermeta table extends this with first_name, last_name, nickname, description, and critically, session_tokens — a serialised field containing IP addresses, user agents, login timestamps, and expiration times for every active session.
The wp_comments table captures six distinct personal data fields for every non-logged-in commenter: comment_author, comment_author_email, comment_author_url, comment_author_IP, comment_content, and comment_agent. Every comment from a visitor who has never created an account on your site stores their name, email, website, IP address, what they wrote, and what browser they used.
Then there is the REST API. The endpoint /wp-json/wp/v2/users publicly exposes user slugs (typically identical to login usernames), display names, biographical descriptions, website URLs, and Gravatar URLs for any user who has published a post. Since WordPress 4.7.1, only users with published posts are exposed to unauthenticated requests, but this still represents a personal data exposure point that you need to evaluate — and document in your records.
WordPress core itself sets no analytics or tracking cookies. Authentication cookies are strictly functional. Comment cookies (comment_author_{HASH}, comment_author_email_{HASH}, comment_author_url_{HASH}) store commenter details for approximately one year. Since WordPress 4.9.6, a consent checkbox can be enabled under Settings, Discussion — but it was changed to disabled by default in WordPress 4.9.8 after the community determined it was not legally required in all jurisdictions. Whether it is required for your site depends on your legal analysis, not on WordPress’s default setting.
WordPress gave you privacy tools — then left the hard part to you
WordPress 4.9.6, released on May 17, 2018 — eight days before the GDPR’s enforcement date — introduced a suite of privacy tools. These tools address specific accountability requirements. They do not address most of them.
The Personal Data Export tool (Tools, Export Personal Data) implements Article 15 right of access and Article 20 data portability. It creates a user_request custom post type, sends a verification email, iterates through all registered data exporters via an AJAX loop, and generates a ZIP file in wp-personal-data-exports/ that expires after three days. The Personal Data Erasure tool follows the same flow but calls eraser callbacks instead. Core erasers anonymise comment data — replacing the author name with “Anonymous” and blanking email, URL, IP, and user agent — but the erasure tool does not delete user accounts. That remains a separate administrative action.
The Privacy Policy Page feature allows administrators to designate or create a privacy policy page, with a helper that aggregates suggested policy text from core, themes, and plugins via wp_add_privacy_policy_content().
These tools operate through two filters: wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers. Plugin developers register callbacks to include their data in export and erasure operations. The architecture is extensible but voluntary. And here is the accountability gap that most administrators never discover: these tools only cover plugins that have implemented the hooks. If you rely solely on WordPress’s built-in export and erasure tools without verifying that every active plugin has registered its exporters and erasers, your data handling is incomplete. Run a test export for a known email address. The results will tell you which plugins participate and which leave you exposed.
Every plugin you install is an accountability decision
Every plugin that touches personal data creates additional accountability surface area. The obligations vary dramatically.
WooCommerce creates the heaviest GDPR burden in the WordPress ecosystem. It collects names, email addresses, phone numbers, billing and shipping addresses, payment tokens, complete order histories, product reviews, and download permissions. Since version 3.4, WooCommerce integrates fully with WordPress’s privacy tools — customer data appears in exports, and erasure requests anonymise order data while preserving transaction records for accounting obligations. WooCommerce provides configurable data retention periods under Settings, Accounts and Privacy. But the accountability obligation does not stop at WooCommerce’s settings page. You must document the lawful basis for each processing activity — typically contractual necessity for order fulfilment, legitimate interest for fraud prevention, and consent for marketing — and maintain Data Processing Agreements with every payment gateway and shipping provider.
Jetpack creates the most significant third-party data transfer concerns. When connected, Jetpack syncs a near-complete clone of your site database to Automattic’s servers. A daily heartbeat sends site statistics. Each analytics event transmits IP addresses, user agents, referring URLs, timestamps, browser language, and country codes via invisible tracking pixels. Automattic offers a DPA that covers WordPress.com, Jetpack, Akismet, WooCommerce.com, and Crowdsignal. If you are using Jetpack without a signed DPA and without disclosing this data transfer in your privacy policy, you are in violation of both Article 28 and Article 13. That is not an edge case. That is a common WordPress installation.
Gravity Forms provides the most comprehensive built-in GDPR toolset among form plugins. Its Personal Data Settings tab allows preventing IP address storage, configuring retention policies, and selecting which fields to include in WordPress privacy exports and erasures. A purpose-built Consent Field records explicit agreement. Gravity Forms registers both exporters and erasers via the WordPress privacy hooks.
Contact Form 7 stores no form submissions in the database by default — it acts only as an email conduit. This reduces the accountability burden but also means data control ends once the email is sent. The companion plugin Flamingo adds database storage but does not integrate with WordPress’s privacy tools. The developer explicitly states: “No WordPress plugin in itself can provide legal compliance.” That is an honest position and a useful reminder.
Yoast SEO stores no visitor personal data whatsoever. The plugin processes only website data, not visitor data. GDPR obligations from Yoast are minimal.
GDPR-specific plugins like Complianz, CookieYes, and WPConsent address cookie consent management — banner display, script blocking until consent, consent logging. They address a necessary slice of compliance. They do not handle data mapping, Records of Processing Activities, DPIAs, or comprehensive data subject rights management. No single plugin solves GDPR accountability. Anyone who tells you otherwise is selling something.
The SME Exemption Will Not Save You From Article 30
Article 30 requires controllers to maintain Records of Processing Activities, and the SME exemption in Article 30(5) almost never applies to WordPress site operators. The exemption exists only for organisations with fewer than 250 employees whose processing is “occasional,” does not include special categories of data, and is unlikely to result in risk. The EDPB has clarified that “occasional” processing does not include routine business activities like running a website, keeping customer records, using analytics, or sending marketing emails. The Irish DPC’s 2023 guidance, based on a sweep of 30 organisations, confirms this interpretation.
Your ROPA should document every distinct processing activity on your WordPress site: contact form submissions, newsletter signups, web analytics, WordPress comments, user registration, WooCommerce orders, security plugin logging, cookie consent management, spam filtering through Akismet, and any embedded third-party content — YouTube, Google Fonts, Maps. Each entry must specify the purpose, categories of data subjects and personal data, categories of recipients including international transfers, envisaged erasure time limits, and a general description of security measures.
The ROPA is not bureaucratic theatre. It forces you to map your actual data flows rather than assuming you know what your site collects. Many administrators discover during this exercise that their sites collect far more personal data than they realised — through plugins, themes, and embedded third-party scripts they installed without reviewing their data handling practices.
Data Processing Agreements across your entire supply chain
Article 28 requires a written contract between controller and processor containing specific mandatory provisions: that the processor acts only on documented instructions, ensures confidentiality, implements appropriate security, respects sub-processor conditions, assists with data subject rights, deletes or returns data after service ends, and makes information available for audits.
Most WordPress administrators have multiple processor relationships requiring DPAs. Your hosting provider is the most obvious. SiteGround, Kinsta, WP Engine, Cloudways, and Pantheon all publish DPAs. Google Analytics is covered by Google’s Ads Data Processing Terms. But several processor relationships create particular compliance challenges.
Google reCAPTCHA has no dedicated DPA, and the Austrian DPA has ruled that its cookies cannot be justified on legitimate interest alone. The CNIL has fined companies for using it without consent. Privacy-friendly alternatives like Friendly Captcha or hCaptcha sidestep this entirely. Google Fonts loaded remotely transmit visitor IP addresses to Google — the Munich Regional Court ruled in January 2022 that this violates GDPR without consent. Self-hosting Google Fonts eliminates this data transfer.
Not all third parties are processors. Social media embeds typically involve independent controllers or joint controllers, requiring disclosure in your privacy policy rather than a DPA. Misclassifying these relationships is among the most common mistakes WordPress administrators make.
What enforcement actions tell you about where this is heading
Enforcement data shows that accountability is independently sanctionable — regulators do not need a data breach to find you in violation. The pattern is instructive.
PricewaterhouseCoopers Greece received a EUR 150,000 fine in July 2019 from the Hellenic DPA, which explicitly found that PwC violated Article 5(2) by transferring the burden of proof to data subjects. PwC had required employees to sign consent forms while actually relying on a different, undisclosed legal basis.
Axpo Italia was fined EUR 10,000,000 by the Italian Garante in September 2023. Over 5,000 customers complained that contracts were activated in their names without their knowledge. The Garante rejected Axpo’s argument that accountability was an “obligation of means” rather than results, finding that the company’s technical and organisational measures were demonstrably inadequate.
IAB Europe — the organisation that designed the Transparency and Consent Framework used by thousands of websites — received a EUR 250,000 fine from the Belgian DPA in February 2022 citing nearly every accountability-related article: Article 24, 25, 30, 32, 35, and 37. The organisation responsible for building consent infrastructure failed its own accountability obligations across the board.
Most relevant to WordPress administrators: the Belgian DPA fined Jubel.be, a legal news website with approximately 35,000 monthly visitors, EUR 15,000 in December 2019 following an own-initiative investigation. The DPA explicitly stated that the enforcement was intended to demonstrate that small website operators are equally subject to GDPR. A second Belgian decision imposed EUR 50,000 on a website operator whose cookie consent mechanism placed 11 cookies before consent, used pre-ticked boxes, and made consent withdrawal impossible — issues directly analogous to misconfigured WordPress cookie plugins.
No enforcement action specifically targeting a WordPress site has been publicly reported. But the pattern is clear: supervisory authorities treat website operators as controllers subject to full accountability obligations regardless of CMS platform or organisation size. The EDPB’s 2026 coordinated enforcement action focuses on transparency and information obligations under Articles 12 through 14, which directly implicate privacy policies and consent mechanisms on websites. Enforcement against small and medium website operators is increasing, not decreasing.
The difference between compliance and demonstrable compliance
The accountability principle’s core insight is practical and unforgiving: compliance that cannot be demonstrated is indistinguishable from non-compliance.
For WordPress administrators, this means the difference between having a privacy policy and being able to show when it was last reviewed. Between using consent checkboxes and retaining timestamped consent records. Between installing a security plugin and maintaining a documented breach response procedure covering the 72-hour notification window under Article 33. Between knowing your hosting provider has a DPA and having actually signed it.
GDPR certification remains largely aspirational for WordPress professionals. Only two European Data Protection Seals have been approved — Europrivacy and EuroPriSe — and neither specifically targets website operators. No codes of conduct under Article 40 address the WordPress ecosystem. For the foreseeable future, accountability for WordPress administrators means documentation, not certification.
The GDPR does not demand perfection. It demands evidence of a programme proportionate to the risk — reviewed, updated, and ready to present when asked. Go back to those eleven words in Article 5(2). You installed the privacy plugin. You added the cookie banner. Can you demonstrate that you did? Can you show when you last reviewed whether they still work? Can you produce a record of every processing activity on your site, every processor relationship, every lawful basis?
If the answer is no, you know where to start.
— Comments 0
No comments yet. Be the first to share your opinion!
Comments are closed for this post.