The Six Lawful Bases for Processing Data on WordPress Sites

Every piece of personal data your WordPress site touches — from a WooCommerce shipping address to a Wordfence security log — must rest on one of six lawful bases defined in GDPR Article 6. There are no exceptions, no workarounds, and no grace periods. Meta discovered the stakes in January 2023 when Irish regulators slapped the company with a €390 million fine for claiming “contractual necessity” as the basis for behavioral advertising. The European Data Protection Board’s binding decision made clear that showing users targeted ads based on their activity is never necessary to deliver a social networking service. If one of the world’s largest technology companies can misclassify its lawful basis, smaller WordPress operators face the same trap.

Article 5(1)(a) establishes lawfulness as the very first GDPR principle. Article 6(1) then specifies that processing is lawful “only if and to the extent that at least one of the following applies,” enumerating six exhaustive options: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The ICO confirms no hierarchy exists among these six — none is inherently superior to another. The correct basis depends entirely on your specific purpose and relationship with the data subject.

Your choice of lawful basis shapes which rights users can exercise against you. Consent triggers withdrawal rights. Legitimate interests triggers objection rights. Legal obligation can block erasure requests entirely. Most WordPress sites need four or five different bases running concurrently across their various processing activities because no single basis covers everything a typical site does.

The basis must be determined before processing begins. The EDPB states this plainly: the legal basis must be identified at the outset of processing, and the information given to data subjects under Articles 13 and 14 must specify which basis applies. Retrofitting a basis after collection violates both the accountability and transparency principles. Equally important, you generally cannot switch bases later. The ICO warns that retrospectively switching lawful basis is likely to be inherently unfair to the individual. If you rely on consent and someone withdraws it, you cannot quietly pivot to legitimate interests to continue processing.

Documentation is non-negotiable. Article 30 requires Records of Processing Activities listing purposes, data categories, and recipients. While Article 30 does not explicitly mandate recording your lawful basis, the ICO recommends it as essential to accountability. Your privacy policy must also disclose the lawful basis for each processing purpose, and when relying on legitimate interests, you must additionally state the specific interests pursued.

Consent Demands Genuine Choice

Consent under Article 6(1)(a) is the most familiar basis to WordPress site owners and the most frequently botched. Article 4(11) defines valid consent as a “freely given, specific, informed and unambiguous indication” of agreement through a “clear affirmative action.” Each word carries legal weight that regulators enforce aggressively.

Freely given means the data subject has genuine choice and faces no detriment for refusing. Article 7(4) specifically flags situations where consent is bundled with service access. If signing up for your WooCommerce store requires consenting to marketing emails, that consent is presumed invalid because the user cannot obtain the service without surrendering additional data rights.

Specific means separate consent for separate purposes. One checkbox for newsletter subscription, another for sharing data with partners. Bundling multiple processing purposes into a single consent request violates this requirement.

Informed means disclosing your identity, what data you will process, and why — before the user acts. A checkbox that says “I agree to the privacy policy” without surfacing the key details fails this test.

Unambiguous means clear affirmative action. The CJEU confirmed in Planet49 (C-673/17, 2019) that pre-ticked checkboxes do not constitute valid consent. Silence, continued browsing, and inactivity also fail.

Article 7 adds operational requirements that trip up many WordPress implementations. You bear the burden of proving consent was given, so you must log timestamps, what exactly was consented to, and which version of the consent form was presented. Withdrawal must be as easy as giving consent: if users clicked one button to subscribe, an unsubscribe link must work just as simply. Consent requests must be clearly distinguishable from other matters — burying them in your Terms of Service violates Article 7(2).
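The proof-of-consent requirement above is easier to meet when consent is stored as an append-only event log rather than a boolean on the user record. The following JavaScript is an added illustration, not code from the original post or from any plugin; the purpose names, the injectable clock and the in-memory array are assumptions for the example (a real site would persist the entries).

```javascript
'use strict';

// Purposes the site asks about, one entry per purpose so consent stays
// "specific" and can be withdrawn per purpose. Constructed for this example.
const KNOWN_PURPOSES = new Set([
  'newsletter', 'analytics_cookies', 'marketing_cookies', 'partner_sharing',
]);

// Append-only consent ledger. `clock` is injectable so timestamps can be
// checked; production code uses the real time and persists the entries.
function createConsentLedger(clock = () => new Date()) {
  const events = [];

  function append(entry) {
    const frozen = Object.freeze({ ...entry, at: clock().toISOString() });
    events.push(frozen);
    return frozen;
  }

  return {
    // Records an opt-in. Refuses anything that is not a clear affirmative
    // action (a pre-ticked box arrives as affirmative: false and is not
    // consent), requires at least one named purpose, and stores which
    // version of the consent text was shown so it can be reproduced later.
    grant({ subjectId, purposes, formVersion, affirmative }) {
      if (affirmative !== true) {
        throw new Error('not consent: no clear affirmative action by the user');
      }
      if (!Array.isArray(purposes) || purposes.length === 0) {
        throw new Error('consent must name at least one specific purpose');
      }
      if (typeof formVersion !== 'string' || formVersion === '') {
        throw new Error('record the version of the consent text presented');
      }
      return purposes.map((purpose) => {
        if (!KNOWN_PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
        return append({ type: 'grant', subjectId, purpose, formVersion });
      });
    },

    // Withdrawal is a single call, as easy as granting; nothing was shown to
    // the user, so no form version is recorded.
    withdraw({ subjectId, purposes }) {
      return purposes.map((purpose) => append({ type: 'withdraw', subjectId, purpose }));
    },

    // Replays the ledger for one subject and purpose up to `asOf`. The most
    // recent event decides, so a grant followed by a withdrawal is "no consent".
    hasConsent(subjectId, purpose, asOf = clock()) {
      const cutoff = asOf.toISOString();
      let latest = null;
      for (const ev of events) {
        if (ev.subjectId === subjectId && ev.purpose === purpose && ev.at <= cutoff) {
          latest = ev;
        }
      }
      return latest !== null && latest.type === 'grant';
    },

    // Everything needed to demonstrate consent on request: who, what, when,
    // and which consent text they saw.
    proof(subjectId, purpose) {
      return events.filter((ev) => ev.subjectId === subjectId && ev.purpose === purpose);
    },
  };
}
```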

Consent is the correct basis for newsletter and email marketing signups, marketing cookies and tracking pixels like the Facebook Pixel and Google Ads tags, optional data collection beyond what your service requires, and analytics using cookies. Most DPAs require consent for cookie-based analytics, though CNIL permits a narrow exemption for privacy-friendly tools like self-hosted Matomo when configured to truncate IPs, limit cookie lifetime to 13 months, and serve only aggregate single-site measurement purposes.

Consent is not the right choice when processing is necessary for contract performance, when you would continue processing regardless of withdrawal, or when a power imbalance exists between you and the data subject. Using consent for WooCommerce order fulfillment creates an absurd situation: if the customer withdraws consent mid-order, you technically cannot ship their purchase. Contract performance handles this cleanly.

Cookie Consent Runs on a Parallel Track

The ePrivacy Directive (2002/58/EC) operates as “lex specialis” alongside GDPR for cookies specifically. It requires consent before placing any non-essential cookies on a user’s device, while GDPR governs the subsequent processing of personal data those cookies collect. Your WordPress cookie consent banner must block analytics and marketing scripts until the user actively opts in — not after they scroll, not after they continue browsing, but after they click an affirmative acceptance.

Only strictly necessary cookies are exempt from consent: WordPress login sessions stored in cookies prefixed with wordpress_logged_in_, WooCommerce cart cookies, CSRF tokens, and load-balancing cookies. You must still inform users about these cookies even though consent is not required.

Your cookie banner must offer Accept All and Reject All buttons with equal visual prominence. CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically for dark pattern cookie banners that made rejection harder than acceptance. Granular category controls covering functional, analytics, and marketing cookies are required. A persistent cookie settings link must remain accessible on every page to enable withdrawal at any time.

WordPress plugins like CookieYes, Complianz, and WPConsent handle the technical implementation including automatic script blocking before consent and consent logging for accountability purposes.
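The decision logic behind "block until opt-in" is small enough to show in full. The JavaScript below is an added example, not code from the original post or from CookieYes, Complianz or WPConsent; it assumes gated scripts are served as inert text/plain elements tagged with a category, takes the strictly necessary cookie prefixes from the text plus WooCommerce's cart and session cookie names, and treats the well-known _ga and _fbp tracker cookies as analytics and marketing respectively.

```javascript
'use strict';

// Banner categories. Only 'necessary' runs without a recorded choice.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Strictly necessary cookie prefixes: the WordPress login cookie from the
// text plus WooCommerce cart/session cookies. Tracker prefixes are the
// Google Analytics and Meta Pixel cookie names, included for illustration.
const NECESSARY_PREFIXES = [
  'wordpress_logged_in_', 'wordpress_sec_', 'woocommerce_cart_hash',
  'woocommerce_items_in_cart', 'wp_woocommerce_session_',
];
const TRACKER_PREFIXES = { _ga: 'analytics', _fbp: 'marketing' };

// Maps a cookie name to a category; anything unrecognised is treated as
// non-essential and therefore needs consent before it is set.
function classifyCookie(name) {
  if (NECESSARY_PREFIXES.some((p) => name.startsWith(p))) return 'necessary';
  for (const [prefix, category] of Object.entries(TRACKER_PREFIXES)) {
    if (name.startsWith(prefix)) return category;
  }
  return 'unknown';
}

// State before the visitor acts. Scrolling or browsing on leaves it unchanged.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false, decided: false };
}

// Applies a banner action. Accept All and Reject All are single clicks of
// equal weight; a granular object sets each optional category explicitly and
// anything it omits stays off. Any other "action" (scroll, dismiss) is not consent.
function applyChoice(state, choice) {
  const next = { ...state, decided: true };
  if (choice === 'accept_all') {
    for (const c of CATEGORIES) next[c] = true;
  } else if (choice === 'reject_all') {
    for (const c of CATEGORIES) next[c] = c === 'necessary';
  } else if (choice && typeof choice === 'object') {
    for (const c of CATEGORIES) {
      if (c !== 'necessary') next[c] = choice[c] === true;
    }
  } else {
    throw new Error(`not a consent action: ${String(choice)}`);
  }
  next.necessary = true; // not a consent choice, cannot be switched off
  return next;
}

// Given gated scripts ({ src, category }) and the consent state, returns the
// ones allowed to run. Unknown categories never match and stay blocked.
function scriptsToActivate(scripts, state) {
  return scripts.filter((s) => s.category === 'necessary' || state[s.category] === true);
}

// Browser-side activation (not exercised outside a browser): a gated
// <script type="text/plain" data-src="..."> is inert, so a fresh element is
// inserted rather than flipping the existing element's type.
function activate(el) {
  const live = document.createElement('script');
  live.src = el.dataset.src;
  document.head.appendChild(live);
}
```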

Contractual Necessity Covers What Your Service Literally Requires

Article 6(1)(b) permits processing that is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” This is the workhorse basis for WooCommerce stores and membership sites.

The EDPB’s Guidelines 2/2019 interpret necessity strictly. Processing must be objectively necessary for delivering the contractual service, not merely useful or referenced in contract terms. The test asks whether the contract would fail without this specific processing.

WooCommerce order processing qualifies: collecting the customer’s name, shipping address, and payment details is objectively necessary to deliver purchased goods. Creating a customer account to manage paid membership access qualifies. Sending order confirmations and shipping notifications qualifies. Processing refund requests, delivering digital products, freelancer and agency client project management, and pre-contractual activities like gathering requirements for a quote all qualify.

Marketing to existing customers does not qualify. The EDPB was emphatic on this point in its binding decision against Meta. Behavioral profiling does not qualify. Service improvement analytics do not qualify. Collecting more data than objectively needed does not qualify. Fraud prevention generally belongs under legitimate interests rather than contract.

The principle is clean: if a reasonable person entering your WooCommerce store would not expect specific processing as essential to receiving their purchase, it is not contractual necessity.

Legal Obligation Handles Mandatory Record-Keeping

Article 6(1)(c) applies when EU or Member State law specifically requires the processing — not when law merely permits it. WordPress site owners most commonly encounter this basis through tax record retention.

EU VAT rules require transaction records be kept for ten years under Council Regulation 282/2011. Most Member States impose five to ten year retention requirements for financial records. WooCommerce invoicing records, payment documentation, and customer purchase data for tax purposes all fall squarely under this basis. Employment law obligations covering payroll processing, social security contributions, and workplace safety records also qualify.

The key test: you must identify a specific legal provision creating the obligation. General business best practices or industry standards do not count. Data subjects generally cannot exercise the right to erasure against data you are legally obligated to retain — a useful protection when customers demand deletion of transaction records you must keep for tax compliance.

Vital Interests and Public Task Fill Narrow Niches

Article 6(1)(d) protects life itself, literally. Recital 46 specifies it applies to monitoring epidemics, humanitarian emergencies, and situations where someone’s life is at risk and consent cannot be obtained. It is a last resort and essentially irrelevant to commercial WordPress sites. No standard ecommerce transaction, content delivery, or membership management involves life-or-death processing. Even healthcare WordPress sites would typically rely on consent, public task, or legal obligation for planned care rather than vital interests.

Article 6(1)(e) authorizes processing necessary for tasks carried out in the public interest or under official authority. It applies exclusively to public bodies: government WordPress sites, university portals, NHS and healthcare platforms, schools, and local councils. The task or authority must have a clear legal foundation — organizations cannot self-designate as performing a public task.

Universities rely on public task for student administration, research, and teaching activities grounded in their Royal Charter or statutory instruments. Private commercial WordPress sites cannot use this basis. Public authorities relying on public task cannot simultaneously use legitimate interests for those same core tasks.

Legitimate Interests Offers Flexibility with Strings Attached

Article 6(1)(f) is the most flexible basis and the one most WordPress site owners will rely on alongside consent. It permits processing “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” but only where those interests are not “overridden by the interests or fundamental rights and freedoms of the data subject.”

This flexibility comes with a mandatory accountability mechanism: the Legitimate Interests Assessment, a documented three-part analysis you must conduct and retain.

The purpose test asks whether a genuine legitimate interest exists. The interest must be lawful, clearly articulated, and real rather than hypothetical. Vague claims like “we have a legitimate interest in processing customer data” fail immediately. Specific formulations work: “We have a legitimate interest in logging IP addresses and failed login attempts to prevent unauthorized access to our WordPress site.”

Recital 47 acknowledges direct marketing as a potential legitimate interest. Recital 48 covers intra-group data transfers for administration purposes. Recital 49 explicitly recognizes network and information security as legitimate interests — critical support for WordPress security plugins.

The necessity test asks whether the processing is the minimum needed to achieve that interest. Could you accomplish the same goal with less intrusive means? If server-side analytics without personal identifiers would serve your purpose, collecting granular user-level data fails the necessity test. The EDPB insists processing must be strictly necessary, not merely useful.

The balancing test weighs your interests against the data subject’s rights and freedoms. Factors favoring the controller include minimal privacy impact, reasonable expectations of the data subject, an existing relationship, clear safeguards like encryption and access controls, and an easy opt-out mechanism. Factors favoring the data subject include processing of children’s data, special category data, unexpected processing, large-scale profiling, and sharing data with multiple third parties. The EDPB Guidelines 1/2024 published in October 2024 emphasize that reasonable expectations of data subjects are paramount in this balance.

Website security logging is the clearest case for legitimate interests. Wordfence, Sucuri, and similar plugins logging IP addresses, failed login attempts, and suspicious activity enjoy explicit support from Recital 49. The privacy impact is low, the purpose is clearly legitimate, and users reasonably expect their visits to be logged for security.

Fraud prevention on ecommerce sites, analyzing transaction patterns to detect suspicious orders, is recognized in Recital 47 and widely accepted by DPAs.

Direct marketing to existing customers can rely on the soft opt-in concept from ePrivacy Directive Article 13(2). You may email existing customers about similar products or services if you collected their email during a sale, offered a clear opt-out at that point, and include an unsubscribe link in every message. The right to object to direct marketing is absolute under Article 21(2-3) — you must stop immediately upon any objection.

Contact form processing is typically justified under legitimate interests. The site owner has a legitimate interest in receiving and responding to inquiries, the user initiates contact voluntarily, and the privacy impact is proportionate.

Backup plugins storing personal data operate under legitimate interests for business continuity and data security. Live chat widgets can justify the chat functionality itself under legitimate interests, though any cookies the widget drops require separate consent.

Cookie-based tracking for advertising always requires consent regardless of how strong your legitimate interest argument might seem. The ePrivacy Directive requires consent for placing non-essential cookies on devices, and this cannot be circumvented by claiming legitimate interests under GDPR. The EDPB Guidelines 1/2024 confirm that consent is likely the appropriate legal basis for data processing related or subsequent to marketing cookies.

Standard Google Analytics implementations using cookies require consent. Cookieless server-side analytics with IP truncation have the strongest case for legitimate interests, but even this remains disputed among DPAs.

Legitimate interests is unavailable to public authorities for their core tasks and requires heightened justification when processing children’s data, where the EDPB notes that children’s interests very often outweigh controller interests.

Mapping WordPress Activities to Their Lawful Basis

A typical WordPress site runs multiple processing activities simultaneously, each requiring its own lawful basis. The following mapping reflects regulatory guidance and enforcement patterns:

Processing Activity                                     | Lawful Basis
--------------------------------------------------------|---------------------
Newsletter and email marketing signups                  | Consent
Google Analytics with cookies                           | Consent
Meta Pixel and Google Ads tracking                      | Consent
Embedded YouTube and Google Maps                        | Consent
Social share buttons loading external scripts           | Consent
WooCommerce order processing                            | Contract
Customer account creation for purchases                 | Contract
Digital product delivery                                | Contract
Membership site access provision                        | Contract
Shipping and delivery communications                    | Contract
Freelancer client project work                          | Contract
Website security logging                                | Legitimate Interests
Fraud prevention                                        | Legitimate Interests
Contact form processing                                 | Legitimate Interests
Direct marketing to existing customers (soft opt-in)    | Legitimate Interests
Backup operations                                       | Legitimate Interests
Live chat functionality                                 | Legitimate Interests
Cookieless analytics                                    | Legitimate Interests
Tax record retention                                    | Legal Obligation
VAT compliance records                                  | Legal Obligation
Employment law processing                               | Legal Obligation

Abandoned cart emails to existing customers who began checkout can rely on legitimate interests under strict conditions: the email was collected during checkout, you promote similar products, you include an unsubscribe link, and you limit follow-ups to one to three messages within 24 to 72 hours. Abandoned cart emails to non-customers who never completed a purchase require consent as the safer basis.

CRM integration depends on purpose. Managing contractual relationships falls under contract. Marketing uses require consent or legitimate interests depending on context and your documented assessment.

Your Privacy Policy and ROPA Must Work Together

Implementation requires two complementary documents serving different purposes.

Your privacy policy is the external transparency document satisfying Articles 13 and 14. It must disclose each processing purpose, its lawful basis, data retention periods, third-party recipients, and data subject rights. WordPress includes a Privacy Policy page at Settings → Privacy that provides a starting template, but the default text is incomplete for full GDPR compliance and requires extensive customization. A layered approach works well: a summary table mapping activities to lawful bases at the top, with detailed explanations following.

Your Records of Processing Activities is the internal accountability document required under Article 30. It should record each processing activity with its data subjects, data categories, lawful basis, recipients, retention periods, and security measures. The ROPA is not published on your website but must be available to supervisory authorities on request.

Article 30(5) exempts organizations with fewer than 250 employees from the ROPA requirement, but only if processing is occasional and does not involve special category data or rights risks. Most active WordPress sites fail these conditions and must maintain a ROPA regardless of size.

WordPress core privacy tools at Tools → Export Personal Data and Tools → Erase Personal Data support the rights of access, portability, and erasure but do not handle cookie consent management, consent logging, ROPA maintenance, or LIA documentation. GDPR plugins fill critical gaps for cookie consent while ROPA templates from the ICO and other regulators provide structured frameworks for internal documentation.

The Mistakes That Create Compliance Gaps

Using consent for everything sounds cautious but creates withdrawal landmines. If a WooCommerce customer withdraws consent that you used to justify order processing, you technically cannot ship their product. Use contract for what is contractually necessary, legitimate interests for security and operational needs, and reserve consent for genuinely optional processing like marketing.

Using legitimate interests for everything is equally dangerous. Without a documented LIA for each activity, you have no accountability defense when regulators come knocking. The balancing test genuinely does tip against the controller in many scenarios — cookie-based tracking, profiling, and processing children’s data frequently fail the balance regardless of how compelling your business case seems.

Not documenting before processing violates the fundamental GDPR requirement. Every new WordPress plugin, form, or feature that handles personal data needs its lawful basis determined and recorded before activation, not after a complaint arrives.

Conflating privacy policy disclosure with lawful basis documentation misses a key distinction. Publishing a privacy policy satisfies transparency obligations but does not prove you actually assessed your lawful basis. The ROPA and LIA are separate accountability documents that demonstrate you did the analysis.

Assuming one basis covers all activities ignores how WordPress sites actually work. A typical site with WooCommerce, a contact form, analytics, a newsletter, and security logging needs at minimum four different lawful bases operating concurrently. Each must be individually assessed, documented, and disclosed.

Ignoring the ePrivacy Directive alongside GDPR catches many site owners unprepared. Even if your GDPR analysis supports legitimate interests for analytics, the cookie itself likely requires consent under ePrivacy rules. These are separate legal instruments that apply independently, and compliance with one does not automatically satisfy the other.

What Enforcement Looks Like

Meta’s €390 million fine in January 2023 established that behavioral advertising can never qualify as contractual necessity. The EDPB’s binding decision overruled the Irish DPC’s more lenient approach and set a precedent that affects every WordPress site claiming contract as the basis for marketing-related processing.

Google’s €150 million fine and Facebook’s €60 million fine from CNIL in January 2022 targeted cookie consent dark patterns specifically. Both companies made rejection harder than acceptance through button design and placement. Any WordPress site with a cookie banner that nudges users toward acceptance faces the same violation.

The Planet49 CJEU decision in 2019 established that pre-ticked checkboxes do not constitute valid consent under any circumstances. This ruling invalidated consent mechanisms across thousands of websites that had relied on default-on checkboxes for newsletter signups and marketing permissions.

The pattern across enforcement actions is clear: regulators penalize misclassification of lawful basis, failure to document the assessment, and consent mechanisms that fail the freely given or unambiguous requirements. The lawful basis framework is not a one-time compliance checkbox but an ongoing structural requirement shaping every data processing decision on your WordPress site.

Three practices separate compliant sites from vulnerable ones. Conduct the lawful basis assessment before activating any new plugin or processing activity. Maintain a living ROPA that maps every activity to its basis and gets updated when your site changes. Recognize that cookie consent under the ePrivacy Directive operates as a parallel requirement that legitimate interests cannot bypass, no matter how solid your GDPR analysis appears.
