Compliance on websites isn’t a fringe component. It’s a serious, legal matter, which can seriously affect your business.
Legal fees can be expensive, and add up quickly. Also, law is complicated, and can vary based on where you live and do business from. How does one accomplish compliance without getting their own law degree? (Or having a best friend who passed the bar exam?)
There is a way you can dot your I’s and cross your T’s, get all your ducks in a row, check all the boxes, cover your bases (this IS a post about full compliance, so one expression didn’t seem like enough ) – without draining your bank account, or losing your sanity.
Because WordPress is far and above the leading CMS, there are a good number of options when it comes to compliance regulation companion products.
We looked into the pool of offerings, picked the ones we thought were smart, solid, and sound, and are presenting them to you here.
Keep reading, or jump ahead to any section:
First up, let’s examine…
Privacy is a major factor in today’s world, and personal information is protected by a fast-growing assortment of legal rights.
Throughout the first three-quarters of the 20th century, collected data was relatively minimal, there were few ways to store it, and demand for its collective use wasn’t really a thing.
However, from the ’70s through today, as the inherent value of data grew – along with improved methods to collect, store, use, and profit from it – so has the need for legislation to protect it.
Living in the era of Big Data, where the sheer volume of data has increased to previously unimaginable amounts, a true premium has been put on an individual’s rights to protect it.
Non-compliance with the legal safeguards comes with steep fines and other serious penalties.
While data protections may have started slowly, they will continue to pick up speed as the by-product of ethical examination and pivotal litigations surrounding privacy.
Let’s take a peek at the landmark protections in the history of privacy legislation.
The Privacy Act of 1974 established the Code of Fair Information Practice on the collection, maintenance, use, and dissemination of personally identifiable information from US federal agencies.
The Data Protection Directive was adopted by The European Union in 1995. The principles set forth were aimed at the protection of fundamental rights and freedoms in the processing of personal data. This was superseded by the GDPR in 2018.
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to protect Personally Identifiable Information maintained by the healthcare and health insurance industries from theft and fraud, safeguarding people’s medical information from being used without their consent.
The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998 and requires the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The amended Rule became effective on July 1, 2013.
The General Data Protection Regulation (GDPR) for data protection and privacy became law in 2018 in the European Union (EU).
The GDPR applies to the transfer of personal data outside of the EU and EEA (the European Economic Area is the countries of Iceland, Norway, and Liechtenstein), and replaced the Data Protection Directive from 1995.
Shortly thereafter, State Privacy Legislations in the US started…
California Consumer Privacy Act (CCPA) – signed into law 2018; effective 2020
California Privacy Rights Act (CPRA) – also known as CCPA 2.0, enacted in 2020
Virginia Consumer Data Protection Act (VCDPA) – legislated in 2021; effective January 1, 2023
Colorado’s Privacy Act – will be effective July 1, 2023
Connecticut’s Personal Data Privacy and Online Monitoring Act – will be effective July 1, 2023
Utah’s Consumer Privacy Act – will be effective December 31, 2023
While the US does not have a single, comprehensive, internet privacy law, one is currently being proposed by federal privacy legislation: the American Data Privacy and Protection Act (ADPPA). If passed into law, it will supersede all state privacy laws. Until then, it’s up to individual states to pass legislation that protects customer data.
At this point you may be wondering, with so many already existing and soon-to-be-effective legal stipulations on data, which ones are you required to adhere to as a website or app owner?
That’s what we’ll lay out now in…
To best meet overall compliance, websites should minimally have:
… and …
Consent (Record of Consent)
Let’s put a pin in Consent for a bit, and come back to it after we look at the policies.
However, cookie policies need to be regularly updated (as cookies are dynamic and often change upon successive visits), whereas policy policies tend to be static.
Let’s dive a little deeper into both of these important policies.
Privacy policies are legally required agreements when collecting any personal data from users (e.g. payment details, address and phone number, cookie data), regardless of the platform used (e.g. website, mobile app, desktop app, etc).
Key privacy policies or agencies, by country of origin are:
Europe/European Union – GDPR (businesses in or operating with EU/EEA)
United States – by state (CCPA, CPRA, CalOPPA, VCDPA)
Canada – PIPEDA
Australia – The Privacy Act 1988
Germany – BDSG, and DSGVO (German name for the GDPR)
France – CNIL (the commission overseeing privacy policies)
South Africa – The POPI Act (POPIA)
Brazil – LGPD (broadly aligns with the GDPR)
Lesser-known privacy laws exist around the world as well; the above is not to be considered an exhaustive list.
While privacy policies are generally referred to by location of origin, they can extend to any region that does business with them. Meaning, don’t assume that if you reside outside of Europe that the GDPR doesn’t apply to you.
The EU’s GDPR and US state laws (#1 and #2) are the most broadly reaching and widely followed privacy policies. But that’s not to say that the others don’t matter; it’s important to research any that might apply to your business.
Cookie policies are legally binding documents that inform website or app users how a company engages in data tracking and online privacy.
Cookie identifiers are considered to be personal data by the GDPR, so its rules apply to cookie usage as well. Also, any personal data collected by cookies falls under the GDPR’s jurisdiction.
The ePrivacy Directive (ePD) of the EU – nicknamed the “Cookie Law” – requires security measures be put in place to protect personal data. This regulates cookie usage, email marketing, data minimization, and other aspects of data privacy, and is largely responsible for the cookie consent forms that you encounter on most websites today. (Sidebar: This doesn’t replace the Cookie Law I grew up with; “Don’t ever serve chocolate chippers without milk.”)
The ePrivacy Regulation (ePR), the details of which are currently being hammered out by legislators, will replace the ePD once it’s passed into law.
Consent / Record of Consent
Taking out that pin that we placed earlier, it’s time to look at Consent.
Make sure you incorporate consent into your Privacy/Cookie policies. Full GDPR compliance means storing proof of Consent, and being able to demonstrate or retrieve details should they be requested.
I can’t stress this enough: having Privacy/Cookie policies without consent could cause major problems for you.
While protecting user data is of paramount importance, privacy isn’t the only concern for someone managing websites.
There are other important, legal considerations when it comes to engaging the public online.
We’ll take a look at them now.
Terms & Conditions
Unlike Privacy Policies, there are no laws that require you to have a Terms & Conditions agreement, though it is highly suggested to have one.
Without a T&C, it’s much more difficult to enforce your rules and community guidelines, copyright protection, or other issues that could arise from the misuse of your website/app content.
The majority of the public will act courteously, but that’s not who you’re protecting yourself from. It’s the small percentage of outliers who can sometimes do the most damage. Having explicitly stated Terms & Conditions can offer basic protections for you and your business, limiting your liability and declaring your rights over the content you create, in case anyone engages in abuse, intellectual property theft, or unlawful behavior.
The most common reasons for Terms & Conditions are to:
Protect your creative content
Limit your legal liability
Set your governing law
If you’ve ever seen a clause in a T&C stating where (geographic region) any dispute resolution must take place, that falls under governing law, and is quite useful if you don’t want to litigate legal matters in a country outside of your own.
Disclaimers can be used to offset liability from a business to a client in ambiguous or gray legal areas, or where they are required by law.
Without them, you are opening yourself up to legal liability or the possible endangerment of others, especially on sites that share advice, DIYs, or promote/sell products (most of which come with claims).
Websites and eCommerce stores benefit from disclaimers in that they:
Let users/customers know that the content is not legally binding advice, nor should it be solely relied on
Limit the liability of the website/store in the event someone has an unsatisfactory result from its advice or products
Some of the most common disclaimer types are:
Errors and Omissions
Affiliates / Affiliate Links
While we’re on the subject, here’s an example in actual use:
Disclaimer: WPMU DEV is not a legal entity, nor does it claim to be an authority on the laws of any region, country, or the internet. While this post contains well-researched content from respected sources, it is for informational purposes only and not intended as a substitute for professional legal advice. As such, we cannot be held liable for any omissions or errors contained within.
That said, let’s get to the tools and services of the compliance trade, with…
Some of these are actual WordPress plugins, while others are content generated directly in the company’s website.
Regardless of how you access them, all offer plenty of bang for the buck, and value for the venue (I’m coining this phrase to mean free products and their providers ).
CookieYes is one of the most used WordPress GDPR cookie compliance plugins, with 1 million+ active installations and 5 out of 5 stars.
Starting with the free WP.org plugin version, you get a goodly amount of features, including:
a cookie consent banner with Accept/Reject options
single click automatic scanning and categorization of cookies
adds a cookie banner to your WordPress website to show compliance with GDPR
fully customize the cookie notice so it blends with your existing website (change colors, fonts, styles, position on page; even how it behaves when you click “Accept All”)
has a Cookie List module so you can easily show what cookies your site uses and display them neatly in a table on your Privacy & Cookies Policy page
can be configured to have a CCPA/CPRA ‘Do Not Sell or Share My Personal Information’ control to the cookie notice
The free version also includes a connection (also free) with the CookieYes web app to access advanced features (cookie scan, consent log, etc) and manage all settings from the web app account. Note: You can still use most of the features from within the WP dashboard, without connecting to the web app.
One of the advantages here is the dashboard, which includes a Consent section. You can view or access details on user consent should you ever be audited and need to show this information. It even allows you to download this consent data in CSV format.
From the WP plugin dashboard, there’s a lot you can do:
Check banner status (active, inactive), regulation type (GDPR), last cookie scan, language
Maintain cookie list, add new cookies
Change/edit default banner language
Add the user guide provided for setup, along with a video walkthrough, and you can see why this plugin is so well loved.
CookieYes banner and consent customizations.
If you want to go for a CookieYes paid plan, you have three tier options, payable per domain, monthly or annually. Each tier adds more pages per scan (600, 4K, 8K) and pageviews (100K, 300K, unlimited), plus a couple of additional features – like custom branding, and geo-targeted cookie banners.
As a third option here, we have the paid, premium version of GDPR Cookie Consent Plugin (CCPA Ready) – available from WebToffee’s website.
The final offering in the WebToffee family of compliance options, GDPR Cookie Consent remains in the territory of fastest-growing WP consent plugins, verifiable by a mass of happy users.
GDPR Cookie Consent offers a variety of notices, all with customization.
As far as features, most are available and common to both the GDPR Cookie Consent and the CookieYes paid plans. However, the GDPR Cookie Consent plans do not have:
Global privacy control
Do not track
Monthly scheduled scan
GDPR Cookie Consent pricing has three tiers, based on the number of sites (1, 5, 25) you want to use it on. Each includes one year of updates and support, and a 30-day, money-back guarantee.
The primary difference between The GDPR Cookie Consent and CookieYes paid plans is the technology they rely on. The CookieYes web app is a SaaS that requires huge cloud computing, storage, and security facilities. (This is also why the CookieYes paid plans are based on scans and pageviews.)
Bonus points for their support: I reached out as a free user to clarify a few points in this section and got a detailed response in less than half a day. (High five to Mark!)
Iubenda has been quickly rising in the ranks of compliance with their all-in-one solution, currently sitting at 100K+ active installs and a 5/5 star rating on WP.
If you’re looking for that extra layer of comfort, iubenda has it, with attorney-level compliance solutions, all of which are fully WCAG Level AAA Compliant.
The free version of iubenda compliance solutions support the GDPR, LGPD, and US State Laws (CCPA/CPRA and VCDPA).
Content is auto-updated when laws change, so it’s always up-to-date. (Their built-in site scanner runs periodic scans on your site and alerts you if it detects something that should be added to your compliance documents.)
The free version comes with the following features:
a single policy, on one site, in one language
up to 4 (non-Pro) service clauses
Privacy Controls and Cookie Solution
up to 25K page views/month (for compliance with GDPR, LGPD & ePrivacy and US state laws)
iubenda privacy controls and cookie solution settings.
You can get the free version of iubenda from the WordPress plugin repository.
The majority of iubenda’s standout features are found in their paid/pro versions, trusted by over 90,000 clients in more than 100 countries. These allow for multiple policies, sites, and languages, as well as Privacy Control & Cookie Solutions, a Terms & Conditions generator, a Consent Database, and more.
Privacy Control & Cookie Solutions helps you meet complex legal requirements at the click of a button, as well as create a fully customizable cookie banner.
Terms & Conditions offers powerful features like plug-and-go integrations for popular platforms and legislation monitoring. It’s customizable from hundreds of combinations, available in 10 languages, and capable of handling even the most complex, individual scenarios. Optimized for eCommerce, marketplace, SaaS, apps and more.
The Consent Database activates with one click to track, store, and manage consent and privacy preferences for each of your users all in one place, allowing you to easily upload proofs of consent and legal notices in PDF format.
They also offer an Internal Privacy Management, which documents all the data processing activity within your organization. To comply with privacy laws (particularly the GDPR), companies must record how they store and use the data they collect from their users.
Additional features in the paid plans are:
More Compliance Laws, like DSGVO, RGPD, UK-GDPR, CalOPPA, PECR
Cookie consent analytics provided for high-traffic sites
Detects bots/spiders and serves them a clean page so that your SEO efforts are never compromised
Built-in compatibility with WordPress comment form, Contact Form 7, and WP Forms; can also be manually integrated with any type of web-form
Pricing is offered as bundles with 3 tiers, based on number of license slots, with paid add-ons – Terms & Conditions, and Consent Database – available as extras.
iubenda’s pricing models with inclusions listed.
Head over to iubenda’s website for a more in-depth read about their compliance offerings, or to purchase one of their plans.
TermsFeed doesn’t have a plugin; everything is generated directly from their website. But in no way does that detract from their fantastic functions.
The TermsFeed website has an abundance of compliance offerings, most of which they charge nothing for.
Since 2012, TermsFeed’s all-in-one compliance software has helped businesses get (and stay) compliant with the law, and the multitude of glowing, five-star reviews corroborates that.
Popular free features include:
Terms & Conditions Generator
EULA Generator – gives users the right to use a copy of your product after they acquire it, through a granted license (with or without limitations)
Return and Refund Policy Generator
Shipping Policy Template – no generator for this, but a detailed, helpful template to assist businesses in creating
They also offer these additional, not-as-common free tools:
CCPA Opt-out – Free tool to manage opt-outs for CCPA
I Agree Checkbox – Free tool to enforce your legal agreements and policies on web forms
Embed Consent – Free tool to block embeds (YouTube, Twitter, Google Maps) from loading until you’ve got user consent
The TermsFeed site has a ton of helpful, visually appealing infographics.
All of the generators operate in the same, simple three-step: 1) Create a free account. 2) Choose what you need. 3) Download and integrate.
You answer a few quick questions, and your custom policy is ready in minutes, available to download in multiple file formats – which you can link to, edit, or update.
And the output isn’t limited to just websites; you can use it to create for mobile apps, eCommerce stores, third-party tools, SaaS, and even a Facebook page.
The TermsFeed website is well organized and chock full of helpful information, making an easy task out of finding what you need.
The majority of compliance agreements and policies on the TermsFeed website are essentially free. However, they do offer some optional, premium agreements with additional clauses to protect your business interests.
Paid items are available in two ways:
Privacy Consent Solution, which gives you access to all features, payable month-to-month, or yearly (with a discount).
Per Policy/Agreement, which allows you to select any number of policies from their huge compliance toolbox, and pay a one-time fee, per item
Both payment structures come with a 7-day refund policy, and 100% money-back guarantee.
As far as videos, walk-through processes, and documentation go, out of all the sites I reviewed in this article, they had the most. On YouTube alone, I counted close to 200 explainer videos (on their content specifically, and policy terminology in general), plus dozens of tutorials for using on a myriad of website types (Wix, Weebly, Squarespace, Webflow, Shopify, etc) in addition to WordPress.
My final thoughts: the TermsFeed website is an embarrassment of riches, with compliance offerings galore, and little to no limitations on their use. Even the premium, paid-for options won’t break the bank.
Complianz is another widely used compliance plugin, available for free on the WP repository: Cookie Consent – aka the Privacy Suite for WP. (They offer an additional one for Terms & Conditions as well.)
Active installations are at 600K (and climbing), and rated 5/5 stars.
Free features include:
Cookie Notice configuration for your specific region (EU, UK, US, Australia, South Africa, Brazil, and Canada; or use one Cookie Notice worldwide)
Cookie Consent and Conditional Cookie Notice with custom CSS and customizable templates
Automatic configuration of your website based on wizard questions, WordPress scans, and dedicated service and plugin integrations
Proof of Consent for user registration (respects GDPR data minimization guideline)
Automatically detects if you need a Cookie Notice (aka Cookie Banner or popup)
Offers “Do Not Sell My Personal Information” (for CCPA/CPRA)
Complianz is one of the few WordPress native solutions, integrated with a wide variety of plugins and services. Once configured through the wizard, Complianz will work with most of your plugins and embedded content – right out of the box. Including our very own Forminator, Beehive, and the WPMU DEV Dashboard plugin (where you can integrate Complianz to allow site visitors to reject dashboard analytics statistics cookies).
Like iubenda, their policies are drafted by an IT Law Firm, and are WCAG Level AA and ADA Compliant. They closely follow the latest developments in ePrivacy regulation, the proposed Cookie Law for the EU, and other legislation worldwide, so you can be sure the content is spot-on, legally speaking.
Complianz also has premium, paid offerings for compliance, available from their own website.
Their website has documentation, and as a premium user, you get dedicated support from privacy professionals and developers who (and I quote) “don’t quit until a solution is reached”.
Complianz offers a full privacy suite for WordPress.
Legal docs and Consent Management offerings on Complianz, free vs paid.
Easily install the free Complianz Privacy Suite plugin from your WordPress dashboard. For the premium version, you’ll need to download from your account on Complianz.io, or use the link in your purchase confirmation, along with your license key.
In addition to the free version, paid plans are offered as 3 tiers, priced per number of sites (25, 5, 1). All include the full shebang of required legal documents, compliant in multiple regions, along with records of consent, data request processing, A/B testing and statistics, and detailed cookie descriptions.
While Termly does have a plugin on the WP.org repository, it’s outdated, and I don’t recommend using it. But that doesn’t make their compliance options any less capable or appealing.
Instead of the WP repo, head over to Termly’s website, where everything you need is easily accessible and kept fully up to date.
Compliance solution offerings from Termly.
The Termly website comes with a host of features, ranging from a single policy to a full suite of compliance solutions.
Here’s a breakdown of Termly’s top features:
Consent Management Platform
Manage consent on your website or app while providing a robust and flexible solution to compliment your business needs and regulatory requirements
Choose from the ever-expanding list of legally vetted policies to protect your business and meet your compliance needs
Additional Legal Protection Generators
Easily create other Agreements and Notices to further protect your website (like: Terms & Conditions, Disclaimers, EULAs, Shipping Policies, Refund and Return Generators)
Termly’s all-in-one cookie consent solution.
Termly’s free plan provides you with one legal policy, four edits, and 10K/month banner visitors, as well as their basic compliance tools, which are:
Privacy Regulation Monitoring
Cookie Script Auto Blocker
HTML Embeddable Policies
Quarterly cookie scans
In addition to their free/basic plan, Termly offers 3 paid tiers, priced per website. The first two go by number of policies, policy edits, and banner visits, and are payable per month or annually. The third tier is a custom “contact us” option.
With 4.5 out of 5 star rating on Trustpilot, Termly is trusted and revered by thousands.
As you can see, responsible data management is not only good business practice, it’s also the law.
In today’s landscape where massive amounts of data, along with infinitely more ways to store and use it are the norm, diligence is required in its care and handling, especially if you operate an online business (your own, or as an Agency for clients).
Regardless of what kind of business it is, where it is located, or where your visitors reside, you are bound by certain legalities.
Ignorance is not a defense, so compliance can be the difference between being successfully safe or professionally sunk.
Beyond research and recommendations for meeting compliance requirements, WPMU DEV works hard to keep your websites and web development business operating at peak efficiency.
That includes our free products and services, and our premium membership offerings – a suite of pro plugins (protection, optimization, form creation, SEO, and more), five-star always-on support, and sleek all-in-one site management tool. Plus our fast, dedicated, best-value-in-the-biz Hosting.
If you’re not a member yet, you can start your 7-day, no obligation free trial today, and instantly catch up on what you’ve been missing.