Plugin Developer Guide

Privacy Policy for WordPress Plugins

The WordPress Plugin Directory requires plugins that collect user data to have a privacy policy. Without one, your plugin can be rejected during review or removed from the directory.

For WordPress plugin developers, agencies building plugins, and teams publishing to the WordPress Plugin Directory.

Last updated: March 2026 · Reviewed for GDPR, CCPA & WordPress Plugin Directory compliance

Written by Anupam Kumar · 13 min read

The WordPress Plugin Directory requires plugins that collect user data to include privacy documentation. If your plugin stores form submissions, tracks user activity, connects to external services, sets cookies, or logs personal information, you must use the WordPress Privacy API to suggest policy text and implement data export and erasure hooks. Plugins that handle data without disclosure can be rejected or removed from the directory.

WordPress plugins run on millions of websites and often handle sensitive user data. Unlike standalone applications, plugins operate within the WordPress ecosystem where site owners are responsible for their site's overall privacy compliance. This creates a shared responsibility: plugin developers must clearly document what data their plugins handle, and site owners must incorporate that information into their site privacy policies.

The WordPress Plugin Directory review team actively checks plugins for undisclosed data collection, external connections that transmit user data, and missing privacy API implementations. Since WordPress 4.9.6 introduced the Privacy API, plugin developers have had standardized tools to help site owners comply with GDPR and other privacy regulations. Using these tools is not optional for plugins that handle personal data.

This guide covers the Plugin Directory requirements, what types of data plugins commonly collect, how to use the WordPress Privacy API, what the review process checks, GDPR compliance for plugin developers, how to handle external service connections, and where to document your privacy practices.

WordPress Plugin Directory Privacy Requirements

The WordPress Plugin Directory has specific guidelines about how plugins must handle user data. These guidelines are enforced during the plugin review process and through ongoing monitoring of published plugins. Violations can result in plugin removal and developer account restrictions.

What the Directory Requires

  • Privacy policy text via the Privacy API: Plugins that collect personal data must use wp_add_privacy_policy_content to suggest privacy policy text that site administrators can add to their site policy.
  • Data export implementation: Plugins that store personal data must register a personal data exporter using the wp_privacy_personal_data_exporters filter so site owners can fulfill data access requests.
  • Data erasure implementation: Plugins that store personal data must register a personal data eraser using the wp_privacy_personal_data_erasers filter so site owners can fulfill deletion requests.
  • Disclosure of external connections: Any plugin that connects to external servers, APIs, or third-party services must clearly disclose these connections in its readme.txt and through the Privacy API.
  • No hidden data collection: Plugins must not collect or transmit data without the site administrator's knowledge. All data collection must be documented and, where appropriate, require explicit opt-in from the site administrator.

The WordPress Plugin Directory team reviews thousands of plugin submissions every month. Plugins that fail to meet these requirements receive feedback during the review process and must address all issues before being approved. Published plugins that are found to violate these guidelines can be closed without prior warning.

  • Required: for plugins handling personal data
  • Transparent: all data flows must be disclosed
  • Enforced: rejection or removal from the directory

Did you know?

The WordPress Plugin Directory has closed hundreds of plugins for guideline violations related to undisclosed data collection. The most common violations involve plugins that send usage data or telemetry to external servers without informing site administrators, plugins that load external resources like fonts or scripts from third-party CDNs without disclosure, and plugins that store personal data without implementing the Privacy API hooks.

Types of Data WordPress Plugins Collect

WordPress plugins collect a wide range of data depending on their functionality. Understanding what data your plugin handles is the first step toward proper privacy documentation. The following table covers the most common data types and their privacy implications.

Data Type | Common Sources | Storage Location | Privacy Impact
Form submissions | Contact forms, registration forms, checkout forms | Custom tables, post meta, email | High
User activity logs | Login tracking, page views, admin actions | Custom tables, log files | High
IP addresses | Security plugins, comment forms, analytics | Custom tables, WordPress comments table | High
Cookies | Session management, preferences, tracking | Browser (client-side) | Medium-High
User meta data | Profile fields, preferences, settings | wp_usermeta table | Medium
Analytics data | Page views, referrers, device info, geolocation | External service or custom tables | High
Payment data | E-commerce, donations, subscriptions | External gateway, order tables | Very High
File uploads | Media library, form attachments, user avatars | wp-content/uploads directory | Medium
Telemetry / usage stats | Plugin settings, PHP version, active plugins | External server | Medium

Many plugin developers underestimate how much personal data their plugins handle. Even a simple contact form plugin stores names, email addresses, and message content. A security plugin may log IP addresses, user agents, and login attempts. An analytics plugin may track page views tied to user sessions. All of this is personal data under GDPR and most other privacy laws.

Q: Does storing data in WordPress options count as collecting personal data?

It depends on what you store. If your plugin stores site-level settings like color preferences or layout options, that is not personal data. But if your plugin stores API keys tied to a user account, email addresses for notifications, or any information that can identify a person, then yes, it is personal data and must be disclosed in your privacy documentation.

Q: What about transient data that expires automatically?

Transient data stored via the WordPress Transients API still counts as data storage, even though it expires. If a transient contains personal data such as cached user information or session tokens, it must be disclosed. The fact that it expires does not change the privacy obligation during the time it exists.

The WordPress Privacy API

WordPress introduced the Privacy API in version 4.9.6 to give plugin developers standardized tools for privacy compliance. The API has three main components: privacy policy content suggestions, personal data exporters, and personal data erasers. Every plugin that handles personal data should implement all three.

wp_add_privacy_policy_content

This function lets you suggest privacy policy text that site administrators should add to their site privacy policy. When called, your suggested text appears on the Privacy Policy Guide page in WordPress admin under Settings > Privacy. Site administrators can review your text and copy it into their privacy policy page.

You should call this function on the admin_init hook. The first parameter is your plugin name, and the second is the HTML content of your suggested policy text. Write clear, specific text that describes exactly what data your plugin collects, why it collects it, where it is stored, who it is shared with, and how long it is retained.

Personal Data Exporter Hook

The wp_privacy_personal_data_exporters filter lets your plugin register a callback function that exports all personal data your plugin stores for a given email address. When a site administrator processes a data export request through Tools > Export Personal Data, WordPress calls each registered exporter. Your callback receives an email address and a page number (for pagination) and must return an array of data items associated with that email address.

Personal Data Eraser Hook

The wp_privacy_personal_data_erasers filter works the same way but for data deletion. Your callback receives an email address and must delete or anonymize all personal data your plugin stores for that person. This powers the Erase Personal Data tool in WordPress admin under Tools > Erase Personal Data. You can choose to fully delete the data or anonymize it depending on your plugin's needs.

Did you know?

WordPress core itself implements all three Privacy API components for its own data handling. The comments system registers a privacy policy suggestion, a data exporter for comment author data, and a data eraser that anonymizes comments. You can look at the WordPress core source code in wp-includes/comment.php for a reference implementation of how to properly implement these hooks in your own plugin.

The Plugin Review Process

When you submit a plugin to the WordPress Plugin Directory, it goes through a manual review by the WordPress Plugin Review team. This team checks for security issues, guideline compliance, and privacy-related concerns. Understanding what they look for helps you prepare your plugin for a smooth review.

What Reviewers Check

  • External HTTP requests: Reviewers scan your code for wp_remote_get, wp_remote_post, file_get_contents, cURL calls, and any other outbound HTTP requests. Every external connection must be documented and justified.
  • Data storage patterns: Reviewers look at database queries, custom table creation, use of user meta, post meta, and the options table to understand what data your plugin stores and whether it includes personal data.
  • Privacy API usage: If your plugin handles personal data, reviewers check whether you have implemented wp_add_privacy_policy_content, registered a data exporter, and registered a data eraser.
  • Tracking and telemetry: Any usage tracking, analytics collection, or telemetry data transmission is closely scrutinized. Opt-in tracking is acceptable if properly disclosed. Opt-out or undisclosed tracking will result in rejection.

  • New plugins: rejected; all issues must be fixed before resubmission
  • Published plugins: closed; can be removed from the directory at any time

GDPR Compliance for Plugin Developers

GDPR applies to any software that processes personal data of EU residents, including WordPress plugins. As a plugin developer, you are not the data controller (the site owner is), but you are creating the tool that processes data. Your role is to make it possible for site owners to comply with GDPR when using your plugin.

This means your plugin must provide the mechanisms for site owners to fulfill their GDPR obligations. Specifically, your plugin must allow site owners to inform users about data collection (through the privacy policy content hook), respond to data access requests (through the data exporter hook), respond to data deletion requests (through the data eraser hook), and limit data collection to what is necessary for the plugin's functionality.

If your plugin sends data outside the EU (for example, to a US-based API), site owners need to know this so they can include appropriate data transfer disclosures in their privacy policies. Your suggested privacy policy text should mention any cross-border data transfers.

Did you know?

Under GDPR, site owners can be held liable for privacy violations caused by the plugins they use. This is why many enterprise WordPress users now audit plugin privacy practices before installation. Plugins that properly implement the WordPress Privacy API and provide clear documentation are increasingly preferred over those that do not. Good privacy practices can be a competitive advantage for your plugin.

Beyond GDPR, your plugin should also consider CCPA (for California users), PIPEDA (for Canadian users), LGPD (for Brazilian users), and other regional privacy laws. While the specific requirements differ, the core principle is the same: be transparent about data handling, give users control over their data, and minimize data collection to what is necessary. If your GDPR privacy policy template covers these fundamentals, it will satisfy most regulations.

External Service Connections

One of the most scrutinized aspects of WordPress plugins is external connections. Every time your plugin communicates with a server outside the WordPress installation, you are potentially transmitting user data. The Plugin Directory team takes undisclosed external connections very seriously.

Common External Connections That Require Disclosure

  • License verification servers: Many premium plugins check a remote server to validate license keys. These requests typically send the site URL, the license key, and sometimes the WordPress version and PHP version. All of this must be disclosed.
  • Update check endpoints: Plugins that manage their own updates outside of WordPress.org check a remote server for new versions. These requests typically include the current version, site URL, and sometimes PHP and WordPress version information.
  • Third-party API services: Plugins that integrate with services like payment gateways, email providers, social media platforms, or analytics services transmit data to those services. Your policy must specify what data is sent and link to the third party's privacy policy.
  • CDN and external resource loading: Loading fonts, scripts, stylesheets, or images from external CDNs exposes the user's IP address and browser information to those CDN providers. Even loading Google Fonts from Google's servers requires disclosure.
  • Telemetry and usage statistics: If your plugin collects any usage data, active plugin lists, PHP version information, or error logs and sends them to your server, this must be explicitly opt-in and fully disclosed.

For each external connection, your privacy documentation should specify exactly what data is transmitted, why it is necessary, the URL or domain of the receiving server, the privacy policy of the third-party service, and whether the connection can be disabled by the site administrator. This level of detail protects both you and the site owners who use your plugin. If you are unsure about what happens without a privacy policy, the consequences can be significant for both developers and site owners.

Where to Document Your Privacy Policy

As a WordPress plugin developer, you need to document your privacy practices in multiple locations. Each location serves a different audience and purpose. Covering all of them ensures that site administrators, end users, and the Plugin Directory review team can all find the information they need.

  • readme.txt file: Add a "Privacy Policy" section to your plugin's readme.txt. This is visible on your WordPress.org plugin page and is the first place many site administrators look. Describe what data your plugin collects, any external connections, and link to your full privacy policy.
  • WordPress Privacy API: Use wp_add_privacy_policy_content to suggest policy text that appears on the Privacy Policy Guide page in WordPress admin. This is where site administrators go to build their site privacy policy.
  • Plugin website or documentation: Publish a full, detailed privacy policy on your plugin's website or documentation site. This should be the most comprehensive version of your privacy documentation, covering every data flow, retention period, and third-party service.
  • Plugin admin settings page: Consider adding a privacy or data handling section to your plugin's settings page in WordPress admin. This gives site administrators quick access to information about what data the plugin handles without leaving the admin dashboard.

If your plugin connects to external services, the documentation approach is similar to what you would use for a SaaS privacy policy. Disclose every service, what data is shared, and provide links to each service's privacy policy. Site owners running WordPress sites depend on this information to keep their own privacy policies accurate.

Common WordPress Plugin Privacy Mistakes

These mistakes are the most common reasons WordPress plugins face review issues, directory closure, or complaints from site administrators. Each one represents a misunderstanding of the Plugin Directory guidelines or privacy regulations.

Mistake: "My plugin only stores data locally so no privacy policy is needed"

Storing personal data in the WordPress database is still data collection. Custom tables, user meta, post meta, and even the options table can contain personal data. If your plugin stores any information that can identify a person, you need privacy documentation, data exporter hooks, and data eraser hooks. The storage location does not change the privacy obligation.

Mistake: "Loading Google Fonts from Google's CDN does not need disclosure"

Every external resource your plugin loads exposes the site visitor's IP address and browser information to the external server. A German court ruled in 2022 that loading Google Fonts from Google's servers without consent violates GDPR. If your plugin loads any external resources, you must disclose this. Many plugin developers now bundle fonts locally to avoid this issue entirely.
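An added example, not code from the page, that puts the external Google Fonts enqueue beside a locally bundled one and adds a small audit helper listing every registered style or script served from a host other than the site's own. The handle names, the assets/fonts path, the version string and the MYPLUGIN_PLUGIN_FILE constant are assumptions.

```php
<?php
// Added example (not from the page): bundle fonts locally and audit what gets enqueued.
// Handle names, asset path, version and the MYPLUGIN_PLUGIN_FILE constant are assumptions.

// Before: every visitor's browser fetches the font from Google's servers, which
// exposes their IP address and browser details to a third party on each page load.
// This function is intentionally not hooked anywhere.
function myplugin_enqueue_fonts_external() {
    wp_enqueue_style( 'myplugin-font', 'https://fonts.googleapis.com/css2?family=Inter&display=swap', array(), null );
}

// After: the same font family shipped inside the plugin (assets/fonts/), so no
// request leaves the site owner's server and there is no third party to disclose.
function myplugin_enqueue_fonts_local() {
    wp_enqueue_style(
        'myplugin-font',
        plugins_url( 'assets/fonts/inter.css', MYPLUGIN_PLUGIN_FILE ), // assumed: __FILE__ of the main plugin file
        array(),
        '1.2.3' // assumed plugin version, used only for cache busting
    );
}
add_action( 'wp_enqueue_scripts', 'myplugin_enqueue_fonts_local' );

/**
 * Audit helper for the "map all external connections" step: returns
 * [ handle => host ] for every registered style/script whose host is not this site.
 */
function myplugin_find_external_assets() {
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $external  = array();
    foreach ( array( wp_styles(), wp_scripts() ) as $deps ) {
        foreach ( $deps->registered as $handle => $dependency ) {
            if ( empty( $dependency->src ) ) {
                continue; // alias handles (e.g. jquery) carry no src of their own
            }
            $host = wp_parse_url( $dependency->src, PHP_URL_HOST );
            // Relative srcs (/wp-includes/..., /wp-content/...) have no host: local.
            if ( $host && 0 !== strcasecmp( $host, $site_host ) ) {
                $external[ $handle ] = $host;
            }
        }
    }
    return $external;
}

// Run last on the front end so everything enqueued by then is covered; only logs with WP_DEBUG.
add_action( 'wp_enqueue_scripts', function () {
    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        error_log( 'External assets: ' . wp_json_encode( myplugin_find_external_assets() ) );
    }
}, PHP_INT_MAX );
```

Assets enqueued later (for example from wp_footer) are not seen by the audit hook; run the helper again from a later action if your plugin enqueues there.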

Mistake: "Telemetry is fine as long as it is opt-out"

The WordPress Plugin Directory requires that any telemetry or usage tracking must be opt-in, not opt-out. Your plugin must not send any data to external servers by default. Site administrators must actively choose to enable telemetry. This is a common reason for plugin rejection. If you collect usage statistics, present a clear opt-in prompt during plugin activation or in the settings page.
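An added example (not code from the page) of telemetry gated behind explicit opt-in, assuming a hypothetical plugin with an option named myplugin_telemetry_optin, a placeholder endpoint and a weekly cron hook: on the default path no request ever leaves the site, the payload carries nothing that identifies a person, and the scheduled job exists only while the option is switched on.

```php
<?php
// Added example (not from the page): opt-in telemetry for a hypothetical plugin.
// Option name, endpoint, version and cron hook are assumptions; WordPress 5.4+ for 'weekly'.

define( 'MYPLUGIN_TELEMETRY_ENDPOINT', 'https://telemetry.example.invalid/v1/ping' ); // placeholder

// The option does not exist until the administrator acts, so the default 'no'
// applies and nothing is sent.
function myplugin_telemetry_enabled() {
    return 'yes' === get_option( 'myplugin_telemetry_optin', 'no' );
}

// Settings checkbox, unchecked until the administrator ticks it. Anything other
// than an explicit 'yes' is normalized to 'no'.
add_action( 'admin_init', 'myplugin_register_telemetry_setting' );
function myplugin_register_telemetry_setting() {
    register_setting( 'myplugin', 'myplugin_telemetry_optin', array(
        'type'              => 'string',
        'default'           => 'no',
        'sanitize_callback' => function ( $value ) { return 'yes' === $value ? 'yes' : 'no'; },
    ) );
}

// Payload: aggregate environment data only. Site URL, admin email, user lists
// and IP addresses are deliberately left out.
function myplugin_telemetry_payload() {
    return array(
        'plugin_version' => '1.2.3', // assumed plugin version
        'wp_version'     => get_bloginfo( 'version' ),
        'php_version'    => PHP_VERSION,
        'locale'         => get_locale(),
    );
}

// Cron callback. Returns false without touching the network unless opted in.
add_action( 'myplugin_weekly_telemetry', 'myplugin_send_telemetry' );
function myplugin_send_telemetry() {
    if ( ! myplugin_telemetry_enabled() ) {
        return false; // default path: no outbound request
    }
    $response = wp_safe_remote_post( MYPLUGIN_TELEMETRY_ENDPOINT, array(
        'timeout' => 5,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( myplugin_telemetry_payload() ),
    ) );
    return ! is_wp_error( $response );
}

// Schedule the job only when the option turns on, and remove it when it turns off,
// so a disabled setting leaves no background job behind.
add_action( 'update_option_myplugin_telemetry_optin', 'myplugin_toggle_telemetry_schedule', 10, 2 );
function myplugin_toggle_telemetry_schedule( $old_value, $new_value ) {
    $next = wp_next_scheduled( 'myplugin_weekly_telemetry' );
    if ( 'yes' === $new_value && ! $next ) {
        wp_schedule_event( time(), 'weekly', 'myplugin_weekly_telemetry' );
    } elseif ( 'yes' !== $new_value && $next ) {
        wp_unschedule_event( $next, 'myplugin_weekly_telemetry' );
    }
}
```

The endpoint and the payload fields still have to be disclosed in readme.txt and in the wp_add_privacy_policy_content text; opt-in controls whether data is sent, not whether it must be documented.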

Mistake: "The site owner is responsible for privacy, not the plugin developer"

While site owners are the data controllers under GDPR, plugin developers have a responsibility to make privacy compliance possible. If your plugin collects data but does not implement the Privacy API hooks, site owners cannot fulfill data access or deletion requests for your plugin's data. You are creating the tool, and the Plugin Directory requires that tool to support privacy compliance.

Mistake: "I do not need to update my privacy docs when I add features"

Every time you add a feature that changes how your plugin handles data, you must update your privacy documentation. New external connections, additional data storage, changed data retention periods, and new third-party integrations all require updates to your readme.txt, your Privacy API suggested text, and your website privacy policy. Failing to update creates inaccurate disclosures, which is a guideline violation.

How to Create a Privacy Policy for Your WordPress Plugin (6 Steps)

Follow this process to create privacy documentation that satisfies the WordPress Plugin Directory requirements, passes the review process, and helps site owners comply with GDPR and CCPA.

1. Audit all data your plugin collects and stores

Review every database table, option, user meta field, post meta field, and transient your plugin creates. Document what personal data is stored, why it is stored, and how long it is retained. Check for data in custom tables, the wp_options table, wp_usermeta, wp_postmeta, and any file-based storage in wp-content.

2. Map all external connections your plugin makes

Search your code for wp_remote_get, wp_remote_post, wp_safe_remote_get, wp_safe_remote_post, file_get_contents with URLs, cURL calls, and any other outbound HTTP requests. For each connection, document the destination URL, what data is sent, why it is necessary, and the privacy policy of the receiving service.

3. Implement wp_add_privacy_policy_content

Register your suggested privacy policy text using the wp_add_privacy_policy_content function on the admin_init hook. Write clear, specific text that describes what data your plugin collects, where it is stored, whether it is shared with external services, and how long it is retained. Site administrators will see this text on Settings > Privacy in their WordPress admin.

4. Implement the personal data exporter

Register a callback with wp_privacy_personal_data_exporters that exports all personal data your plugin stores for a given email address. Use a privacy policy generator to create the policy text, then implement the exporter to match. This powers the Export Personal Data tool in WordPress admin and is required for GDPR compliance.

5. Implement the personal data eraser

Register a callback with wp_privacy_personal_data_erasers that deletes or anonymizes all personal data your plugin stores for a given email address. Decide whether to fully delete the data or anonymize it based on your plugin's functionality. This powers the Erase Personal Data tool and fulfills the right to erasure under GDPR.

6. Document your practices in readme.txt and your website

Add a Privacy Policy section to your plugin's readme.txt describing what data your plugin handles, any external connections, and a link to your full privacy policy. Publish the full privacy policy on your plugin's website. Keep both documents updated whenever you release a version that changes data handling. The legal requirement for a privacy policy applies to plugins just as it does to websites and apps.
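The three Privacy API hooks described in the Privacy API section and in steps 3 to 5 above, implemented together as an added example. This is not code from the page or from any real plugin: the plugin name, the custom table and its columns, the 12-month retention period and the text domain are assumptions, and WordPress 4.9.6 or later is assumed so that the functions exist.

```php
<?php
// Added example, not code from the page or any real plugin: a hypothetical contact-form
// plugin storing submissions in {$wpdb->prefix}myplugin_submissions
// (id, name, email, message, created_at) and wiring up all three Privacy API parts.
// 1. Suggested policy text, shown on Settings > Privacy (Privacy Policy Guide).
add_action( 'admin_init', 'myplugin_privacy_policy_content' );
function myplugin_privacy_policy_content() {
    $text = '<p>' . __( 'When you submit our contact form we store your name, email address, message and the time of submission for up to 12 months so we can reply. This data is not shared with third parties.', 'myplugin' ) . '</p>';
    wp_add_privacy_policy_content( 'My Plugin', wp_kses_post( $text ) );
}

// 2. Exporter: one item per submission, paginated so large result sets do not time out.
add_filter( 'wp_privacy_personal_data_exporters', 'myplugin_register_exporter' );
function myplugin_register_exporter( $exporters ) {
    $exporters['myplugin'] = array(
        'exporter_friendly_name' => __( 'My Plugin contact submissions', 'myplugin' ),
        'callback'               => 'myplugin_export_personal_data',
    );
    return $exporters;
}

function myplugin_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $rows     = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, created_at FROM {$wpdb->prefix}myplugin_submissions
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'myplugin_submissions',
            'group_label' => __( 'Contact form submissions', 'myplugin' ),
            'item_id'     => 'myplugin-submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name', 'myplugin' ),      'value' => $row->name ),
                array( 'name' => __( 'Message', 'myplugin' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted', 'myplugin' ), 'value' => $row->created_at ),
            ),
        );
    }
    // 'done' => false makes WordPress call back with $page + 1.
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// 3. Eraser: anonymize in place rather than delete, so counts and timestamps survive
// but nothing identifies the person any more.
add_filter( 'wp_privacy_personal_data_erasers', 'myplugin_register_eraser' );
function myplugin_register_eraser( $erasers ) {
    $erasers['myplugin'] = array(
        'eraser_friendly_name' => __( 'My Plugin contact submissions', 'myplugin' ),
        'callback'             => 'myplugin_erase_personal_data',
    );
    return $erasers;
}

function myplugin_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $updated = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}myplugin_submissions SET name = %s, email = %s, message = %s WHERE email = %s",
        wp_privacy_anonymize_data( 'text' ),     // '[deleted]'
        wp_privacy_anonymize_data( 'email' ),    // 'deleted@site.invalid'
        wp_privacy_anonymize_data( 'longtext' ), // 'This content was deleted by the author.'
        $email_address
    ) );
    return array(
        'items_removed'  => (int) $updated > 0, // core reports anonymized rows as removed
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,               // a single UPDATE handles every row
    );
}
```

Both tools under Tools in WordPress admin match on the email address the request was confirmed for, so the exporter and eraser must query by that address rather than by user ID, which is also why anonymous form submissions are still covered.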


Frequently Asked Questions

Does my WordPress plugin need a privacy policy?

If your plugin collects, stores, or processes any personal data, yes. This includes storing form submissions, logging user activity, tracking IP addresses, setting cookies, connecting to external services, or storing any information that can identify a person. The WordPress Plugin Directory requires privacy documentation for all plugins that handle personal data.

What is wp_add_privacy_policy_content and how do I use it?

It is a WordPress core function that lets plugin developers suggest privacy policy text to site administrators. Call it on the admin_init hook with your plugin name and the suggested HTML text. Your text then appears on the Privacy Policy Guide page in WordPress admin under Settings > Privacy, where site administrators can copy it into their site privacy policy.

What are the WordPress privacy exporter and eraser hooks?

WordPress provides wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filter hooks. The exporter lets your plugin provide all personal data stored for a given email address when a site owner processes a data export request. The eraser lets your plugin delete or anonymize personal data for a given email address when a site owner processes a deletion request. Both power the built-in tools under Tools in WordPress admin.

Will my plugin be rejected without a privacy policy?

Plugins that handle user data without proper disclosure can be rejected during the review process. The review team checks for undisclosed external connections, missing Privacy API implementations, and hidden data collection. Plugins already in the directory can be closed for guideline violations. While not every plugin needs a standalone privacy policy, all plugins handling personal data must implement the Privacy API.

Does my plugin need a privacy policy if it only stores data in the WordPress database?

Yes. Storing personal data in the WordPress database is still data collection and storage under privacy laws. Whether your plugin uses custom tables, post meta, user meta, or the options table, if it stores information that can identify a person, you need privacy documentation and must implement the data exporter and eraser hooks.

How do I handle external API connections in my privacy policy?

For each external connection, disclose what data is sent, why it is sent, the receiving server or service, and link to that service's privacy policy. This applies to license servers, update endpoints, analytics services, payment gateways, CDN resources, and any other remote connection. The Plugin Directory team specifically checks for undisclosed external connections.

What is the difference between a plugin privacy policy and a site privacy policy?

A plugin privacy policy documents how your specific plugin handles data and is written by the plugin developer. A site privacy policy is the overall privacy policy for the WordPress website, written by the site owner. Plugin developers use wp_add_privacy_policy_content to suggest text that site owners should incorporate into their site policy. Both serve different audiences but work together for full compliance.
