WordPress collects export and erase personal data when comments, fills a form or creates an account on the site. Now that rules like GDPR and CCPA have become strict, every website owner should give users control over their information.
WordPress has provided some simple tools through which you can export and even delete a user’s data. But it is important to use these tools in the right way, otherwise privacy rules can be violated.
In this guide, all this has been explained to you in a simple way:
- How to export peronal data
- How to delete information of a user
- How to keep your website in accordance with privacy rules
Want to stay ahead with AI-driven WordPress insights and stay updated with the latest trends? Subscribe for daily search insights at wpguidepro to improve your WordPress strategy!
Table of Contents
How to Accept Data Export and Erase Personal Data Requests
WordPress has provided an easy way in which a user can ask for or ask that his data be deleted. These requests are made either through the privacy policy page or through a separate form.
When a user sends a request, he receives an email confirming that he made the request. When he confirms, the request appears in the WordPress admin dashboard > Export Personal Data > Erase Personal Data.
This 2 step system is designed to prevent fraud and allow only real users to access or delete their data.
The system automatically notes the user’s email, request type, and time. Each request also gets a unique confirmation key, so that no one’s data is accessed without permission.
You can also change the email content to suit your brand style if you want, and even tell the user how much time the process takes.
How to Monitor Export and Erase Personal Data Requests
There is a simple place in your WordPress dashboard from where you can view and manage all privacy requests. If a user is asking for his data, check Tools > Export Personal Data. If someone is asking to delete his data, then that request will be found in Tools > Erase Personal Data.
Each request has the user’s email written along with it, on which day the request was sent, and its current status. Like Pending, Confirmed, In Progress or Completed. If you want, you can filter the status and see only urgent or only completed requests.
When the status changes, WordPress automatically sends an email to the user informing them that their request has been received, is under processing, or is complete. You also get an email when a new request comes in, so that you can take timely action.
It’s best to set up a routine check every week or every 2-3 days. Privacy rules often say that you must respond within 30 days. And if you have a team, assign a person who just looks at these requests, so that no one’s work is delayed.
How to Export Personal Data in WordPress
WordPress automatically exports user data when the user requests it. The system checks all personal information related to the email address such as comments, user profile, and data saved via plugins.
If you want to export a user’s data, go to Tools in the dashboard and open the Export and erase Personal Data option. Find the request that has been confirmed, then click on Send Export Link. WordPress creates a ZIP file that contains all the user data in JSON format. This data is arranged in such a way that each source looks different so it’s easy to understand.
This file contains user account details, a record of their comments, and other information collected by WordPress. If you have installed extra plugins like WooCommerce, Contact Form 7 or Gravity Forms, their data also comes in this file. Just make sure that the plugin is working properly with the WordPress system.
For security, WordPress automatically deletes this file after 72 hours. The user gets an email with a link to download the data and simple instructions. If the user does not use the link within three days, he has to send the request again.
How to Erase Personal Data in WordPress
When you export and erase personal data of any user, WordPress deletes that data permanently. For this, go to the Tools section and click on Erase Personal Data. Then look for the request which has already been confirmed.
From there, when you click on the Erase Personal Data button, the deletion process starts. WordPress also deletes user data such as comments, profile info and data of some plugins. If the user’s name or email is written in the comments, it is deleted and the name is displayed plainly so that the layout of the comment remains the same.
Sometimes there is some data which the system cannot delete on its own. This could be due to some technical issue or some legal rule. WordPress marks such data separately so that you can decide what to do with it later. This is usually admin user data or other information that needs to be recorded.
When data is deleted, the user receives an email informing him that the work has been completed. WordPress only remembers that the request was completed, but data that has been deleted is never saved again.
Ensure Your Site is Fully GDPR Compliant
In addition to exporting and deleting data, to comply with GDPR you need to have a proper privacy system in place on your entire WordPress site. First of all, make sure that whenever you collect data from the user for example, for a contact form or newsletter, you are getting explicit permission from them.
Informing the user about cookies is also important. You can use a cookie consent plugin, such as Cookie Notice, GDPR Cookie Compliance, and CookieBot. These plugins help you sort cookies, get proper approval from the user, and give them control over what data they want to share.
You should review all the data being collected on your site and understand why you are collecting that data. Update your privacy policy and explain in simple terms what data you are collecting, why you are collecting it, and what rights the user has to it. WordPress generates a built-in privacy policy which is helpful to get started, but it’s a better idea to get it checked by a legal expert.
Avoid collecting more data than necessary. Only collect information that is actually useful. Check your forms, analytics tools, and other third-party tools to make sure they are collecting too much personal data. Keep checking regularly so that you can delete unnecessary data and it becomes easy to follow the rules.
Bonus Tip: Create a Do Not Sell or Share My Personal Info Page
California law CCPA says that every website should have a simple option where people can ask not to share their personal information with anyone. Even if you don’t sell data, if you share information with an ad company or analytics tool, that still falls under this rule.
The solution to this is to create a separate page on your site where it is written in simple words what information you share, with whom you share it, and how people can stop that sharing. On that page, also mention links where people can turn off ads or tracking tools, such as the opt-out page for Google Analytics. This page should be easily accessible in your privacy policy and website menu.
If you want, make it part of a simple privacy settings where people can control their data. When people have this control, they trust their information more and don’t send many privacy requests.
FAQs About Personal Data Management in WordPress
How much time is required to respond to a data request?
Usually 30 days are given to respond, as in GDPR. If the request is a little difficult, then an additional 60 days can be given. 45 days are given in CCPA rules, and if needed, an extension of another 45 days is also given. The rules of each country can be slightly different, so it is important to check the local law.
What should I do if I cannot fulfill the data request?
If there is some technical or legal reason due to which it is not possible to provide the data, then a record of it should be kept. Tell the user in clear and simple terms what the issue is, and what you can do. If it is a complex case, it is best to seek guidance from a legal expert.
Does every plugin work with WordPress’s export and erase personal data tools?
No, not all plugins are compatible. In particular, for plugins that take personal user data – such as contact forms, shops, or membership systems. you should confirm with their developer whether they work well with WordPress’s data tools or not.
Can charges be taken for processing the data request?
In most cases, no fees should be taken. GDPR only allows when the request is useless or is being made repeatedly. CCPA allows reasonable fees in certain situations. But in general, it’s best practice to process genuine requests for free.
