Brazil’s Lei Geral de Proteção de Dados, the General Data Protection Law, is one of the most significant data privacy laws in the world. If your WordPress website collects, stores, or processes personal data from Brazilian users, LGPD compliance is not optional. It is a legal obligation that carries real financial and reputational consequences.
This guide breaks down exactly what LGPD means for your WordPress site and walks you through every step of the compliance process. Whether you run a business website, an e-commerce store, or a content-driven blog, this checklist gives you the actionable framework you need.
LGPD (Lei Geral de Proteção de Dados) is Brazil’s federal data protection law that applies to any website, regardless of country, that collects or processes personal data from individuals located in Brazil.
WordPress site owners must obtain explicit user consent before collecting data, publish a transparent privacy policy, implement a cookie consent mechanism, honor data subject rights such as access and deletion, and secure personal data using HTTPS and access controls. Non-compliance can result in fines of up to 2% of Brazilian revenue per violation.
Why LGPD Compliance Matters for WordPress Websites
LGPD compliance helps WordPress website owners protect user data, meet legal obligations, and build trust with visitors who share personal information online.

Understanding Brazil’s General Data Protection Law (LGPD)
Brazil enacted the LGPD (Law No. 13,709) in August 2018. Most of its provisions entered into force in September 2020, and the ANPD's power to apply administrative sanctions began in August 2021. The law governs how organizations collect, use, store, share, and delete personal data belonging to individuals in Brazil.
Under LGPD, personal data includes any information that can identify a person, directly or indirectly. This covers names, email addresses, IP addresses, location data, behavioral data collected through cookies, and even device identifiers.
The law is built around ten legal bases for data processing. These include consent, legitimate interest, contract performance, legal obligation, and the protection of life and health, among others. Organizations must identify and document a valid legal basis before processing any personal data.
LGPD also establishes clear data subject rights. Users have the right to access their data, correct inaccurate information, request deletion, withdraw consent, and receive their data in a portable format. Your WordPress website must be able to honor all of these rights.
Who Must Comply With LGPD?
LGPD applies to any organization, regardless of country, that:
- Processes personal data of individuals located in Brazil
- Offers or provides goods or services to individuals in Brazil
- Collects personal data in Brazil
This extraterritorial scope means a website based in the United States, Europe, or Asia must still comply with LGPD if it receives traffic from Brazilian users and processes their personal data.
Small businesses and individual website owners are not automatically exempt. If your analytics tool, contact form, or newsletter plugin captures data from Brazilian visitors, you fall within the law’s scope.
How LGPD Applies to WordPress Websites Worldwide
WordPress websites interact with personal data in dozens of ways. Contact forms capture names and email addresses. Analytics platforms like Google Analytics collect IP addresses and behavioral data.
E-commerce checkouts process payment information and shipping addresses. Comment sections store names and email addresses. Membership plugins hold login credentials and subscription details.
Every one of these data touchpoints is subject to LGPD if the user is located in Brazil. As part of building WordPress privacy compliance into your site, you must understand each point where personal data enters, moves through, or exits your system.
Key Differences Between LGPD and GDPR
LGPD is often compared to the European Union’s General Data Protection Regulation (GDPR), and the two frameworks share significant structural overlap. Both require lawful bases for processing, mandate consent where appropriate, and provide robust data subject rights.
However, there are important distinctions. LGPD recognizes 10 legal bases, compared to GDPR’s 6. LGPD also includes “credit protection” as a standalone legal basis, which has no equivalent in GDPR.
The enforcement model differs, too: Brazil’s data protection authority (ANPD) has developed its own guidelines and adopted a phased approach to penalties.
LGPD also has specific provisions for sensitive personal data, such as racial or ethnic origin, religious beliefs, political opinions, health data, genetic or biometric data, and data about sex life. Processing this category requires specific, highlighted consent for a stated purpose unless one of the narrower exceptions in the law applies (for example, a legal obligation or the protection of life).
Penalties and Risks of LGPD Non-Compliance
The ANPD can impose significant administrative sanctions on organizations that violate the LGPD. Fines in Brazil can reach up to 2% of a company’s revenue in the prior fiscal year, capped at 50 million Brazilian Reais per violation. Repeat violations, negligence, and failure to cooperate with authorities can lead to higher penalties.
Beyond financial penalties, non-compliant organizations face the risk of:
- Suspension of data processing activities
- Partial or total prohibition on activities related to data processing
- Reputational damage and loss of user trust
- Mandatory public disclosure of violations
For any business that depends on website traffic and digital customer relationships, the reputational impact can be more damaging than the fine itself.
How LGPD Affects Data Collection on WordPress Websites
LGPD fundamentally changes the relationship between your website and the personal data it handles. Before LGPD, many websites collected data passively, stored it indefinitely, and shared it with third parties without the user’s explicit knowledge. LGPD prohibits all of that.

Under LGPD, data collection must be purposeful, disclosed, and lawful. Users must understand what data is being collected, why it is being collected, how long it will be stored, and who will have access to it.
On a practical level, this affects nearly every standard WordPress feature. Your comment forms, contact pages, newsletter subscriptions, login systems, shopping carts, and analytics integrations are all impacted.
Cookie-based tracking deserves special attention. The ANPD's cookie guidance treats non-essential cookies, especially third-party cookies used for advertising, retargeting, and behavioral analytics, as requiring prior, informed, and explicit user consent. A cookie banner therefore has to do more than display a notice: it must keep the non-essential scripts from running until the user has given consent, and it must honor a refusal.
Plugin integrations also come under scrutiny. If you use tools like Google Analytics, Facebook Pixel, HubSpot, Mailchimp, or similar platforms, you are transferring user data to a third party.
LGPD requires you to disclose this, verify that those third parties have adequate data protection measures in place, and, in some cases, sign data processing agreements with them.
LGPD Compliance Checklist for WordPress Website Owners
Use this practical checklist to identify compliance gaps and implement the essential privacy, security, and consent requirements outlined under Brazil’s LGPD.
Conduct a Personal Data Audit
Start by understanding exactly what personal data your WordPress site collects and where it lives. A data audit maps every data input point, every place where data is stored, every third-party to which it flows, and every person within your organization who can access it.
Connect to your WordPress database and review the stored data in the user tables (wp_users, wp_usermeta), the comment tables (wp_comments, wp_commentmeta), the tables your form plugins create for submissions, and the WooCommerce order tables (order posts and meta in wp_posts and wp_postmeta, or the wp_wc_orders tables when high-performance order storage is enabled). The "wp_" prefix may differ on your install.
Check your hosting account for web server access logs, which typically record visitor IP addresses and user agents and have their own retention settings. Review your email marketing integrations and CRM tools for data stored outside WordPress.
Document your findings in a data inventory. This forms the foundation of your entire LGPD compliance program.
Identify All Data Collection Points on Your Website
Once your audit is complete, map every point on your website where data enters. Common data collection points on WordPress sites include:
- Contact and inquiry forms
- Newsletter subscription forms
- User registration and login forms
- WooCommerce and other e-commerce checkout flows
- Comment sections
- Live chat widgets
- Social media login integrations
- Analytics scripts and tracking pixels
For each collection point, note what data fields are captured, what happens to that data after submission, and which plugin or service handles it.
Document the Legal Basis for Processing Personal Data
Every data processing activity must have a documented legal basis under LGPD. Do not assume consent covers everything. Review each activity separately.
For example, processing an email address to fulfill a product order is covered by contract performance. Sending a newsletter to that same address requires separate consent.
Running behavioral analytics on visitors requires consent. Maintaining records for tax compliance falls under a legal obligation.
Create a Record of Processing Activities (ROPA) document that lists each data activity, the type of data involved, the legal basis, the retention period, and the responsible party.
Update Your WordPress Privacy Policy for LGPD Compliance
Your privacy policy is a legally required document. LGPD mandates that it be written in clear, accessible language, not dense legal jargon. It must disclose:
- What personal data you collect, and from whom
- Why you collect it, and the legal basis for each activity
- Who you share it with, including third-party services
- How long you retain each category of personal data
- The data subject rights users can exercise, and how to do so
- Contact details for your data protection officer or responsible party
- Information about international data transfers, if applicable
Update your privacy policy to include all of this information. WordPress core lets you designate a privacy policy page under Settings → Privacy and provides a starter template, but the template must be completed with your site's actual practices. Make the policy easy to find: link it in your website footer, on registration forms, and at every data collection point. A generic or outdated privacy policy does not satisfy LGPD requirements.
Create a Clear Cookie Policy
In addition to your main privacy policy, you need a dedicated cookie policy. This document explains the cookies your website uses, their categories (strictly necessary, functional, analytics, or marketing), who sets them, and how long they last.
Be specific. List the actual cookies your site uses, the purpose of each one, and whether they are first-party or third-party cookies. Users have a right to know exactly what is tracking them.
Your cookie policy should also explain how users can withdraw consent for non-essential cookies and how they can change their preferences at any time.
Implement a Cookie Consent Banner
A compliant cookie consent banner does two things: it informs users about cookies before any non-essential cookies are loaded, and it provides a genuine mechanism to accept or reject them.

Pre-checked consent boxes do not satisfy LGPD. Burying a rejection option in three layers of menus does not satisfy LGPD. Legitimate consent banners must present a clear accept and reject option at the first layer.
As part of implementing cookie consent in WordPress, use a consent management platform or a dedicated plugin. Tools like CookieYes, Complianz, or Borlabs Cookie can block non-essential scripts until the user gives consent, log consent records, and respect user preferences across sessions.
Obtain Explicit User Consent Before Data Collection
Consent under LGPD must be free, informed, specific, and unambiguous. This means users must actively opt in, not be opted in by default. A pre-ticked checkbox next to “I agree to receive marketing emails” does not count as valid consent.
For each consent-based data activity on your site, present a clear, standalone consent statement in plain language. Tell users what they are consenting to. Make sure they can decline without losing access to your core service. Store a timestamped record of every consent given, including what the user agreed to and when.
Enable Consent Management for Marketing and Analytics Cookies
Marketing and analytics cookies require separate, explicit consent under LGPD. This means your consent banner must allow users to accept or reject each category independently.
A user should be able to accept analytics cookies while rejecting marketing cookies, and vice versa. Your consent management system must honor these granular choices and apply them to every script, pixel, and tracking tag on your site.
Google Tag Manager can be a useful tool here. When paired with a compliant consent mode configuration, it can conditionally fire tags only after the relevant consent has been obtained. Ensure your Google Analytics, Facebook Pixel, and similar integrations respect consent status before loading.
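The gating behaviour described in this section (keep non-essential scripts inert until the visitor consents, honor each category separately, and tell Google's tags what was decided) can be demonstrated without a plugin. The following is an added example written for this page, not code from CookieYes, Complianz, Borlabs Cookie, or Google. It assumes a convention of this example's own: third-party scripts are embedded as inert placeholders such as `<script type="text/plain" data-consent="analytics" data-src="https://...">`, and only the placeholders whose category the visitor accepted are swapped for real script tags. The Consent Mode v2 parameter names are Google's; the mapping from the four cookie categories to those signals is this example's.

```javascript
// Added example: category-based consent gating for third-party scripts.
// Not code from any plugin named on this page. Placeholder convention
// (type="text/plain" plus a data-consent attribute) is this example's own.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// State before the visitor has chosen anything: only strictly necessary is allowed.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Given the visitor's choices, return the ids of placeholder scripts that may run.
// `scripts` is an array of { id, category }. A missing or unknown category is
// treated as marketing, the most restrictive reading, so an unlabeled tag never
// slips through on a partial consent.
function scriptsToActivate(consent, scripts) {
  return scripts
    .filter(s => {
      const cat = CATEGORIES.includes(s.category) ? s.category : 'marketing';
      return consent[cat] === true;
    })
    .map(s => s.id);
}

// Translate category choices into the signals Google Consent Mode v2 expects.
// Parameter names are Google's; which category drives which signal is our choice.
function toConsentModeUpdate(consent) {
  const flag = ok => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: flag(consent.analytics),
    ad_storage: flag(consent.marketing),
    ad_user_data: flag(consent.marketing),
    ad_personalization: flag(consent.marketing),
    functionality_storage: flag(consent.functional),
    security_storage: 'granted', // strictly necessary; never gated
  };
}

// Browser glue: replace allowed placeholders with real <script> tags and push the
// decision to gtag if it is present. Returns the number of scripts activated.
function activateScripts(consent) {
  if (typeof document === 'undefined') return 0; // not running in a browser
  const nodes = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  const descriptors = nodes.map((n, i) => ({ id: i, category: n.dataset.consent }));
  const allowed = new Set(scriptsToActivate(consent, descriptors));
  let activated = 0;
  nodes.forEach((n, i) => {
    if (!allowed.has(i)) return; // stays inert until a later consent update
    const real = document.createElement('script');
    if (n.dataset.src) real.src = n.dataset.src;
    else real.textContent = n.textContent; // inline snippet (e.g. a pixel bootstrap)
    n.replaceWith(real);
    activated += 1;
  });
  if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
    window.gtag('consent', 'update', toConsentModeUpdate(consent));
  }
  return activated;
}
```

In a real deployment the banner's "Accept selected" handler would persist the consent object (see the consent record section below for what to store), then call `activateScripts(consent)`; `gtag('consent', 'default', toConsentModeUpdate(defaultConsent()))` must run before any Google tag loads so that the tags start in the denied state.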
Review Contact Forms and Lead Generation Forms
Contact forms are one of the most common sources of personal data on WordPress websites. They capture names, email addresses, phone numbers, and sometimes sensitive business or health-related information.
Audit every form on your site. Confirm that each form only collects the data it genuinely needs, a principle called data minimization. Remove any fields that are not strictly necessary for the stated purpose.
Review how form submissions are stored. Many popular WordPress form plugins store submissions in the database, where they can accumulate indefinitely. For LGPD compliance, you need a retention policy for these records and a process for deleting old submissions.
Add Consent Checkboxes to Forms
Every form that collects personal data for a purpose beyond fulfilling the immediate request, such as adding a user to a marketing list, must include a clearly worded, unchecked consent checkbox.
The checkbox text must describe what the user is consenting to in plain language. Avoid vague language like “I agree to the terms.”
Use specific language, such as “I consent to being contacted by email about products and services.” Do not link consent to form submission itself; users must be able to submit the form without also agreeing to marketing.
If you use the contact details only to answer the inquiry the person sent, that falls under contract performance (including the preliminary steps toward a contract), so no separate marketing consent is needed. But if you use the email address to send newsletters, that requires a separate, optional consent checkbox.
Make Consent Records Accessible and Verifiable
Consent is only valid if you can prove it. Your WordPress system must store a complete record of every consent, including the user’s identifier, the exact consent text they agreed to, the date and time of consent, and the method by which it was given.
Some consent management plugins handle this automatically. If yours does not, implement a custom logging mechanism or integrate with a CRM that captures consent history.
These records become your audit trail. In the event of a complaint or investigation by the ANPD, you must be able to produce consent records promptly and accurately.
Configure User Data Access and Data Portability Requests
LGPD gives users the right to access all personal data you hold about them and to receive it in a portable format, typically a machine-readable file like CSV or JSON.
Your WordPress site needs a defined process for handling these requests. WordPress core includes Tools → Export Personal Data, which collects the data core and participating plugins hold for an email address into a downloadable archive; plugins add their own data to it through the wp_privacy_personal_data_exporters filter. Pair this with a dedicated request form and an identity check before releasing anything.
Set a clear response timeline. LGPD itself fixes it: a simplified response must be given immediately, and a full, clear declaration within 15 days of the request.
When a request comes in, gather data from every system where that user’s information is stored: your WordPress database, your email marketing platform, your CRM, your analytics tool, and any other integrated service.
Enable User Data Correction and Deletion Requests
Users also have the right to correct inaccurate personal data and to request deletion of their data in many circumstances. These are known as the right of rectification and the right of erasure.
Your process must allow authenticated users to correct their own data through the WordPress user profile or through a request form, and must verify the identity of anyone making a request about someone else's account.
For deletion requests, you must be able to remove or anonymize all personal data associated with a user, including their comments, orders, form submissions, and any records in third-party tools. WordPress core's Tools → Erase Personal Data handles core data and any plugin that registers an eraser (wp_privacy_personal_data_erasers); data in external services such as your email platform or CRM has to be removed through those services separately.
Standard WordPress security practice recommends applying the principle of least privilege to access to user data: only those who need it should be able to view or modify it. The same principle supports LGPD's security and necessity requirements.
Note that deletion is not absolute. LGPD allows you to retain data when required by legal obligation, for the protection of legal rights, or for public interest reasons. Document your rationale for any retention exceptions.
Secure User Data With SSL and HTTPS
Securing personal data in transit is a baseline technical safeguard under LGPD's security requirement. Every WordPress website that collects personal data should serve all pages over HTTPS so that data exchanged between the user's browser and your server is encrypted and cannot be read or altered in transit.
If your site is still running on HTTP, forcing HTTPS on WordPress is a critical first step. Obtain a TLS certificate (still widely called an SSL certificate) through your hosting provider; most managed WordPress hosts include one for free. Then set both the WordPress Address and Site Address to https:// under Settings → General, define FORCE_SSL_ADMIN in wp-config.php so logins and the dashboard are never served over HTTP, and redirect all HTTP requests to HTTPS at the web server. Once everything works over HTTPS, consider adding an HTTP Strict Transport Security header so browsers refuse to fall back.
HTTPS protects login credentials, form submissions, and payment data from interception. Without it, personal data travels across the network in cleartext, creating both legal and security risks.
Strengthen WordPress Login and Authentication Security
LGPD requires appropriate technical safeguards to protect personal data. Weak login security is one of the most common vulnerabilities that leads to unauthorized data access.

Implement two-factor authentication for WordPress on all administrator accounts and preferably on all user accounts. Two-factor authentication requires a second verification step beyond a password, making it significantly harder for attackers to gain unauthorized access.
Additionally, enforce strong password policies and limit login attempts to slow brute-force attacks. A custom login URL reduces noise from bots that probe the default wp-login.php path, but it is obscurity rather than a control: rate limiting and two-factor authentication are what actually stop credential attacks. Security plugins like Wordfence or All-in-One WP Security offer these protections as part of a comprehensive suite.
Limit Access to Personal Data Within Your Organization
LGPD’s principle of data minimization extends to internal processes. Not every member of your team needs access to personal data. A content editor does not need to see customer order data. A social media manager does not need access to your WooCommerce database.
Configure WordPress user roles carefully. Assign the lowest level of access needed for each person’s job function. Remove admin access from accounts that no longer need it. Conduct regular access reviews; quarterly is a reasonable cadence for most organizations.
WordPress website security policies should document who has access to what data and why. This internal governance document supports both LGPD compliance and general security best practices.
Secure WordPress Backups Containing Personal Data
WordPress backups frequently contain sensitive personal data: user records, order histories, form submissions, and database tables full of personal identifiers. Under LGPD, backup files are subject to the same protection requirements as live data.
Use a reliable WordPress backup plugin to schedule automated, encrypted backups. Store the files in a secure location, such as encrypted cloud storage with access restricted to the people who run restores. Do not keep unencrypted backups on your local computer or an insecure shared drive. Remember that data you delete from the live site persists in older backups, so define a backup retention period and rotate backups out; otherwise a deletion request is only partly honored.
Apply the same access control principles to backups that you apply to your live database. If an attacker accesses an unencrypted backup file, they gain access to all the personal data your site has ever collected. Treat backups as high-value data assets, not afterthoughts.
Review Third-Party Plugins for LGPD Compliance
Every plugin you install on your WordPress site is a potential data processor. Plugins that handle personal data, form builders, email marketing integrations, CRM connectors, live chat tools, and membership systems must process that data in compliance with LGPD.
Review the privacy policies and data processing agreements of every plugin that handles personal data. If a plugin sends data to a third-party server, you need to know where that server is located, what data is transferred, and what the vendor does with it.
Plugin security matters here as well. Outdated or abandoned plugins can create vulnerabilities that expose personal data to unauthorized access. Keep all plugins up to date and remove any that are no longer maintained.
Where required, sign Data Processing Agreements (DPAs) with plugin vendors and third-party services that process personal data on your behalf.
Assess Analytics, Advertising, and Tracking Integrations
Analytics and advertising tools are among the most data-intensive integrations on any WordPress site. Google Analytics, Facebook Pixel, Google Ads, LinkedIn Insight Tag, and similar tools collect substantial behavioral data about your visitors.
Under LGPD, these tools require consent before loading. Configure Google Consent Mode v2 to ensure Google’s tracking tags respect the user’s consent status. Set up your Facebook Pixel to fire only after marketing consent is granted via your consent management platform.
Review what data each tool collects, how long it retains it, and whether you can configure it to reduce data collection when consent is not granted. Note that the "IP anonymization" switch applied to Universal Analytics; Google Analytics 4 does not store full IP addresses, so the remaining levers there are data retention settings and keeping tags gated behind consent.
Use your consent management platform to control when each tracking script loads. Scripts should remain blocked until the user provides the appropriate consent category.
Establish a Data Retention and Deletion Policy
Collecting personal data without a defined endpoint violates LGPD’s data minimization and storage limitation principles. You must establish a clear policy that defines how long each category of personal data is retained and what happens when the retention period ends.
For example, a policy might state that contact form submissions are retained for 12 months and then permanently deleted; that newsletter subscriber data is retained while the subscription is active and for 30 days after unsubscription; and that e-commerce order data is retained for 5 years for tax compliance purposes. Note that the clock starts from a different event in each case.
Document this policy formally and implement it technically. Many WordPress plugins allow you to configure automatic data deletion after a set period. Build deletion routines into your WordPress maintenance checklist so data is cleaned regularly and consistently.
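The policy above is only enforceable if something actually applies it to stored records. As an added example for this page (not code from any WordPress plugin), the following takes a policy written like the one in the text, where each category has its own starting event and duration, and decides per record whether it is due for deletion. It keeps a record whenever the clock has not started (an active subscription), whenever a legal hold is set (the retention exceptions discussed under deletion), and whenever no policy exists for the category, so an unclassified data store is surfaced for review rather than silently kept or wiped. The record shapes, field names and sample rows are constructed for this example.

```javascript
// Added example: applying a written retention policy to stored records.
// Not code from any WordPress plugin; record shapes and field names are this example's own.
const DAY_MS = 24 * 60 * 60 * 1000;

// One rule per data category: which timestamp starts the clock, and for how many days.
const RETENTION_POLICY = {
  contact_form: { startField: 'submittedAt',    days: 365 },
  newsletter:   { startField: 'unsubscribedAt', days: 30 },      // null while still subscribed
  order:        { startField: 'orderedAt',      days: 5 * 365 }, // tax records, legal obligation
};

// Decide 'delete' or 'keep' for one record. `reason` is written to the audit log.
function retentionDecision(record, now, policy = RETENTION_POLICY) {
  const rule = policy[record.category];
  if (!rule) return { action: 'keep', reason: 'no policy for category; review manually' };
  if (record.legalHold) return { action: 'keep', reason: 'legal hold' };
  const start = record[rule.startField];
  if (!start) return { action: 'keep', reason: `retention clock not started (${rule.startField} unset)` };
  const expires = Date.parse(start) + rule.days * DAY_MS;
  if (Number.isNaN(expires)) return { action: 'keep', reason: 'unparseable date; review manually' };
  return now.getTime() >= expires
    ? { action: 'delete', reason: `more than ${rule.days} days since ${rule.startField}` }
    : { action: 'keep', reason: 'within retention period' };
}

// Evaluate a batch: return the ids to delete and one log line per record so the
// run itself is documented, which is what an auditor will ask for.
function sweep(records, now, policy = RETENTION_POLICY) {
  const toDelete = [];
  const log = [];
  for (const r of records) {
    const d = retentionDecision(r, now, policy);
    if (d.action === 'delete') toDelete.push(r.id);
    log.push(`${now.toISOString()} ${r.category} ${r.id} ${d.action}: ${d.reason}`);
  }
  return { toDelete, log };
}

// Constructed sample rows (not real submissions or orders).
const SAMPLE_RECORDS = [
  { id: 'cf-1', category: 'contact_form', submittedAt: '2023-01-10T09:00:00Z' },
  { id: 'cf-2', category: 'contact_form', submittedAt: '2024-05-20T09:00:00Z' },
  { id: 'nl-1', category: 'newsletter', unsubscribedAt: null },
  { id: 'nl-2', category: 'newsletter', unsubscribedAt: '2024-04-01T00:00:00Z' },
  { id: 'or-1', category: 'order', orderedAt: '2018-03-03T00:00:00Z' },
  { id: 'or-2', category: 'order', orderedAt: '2018-03-03T00:00:00Z', legalHold: true },
  { id: 'xx-1', category: 'chat_transcript', createdAt: '2020-01-01T00:00:00Z' },
];
```

Run on 1 June 2024, this flags cf-1, nl-2 and or-1 for deletion and keeps the rest, each with a stated reason. In WordPress the equivalent job would run from WP-Cron against the plugin's submission tables and WooCommerce orders; the deletion step must also reach the external tools that hold copies (email platform, CRM) and be reflected in your backup rotation, or the data is only gone from one place.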
Create a Data Breach Response Plan
LGPD requires organizations to notify the ANPD and affected data subjects of security incidents that may pose a relevant risk or cause harm to data subjects. The ANPD's security-incident regulation (2024) sets the deadline at three business days from the moment the organization becomes aware of the incident, and the notification content it specifies includes the nature of the data affected, the people affected, the measures taken, and the risks involved.
A data breach response plan defines who is responsible for detecting breaches, how breaches will be assessed for severity, who must be notified, and how breaches will be contained and remediated.
For WordPress site owners, repairing a hacked website is stressful and time-critical. Having a response plan in place before a breach occurs speeds up containment and keeps the legal notification clock in view. Before cleaning the site, preserve evidence: snapshot the files and database and copy the web server and access logs, since you will need them to determine what data was exposed and who is affected.
Your plan should include a contact list for your hosting provider, your legal counsel, your data protection officer, and the ANPD. It should also include a log template for documenting the timeline of events before, during, and after a breach.
Maintain Records of Data Processing Activities
LGPD requires data controllers and processors to maintain Records of Processing Activities (ROPA). These records document every way your organization processes personal data, the purpose, legal basis, data categories involved, recipients, and retention periods.
Your ROPA does not need to be complex, but it must be accurate and up to date. A well-maintained spreadsheet or a purpose-built compliance tool can serve as your ROPA. Include every data processing activity, forms, analytics, email marketing, backups, user accounts, and third-party integrations.
Review and update your ROPA whenever you add a new plugin, integrate a new service, or change the way you use personal data. Treat it as a living document, not a one-time exercise.
Regularly Review and Update Compliance Measures
LGPD compliance is not a one-time project. Privacy regulations evolve, and so do the ways your website collects and processes data. Plugins get updated. Third-party services change their data practices. Your business grows and adds new data collection touchpoints.
Schedule a formal compliance review at least twice a year. During each review, reassess your data inventory, verify that your privacy and cookie policies are up to date, confirm that your consent mechanisms are functioning correctly, and test your data subject rights processes.
Whoever maintains your site, whether an in-house team or an agency, should treat technical compliance as part of routine maintenance: plugin updates, security patches, certificate renewals, and database hygiene all affect your LGPD posture.
Stay informed about the ANPD’s guidance. Brazil’s data protection authority continues to issue guidance, model clauses, and enforcement decisions that refine how LGPD applies in practice.
Conclusion: Building and Maintaining LGPD Compliance in WordPress
LGPD compliance for WordPress websites is achievable when you approach it systematically. The checklist in this guide covers every major requirement, from the initial data audit to ongoing reviews. No single item on this list is optional if your website collects personal data from Brazilian users.
The most important mindset shift is treating compliance as an ongoing operational practice rather than a one-time technical fix. Data privacy law affects every new plugin you install, every new form you add, every new analytics tool you integrate. Building privacy into your development and maintenance workflow is what sustains compliance over time.
Start with the data audit. Map your data flows. Update your privacy policy and cookie policy. Implement consent management. Secure your data with HTTPS and strong authentication. Apply retention policies. And build a response plan for when things go wrong.
WordPress security plugins also supply technical tools that support an LGPD compliance program, from access control and two-factor authentication to malware scanning and activity logging. Security and privacy compliance reinforce each other.
Your users in Brazil and globally are increasingly aware of their data rights. A website that respects those rights builds trust, reduces legal risk, and demonstrates the kind of professionalism that drives long-term brand loyalty. LGPD compliance is not just a legal obligation. It is a competitive advantage.
FAQs About LGPD Compliance
Does my WordPress website need to comply with LGPD?
Yes. LGPD applies if your website collects, processes, or stores personal data from people in Brazil. This rule applies even if your business operates outside Brazil.
What personal data does LGPD protect?
LGPD protects information that can identify an individual. Examples include names, email addresses, phone numbers, IP addresses, location data, and payment details.
How can I make my WordPress site LGPD compliant?
Start by auditing your data collection practices. Update your privacy policy, obtain user consent where required, secure personal data, manage cookies properly, and provide users with ways to access or delete their information.
Do I need a cookie consent banner for LGPD compliance?
In many cases, yes. If your website uses non-essential cookies for analytics, advertising, or tracking, you should inform users and obtain their consent before activating them.
Is GDPR compliance the same as LGPD compliance?
No. While GDPR and LGPD share many principles, they differ in their legal requirements and enforcement frameworks. A GDPR compliant site may still need adjustments to fully meet LGPD requirements.