Legal disclaimer / disclosure:
Nothing in this article or on this website should be considered legal advice. No single plugin or change will make your website 100% privacy friendly (or compliant with any privacy laws). This blog post is provided as guidance with good intentions, on an “as-is” basis, without warranty (or any sort of business or attorney-client relationship / contract) and provides some suggestions to help you get started to be more privacy-friendly and encouraging you to do more research into making your business more privacy-friendly. When in doubt, it’s best to consult with a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdiction(s) and use case(s).
Being privacy-friendly is not something many websites take into consideration. Why you should you make your website more privacy-friendly? There are numerous reasons, from showing that you want to give your website visitors choice in what data you store about them, that you aren’t just offering your website visitors data to any company, it helps your website stand out as a website (or company) that cares about website visitors data, and it shows that you care about your website visitors privacy.
Now that you know why you should, there are many things you can do to make your website more privacy-friendly. Most of these things can be applied to any website but certain ones many apply to only certain web platforms (like WordPress).
If you have a comments section (there are many reasons as why you may want to keep comments on or turn them off) and use avatars you aren’t privacy friendly by default. As by default WordPress uses Gravatar, and since around 35% of the web uses WordPress (according to https://wordpress.org/), Gravatar may track where and when your website visitors leave a comment and keep it “for as long as they have a reason to keep it“. Either have the avatars be randomly generated (like many of the choices are in WordPress), use a plugin like Pixel Avatars, or turn off avatars all together. If you are using WordPress and you want to change the avatars you can follow the guide at Elegant Themes. There are also many other comment platforms / addons like Disqus which don’t tend to have the best privacy record. There are so many better alternatives some of which you can see a list at AlternativeTo.
Do you really need to know exactly how someone got to your website, how long they spent on each page, what page they left at, and where they are in the world? All that data is collected by your website analystics, which you most likely only actually use a portion of. Most people tend to use Google Analystics since it’s free and fairly easy to use. As stated in the section about Fonts, Google is untrusted by those who care about their privacy but there are many alternatives that are available (they range in price and include free and open source alternatives). By default any analystics record everything, most analystics software have some options to decrease the amount of recording it does. Doing everything from anonymising the last octet of an ip address (so you would see 192.168.1.0), to only keep very general analystics reports (like Fathom Analytics (affiliate link) and Simple Analystics do). To find these options you will have to go into your analystics settings, sometimes they are easy to find and sometimes you will have to contact the support team to get help.
Nobody needs to know exactly where a website visitors mouse moves, and yet that is what you are doing if you have a heatmap (or session replay) on your website. There is no privacy alternative, the best thing to do is just turn it off, remove it, and delete your account with that heatmap company. Some of the most well known heatmap companies are, Hotjar, Smartlook, LiveSession, FullStory.
Content Delivery Network’s (known as CDN from here on) are what many sites use to protect their website (from DDos), make it faster for website visitors, and be able to handle many people coming to your website at the same time. That is what is great about CDN’s, what’s not great is that when you turn on the CDN and get it connected to your website now every website visitors will have to go through that CDN in order to see your website. Which means that the CDN has all that data about your website visitor and can decide who gets through to your website (and who doesn’t). What happens when the CDN goes down? Your website could become unreachable. Which has happened before.
If you want to show off something from another website and don’t just want to link to it you will embed it. Anything you embed acts like the website visitor has gone to that site. To protect your website visitors privacy I would suggest just giving a link to what you want to show them, or using a privacy friendly alternative (like using Invidious instead of YouTube, and Nitter instead of Twitter, and openStreetMap instead of Google Maps) to embed.
If you advertise your website on other websites (like doing Facebook ads) and you want your website to be privacy friendly then you need to stop with the ads. As almost all of these ad companies get you to put something on your website so you can see how many people have actually clicked on the ad and gone to your site (and if they have taken another step). With those things the ad companies can just about track anything on your website and use that data to their advantage (they say to your advantage but in reality those companies are just collecting more and more data and selling it). If you wish to do marketing for your website or business then there are ethical ways to so, Marko Saric has your guide.
Captcha. Most websites use some sort of captcha to stop bots from filling in forms, or doing things only humans should be doing. Google recaptcha is the most popular option, there are many reasons why you shouldn’t add it to your website, and it tends not to be useable in certain parts of the world but there are many privacy-friendly alternatives.
If you do need to collect some of your website visitors data then get explicit consent from your website visitor before doing so, or before sending their data to a third-party (either because of embed content or you are using things like advertising your website by using the Facebook Pixel). That means that the website visitor actually has to check off what data they want sent (most likely you will have certain third-parties in categories, so embedding could do in the entertainment category). By default nothing should be checked. There are many ways to do this, from using something like Cookiebot, to Metomic to something else that your website visitors have to check before any of their data gets sent.
Making your website privacy-friendly isn’t a one-time thing it requires constant updating and changes.