WordPress 7.0 beta 1 is now available for testing. We have been spending time trying it out, and we believe this is one of the most meaningful updates in recent years.
The official release is scheduled for April 9, 2026 and will bring features that will genuinely change how we create and manage content. These include an easier way to integrate AI features into WordPress, an improved dashboard, and potentially real-time collaboration in the editor.
Read on to learn what’s coming in WordPress 7.0 and what that means for your website.
TL;DR: What’s coming in WordPress 7.0
Real-time collaboration that allows multiple users to work on the same post or page without losing any data.
AI Web Client API that allows users to save their AI credentials and provides plugin and theme developers a standardized way to integrate AI features in WordPress.
Admin design refresh offers smoother transitions between admin area screens with modern typography and a new color profile.
New Icon and Breadcrumbs blocks will be added. Several blocks will get new features and enhancements.
ℹ️ Note: This beta release is for testing and development only. So, please do not install, run, or test this version of WordPress on your live website.
Instead, we recommend using a staging site or a local site. You can test WordPress 7.0 Beta by installing and activating the WordPress Beta Tester plugin.
The WordPress backend is getting a much-needed facelift.
WordPress 7.0 will deliver a visual update to the dashboard with a fresh default color scheme, updated typography, and a cleaner, modern interface.
However, it is not just about looks.
In our testing, we found that the transitions from dashboard to editor and document view feel smoother.
As you click through different settings pages, the dashboard no longer feels like it is doing a hard reload. Instead, elements smoothly transition and slide into place.
Navigating the WordPress backend now feels faster and more like a modern web app. The cleaner layout reduces eye strain, and the fluid animations make managing your website a smoother experience.
AI is changing how we build websites. As part of ongoing AI infrastructure work, WordPress 7.0 will ship with a new Web Client AI API.
The new API acts as a central hub for generative AI models inside your site’s backend.
Instead of multiple plugins fighting for control or cluttering the interface, the Web Client AI API works with the new Abilities API to keep things organized.
For beginners, this matters quite a bit. It opens the door to AI features right inside the block editor.
For instance, you will be able to store credentials for your favorite AI model securely inside WordPress. Your WordPress plugins and themes can then use your preferred model to provide different features.
In the near future, you will be able to generate content, summarize articles, or handle repetitive admin tasks without leaving your dashboard.
However, we want to be clear that this is the foundation, not the finished product. The real value will come as plugin developers build on top of it.
Note: The real-time collaboration feature is not included in the beta-1 release that we tested. However, it is under active development, and it is not yet confirmed whether it will make it into the final 7.0 release.
Real-time collaboration in WordPress editing started with WordPress 6.9, which introduced inline commenting known as Notes. WordPress 7.0 will continue building on that.
If you have ever been locked out of a WordPress post because someone else was editing it, then you will appreciate this feature.
Similarly, inline comments or notes that users add will also be visible in real time to others working on the same content.
It will be very similar to working in Google Docs. The system handles data syncing smoothly and even supports offline editing. This is a big deal for content teams.
For example, a writer can draft a paragraph while an editor fixes typos in the section above. And a designer can tweak the layout of an image block below. Everyone works on the same page without locking each other out.
Visual Revisions For Pages
The WordPress revisions system has always been useful for undoing mistakes. However, comparing changes meant looking at raw text or HTML code, which is not ideal.
WordPress 7.0 will change this by introducing new visual revisions for Pages.
In our testing, we were happy to see that you can now view exactly how the layout, images, and content changed — all within the visual editor.
The interface shows a side-by-side or highlighted comparison of past edits, rendering the blocks as they would appear on the front end.
For beginners, this makes a real difference. If someone accidentally deleted a pricing table or messed up a gallery layout, then you can see the visual change right away. You can then restore the correct version with a single click.
However, we would like to see visual revisions for posts as well. Hopefully, it will be implemented for other post types in the future.
Cover Block Video Embeds
The Cover block is one of the most popular tools for creating hero sections and banners.
WordPress 7.0 will let you use video embeds via URL as backgrounds in the Cover block.
When we tested this, we found it simple to use. You insert a Cover block, upload your video, and WordPress handles the looping background. You can still overlay text, buttons, and other blocks on top.
This opens up more design options because you can create dynamic headers that grab attention the moment someone lands on your site.
However, the best part is that you do not need extra plugins. You can do all of this with core WordPress blocks.
Navigation Block Overlays & Improvements
Mobile menus can be tricky to get right. WordPress 7.0 will bring important improvements to the Navigation block to address this.
The update introduces customizable overlays as template parts. Mobile menus can be hidden or shown based on custom breakpoints.
In our testing, we liked that the Navigation block defaults to always showing overlays for new blocks. When a visitor views your site on a smaller screen, they get a clean hamburger menu that expands into a well-styled overlay.
Building mobile menus is also more reliable. You have full control over how navigation looks on phones and tablets without writing CSS media queries.
New Breadcrumbs and Icons Blocks
WordPress 7.0 will add two blocks that many people have been asking for: Breadcrumbs and Icons. Both used to require separate plugins.
We found the Breadcrumbs block particularly useful. Breadcrumbs are important for SEO because they help search engines understand your site structure and give users an easy way to navigate back.
The block also improves site navigation hierarchy and supports the theme.json schema, so it automatically adapts to your site’s global styles.
On the other hand, the Icons block will let you insert scalable vector graphics (SVGs) anywhere in your content without touching any code.
Previously, users had to rely on separate plugins to add icon fonts to their website. Now, they can simply use the default block anywhere they need.
The current icon library is not as big as some other options like Font Awesome. But it has a good selection of icons commonly used by WordPress site owners.
They are also quite easily customizable using default block settings. You can choose color, width (size), and background.
Per-Block Instance Custom CSS
For those who like to fine-tune their designs, WordPress 7.0 will introduce per-block instance custom CSS. It lets you add custom CSS to a specific block through the Advanced sidebar panel.
Simply put, you can not only add a custom CSS class to any block, but also write the custom CSS right there in the block setting.
This is useful for advanced users and designers. You can tweak the look of a single element — like adding a drop shadow to one specific button — without creating child themes or writing complex CSS selectors.
Pattern Editing Modes
Reusable patterns are great for keeping your site design consistent. However, editing them can sometimes be confusing.
WordPress 7.0 will address this by introducing new pattern-level editing modes that help you focus.
We found the new “Spotlight mode” to be very helpful. It isolates the content within a pattern and dims everything else on the page. You know exactly what you are modifying.
There is also a new “Isolated Editor mode” for synced patterns and template parts. Users can opt out of the default content-only mode if they prefer full control.
Responsive Grid Block
Displaying images and structural layouts will get a solid upgrade in WordPress 7.0 with enhancements to the Grid block.
In our testing, we found that the Grid block is fully responsive out of the box. It adapts smoothly across different screen sizes without requiring manual column adjustments.
Heading Block Variations
Structuring your articles properly is important for SEO and AI Search Optimization. WordPress 7.0 makes this process faster by registering heading levels (H1 through H6) as block variations.
When we tested the editor, we found new quick-access icons added directly to the block’s toolbar and sidebar.
Instead of clicking a dropdown menu to change an H2 to an H3, you can transform between heading levels with a single click.
This is a small but useful workflow improvement. It helps you structure your content properly for both readers and search engine crawlers. Overall, your articles become easier to scan and properly indexed.
Font Library Enabled for All Themes
The Font Library was a useful addition in recent WordPress updates. However, it was largely restricted to block themes.
With WordPress 7.0, the Font Library screen will be enabled globally for all themes.
We were pleased to find that site editors can now browse Google Fonts, upload local font files, and organize typography collections regardless of their active theme. Whether you are using a block theme or a classic legacy theme, the Font Library modal is available to you.
Client-Side Media Processing
Uploading large images has traditionally put a heavy load on web servers. This sometimes leads to timeouts or errors.
WordPress 7.0 will address this by introducing client-side media processing.
It will use your web browser’s capabilities to handle image resizing and compression before the file is even uploaded to the server. It also brings better support for modern, advanced image formats.
This is a solid bump for WordPress speed and performance. Uploading images will be faster and more reliable, especially on slower internet connections.
It also saves your web hosting server space and processing power by compressing files right in your browser before the upload begins.
Under the Hood (Developer & Performance Updates)
WordPress 7.0 is packed with technical improvements designed to make the platform faster, more secure, and easier for developers to build on.
Here are the most notable under-the-hood changes:
Client Side Abilities API: Introduces a standardized client-side registry for WordPress capabilities, including an Abilities and Workflows API, filter/search functionality, and an improved command palette UI (#73076). This lays the groundwork for fast, app-like features.
Always-iframed Post Editor: The post editor is now always iframed, regardless of the API version of the blocks used. This ensures a consistent experience and separates UI styles from your theme styles (Dev Note).
PHP-only Block Registration: Developers can now generate blocks and patterns entirely server-side using PHP. These auto-register with the Block API and include auto-generated inspector controls (#71792).
UI Primitives and Components: The WordPress UI package receives a big update with new standardized components, including dropdowns, tooltips, fieldsets, and visually hidden elements (#73076).
CodeMirror Update: The CodeMirror library will be updated to version 5.65.40, allowing for more flexible extensibility for code editing interfaces (Dev Note).
PHP Version Support Changes: WordPress 7.0 officially drops support for older, insecure versions of PHP (7.2 and 7.3). Make sure your server is updated (Dev Note).
Conclusion
We are excited about the upcoming release of WordPress 7.0. This version feels like a meaningful step forward, bringing modern web app capabilities directly into the core platform.
Our favorite additions are the Real Time Collaboration (if it makes it into the final release) and the AI Web Client API. The ability to work on a post at the same time as a team member without getting locked out is a big deal for editorial teams.
Combined with the smooth transitions of the new admin interface, WordPress feels better to use than ever.
I remember reviewing my site analytics years ago and seeing a sudden burst of traffic from São Paulo. I felt a rush of excitement seeing my content reach people across the globe.
Then it hit me: was my site actually legal for those readers, or was I accidentally inviting a massive fine into my inbox?
That’s because your Brazilian readers, customers, and visitors are protected by the Lei Geral de Proteção de Dados (LGPD). Similar to other laws such as the GDPR, the LGPD gives people who live in Brazil more control over their data.
And there’s another similarity to GDPR: the LGPD applies to your website, blog, or online store, no matter where you live.
If you have one single visitor from Brazil, then this article is for you.
In this LGPD compliance guide, I’ll show you how to create privacy policies, cookie popups, compliance forms, and much more, in order to comply with this important privacy law (and avoid costly fines!).
Even better, I’ll go one step further and turn the LGPD’s strict regulations into a way to build lasting trust with your visitors, improving your brand reputation while staying on the right side of the law.
⚠️ We are not lawyers. This article is for informational purposes only and does not constitute legal advice. We highly recommend consulting with a qualified legal professional to make sure your business is fully compliant with the LGPD and other privacy regulations.
LGPD: TL;DR
If you’re in a hurry, here’s a quick summary of the compliance steps covered in this guide:
| | Key Rule | Action Item |
| --- | --- | --- |
| Data Audit | Identify all personal and sensitive data you collect. | List every tool (SEO, Analytics, Forms) and the specific data it stores. |
| Data Minimization | Collect only the absolute minimum information required. | Audit your forms and remove non-essential fields like phone numbers. |
| Sensitive Data | Stricter protection is required for health, religion, or ethnic data. | Use separate, unchecked consent boxes and enable 2FA for data access. |
| Privacy Policy | Transparency is the foundation of LGPD compliance. | Use the WordPress privacy policy generator to create this important document. |
| Cookie Management | Non-essential cookies require explicit opt-in consent. | Add a cookie popup that blocks scripts until the visitor clicks ‘Accept.’ |
| Cookie Policy | Users prefer clear, bite-sized information about trackers. | Generate a separate page listing every cookie’s purpose and duration. |
| Script Blocking | You are responsible for data collected by third-party tools. | Use a plugin to block Google Analytics and Meta Pixels by default. |
| Consent Logging | You must be able to prove consent during a legal audit. | Maintain a secure log of user IP addresses, choices, and timestamps. |
| Right to Opt-Out | Users must be able to revoke consent at any time. | Create a ‘Do Not Sell My Info’ page. |
| Right to Erasure | Users have the ‘right to be forgotten.’ | Use a dedicated form to process deletion requests within 15 days. |
| Data Portability | Users can request their data in a machine-readable format. | Use the WordPress Export Personal Data tool to provide a .zip file upon request. |
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s main data privacy regulation that controls how personal information is collected, processed, and shared. It applies to any individual or organization that processes the personal information of people located in Brazil.
It can actually affect many WordPress websites, blogs, and organizations all over the world. If you handle data related to people living in Brazil, then the LGPD may apply to you, regardless of your location.
When I first reviewed the LGPD’s definition of ‘personal data,’ I was surprised by how broad it is.
To start, it includes any information that can identify a person, including:
Full names, initials, and surnames.
Contact details such as personal email addresses and phone numbers.
Digital identifiers including IP addresses and cookie data.
Location data like GPS coordinates or physical residential addresses.
However, unlike some other privacy laws, the LGPD also creates a special category for ‘sensitive personal data.’
This includes information about:
Racial or ethnic origin.
Religious beliefs or political opinions.
Health data or genetic and biometric information.
Under the LGPD, this data requires even stricter protection.
Why Should WordPress Users Care About LGPD Compliance?
If you ignore the LGPD, then you could face serious consequences, including large fines. If you break these privacy laws, then the Brazilian National Data Protection Authority (ANPD) can issue fines of up to 2% of your total revenue in Brazil, for the previous fiscal year.
I remember when I first looked at these numbers. I was shocked to see that the maximum fine can reach 50 million Reais per violation!
Even worse, these costs can add up quickly if authorities discover multiple infractions during an audit.
However, complying with the LGPD isn’t just about avoiding fines. It shows readers, visitors, and potential customers that you care about their privacy.
By giving your audience more control over their personal information, you’re proving that you’re trustworthy and responsible.
In fact, when I started being more transparent with my audience, I noticed that my engagement rates actually improved! Complying with privacy laws can often lead to more signups and sales, helping you grow your online business in a responsible way.
How LGPD Affects Your WordPress Site
While the LGPD covers a lot of ground, there are a few core principles that will most likely affect you as a website owner:
Users can check their information: Users can ask you to confirm whether you’re collecting and processing their personal data. They can also request a full copy of that information.
Fix data errors: Visitors can ask you to fix any information that’s incomplete, inaccurate, or out-of-date.
You must clean up excessive data: Users can request that you delete any data that’s unnecessary, excessive, or processed in a way that doesn’t comply with the LGPD. Even if a third party collected this data, it’s still your responsibility to delete it.
Users can delete their data: Users have the right to delete personal data, even if it was originally processed with their consent. While this may be frustrating, I’ve found that honoring a deletion request quickly actually improves the user’s impression of your brand.
Users can move their data elsewhere: Readers can request that their data be moved to another service or product provider. Once again, complying with these requests in a clear and straightforward way can actually improve your brand image.
Understand who else sees their data: Users have the right to know any public or private entities you’ve shared their information with. I remember being nervous about being so open, but my readers actually thanked me for the transparency.
Informed consent: You must tell users that they have the right to deny consent, and explain what will happen if they do.
How to Improve Your LGPD Compliance in WordPress
At its core, privacy compliance is really just about being open with your users about how you handle their information.
I can’t guarantee that this guide covers every step you’ll need to take, but it will put you in a much stronger position for compliance.
To comply with the LGPD, you must first identify and document every piece of personal data your website collects, processes, and stores. This means performing a complete data audit.
To get started, I recommend making a list of every tool that gathers data, such as your SEO tools, analytics plugins, and form builders. You should look at each one and ask if your site explicitly needs that specific piece of information in order to work.
To go a bit deeper, try asking yourself these questions about each plugin or tool:
What specific personal data does it collect? This might be names, email addresses, IP addresses, or sensitive data like religious beliefs.
Where is this data stored? Is it stored locally on your server or sent to a third-party service outside of Brazil?
What is the legal basis for collecting this information? Do you have a specific reason for this data processing, such as consent or executing a contract?
How long is this data kept? Do you have a data retention policy that makes sure you delete the information once it’s no longer needed?
Is this data shared with anyone? In particular, are there any service providers or advertisers involved in the process?
This may immediately reveal areas where you need to adjust your data handling practices in order to comply with the LGPD.
Expert Insight: Why I Audit My Sites
When I started my first WordPress blog, I didn’t give much thought to what was happening behind the scenes. I was just happy to see my traffic growing and my contact forms getting filled out by new readers from all over the world.
Looking back, I realize I was collecting massive amounts of data without a plan. Performing this audit isn’t just a legal chore; it’s about understanding your own digital footprint so you can protect your visitors – and yourself.
Collect Less Data
When it comes to collecting data, I use a simple rule: if I don’t have an explicit use for that data right now, then I don’t collect it.
This is called data minimization, and it’s the best way to stay LGPD-compliant. It means you only gather information that’s adequate, relevant, and strictly necessary for your site to function.
After performing a data audit, I recommend looking critically at all the data you currently collect. Do you really need every piece of information, or are you just keeping it on the off-chance it might be useful later?
When you avoid asking intrusive questions, you clearly demonstrate that you respect the user’s privacy. This will make visitors feel more confident and comfortable interacting with your site because they know you aren’t trying to get as much information out of them as possible.
By contrast, I find that asking for too much information actually slows down a site’s growth. For example, if someone is trying to join your membership site on a slow mobile connection, every extra field is another reason for them to give up and leave.
By asking for less, you aren’t just staying legal – you’re making it easier for people to sign up.
Be Extra Careful with ‘Sensitive Data’
Sensitive data carries a much higher legal risk and a significantly higher threshold for LGPD compliance.
It includes information about a person’s racial or ethnic origin, religious beliefs, political opinions, or even their health and genetic data.
You should also consider that some questions may indirectly reveal sensitive information. For example, asking about a person’s dietary requirements could technically reveal their religious beliefs or a medical condition.
In that case, you may be able to rephrase your questions to get the info you need, without touching a sensitive category.
If you absolutely must collect sensitive personal information, then you should take these extra precautions straight away:
Separate Checkboxes: When requesting sensitive information, you must use a separate consent box that’s unchecked by default. You cannot rely on ‘standard’ consent or a general “I agree to the terms” box. The LGPD requires that consent for sensitive data be specific and highlighted, meaning it must stand out and clearly explain the exact risk and purpose.
Stricter Security: Because the harm of a breach is higher, your security must be tighter. I recommend using strong encryption such as AES-256 for your database, plus enabling Two-Factor Authentication (2FA) for any account that can view this sensitive information.
Data Protection Impact Assessment (DPIA): For sensitive data, the authorities may expect you to have a RIPD (the Brazilian version of a DPIA) prepared. This is a document where you identify the risks and prove you have a clear plan to mitigate them.
However, the safest method is always to avoid collecting this information in the first place, so I recommend avoiding sensitive data wherever possible.
Create a Privacy Policy
I’ve heard from many website owners who think a privacy policy is just some boring legal text that no one will ever read. However, a privacy policy is actually the best way to prove that you’re a responsible website owner.
It is a page that clearly explains what personal data you collect, how you use it, and who you share that information with. It’s a literal map of your data practices that helps visitors understand the steps you take to respect their personal information.
The good news is that WordPress comes with a built-in privacy policy generator, so it’s easy to create this important document.
To get started, go to Settings » Privacy in your WordPress dashboard.
One option is creating an entirely new page, where you’ll display your privacy policy.
To do this, click the ‘Create’ button.
This will create a new page and open it for editing.
If you use our template, then just remember to replace all references to WPBeginner with the name of your own business or blog.
In particular, you’ll need to explain the specific rights your visitors have.
Even more importantly, you must clearly tell visitors how to exercise their rights. For example, you might link to the form where visitors can ask for a copy of their data or request that you update an old email address.
Finally, it’s important to regularly review and update your privacy policy. That way, you can make sure it always accurately represents your current data habits and stays compliant with evolving laws like the LGPD.
Add a Cookie Popup
When it comes to collecting data, the LGPD uses an opt-in model for most cookies. This means you must obtain free, informed, and unambiguous consent before collecting any non-essential data.
Thankfully, a well-designed cookie popup can clearly inform visitors about the types of cookies you use, the data you collect, and why you’re collecting it. It can also give visitors a straightforward way to accept or reject those cookies before any scripts fire.
There are many different cookie banner plugins on the market. However, I highly recommend WPConsent because it makes adding a cookie popup to your site incredibly simple, while fully supporting LGPD’s opt-in mode.
I use WPConsent on my websites, and we also use it on WPBeginner for cookie consent management. It is a self-hosted solution, so all visitor consent data stays on your own server. You can read more about my experience in our detailed WPConsent review.
Upon activation, WPConsent will scan your entire site for active cookies and record every single one it finds, so you don’t have to search for cookies manually.
Next, WPConsent’s helpful setup wizard will show you how to customize your cookie popup.
As you make changes, WPConsent displays a live preview, so you can see exactly how the banner will appear on your WordPress site.
You can then adjust the layout, position, font size, button style, colors, and even add your own custom logo.
Expert Tip: Always test your cookie banner on a mobile device before publishing. Popups that look great on a desktop can sometimes cover important content on smaller phone screens, which can frustrate your visitors.
When you’re happy with how everything looks, simply save your changes – and you’re done!
WPConsent will now block all non-essential cookies until visitors give you their explicit consent.
Expert Tip: While the free plugin handles standard compliance, advanced features like detailed consent logging and smart geolocation require the premium version of WPConsent.
Write a Separate Cookie Policy
The LGPD states that you must provide ‘clear, precise, and easily accessible’ information about how you process data, including how you use cookies.
To meet this legal standard without cluttering your privacy policy, I recommend creating a separate cookie policy. This is typically much less overwhelming compared to a huge, bloated privacy policy that tries to explain everything.
In your cookie policy, you should clearly list the different types of cookies your site uses, like essential cookies, analytics, or marketing cookies. You should also explain their purpose, such as tracking visitors or delivering targeted advertisements.
It’s also smart to specify what personal information these cookies collect, like IP addresses or browsing history.
To encourage visitor trust, make sure this policy is easy to understand. This means avoiding technical terms or legal jargon, and instead using clear language that anyone can follow.
Thankfully, a tool like WPConsent can do all this for you.
WPConsent can scan your site and identify all active cookies. To turn this information into a cookie policy, go to WPConsent » Settings in your WordPress dashboard.
Then, simply select the page where you want to display the cookie policy.
WPConsent will then go ahead and add this policy to your chosen page.
It’s as easy as that.
Are you using WPConsent to display a cookie popup? Then visitors can access your cookie policy directly from the popup.
When the popup appears, visitors can simply click the ‘Preferences’ button, followed by the ‘Cookie Policy’ link.
And that’s it.
WPConsent will take them straight to the right page so they can see exactly how you’re protecting their personal information.
Block Third-Party Scripts
Major tracking solutions like Google Analytics, Google Ads, and Facebook Pixel often collect data from your visitors to build behavioral profiles.
According to the LGPD, you’re responsible for managing how these third-party tools collect and use all of that data.
Unlike laws that only require an opt-out link, the LGPD follows a strict opt-in model. This means you must block these third-party scripts until the visitor explicitly gives you permission to use them.
So, how do you control external tracking tools? The solution is to use a plugin with automatic script blocking. This stops tracking scripts from loading until the visitor clicks ‘Accept.’
WPConsent has an automatic script blocking feature that works out-of-the-box.
Behind the scenes, it automatically detects and blocks common tracking scripts like Google Analytics, Google Ads, and Facebook Pixel, without causing your site layout to break.
As soon as the visitor gives their consent, WPConsent goes ahead and executes the script. This provides a truly smooth user experience because it doesn’t need to reload the page.
Track and Log Visitor Consent
Simply getting a visitor’s consent is not enough. If a regulator ever audits your website, then you need to provide clear proof that each visitor gave their permission before you started tracking them.
That’s why having a paper trail is the best way to protect your website, blog, or online store.
Once again, WPConsent does the heavy lifting for you by automatically logging user consent. It records all important details, including the user’s IP address, their specific consent choices, and the exact date and time when those choices were registered.
You can see all this information by heading to WPConsent » Consent Logs in your WordPress dashboard.
This shows all the visitors who’ve ever interacted with your site banner.
Do you need to share this log with someone else, such as a legal advisor or auditor? Then you can simply export it from your WordPress dashboard by selecting the ‘Export’ tab.
Then, just enter a ‘From’ and ‘To’ date for the consent log, and click the ‘Export’ button.
Build Trust with Opt-Outs
Under the LGPD, you must give visitors an easy way to revoke consent. In fact, Brazilian users have the legal right to change their mind at any time, even if they previously consented to having their data collected or sold.
The easiest way to add an opt-out is by using WPConsent’s Do Not Sell add-on.
This adds a dedicated page to your site where users can exercise their right to opt out of sharing their data, even if they gave consent previously.
Even better, these requests are stored locally in a custom table on your site, so you can review and respond to them straight away.
Just because someone gives you their personal information doesn’t mean it’s yours to keep forever. Under the LGPD, that data always belongs to the user, so they can ask you to ‘forget’ it at any point.
There are several ways to accept and process data deletion requests, but one of the easiest is adding a form to your site. A good form will collect all the information you need to comply with the request, and then store all these requests in a centralized location ready for you to review.
Under Brazil’s LGPD, you must fulfil data subject requests within a 15-day timeframe, so this streamlined approach is really helpful.
To achieve this, I recommend using WPForms. It is the best drag-and-drop form builder for WordPress and simplifies LGPD compliance by offering pre-built templates for Right to Erasure and Data Request forms.
We use WPForms on WPBeginner for our contact forms and annual surveys. To learn more about our experience, you can see our complete WPForms review.
WPForms also has a powerful entry management system. This means you can easily filter all the submissions from your various forms and identify any data deletion requests.
Warning: Deleting personal data is a permanent action. Before you use this tool, I highly recommend creating a complete backup of your WordPress site so you can restore your data if you make a mistake.
To review your entries, simply head over to WPForms » Entries in the WordPress dashboard.
Here, you’ll see all the forms across your entire WordPress website.
Simply find your data erasure form and click it.
You’ll now see all your ‘delete data’ requests.
Pro Tip: Since there’s a strict deadline, I recommend reviewing your form entries as often as possible. Ideally, you should check at least once per week.
And once you receive a data deletion request, WordPress has a built-in Erase Personal Data tool. Just head over to Tools » Erase Personal Data to access it.
In the ‘Username or email address’ field, type in the user’s information in order to find their record.
This tool even includes a ‘Send personal data erasure confirmation email’ setting. This simple, automated step removes any guesswork for the user, providing them with immediate peace of mind and reinforcing your commitment to total transparency.
Under the LGPD, users have two powerful rights that complement each other: the Right to Access and the Right to Portability.
Essentially, users don’t just have the right to look at their data. They also have the right to receive it in a portable file that they can take to another company or service provider.
Without the right tools, you’d need to spend hours manually searching through email logs, contact entries, user profiles, and any other places where you store information about that specific user.
However, by putting the right tools in place now, you can make these data access requests as easy as clicking a few buttons.
First, you need to give visitors a way to submit their requests. Once again, WPForms makes things very straightforward by providing a ready-made Data Request template.
This template is designed to gather all the information you need, such as the user’s email and the kind of data they want to receive.
Once you add this form to your site, WPForms will automatically log and display all these requests directly in your WordPress dashboard.
To see these submissions, go to WPForms » Entries. Here, select your data request form to see all the relevant entries.
WPForms presents all your data requests on a single screen, which makes it easy to comply with the LGPD’s 15-day time limit.
Plus, when you receive a data access request, you can fulfill it using WordPress’ built-in Export Personal Data tool.
To stay compliant with the Right to Portability, you need to provide user data in a structured, commonly used, and machine-readable format. WordPress fulfills this by providing its data in a zip file.
For most small businesses and blogs, this standard .zip export file satisfies the ANPD’s requirement for a machine-readable format.
To create this .zip, head over to Tools » Export Personal Data in your WordPress dashboard.
You can now type in the person’s username or email address to find the correct record. Then, just export the .zip file and share it with the person who made the request.
Frequently Asked Questions about LGPD
I remember when I first started researching data privacy. For every one question I answered, three more seemed to pop up. It’s a lot to take in!
To help you find that perfect balance between legal compliance and growing your site, I’ve put together a list of the questions I get asked most often about the LGPD.
Whether you’re worried about the size of your business or how the LGPD compares to other laws, these FAQs should help clear things up.
Does the LGPD apply to small blogs and personal websites?
Yes. Unlike some other laws that have a minimum revenue or data threshold, the LGPD applies to anyone who processes data related to people in Brazil.
How is the LGPD different from the GDPR?
They are very similar, but not identical. Both prioritize user consent and data rights, but the LGPD has its own specific timelines. For example, the GDPR gives you 30 days to respond to a data request. Meanwhile, the LGPD is stricter, requiring a detailed report within 15 days.
Do I need a Data Protection Officer (DPO)?
Most small to medium-sized WordPress sites shouldn’t need a dedicated DPO. The ANPD has stated that ‘small processing agents’ are exempt from this requirement.
However, as your site gets more successful, it’s a good idea to keep checking the latest ANPD guidance, as you might grow into this category.
Can I still use Google Analytics?
Yes, but you must change how you load it. You cannot load the Google Analytics script as soon as the page opens.
Under the LGPD’s opt-in model, you must use a tool like WPConsent to block that script until the visitor clicks ‘Accept’ on your cookie banner.
What happens if I have a data breach?
If your site is hacked or data is leaked, then you must notify both the ANPD and the affected users within three business days from the date you discovered the incident. This is the official timeframe generally required by the ANPD.
I recommend drafting a ‘Breach Response’ document today and saving it, so you don’t have to start from scratch during a crisis. This should include templates that you can use to communicate with your users and the ANPD, and a detailed checklist of the steps you’ll take to address the breach.
When notifying your users, the LGPD states you must use simple and clear language, with no legal jargon. In particular, you need to tell your audience:
What data was leaked
The risks they face, such as potential phishing emails
The steps you’ve already taken to fix the breach, and what actions the user can take to protect themselves, such as changing their password.
By being proactive, you can show your audience that even when things go wrong, you’re a responsible website owner who’ll work hard to resolve the problem.
Do I need to translate my site into Portuguese?
No, the law doesn’t explicitly require you to translate your entire site into Portuguese.
However, your Brazilian visitors need to understand what they’re agreeing to if they’re going to provide informed consent.
If you have a large Brazilian audience, then creating a Portuguese version of your Privacy Policy and Cookie Banner is a great way to build trust.
Additional Resources for LGPD Compliance
I remember when I was first trying to piece all these privacy compliance rules together. Sometimes, a single guide just isn’t enough, or you might want a more detailed guide for a specific plugin or task.
To help you out, I’ve pulled together a list of the best resources from WPBeginner. I often return to these articles when I’m setting up a new project, just to make sure I don’t miss a single thing:
How to Auto-Delete WordPress Form Entries: Data minimization is a lot easier when you don’t have to do it manually. This guide shows you how to set a cleanup task, so you don’t hold onto personal information for longer than you need to.