
WP Statistics: GDPR, CCPA and cookie law compliant site analytics

Analytics for your WordPress site that meets GDPR, CCPA, PECR, and cookie laws.

Last Update: Feb 24, 2024
Based on version 14.5 and above.

Important Compliance Note

The compliance features mentioned below are based on the default settings of the WP Statistics core plugin. It’s important to note that changing certain settings within WP Statistics could potentially affect these compliance benefits and may result in the collection of personally identifiable information (PII).

We strongly advise reviewing our detailed guide on which settings and features might impact compliance and how to configure WP Statistics to maintain adherence to GDPR, CCPA, and PECR while meeting your site’s analytics needs. This guide will help you understand and navigate any settings that might collect PII.

For more information, please visit our documentation: WP Statistics Compliance Settings Guide: Avoiding PII Data Collection.

WP Statistics tracks the usage of a website. It does not collect any personal data or personally identifiable information (PII), does not use cookies, and respects website visitors’ privacy.

Listed below is a more detailed look at our data policy, how we handle our data, and how we comply with laws such as the GDPR, CCPA, and PECR.

What the plugin collects


People are not tracked across their devices or across websites and apps that they visit. Unlike other analytics tools, we collect only the information necessary to show you simple analytics.

WP Statistics tracks overall trends in website traffic, not individual visitors. No cookies are used, no persistent identifiers are generated and no personal information is collected or stored. It is only aggregated data, and no personal information is contained within it. The plugin completely anonymizes all site measurements. Only the most essential data points are measured. The following is a list of what we collect from your visitors:

Cookies

In alignment with our commitment to the privacy of your visitors, the WP Statistics plugin operates without setting any cookies (or similar technologies). We understand that cookies can be used to track visitors across multiple pages or even across multiple websites, a practice we consciously choose not to support due to privacy concerns. Consequently, we do not use cookies, browser cache, or local storage to track or store information about your visitors.

To ensure transparency and offer insight into our methodology, we’ve developed alternative strategies for gathering important analytics without compromising visitor privacy.

For those interested in understanding how we accurately count unique visitors without the use of cookies, we invite you to explore our detailed document: Counting Unique Visitors Without Cookies.

IP Addresses and Privacy

Each HTTP request inherently includes the visitor’s IP address and User-Agent, which are critical for web analytics. To respect visitor privacy and adhere to stringent data protection standards, we have implemented robust measures to anonymize and secure this data.

Anonymizing IP Addresses

To ensure visitor IP addresses are anonymized and cannot be used to identify individuals, we modify them before any processing. For IPv4 addresses, this means removing the last octet of the address, and for IPv6 addresses, we remove the last 80 bits. Here’s how it works:

  • IPv4 Example: An IP address like 192.168.1.123 becomes 192.168.1.0 before hashing.
  • IPv6 Example: An IPv6 address like 2001:0db8:85a3:0000:0000:8a2e:0370:7334 becomes 2001:0db8:85a3:: before hashing.

This process ensures that the IP addresses are made non-identifiable, safeguarding your visitors’ privacy.

What is IP Address Hashing?

IP hashing is a cryptographic method that encodes an IP address into a hexadecimal string, transforming it into a sequence of numbers and letters that bears no visible relation to the original IP address. This method makes it impossible to reverse-engineer the hash back to the IP address, thereby securing the data while allowing us to track behavioral patterns anonymously.

Enhanced Privacy with Hashing and Salting

To count unique visitors without compromising privacy, we utilize both the IP address and the User-Agent string from every HTTP request. However, to further anonymize this data and comply with privacy regulations, we apply a hashing mechanism augmented with a daily rotating salt. This approach ensures that:

  • The data is thoroughly anonymized, rendering it impossible to trace back to any individual.
  • The unique identifier for each visitor is generated using a formula that incorporates a daily-changing salt along with the visitor’s anonymized IP address and User-Agent.

The formula used is as follows:

hash(daily_salt + ip_address + user_agent)

By integrating a daily-changing salt, we ensure that the hash value is unique each day, preventing any possibility of tracking visitors across different days. This method significantly enhances visitor privacy and contributes to our compliance with data protection laws. The resulting hash, a random string of letters and numbers, is solely used to calculate the day’s unique visitors, aligning with our commitment to privacy and security.
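
The anonymize-then-hash scheme described above, as an added Python example (not WP Statistics' own code). SHA-256, the `DailySalt` class and all function names are assumptions, since the page does not name the hash function or say how the salt is stored.

```python
import hashlib
import ipaddress
import secrets
from datetime import date


def anonymize_ip(ip: str) -> str:
    """Zero the last octet (IPv4) or the last 80 bits (IPv6), as the page describes."""
    addr = ipaddress.ip_address(ip)
    # Assumption: IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as IPv4; otherwise
    # a /48 cut would collapse every such client to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 48  # 128 - 80 = 48 bits kept
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


class DailySalt:
    """Random salt regenerated when the date changes; the old value is dropped."""
    def __init__(self):
        self._day, self._salt = None, None

    def get(self, today: date) -> str:
        if today != self._day:
            self._day, self._salt = today, secrets.token_hex(32)
        return self._salt


def visitor_hash(daily_salt: str, ip: str, user_agent: str) -> str:
    """hash(daily_salt + ip_address + user_agent); SHA-256 is assumed here."""
    data = daily_salt + anonymize_ip(ip) + user_agent
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def count_unique(requests, daily_salt: str) -> int:
    return len({visitor_hash(daily_salt, ip, ua) for ip, ua in requests})


# Constructed sample traffic: (ip, user_agent) pairs.
CHROME, FIREFOX = "Mozilla/5.0 Chrome/121.0", "Mozilla/5.0 Firefox/122.0"
SAMPLE_REQUESTS = [
    ("192.168.1.123", CHROME),
    ("192.168.1.123", CHROME),   # repeat view, same visitor
    ("192.168.1.7", CHROME),     # same /24 and UA: indistinguishable from the first
    ("192.168.1.7", FIREFOX),    # same /24, different UA: counted separately
    ("2001:0db8:85a3:0000:0000:8a2e:0370:7334", CHROME),
]

if __name__ == "__main__":
    salt = DailySalt().get(date.today())
    print(count_unique(SAMPLE_REQUESTS, salt))
```

Two visitors behind the same /24 who send the same User-Agent collapse into one identifier, so the daily unique count produced this way is a lower bound.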

The information we collect and how we use it

| Data Point | Example | Comment |
| --- | --- | --- |
| Page URL | https://yoursite.com/about | We track the page URL of each page view on your website. We use this to show you which pages have been viewed and how many times a particular page has been viewed. Starting with version 14.5: The hostname and path are collected. Query parameters are discarded, except for these query parameters: ref, source, utm_source, utm_medium, utm_campaign, utm_content, utm_term, utm_id, s and p (detailed information). |
| HTTP Referer | https://www.linkedin.com/ | We use the referrer string to show you the number of visitors referred to your website from links on other sites. |
| Browser | Chrome 121.0 | We use this to show you what browsers and browser version numbers people use when visiting your website. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Operating system | macOS 14.1 | We track the operating systems of your website’s visitors with our special feature by displaying the brand and version for easy analysis. This data is pulled from the User-Agent HTTP header, with the full header discarded for your privacy. |
| Device type | Desktop | We can help you track the devices used by visitors to your site. This information is obtained from the browser’s window width in pixels, with the actual width not retained for privacy purposes. This feature allows you to see what devices are being used to access your website. |
| Country, region, city | France, Paris | We track the location of visitors using their IP addresses. Only the city level is tracked, and the IP address is not stored for privacy. This feature allows you to see where your website’s visitors are located. |

The local database stores the data

As an EU-based team, with Estonia being the place of incorporation of our legal entity, we prioritize the privacy and security of the data collected by the WP Statistics WordPress plugin. The data tracked and collected by our plugin is stored directly on the current WordPress website’s server.

For our users, this means enhanced data control and security. Specifically, if your website and its database are hosted within the European Union, you can rest assured regarding data transfer concerns. Your data remains securely stored within your WordPress installation and the EU, negating the need for concern over the Schrems II decision invalidating the EU-US Privacy Shield. This localized approach to data storage helps ensure that your website’s data storage practices are fully aligned with EU data protection standards, providing peace of mind in your data handling processes.

Ownership of your web analytics data


Your website data is 100% yours when you use WP Statistics, and we don’t have access to any of it.

Why should I trust you?

WP Statistics is an open-source analytics tool for WordPress. Since 2016, we’ve been committed to transparency and responsible data handling. With our source code fully accessible on GitHub, you can see how we operate and ensure we stand by our word.

  • Proven Trust: Over 600,000 websites trust WP Statistics for their analytics needs, reflecting our reliability and the trust the community places in us.
  • Open Source: Our commitment to transparency is clear. Anyone can review our code, which is completely open for scrutiny.
  • Since 2011: We’ve been building and refining WP Statistics based on user feedback and privacy standards for several years, ensuring a mature and secure product.

GDPR, CCPA, and PECR Compliance

WP Statistics is compliant with GDPR, CCPA, and PECR, meaning:

  • No consent pop-ups needed: Our analytics don’t track personal data, so you don’t need to bother your visitors with consent pop-ups for these regulations.
  • Simpler privacy policy: You can keep your privacy policy simple because you’re not collecting personal data with our analytics.
  • Better visitor experience: Visitors can enjoy your site without interruptions from consent requests or privacy notices.

With WP Statistics, compliance is straightforward, and visitor privacy is respected.