Akismet and the GDPR

While the new GDPR regulations have been in place since May 2018, we still get questions about our GDPR compliance. This page provides information about our compliance and highlights the controls over the data Akismet uses to provide the most widely‑used spam catching service for WordPress sites. We’ve caught more than 500 billion spam comments to date and we do so while being mindful of the GDPR and other privacy regulations.

When Akismet is enabled on your site, only the personal data needed to carry out its core function of protecting you against comment spam is collected. In the language of the GDPR, this is a “legitimate interest” use of that data. By displaying the notice of “This site uses Akismet to reduce spam. Learn how your comment data is processed.” (which can be enabled in the plugin settings), you’re letting visitors know that Akismet is collecting data for our legitimate interest and how we’re processing it.

You can read more about this and how you can customize that notice here.

A common misconception is that we are selling the data we collect via Akismet. We do not sell the personal data collected through Akismet. For more details, please review our Privacy Policy here, and find more details on Akismet-specific items here.

Please note that we don’t keep the Akismet data for very long. We have short retention periods of between two weeks and ninety days for the vast majority of our spam-related data, at which point it is automatically deleted from our databases. Anyone can opt out of all long-term tracking for the very small subset of data we do keep longer by using our contact form.

Additionally, the Akismet plugin fully integrates with WordPress’ personal data erasure and privacy policy tools.

We don’t touch other comment-related data stored on your site’s databases. For self-hosted sites, you may see data in your _postmeta table for longer periods of time – that data is yours and is not part of the data that we use for Akismet.

The data collected by Akismet is stored on servers located all over the world. This allows us to offer an Akismet that is both fast and reliable. When we transfer data to the US and other countries outside of the EU, we do so under the Standard Contractual Clauses (SCCs), which have been upheld by the EU Court of Justice as a legal means of transferring data under the requirements of the GDPR. Additionally, we include the SCCs in our Data Processing Addendum (DPA), which is available to all of our users. You’re welcome to request a DPA by logging in to your account on WordPress.com and clicking the “Request a DPA” button at https://wordpress.com/me/privacy in your dashboard.

With everything privacy related, things can be confusing and complicated, so if you have other questions or concerns that we haven’t addressed here, please get in touch with us and we’ll be happy to address them with you.
