Understanding Smush Plugin and GDPR Compliance
Many WordPress site owners, particularly those operating within the European Union, have questions about how the Smush Image Optimization plugin handles data privacy and its compliance with the General Data Protection Regulation (GDPR). This article breaks down the key information based on community discussions and official plugin resources.
Does Smush Collect Personal Data?
According to support interactions, the core Smush plugin does not directly interact with users' private data. A key point clarified is that Smush does not collect IP addresses as part of its standard image optimization process. The compression process is handled without storing or transmitting this type of personal information.
The Privacy Policy Text
The Smush plugin is designed to automatically add a suggested privacy policy section to your WordPress site's privacy policy page. This text explains what data the plugin processes. This happens automatically if you have a privacy policy page created within WordPress (found under Settings > Privacy).
If you have deleted your privacy policy page, the text will not be added automatically. You can manually access the suggested text by:
- Going to Settings > Privacy.
- Clicking the link that says "Check out our guide."
- Finding the Smush-specific information at the bottom of the guide page.
- Copying that text and adding it to your own privacy policy.
Note: Some users have pointed out that the plugin currently uses a filter to inject this text, which merges it with the default WordPress content rather than listing it separately in the policy index. The recommended WordPress method is to use the wp_add_privacy_policy_content function, which would make the Smush section more distinct and easily identifiable.
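The difference the note describes, as an added example that is not Smush's code: a hypothetical plugin first merges its text through a filter, then registers it with wp_add_privacy_policy_content so it gets its own named section. The plugin name, option names and policy wording are placeholders, and the filter hook shown is an assumption about which filter is meant.

```php
<?php
// Added example: 'Example Optimizer', the option names and the policy wording
// are hypothetical placeholders, not taken from Smush.

// Filter approach: the text is merged into WordPress's default policy content.
// Assumption: the core 'wp_get_default_privacy_policy_content' filter is the hook.
function example_optimizer_policy_via_filter( $content ) {
	return $content . '<p>' . esc_html__( 'Example Optimizer sends images to an external service for compression.', 'example-optimizer' ) . '</p>';
}
// add_filter( 'wp_get_default_privacy_policy_content', 'example_optimizer_policy_via_filter' );

// Recommended approach: register a named section in the privacy policy guide.
function example_optimizer_register_policy_text() {
	if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
		return; // The function is available from WordPress 4.9.6.
	}

	$parts = array(
		__( 'Example Optimizer sends uploaded images to an external service for compression.', 'example-optimizer' ),
	);
	// Only describe optional features that are switched on for this site.
	if ( get_option( 'example_optimizer_usage_tracking' ) ) {
		$parts[] = __( 'Usage tracking is enabled, so additional usage data is collected.', 'example-optimizer' );
	}
	if ( get_option( 'example_optimizer_cdn' ) ) {
		$parts[] = __( 'Images are delivered through a third-party CDN.', 'example-optimizer' );
	}

	// Elements with the privacy-policy-tutorial class are guidance for the site
	// owner and are left out when the section is copied into the policy.
	$text = '<p class="privacy-policy-tutorial">'
		. esc_html__( 'Review this suggested text before copying it into your policy.', 'example-optimizer' )
		. '</p>';
	foreach ( $parts as $part ) {
		$text .= '<p>' . esc_html( $part ) . '</p>';
	}

	wp_add_privacy_policy_content( 'Example Optimizer', wp_kses_post( $text ) );
}
// wp_add_privacy_policy_content() must be called on admin_init or later.
add_action( 'admin_init', 'example_optimizer_register_policy_text' );
```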
What About the CDN and Usage Tracking?
GDPR considerations can change if you enable certain optional features:
- Usage Tracking: Smush has an optional "Allow usage tracking" setting. If this is enabled, additional data is collected. The specifics of what is collected can be found in the plugin's documentation. To stay GDPR compliant without having to disclose that collection, leave this setting disabled.
- Smush Pro CDN: The CDN (Content Delivery Network) is a feature of the paid Smush Pro version. According to the information provided, the Smush team and their CDN infrastructure provider state they support GDPR compliance. Using the CDN would involve transmitting images through a third-party service, which should be noted in your privacy policy.
Conclusion: Is Smush GDPR Ready?
Based on the available information from support threads, the standard answer is that the core Smush plugin is considered "100% GDPR ready" because it does not directly interact with user private data like IP addresses. However, for full compliance, you should:
- Ensure the Smush privacy text is included on your website's privacy policy page, either automatically or manually.
- Disable the "Allow usage tracking" option if you do not wish to collect and disclose that additional data.
- If using the Pro version with the CDN, review the provider's GDPR statements and disclose the use of a third-party CDN in your privacy policy.
As always, for specific legal advice on GDPR compliance, it is recommended to consult with a legal professional familiar with data protection laws.
Related Support Threads
- GDPR?: https://wordpress.org/support/topic/gdpr-177/
- Update GDPR inclusion to use proper method: https://wordpress.org/support/topic/update-gdpr-inclusion-to-use-proper-method/
- GDPR: https://wordpress.org/support/topic/gdpr-249/