Support » Plugin: Akismet Anti-Spam » Is this plugin GDPR compatible?

Viewing 7 replies - 16 through 22 (of 22 total)
  • ajtruckle





    @ajtruckle Akismet (autommatic) make a ton of money selling all collected data to others. So it is not all goodwill here.
    When they provide such a service (that is paid for by information) it is expected that they also provide the security and measurements with it.
    The radio-silence currently is not making things better.

    Remember that YOU are responsible for every plugin being GDPR compliant on your site. So if you use Akismet, YOU have to pay the fine, not Autommatic… Hence the radio-silence.

    Plugin Author Stephane Daury (stephdau)


    When Akismet is enabled on your site, only the personal data needed to carry out its core function of protecting you against comment spam is collected. In the language of the GDPR, this is a “legitimate interest” use of that data. In our view, additional opt-ins/notifications are not needed and can be potentially confusing.

    There was a suggestion from another poster in this thread that we are selling the data we collect via Akismet. Note that we do not sell the personal data collected through Akismet or any other Automattic product. For more details, please review our Privacy Policy here:

    With further Akismet-specific details under

    Lastly, please note that we don’t keep the Akismet data for very long. We have a short retention period for this data of ninety days at a maximum, and all spam-related data is automatically erased, regardless, at that point.

    If you have any other questions about how Akismet is complying with the GDPR, please let us know.



    As far as I understood, personal data (email, ip address) are sent to the akismet servers. Beside some policy updates, I don’t see any change that would ensure users data are protected before/after being sent to akismet, following the consent of the user.
    It seems the GDPR compliancy is far from being attained.
    To avoid any penalty due to the GDPR, I see no other option than switching to another anti-spam solution.

    Plugin Author Stephane Daury (stephdau)


    We understand the importance of complying with these regulations on your site, and appreciate the seriousness with which you are approaching protecting the privacy of your site’s users.

    If you decide you no longer wish to use Akismet on your site, we’d be sad to see you go. We feel confident that it is possible to run a site that complies with GDPR while also using Akismet, or any of our other products/services. However, we know that sometimes our products aren’t the right fit for everyone.



    Would you kindly clarify exactly where in the WordPress database Akismet stores personal data?

    I ask because, as noted above, I have seen personal-data stored in the _postmeta table, in meta_key “_feedback_akismet_values”, within a heavily serialized value.

    If this data is stored for “legitimate interest”, it does not require prior explicit consent. However, does that also mean this data is NOT protected by the right of an EU data-subject to access (view and download), update, and delete his data? If that IS required, it seems extremely difficult to comply with such a request, for this particular instance of personal data.

    The data I saw in the _postmeta table was well beyond 90 days old (based on the serialized value for its “REQUEST_TIME”) on a site where the current version of Akismet is 4.0.7. I do not know, however, what version of Akismet was active when the data was stored. And the _comments table no longer contains the associated Comment, which I assume was deleted in WordPress.

    Please understand that I’m not attacking Akismet — it’s an incredible plugin, and I’m greatly appreciative of all your hard work in providing it. I’m just trying to understand what it really does, in regards to GDPR, so I can make an informed decision about using it.

    Plugin Author Stephane Daury (stephdau)


    Hi @tzeldin88

    > The data I saw in the _postmeta table was well beyond 90 days old

    Sorry about the misunderstanding, we mean on the API end (our databases).

    The data in the comment meta is “yours” (as in, in your database), and only exists as long as the related comment exists.

    If the associated comment is edited/deleted, WordPress does its own cleanup/deletions, regardless of what plugins added them:

    That data is stored to comply with WP’s comment history APIs, which wants plugins to log their actions, so site owners can review, or trace, all of a comment’s history. In other words, it’s not for Aksimet to delete, and doing so could be considered meddling with your site’s historical processing data, which is far worse.

    The Akismet plugin does, however, have a series of scheduled cleanup jobs to clear unused data (such as for comments that are being deleted automatically when found to be spam), as seen here:

    Technically, modern WordPress should delete those itself, but we’ve gone to the extent of adding our own cleanup jobs because older WP versions weren’t very good at said cleanups. So we’ve taken it upon ourselves to make sure the data gets cleared.

    In that light, if one of your reader sends you a request for erasure on your site (for example), the Akismet (and other plugins’) meta data should be erased by WPs tools when their comments are deleted.

Viewing 7 replies - 16 through 22 (of 22 total)
  • The topic ‘Is this plugin GDPR compatible?’ is closed to new replies.