Akismet is the most widely deployed anti-spam WordPress plugin, operated by Automattic Inc. It intercepts comments, contact form submissions and registrations, sends them to the Akismet REST API for spam classification and stores the verdict in the WordPress database. Akismet does not set visitor cookies by default, but it does transfer personal data to the United States.
Akismet (Automattic Kismet) is the de facto anti-spam plugin for WordPress, operated by Automattic Inc. since 2005. The plugin is bundled with the standard WordPress download, although it only runs once it has been activated and configured with an API key. When a comment, contact form submission or new user registration arrives, the WordPress server calls the rest.akismet.com REST API with the message body and contextual metadata and receives a verdict: the comment-check endpoint answers "true" (spam) or "false" (ham), with an X-akismet-pro-tip: discard header on blatant spam. The plugin stores that verdict alongside the comment.
Akismet does not set cookies on visitor browsers by default. It transfers personal data server-side: the comment text, commenter name, email, URL, IP address, user agent, referrer, and the URL of the page hosting the form. Akismet retains this data for up to 15 days for the most likely spam, longer if it improves the corpus. The site operator therefore acts as controller of a transfer to Automattic in the US.
Since no information is stored on or read from the visitor's device, Article 5(3) of the ePrivacy Directive does not apply to Akismet itself. The comment text, IP address and email are however personal data under Article 4(1) GDPR, so the processing needs a legal basis. Transfer to the United States triggers Chapter V of GDPR: Automattic relies on the EU-US Data Privacy Framework and Standard Contractual Clauses.
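To make the transfer concrete, here is a minimal model of the comment-check request the WordPress server sends and of the answer it gets back. This is an added example in Python, not Automattic's plugin code: the parameter names and the true/false/invalid response format follow the public Akismet REST API, while the minimisation switches (dropping the referrer), the consent gate for sites that rely on Art. 6(1)(a), the hypothetical API key and the sample submission are constructed for illustration.

```python
"""Model of the server-side Akismet comment-check call (added example).

Field names follow the public Akismet API (rest.akismet.com/1.1/comment-check).
The minimisation switches, the consent gate, the api key and SAMPLE are
assumptions made for this illustration, not part of the original page.
"""
import ipaddress
from urllib.parse import urlencode

AKISMET_COMMENT_CHECK = "https://rest.akismet.com/1.1/comment-check"

# Parameters of the standard integration that carry commenter personal data.
PERSONAL_DATA_FIELDS = (
    "user_ip", "user_agent", "referrer", "comment_author",
    "comment_author_email", "comment_author_url", "comment_content",
)


class ConsentRequired(Exception):
    """Raised when the site relies on consent and the box was not ticked."""


def build_comment_check_payload(api_key, blog_url, submission, *,
                                legal_basis="legitimate_interest",
                                send_referrer=False, send_user_agent=True):
    """Return the form fields WordPress would POST to Akismet for one submission.

    legal_basis is either "legitimate_interest" (Art. 6(1)(f)) or "consent"
    (Art. 6(1)(a)); with "consent" the request is refused unless the commenter
    ticked the consent checkbox. Referrer is off by default as a data
    minimisation choice; Akismet requires blog and user_ip.
    """
    if legal_basis not in ("legitimate_interest", "consent"):
        raise ValueError(f"unknown legal basis {legal_basis!r}")
    if legal_basis == "consent" and not submission.get("consent"):
        raise ConsentRequired("commenter did not consent to the Akismet check")
    ipaddress.ip_address(submission["user_ip"])  # reject garbage before it leaves
    payload = {
        "api_key": api_key,
        "blog": blog_url,
        "user_ip": submission["user_ip"],
        "permalink": submission["permalink"],
        "comment_type": submission.get("comment_type", "comment"),
        "comment_author": submission.get("author", ""),
        "comment_author_email": submission.get("email", ""),
        "comment_author_url": submission.get("url", ""),
        "comment_content": submission["content"],
    }
    if send_user_agent:
        payload["user_agent"] = submission.get("user_agent", "")
    if send_referrer:
        payload["referrer"] = submission.get("referrer", "")
    return payload


def encode_body(payload):
    """application/x-www-form-urlencoded body, as the plugin sends it."""
    return urlencode(payload)


def personal_data_in(payload):
    """List the personal-data parameters actually present and non-empty."""
    return sorted(k for k in PERSONAL_DATA_FIELDS if payload.get(k))


def parse_comment_check_response(status, headers, body):
    """Map an Akismet reply to ('spam'|'discard'|'ham'|'error', detail).

    Akismet answers HTTP 200 with body "true" (spam) or "false" (ham); blatant
    spam also carries X-akismet-pro-tip: discard. Malformed requests get the
    body "invalid" with an explanation in X-akismet-debug-help.
    """
    h = {k.lower(): v for k, v in headers.items()}
    text = body.strip().lower()
    if status != 200 or text == "invalid":
        return "error", h.get("x-akismet-debug-help", body.strip() or f"HTTP {status}")
    if text == "true":
        return ("discard" if h.get("x-akismet-pro-tip") == "discard" else "spam"), None
    if text == "false":
        return "ham", None
    return "error", f"unexpected body {body!r}"


# Constructed sample submission; no real commenter data.
SAMPLE = {
    "user_ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (example)",
    "referrer": "https://search.example/?q=blog", "permalink": "https://blog.example/post/1",
    "author": "Alice", "email": "alice@example.org", "url": "",
    "content": "Nice post, thanks!", "consent": True,
}

if __name__ == "__main__":
    p = build_comment_check_payload("hypothetical-key", "https://blog.example", SAMPLE)
    print("POST", AKISMET_COMMENT_CHECK)
    print(encode_body(p))
    print("personal data leaving the server:", personal_data_in(p))
    print(parse_comment_check_response(200, {"X-akismet-pro-tip": "discard"}, "true"))
```

The payload builder is where a privacy notice and a record of processing get their facts from: whatever `personal_data_in` reports is exactly what crosses to Automattic, so a site that switches the referrer or user agent off can document a narrower transfer.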
Most site operators rely on Art. 6(1)(f) legitimate interest in keeping the comment section free of spam, supported by a documented balancing test. Stricter interpretations (CNIL, Garante guidance for sensitive contexts) recommend an explicit consent checkbox at form submission, especially when the form collects extra personal data. Either way, the site must clearly inform commenters that their input is sent to Akismet in the United States.
Akismet is operated entirely from US infrastructure. The CDN may terminate the connection inside the EU but the spam corpus and the machine learning service run in the United States. Automattic publishes a DPA addendum, lists Akismet sub processors, signs SCCs and is certified under the EU US Data Privacy Framework.
Add a privacy notice under the comment and contact forms naming Akismet and Automattic, link to your privacy policy and to Automattic's privacy notice, choose between consent and legitimate interest, sign the Automattic DPA addendum where applicable, document the transfer in your record of processing, and consider EU spam filtering alternatives if you process sensitive data.
Websites using Akismet do not automatically need a consent banner under GDPR: the server-side transfer needs either consent or a documented legitimate interest, and in both cases commenters must be told that their data goes to Akismet in the United States.
DPIA considerations
Akismet is unlikely to require a DPIA on its own for a low traffic blog. A DPIA may be warranted when Akismet is deployed on a site that collects highly sensitive comments (health, political, minors), when it is used to filter authenticated user content at scale, or when combined with other Automattic services (Jetpack, WooCommerce) that share identifiers across services.
Sample consent text
This site uses Akismet to reduce spam. When you submit a comment or contact form, your message, IP, email and the URL of this page are sent to Akismet, operated by Automattic Inc. in the United States. By submitting this form you consent to this processing.
Third-party domains contacted
rest.akismet.com
akismet.com
wordpress.com
automattic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none | Server side processing (no browser cookies) | N/A | Akismet does not set cookies in the visitor browser by default; it transmits form data server side to the Akismet API |
By default none. Akismet performs the spam check server side and does not set any cookie in the visitor browser. The data transfer happens through the WordPress server which calls the Akismet REST API.
Akismet itself does not need ePrivacy consent because it sets no cookies. Whether GDPR consent is required for the data transfer depends on your legal basis. Most operators rely on legitimate interest; a stricter interpretation suggests adding a consent checkbox at form submission.
The two common bases are Art. 6(1)(f) legitimate interest in protecting the comment section from spam (with balancing test) and Art. 6(1)(a) explicit consent at form submission. Authenticated user filtering can also rely on Art. 6(1)(b) contract.
Yes. Automattic Inc. operates Akismet from US infrastructure. The transfer is covered by Automattic's SCCs and the EU US Data Privacy Framework certification. The CDN can terminate the TLS in the EU but the spam corpus stays in the US.
For a typical low traffic blog, no. A DPIA is appropriate when Akismet filters sensitive content (health, political, minors) or when it processes a high volume of personal data alongside other Automattic services.
Display a privacy notice near the comment and contact forms, link to the Automattic privacy notice, choose between consent and legitimate interest, sign the Automattic DPA addendum where applicable, and document the transfer in your record of processing.
Yes: Antispam Bee (Germany), CleanTalk (Cyprus; its WordPress plugin is "Spam Protection by CleanTalk"), WPBruiser, Friendly Captcha (Germany) for upstream blocking, plus native WordPress comment moderation and honeypot fields. EU-origin tools reduce the US data transfer.
You do not need to list Akismet in your cookie policy since no cookies are set. Instead disclose Akismet in your privacy policy as a sub processor handling spam classification, name Automattic, indicate retention up to 15 days for likely spam and the US transfer.