The Events Calendar is a widely used WordPress events plugin by StellarWP. It runs on the operator's own server, but optional Google Maps, Google Fonts and Gravatar embeds can send visitor data to Google and Automattic in the United States.
The Events Calendar is a popular WordPress plugin published by StellarWP that lets site owners create and display events, venues and organisers. It is installed and run on the operator's own WordPress server, so most processing stays within the hosting environment the operator already controls. The plugin can optionally embed Google Maps for venue locations, load Google Fonts for typography and show Gravatar avatars, and it can export events through iCal and Google Calendar feeds. The privacy questions arise mainly from these optional external embeds rather than from the calendar itself.
The core plugin is essentially cookieless for visitors and relies on standard WordPress session handling for logged in administrators. When Google Maps is embedded, Google can set its own cookies and receives the visitor IP address and the page being viewed. Loading Google Fonts directly from Google also transmits the IP address to Google, and Gravatar avatars expose a hashed email and the IP address to Automattic. Operators who self host fonts and disable map embeds can run the calendar with no meaningful third party data flows.
Under Art. 5(3) of the ePrivacy Directive, loading non essential third party assets that read or write information on the visitor's device requires prior consent. German and other European courts have treated Google Fonts loaded from Google as a transfer of personal data requiring a legal basis. The operator remains the controller for these embeds and must be able to show a valid basis. Displaying the calendar from the operator's own server, by contrast, can usually rely on legitimate interest.
Where Google Maps, externally hosted Google Fonts or Gravatar are active, the safe approach is to block these assets until the visitor gives consent. A consent banner or a click to load placeholder for maps satisfies Art. 6(1)(a) GDPR and the ePrivacy prior consent rule. If the operator self hosts fonts and removes maps, no consent is needed for the calendar itself. The consent state must be logged and revocable.
Google and Automattic are United States companies, so any IP address sent to Google Maps, Google Fonts or Gravatar is a transfer to a third country. These transfers can rely on the EU US Data Privacy Framework where the recipient is certified, otherwise on Standard Contractual Clauses backed by a transfer impact assessment. The simplest way to remove the transfer risk is to self host fonts and avoid external maps. Operators should record which mechanism applies to each remaining embed.
Audit which external embeds are enabled, then self host Google Fonts and replace live maps with a consent gated placeholder. Add a consent banner that blocks Google assets and Gravatar until the visitor agrees, and log every consent decision. Update the privacy policy to name Google and Automattic as recipients and to describe the third country transfers. Review the configuration after each plugin update, because new features can reintroduce external calls.
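One way to run the audit step described above, added here as an example rather than code from the plugin or from StellarWP: it scans a rendered page for assets the browser fetches from the third-party hosts this page lists. The `audit_embeds` name and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from this page's "Third-party domains contacted" list -> recipient.
EMBED_HOSTS = {
    "maps.googleapis.com": "Google", "maps.google.com": "Google",
    "fonts.googleapis.com": "Google", "fonts.gstatic.com": "Google",
    "calendar.google.com": "Google", "secure.gravatar.com": "Automattic",
}
# <link rel=...> values that make the browser connect on page load.
FETCHING_RELS = {"stylesheet", "preload", "preconnect"}

class EmbedAudit(HTMLParser):
    """Collects (host, recipient, tag) for assets fetched without a click."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        urls = []
        if tag in ("script", "img", "iframe", "source"):
            urls.append(a.get("src"))
            # srcset holds comma-separated "url descriptor" candidates.
            for cand in (a.get("srcset") or "").split(","):
                urls.extend(cand.split()[:1])
        elif tag == "link" and FETCHING_RELS & set((a.get("rel") or "").lower().split()):
            urls.append(a.get("href"))
        # <a href> is deliberately ignored: nothing is sent until the click.
        for url in filter(None, urls):
            host = urlparse(url).hostname  # also handles //host/path URLs
            if host in EMBED_HOSTS:  # exact match on the listed hosts only
                self.findings.add((host, EMBED_HOSTS[host], tag))

def audit_embeds(html):
    """Return sorted (host, recipient, tag) findings for one rendered page."""
    parser = EmbedAudit()
    parser.feed(html)
    return sorted(parser.findings)

# Constructed sample of a rendered event page (not real site output).
SAMPLE_PAGE = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/wp-content/themes/site/fonts.css">
<script src="//maps.googleapis.com/maps/api/js"></script>
<img src="/img/venue.jpg" srcset="https://secure.gravatar.com/avatar/0000?s=96 2x">
<a href="https://calendar.google.com/calendar/r?cid=example">Add to calendar</a>
"""

if __name__ == "__main__":
    for host, recipient, tag in audit_embeds(SAMPLE_PAGE):
        print(f"<{tag}> loads {host} -> {recipient}: gate behind consent")
```

Running it against the HTML served before any consent is given shows which embeds still need gating; requests injected later by JavaScript are not visible to a static scan and need a browser network log.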
Websites using The Events Calendar must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is usually not required for the self hosted calendar alone, because it processes limited data on the operator's own server. A focused assessment is sensible where Google Maps and Google Fonts embeds are active, since these create third country transfers of visitor IP addresses. Document which external assets are enabled, the consent mechanism that gates them and the option to self host fonts and disable maps.
Sample consent text
We use Google Maps and Google Fonts to display event locations and styling. These services may transfer your IP address to Google in the United States. Do you consent to loading these external maps and fonts?
Third-party domains contacted
- maps.googleapis.com
- maps.google.com
- fonts.googleapis.com
- fonts.gstatic.com
- secure.gravatar.com
- calendar.google.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wordpress_logged_in | first party | session | Standard WordPress authentication cookie for logged in administrators managing events |
| NID | third party | 6 months | Set by Google when Google Maps is embedded, used by Google for preferences and security |
| CONSENT | third party | up to 2 years | Set by Google through embedded Maps to store the visitor consent and preference state |
| tk_ai | third party | session | Set by Automattic when Gravatar or related features load, used for analytics on Automattic's side |
The core plugin sets essentially no visitor facing cookies and uses only standard WordPress session cookies for logged in administrators. Cookies appear when optional embeds are active, since Google Maps may set NID and similar Google cookies and Gravatar can be accompanied by Automattic cookies. If you self host fonts and disable maps, the calendar runs without third party cookies.
No consent is needed to display the calendar from your own server, which can rely on legitimate interest. Consent becomes required once you enable Google Maps, externally hosted Google Fonts or Gravatar, because these load third party assets and send the visitor IP address abroad. In that case block the assets until the visitor agrees.
Showing event data from your own server can rely on Art. 6(1)(f) GDPR legitimate interest. Loading Google Maps, Google Fonts from Google or Gravatar requires Art. 6(1)(a) consent, because Art. 5(3) ePrivacy demands prior consent for non essential third party assets. Document the basis you apply to each feature.
Only when external embeds are active. Google Maps and Google Fonts loaded from Google send the visitor IP address to Google in the United States, and Gravatar sends data to Automattic there. These transfers rely on the EU US Data Privacy Framework or on Standard Contractual Clauses with a transfer impact assessment. Self hosting fonts and removing maps avoids the transfer entirely.
A full DPIA is rarely required for the self hosted calendar alone because it processes limited data. A focused assessment is sensible when Google Maps and Google Fonts embeds are active, since they create third country transfers. Record which embeds are enabled, the consent mechanism and the mitigations such as self hosting fonts.
Self host Google Fonts, replace live maps with a consent gated click to load placeholder and disable Gravatar where possible. Add a consent banner that blocks Google assets until the visitor agrees and log every decision. Name Google and Automattic in your privacy policy and recheck the setup after each plugin update.
You can keep The Events Calendar and simply self host fonts and turn off maps, which removes most concerns. Alternatives include Modern Events Calendar or a fully self hosted setup with OpenStreetMap based maps that avoid Google. The goal is to keep event data on your own server and avoid non essential external calls.
List the optional embeds you have enabled, such as Google Maps, Google Fonts and Gravatar, with their purpose, the recipient and the retention of any cookies they set. State that these involve transfers to the United States and name the transfer mechanism. Review the policy after each plugin update because new features can add external calls.