Gravatar, the Globally Recognised Avatar service, is operated by Automattic Inc. in San Francisco. Built into WordPress core and used by thousands of comment systems, forums and SaaS applications, it lets users associate a profile picture with their email address. Every avatar request to gravatar.com transfers the visitor IP, user agent and a hash of the email to the United States.
When a page needs to display an avatar (for a comment author, a forum member, a profile widget), the website normalises and hashes the email address (MD5 historically, SHA-256 in current versions) and builds a URL of the form secure.gravatar.com/avatar/{hash}. The browser fetches this image directly from Automattic, which can therefore log the visitor IP, the user agent and, via the Referer header, the page that triggered the request.
Gravatar normally does not set tracking cookies on the embedding website, but it may set Automattic session cookies (wpcom_*, tk_*) when the visitor is logged in to WordPress.com. The visitor IP, the email hash and the Referer URL are transmitted on every avatar request and stored in Automattic logs. The CNIL has confirmed that a hashed email is still personal data under Recital 26 GDPR: hashing pseudonymises the address, it does not anonymise it.
German courts (LG Munich, 2022) ruled that loading external resources that leak the visitor's IP address without consent breaches the GDPR. Gravatar requests follow exactly the same pattern. Although the avatar itself is not a cookie, the IP transfer to a US third party falls under Art. 6 GDPR and the email hash falls under Art. 4(1). Consent is the safest legal basis for an EU-facing website.
Automattic is self-certified under the EU-US Data Privacy Framework, which serves as an Art. 45 adequacy decision for transfers to certified US importers. If the DPF is invalidated again (the previous Privacy Shield and Safe Harbor both fell), transfers must rely on Standard Contractual Clauses with supplementary measures and a documented Transfer Impact Assessment. Always re-check Automattic's certification status at dataprivacyframework.gov.
Disable Gravatar in WordPress until consent is granted (Settings > Discussion > Show Avatars), or use a privacy proxy such as the Avatar Privacy plugin that hosts avatars locally. Block Gravatar through your CMP under the functional or marketing category. Document Automattic as a US sub-processor in your records of processing, your privacy notice and your cookie banner. If you accept comments, allow visitors to use a generic identicon or local fallback.
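The URL construction described above and the consent gate with a local fallback, as an added example that is not part of the original page or of Gravatar's own code. It assumes a hypothetical locally hosted identicon path (LOCAL_FALLBACK) and uses constructed sample addresses; the last helper illustrates the Recital 26 point that the hash can be linked back by anyone holding the address.

```python
import hashlib
from typing import List, Optional

# Hypothetical path to a locally hosted generic identicon; adjust to your site.
LOCAL_FALLBACK = "/static/avatars/identicon.svg"


def gravatar_hash(email: str, algorithm: str = "sha256") -> str:
    """Hash an address the way the page describes: trimmed, lower-cased,
    hex digest. MD5 was used historically, SHA-256 in current versions."""
    if algorithm not in ("md5", "sha256"):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    normalized = email.strip().lower()
    return hashlib.new(algorithm, normalized.encode("utf-8")).hexdigest()


def gravatar_url(email: str, algorithm: str = "sha256") -> str:
    """Remote avatar URL in the form secure.gravatar.com/avatar/{hash}.
    Embedding this makes the visitor's browser contact Automattic directly."""
    return f"https://secure.gravatar.com/avatar/{gravatar_hash(email, algorithm)}"


def avatar_src(email: str, consent_granted: bool) -> str:
    """URL to place in the <img src>. Without consent the local fallback is
    returned, so no IP, user agent, Referer or email hash leaves the site."""
    if not consent_granted:
        return LOCAL_FALLBACK
    return gravatar_url(email)


def reidentify(avatar_hash: str, known_emails: List[str]) -> Optional[str]:
    """Why the hash is still personal data: a party that already holds a list
    of addresses can link the hash back to one of them (either algorithm)."""
    for algorithm in ("sha256", "md5"):
        for email in known_emails:
            if gravatar_hash(email, algorithm) == avatar_hash:
                return email.strip().lower()
    return None


if __name__ == "__main__":
    # Constructed sample data, not real users.
    print(avatar_src("  Alice@Example.COM ", consent_granted=False))
    print(avatar_src("  Alice@Example.COM ", consent_granted=True))
    h = gravatar_hash("alice@example.com")
    print(reidentify(h, ["bob@example.com", "alice@example.com"]))
```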
Websites using Gravatar must obtain user consent under GDPR regulations.
Third-party domains contacted
- gravatar.com
- secure.gravatar.com
- 0.gravatar.com
- en.gravatar.com
- automattic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wpcom_loggedin | third_party | 2 weeks | Set by Automattic for visitors signed in to WordPress.com when avatars are fetched. |
| tk_ai | third_party | 1 year | Anonymous identifier used by Automattic Tracks for product analytics across Automattic properties. |
| tk_lr | third_party | 1 year | Stores the landing page referrer for Automattic Tracks analytics. |
Gravatar itself rarely sets cookies on the embedding website. When the visitor is authenticated on WordPress.com, Automattic session cookies such as wpcom_loggedin, wp_api_sec, tk_ai or tk_lr may be present on the gravatar.com response. These are third-party cookies that require consent.
Yes, in the EEA. Although the avatar request does not set first-party cookies, it transfers the visitor IP and an email hash to Automattic in the United States. Under Art. 6 GDPR the safest legal basis is consent, especially considering the LG Munich ruling on similar Google Fonts requests.
Consent (Art. 6(1)(a) GDPR) is recommended for an EU-facing website. Legitimate interest under Art. 6(1)(f) can be argued only if local avatar fallbacks are offered and the Transfer Impact Assessment is documented. In WordPress, the simplest path is to disable remote avatars by default.
Yes. Every Gravatar request reaches Automattic infrastructure in the United States. Automattic relies on the EU-US Data Privacy Framework for the transfer. You must verify Automattic's current certification status on dataprivacyframework.gov and document the transfer in your records of processing.
A standalone DPIA is generally not required, but if Gravatar is combined with comment systems, analytics or marketing tags the overall website DPIA should mention the email hash, the IP exposure and the US transfer. A Transfer Impact Assessment is mandatory.
Either disable remote avatars in WordPress (Settings > Discussion > uncheck Show Avatars), or install a privacy proxy (Avatar Privacy plugin) that caches Gravatar locally, or block Gravatar through your CMP behind a marketing category. Provide a generic identicon as fallback. Document the choice in your privacy notice.
Self-hosted alternatives include Libravatar (federated, EU-friendly), Avatar Privacy (WordPress plugin), Boring Avatars (procedural SVG identicons) or simply hosting uploaded avatars on your own server or object storage. Each removes the US transfer issue entirely.
When Automattic updates its privacy policy, terms or transfer mechanism, reflect the change in your cookie table and privacy notice. If the DPF status changes (suspension or invalidation), bump the consent banner version to invalidate consents that were collected under the previous regime.