With Gravatar enabled, WordPress sends a hash of each user's email address to third-party servers. For GDPR-conscious WordPress sites, Simple User Avatar and similar plugins replace this external dependency. Here is the GDPR context and how to handle the transition cleanly.
The GDPR Issue with Gravatar
GDPR requires transparency about how personal data is processed and shared with third parties. When WordPress sends an email hash to Gravatar, it is transmitting user data (even in hashed form) to a service operated by Automattic. Depending on your interpretation of GDPR and your legal counsel’s advice, this may require:
- Disclosure in your privacy policy that email addresses are shared with Gravatar for avatar display.
- A legitimate legal basis for this data transfer (legitimate interest or consent).
- Possibly explicit user consent for the data transfer, depending on jurisdiction and interpretation.
WordPress’s built-in privacy policy generator includes a Gravatar disclosure. Many sites include this disclosure and consider it handled. Others prefer to eliminate the data transfer entirely by switching to local avatars.
Disabling Gravatar Without a Plugin
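The quickest approach requires no plugin. Add one of the following filters to your child theme's functions.php:
```php
// Option 1: disable all Gravatar requests by returning
// a local default image URL instead.
add_filter( 'get_avatar_url', function( $url, $id_or_email, $args ) {
	// get_stylesheet_directory_uri() points at the active (child) theme;
	// get_template_directory_uri() would point at the parent theme.
	return get_stylesheet_directory_uri() . '/images/default-avatar.png';
}, 10, 3 );

// Option 2 (use instead of option 1): return empty to show no avatar.
add_filter( 'get_avatar', '__return_empty_string' );
```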
The first version replaces all avatars with a single default image. The second removes avatars entirely. Choose based on your design.
Using Simple User Avatar for Per-User Avatars
Simple User Avatar lets each user upload their own photo locally. No Gravatar request is made. Users with no uploaded avatar fall back to whatever your theme’s default is (the mystery person silhouette from WordPress, or your custom default).
After installing Simple User Avatar, tell users that they can upload a profile photo from their account page. On sites with existing Gravatar users, those users will keep seeing their Gravatar until they upload a local photo, unless you add the Gravatar disable filter above.
Updating Your Privacy Policy
If you switch to local avatars and disable Gravatar:
- Update your privacy policy to remove or update the Gravatar section.
- Note that profile photos are now stored on your server and are visible to other users (if author bios or comment sections display them).
- Include information about how users can update or remove their profile photo.
Testing After the Switch
After disabling Gravatar and activating local avatars, check:
- Comment sections — avatars display correctly for recent comments.
- Author bio sections — profile photos show correctly.
- WooCommerce account pages — if avatar is shown there.
- BuddyPress or community features — if applicable.
- Admin user list — small avatars appear next to user names.
- Browser Network tab — no requests to gravatar.com appear.
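The last check in the list can be automated against saved page HTML. The following is an added example, not part of the original article or of any plugin; `find_gravatar_refs`, the `example.test` host and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

GRAVATAR_DOMAIN = "gravatar.com"

def is_gravatar(url):
    """True when the URL's host is gravatar.com or one of its subdomains."""
    try:
        host = (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return False
    return host == GRAVATAR_DOMAIN or host.endswith("." + GRAVATAR_DOMAIN)

def candidate_urls(attr, value):
    """Split an attribute value into the URLs a browser could fetch from it."""
    if attr.endswith("srcset"):
        # srcset is a comma-separated list of "URL descriptor" entries
        return [part.split()[0] for part in value.split(",") if part.strip()]
    return [value]

class GravatarFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, url) for every Gravatar reference

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            for url in candidate_urls(attr, value or ""):
                if is_gravatar(url):
                    self.hits.append((tag, attr, url))

def find_gravatar_refs(html):
    finder = GravatarFinder()
    finder.feed(html)
    return finder.hits

# Constructed sample markup (not captured from a real site); HASH is a placeholder.
SAMPLE = """
<img class="avatar" src="https://example.test/wp-content/uploads/avatars/7.png"
     srcset="https://secure.gravatar.com/avatar/HASH?s=96 2x">
<img class="avatar" src="//www.gravatar.com/avatar/HASH?s=48">
<img class="avatar" data-src="https://0.gravatar.com/avatar/HASH">
<img class="avatar" src="https://example.test/img/gravatar.com-fallback.png">
<a href="https://notgravatar.com/profile">profile</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_gravatar_refs(SAMPLE):
        print(f"{tag} {attr}: {url}")
```

This inspects only the markup delivered in the HTML, including `srcset` and lazy-load attributes that are easy to miss by eye. Requests issued by scripts at runtime still need the Network tab check.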
Communicating the Change to Users
If your site has a visible community (member site, forum, or comment-heavy blog), tell users about the avatar change. A short announcement explaining that they can now upload a profile photo directly, with instructions for where to do it, reduces confusion and increases profile completion rates.
For GDPR compliance configuration on WordPress including privacy policy, cookie consent, data processing records, and user data handling, a WordPress developer can implement a complete GDPR baseline.