EP GDPR gives you cookie consent, data subject request handling, and privacy policy generation — everything your PageMotor site needs for UK GDPR compliance.
The UK General Data Protection Regulation requires websites to obtain consent before setting non-essential cookies, provide mechanisms for people to exercise their data rights, and maintain records of consent. EP GDPR handles all of this for your PageMotor site.
A configurable consent banner that blocks analytics and marketing scripts until visitors give permission.
A shortcode-powered form for visitors to exercise their right of access, erasure, portability, rectification, or objection.
View, process, export, and erase personal data from a central request management interface in your admin.
Automatically injects consent checkboxes into contact forms and searches EP Email’s data when processing requests.
EP GDPR installs like any PageMotor plugin. The process takes under a minute.
Download EP GDPR
Download the ep-gdpr-v1.0.2.zip file from your ElmsPark account or the link provided with your purchase.
Log into your PageMotor admin
Go to yourdomain.com/admin/ and sign in.
Navigate to Plugins
Click Plugins in the admin navigation, then Manage Plugins.
Upload the zip file
Use the plugin upload interface to upload ep-gdpr-v1.0.2.zip. PageMotor will extract it to the correct location automatically.
Activate EP GDPR
In your active Themeโs plugin configuration, enable EP GDPR. It will create its database tables automatically on first load.
How to verify: After activation, go to Plugins โ Plugin Settings. You should see EP GDPR Settings with the full configuration interface. EP GDPR creates two database tables on first load: ep_gdpr_requests (for data subject requests) and ep_gdpr_consent_log (for consent records).
EP Email is recommended for handling data subject requests. Whilst EP GDPR can function independently for features like cookie consent and script blocking, you’ll need an email solution to receive and respond to data subject access, erasure, and portability requests.
EP Email provides this capability plus additional features: consent checkboxes on contact forms, cross-plugin data lookups, and notification emails routed through your SMTP provider.
The cookie consent banner appears on every page and allows visitors to accept or reject cookie categories before any tracking scripts fire.
Go to Admin → Plugins → EP GDPR (Settings)
Under Cookie Consent Banner, tick Show cookie consent banner to visitors
Configure your preferred position, style, and text, then Save
| Setting | Description |
|---|---|
| Banner Position | Where the banner appears: bottom bar (default), top bar, bottom-left floating, or bottom-right floating. |
| Banner Style | Visual appearance: Light (white background), Dark (dark background), or Minimal (subtle border). |
| Banner Text | The message shown to visitors. A sensible UK GDPR-compliant default is provided. |
| Privacy Policy URL | Link to your privacy policy page (e.g. /privacy-policy/). Appears as a clickable link in the banner. |
| Cookie Categories | Which optional categories to offer: Analytics and/or Marketing. Necessary cookies are always enabled. |
| Cookie Expiry | How many days the consent cookie lasts. Default: 365 days. |
On a visitor’s first visit, the banner appears with category toggles. The visitor can choose:
Enables all cookie categories and dismisses the banner immediately.
Enables only the categories the visitor has specifically ticked.
Enables only necessary cookies. No analytics or marketing scripts will fire.
The visitor’s choice is saved in a cookie called ep_gdpr_consent. On subsequent visits, the banner does not appear and their preferences are honoured. Scripts tagged with consent categories are only activated after consent is given (see Script Blocking).
Important: The banner alone does not block scripts. You must also tag your analytics and marketing scripts with data-consent-category attributes for EP GDPR to control them. See the Script Blocking section.
The data subject request (DSR) form allows visitors to exercise their GDPR rights directly from your website. Add it to any page using a shortcode.
Create a new page (e.g. “Data Protection Request” at /data-request/)
Add the shortcode to the page content: [gdpr-request-form]
Or with a custom title: [gdpr-request-form title="Exercise Your Data Rights"]
Publish the page. The form will render automatically with all five GDPR rights.
| Field | Details |
|---|---|
| Full Name | Required. The person making the request. |
| Email Address | Required. Used to look up stored personal data across your system. |
| Request Type | Checkboxes for all five statutory rights. At least one must be selected. Multiple rights can be exercised in a single submission. |
| Details | Required. Free-text description of the request. |
| Privacy Checkbox | Required. Must be ticked to submit the form. |
All five UK GDPR rights are always displayed on the form. These are statutory rights and cannot be selectively hidden:
| Right | Description |
|---|---|
| Right of access | Obtain a copy of your personal data held by the organisation. |
| Right to erasure | Request deletion of your personal data. |
| Right to portability | Receive your data in a portable format (JSON export). |
| Right to rectification | Correct inaccurate personal data. |
| Right to object | Object to the processing of your personal data. |
Why all five rights? Under the UK GDPR, all five data subject rights are statutory. Website owners must provide a mechanism for individuals to exercise any of them. EP GDPR displays all five by default with no option to hide individual rights.
| Setting | Description |
|---|---|
| DSR Form | Enable or disable the shortcode across your site. |
| Notification Recipient | Email address that receives alerts when new requests are submitted. |
| Success Message | Message shown to the visitor after successful submission. Default: “Your request has been received. We will respond within 30 days as required by law.” |
| Rate Limit | Minimum minutes between submissions from the same IP address. Default: 60 minutes. |
Notification emails: When a request is submitted, a notification is sent to the configured recipient. If EP Email is installed, the notification routes through your SMTP provider for reliable delivery. Otherwise, it falls back to PHP’s mail() function.
Anti-spam protection: The form includes a honeypot field (invisible to real visitors) and IP-based rate limiting to prevent abuse.
All submitted requests appear in the Data Subject Requests dashboard at the bottom of the EP GDPR settings page. Each request moves through a simple workflow.
| Status | Meaning |
|---|---|
| Pending | Newly submitted, awaiting admin action. This is the default state. |
| Processing | Admin has begun working on the request. |
| Completed | The request has been fulfilled. |
| Denied | The request has been denied (requires confirmation). |
| Button | What it does |
|---|---|
| View Data | Searches all stored personal data for that email address across EP GDPR and EP Email tables. Results appear in an expandable row below the request. |
| Export Data | Generates a JSON file containing all stored data for that email and triggers a download. Available for access and portability requests. |
| Erase Data | Permanently deletes all stored personal data for that email from consent logs and EP Email tables (with confirmation). Automatically marks the request as completed. |
| Complete | Marks the request as completed. Use after manually fulfilling the request. |
| Deny | Marks the request as denied. Requires confirmation. |
All previous data subject requests from that email address.
All consent events logged for that email in ep_gdpr_consent_log.
Delivery records from EP Email.
Queued messages from EP Email.
When you click Erase Data for an erasure request, EP GDPR deletes:
All consent records for that email from ep_gdpr_consent_log
All email log entries matching that email from EP Email’s ep_email_log
All queued messages matching that email from EP Email’s ep_email_queue
Note: GDPR request records themselves are not deleted during erasure โ they serve as an audit trail of the request itself and are subject to your data retention policy.
When EP Email is installed and active, EP GDPR provides two additional capabilities that require no code changes to EP Email.
EP GDPR can automatically inject a privacy consent checkbox into all EP Email contact forms. The checkbox appears just above the submit button.
Go to EP GDPR Settings → EP Email Integration
Tick Add privacy consent checkbox to EP Email contact forms
Customise the checkbox text if desired (default: “I agree to the privacy policy”)
Optionally make the checkbox required (recommended). Save your settings.
| Setting | Description |
|---|---|
| Add Consent Checkbox | When enabled, a privacy checkbox is injected into all EP Email contact forms via JavaScript. |
| Checkbox Text | The label text shown next to the checkbox. Default: “I agree to the privacy policy”. |
| Require Checkbox | If checked, the form cannot be submitted without ticking the privacy checkbox. |
When processing data subject requests, the admin dashboard automatically searches EP Email’s database tables:
| EP Email Table | What’s searched |
|---|---|
ep_email_log | Emails sent to or from the requester’s email address. |
ep_email_queue | Queued messages containing the requester’s email address. |
This data is included in View Data lookups, Export Data downloads, and Erase Data operations.
If EP Email is not installed, the EP Email Integration section shows a notice and these features are gracefully disabled. EP GDPR works independently.
EP GDPR can block analytics and marketing scripts from running until the visitor gives consent. This is essential for GDPR-compliant use of services like Google Analytics, Facebook Pixel, and similar tools.
Change the type attribute of any script you want to block and add a data-consent-category attribute:
Before (runs immediately, no consent required):
<script> gtag(’config’, ’G-XXXXXXXXXX’); </script>
After (blocked until consent is given):
<script type="text/plain" data-consent-category="analytics"> gtag(’config’, ’G-XXXXXXXXXX’); </script>
| Category | Use for |
|---|---|
analytics | Google Analytics, Matomo, Plausible, Hotjar, and similar tracking tools. |
marketing | Facebook Pixel, Google Ads, LinkedIn Insight Tag, and similar advertising tools. |
Scripts with type="text/plain" are ignored by the browser (they don’t execute).
When a visitor gives consent for a category, EP GDPR converts matching scripts to type="text/javascript" and executes them.
On return visits, if consent was previously given, scripts activate immediately on page load.
A ep_gdpr_consent_changed event is dispatched on document whenever consent changes, so other scripts can react to it.
Tip: In PageMotor, you can use an HTML Box to wrap your analytics script. Set the script to type="text/plain" with data-consent-category="analytics", add the HTML Box to a Block, and deploy the Block on your Templates.
EP GDPR can generate a privacy policy section that automatically reflects your plugin settings. Add it to your privacy policy page using the shortcode:
[privacy-policy]
Both hyphenated and underscored variants work: [privacy-policy] or [privacy_policy]
| Section | Content |
|---|---|
| Who We Are | Your commitment to UK GDPR compliance. |
| What Data We Collect | Auto-detected from your configuration: cookie preferences, contact form submissions (if EP Email detected), email delivery records, and DSR data. |
| How We Use Your Data | Purposes for data processing, based on active features. |
| Cookies | Lists your enabled cookie categories (necessary, analytics, marketing). |
| Your Rights | All five GDPR rights with descriptions. |
| Data Retention | References your auto-purge policy settings. |
| Contact | Uses the DSR notification recipient email address. |
| ICO Complaint | Link to the Information Commissioner’s Office. |
EP GDPR automatically purges old data to minimise the personal data you store. Configure this under Data Retention in settings.
| Setting | Options | Default |
|---|---|---|
| Purge Completed Requests | 6 months, 1 year, 2 years, Never | 1 year |
| Purge Consent Records | 1 year, 2 years, Never | 2 years |
How it works: The purge check runs once per day when an admin visits any page. Only completed and denied requests are purged — pending and processing requests are never auto-deleted.
First, check that Show cookie consent banner is enabled in EP GDPR settings. Then clear your browser cookies — if you’ve already accepted or rejected cookies, the banner won’t show again until the consent cookie (ep_gdpr_consent) expires or is deleted.
EP GDPR only blocks scripts that have been tagged with type="text/plain" and a data-consent-category attribute. If your analytics script uses the normal <script> tag, the browser will run it regardless. See the Script Blocking section for how to tag your scripts.
EP GDPR limits how often the same IP address can submit requests. The default is one request per 60 minutes. You can change this in EP GDPR Settings → Data Subject Requests → Rate Limit. For testing, temporarily set it to 0 (no limit).
EP Email must be installed and active in your current Theme for EP GDPR to search its tables. Check that EP Email appears in your Theme’s active plugins list. If it’s active but data still doesn’t appear, verify that EP Email’s delivery logging is enabled.
Make sure you’ve set a Notification Recipient email address in EP GDPR’s DSR settings. If EP Email is installed, check that EP Email’s SMTP settings are correctly configured and test email sending from the EP Email settings page.
Check that Add privacy consent checkbox to EP Email contact forms is enabled in EP GDPR settings. The checkbox is injected via JavaScript, so it only appears after the page has loaded. If you’re using a custom form class, the injection targets .ep-contact-form elements specifically.
The [privacy-policy] shortcode generates content based on your EP GDPR settings. The text adapts automatically when you change your cookie categories, enable or disable EP Email integration, or adjust data retention periods. For further customisation, you can add your own content above or below the shortcode on the same page.
EP GDPR provides the technical mechanisms for cookie consent, data subject requests, consent recording, and data management. However, full GDPR compliance also depends on your organisation’s data processing policies, staff training, and legal basis for processing. We recommend consulting with a data protection professional to ensure your overall approach is compliant.
How the suite works together: Each plugin works independently, but theyโre designed to integrate. EP GDPR manages consent for all EP plugins โ it adds privacy checkboxes to EP Email contact forms, and will manage consent for EP Newsletter subscriptions and EP Bookings personal data when those plugins are available. Install what you need โ theyโll find each other automatically.