Both free and paid versions of our plugin are GDPR compliant. The compliance is achieved by displaying a security message on the login screen of your website. This message can be turned on and off from the Settings page of the plugin. GDPR does not make consent a mandatory requirement for all processing of personal data. Consent (Article 6 (1)a) is indeed one of conditions that can be used to comply with the GDPR requirement that processing must be lawful, but it is not the only condition available to the controller to ensure lawful processing – there are alternatives (before the list of conditions it says that “at least one of the following” must be satisfied).

All the conditions for lawfulness of processing are spelled out in Article 6 of the GDPR. One of alternatives is Article 6 (1)f. It says it is legal to process personal data if Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Logging IP addresses for the purpose of security is an extremely widespread practice. It is a legitimate interest to comply with standard security practices. It is the default, and most websites do this. It is legal to do this without a consent.