Introduction

In the past weeks, you might have heard about GDPR and how it will affect the websites. Does it apply to you? What should you change on your site to be compliant with it? I will try to explain some of the things you need to take into account when making your WordPress GDPR compliant.

Disclaimer

This is not legal advice; I’m not a lawyer. (If you’re seeking legal advice, contact a lawyer or someone with a GDPR certificate.)

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018.

The purpose of this regulation is to offer individuals better protection of, and control over, their data.

As stated in the first article of the regulation:

  1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

Since the law comes from the European Union, you might think that it doesn’t apply to you if you’re from outside the EU. That is not true.

This law applies to anyone and any type of business that has visitors from the EU. Depending on how you collect data from users, you might need to make some adjustments to your site. There must also be a clear explanation of how the data is stored, where, and for how long.

There are fines involved if you don’t respect the GDPR. The upper tier of fines goes up to $20.000.000 or 4% of your annual income (worldwide), whichever is higher. (source here)

It sounds very scary, but keep in mind that fines are the last resort. Before that, you will receive a warning, then a reprimand, then a suspension of data processing, and only if you still don’t fix all the issues will you be fined. (source here)

GDPR is here to stay, and the sole purpose of this regulation is to help users protect their data: it makes it impossible to collect soft opt-ins, sell data, share user data, or process it with a 3rd party without the consent of the user.


What are the requirements under GDPR?

The GDPR has around 88 pages if I remember correctly. You can find it linked in the “Useful articles” section.

Here are the most important things you need to keep in mind from now on when designing or developing websites.

GDPR protects personal data. This includes names, emails, physical addresses, IP addresses, health information, income, etc. (more on this here, where personal data is defined, and here, where you can find a more detailed take on personal data).

Online identifiers (like nicknames or names associated with devices) are also personal data if they can be used to track or identify a person. (more here)

If you process data that doesn’t help identify a person, or that is impossible to associate with a real person, you don’t need consent from the visitor. (more here)

That being said, you will need to provide the following:

Transparent information – You will need to provide clear details of what information you’re going to store about the user, where it’s stored, for how long, and how it will be used. It must be clear whether you share the information with a 3rd party or not.

Example: if you have an opt-in form for news about new products, you will have to state what the form is for. If you plan to use the same form to also subscribe the user to a different list, you will need to add a checkbox asking whether you can add them to that extra mailing list. They will have to provide consent for the extra list. (See Condition for consent and Recital 32)

Right to access data – The user must know where their data is stored and how they can access it. This way they can ask for the data to be deleted (by unsubscribing, for example).

Right to rectification – The user must be able to adjust or change their data if it contains errors. Basically, the user should be able to edit the details they provided.

Right to erasure (or the right to be forgotten) – You must provide the option to delete all activity for that user (including their account on your site, newsletter subscriptions, and cookies).

Right to data portability – Users can download their data and move it to another service provider.

More information can be found in Chapter 3 – “Rights of the data subject” of GDPR.


Is WordPress GDPR compliant? What about the plugins?

WordPress

The latest update, 4.9.6, makes WordPress GDPR compliant.

The new update provides some new functionality that is required under GDPR:

  • Users can request a log of their activity on your site
  • Users can request to delete all the data related to their account
  • No cookies containing personal information are saved by WordPress without your consent (example: the comment section. Now you have to approve whether you want the site to keep your information for when you come back later to comment again)
  • Option to create a Privacy Policy page. WordPress generates the page if you don’t have one. Once you set a Privacy Policy page, it is linked from the login and register forms. You should also link to it from every page on your site; a link in the footer will do.

You can read the full WordPress 4.9.6 release statement from WordPress themselves.

Plugins

Most plugins will start to provide GDPR updates. You must check this for each plugin: look at its main website page for news about GDPR releases.

Contact forms, plugins that use cookies (Analytics, Facebook Pixel, etc.), e-commerce (WooCommerce), membership plugins, and email marketing (data collection) plugins are the ones you should keep an eye on.


Is your WordPress GDPR compliant?

Making your WordPress GDPR compliant will be different for each project. It depends on what you have on the site: forms, 3rd party services, etc. But there are a few things you can do to make sure your WordPress install complies with GDPR requirements.

You must have a Privacy Policy page. In there, users and visitors will find all the details about the points mentioned above, including: how the data is stored, what data is stored, what cookies run on the site by default (as long as those cookies don’t store or require personal data), how they can access their data, and so on.

If you’re running a blog, a presentation site, or a portfolio, you might not be affected that much. You will create this Privacy Policy page and state all the details in there. The forms must carry a clear message so the user understands what they are signing up for.

The purpose of each form has to be clear (state what it’s for and add a link to the Privacy Policy in that form).

Add checkboxes asking for consent if you want to share the information from the form with 3rd parties.

Enable tracking cookies only if the user provides consent. You can do this with a Cookie Policy pop-up where they can set what to enable. Except for the cookies that are necessary for site functionality (which don’t need personal data), all other categories must be disabled by default.

Google Analytics now offers the option to track users without creating a UserID and with the IP address hidden. This means you can use this cookie by default, and then ask for consent to use the full Analytics code. (see here and also the link from “Useful articles”)
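The consent gating described above, written out as an added example that is not code from the article or from WordPress: a small front-end script a theme could ship that keeps every non-necessary category off until the visitor opts in, records the choice in a cookie, and derives the Google Analytics configuration from it (anonymised by default, full configuration only with consent). The cookie name `site_consent`, the category names `necessary`/`analytics`/`marketing`, and the `G-XXXXXXXX` measurement ID are assumptions made for this demo.

```javascript
// Added example, not code from the article or from WordPress: consent-gated
// loading of tracking tags for a site's front end. The cookie name
// "site_consent", the category names and the "G-XXXXXXXX" measurement ID
// placeholder are assumptions made for this demo.

const CONSENT_COOKIE = 'site_consent';                 // assumed name
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const GA_ID = 'G-XXXXXXXX';                            // placeholder, not a real ID

// Default state: strictly necessary cookies only; every other category off
// until the visitor opts in, as the article requires.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Parse a document.cookie style string ("a=1; site_consent=%7B...%7D") into
// a consent object. Anything malformed or of the wrong type falls back to
// the default, so a tampered cookie can never switch a category on.
function readConsent(cookieString) {
  const consent = defaultConsent();
  for (const pair of String(cookieString || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1 || pair.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    let parsed;
    try {
      parsed = JSON.parse(decodeURIComponent(pair.slice(idx + 1).trim()));
    } catch (e) {
      return consent;                                  // malformed: no consent
    }
    if (!parsed || typeof parsed !== 'object') return consent;
    for (const cat of CATEGORIES) {
      if (cat === 'necessary') continue;               // cannot be switched off
      consent[cat] = parsed[cat] === true;             // strict boolean check
    }
  }
  return consent;
}

// Build the Set-Cookie / document.cookie value that records a choice.
// Only booleans are stored; SameSite=Lax keeps it off cross-site requests.
function consentCookieValue(choice, maxAgeDays = 180) {
  const clean = {};
  for (const cat of CATEGORIES) {
    clean[cat] = cat === 'necessary' ? true : choice[cat] === true;
  }
  const value = encodeURIComponent(JSON.stringify(clean));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax`;
}

// gtag.js config derived from consent. Without analytics consent the tag
// runs in the reduced mode the article describes (IP anonymised, no user
// ID); with consent the full configuration, including a user ID, is used.
function gtagConfigFor(consent, userId) {
  if (!consent.analytics) return { anonymize_ip: true };
  const cfg = { anonymize_ip: false };
  if (userId) cfg.user_id = userId;
  return cfg;
}

// Which third-party scripts may be loaded for a given consent state.
// Marketing tags (e.g. Facebook Pixel) require explicit opt-in.
function tagsToLoad(consent) {
  const tags = [{
    category: 'analytics',
    src: 'https://www.googletagmanager.com/gtag/js?id=' + GA_ID,
  }];
  if (consent.marketing) {
    tags.push({ category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' });
  }
  return tags;
}

// Browser side: inject the permitted tags and configure gtag. Safe to call
// again after the visitor changes their choice in the cookie pop-up; scripts
// already on the page are not added twice.
function applyConsent(consent, userId) {
  if (typeof document === 'undefined') return;         // not in a browser
  for (const tag of tagsToLoad(consent)) {
    if (document.querySelector('script[src="' + tag.src + '"]')) continue;
    const s = document.createElement('script');
    s.async = true;
    s.src = tag.src;
    document.head.appendChild(s);
  }
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', GA_ID, gtagConfigFor(consent, userId));
}

if (typeof document !== 'undefined') {
  applyConsent(readConsent(document.cookie));
}
```

The pop-up's "save" handler would call `document.cookie = consentCookieValue(choice)` and then `applyConsent(choice)`. Widening consent takes effect immediately; narrowing it only stops new tags from loading, because a script already on the page cannot be unloaded, so a revoke should also clear the third-party cookies and reload the page.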

Free solutions

I read the documentation and it provides useful information on how you can find the cookies running on your site, how to put them in categories and use the functions they offer to make the site GDPR compliant.

You will need to put in some effort and do the work yourself using those functions inside your theme.

Premium solutions

There are some premium solutions for cookie management:

You will be able to manage the cookies, set geolocation so the pop-ups appear only for EU visitors, enable certain cookie categories, and revoke access if the user changes their mind.


Useful articles

Here is a list of useful articles. I also read them and used information from them to create this article.


Final words

GDPR seems like a lot to take in at first. Whether you like it or not, it’s here to stay, and it’s not such a bad thing. Yes, you will need to be more careful about what you have on the site and how it handles data. But that’s what you’d want when it comes to your own data, right?

Having these rules in place will make the internet a safer and much more transparent space (as it was intended to be).

Even if you’re not GDPR compliant yet, just try to cover all the things mentioned. I don’t think the EU will start striking you down on the first day the law goes into effect.

I’m interested to see what solution WordPress will offer plugin creators for feeding their cookies into a universal consent form. Right now each plugin might come up with its own little method. A centralized way would be a good idea for making WordPress GDPR compliant.