WordPress GDPR Ultimate Guide – everything you need to know
People share a lot of personal information with companies they do business with. This information can fall into the wrong hands if it isn’t protected, which is why governing bodies often create a series of laws to protect the privacy of individuals. With this aim, the European Union implemented the GDPR on 25 May 2018. Here we explore the law in detail to help website or business owners understand what they need to know.
What is GDPR?
People share information with a number of different entities like social media websites, banks, businesses, education organizations, government organizations, blockchain consulting companies, etc. When people share this personal information, they expect the entities to protect the data to the best of their ability and not grant third parties access to it without explicit permission. This information is stored on servers, analyzed, and utilized in marketing campaigns, services, and day-to-day operations.
While sharing the personal information can help these entities serve you better, there’s always a risk of it falling into the wrong hands. Most companies don’t give customers access to this information or delete it on request. Some cut corners when it comes to security and that can lead to increased risk of data breach.
Until recently, the rules and regulations surrounding data privacy and protection were quite complex. Organizations and entities that collected information weren’t legally obligated to share it with users, delete it on request, warn people of a data breach, or respect the rights of data owners. GDPR aims to change that, and here’s a look at what it is:
1. What Does GDPR Stand For?
GDPR stands for General Data Protection Regulation, which is a set of rules and guidelines designed to protect information in the modern age of the Internet.
2. What Does it Aim to Achieve?
This set of laws aims to simplify data protection and provide clear guidelines to all EU citizens as well as businesses. The law makes it easier for people to control their personal information and everyone benefits from it. The guidelines help people determine liabilities or responsibilities. It is easier to resolve conflicts in the event of a data breach, which helps businesses and different entities.
3. Who is it Applicable To?
It is applicable to every website, company, or organization that collects data from EU users. Every online platform that EU citizens visit must comply with GDPR laws or face penalties. Even entities that don’t have a physical presence in EU countries must follow these guidelines. For example, websites like Twitter, Facebook, or eBay are based in the USA, but they still need to comply in order to serve EU citizens.
4. Penalties For Violating GDPR
All platforms were expected to be compliant with GDPR starting 25 May 2018. If a website or organization violates it after this deadline, they can face fines of up to 4% of their annual worldwide revenue or 20 million Euros, whichever is higher. That is a substantial amount for any organization, which is why it’s a good idea to implement the guidelines promptly to avoid facing problems down the line.
Supervisory authorities are set up to enforce these laws. These Data Protection Authorities or DPAs are independent and set up in each EU member state. It is their responsibility to audit websites or organizations, issue notices of non-compliance, handle complaints of data breach, and issue penalties after notice deadlines.
What is Considered Personal Data?
According to the EU website, personal data is any information that relates to an “identified or identifiable living person.” This means any information that can be clearly traced back to you as a named individual is personal data.
Information provided through encrypted means or via a pseudonym that can be still traced back to you is also considered personal data under this law. However, information collected anonymously that can’t be traced back to you or be identified as yours isn’t personal data. That will not be protected under this law.
GDPR protects personal data regardless of what kind of technology is used to collect it. Data gathered automatically, sourced through forms with explicit consent, or collected in surveys is all covered.
Examples of Personal Data
- Full name
- Home address
- Office address
- Email address
- Phone number
- Location information
- Internet Protocol Address
- Cookie ID
- Personal Health Information
All of this information is protected under the GDPR. It is a well-constructed law that covers a large number of data collection and protection requirements. It is easy to implement because the law only requires making a few changes to your website. Once all of these changes are made and you have the right software upgrades in place, implementation becomes automatic.
Is WordPress GDPR Compliant?
If you own a WordPress website, you probably have received several emails from the company regarding GDPR. There are several detailed guides available on WordPress developer pages. The software has also undergone considerable revisions and upgrades to ensure it complies with the law. WordPress version 4.9.6 and up are all GDPR compliant. The development team has added several core enhancements to ensure the platform is ready for the law. This is applicable to the self-hosted WordPress.org and not WordPress.com.
While the development team has done their best to cover all angles of compliance, much is out of their hands. Websites are dynamic entities with unique designs, purposes, and content. GDPR compliance requirements are different for different entities, which is why website owners must also make sure their platform is compliant.
What should you change on your WordPress site?
There are several small changes you need to make to comply with the new law, especially if you have an old website and have been a little careless about data protection. These changes are easy to implement and there are many helpful guides available in the WordPress developer’s library. You can determine which plug-ins and add-ons will be perfect for your website. Here’s a look at what kind of changes website owners need to make:
1. Download the Latest Version of WordPress
WordPress 4.9.6 has a number of built-in privacy features that comply with the new law. This upgrade will provide a comprehensive list of features and options that can help improve your website data protection process and set you on the road to GDPR compliance success. It will be difficult to implement the law on older versions and less up-to-date websites.
2. Data Export and Erase Options
Giving users access to their personal information is an important aspect of GDPR. This means companies are obligated to provide all the data they have collected that can be traced back to you. This includes information collected through cookies, comments, forms, transactions, historical interactions with the website, etc. If a user wants to see what kind of personal information a website has collected, they just need to submit a simple form and the website owner is obligated to provide that information.
If users think they have shared too much, they can request that website owners delete the data. Owners are legally obligated to remove all requested information from their servers. These two request forms should be added to your website and must be clearly visible and accessible to all visitors.
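The export and erase requests described above are handled in WordPress 4.9.6 and later by core tools that only know about core data (users, comments). The following is an added example, not code from the original article or from WordPress itself: it registers an exporter and an eraser for records a site stores on its own, assuming a hypothetical table `wp_bookings` with columns `id`, `name`, `email` and `created_at`.

```php
<?php
// Added example (not from the original article): plug a site's own records
// into the WordPress 4.9.6+ Export/Erase Personal Data tools. Assumed: a
// table wp_bookings with columns id, name, email, created_at.
function example_bookings_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;   // WordPress calls back with page+1 until 'done' is true
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $rows     = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, created_at FROM {$wpdb->prefix}bookings
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-bookings',
            'group_label' => 'Bookings',
            'item_id'     => 'booking-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row->name ),
                array( 'name' => 'Email',     'value' => $row->email ),
                array( 'name' => 'Booked at', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}
// Eraser: delete the rows and report truthfully whether anything was retained.
function example_bookings_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'bookings',
        array( 'email' => $email_address ), array( '%s' ) );
    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => ( false === $deleted ),
        'messages'       => ( false === $deleted )
            ? array( 'Booking records could not be deleted.' ) : array(),
        'done'           => true,
    );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-bookings'] = array(
        'exporter_friendly_name' => 'Bookings',
        'callback'               => 'example_bookings_exporter',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-bookings'] = array(
        'eraser_friendly_name' => 'Bookings',
        'callback'             => 'example_bookings_eraser',
    );
    return $erasers;
} );
```

Once registered, the callbacks run from Tools > Export Personal Data and Tools > Erase Personal Data in wp-admin, so a verified request covers the booking records as well as core data.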
3. WooCommerce Data
E-commerce websites collect more data than regular business websites, which is why this platform was upgraded to comply with GDPR as well. If you have a WordPress e-commerce website along with the WooCommerce plug-in, you need to disclose data collection activities and purpose.
Website owners need to clearly identify what kind of data will be collected and stored. They also need to provide a clear reason for collecting the information and how they will use it. This won’t just comply with established GDPR standards, but will also help win a customer’s trust, so it is a win-win situation.
4. Data Breach Notification
You are required by law to inform users affected by a data breach or hacking attempt that their personal information might have been accessed. This can be done through automated newsletters. Companies can send emails, phone messages, or call directly if the breach is serious. This must be done without delay to ensure affected individuals have some time to prepare and protect their interests. Newsletters should contain information like:
- When did the data breach occur?
- What information was accessed?
- What are the user’s options?
- Who can they contact if they have questions?
- How is the matter being handled?
They should also contain detailed information regarding the breach and clear instructions on what to do; this helps users relax and trust companies to protect their interests. It’s a good idea to be as transparent regarding the process as possible.
5. Consider Using a Premium Plugin
Different plugins and scripts are already available on the market to help website owners comply. They can add forms for information requests and information deletion, send automated emails in the event of data breaches, and provide extensive privacy and cookie settings for your users. If you decide to use a dedicated all-in-one plugin to handle all GDPR requirements at once, don’t forget to check our Ultimate GDPR Compliance Toolkit.
Areas on your website that are impacted by GDPR
Different areas of your website are affected by this new law, which is why it’s a good idea to delve deep into how you collect user information. Most people have gotten so accustomed to sharing and using personal information, it is difficult to step back and look at all the sources. Here’s a list of areas of your website that are affected by GDPR:
- User registrations like sign-in information, password, email, telephone, account activity, etc.
- Comments on posts or reviews on product pages.
- Contact, booking, or reservation forms.
- Subscription to newsletters and serialized content.
- Social media plug-ins from third-party entities like Facebook, Twitter, and Instagram.
- Website analysis activities through third-party platforms like Google Analytics.
- Automated software for daily processes provided by third-party entities like MailChimp.
- Data collected for security purposes.
- Log and traffic information.
- Data collected for marketing purposes.
These are just some sources of information. Compliance is different for different platforms and a lot depends on the purpose of your website. For example, the compliance requirements of a single page business website are quite low. The requirements for an enterprise level e-commerce portal with thousands of pages and millions of transactions are quite high.
Website owners must consider compliance levels of all third-party entities that operate through their platform as well. For example, if you have a Facebook plug-in on the site, you need to make sure Facebook is compliant with GDPR. Same applies to third-party SaaS accounting or marketing software, etc. If the third-party entity isn’t compliant, you might be liable in the event of data breaches. It’s better to be safe than sorry under these circumstances.
GDPR Compliance and WordPress Forms
Forms are a way to collect useful information directly from a visitor. The most common of them are Contact Us forms that make it easier for website users to reach the company for more information or to make requests. GDPR regulations apply to this section of your website so you need to alter contact us forms immediately.
Fortunately, this is easy to do as most popular form-making plug-ins are compliant and offer different ways to gain consent from users. The easiest way is to add a checkbox on the form with an accompanying message along the lines of “Click here to consent to the website storing and using the information provided in this form.”
By clicking on the checkbox, users provide explicit consent and will allow you to store information. If users aren’t comfortable sharing the information, they can leave the box unchecked.
wpForms has added a GDPR agreement module to the software so you can add consent options to all your forms, no matter the design or format. This change is easy to add and will go a long way to ensure your website is compliant.
GDPR Compliance and Cookies
Cookies track user activity and provide information to the owners of the cookie. These are small pieces of data stored in the user’s browser that identify the user on later visits and, for third-party cookies, across websites. They are very useful for marketing and traffic tracking purposes, but they are an invasion of the user’s privacy. Some of the most common cookies on websites are:
- Google Analytics or similar tracking services.
- Google Adwords, Bing, Facebook, and similar advertising networks
- Cloudflare, SaaS, and CDN services
- Opt-ins or pop-ups for different services
- Push notifications from software programs, websites, and apps
- Video players
- Heatmaps for marketing
- Shopping carts on e-commerce websites
GDPR ensures cookies can’t collect information from user activity without the user’s explicit consent. When a user enters a website, they see a pop-up notification that asks permission for cookies. If the user grants permission, website owners can track activity and use it for their marketing endeavors. If the user doesn’t accept cookies, owners can’t use the information. Many website owners direct users to their privacy policy page if they click on the “decline” button.
You need to add a cookie button to your website that complies with GDPR. The button provides basic information on what kind of data is collected and how it is used. The WordPress library contains many free cookie button plug-ins that add a small notice to your website. You can take this a step further by using a premium cookie plug-in like WeePie. These premium plug-ins comply with GDPR and the individual laws of countries like UK, Italy, Germany, etc. They also offer more sophisticated consent buttons to ensure you have explicit permission to use the information.
The cookie consent buttons should be present in all your online assets like main site, blog site, microsites, etc. They should be responsive on all platforms, including mobile. Make sure the button is visible but doesn’t compromise user experience. You must also remove all third-party cookies from your website or online presence unless they are useful and compliant with GDPR as well. This ensures you can’t be held responsible for any data breaches by third parties.
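Showing a banner is only half of it: the tracking script must not reach the browser until consent is given. The following is an added example, not code from the original article or from any plugin it names, assuming the site’s consent banner sets a first-party cookie named `example_cookie_consent` with the value `accepted`, and that the Google Analytics measurement ID is stored in the option `example_ga_id` (all three names are assumptions).

```php
<?php
// Added example (not from the original article): enqueue a third-party
// tracking tag only after the visitor opted in. Assumed: the consent banner
// sets the cookie "example_cookie_consent" to "accepted", and the site
// stores its Google Analytics measurement ID in the option "example_ga_id".
function example_visitor_consented_to_tracking() {
    return isset( $_COOKIE['example_cookie_consent'] )
        && 'accepted' === $_COOKIE['example_cookie_consent'];
}

add_action( 'wp_enqueue_scripts', function () {
    if ( ! example_visitor_consented_to_tracking() ) {
        return; // no consent: the tag is never sent to the browser at all
    }
    $ga_id = get_option( 'example_ga_id' );
    if ( empty( $ga_id ) ) {
        return; // nothing configured, nothing to load
    }
    wp_enqueue_script(
        'example-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( $ga_id ),
        array(),
        null,   // no version query string appended
        true    // load in the footer
    );
    // Initialise the tag; esc_js() keeps the ID from breaking out of the string.
    wp_add_inline_script( 'example-gtag',
        "window.dataLayer = window.dataLayer || [];"
        . "function gtag(){dataLayer.push(arguments);}"
        . "gtag('js', new Date());"
        . "gtag('config', '" . esc_js( $ga_id ) . "', { 'anonymize_ip': true });"
    );
} );
```

Full-page caching would serve the tagged page to every later visitor regardless of their own cookie, so exclude cached pages from this check or make the decision client-side instead.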
GDPR Compliance and WordPress Comments
Users usually don’t share much when they comment on posts or review products online. Most use generic names and don’t provide email or other contact information as they’re not required to do so in the default comment form settings provided by WordPress. However, some website owners require users to provide the full name and email details before commenting. These forms must comply with GDPR and WordPress provides ample options to do so. Here are some factors to consider:
- WordPress places a cookie in the user’s browser so they don’t need to type the contact information repeatedly on every comment. This means the data is collected and stored, so you need to ask permission for it. This can be done by adding a simple checkbox underneath the fields.
- Comment forms should come with a notice about collecting information and using it for marketing or research purposes. This will give users an idea of what happens to the information they submit so they can give informed consent.
There are different kinds of comment form plug-ins available. The default WordPress comment form is compliant, so you don’t need to do much to make the comment form suitable. You can also disable the comment cookie entirely and let users type their contact information whenever needed. Some users will prefer this over letting websites store their personal data.
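Disabling the comment cookie entirely, as the last option above suggests, takes two core hooks. This is an added example, not code from the original article; it relies only on hooks that exist in WordPress 4.9.6 and later, and belongs in a plugin file or the theme’s functions.php.

```php
<?php
// Added example (not from the original article): stop WordPress from
// storing commenter details in the browser at all, so there is no cookie
// to ask consent for in the first place.

// 1. Unhook the core handler that writes the comment_author_* cookies
//    after a comment is posted (registered at the default priority 10).
remove_action( 'set_comment_cookies', 'wp_set_comment_cookies' );

// 2. Remove the "Save my name, email, and website in this browser" opt-in
//    checkbox that 4.9.6 adds to the comment form, since it would now
//    promise something the site no longer does.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    unset( $fields['cookies'] );
    return $fields;
} );
```

If you keep the checkbox instead, core already sets the cookies only when it is ticked, so the two changes are an alternative to the opt-in, not an addition to it.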
GDPR Compliant Privacy Policy
The privacy policy is one of the most important aspects of a website and it must be updated to comply with GDPR standards. If you are part of any social network, banking website, educational institution, and other such establishments, you might have already received a privacy policy notice. This notice informs users about upgrades to a website’s privacy policy, invites them to read it, and then asks them to consent to the changes. Your website needs such a document as well.
1. How to Upgrade
A website owner needs to upgrade their policy according to the new law. This can be an intimidating process because the policy is a lengthy, detailed document. Fortunately, there are several tools available to help you with the process. Here’s a look at what you can do:
- Use WordPress Generator – WordPress has a privacy policy generator that uses your current policy or allows you to create a new one that is compliant with GDPR. This auto-generated policy is a good place to start if you have no clue about how these documents work and how they should be framed.
- Custom Policy – Most websites need to customize their policy eventually to suit their website’s requirements. An auto-generated one might not cover all information collected, which can place your website at risk down the line. Every source of information must be covered by the policy to ensure your website is fully compliant.
If you are collecting a lot of personal information, it’s a good idea to consult with a legal professional before drafting a privacy policy. That will help mitigate the risk of GDPR violation.
2. What Does GDPR Require?
Most websites provide long, detailed privacy policy documents. They read like court papers and can be tedious, which is why GDPR requires website owners to:
- Provide concise, transparent, intelligible information.
- Ensure the privacy policy is easy to access.
- Write the information in plain language, especially if it is addressed to a child.
- Provide it free of charge.
This ensures users don’t have a hard time reading and understanding the privacy policy and providing informed consent.
While drafting this document, you need to explain a few points to the website users and they are:
- Who is collecting data?
- Why is it being collected?
- What is the legal basis for processing data?
- How will the information be used?
- What rights does the data subject have?
- How can a user raise a complaint?
- Will the information be shared with third parties?
The answer to these questions will help you organize the information in a privacy policy efficiently.
Any website that operates in the EU or is accessed by EU citizens must follow GDPR. These changes aren’t too difficult to implement and it is mandatory to toe the line. It is a good idea to understand the law well and implement it thoroughly.