Aimed at protecting the personal data of people in the EU and at levelling the playing field for businesses, the GDPR can fairly be called the biggest change to data privacy law in decades.
Since this law came into force, website owners have had to go the extra mile not only in how they collect users' information but also in how they protect it.
So if you own a WordPress website, this article is for you: I will discuss the possible impact of this law on your website and the safeguards you can put in place to make your WordPress website GDPR compliant.
Having said that, I should make clear that although I will try to paint a detailed picture, the regulation itself runs to 99 articles and 173 recitals, so it is not possible to cover all of its intricacies in one article.
Second, the tips in this article are not a substitute for legal advice, so if need be, don't hesitate to consult an expert in this field.
What is GDPR?
The General Data Protection Regulation (GDPR) replaced the patchwork of national laws built on the 1995 Data Protection Directive with a single regulation that applies directly across the EU. Adopted in 2016 and applicable since 25 May 2018, it gives people in the EU more control over how their personal data is collected, used and tracked online.
Around that date you must have received email after email from websites such as Google and Facebook explaining their privacy policies and how they store and use your data. That is the GDPR at work: an organisation holding your data has to tell you how it will be used and, where it relies on your consent as the legal basis for processing, has to obtain that consent clearly and explicitly rather than assume it.
What’s the Purpose of GDPR?
The purpose of GDPR is to give consumers greater control over their information: how it is collected, stored and used.
Before GDPR, businesses would bury users' consent inside voluminous terms and conditions that the majority of people never read.
Not any more.
Under GDPR, a request for consent must be presented separately from other matters, in clear and plain language free of over-complicated legal jargon, and the consent itself must be freely given, specific, informed and unambiguous (Articles 4(11) and 7).
Does GDPR Apply to your WordPress Website?
In most cases, yes.
Though the regulation was written to protect the information rights of people in the EU, it applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour (Article 3).
The only way to ensure that the regulation does not apply to you is to block EU visitors from your website altogether. I bet you wouldn't want to sacrifice such a lucrative traffic stream: European traffic may be one of the biggest sources of visits to your site, so you won't be doing your website justice by restricting users from the EU. Did you know that around 35% of all websites use WordPress as their content management system? How many of those do you think have implemented such a restriction? Probably far fewer than you might first think.
Especially since you can make your WordPress website GDPR compliant fairly easily by applying some safeguards.
What if your WordPress Site is not GDPR Compliant?
In the worst case, you will be slapped with a hefty fine: up to 4% of a company's annual worldwide turnover or €20 million, whichever is higher.
Though this penalty has definitely stirred some panic, a fine is neither the only tool a supervisory authority has nor necessarily the first one it reaches for. Article 58 gives authorities a range of corrective powers: warnings, reprimands, orders to bring processing into compliance, and temporary or definitive bans on processing, alongside fines. Fines are set case by case according to the nature, gravity and duration of the infringement, the number of people affected and the measures taken to mitigate the damage (Article 83), so a small site that has made a good-faith effort is in a very different position from a company that has ignored the rules. There is, however, no guaranteed sequence of warnings before a fine can be issued.
Since the repercussions can be severe, it's better to be safe than sorry.
So how can you comply with GDPR?
Well, before seeking an answer to that, it's important to understand:
What is Personal Data according to the GDPR?
The regulation does not actually use the term "private information"; its term is "personal data", and the definition is broad: any information relating to an identified or identifiable natural person (Article 4(1)). Names and addresses are the obvious examples, but the golden rule is that anything which can single out an individual, on its own or combined with other data you hold, counts.
That is why, since the regulation came into force, things visitors used to take for granted, such as cookie identifiers and IP addresses (which Recital 30 explicitly lists as online identifiers), now fall within its scope.
What is Required Under GDPR?
To jot down the facets of this law, here are four main pillars you need to be aware of:
1. Explicit and Unambiguous Consent: To take an example, lots of websites have pre-ticked boxes for receiving their newsletter, and whenever a visitor posts
Well, this practice should be abandoned now.
If you want to send newsletters to your visitors, you should be explicit about it.
No more “Ninja” tricks now.
By explicit, it means no more pre-ticked checkboxes, and the consent should be separate from other terms & conditions. Leave the box unchecked by default, and keep a record of when and to which wording each person consented, because Article 7(1) puts the burden of demonstrating consent on you.
2. Rights to Data: This includes informing individuals how, why and where their data is used. Moreover, individuals have the right to obtain a copy of their data (Article 15), to receive it in a portable, machine-readable format (Article 20) and to have it erased (Article 17, the "right to be forgotten"). This does not mean building a self-service interface for users to delete their records from your website; they can simply send a request, and you have to act on it, normally within one month (Article 12). Erasure is not absolute: data you must keep to meet a legal obligation, for instance, can be retained, but you have to tell the person what you kept and why.
3. Breach Notification: The website/business must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33). The clock starts when you discover the breach, not when it happened, which is one more reason to keep logs that let you work out what was accessed. The notification can be skipped only if the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If the breach is likely to result in a high risk to them, you must also inform the affected individuals themselves without undue delay (Article 34).
4. Data Protection Officers: Appointing a Data Protection Officer (DPO) is mandatory when you are a public authority, when your core activities involve regular and systematic monitoring of individuals on a large scale, or when you process special categories of data (health, religion, political opinions and the like) on a large scale (Article 37). A typical blog will not meet this threshold, but a large membership site that tracks its users closely might.
A DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The key term to keep in mind is EXPLICIT CONSENT. Closely related is purpose limitation: never use your users' data for purposes other than those it was collected for (Article 5(1)(b)).
Using user information for purposes other than those it was collected for was already frowned upon as unethical, but now the rule is stringent and laid down in black and white.
Now, coming to your WordPress blog, let’s see how you can comply with the GDPR’s requirements.
Is WordPress GDPR Compliant?
That's an important question.
We need to make sure that the WordPress platform itself gives us what the law asks for. The answer is that it does: although we are well past WordPress 5.0 now, WordPress added a privacy policy page, personal data export and erasure tools and a comment cookie opt-in back in version 4.9.6. Bear in mind, though, that compliance is a property of your site, not of the software: the platform supplies the tools, and what you do with themes, plugins, forms and third-party scripts determines whether you actually comply.
Additionally, there are several plugins that offer an easier route to compliance. However, do not treat installing a plugin as the solution to every problem. Since the web keeps changing, you need to stay on your toes to keep up with a dynamic environment.
How does a Normal WordPress Blog Collect Information?
To figure out whether you fall under GDPR, you need to look at how your blog collects user information (including from visitors in the EU). Generally, a normal blog collects visitor information through the following sources:
1. Google Analytics
There can hardly be a WordPress blog that does not use Google Analytics to track its traffic, and, to be honest, whether Google Analytics falls under the
After all, it's Google and not you who is collecting the information. Right?
Well, the verdict is that you decide that the data is collected and for what purpose, which makes you the controller; Google processes it on your behalf as a processor. You therefore need a legal basis for the tracking, a data-processing agreement with Google (Google offers one in the Analytics admin settings), and you must make sure you are not sending Google anything that identifies a person directly, such as an email address in a URL or a user ID, which Google's own terms also prohibit.
If you want to know further about it, here’s a detailed article about Google Analytics and the GDPR law. I hope you’ll find it useful.
2. Cookies Information
A cookie is a small piece of data that a website you visit asks your browser to store on your device and send back on later requests. I won't dive deeper
Since cookies can be used to identify and track a person, cookie identifiers count as personal data, so you need a clear and unambiguous disclosure not only that your website sets cookies but also how you intend to use them. The consent requirement for cookies actually comes from the ePrivacy Directive rather than from the GDPR itself, and it has one useful exception: cookies strictly necessary for a service the visitor has asked for (a login session, a shopping basket) do not need consent; analytics and advertising cookies do.
What this means is that the simple one-line notices of the past, which merely announced that the site uses cookies and offered no choice, are no longer valid.
To comply with GDPR, you now have to seek your visitors' consent through a notice that explains what the cookies are used for and lets them accept or refuse the non-essential ones before those cookies are set.
3. Blog Comments
This is quite obvious. If you have enabled comments on your blog, then you are also collecting some basic information such as the name, email address and IP address of each commenter. If that's the case, then following the examples above, you now have to seek clear and explicit consent to store the commenter's information and to set the cookie that remembers it for next time (the auto-fill fields).
4. Email Opt-in and Other Contact Forms
If you're collecting email addresses (or any other information) through opt-in forms and/or contact forms on your website, especially from visitors in the EU, then the GDPR applies to you.
A safeguard you can take is to add an additional checkbox confirming the visitor's consent before they submit their information (again, make sure it's unchecked by default, and validate on the server that it was ticked, because anything enforced only in the browser can be skipped). The same can be done for the other contact forms on your WordPress website.
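Here is how the unchecked, server-validated consent checkbox described above (in the consent pillar and in the comments and opt-in sections) can be added to the stock WordPress comment form. This is an added example written for this article, not code from WordPress core or from any plugin; the field name, meta key, text domain and the `CC_NOTICE_VERSION` constant are this example's own choices. Save it as `wp-content/mu-plugins/comment-consent.php`.

```php
<?php
/**
 * Added example for this article (not WordPress core or plugin code):
 * an unchecked, required consent checkbox on the comment form, enforced
 * on the server and recorded alongside the comment.
 *
 * The field name, meta key, text domain and the constant below are
 * assumptions made for this example.
 */

// Bump this whenever the wording of the consent notice changes, so that each
// stored consent record says which text the commenter actually agreed to.
define( 'CC_NOTICE_VERSION', '2024-01' );

// 1. Render the checkbox, never pre-ticked. comment_form() prints these fields
//    only for visitors who are not logged in, i.e. exactly the people typing a
//    name and email address into the form.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['privacy_consent'] = sprintf(
        '<p class="comment-form-privacy-consent">'
        . '<input id="privacy_consent" name="privacy_consent" type="checkbox" value="%s" required>'
        . ' <label for="privacy_consent">%s</label></p>',
        esc_attr( CC_NOTICE_VERSION ),
        esc_html__(
            'I agree that this site stores my name, email address and IP address together with my comment. I can ask for this data to be exported or deleted at any time.',
            'comment-consent'
        )
    );
    return $fields;
} );

// 2. Enforce it on the server. The HTML "required" attribute only helps browsers;
//    a bot or a hand-crafted POST to wp-comments-post.php skips it entirely.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Logged-in users never saw the checkbox; pingbacks and trackbacks have no form at all.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( is_user_logged_in() || ( '' !== $type && 'comment' !== $type ) ) {
        return $commentdata;
    }

    $given = isset( $_POST['privacy_consent'] )
        ? sanitize_text_field( wp_unslash( $_POST['privacy_consent'] ) )
        : '';

    // The value must match the *current* notice version: a stale cached form
    // submitted after the wording changed is not consent to the new wording.
    if ( CC_NOTICE_VERSION !== $given ) {
        wp_die(
            esc_html__( 'Please confirm that you agree to the storage of your data before posting a comment.', 'comment-consent' ),
            esc_html__( 'Consent required', 'comment-consent' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Record the consent: Article 7(1) expects you to be able to demonstrate it.
//    The leading underscore keeps the meta out of the Custom Fields box.
add_action( 'comment_post', function ( $comment_id, $comment_approved, $commentdata ) {
    if ( is_user_logged_in() || empty( $_POST['privacy_consent'] ) ) {
        return;
    }
    add_comment_meta( $comment_id, '_privacy_consent', array(
        'notice_version' => CC_NOTICE_VERSION,
        'given_at'       => current_time( 'mysql', true ), // UTC timestamp
        'ip'             => isset( $commentdata['comment_author_IP'] ) ? $commentdata['comment_author_IP'] : '',
    ), true );
}, 10, 3 );
```

Two points are worth noting. The `preprocess_comment` check is the one that counts: a theme that prints its own form without the field, or a script posting straight to `wp-comments-post.php`, is rejected there regardless of what the browser did. And because the checkbox carries the notice version rather than a bare "1", changing the wording means bumping the constant, after which every stored record still shows which text each person agreed to. Core's comment exporter (Tools > Export Personal Data) already exports comments by email address; to include the `_privacy_consent` meta in those exports, register an exporter for it through the `wp_privacy_personal_data_exporters` filter.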
5. WordPress Membership Websites
If yours is a membership website, then all the information you collect about your members falls within the scope of the GDPR.
So your notices should be clear, explicit and unambiguous, stating exactly what purpose you are collecting the information for. Moreover, members should be able to download their information and request its deletion.
Built-in WordPress Enhancements Addressing GDPR Requirements
WordPress has also added some enhancements to address the GDPR requirements. These are present by default in WordPress 4.9.6 and onward, so you don't need any fancy plugins for them.
Some of these changes are:
1. Privacy Policy Page
WordPress lets you designate one page as your privacy policy; it is then linked from the login and registration screens, and core ships a suggested policy template you can edit. To set it up:
- From the Pages tab on the left, click Add New and create your privacy policy page.
- Now, from the Settings tab, click Privacy and select that page (or create a new one from there).
2. Export or Erase User Data
Remember I mentioned that users now have the right to request a copy of their data and to have it deleted?
Well, WordPress now gives you an easy way of handling this. From the Tools section in the left menu bar, you can send a confirmation request to the user's email address from the Export Personal Data option, and likewise from the Erase Personal Data option; once the user confirms, you can generate the export file or run the erasure with one click. Out of the box these tools cover the data WordPress core itself stores (user profiles, comments and media); data kept by plugins is only included if the plugin registers itself with the tools.
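The export and erase tools only see data that has been registered with them. This added example (written for this article; not WordPress core code or any particular plugin) registers an exporter and an eraser for a hypothetical newsletter opt-in table, so that a request handled from Tools > Export Personal Data or Erase Personal Data also covers the opt-ins collected by a form like the one in section 4. The table name `{$wpdb->prefix}newsletter_optins` and its columns `id`, `email`, `consented_at` and `ip` are assumed for illustration; the function names and text domain are this example's own. Save it as a must-use plugin, e.g. `wp-content/mu-plugins/newsletter-privacy.php`.

```php
<?php
/**
 * Added example for this article (not WordPress core or plugin code):
 * plug a plugin's own data into the Tools > Export Personal Data and
 * Erase Personal Data screens shipped since WordPress 4.9.6. Core only knows
 * about its own tables (users, comments, media); anything your site stores
 * elsewhere is invisible to those tools until you register it.
 *
 * Assumed for illustration only: a table {$wpdb->prefix}newsletter_optins
 * with columns id, email, consented_at, ip, filled by some opt-in form.
 */

function nl_optins_table() {
    global $wpdb;
    return $wpdb->prefix . 'newsletter_optins';
}

/**
 * Exporter callback. Core calls it with the (already confirmed) email address
 * and a page number, repeating with $page + 1 until 'done' is true.
 */
function nl_optins_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        'SELECT id, email, consented_at, ip FROM ' . nl_optins_table() . ' WHERE email = %s',
        $email_address
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'newsletter-optins',
            'group_label' => __( 'Newsletter subscriptions', 'nl-optins' ),
            'item_id'     => 'newsletter-optin-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email address', 'nl-optins' ),       'value' => $row->email ),
                array( 'name' => __( 'Consent given at', 'nl-optins' ),    'value' => $row->consented_at ),
                array( 'name' => __( 'IP address at opt-in', 'nl-optins' ), 'value' => $row->ip ),
            ),
        );
    }
    // Everything fits on one page here, so report completion immediately.
    return array( 'data' => $items, 'done' => true );
}

/**
 * Eraser callback. Deletes the rows and tells core what happened; if a legal
 * obligation forced you to keep something, set 'items_retained' and explain
 * it in 'messages' so the admin can pass that on to the requester.
 */
function nl_optins_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( nl_optins_table(), array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => false !== $deleted && $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

// Register both callbacks so they appear in the tools alongside core's own.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['nl-optins'] = array(
        'exporter_friendly_name' => __( 'Newsletter opt-ins', 'nl-optins' ),
        'callback'               => 'nl_optins_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['nl-optins'] = array(
        'eraser_friendly_name' => __( 'Newsletter opt-ins', 'nl-optins' ),
        'callback'             => 'nl_optins_eraser',
    );
    return $erasers;
} );
```

The email address passed to both callbacks is the one the requester confirmed by clicking the link WordPress sent them, so the lookup itself is the identity check; the callbacks should not accept an address from anywhere else. Keep the exporter free of anything that belongs to another person (for instance, a referrer's address stored on the same row), since the export file goes straight to the requester.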
3. Comments Consent
Now you don't have to go to great lengths to add a checkbox seeking consent from your visitors in the comments section: recent versions have this built in. All you have to do is go to the Discussion window from the Settings tab on the left.
Once in the Discussion window, look for the option that says "Show comments cookies opt-in checkbox, allowing comment author cookies to be set." and tick it. Note what this checkbox covers: the label visitors see is "Save my name, email, and website in this browser for the next time I comment", so it asks consent only for the auto-fill cookie, not for storing the comment itself.
WordPress Plugins to Address GDPR Law
If you start applying changes to your WordPress website to comply with GDPR, it's going to take a good number of man-hours just to make sure you haven't left any stone unturned.
This becomes even more daunting if you're not tech savvy and have no experience with HTML and the other design aspects of the web.
If that's the case, then you should use plugins that take care of the requirements of the law to make sure you're not legally exposed. At the same time, as mentioned above, plugins do not necessarily address every concern, so the responsibility for staying vigilant rests on your shoulders.
To help you further, I've written another post that will help you find the right plugin for your WordPress website. Here's the article:
Lastly, what I'd suggest is that you should not freak out over the GDPR. It was not enacted to put you out of business; its purpose is to protect people's rights, which ultimately should be the objective of every government. So as long as you are truthful, discreet and professional in handling your users' information, give users control over it and use proper disclosures, you've got yourself covered.
Yes, it does put bloggers and website owners in a little bit of unease, but I guess that's a price worth paying to make the web a better place.