
The Complete WordPress GDPR Guide: What Does the New Data Regulation Mean for Your Website, Business and Data?

TL;DR: The GDPR is a new regulation by the EU. It changes a lot about how every WordPress site goes about its business. Even non-EU-based sites and businesses are affected. You have less than a year to make your WordPress site GDPR compliant; otherwise you’re facing serious fines – up to € 20 million, or more, believe it or not.

On 25th May 2018, the GDPR (General Data Protection Regulation) enacted by the EU comes into effect. Is your WordPress website GDPR compliant? What steps must you take to ensure that your WordPress website follows the guidelines? What happens if you neglect this?

This post will help you in your endeavor to be ready when the regulation kicks in.

  • First, we’re going to talk in detail about the GDPR guidelines, the specific areas of your business that the guidelines affect, and why you should be concerned about WordPress GDPR compliance.
  • Next, we will cover the basics of making a WordPress site compliant with the guidelines.
  • Finally, we will discuss the implications of the use of plugins on your WordPress site and how your GDPR compliance might be affected.
Shaumik Daityari

37 Comments
Karen Mas
May 14, 2018 9:54 am

I’ve only just found out about this new GDPR law. I only have a WordPress blog (cookery and handicrafts). It’s not a business, just a hobby. I have very few followers (around 45), even after having set up my blog 4-5 years ago. Do I also have to advise my followers about this? I don’t think so, but – just in case!
Thanks
Karen

craftycoding
May 8, 2018 10:09 am

Thanks for this article. One thing that’s missing though is the cookie compliance part. I’ve been reading a bit about that and basically shouldn’t we be allowing users to opt in for cookies too? It seems bloody nuts, but there you have it. There are a couple of paid plugins cashing in on this as well. I’m just wondering whether it’s really necessary to have big ugly confusing cookie opt-ins everywhere just because I want to use Analytics... any thoughts?

Arjun Chatterjee
May 8, 2018 7:27 am

One interesting thing about the GDPR is that it makes running a service using advertising illegal. If you go check the Article 29 Working Group, they have guidance on consent. A party is said to not give consent freely when the service they are signing up for makes allowing personal advertising a pre-condition. I.e. – Facebook now has to introduce a paid service in order to be able to continue with its ad-supported free service. I feel that it is a gross intrusion of privacy by the EU and should be contested in court. Essentially, they are saying a person cannot make a contract with another party to allow them to track their personal data (even if he/she chooses) to gain access to a service or product which is free. This is not about data protection at all, it is about the free availability of information hindering something.

dejudicibus
May 7, 2018 3:54 pm

Question. You said that «if you wish to buy a mailing list, you would be sending emails illegally to the recipients, since no one explicitly asked to receive emails from you.» OK. But how can we ask for that permission if we cannot send emails?

Vesna
May 21, 2018 2:05 pm
Reply to dejudicibus

I’m EU GDPR certified and was interested in the new regulation from a BA point of view. You cannot send emails without an unambiguous consent given by your users. So firstly you must define the purpose for collecting the data and then ask the users to opt in (given by choice) for each segment of the service you wish to offer, and opt out, which should be mandatory. So the site should clearly state “would you like to receive our newsletter”, for ex. You may have users who would be happy to visit the site to comment on it but not to receive a newsletter… that’s how it should work. Another ex.: the statement of this site, “by signing up you agree to the basic rules, Terms of service and privacy policy…”, is not EU GDPR compliant.

Paranoid Privacy Campaigner
May 3, 2018 1:36 pm

Okay, I do not want to sell to European citizens, I just have a site that sells a product to anyone who wants to buy. It’s a problem of the EU and its citizens to find and “obscure” it, isn’t it? How can they punish me with fines in any way? What for? For having a product and a site? I am shocked myself to tell this, but China looks more sane when blocking the “digital presence” of the West from their citizens, because other countries owe nothing to China and should not obey its laws.

jayremie diaz
May 2, 2018 11:02 am

I have a WordPress site but I don’t collect data from visitors. They only subscribe in receiving emails containing my posts. Should I make my WordPress site (which runs on free mode) GDPR compliant?

Kristaps Horns
May 2, 2018 1:12 pm
Reply to jayremie diaz

Yes. In a simple use case of using feeds etc. I think the WordPress core team is already working on a built-in solution. In terms of subscriptions and forms I can recommend Gravity Forms, which also has been working on the GDPR implementation in their product. If you use a third-party subscription plugin they will most likely provide an update to support the new law.

Dan
May 4, 2018 4:07 pm
Reply to jayremie diaz

You’ve answered your own question. “They […] subscribe in receiving emails […]”. By subscribing, your visitors are providing you with access to their personal data (email address), which you are consequently collecting. I would definitely call that procedure *collection of data*.

jayremie diaz
May 4, 2018 5:26 pm
Reply to Dan

Actually, WordPress does collect the email addresses and they already opted in to receive emails.

Dan
May 4, 2018 9:37 pm
Reply to jayremie diaz

Nevertheless, the visitors are visiting *your* website. That makes *you* responsible for making sure the website is GDPR compliant. Besides, the fact that the visitors have already opted in to receive emails is hardly an excuse for you not to abide by the rule by offering them the capability of knowing exactly what kind of info you’re collecting, and exactly what you’re using it for. No offense, but instead of trying to find ways to avoid abiding by the regulations, ask yourself what can be done so that your website is offering the visitors the three rights: Right to Access, Right to Be Forgotten and Data Portability.

Michael Ligot
May 1, 2018 9:25 pm

We have a small online webstore in the US, and get maybe single digit EU customers a year. We just use their information for shipping customer purchases, no mailing lists, Google Ads or whatever (it’s a side business). Are we pretty much compliant with GDPR as long as we don’t do any marketing to the EU area?

Kristaps Horns
May 2, 2018 1:13 pm
Reply to Michael Ligot

I would disable EU countries from the list of countries that can purchase (checkout form) just to be on the safe side.

Dan
May 4, 2018 4:46 pm
Reply to Michael Ligot

You *are* collecting and processing personal data, regardless of what you’re using it for. That makes your ecommerce website non-compliant, unless, of course, you change that by adhering to the GDPR laws.

callmeisaac
April 30, 2018 5:12 pm

No, it’s not.

callmeisaac
April 30, 2018 6:08 pm
Reply to callmeisaac

Excuse me, there ARE bilateral agreements between the US and EU so there are going to be enforcement processes.
I am not referring to the US. How about Cambodia, for example?

Barbarella Buchner
April 30, 2018 6:10 pm
Reply to callmeisaac

Exactly my point, no misunderstanding. Why make a definite statement like this “They don’t have jurisdiction outside the EU unless there are bilateral agreements” when you don’t exactly know whether it is true?

callmeisaac
April 30, 2018 6:12 pm

What’s true? I was speaking generally about any country, not one country in specific. And I am correct.

Barbarella Buchner
April 21, 2018 12:14 am

I have 40+ websites I either run or maintain. I have 2 questions:
1. What if I got rid of all the contact forms and plugins and simply use an email address that people click on to contact someone? Would that qualify as not collecting data?
2. What about sites that are behind a “password protected” screen, i.e. private sites? Do they still need to be made compliant too?

Kristaps Horns
April 30, 2018 4:50 pm

1. No. It still would be collecting data. Email is personal data.
2. Yes.

Barbarella Buchner
April 30, 2018 5:51 pm
Reply to Kristaps Horns

Thanks for your reply. Regarding point 2, how would any authority be able to check if the site is hidden behind a password-protected box? Or would they seriously be going to hack the site to see what’s behind it?

Kristaps Horns
April 30, 2018 5:58 pm

EU nationals gain a right, under the GDPR regime, to gain access to a copy of their personal data stored by any processor. It is essentially via this mechanism that a person can discover that a company is not compliant with the GDPR, in which case they can notify their national personal data protection agency, which will initiate a process after which you might be held responsible. It is, therefore, not the agency itself that will proactively go and scout all the off-internet sites, but it’s private individuals under the GDPR regime that have a right to “initiate” a process against you.

Barbarella Buchner
April 30, 2018 6:03 pm
Reply to Kristaps Horns

Maybe I need to ask my questions in a different way. We have 5 or so sites that are behind a password protected screen, because we have not made them “live”, and they have been that way for about a year and this is not likely to change any time soon. Basically, they are unfinished sites that need work, but when that work is being done (if at all) depends on my client. There are no user registrations or mailing lists or anything. Yes, there are contact forms, but not that anybody would use them because the sites are not visible to anyone to actually enter. Does this *still* mean that they have to be made compliant? Because if not, I could save myself a small chunk of work…

Kristaps Horns
May 1, 2018 1:13 am

No, if they do not collect data of any actual living EU citizens, then you should not have a problem.

Barbarella Buchner
May 1, 2018 11:38 am
Reply to Kristaps Horns

Thanks. That’s a few sites down on my list then! 😉

Rising Goat
May 7, 2018 3:57 pm
Reply to Kristaps Horns

“1. What if I got rid of all the contact forms and plugins and simply use an email address that people click on to contact someone? Would that qualify as not collecting data?” I don’t see how this can qualify as data collection in any manner, Kristaps. If I publish my own email address on my site and someone clicks on it or copies it and, then, they send me an email, I am NOT collecting personal information at all. Excuse me but it does not make sense at all. On the other hand, if you use a contact form it would also be arguable whether it qualifies too. It totally depends. For example, if I use the contact form to save the information entered by the visitor, then it would qualify. However, if I just use the form to pass the data to a server-side script that sends (but does not save) that information to the SMTP server, then there is no data collection at all, as you are simply acting as an email client. If for any reason this law understands this last case as data collection, then I strongly believe they are wrong. In any case, I miss…

Barbarella Buchner
May 7, 2018 4:24 pm
Reply to Rising Goat

“1. What if I got rid of all the contact forms and plugins and simply use an email address that people click on to contact someone? Would that qualify as not collecting data?”
“I don’t see how this can qualify as data collection in any manner, Kristaps. If I publish my own email address on my site and someone clicks on it or copies it and, then, they send me an email, I am NOT collecting personal information at all. Excuse me but it does not make sense at all.”
That was exactly my thoughts!!!!! I mean, they are contacting ME, not me contacting THEM. Otherwise, hey, would the law not then need to also extend to your friends (or anyone for that matter) emailing you and you emailing them, if the above scenario is included in the new law?

Kristaps Horns
May 7, 2018 5:05 pm

While the use cases you both have described are reasonable, there are still a number of genuine reasons why they are not wholly excluded from the scope of the Regulation. At the end of the day you still perform processing of personal information. Please note that this only applies to individuals, and not legal persons or business representatives in their official capacity. There are 2 general exceptions that would apply; however, they would not completely exclude you from the applicability of the GDPR, but would instead change the scope of its applicability. Under the “legitimate interest” consent exception you can assume that consent is given and that you can lawfully process the email address in order to return a question from your client. It is possible to put most everyday business interactions under the “legitimate interest” basis, but that does not really help you long term when it comes to other concepts under the GDPR. In terms of processing email with forms and other methods, it is not exactly true that there is no personal data stored. Even when you forward the data from the form to an SMTP server, it is usually both the server logs (depending on the application,…

Kristaps Horns
May 7, 2018 5:08 pm
Reply to Rising Goat

“I don’t see how this can qualify as data collection in any manner, Kristaps.”
GDPR art. 4 (1) – ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
GDPR art. 4 (2) – ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Barbarella Buchner
May 7, 2018 5:59 pm
Reply to Kristaps Horns

But what, for example, if someone had an email like 029893fjkjfka@blah.com? That, in my view, is not something that could identify anyone as an “identifiable natural person”, or could it?

Matt Scheurich
April 2, 2018 12:08 pm

Woe is me to wade into a debate with someone whose name is “Teabagger Blaster”. I totally get where you’re coming from, but I feel you’re seeing it from a “top down” rather than “bottom up” perspective (maybe it’s natural being a teabagger that you’d only consider the “top down” important!). I’m more for individual rights than for corporate rights. I see the GDPR being a great protection of individual rights which also benefits more people in society than just the people that make money.
There are plenty of free ways to get legal consent and to manage expectations and data with regards to security and privacy. You’re probably right to say there’s not a “single example of 100% compliance online anywhere” because the GDPR doesn’t come into effect until May! Only after then will we find out how it works in practice, and there will probably be plenty of ways in which it will change and develop to cover all use cases.
As long as you’re not abusing people’s PII (i.e. spam), only collecting what you need, and being conscious, careful and secure about its storage, processing and distribution, then you should have nothing to worry about as a small business.

Sean Owens
March 28, 2018 12:38 pm

There is an excellent plugin https://wordpress.org/plugins/gdpr-personal-data-reports/ that looks after the right to be forgotten and SARs automatically for your WordPress site; it works with all plugins.

Kevin
March 22, 2018 6:36 pm

Very nice article! A good free plugin is https://nl.wordpress.org/plugins/wp-gdpr-core/ ; it already creates a data register where your users can access, download, and delete their personal data.

Lewis Cowles
March 15, 2018 10:30 am

What Alex means is that it’s not something that can be fixed turnkey. The client-side technologies you use will matter just as much as the back-end server-side solutions.

Lewis Cowles
March 15, 2018 10:29 am

It varies by how complex your website is. If you have a standard 5-page site then they are taking the mick. If you have a CRM, e-commerce, or use analytics, they are probably insulating you from their full costs.

Jakub Blažej
January 10, 2018 9:58 pm

That seems quite too much to me if you have only an info website with no comments and such.

Alex
February 6, 2018 1:28 pm
Reply to Jakub Blažej

That’s nothing, some devs are charging thousands for this. Expect to pay between £500 and £2000 depending on your setup. It’s not just 5 minutes’ work; there is a lot to put into making sure things are compliant and you don’t get fined.
