Complying with the General Data Protection Regulation (GDPR) is a daunting process. WordPress site owners face a maze of legal requirements — all under the threat of large fines.
Thankfully, keeping your site on the right side of this strict new privacy law is as simple as following a few steps.
Read on to learn how to make your WordPress website compliant by meeting key GDPR provisions, such as obtaining cookie consent.
1. GDPR Compliance and Why You Need to Care
The GDPR is a major data privacy law designed to reshape how companies handle users’ personal information. As of May 25, 2018, any business worldwide that targets users in the European Union (EU) must comply with this piece of legislation, or face the consequences.
Businesses that fail to comply can be fined up to €20 million ($23 million), or 4% of their annual global turnover, whichever is higher. These numbers aren’t hyperbole — just take a look at the record-breaking fines recently levied against British Airways ($230 million) and Marriott ($123 million).
Even if your website wouldn’t receive such a high penalty, the possibility of a fine that completely shuts down your operations is a real concern.
To provide a quick overview of the GDPR, compliance essentially boils down to processing users’ personal data lawfully, protecting that information with strong security systems, and only keeping it on file for as long as necessary.
What is Personal Data?
Under the GDPR, any piece of data that can reveal a user’s identity — either alone, or when combined with other details — is considered personally identifiable information. This includes the following:
- Phone number
- Cookie ID
- Location data
- IP address
Any measure that allows users to interact with your website typically involves the collection of such data, for example, comments, email sign ups, plugins, and cookies. To comply with the GDPR, you need to consider how all of these components process data.
Let’s walk through the basic steps you can take to keep your personal data collection and processing on the right side of the GDPR.
2. Get Cookie Consent
The first step toward GDPR compliance is to manage cookie consent.
But what are cookies? In layman’s terms, cookies tell a website whether a user has visited before, and record details like login information and shopping cart items. They’re small text files downloaded to a user’s device that contain information necessary to create a smooth browsing experience.
How to Obtain Consent
Before using cookies on your site, you need to obtain consent from users.
Article 4 of the GDPR defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
For WordPress site owners, obtaining proper consent from users requires two actions:
2) Install a cookie consent banner on your site
Here’s an example of a GDPR-friendly cookie consent banner :
To create such a banner, you can configure a third-party cookie consent plugin, or use a cookie consent manager that handles everything from the initial cookie audit to hosting the banner on your website.
Identify Your Legal Basis for Data Processing
State which of the 6 legal bases of data processing your activities are based on. For a WordPress website, the most likely basis will be with the consent of the data subject (user) for a specific purpose.
List Your Contact Information
Under the GDPR, larger companies may also need to list the contact details of the following roles:
Data controller — the entity that processes data on the organization’s behalf (such as a payroll company)
Data protection officer — the company’s appointed representative for all GDPR-related matters
Tell Users About Their Rights
You should include a section that explains to users their rights and how they can act on them.
Under the GDPR, users have new legal rights to their data and information about how it’s collected and used. These include the right to find out what data has been collected from them, to have this information modified or deleted, and to refuse data processing entirely.
Use Transparent and Clear Language
4. Managing Site Privacy and GDPR WordPress Plugins
Check Your WordPress Version and Plugin Compatibility
To begin, make sure you’re using the latest version of WordPress. After the GDPR was announced, WordPress included several new privacy features, such as:
- Allowing commenters to choose whether their name, email address, and website URL are saved in a cookie on their browser.
- Launching data handling tools that enable site owners to export files containing user data, or erase this data, in order to comply with data subject access requests.
You’ll also want to examine your existing plugins to check they meet compliance requirements. For example, find out what data your contact form collects, where it’s stored, and whether you offer a consent checkbox for users when they submit personal details.
Review Ecommerce Requirements
If you operate an ecommerce store on your website, you need to satisfy several additional GDPR obligations. To help with this, WooCommerce made some updates to their checkout flow to avoid unnecessary data collection.
You should also strongly consider using a terms and conditions template to create a document that protects your store from abusive users and covers your back in case of pricing errors.
Examine Your Marketing Activities
Your marketing efforts are not exempt from the GDPR.
There are now stricter requirements for email lists and subscriptions. Mailchimp deployed a variety of new features in response, such as GDPR-friendly form options and built-in GDPR language. Using these features allows you to maintain your brand’s voice while also collecting exactly the right permissions.
Because analytics tools collect various types of personal data, these must be configured correctly. For example, Google Analytics now includes a data retention functionality that gives you control over how long data is kept on file. Choosing the wrong settings and neglecting to delete data violates one of the key GDPR principles.
In summary, managing site privacy and plugins to satisfy the GDPR requires knowing the ins and outs of your website’s data collection practices, and taking responsibility for ensuring all your tools work together to meet these new standards.
5. Key Takeaways
Aproximately 75 million websites use WordPress — 34% of the internet. As businesses become more familiar with the GDPR, enforcement becomes more wide-reaching and less forgiving — smaller websites are definitely not exempt from fines.
Although compliance is still complex, the right tools are available. Just follow these steps:
- Understand the basic principles of the GDPR
- Determine what personal data your site collects
- Obtain cookie consent from users
- Ensure all your plugins and third-party tools meet the GDPR’s privacy requirements
If you’re starting from scratch and just building your WordPress site, find out how to start a blog that automatically satisfies the GDPR. Alternatively, if your site is already established, remember these key takeaways, and good luck in your compliance journey.