Make WordPress Website GDPR compliant to avoid getting fined

Complying with the General Data Protection Regulation (GDPR) is a daunting process. WordPress site owners face a maze of legal requirements — all under the threat of large fines.

Thankfully, keeping your site on the right side of this strict new privacy law is as simple as following a few steps.

Read on to learn how to make your WordPress website compliant by meeting key GDPR provisions, such as obtaining cookie consent.

1. GDPR Compliance and Why You Need to Care

The GDPR is a major data privacy law designed to reshape how companies handle users’ personal information. As of May 25, 2018, any business worldwide that targets users in the European Union (EU) must comply with this piece of legislation, or face the consequences.

Businesses that fail to comply can be fined up to €20 million ($23 million), or 4% of their annual global turnover, whichever is higher. These numbers aren’t hyperbole — just take a look at the record-breaking fines recently levied against British Airways ($230 million) and Marriott ($123 million).

Even if your website wouldn’t receive such a high penalty, the possibility of a fine that completely shuts down your operations is a real concern.

To provide a quick overview of the GDPR, compliance essentially boils down to processing users’ personal data lawfully, protecting that information with strong security systems, and only keeping it on file for as long as necessary.

What is Personal Data?

Under the GDPR, any piece of data that can reveal a user’s identity — either alone, or when combined with other details — is considered personally identifiable information. This includes the following:

  • Name
  • Address
  • Phone number
  • Cookie ID
  • Location data
  • IP address

Any measure that allows users to interact with your website typically involves the collection of such data, for example, comments, email sign ups, plugins, and cookies. To comply with the GDPR, you need to consider how all of these components process data.

Let’s walk through the basic steps you can take to keep your personal data collection and processing on the right side of the GDPR.

2. Get Cookie Consent

The first step toward GDPR compliance is to manage cookie consent.

But what are cookies? In layman’s terms, cookies tell a website whether a user has visited before, and record details like login information and shopping cart items. They’re small text files downloaded to a user’s device that contain information necessary to create a smooth browsing experience.

WordPress uses several types of cookies, all of which are harmless, but collect information that is considered personal data under the GDPR. Because cookies collect personal information, businesses need to follow GDPR protocols to process them.

How to Obtain Consent

Before using cookies on your site, you need to obtain consent from users.

Article 4 of the GDPR defines consent as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

For WordPress site owners, obtaining proper consent from users requires two actions:

1) Publish a clear cookie policy on your site

A cookie policy explains how your website uses cookies and what personal data they collect from users. To effectively write this policy, you’ll first need to perform a thorough audit of all the cookies you use, and classify them based on their type.

Whether you use a cookie policy template or write the document yourself, your cookie practices need to be clear and easy for users to understand.

2) Install a cookie consent banner on your site

The most common method of obtaining cookie consent is through a consent banner, which appears when a user accesses your site for the first time. This banner should include a link to your cookie policy, and allow users to indicate that they agree to your use of cookies (e.g., by checking a box or clicking a button). To meet the GDPR’s definition of consent, and provide users with a clear choice, it’s critical that the box is not pre-checked.

Here’s an example of a GDPR-friendly cookie consent banner :

To create such a banner, you can configure a third-party cookie consent plugin, or use a cookie consent manager that handles everything from the initial cookie audit to hosting the banner on your website.

3. Create a GDPR-Friendly Privacy Policy

Transparency is at the heart of the GDPR. Businesses are therefore responsible for clearly describing how they collect user data. The primary way that this is communicated to users is through a privacy policy.

Writing a privacy policy and linking to it on your website is a GDPR requirement. This policy fully details your site’s data collection practices by explaining in depth what type of information you collect, as well as how you store, manage, and share this data.

A GDPR-compliant privacy policy must accomplish the following:

Identify Your Legal Basis for Data Processing

State which of the 6 legal bases of data processing your activities are based on. For a WordPress website, the most likely basis will be with the consent of the data subject (user) for a specific purpose.

List Your Contact Information

Include your business contact details — an email address, postal address, and potentially a contact phone number. This provides users with points of contact should they have questions regarding your privacy policy or data-handling practices.

Under the GDPR, larger companies may also need to list the contact details of the following roles:

Data controller — the entity that processes data on the organization’s behalf (such as a payroll company)

Data protection officer — the company’s appointed representative for all GDPR-related matters

Tell Users About Their Rights

You should include a section that explains to users their rights and how they can act on them.

Under the GDPR, users have new legal rights to their data and information about how it’s collected and used. These include the right to find out what data has been collected from them, to have this information modified or deleted, and to refuse data processing entirely.

Use Transparent and Clear Language

Although a privacy policy needs to be legally sound, it must also be accessible for users. Article 12 of the GDPR outlines another key concept of the GDPR — transparency. Users need to be able to understand what they’re agreeing to, and vital information should not be hidden within chunks of legalese.

When writing your privacy policy, focus on making it user-friendly, and avoid vague language that could make the document ambiguous.

The best approach to writing a privacy policy is either to use a privacy policy template, which you can customize for your specific WordPress site, or to take advantage of a privacy policy generator online.

4. Managing Site Privacy and GDPR WordPress Plugins

As well as managing cookie consent and writing a privacy policy, you need to review all the other tools your website uses to ensure they stand up to GDPR scrutiny.

Check Your WordPress Version and Plugin Compatibility

To begin, make sure you’re using the latest version of WordPress. After the GDPR was announced, WordPress included several new privacy features, such as:

  • Allowing commenters to choose whether their name, email address, and website URL are saved in a cookie on their browser.
  • Providing the option to designate a privacy policy page, which you can then link to in your footer.
  • Launching data handling tools that enable site owners to export files containing user data, or erase this data, in order to comply with data subject access requests.

You’ll also want to examine your existing plugins to check they meet compliance requirements. For example, find out what data your contact form collects, where it’s stored, and whether you offer a consent checkbox for users when they submit personal details.

Review Ecommerce Requirements

If you operate an ecommerce store on your website, you need to satisfy several additional GDPR obligations. To help with this, WooCommerce made some updates to their checkout flow to avoid unnecessary data collection.

You should also strongly consider using a terms and conditions template to create a document that protects your store from abusive users and covers your back in case of pricing errors.

Examine Your Marketing Activities

Your marketing efforts are not exempt from the GDPR.

There are now stricter requirements for email lists and subscriptions. Mailchimp deployed a variety of new features in response, such as GDPR-friendly form options and built-in GDPR language. Using these features allows you to maintain your brand’s voice while also collecting exactly the right permissions.

Because analytics tools collect various types of personal data, these must be configured correctly. For example, Google Analytics now includes a data retention functionality that gives you control over how long data is kept on file. Choosing the wrong settings and neglecting to delete data violates one of the key GDPR principles.

In summary, managing site privacy and plugins to satisfy the GDPR requires knowing the ins and outs of your website’s data collection practices, and taking responsibility for ensuring all your tools work together to meet these new standards.

5. Key Takeaways

Aproximately 75 million websites use WordPress — 34% of the internet. As businesses become more familiar with the GDPR, enforcement becomes more wide-reaching and less forgiving — smaller websites are definitely not exempt from fines.

Although compliance is still complex, the right tools are available. Just follow these steps:

  • Understand the basic principles of the GDPR
  • Determine what personal data your site collects
  • Obtain cookie consent from users
  • Describe your data collection practices in a clear privacy policy
  • Ensure all your plugins and third-party tools meet the GDPR’s privacy requirements

If you’re starting from scratch and just building your WordPress site, find out how to start a blog that automatically satisfies the GDPR. Alternatively, if your site is already established, remember these key takeaways, and good luck in your compliance journey.

What's your reaction?