In 2018 the General Data Protection Regulation – or GDPR – came into effect. While it is a European law, it requires websites that have visitors from EU states to comply with it.
The good news is it’s easy to make your site compliant. The bad news is it’s not very clear what you need to do.
So, we’ve written a tutorial to help you make your WordPress site GDPR compliant.
Update to the latest version of WordPress
Since version 4.9.6, WordPress updates have shipped several pre-packaged privacy settings which will help you make your site GDPR compliant.
To find out which version of WordPress you’re running, log in to your Admin Dashboard.
Scroll to the bottom of the page; the version number is displayed on the right-hand side of the screen. As of November 2018, the current version of WordPress is 4.9.8, so if you’re running an earlier version, you should update immediately.
Comment Form Cookie Opt-In
WordPress stores cookies by default so users don’t have to re-type all of their details when leaving a comment.
There is usually an opt-in automatically included in the comment form which users can check.
You don’t have to do anything specific for this, although you may want to explore your customization options if you don’t like the way it looks.
Some theme authors use custom comment forms and may not include this opt-in, so you’ll need to add it yourself.
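One way to add the opt-in back to a theme that has dropped it. This is an added example, not code from the article or from WordPress core; it assumes it lives in the (child) theme’s functions.php and that the theme does not filter the fields at a priority above 99.

```php
<?php
// Added example (not from the article or from WordPress core): restore the
// WordPress 4.9.6+ cookie-consent checkbox when a theme's custom comment form
// has dropped it. Assumed to live in the (child) theme's functions.php.
//
// wp-comments-post.php only stores the commenter cookies when the submitted
// form contains a field named 'wp-comment-cookies-consent'; with no such field
// the cookies are not set at all, so the box is what makes the opt-in work.
function example_restore_comment_cookie_consent( $fields ) {
    if ( isset( $fields['cookies'] ) ) {
        return $fields; // The theme kept core's checkbox; nothing to do.
    }
    $commenter = wp_get_current_commenter();
    // Mirror core: pre-tick the box only for a visitor who consented earlier.
    $consent = empty( $commenter['comment_author_email'] ) ? '' : ' checked="checked"';
    $fields['cookies'] = sprintf(
        '<p class="comment-form-cookies-consent">'
        . '<input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"%s /> '
        . '<label for="wp-comment-cookies-consent">%s</label></p>',
        $consent,
        esc_html__( 'Save my name, email, and website in this browser for the next time I comment.', 'example-child-theme' )
    );
    return $fields;
}
// comment_form_fields is the last filter before the fields are printed, and a
// late priority lets this run after the theme's own filters.
add_filter( 'comment_form_fields', 'example_restore_comment_cookie_consent', 99 );
```

The field name must stay exactly `wp-comment-cookies-consent`, because that is the POST key core checks before setting or clearing the commenter cookies.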
Export and delete personal data
Two options exist which allow you to manage personal information.
To find these settings, look in your Admin Dashboard in the left-hand menu. Under Tools, you will find Export personal data, and Erase personal data.
You can quickly and easily export a user’s information or completely erase it from your database at their request.
Privacy Policy
To be GDPR compliant you need to display a Privacy Policy. If you’ve never written a privacy policy before, WordPress has introduced a template to make it simple. When you installed WordPress or updated to the latest version, a page entitled Privacy Policy was automatically generated and is displayed in your Admin Dashboard under the Pages tab.
Navigate to Settings > Privacy and select that page from the drop-down. If you don’t already have a Privacy Policy page, use the Create New Page button to generate one for your site.
The site-generated privacy policy includes privacy and disclosure information that applies to WordPress in general.
It gives you a starting point for your privacy policy, but when it comes to making your website GDPR compliant, you’ll find that it’s not entirely complete.
Depending on the services and plugins you use on your website, you’ll need to ensure that your privacy policy is updated to cover the cookies and data collected on your site.
Here are some common areas where cookies are set and which you’ll need to disclose in your policy:
- Google Analytics and other tracking services
- Google AdWords, Bing, and other ad networks
- Cloudflare and CDN services
- Opt-ins or pop-ups
- Push notifications
- Video players
- Heatmaps
- Shopping carts
Contact Forms
Include a checkbox that allows users to opt in (or not) on your contact forms (if you have any). The good news is that a lot of the more popular plugins have been updated to make GDPR compliance easier.
Contact Form 7 Plugin: A single form tag will add a checkbox to your forms.
[acceptance accept-this-1] I understand that by checking this box I agree that this website and company may store any information I provide. [/acceptance]
WPForms Plugin: If you’re looking for an easy way to add GDPR agreement modules, WPForms has a module you can add. In the WPForms settings, enable GDPR Enhancements. This lets you edit your existing forms to include the agreement.
Don’t forget that once you’ve added your data agreements to your contact forms, you will need to be sure to include information about the collected data to your privacy policy.
Newsletters
One of the important points of GDPR is that however you collect information, you need to work out a safe way to store it. So just like in your contact forms, you’ll have to ask users to consent to having their data stored. In most cases, this can be easily done by including a checkbox that users can select to opt in, or by enabling double opt-in.
Once you’ve done this, be sure to update your privacy policy to include disclosure for your newsletter.
WooCommerce Data
If you have an online store, then you’re going to need to collect a lot of customer data, so it’s important you specify what you collect, for how long, and what you do with it.
WooCommerce has built-in privacy features to make this easier for you.
Start by making sure you have the most recent version of the plugin installed.
Then go to Settings > Accounts & Privacy and make sure you enable the options for retaining personal information, handling erasure requests, and linking to your privacy policy.
Then it’s time to update your privacy policy again! Essentially, GDPR is about filling in the gaps between people providing information and knowing what happens to it afterwards. Every change you make in how you collect data is going to need an updated privacy policy, and it pays to keep this up to date.
Add a Cookie Notice
If you’re using cookies, you need to let users know that you’re using them – and not just in your privacy policy. This is why you’ll have noticed an increase in the number of cookie notices on websites. GDPR specifies that the first page a user visits needs to have a cookie disclosure.
Obviously, this means that you do too!
Many popular themes have now been updated to make this an easy option to enable on your first page. However, if yours doesn’t, there are plugins which can help to make you compliant.
A search for GDPR cookie compliance plugins in WordPress will display a host of useful plugins, ranging from free use to paid options.
Make it Easy for Users to Request/Delete Their Info
WordPress has streamlined a lot of the process of data collection and storing, so that you can find what you need in one place. However, it is up to you to make sure that you provide the necessary information for a user to contact you should they want their data deleted.
How you do that is going to depend on how many users you have on your site. If you’re dealing with a large number of clients, it may well be worth installing a contact form which specifically deals with data deletion requests. Then include a direct link from your privacy policy to the form.
However, if you’re running a simple blog or business website which doesn’t have a huge amount of people’s data, then you should be fine just including the necessary email address for deletion requests in your privacy policy.
Notify Users of Policy Updates or Data Breaches
Now if you’ve completed all the previous steps, your WordPress site should be GDPR compliant. But there’s one more area you need to look into – and that’s what happens when you change your privacy policy, or there is any kind of data breach.
It helps to get in the habit of notifying users when you make changes to your privacy policy so that they know how their data is being used. Many of the more advanced WordPress plugins have a notification option, so the minute you update a section of your privacy policy, you can send out an automatic notification.
You also need to have an email ready should you ever have a data breach. People are particularly data-sensitive today, and it’s important you let them know when there’s a risk their data may have been compromised. There are many templates you can find online for this.
Be aware that the information contained in this article was compiled from people who regularly build WordPress sites. If you’re uncertain about the GDPR regulations, it could be worthwhile to contact a lawyer, just to ensure that you’re getting the best information.