WordPress has made some important changes in relation to the GDPR (the privacy tools were introduced in WordPress 4.9.6). They are part of WordPress's effort to make it easier for site owners to be GDPR compliant; however, simply using these tools does not in itself guarantee GDPR compliance.
Below we’ll go through the important GDPR features, how they can benefit you, their limitations, and how to address them. Let’s dive in.
WordPress now makes it easier for website owners to set a dedicated Privacy Policy page by simply selecting Settings > Privacy from your WordPress dashboard. Once there, you can either select an existing page or create a new page to be designated as your privacy policy page.
While the feature makes it easy to designate a page, it does not provide the complete, applicable text. That is understandable: to be compliant, the text of your privacy policy must apply specifically to your case and include disclosures relevant to the data you actually process. What it does provide, if you click the "Create New Page" button, is some starter text and a basic template.
As mentioned, the tool does not generate a usable, compliant privacy policy. The template text is a useful starting point for thinking about the kinds of disclosures you should include, but in and of itself it is far from compliant.
In the accompanying Privacy Policy guide, WordPress informs users of this as follows:
Please edit your privacy policy content, making sure to delete the summaries, and adding any information from your theme and plugins. . . It is your responsibility to write a comprehensive privacy policy, to make sure it reflects all national and international legal requirements on privacy, and to keep your policy current and accurate.
A full analysis of the provided starter text would require a separate article, but even at a quick glance it is clear that some sections (e.g. the one on users' rights over their data) are incorrect or incomplete if you process personal data under the GDPR.
Under the GDPR, and most similar privacy laws, your privacy policy must be reachable from every page of your website. The new privacy tool does not do this automatically.
If you generate your policy with a tool such as iubenda's generator instead, select the services that apply to you, customize as needed, save and you're done. The dedicated guide, How to Generate a Policy, walks through this.
There are several ways to add the link, but by far the easiest method is to place the link to your privacy page in the footer, either directly, via a footer menu, or via a text widget placed in your footer. You can read the full privacy and cookie policy integration guide for WordPress here.
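As an added example (not code from the original post or from WordPress core), the following snippet shows the "directly" and "via a footer menu" methods using the helper functions WordPress added alongside the privacy settings page. It assumes the theme registers a menu location called `footer`; that name is an assumption and varies by theme.

```php
<?php
/**
 * Added example: output the designated privacy policy link on every page.
 * Place in a theme's functions.php or a small must-use plugin.
 * Requires WordPress 4.9.6+, where get_privacy_policy_url() and
 * the_privacy_policy_link() were introduced.
 */

// Method 1: print the link directly in the footer of every page.
// wp_footer fires on every front-end page that calls wp_footer() in its template.
add_action( 'wp_footer', 'example_privacy_footer_link' );
function example_privacy_footer_link() {
    // get_privacy_policy_url() returns '' until a page is designated under
    // Settings > Privacy, so bail out rather than print an empty link.
    if ( '' === get_privacy_policy_url() ) {
        return;
    }
    // the_privacy_policy_link() escapes the URL and page title itself;
    // the $before/$after wrapper markup is static and contains no user data.
    the_privacy_policy_link( '<div class="site-privacy-link">', '</div>' );
}

// Method 2: append the link to an existing footer menu.
// 'footer' is an assumed theme location; check register_nav_menus() in your theme.
add_filter( 'wp_nav_menu_items', 'example_privacy_menu_item', 10, 2 );
function example_privacy_menu_item( $items, $args ) {
    if ( ! isset( $args->theme_location ) || 'footer' !== $args->theme_location ) {
        return $items;
    }
    $url = get_privacy_policy_url();
    if ( '' === $url ) {
        return $items;
    }
    $items .= '<li class="menu-item menu-item-privacy-policy"><a href="'
        . esc_url( $url ) . '">' . esc_html__( 'Privacy Policy' ) . '</a></li>';
    return $items;
}
```

Whichever method you use, verify the result in a logged-out browser on a post, a page, an archive and a 404 page, since "available from every page" includes templates that may not share the main footer.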
The new comment feature lets logged-out commenters choose whether their name, email address and website are stored in a cookie in their browser (so the fields are pre-filled on their next comment).
You can enable this under Settings > Discussion ("Show comments cookies opt-in checkbox").
The new comment feature addresses only one type of cookie. Under the GDPR, and more directly the still applicable Cookie Law (the ePrivacy rules, which currently work alongside the GDPR), your users must be informed, via a conspicuous and sufficiently interruptive means such as a banner, of all the purposes for which your site uses cookies (except exempt cookies). They must be able to give consent by opting in (a checkbox, button, toggle, etc.), to refuse it, and to withdraw it for those cookies.
Whether or not you use the new comment feature, to be compliant you must still have an active cookie management solution in place that meets these legal requirements.
iubenda’s Privacy Controls and Cookie Solution meets all the provisions of the law while giving you the ability to extensively customize, optimize for consent acquisition and proofs of users’ preferences, view site metrics and more. Setting up with the Privacy Controls and Cookie Solution is made even easier with our dedicated WordPress plugin. For more information on how to integrate the Privacy Controls and Cookie Solution with your WordPress site, see the plugin installation guide.
The new data handling features allow you to easily export a ZIP file containing a particular user’s personal data, and to fully erase a particular user’s data, including the data collected by participating plugins.
The export feature sends a ZIP archive containing a "mini website": an index HTML page with the user's personal data segmented into groups. Both features also give site owners a new email-based method for confirming personal data requests, for registered users and commenters alike.
While the Data Handling updates are easily among the most valuable and time-saving of the new features, they have critical limitations you should be aware of. The first is that they only automatically export or erase data collected by participating plugins, so whether they work depends entirely on whether the plugins you use have hooked into the new export/erasure mechanism. Plugins that have not been modified to do this, or old (non-updated) versions of plugins still in use on your site, will simply be skipped (in the latter case you can, of course, update those plugins to their latest version).
The truly problematic thing is that (at the time of writing) no central repository shows which plugins have integrated the feature. Furthermore, no incentives were created to encourage plugin authors to implement it, so it is likely that very few plugins have gone through the trouble of reworking their code to add it.
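To make concrete what "hooked into the new export/erasure feature" means, here is an added example of how a plugin registers itself with the WordPress personal data tools. It is not code from the original post, from WordPress core, or from any real plugin: it assumes a hypothetical plugin that stores newsletter signups in a custom table `{$wpdb->prefix}example_signups` with columns `id`, `email`, `signup_ip` and `created_at`. The filter names, callback signatures and return shapes are the ones WordPress 4.9.6+ defines.

```php
<?php
/**
 * Added example: registering a personal data exporter and eraser.
 * Assumes a hypothetical custom table {$wpdb->prefix}example_signups
 * (id, email, signup_ip, created_at). Everything else is the core WP API.
 */

// --- Exporter --------------------------------------------------------------
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );
function example_register_exporter( $exporters ) {
    // The array key must be unique among all registered exporters.
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => 'Example Newsletter Signups',
        'callback'               => 'example_export_personal_data',
    );
    return $exporters;
}

// WordPress calls this repeatedly with $page = 1, 2, ... until it returns
// done => true, so large data sets must be paged rather than dumped at once.
function example_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'example_signups';

    // The email comes from the request form: always use a prepared statement.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, signup_ip, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        // Each item becomes one block in the exported HTML, grouped by group_id.
        $export_items[] = array(
            'group_id'    => 'example-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email address', 'value' => $row->email ),
                array( 'name' => 'Signup IP',     'value' => $row->signup_ip ),
                array( 'name' => 'Signed up at',  'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a short page means we are finished
    );
}

// --- Eraser ----------------------------------------------------------------
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
function example_register_eraser( $erasers ) {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => 'Example Newsletter Signups',
        'callback'             => 'example_erase_personal_data',
    );
    return $erasers;
}

function example_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_signups';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    // If some records had to be kept (e.g. a legal retention duty), set
    // items_retained => true and explain why in messages; the site owner
    // sees those messages and must relay the reason to the data subject.
    return array(
        'items_removed'  => false !== $deleted && $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

If a plugin you depend on ships neither of these filters, the export and erasure screens under Tools will silently omit its data; the quickest check is to search the plugin's source for `wp_privacy_personal_data_exporters`. The same two hooks are also the natural place to pull in or purge data held by an external service on the user's behalf, but that requires the service's own API and is not shown here.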
It's worth noting that even if every plugin on your WordPress site supported these features, not all of the user data you process is necessarily handled by plugins. For example, if you use a cloud service or an external mailing list management system, the data those services hold will not be automatically pulled into WordPress's new Data Handling system. This is an important point: the rights of access and erasure apply to ALL the applicable user data, not some of it. Relying on an incomplete mechanism, or providing only part of the data, simply means you are non-compliant.
With that said, these new features will likely be sufficient if you process users' personal data only through the functionality built into the WordPress platform itself, since your compliance then does not depend on whether various third-party plugins have integrated with the new feature.
Currently, the best way of addressing these issues is two-fold and involves mostly preliminary measures and manual effort.
Preliminary measures
Manual effort
Under the current system, if you use any third-party services to process personal data beyond what the WordPress Data Handling tools cover, you will need to apply some manual effort: identifying the data, exporting it from the relevant databases and making it available to the user, or erasing it if the user so requests. Generally, you have one month to comply (with some exceptions).
Note that when fulfilling an access request, the data must be provided to the user in a common, easy-to-access format (e.g. a spreadsheet).
Additionally, when fulfilling an erasure request, it is useful to inform the user beforehand that fully erasing their data means your systems will no longer recognize them as a user (unless they add their data to your systems again), so you will be unable to fulfil any later requests concerning that data.
For more information on these WordPress features, read the Privacy section of the WordPress Plugin Handbook here.
These newest additions by WordPress indicate an acknowledgment of the importance of compliance and a willingness by the company to assist their users in meeting requirements. Ultimately, however, compliance is a custom venture and the responsibility (and liability) falls on you, the data controller, to properly assess your data processing activities and ensure that your systems and processes are compliant.
Procedures like maintaining Records of Processing and carrying out a Data Protection Impact Assessment (DPIA) can be very helpful in working this out.
For this reason, based on our work surrounding the GDPR in the last few months, we’ve compiled the following list of GDPR related resources and articles to further help you with compliance.