So, you’ve heard the terms “GDPR” and “GDPR compliance.” And you know they’re important – whatever they are. But did you know that GDPR compliance applies to all WordPress website owners in one way or another?
The scary thing is, the GDPR compliance date has come and gone. So, if you haven’t taken the time to understand GDPR compliance and what it means to you (we get it, things we don’t understand are easily set aside for another day), it’s time you take control and see what, if anything, you need to change.
After all, ignorance is never a good excuse. So, just because you aren’t fully sure what GDPR means, doesn’t mean you can’t get in trouble.
That’s why today we’re diving straight into GDPR compliance for WordPress to help you better understand the concept, your responsibilities as a site owner, and what you can do to ensure compliance.
To make things easier on you, we’ve created this table of contents, so you can jump straight to the topic you’re interested in just by clicking it. Otherwise, start from the beginning and learn all about WordPress GDPR compliance.
- What is GDPR?
- Does GDPR Apply to WordPress?
- Basic Principles of GDPR
- GDPR for WordPress – Use Cases
- What is Required Under GDPR
- Is WordPress GDPR Compliant by Default?
- How to Make Your WordPress Website GDPR Compliant
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law that went into full effect on May 25, 2018.
The goal of GDPR is to protect the rights of EU citizens and give them more control over how their personal data is collected and how website owners process this personal information. As a whole, GDPR aims to change the approach of organizations across the world towards data privacy.
Replacing the outdated 95/46/EC Directive on Data Protection of 1995 and coming in as much more comprehensive than the existing Cookie Law of 2011, GDPR is holding online businesses to a higher standard when it comes to how they collect, store, and use any data they collect on their websites.
When it comes to understanding the GDPR law as a whole, it’s important you understand a few key terms:
- Data Controller: determines the purposes and means of processing personal data.
- Data Processor: processes personal data on behalf of the controller.
- Personal Data: any information that can be used to identify a person, even indirectly.
Lastly, it’s good you understand what the term processing means. According to GDPR law, processing includes these actions taken on personal data: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission, disclosure, dissemination, combination, alignment, restriction, erasure, or destruction.
In simpler terms, any personal data that you collect, access, store, or use in any way on your website is considered processing.
Does GDPR Apply to WordPress?
Does GDPR apply to WordPress? The answer is a resounding yes.
GDPR requires businesses of all sizes and types around the world to comply with its regulations because websites are a global phenomenon. And, since all people in the EU are protected by GDPR and can visit any website no matter where in the world it originates, the data collected on every website has to follow the rules, just in case.
If you fail to comply with the data privacy laws under GDPR, you risk facing fines as big as 4% of your company’s annual global revenue or €20 million (whichever is greater).
Of course, you won’t just get hit with a huge fine if you’re found to be non-compliant. Here is the process before you have to pay up:
Warning > Reprimand > Suspension of data processing > Fine
Now, this might seem extreme, right?
Well, as extreme as it may sound, the truth is, people visiting websites deserve to have their personal data protected from misuse and data breaches. And the EU government not only understands this, but has taken measures to make sure it happens.
GDPR Compliance Oversight
Because there are so many websites in the world right now (1,700,800,661 and counting) it makes sense that the EU enlisted some help in monitoring the compliance of websites. The EU has effectively set up what they call Supervisory Authorities (SA). They will enjoy the full backing of the GDPR laws and will have various powers such as the ability to:
- Carry out audits on websites
- Issue warnings for non-compliance
- Issue corrective measures, complete with deadlines
Compliance with GDPR rules and regulations is taken so seriously that just 6 months after the law went into effect, PwC surveyed over 200 CXOs of large US firms and found that:
- 50% had taken up GDPR compliance as a priority
- 76% of them planned to spend in excess of $1 million to comply
- 54% were in the process of de-identifying European personal data to avoid non-compliance
So, now let’s take a deeper look at what GDPR is all about.
Basic Principles of GDPR
There are seven basic principles that apply to the controller (which in most cases is you, the website owner) under GDPR:
- Data must be processed lawfully, fairly, and transparently. You must also gather explicit consent from users to collect any personal or identifying data before storing it or using it in any way
- Personal data must be collected for a specified, explicit, and legitimate purpose and only used for that clear purpose – nothing else
- Data collected must be adequate, relevant, and limited to only what is necessary
- All data must be accurate and kept up to date at all times
- Data collected must be in an identifiable form for the least amount of time possible
- Data should be processed in a secure way
- The controller is responsible for demonstrating compliance with these principles
In addition, all EU citizens have seven rights under GDPR that the processor must uphold. They have the right to:
- Be informed about what information is being stored about them
- Access their information in an easily downloadable form at any time, as well as use and transfer the data to another service
- Have any data rectified (modified)
- Be forgotten, that is, have their data completely erased unless a valid reason to keep it exists
- Restrict processing
- Object to processing
- Fair treatment when subjected to automated decision making and profiling
Next up, we’ll take a look at GDPR for WordPress and how you can ensure compliance.
GDPR for WordPress – Use Cases
Though GDPR is designed to protect the rights of EU citizens, the truth is, it impacts everyone on the internet – even WordPress website owners.
In fact, if your website is collecting and processing data from EU citizens, you need to follow the GDPR regulations.
Take a look at these use cases to get a better understanding of how WordPress site owners are impacted by GDPR law:
- A website using analytics software such as Google Analytics to collect site data
- eCommerce websites that collect personal and financial information from customers
- WordPress sites that require users to create accounts to make a purchase
- Community websites that collect user information for profiles
- Blogs that have a newsletter opt-in form or any other type of contact form
- Any website that allows users to comment and requires they leave their name and email
- Sites using retargeting (and cookies) to display personalized messages to people when they return at a later time
As you can see, there are many instances where WordPress site owners collect, store, and process identifying information of site visitors. And honestly, the only way to avoid having to comply with GDPR is to block all EU users, which is not a smart business move.
What is Required Under GDPR
The goal of GDPR is to protect a user’s data such as their name, email, physical address, IP address, phone number, health information, occupation, income, and more. This matters all the more now that high-risk data breaches are becoming the norm and threaten users’ personal information all the time.
Since it’s so comprehensive, we’re only going to share with you the most important requirements of GDPR, so you can make sure you’re in compliance.
1. Explicit Consent
If you’re collecting personal data from an EU citizen, you must obtain explicit consent from them before collecting the data. This means having a positive opt-in (not an automatically clicked checkbox people may not see).
It also means using clear wording that explains why you’re collecting data and how you plan to use it. Lastly, it means separating the consent from your site’s terms and conditions.
2. Breach Notifications
Certain types of data breaches must be reported to the relevant authorities within 72 hours, unless the breach poses no risk to the individuals whose data you store. If the breach is considered high risk, you must also notify the individuals who may be impacted immediately.
3. Rights to Data
You must tell users where, why, and how their data is being processed and/or stored. People have a right to download their personal data at any time and the right to ask for their data to be deleted too.
In other words, GDPR gives EU citizens a right to know what’s happening with their personal information. It also ensures online businesses aren’t sending people emails they didn’t ask for, aren’t selling data without consent, are reporting data breaches when they happen, and are managing their email lists responsibly.
Is WordPress GDPR Compliant by Default?
As of WordPress 4.9.6, the WordPress core software is GDPR compliant. In fact, there are many GDPR enhancements built into the core that aim to help you become GDPR compliant.
Of course, when we say WordPress, we mean the self-hosted WordPress.org content management system. To see the difference, check out this WordPress.com versus WordPress.org comparison.
With that said, let’s check out how GDPR for WordPress works on a fresh install.
1. Comment Consent
WordPress used to store people’s names, emails, and websites as cookies on their browsers when they left a comment. This way, when they returned and wanted to leave another comment, the form fields would pre-populate and commenting would be easier.
Now, in an effort to comply with GDPR, WordPress has a built-in consent checkbox in the default commenting system that people can tick.
If the user doesn’t click the box, they can still leave a comment. The only difference is, no cookie will be stored and the next time they want to leave a comment they’ll have to fill in all the form fields again.
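The consent checkbox described above is wired to three core hooks: the `comment_form_default_fields` filter (which supplies the `cookies` field markup), the `set_comment_cookies` action (which `wp-comments-post.php` fires with the value of the `wp-comment-cookies-consent` POST field, and to which core's `wp_set_comment_cookies()` is attached), and the `comment_cookie_lifetime` filter. The must-use plugin below is an added example, not code from WordPress core; it assumes WordPress 4.9.6 or later and a hypothetical text domain `example-textdomain`. It keeps the checkbox unticked by default, shortens the commenter cookies to 30 days, and records each consent decision in comment meta so you can demonstrate compliance later.

```php
<?php
/**
 * Plugin Name: Comment Cookie Consent Tweaks
 * Description: Added example (not WordPress core code). Drop into wp-content/mu-plugins/.
 */

// 1. Spell out exactly what the consent covers. The box is never pre-ticked:
//    GDPR wants a positive opt-in, not a checkbox people may not notice.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    // Core only adds the 'cookies' field when the "show opt-in" option is on.
    if ( ! isset( $fields['cookies'] ) ) {
        return $fields;
    }
    $fields['cookies'] = '<p class="comment-form-cookies-consent">'
        . '<input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes" /> '
        . '<label for="wp-comment-cookies-consent">'
        . esc_html__( 'Store my name, email and website in a cookie for 30 days so this form is pre-filled next time. Leave unticked and nothing is stored.', 'example-textdomain' )
        . '</label></p>';
    return $fields;
} );

// 2. Cap the commenter cookie lifetime. Core's default is 30000000 seconds
//    (roughly 347 days); data minimisation argues for something far shorter.
add_filter( 'comment_cookie_lifetime', function ( $seconds ) {
    return 30 * DAY_IN_SECONDS;
} );

// 3. Core's wp_set_comment_cookies() runs at priority 10 on this action and
//    either sets the cookies (consent given) or deletes any old ones (declined).
//    Running afterwards, we just record the decision against the comment.
add_action( 'set_comment_cookies', function ( $comment, $user, $cookies_consent ) {
    add_comment_meta(
        $comment->comment_ID,
        '_cookie_consent',                       // hypothetical meta key
        $cookies_consent ? 'given' : 'declined',
        true
    );
}, 20, 3 );
```

Because the decision is stored per comment, a later "what did you store about me?" request can be answered from the database rather than from memory, which is the kind of evidence the accountability principle asks the controller to be able to produce.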
2. Data Export and Erase
One of the rights EU citizens have under GDPR is the right to download and erase their personal data at any time they want. That’s why the WordPress core has a built-in tool for doing both under Tools in the WordPress dashboard.
This makes complying with a user’s request to export or erase their personal data a cinch.
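The Tools > Export Personal Data and Tools > Erase Personal Data screens only know about data that something has registered with them; core registers its own users, comments and media, and plugins that keep their own personal data must register a callback on the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The plugin below is an added example, not WordPress core code; it assumes a hypothetical plugin that stores newsletter sign-ups in a custom table `{$wpdb->prefix}example_signups` with columns `id`, `email`, `ip` and `created_at`, and a hypothetical text domain `example-textdomain`.

```php
<?php
/**
 * Plugin Name: Example Personal Data Exporter and Eraser
 * Description: Added example (not WordPress core code). Hooks a hypothetical
 *              sign-up table into the core export/erase tools.
 */

function example_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_signups'; // hypothetical table name
}

// Exporter callback. Core calls it repeatedly with an increasing $page until
// 'done' is true, so large data sets are returned in chunks instead of timing out.
function example_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;

    $rows = $wpdb->get_results( $wpdb->prepare(
        'SELECT id, email, ip, created_at FROM ' . example_signups_table()
        . ' WHERE email = %s ORDER BY id LIMIT %d OFFSET %d',
        $email_address, $per_page, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example_signups',
            'group_label' => __( 'Newsletter sign-ups', 'example-textdomain' ),
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'example-textdomain' ),      'value' => $row->email ),
                array( 'name' => __( 'IP address', 'example-textdomain' ), 'value' => $row->ip ),
                array( 'name' => __( 'Signed up', 'example-textdomain' ),  'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a full page means there may be more
    );
}

// Eraser callback. Deletes every row for the address; if the delete fails the
// rows are reported as retained with a message the admin sees on screen.
function example_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( example_signups_table(), array( 'email' => $email_address ), array( '%s' ) );

    if ( false === $deleted ) {
        return array(
            'items_removed'  => false,
            'items_retained' => true,
            'messages'       => array( __( 'Newsletter sign-ups could not be deleted; check the database.', 'example-textdomain' ) ),
            'done'           => true,
        );
    }

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => __( 'Example newsletter sign-ups', 'example-textdomain' ),
        'callback'               => 'example_signups_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => __( 'Example newsletter sign-ups', 'example-textdomain' ),
        'callback'             => 'example_signups_eraser',
    );
    return $erasers;
} );
```

Once the plugin is active, a request entered under Tools > Export Personal Data produces a ZIP that includes a "Newsletter sign-ups" section, and the erase tool removes the same rows; the admin never has to touch the database by hand.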
3. Privacy Policy Generator
WordPress 4.9.6 also added a privacy policy page generator, found under Settings > Privacy in the dashboard.
The cool thing about this generator is that you can assign it to an existing page on your site or have a new page created for you. You can then open the page the policy is on and edit it.
Though the WordPress core comes with plenty of GDPR enhancements, no platform is going to be 100% GDPR ready. That’s why chances are high you’re going to need to make additional changes to your site to be in compliance.
Let’s take a look at some of the most common ways to make your WordPress website GDPR compliant.
How to Make Your WordPress Website GDPR Compliant
To help you abide by the GDPR compliance requirements, we’ve come up with some actionable tips you can start implementing right away.
1. Update to WordPress 4.9.6 (or higher)
You should know by now how important it is to your site’s security that you keep your WordPress core, themes, and plugins up to date at all times. But just in case, if you want to ensure GDPR compliance, you’ll need to update to WordPress version 4.9.6 or higher to take advantage of the built-in GDPR enhancements mentioned above.
You can check this by going to Dashboard > Updates to see which version of WordPress is running on your site right now. If you need a newer version, you’ll see a notification there.
2. Find Out Which Cookies Your Site Sets
Many of the features and third-party services on a typical WordPress site set cookies in visitors’ browsers, for example:
- Google Analytics or other tracking services
- Push notifications
- Shopping carts
- Opt-in forms or popups
- Contact forms
- Google Ads or other advertising networks
- CDN services
- Video players
Not sure what cookies your site is currently storing?
To figure out what cookies your website is using, open a browser window and clear your cookies. In Firefox, go to History > Clear Recent History. Then, select ‘Everything,’ make sure the cookies checkbox is checked, and click Clear Now.
For Chrome, go to Settings > Clear Browsing Data. Then, select ‘All Time’ and check the cookies option.
Once your cookies are cleared, go to your site’s homepage and open the developer tools. To do this in Firefox, click the hamburger icon and then Web Developer > Storage Inspector (in Chrome it’s under Application). Then, click on the ‘Cookies’ option on the left of the screen. You should be able to click on your website’s URL and view all the cookies being set when people come to your site.
Check out this example of The Co-Operative Bank, which has a clear cookie notice once you arrive on their site.
3. Get Consent on All Contact Forms
No matter what kind of contact form you have on your website, you’ll need to make sure you get explicit consent from people to collect their personal data, store it, or use it in any way.
The easiest way to do this on your WordPress site is to use a GDPR-compliant contact form plugin. Some examples include:
- Contact Form 7: add an acceptance checkbox to your form by adding a simple shortcode just before the ‘Submit’ button.
- WPForms: add a GDPR Agreement checkbox to any form you create after enabling GDPR enhancements in the Settings section.
- MailChimp: for opt-in forms, use the consent checkbox or enable the double opt-in feature to confirm that people really do want to receive emails from you in the future.
Of course, these are just some of many examples of how you can use existing WordPress contact form plugins to become more GDPR compliant.
4. Create a Cookies Notice
Adding a cookies notice to your website that appears to users when they arrive on your site gives them the chance to decide whether to continue exploring your site or not.
If you don’t give visitors the option to decline cookies and keep engaging with your content, as The Food Network does, some people will abandon your site right away.
To keep more people on your site, it’s a good idea to offer the option to accept or decline cookies, like JetBrains does.
This way, even if users decide not to let the website store cookies on their browser, they can continue to view your website.
Popular cookies notice plugins for WordPress include the free Cookie Notice for GDPR and premium WeePie Cookie Allow. The one you choose will depend on the type of cookie features you need to run your WordPress website.
For example, a plugin like WeePie Cookie Allow comes with advanced features like:
- Additional data privacy laws compliance (e.g., UK cookie law, Dutch cookie law, and Italian cookie law)
- An accept-or-decline cookies option
- Consent logging
- Cookie consent display for EU visitors only
- Display options – cookie bar or box, customization of texts, colors, fonts, and positions
- Analytical cookie consent
- Multisite support
- WPML support for translations
- Disable for logged in users
- And much more
Of course, a basic cookies notice will work just fine and ensure you are compliant with that part of GDPR law.
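A cookie banner only helps if the site actually honours the answer: a visitor who clicks Decline must not receive the analytics or advertising cookies the banner was warning about. The must-use plugin below is an added example, not code from WordPress core or from any of the plugins named above; it assumes your cookie-notice plugin records acceptance in a first-party cookie named `cookie_consent` with the value `accept` (a hypothetical name; check your plugin’s documentation) and uses a placeholder Google Analytics measurement ID. Until that cookie is present the tracking script is never enqueued, so nothing from the analytics service reaches the browser.

```php
<?php
/**
 * Plugin Name: Consent-Gated Analytics
 * Description: Added example (not core or plugin code). Only loads the tracker
 *              after the visitor has accepted cookies.
 */

// Assumption: the cookie-notice plugin sets cookie_consent=accept on Accept.
function example_visitor_has_consented() {
    return isset( $_COOKIE['cookie_consent'] ) && 'accept' === $_COOKIE['cookie_consent'];
}

add_action( 'wp_enqueue_scripts', function () {
    if ( ! example_visitor_has_consented() ) {
        return; // no consent: no tracker, so no analytics cookies are set
    }

    $measurement_id = 'G-XXXXXXXXXX'; // placeholder, replace with your own property ID

    // Load gtag.js only now; $ver = null keeps WordPress from appending ?ver=.
    wp_enqueue_script(
        'example-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( $measurement_id ),
        array(),
        null,
        true
    );

    // Bootstrap snippet attached to the same handle, with IP anonymisation on.
    wp_add_inline_script(
        'example-gtag',
        "window.dataLayer = window.dataLayer || [];\n"
        . "function gtag(){dataLayer.push(arguments);}\n"
        . "gtag('js', new Date());\n"
        . "gtag('config', " . wp_json_encode( $measurement_id ) . ", { 'anonymize_ip': true });"
    );
} );
```

One caveat for sites behind a page cache: the decision is made server-side from the cookie, so the cache must vary on `cookie_consent` (or bypass for consented visitors) or a cached page generated for a consenting visitor will be served, tracker included, to someone who declined. Checking the Storage Inspector after clicking Decline, as described earlier, is the quickest way to confirm the gate works.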
In the end, the GDPR compliance date has long passed, meaning if you haven’t taken measures to create a GDPR compliant WordPress website – the time is now.
Remember, the EU government is not out to get you. They don’t want to fine you tons of money or shut your site down. What they do want to do, however, is protect their citizens from online businesses that misuse personal data or fail to secure it like they should.
And wouldn’t you agree, EU citizen or not, that all your WordPress site visitors deserve the same treatment?
The more compliant your website is, the safer people will feel using your site. Not to mention, the more conversions you’ll have, the better your reputation will be, and the more sales you’ll secure. We’d say that’s a win-win for everyone.
If you know your site is already GDPR compliant, and you’re looking to grow your business, check out these top WooCommerce plugins that can easily be added to your WordPress site.
Disclosure – we are not lawyers. Nothing on this website should be considered legal advice. Because websites are dynamic in nature, no plugin, theme, or platform can claim to be 100% GDPR compliant. If you’re ever unsure about your GDPR compliance, it’s best to consult a specialist internet law attorney to help with your jurisdiction and individual status of compliance.