Re-post from the blog
A lot of changes are coming for WordPress in 2018, and not the least of which is the General Data Protection Regulation (GDPR) that the European Union is enacting, beginning May 25, 2018. The TL;DR version is that the GDPR says that users have complete control over their data, and you have to tell them why you need it. At which point, they can give the go-ahead or not. Practically, however, it’s a little more complicated than that.
WordPress and the GDPR
Since WordPress is 30% of the internet now, we have a lot of cleaning up to do. Data trickles and flows between our sites and users, and GDPR says that it’s up to us to manage our sites well enough so that users can manage their data. Even though this is a regulation passed by the EU, it affects pretty much the entire world. Because if you collect a bit or a byte of data from a person in EU (regardless of your own location), you’re subject to this law because you then have information owned by an EU citizen. And if you are found to have been in non-compliance, you can be fined up to 20 million Euros.
That’s scary for a lot of people. But it doesn’t have to be.
The good news is that there is a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code before May 25. They have a website (and associated Slack channel) set up where admins and devs can keep up with the progress and to see what you need to do to get yourself (and your clients) in compliance. Here’s the breakdown of what you’re responsible for:
- Explaining who you are, how long you’re keeping the data, why you need it, and who on your team or externally has access to it
- Getting explicit and clear consent to collect data through an opt-i
- Giving users access to their own data, the ability to download it, and to delete it from your records completely
- In the event of a hack or security breach, letting your users know about it
For longer-form explanations of GDPR, you can check out our overview of data regulations in 2018, the official European Commission infographic on GDPR, and the official support post from Automattic regarding WordPress and the GDPR.
All that said, you need to know what you can do to comply with the GDPR. So here are some specific, actionable steps you can take to keep yourself (and your user’s data) safe.
The GDPR Opt-In
The single most important aspect of all this is the GDPR opt-in. Let me be clear on this. An opt-in is under no circumstances the same thing as an opt-out. The EU has said that you must “get their clear consent to process the data.” That means that users have to explicitly say yes, not only have the option to say no.
Here’s an example: you have an online dropshipping business, and maybe you use WooCommerce. When users get to your checkout page, you have a checkbox that reads “[x] Yes, I want to sign up for your amazing email list!”
No problem, right? If you have the box checked by default, you’re at fault. That’s giving them the chance to opt-out. That’s not what the GDPR opt-in rule says. They must say explicitly choose to share their information with you.
The same thing goes for comment sections that automatically subscribe folks to the comment thread, or any kind of automated contact that isn’t directly user-initiated. (Pop-up chat boxes like Intercom can be okay because that’s not reaching into their data, but could still be affected under the GDPR’s pseudonymisation clause.)
But your #1 goal is to take nothing by default. And honestly, take as little as possible when you do get explicit permission.
Ask for the Bare Minimum of Information
A lot of websites and forms and plugins and stores ask for information they really don’t need. In general, a good rule of thumb is to ask for as little information as possible from your users. If you don’t need their names, even, don’t take it. Or maybe only their first. Sometimes, all it takes is their email to get your job done.
That’s not to say that you can’t ask for the other information. The GDPR simply says you have to tell people whyyou need it. If you’re asking for their first and last name, tell them why. If you ask their birthdays, make it clear that you send out coupons as birthday gifts for example. Due to GDPR, there is no more asking for info “just in case” or “for future, undetermined projects.”
Many forms plugins let you include a note under/beside the primary label, so if you have a field for phone numbers, you can have a blurb that says “We ask for your phone number so our customer service representatives can expedite the set up process for your custom orders.”
Additionally, when you’re asking for information, the EU says you have to disclose “who you are […], how long it will be stored, and who receives it.” As to how and when you have to disclose this stuff, that can differ. The first one to is that you have to tell who you are at the same time you make the request for their data.
This is effectively no different than the required footers every email service requires you to provide. Just have a sentence or blurb explaining who you are, a single line stating that“This website’s data is handled by B.J. Keeton, the CIO of Awesomesauce International and its subsidiaries.” Or even something like “Data submitted by this form will be used by Awesomesauce International and no one else” will work.
That means, your contact form, sign-up form, checkout pages, wherever users may be giving you their info needs to clearly identify you and yours.
Your ToS and Privacy Policy
As for the other parts of the GDPR’s information retention clauses, you can include the details on the data’s why, how, and who in either your Terms of Service or Privacy Policy. And it’s a good idea to, as well, because these are part of the explicit GDPR opt-in.
The actionable step here is two-fold: First, make sure your ToS and Privacy Policy are GDPR compliant themselves. And second, create explicit required fields on every form indicating acceptance of both documents before processing anything. Checkboxes are fine, and text fields where users can type “I agree” are even better (but are truly obnoxious).
We have some more in-depth resources for you on this, too. You can check out how to add the required agreements to your forms here. And if you’re not sure where to begin on your Privacy Policy, we can walk you through that, too.
I would suggest adding a paragraph into your Terms of Service about accepting the Privacy Policy as a term and linking to it directly from the ToS. Then, in the Privacy Policy, add a paragraph discussing its role in the ToS, as well as exactly how your site manages data in compliance to the GDPR. Specifically, you will need to provide detailed instructions in your Privacy Policy explaining each of the following.
- How to access and download a complete record of any data you have on them
- The process through which users can fully delete their data from your records (and not simply unsubscribe, etc.) as a part of the ‘right to be forgotten’ laws previously passed in the EU
- Exactly how you will inform users of data breaches if they ever happen
- Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it
It is now more important than ever to have a Privacy Policy in place. It was pretty important before because Google wanted you to have one. And that importance has just skyrocketed.
Sounds Like a Lot, Right?
And it is. Luckily, you’re probably using WordPress. Because of our fantastic community, developers are hard at work already on so many ways to help with GDPR opt-in and compliance. There are still many details you’ll have to work out your business, but in the coming months, I would expect options popping up in your favorite plugins — or GDPR extensions made by third parties — that insert all the stuff I mentioned by just checking a few boxes and filling in a few fields.
Basically, to make your site GDPR compliant, it boils down to making sure you’re transparent with people. Let them know what you’re doing, don’t ask for extraneous information, and let them opt-in to giving it to you, rather than you taking it by default.