You may have heard about GDPR, which applies from May 25, 2018 and will bring much more attention to WordPress compliance.
As a developer or online marketing agency, you can actually benefit from this new regulation. By bundling your services with a consultation on WordPress compliance and data privacy laws, you can enhance your offerings.
In this article, I've combined the best resources on GDPR I could find - to give you all information you need to evaluate your own situation.
Let me give you an overview of the structure of this article:
- How is WordPress compliance impacted by GDPR?
- 8 rights enforced by GDPR
- How do you ensure your or your client's WordPress site complies with GDPR? (four topics: tracking codes, opt-in forms, storing personal data securely, legal pages)
- Are you or your clients impacted by GDPR?
How is WordPress compliance impacted by GDPR?
First of all, let me explain GDPR. The name is short for EU General Data Protection Regulation.
GDPR is a new data privacy regulation enforced by the EU. Its goal is to give consumers more control over their data and to limit what companies can do with it. Yes, it's impacting you and me.
What most business owners don't realize is that their websites might need to comply even if they're not located in the EU.
GDPR applies to the personal data of people who are in the EU, regardless of their citizenship. As soon as you collect or process such data through your website, compliance with GDPR is mandatory. Not following those rules can lead to hefty fines - even for businesses that are not in the EU.
To quote itgovernance.co.uk:
The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
There are two tiers of administrative fines that can be levied:
1) Up to €10 million, or 2% annual global turnover – whichever is higher.
2) Up to €20 million, or 4% annual global turnover – whichever is higher.
The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.
To me, those amounts are quite scary. GDPR applies to organisations of all sizes (only a few record-keeping obligations are relaxed for organisations with fewer than 250 employees), so you definitely want to be prepared.
Shockingly, according to a survey of Dell and Dimension Research, 80% of businesses know few details or nothing about GDPR!
That's exactly the reason why I decided to write this post.
If you think about how you operate your business and how you collect personal data on your website, you will most certainly have to deal with WordPress compliance.
Just doing one of the following activities on your site forces you to follow the rules of this new regulation:
- Collecting personal information (name, email, address, ...) in a contact form on your website
- Running an online shop on your site
- Selling digital goods like eBooks or courses on your website
- Sending email newsletters to your list
You see, just these four simple examples prove that many - if not all - business owners will have to take measures to ensure WordPress compliance with GDPR.
8 rights enforced by GDPR
Let's briefly talk about the rights that GDPR gives to consumers:
- The right to access. Individuals can request access to the personal data companies store about them and have companies explain how that data is used. Companies must provide a copy of the data, free of charge and in electronic format.
- The right to be forgotten. Companies must delete stored data about individuals if requested, unless another legal ground for keeping it remains (for example an obligation to retain invoices for accounting purposes).
- The right to data portability. Individuals can ask companies to have their data ported to a different service provider. This transfer needs to happen in a commonly used and machine-readable format.
- The right to be informed. Individuals must be told, at the time their data is collected, what is collected, why, and on which legal basis. Where processing relies on consent, that consent has to be given explicitly, through a clear affirmative action, and companies need to be able to prove that an individual has given it.
- The right to have information corrected. Individuals can ask companies to correct the data that's stored about them, in case the data is outdated or wrong.
- The right to restrict processing. Individuals can request that companies stop processing their data while the data record itself can stay in place.
- The right to object. Individuals can prohibit the use of their personal data for direct marketing. There are no exemptions to this rule, and companies have to obey the request as soon as it's received. Additionally, companies have to clearly communicate this right to individuals, from the beginning of any communication.
- The right to be notified. If there has been a security breach affecting personal data, companies must report it to the supervisory authority within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay if the breach is likely to result in a high risk to them.
As you can tell, the new data privacy regulation enhances the rights of individuals quite a bit, and it forces many companies to re-think their WordPress compliance strategy.
Note: if you or your clients don't have a compliance strategy, you're making a big mistake.
And here's where you as a WP developer come into play. You can help your clients make their websites compliant with GDPR.
How do you ensure your or your client's WordPress site complies with GDPR?
I'd like to touch upon four topics that, I think, are the most important to have in mind when talking about making WordPress fit for GDPR.
Disclaimer: I am not a lawyer. I don't claim that this list is complete and guarantees compliance. But it gives you a starting point. If in doubt, consult with a lawyer.
Topic 1: Adjusting your tracking codes
Most sites today have a cookie notice in a popup or header bar, that tells visitors cookies are set once they open the page.
However, I don't think this will suffice for GDPR.
Based on right 4 above (the requirement for explicit consent), your visitors have to actively agree before they are cookied on your website. A notice that merely informs them is not consent. Hence, my suggestion is that you only load your tracking codes after that consent has been given.
Of course, this will heavily impact how statistics like Google Analytics, remarketing pixels, heatmap scripts, and other tracking tools collect their data.
Reported visitor numbers will likely drop, depending on how many of your visitors deny consent and thereby prevent your site from loading the scripts.
However, this isn't necessarily a bad thing!
Just think about the quality of the data that you'll be collecting if visitors give their explicit consent to load the tracking scripts.
The Facebook Pixel, for example, would build an audience of visitors who actively engaged with your website, even if only by clicking a button in a popup.
Even that small action is likely more than the average visitor does on your website - which is leaving without any interaction.
In the end, optimizing your site for WordPress compliance might help build better custom audiences on Facebook. Again, just my two cents here.
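Here is what "only load tracking codes after consent" looks like in code. This is an added example, not code from the original post or from any plugin it mentions. The cookie name `site_consent`, the consent categories `analytics` and `marketing`, and the script URLs and measurement ID are placeholders; swap in your own. The important properties are that nothing loads by default, that a malformed or outdated consent cookie is treated as "no consent", and that a change to the consent text invalidates earlier decisions by bumping the version.

```javascript
// Added example: consent-gated loading of tracking scripts.
// Assumed names (placeholders): cookie "site_consent", categories
// "analytics"/"marketing", the gtag.js measurement ID "G-XXXXXXX".

const CONSENT_COOKIE = "site_consent";
const CONSENT_VERSION = 1; // bump whenever the consent text or script list changes

// Parse a document.cookie-style string into the stored consent decision.
// Returns null when there is no valid decision, so callers default to "no tracking".
function parseConsent(cookieString) {
  for (const pair of (cookieString || "").split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const decision = JSON.parse(decodeURIComponent(rest.join("=")));
      if (decision.v !== CONSENT_VERSION) return null; // stale consent is not consent
      if (typeof decision.analytics !== "boolean" ||
          typeof decision.marketing !== "boolean") return null;
      return decision;
    } catch (e) {
      return null; // malformed or tampered cookie: treat as no consent
    }
  }
  return null;
}

function shouldLoad(consent, category) {
  return consent !== null && consent[category] === true;
}

// Tracking scripts (placeholder URLs) keyed by the consent category they need.
const TRACKING_SCRIPTS = {
  analytics: ["https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"],
  marketing: ["https://connect.facebook.net/en_US/fbevents.js"],
};

// Which script URLs may be injected for a given consent decision.
function scriptsToLoad(consent) {
  const urls = [];
  for (const [category, list] of Object.entries(TRACKING_SCRIPTS)) {
    if (shouldLoad(consent, category)) urls.push(...list);
  }
  return urls;
}

// Serialise a decision for storage; only called after the visitor clicked.
// "Secure" means the cookie is only sent over HTTPS.
function buildConsentCookie(decision, maxAgeDays) {
  const value = encodeURIComponent(JSON.stringify({ v: CONSENT_VERSION, ...decision }));
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Browser-only part: injects the allowed scripts. Guarded so the file also
// loads outside a browser (returns the list of URLs it injected).
function applyConsent() {
  if (typeof document === "undefined") return [];
  const urls = scriptsToLoad(parseConsent(document.cookie));
  for (const src of urls) {
    const s = document.createElement("script");
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  }
  return urls;
}

// Wire-up for the banner buttons, e.g. onAccept({ analytics: true, marketing: false }).
// On page load call applyConsent() only; nothing loads before a click.
function onAccept(decision) {
  if (typeof document !== "undefined") document.cookie = buildConsentCookie(decision, 180);
  return applyConsent();
}
```

Call `applyConsent()` once on every page load (it injects scripts only for returning visitors whose stored decision is still valid) and wire the banner's buttons to `onAccept`. A "reject" button should store `{ analytics: false, marketing: false }` so the banner does not reappear on every visit while still loading nothing.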
A plugin that helps with WordPress compliance
When it comes to implementing tracking codes in a GDPR compliant way, I recommend you check out this plugin: WP GDPR Compliance
That plugin not just helps you write texts to make your contact forms and opt-in forms GDPR compliant.
It also prevents tracking scripts from loading until your visitor explicitly agreed to have them load. It shows a simple popup form with some explanatory text you can customize and a button that your visitors can click on.
Here's what I like most:
Your website visitors are already used to seeing and clicking on those buttons. They see "cookie notification" popups on all major websites. So seeing it on your website won't confuse them if you write a proper message in the popup.
Stepping up your WordPress compliance with the Legal Pages plugin might even make your website look more authoritative and serious.
People will notice that you take their personal data seriously. Thus, they might be more likely to buy from you.
Topic 2: Opt-In Forms
Collecting email addresses will become a bit more tricky with GDPR. Practices that were tolerated before are no longer allowed from May 25, 2018.
Example: Your online shop collects email addresses for the yearly Black Friday sale. You want to build a list of subscribers you can automatically send a coupon for Black Friday to - and offers during Black Friday. So far, so good.
However, if you are like most business owners (including myself), you'd like to keep sending offers and information to those subscribers even after Black Friday is over. After all, your business always has good stuff to sell, right?
Under GDPR's purpose limitation principle, you are per se not allowed to use those addresses for anything other than the purpose they were collected for, the Black Friday offers. You cannot send unrelated direct marketing emails to those subscribers - unless they gave their explicit consent for that as well.
Reply.io has given a great example of how opt-in forms will be affected on Medium:
Before GDPR, your opt-in form probably looked like this:
If you take WordPress compliance seriously, you'll have to rewrite your opt-in forms in a format similar to this:
These new checkboxes are what make the form compliant with GDPR. They must be unchecked by default; a pre-ticked box does not count as consent. By ticking them, your new subscribers give their explicit consent to receive your newsletter and marketing information, and you should store when and to which wording they agreed.
Update on May 4th, 2018: One principle I had not covered is data minimisation (Article 5(1)(c) of the GDPR): personal data you collect must be adequate, relevant and limited to what is necessary for the purpose you collect it for.
What does this mean for opt-in forms? Every field needs a justification. Knowing the name of your subscribers is not necessary for sending an email newsletter.
Hence, having first and last name fields in your opt-in forms, even as optional fields, is hard to defend unless you can state a purpose for them (for example personalised salutations) and disclose it. The safe default is to collect only the email address.
Even if it's not related to WordPress compliance directly, you might also want to have your current subscribers re-consent with being on your list - if they subscribed over two years ago.
As Tony Kent from Sign-Up Technologies Ltd. says:
Do I need to contact my existing subscribers to re-establish consent?
Again, the short answer is no.
Assuming that the conditions of consent were originally gathered in a way which is consistent with post-GDPR requirements and that the future intentions for use are also similar, then consent is considered to be continuous. There is no need to go back and re-establish this just because of GDPR.
But is it a good idea? Quite possibly, yes.
Consent is not the only condition for data processing under GDPR but it is one of the pillars upon which justification is built. GDPR requires that unless there is another justification (there are 5 other justification scenarios i.e. legal obligation, public interest, vital interest, contractual, legitimate use), data processing can only be done with the consent of the data subject.
My personal take is, that I'll definitely reach out to all subscribers on my email list before May.
I see it as a great opportunity to build more trust with my subscribers and to show them that I care about them. Also, if people don't give their consent to being on my list, they might not have read my newsletters anyways.
And likely, all my newsletters did was add clutter to their inbox.
Topic 3: Storing personal data securely
Server security should always be on your mind when you're thinking about WordPress compliance. With GDPR it also becomes a legal requirement: Article 32 obliges you to take appropriate technical and organisational measures to protect the personal data you process.
If you store personal data of people in the EU in the database of your WordPress website, server security therefore plays a direct role in making your site compliant with GDPR.
So, server security is especially important for you when you're running a WooCommerce shop, a social platform with BuddyPress, or managing your digital courses through a plugin like s2Member.
Even if it's just for the reason that you have to inform your users about security breaches. Or that you have to be able to hand over their data in a machine-readable format so they can move it to another vendor. Your server configuration needs to be up-to-date.
Let me give you an example:
A client of mine in Singapore manages a database of thousands of startups in the healthcare space. Exporting their data easily takes an hour - which means that the server configuration has to support longer script running times than usual.
Of course, you should keep your WordPress updated and run automated security checks to ensure the integrity of your site. If you need help with that, get in touch with me - my agency has an affordable maintenance plan that might be a good fit for you.
Topic 4: Legal pages, e.g. for data privacy
By now you and your clients should already be aware that a privacy policy and similar legal pages are mandatory for most websites that are run by businesses and meant to generate income.
Usually, I tell my clients to have a lawyer set those pages up for them. However, that comes at a price that business owners and developers sometimes cannot afford or simply don't want to pay.
To those who don't want to pay: invest in this text! I once paid a 750€ fine just for using an image whose license didn't allow usage on a business blog. I don't want to imagine how much I'd have had to pay if that website had been lacking the required legal pages.
Earlier, in the section about adjusting your tracking codes, I mentioned a plugin called Legal Pages.
That plugin comes with multiple lawyer-approved templates for legal pages that you can use and adjust:
- Linking Policy
- External Links Policy
- Terms & Conditions
- Refund Policy
- Affiliate Disclosure
- Affiliate Agreement
- Earnings Disclaimer
- Amazon Affiliate
- Anti-Spam Template
- Double-dart Cookie
- Medical Disclaimer
- Testimonials Disclosure
To be honest, I don't know what all of those templates should include - I'm no lawyer. But just having them ready and then having a lawyer look through them can be a tremendous help for businesses on a budget.
You can check out Legal Pages here.
Are you or your clients impacted by GDPR?
Even though everyone should take WordPress compliance seriously, you or your clients are required to have your sites comply with GDPR if:
- You collect personal data from people in the EU on your website (yes, contact forms do count!)
- Your site handles transactions with people in the EU (shops, subscriptions, etc.)
Please use your own head when thinking about WordPress compliance and GDPR. I've done my best to collect the resources you need in this post, but I'm not a lawyer and not accountable for the actions you take.
If this post is missing any important information, please do let me know!
DISCLAIMER: I'm no lawyer and this post is not legal advice. I'm just trying to break down GDPR as how I understand it. If in doubt, consult with a lawyer, I'm not to be held accountable.