Is WordPress GDPR Compliant?

In May 2018, the European Union passed the General Data Protection Regulation, a new law designed to protect the safety and privacy of every EU citizen’s personal data online. But even though the GDPR aims to protect the data of EU citizens, it also has a global reach – and it is forcing all businesses with an online presence to make essential changes to their websites within one year.

Because WordPress powers over a quarter of the world’s websites, the EU GDPR affects millions of WordPress sites. The newest version of WordPress, and a number of popular WordPress plugins, now include useful features for GDPR compliance to help WordPress website owners stay on the right side of the new regulations.

What is the GDPR?

The EU’s move to enact the General Data Protection Regulation comes in response to an increasing number of highly publicized data breaches and misuse of personal information on several high profile retail, financial and social media sites. The goal of the new legislation is to give EU citizens more control over when and how their personal data is used by online entities, but it also has the far-reaching effect of requiring all websites, no matter where they are based, to take a tougher stand on managing the privacy and safety of users’ personal data.

The GDPR’s stated mission is to help EU citizens protect their online data. Because we’re living and doing business in a global marketplace in which a website can have visitors from all over the world, the regulation effectively applies to all website owners, everywhere, that an EU citizen could potentially visit – not just to sites owned by companies located within the EU.

Penalties for non-compliance with the GDPR can be stiff. First-time violators receive a warning. After that comes a reprimand. If problems aren’t addressed, the site is slapped with a suspension of all its data processing activities. And if that isn’t enough, stiff fines are imposed – up to 4 percent of a company’s annual global revenue, or 20 million euros, whichever is greater. The EU means business, so businesses need to protect themselves.

GDPR Gives Users Control of Personal Data

The GDPR does not prohibit sites from collecting and using visitor data, but it does require them to give users clear and explicit control over how they do so. The GDPR covers actions that involve the collecting and managing of user information, including:

• Names
• Email, physical, or IP addresses
• Financial information
• Health information
• Demographic information such as age, ethnicity, or gender identity

Until the GDPR took effect, many sites relied on “assumed consent,” – that is, by the act of using the site in any way, you were consenting to allow the site to store and use your personal data for its own purposes. Now, websites that collect any of these kinds of data need to get users’ explicit consent via a positive opt-in, such as a checkbox, and to inform them clearly how their data will be used.

The GDPR also clearly establishes users’ rights to their own data. Along with clearly stating how, why, and where the site stores and uses data, websites must allow users to download the information the site is holding, and to request to have it deleted at any time. For example, if you had subscribed to a particular site’s newsletter, but then closed your account, you must be able to have access to your information stored on the site and to ask the site to remove it as soon as possible.

Finally, the GDPR requires websites to inform authorities of any data breaches within 72 hours and to immediately notify affected users that their personal information could be compromised. In past incidents, such as a recent breach at Yahoo, users were not notified that a data breach had happened until well after the fact.

The provisions of the GDPR have website owners around the world worried – and because there are so many different ways in which information is exchanged, it can be easy to miss a crucial step and fall into noncompliance. But with new features in its latest version, and a number of plugins with GDPR friendly tools, WordPress offers users a variety of ways to make a site GDPR compliant.

WordPress GDPR Compliance Takes Many Forms

The latest version of WordPress, 4.9.6, was released not long after EU GDPR privacy laws came into place, and it includes several enhancements built into the source code for making WordPress sites GDPR compliant. These include:

Positive Opt-Ins for Commenting

WordPress comment options typically require users to register, leave an email address, or take a similar action in order to validate the comment. Now, each new comment text box includes a positive opt-in – a box users must check to allow the site to collect and store that information.

Privacy Policy Templates

The latest version of WordPress also includes a privacy policy generator – a set of templates that contain the essential elements that a site’s privacy policy should include in order to be GDPR compliant. Site runners can edit these templates and add any other information that is relevant to their particular sites.

Data Management Features

To give users control over their data, WordPress also includes an “Export Personal Data” feature that can be accessed from the Tools tab on the site’s Admin dashboard. This tool allows you to make user data available for download, or to delete it entirely, at a user’s request.

Plugins Add More Options

The new privacy features included in WordPress itself offer basic options for handling user data, but depending on their nature, individual sites may need other tools, as well. To meet those specific needs, a number of popular WordPress plugins have added GDPR compliant features to plugins such as contact and subscription form creators, statistics and analytics trackers, shopping carts and payment portals, and email marketing managers.

The updated version of plugins like Google Analytics, WPForms, and WooCommerce typically include a positive opt-in feature, as well as privacy policy statements that clearly outline the way the site handles user information. For most sites, this is all that is really necessary in order to comply with GDPR, but sites that handle large volumes of information, especially sensitive data like personal health information, may need more tools in order to be fully protected.

GDPR was conceived as a way to protect citizens of the European Union from online identity theft and other threats, but thanks to the global nature of the internet, it also indirectly extends those same protections to everyone who does business online. Today, making your website GPDR compliant is a must, and WordPress has the tools you need.