May 2018


GDPR: What Is It and How Does It Impact My WordPress Website?

The General Data Protection Regulation, or GDPR, changes how your business gathers information. In this article, we’ll look at how it affects your site and what steps you might take to comply.

 

Summary

  • The GDPR is a new EU regulation that gives individuals greater control over their personal data and a right to know what is collected about them, why it is collected, and how it is used.
  • The regulation applies starting May 25, 2018 (it was adopted in April 2016; the date is the end of its two-year transition period).
  • If you use analytics, lead generation forms, contact forms, comment systems, or other common marketing tools on your site, and someone located in the EU visits your site, you could have compliance concerns. The regulation protects people in the EU, not only EU citizens.
  • Maximum fines for non-compliance are €20 million or 4% of annual global turnover, whichever is greater.
  • You should perform an information audit on your site and determine what information you collect. If it is non-essential, the best option might be to stop collecting the information.
  • Otherwise, you must outline all information you collect in your privacy notice and provide options for users to request deletion of their data. In many cases, you’ll also need to get their consent to collect the information.
  • While details are scant as of the time of writing, WordPress plugins are available to address many of the common concerns.

DISCLAIMER: We’re not lawyers. With the complexity of both these new regulations and how they’ll impact the endless number of site configurations, marketing funnels, and businesses operating online, it would be impossible to cover every facet of the concerns surrounding GDPR compliance.

While we will cover what we can, and make our best effort to provide accurate, actionable information as of the time of writing, this is not to be construed as legal advice. Consulting with a legal expert familiar with GDPR regulations is encouraged before enacting major changes to your site or considering your site compliant with new regulations.

 

What Exactly is the GDPR?

The specifics of GDPR are still emerging as experts analyze the legislation: 99 articles and 173 explanatory recitals running to nearly 90 pages.

But one thing is certain…

It will create ripples for sites and businesses around the world.

So what is this GDPR exactly and how does it affect you?


We’ll be honest — the exact details are still a bit sketchy. The regulations cover so much ground and do so, in many areas, in a rather vague manner…

But in a nutshell, the GDPR is new EU legislation that establishes strict guidelines on how you can collect and use the personal information of your website visitors and customers.

It goes into effect on May 25, 2018.

Platforms such as WordPress and much of the web development community are still working hard to adapt to the upcoming changes.

Due to its ever growing popularity, we’ll be focusing on WordPress for this guide. However, if you use any modern CMS platform, there’s a good chance that regulations will still impact you.

Will the GDPR Apply to My Site?

Do you still have to worry about GDPR if you’re not in the EU?

The answer is “most likely”.

The new regulations won’t simply impact EU sites and businesses.

The GDPR impacts anyone offering goods or services to people in the EU, or monitoring their behaviour (analytics and ad tracking count), and collecting or processing their personal data in the course of doing so. A site that is merely reachable from the EU is not automatically in scope, but a site that ships to, bills, or tracks EU visitors is, even if only occasionally.

What is personal data exactly?

Article 4(1) of the regulation defines it as:

“Any information relating to an identified or identifiable natural person”

In normal words, this includes names, email addresses, physical addresses, IP addresses and other online identifiers, national identification numbers, and other commonly recorded bits of data. Note that an IP address counts even though it does not name anyone: “identifiable” is enough.


There’s also sensitive personal data, which the regulation calls “special categories” (Article 9).

This is a subset of personal data covering racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health information, and sex life or sexual orientation. Processing it is prohibited by default and allowed only under narrow exceptions, such as explicit consent.

But what uses personal data on your site?

Common features in WordPress that might use personal data include:

  • User registrations
  • Cookie notifications
  • Contact form entries
  • Mailing list subscription forms
  • Lead generation pages and forms
  • Analytics
  • Server and traffic logs
  • Security tools and plugins
  • Comments
  • CRM plugins
  • Event calendars and booking plugins
  • eCommerce plugins

Even if you only collect this information through a third-party service, you remain responsible for it: the vendor is a “processor” acting on your behalf, and the regulation expects a written data processing agreement with each one (Article 28) as well as evidence that the vendor itself complies.

Needless to say, the actual regulations are full of legalese and are not a light read. There are also still some grey areas — particularly surrounding cookies — that have yet to be clarified.

And, in some cases, there is intentional ambiguity to provide flexibility in how businesses deal with compliance concerns.

But with that ambiguity, it is hard to make exact recommendations on meeting requirements.


We expect more concrete information will become available closer to the deadline as more third-party service providers and platforms work to comply with the new regulations.

For example, MailerLite, Drip, and MailChimp already offer posts to help explain how to use their tools in a GDPR-friendly way as far as email is concerned. They also outline steps they are taking on their end to ensure compliance.

 

So, Is GDPR Compliance a Serious Concern?

Yes

There is no transition period or phases. Once this goes live, you’re either in compliance or you’re not.

Technically, the regulations have been in the pipeline for some time now. They took more than 4 years to create.

But as the deadline looms closer, businesses are showing increased interest.

And for good reason…

Top tier offences carry a maximum fine of the greater of €20 million or 4% of the previous year’s global turnover…

Offenses involving sensitive personal data carry the stiffest penalties.

However, current coverage from experts at Digiday indicates that unless there is a serious violation or blatant disregard for the new regulations, most supervisory authorities (the national data protection regulators that enforce the GDPR) will give businesses time to adapt their existing sites and make allowances for businesses that show effort in meeting requirements before doling out major penalties.

So while it might not be the immediate “marketing armageddon” some coverage makes it out to be, we still feel that there is a lot that’s unknown about how the regulations will work once live.


Moreso, if things really are the worst case scenario some think it might be, there are major questions about viability for small businesses with an online presence and smaller eCommerce operations in meeting regulations.

Regardless of how things turn out, the regulation is already law; only its application date is pending. It will impact a huge number of sites from around the world.

 

Alright, So What Do I Need to Do?

So how can you comply and avoid potential fines?

And what do you have to do to bring your sites in line with the regulations?

Regulations focus on four major principles:

  1. Control of personal data (Right to Be Forgotten)
  2. Greater transparency in personal data collection and usage (Right to Access)
  3. Improved consent on personal data collection and usage (Consent)
  4. Increased responsibility on personal data security and storage (Privacy by Design)

Each of these principles creates its own concerns for various aspects of your site.

While flexible, the ambiguity of many GDPR requirements means there’s no single way to recommend reaching compliance goals.

Instead, most experts are recommending that you start approaching it from an overall compliance standpoint and then address individual elements as needed.

  • Audit the personal information you collect and how it’s used
  • Determine what information is actually needed and don’t collect low value information
  • Provide exact information on both what you collect and how you intend to use it
  • Make sure consent is explicitly granted where consent is the basis you rely on
  • Give users control of their data
  • Develop security protocols and report breaches promptly: the regulation requires notifying the supervisory authority within 72 hours of becoming aware of a breach (Article 33), so you need a way to detect one and a plan for who does what

Auditing your existing information collection practices and consent notifications is the best place to start.

This will give you an overall view of how much work you must do to comply with new regulations.

 

Okay, How Do I Accomplish This on My WordPress Site?

There’s no single WordPress plugin you can install or task you can perform that will instantly make a site GDPR compatible.

While exact answers on how to best approach GDPR compliance will differ based on the features on your site’s pages, plugins you use, and the information you collect, there’s a few universal things you can do to help ensure compliance.

Just remember, we’re not lawyers.

We can’t promise that following this list will make your site 100% compliant.

But we can promise that as of the time of writing, the information provided below is accurate and will work to at least start bringing your site into compliance with these new and complex regulations.

 

#1. Add Consent to the WordPress Core with Plugins

While likely to be addressed before the GDPR deadline, there are certain parts of WordPress that do not natively adhere to requirements.

A major example of this is the comment system.

Submitting a comment records the commenter’s IP address and browser user agent at a minimum. In many cases, it also includes an email address and name.

All of this is personal data.

This means you need a lawful basis to store the information (consent is the obvious one, though legitimate interest, such as spam prevention, may cover some of it), you must tell commenters what you keep and why, and you must delete comments and user data upon request in a timely manner.

User registration is similar. In most cases, you’ll need at least an email address. From there, options can extend to everything from names to phone numbers and addresses depending on what you require.

All of this must be consented to by the user, stored securely, and monitored.

Should they wish to delete their account, you can either provide an option to do this themselves through a plugin or provide contact information to request deletion.

There’s already a market forming around WordPress plugins and services designed to address these specific concerns.

While most GDPR plugins are still in their early stages, the plugins in this category allow you to alter various aspects of WordPress, such as adding a consent checkbox to the comment and registration forms, to comply with the new regulations.

Some even work with other third-party plugins, such as Gravity Forms, WooCommerce, and Contact Form 7 for greater flexibility.

Just be sure to check WordPress updates after the May 25 deadline.

Some of these features may be rolled out in within WordPress itself by then.

If so, you can likely delete the plugins. But until then, they’re a simple way to boost your compliance.

 

#2. Audit Your WordPress Plugins

Many WordPress plugins set their own cookies, store information in your database, or transmit data to or from third-party servers.

It’s important to ensure that every plugin or service used on your site also complies with GDPR regulations.

Many plugin authors have already written blog posts to explain any potential compliance concerns regarding their plugins and provide a timeline of when (or if) you can expect them to be fully compliant.

If you can’t find any information on the developer’s site, sending an email to their support should yield more answers.

If you can’t confirm before the deadline whether a plugin you use is compliant, it may be easier to replace it than to customize the existing plugin yourself.

In many cases, looking up the plugin by name in the WordPress Plugin Repository will yield alternatives.

Checking reviews and the number of active installations can further help you to narrow down your options.


 

#3. Overhaul (or Set Up) Cookie Notifications

Cookie notifications are already a fairly common feature to anyone conducting business in the EU.

But if you simply slapped a bar up that says “we use cookies” and an accept button, that will not cut it under new regulations.

As part of the GDPR’s emphasis on consent, you must state exactly what types of cookies you use and how you use them.

You also need to give visitors more than a single “accept” button: a way to decline, or to choose which categories of cookies (for example analytics or marketing) they allow. Strictly necessary cookies, such as a session cookie or the one that remembers the consent choice itself, do not need consent. A link to your privacy policy for more details helps with the “informed” part.

You also cannot imply consent. This means that using scrolling as a trigger for acceptance or loading cookies before visitors explicitly accept them is a compliance concern.

There are many cookie notification plugins available on the WordPress Plugin Directory. However, few allow for opt-in cookie consent.

Cookie Notice by dFactory appears to allow both opt-in cookie consent and blocking of cookies should users fail to opt in — both key elements of GDPR regulations. Better still, it’s free…

If you don’t mind digging into your site’s code, Cookie Consent by Insites offers similar features in a free and open source Javascript snippet. Just a few cuts and pastes and you should be good to go.
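The blocking behaviour described above, as an added example written for this article (it is not code from the Cookie Notice or Cookie Consent projects): nothing non-essential runs until a recorded opt-in exists, and cookies from categories the visitor did not accept are flagged for removal. The cookie name `cookie_consent`, its JSON layout, the version number, the script registry and the per-category cookie names are all assumptions made for the example; the cookie jar is passed in as a string so the logic runs unchanged in Node or against `document.cookie` in a browser.

```javascript
// Added example, not from the original article. Assumptions: consent lives in
// one first-party cookie named "cookie_consent" holding JSON such as
// {"v":1,"analytics":true,"marketing":false}; scripts are registered with a
// category and a load() callback that injects the tag.

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 1; // bump when the notice changes; older consent no longer counts

// Non-essential cookies each category is known to set, so they can be purged
// when that category was declined. Names are illustrative, not a vendor's full list.
const CATEGORY_COOKIES = {
  analytics: ["_ga", "_gid"],
  marketing: ["_fbp"],
};

function parseCookieHeader(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Returns the stored choice, or null when there is none, it is malformed, or it
// predates CONSENT_VERSION. "No record" must mean "no consent": silence,
// scrolling and a stale banner are not opt-in.
function readConsent(cookieString) {
  const raw = parseCookieHeader(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    return parsed && parsed.v === CONSENT_VERSION ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Builds the Set-Cookie value for an explicit choice the visitor just made.
// Unticked categories are stored as false, never assumed true.
function consentCookieValue(choice) {
  const value = JSON.stringify({
    v: CONSENT_VERSION,
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
  });
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Runs the loaders of scripts that are essential or explicitly consented to and
// lists the cookies that should be deleted because their category was not accepted.
// scripts: [{ name, category, load }]
function applyConsent(cookieString, scripts) {
  const consent = readConsent(cookieString);
  const allowed = (category) => category === "essential" || (consent !== null && consent[category] === true);
  const loaded = [];
  for (const s of scripts) {
    if (allowed(s.category)) {
      s.load();
      loaded.push(s.name);
    }
  }
  const jar = parseCookieHeader(cookieString);
  const purge = [];
  for (const [category, names] of Object.entries(CATEGORY_COOKIES)) {
    if (allowed(category)) continue;
    for (const n of names) if (n in jar) purge.push(n);
  }
  return { loaded, purge };
}

module.exports = { parseCookieHeader, readConsent, consentCookieValue, applyConsent };
```

In a browser you would call `applyConsent(document.cookie, scripts)` on every page load and, for each name in `purge`, overwrite the cookie with `Max-Age=0` on the same path and domain it was set with. The version check is what makes “periodically renew consent” workable: change the notice, bump `CONSENT_VERSION`, and every visitor is back to opt-out until they choose again.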

 

#4. Update Your Mailing Lists to Comply with GDPR

Most marketing gurus recommend keeping things as simple as possible regarding lead capture forms.

The less steps a visitor needs to take to complete your form, the better the chance they’ll bother doing so.

To help with this, many forms include pre-checked boxes for consent to contact for mailing lists or other marketing means.

This will no longer work.

GDPR requires explicit, informed consent.

That means that not only will pre-checking the box create a violation, but you must also explain what you plan to do with the information.


Your Marketing Department’s worst nightmare? Maybe.

Plus, you may need to periodically renew the consent on your mailing list should you shift the focus of your campaigns.

Changing mailing list providers, business partners, or who has access to the data you collect might also require updating consent.

Many sites also recommend the double opt-in method (the subscriber confirms by clicking a link emailed to them). The GDPR does not literally require it, but it gives you a timestamped record that the person who owns the address actually agreed, which is the kind of evidence you must be able to produce.

If you’re in Canada, express consent with a record of it was already required by the Canada Anti-Spam Legislation (CASL), so double opt-in is likely already in place.

 

#5. Adjust Your Contact Forms to Meet Compliance

If you’re using contact forms to collect information, you’ll also need to explain why you need the information you request.

This means that a trend toward simpler forms is likely.

The less information you collect, the less you need to worry about explaining.

And, as with your mailing list sign ups, don’t forget to be transparent about consent and outline how you’ll use the data if you’re also using the information for marketing purposes.


Whether you’ll be sending out emails, SMS messages, using information in testimonials, or storing it for future use, you need to be specific and — if possible — provide granular consent options so that users can pick what they agree with.

Most popular mailing services, such as MailChimp, allow you to include a preferences button in your emails to allow users to easily opt in and out of your various campaigns and lists.

You’ll also want to make it easy for people to completely unsubscribe from lists and remove their information from your databases.

If they do ask to be removed, you cannot just stop emailing, messaging, or calling them.

You must remove their data completely, unless another legal obligation requires you to keep part of it (order records kept for tax purposes are the usual case), in which case you keep only that and tell the person why. Most mailing providers also keep a minimal suppression entry for an unsubscribed address so it is not re-imported later; check how yours handles deletion requests.

Failing to do so could result in fines.

 

#6. Add Data Control to User Accounts

Adding website features such as community forums or user reviews are popular ways to boost conversions and drive sales.

However, most of these features would require users to submit an email address or name in order to create an account. This is considered personal information under GDPR.

That means you must both notify users of how you plan use the data they provide and get their consent to do so.

Regulations also require that users must be able to delete their information or have it deleted promptly upon request.

So whether your site is using basic WordPress features, such as blog comments, or a more complex plugin such as WooCommerce or BuddyPress, compliance requires that you are familiar with the way the features you use store information and where you can remove a user’s personal information should they make that request.

We expect that many big plugins and the WordPress core will eventually offer this as a baked in feature. WordPress 4.9.6, released in May 2018, added “Export Personal Data” and “Erase Personal Data” tools under the Tools menu that gather and remove what core (users, comments, media) holds about an email address; plugins must hook into those tools for their own tables to be covered.

Until your plugins do, unless you can find a third-party plugin or service that will do it for you, you’re stuck manually digging through your various database tables.

For basic data deletion, Delete Me is a third-party plugin designed to delete user accounts within WordPress — and any blog posts or comments attached to them.

 

#7. Update Your Privacy Policies

While already a questionable practice for all but the most basic of sites, the days of boilerplate privacy policies are likely dead with the onset of GDPR.

Much like with cookie notifications, it’s no longer enough to state you collect information for analytics, marketing, or other uses.

You need to break down the exact information you collect, the services you use to process or store said data, and provide a means for users to access or delete the data you have stored that is associated with them.

For some good examples of privacy policies created with GDPR in mind, check out:

While a lawyer experienced with both your business type and online privacy policies in regards to the GDPR is your best option for ensuring a comprehensive, effective set of legal policies, you can also use third-party sites to help you generate something more valid than the typical boilerplate option.

We recommend Iubenda.

With both free and paid options, they can likely handle the concerns of even complex sites and produce a privacy policy that documents your actual data flows with far less back and forth than consulting a legal expert. A generated policy is only accurate if the answers you feed it are, so do the information audit first.

 

#8. Talk to A Lawyer or GDPR Expert

With the potential penalties at stake, assuming your efforts to comply with the GDPR are good enough could be a costly mistake.

Especially if you are a bigger business collecting lots of data…

Then there’s the off-site considerations, such as the third-party services processing and storing data for you.

Once you have an idea of how to proceed, we recommend consulting with an expert to ensure that you’ve covered all the requirements and that the changes you put in place — or plan to put in place — will cover any possible liabilities.

 

Any Other Options?

The vague wording of many requirements leave many businesses questioning the liabilities involved.

Because of this, some are considering if it wouldn’t be wiser to simply not service EU visitors instead.

Establishing geoblocking through a CDN like Cloudflare, or using this script (created specifically for the purpose) may be options for this.

On the marketing side, Drip wrote up a guide that walks you through excluding EU residents from their mailing list platform.

However, blocking still doesn’t completely eliminate the risk of contact or transmission of personal data from EU residents.

So, if you’d rather try to comply, this guide offers a solid starting point for achieving compliance.

 

Final Thoughts

Overall, the concepts behind the regulations make sense given the increased number of breaches and questionable information gathering stories in the news.

However, many of the new regulations conflict with the popular trends and best practices currently used by website owners and marketers.

This may pose a serious headache for website operators — particularly if all the interpretations of the new regulations turn out true and the EU is aggressive in enforcing them.

Regardless of what changes are made to the WordPress software to help with compliance, companies and organizations will need to assume responsibility for their own compliance, as these regulations extend far beyond the core of WordPress.

Because of this, we’d still recommend consulting a legal expert familiar with the GDPR before considering your efforts complete and your site compliant.

“Everyone needs to be working in implementations for their own businesses and sites in any case ahead of deadline day, in addition to any changes that need to be made in the WP code. It’s important to remember that GDPR compliance is not a tick box you can squeeze in next April. This is about your processes, your workflows, and your systems of accountability. Start now.” ~ Heather Burns

 

Helpful Tools

We’ve said it before and we’ll say it again, these new regulations are complex.

How people are interpreting them and frequent updates to both website software and plugins makes for a somewhat fluid situation.

If you’re looking for additional resources on meeting GDPR compliance, you can also consult the official EU GDPR portal for full copies of all regulations, handy summaries, and additional resources. They also list partners available to help businesses meet GDPR requirements.

Don’t feel like sorting through pages of complex legal speak and confusing phrasing?

Check out The Ultimate GDPR Quiz.

With just a few clicks, you can find out what impact these new regulations might have on your site, where to focus your efforts, and some basic actionable tips.

 


 

Additional Resources

For additional takes on what these regulations mean, extra resources, and some alternative suggestions, check the resources list below.