You might have heard of the term “GDPR” being discussed around the web. It’s still a pretty hot topic, especially with all that is going on with data breaches and security in the news. To put it simply, GDPR is a privacy law designed to give citizens back control of their personal data. Hands down, GDPR is impacting how the entire internet deals with data. The scary part is that the deadline was May 25th, 2018 and many questions regarding GDPR are still plaguing people:
- What exactly is GDPR? In layman’s terms.
- Does GDPR impact me?
- What do I need to do for GDPR compliance?
Many have a tendency to put off what they don’t understand. Taxes are a good example. For a lot of us, GDPR has simply been a lower priority on our checklists. But the GDPR deadline has come and gone, and you really should take a few moments to determine whether or not you need to make changes to the way your business and/or website operates. If you don’t, there could be hefty fines involved.
Don’t worry, we’ll try and explain everything you need to know about GDPR below, as well what you can do to prepare. But we aren’t lawyers, so we’ll try not to bore you with all the legal details.
Please note that this post is for informational purposes only, and should not be considered legal advice.
What is GDPR? In Layman’s Terms
GDPR stands for the General Data Protection Regulation. It’s a privacy law that was approved on April 14, 2016, by the European Commission to protect the rights of all EU citizens (28 member states) and their personal data. This replaces the 95/46/EC Directive on Data Protection of 24 October 1995 and is much more extensive than the Cookie Law of 2011 (soon to be replaced by the new EU ePrivacy regulation, which goes hand in hand with GDPR). The rollout plan for the regulation was set for two years, and the deadline was May 25th, 2018.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years… (Source: EU GDPR)
If you want to read the extensive official PDFs of the regulation (11 chapters, 99 articles) we recommend checking out gdpr-info.eu, as they have everything in a neatly arranged website.
There are a few key terms to get a handle on:
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- Personal data is any information that can be used to identify an individual, even indirectly by combining that information with other information.
What is Processing?
If personal data is accessed or stored or used in any way, that is considered processing. The full GDPR definition of processing includes all of the following actions taken on personal data as constituting processing of that data: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission, disclosure, dissemination, combination, alignment, restriction, erasure, or destruction.
Basic Principles of GDPR
There are seven basic principles that apply to the controller under GDPR:
- Data has to be processed lawfully, fairly, and transparently. This requires that consent is given.
- Personal data has to be collected for a specific, explicit, and legitimate purpose and only used for that purpose.
- Personal data must be adequate, relevant, and limited to what is necessary for the purpose.
- Personal data must be accurate and kept up to date.
- Personal data should only be kept in identifiable form for the shortest period possible.
- Personal data should be processed in such a way that ensures the security of the data.
- The controller is responsible for being able to demonstrate compliance with these principles.
Individual rights under GDPR
Individuals with protection under GDPR (EU citizens) have seven rights under GDPR that the processor must be prepared to uphold:
- A right to be informed: Gives a person the right to know what information is being stored about them.
- A right to access and portability: A person can request their information in an easily downloadable format at any time, as well as use or transfer the data to another service. (Art. 20)
- A right to rectification.
- A right to be forgotten: Allows a person to request that the personal information held about them is completely erased (unless there is a valid reason to keep it, such as a bank loan). (Art. 17)
- A right to restrict processing.
- A right to object.
- A right to fair treatment when subjected to automated decision making and profiling.
Additional GDPR Notes
Unfortunately, not everything is always black or white when it comes to things like this, so here are a few additional things to keep in mind:
- Applies to any personal data (PII – any data that relates to or can be used to identify someone).
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, social security number, location data, an online identifier (IP address or email address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It also controls what can be done with the personal information (Art. 4).
- Applies to any sensitive personal data such as race, ethnic origin, sexual orientation, and health status. (Recital 51, Art. 9)
- Privacy by design and default: Makes sure that personal information is properly protected. New systems must have protection designed into them and access to the data is strictly controlled and only given when required (Art. 25).
- If data is lost, stolen or is accessed without permission, the authorities must be notified within 72 hours (Art. 33) along with the people whose data was accessed (Art. 34).
- Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed.
- Allows national authorities to impose fines on companies breaching the regulation.
- Parental consent will be required to process the personal data of children under the age of 16 for online services; can vary per member state, but it will not be below the age of 13 (Art. 8).
Who Does GDPR Impact?
While the new GDPR regulations were designed to protect the rights of EU citizens, it essentially impacts everyone on the web. That’s right, everyone! This is regardless of where a business is established or where its online activities take place. If your website is processing or collecting data from EU citizens, then you must abide by the GDPR regulations.
Here are just a couple examples of websites located outside of the EU that are impacted:
- A WordPress community site that collects personal information for each user profile.
- A WordPress theme shop that has customers sign up for accounts to purchase themes or plugins (sales and billing data).
- A WordPress blog that has a newsletter subscription widget or lets visitors comment.
- An ecommerce (WooCommerce or Easy Digital Downloads) store that sells products online.
- A WordPress site that uses analytics software.
You can probably see where we are going with this. Unless you’re explicitly blocking all EU traffic, which most of you probably aren’t, then your site falls under GDPR regulations.
If you’re wondering whether your company is already GDPR compliant, the team over at Mailjet created a handy GDPR quiz. We also recommend checking out The GDPR Checklist.
Consequences of Not Complying with GDPR
According to data.verifiedjoseph, as of March 20, 2019, 1,129 websites are still not available in the European Union after GDPR was put into effect. 😱 Many of these include large news organizations.
Why? Because they haven’t been able to comply with the technical implementations of GDPR and therefore don’t want to face fines. So they have simply blocked traffic from the EU altogether.
If your business doesn’t comply with GDPR you can get sanctioned up to 4% of the annual worldwide turnover or fined up to €20 million (the higher of the two), per infringement. There is also a tiered approach to fines. For example, a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. (Art. 83)
In January 2019, France’s data privacy watchdog slapped Google with a $57 million fine under GDPR. And as of February 2019, there have been over 59,000 reported data breaches and 91 fines.
Crazy stats after 1 yr of GDPR:
* ~$60m in fines
* compliance costs for US firms estimated at $150b (2500x fine amount!)
* small co's hurt more than large. GOOG actually benefits!
* VC $ invested in EU startups drops significantly
Regulatory success! 🙄 https://t.co/HbSoKlRRZz
— Leo Polovets (@lpolovets) May 25, 2019
Check out the GDPR fines tracker over at Privacy Affairs for the latest stats. Needless to say, if you’re a small ecommerce shop or WordPress developer these fines could be devastating!
How to Make Your WordPress Site GDPR Compliant
Now for the reason you’re probably all reading this blog post, and that is how to make your WordPress site GDPR compliant. Unfortunately, unlike our normal tutorials, we can’t give you a simple step by step tutorial as becoming compliant varies per site. But here are suggestions to get on the right track, as well as additional things to be aware of.
1. Hire a Lawyer
If you have any concerns about GDPR compliance (which most of you probably do) we always recommend hiring a lawyer, even if it’s just temporarily. This is one of those areas we strongly urge you to not try and tackle on your own. A lawyer can provide you with legal advice specifically tailored to your situation. If you get this wrong, it could result in hefty fines.
2. Review Your Data Collection and Processing Workflow
We recommend going through your entire WordPress site and determining where data collection and processing occurs, as well as where that information is stored, and for how long. This includes things such as:
- Collecting personal information on an ecommerce checkout page or WordPress registration page.
- IP addresses, cookie identifiers, and GPS locations.
- Various services such as Google Analytics, Hotjar, etc.
After you pinpoint all of these you need to confirm that you’re asking for the visitor’s permission, as well as disclosing how the data collected is used.
3. GDPR Project Has Been Merged into WordPress Core for Developers
Dejlig Lama & Peter Suhm originally started working on a project called GDPR for WordPress. This was going to provide plugin developers with a simple solution to GDPR validate their plugin and offer website administrators the overview and tools to handle the administrative tasks involved with being GDPR compliant. However, the great news is that this has now become part of WordPress core.
To see what was done, you can check out the GDPR Trac tickets as well as the roadmap for GDPR compliance. This was just as important for WordPress users as it was for developers, as GDPR compliance is a two-way street. WordPress users needed new features built into plugins they were already using such as checkboxes, prompts, etc. to make sure they are compliant when collecting data.
4. Update All Legal Documents
With GDPR it’s now time to update your terms and conditions pages, privacy pages, affiliate terms, as well as any other legal documents or agreements you might have. You can no longer have forms without checkboxes, unless they fall under lawfulness of processing. In other words, there must be a way for the user to specifically consent. Gone are the days of just throwing terms in a link at the bottom and assuming the user will read them.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. (Source: EU GDPR)
Again, this is an area we recommend roping in a lawyer. If you’re just running a simple blog, at least use a tool like iubenda or something similar to generate stronger privacy policies.
A new privacy page feature was added in WordPress 4.9.6. You can now designate a privacy page on your site and it will show on your login and registration pages. We also recommend putting it in your footer.
Here is an example of the default privacy policy page now generated by WordPress. This should be used as a template and/or starting point; it won’t have everything your site needs.
5. Offer Data Portability
According to Art. 20, any business that collects data must also offer the user the ability to download it and take/transfer the data elsewhere.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Make sure you have a system in place to provide a user with a downloadable file of their data if requested (.csv, .xml, etc.). If you can’t currently offer this, you might want to hire a WordPress developer.
New features regarding data handling were added in WordPress 4.9.6. Site owners can now export a ZIP file containing a user’s personal data as well as erase a user’s personal data. There is also a new email-based method that they can use to confirm personal data requests.
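To show how a plugin hooks its own data store into those core export and erase tools, here is an added example (not Kinsta’s code and not WordPress core’s) for a hypothetical newsletter plugin. The custom table, its columns, and the `example_newsletter_*` names are assumptions; the two filters and the callback shapes are the ones WordPress core provides.

```php
<?php
/**
 * Added example (not Kinsta's or WordPress core's own code): a hypothetical
 * newsletter plugin that stores sign-ups in a custom table and registers with the
 * Tools > Export Personal Data and Tools > Erase Personal Data screens added in
 * WordPress 4.9.6. The table name and column names are assumptions.
 */

// Register the exporter so a confirmed export request also includes this plugin's records.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Example Newsletter Sign-ups' ),
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

/**
 * Core calls this with the requester's email address and a page number, repeating
 * until 'done' is true. It returns every record held about that person, grouped
 * for inclusion in the export ZIP.
 */
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( (int) $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'example_newsletter'; // assumed custom table

    $rows = (array) $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, consent_text, consented_at, ip_address FROM {$table}
             WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => __( 'Newsletter Sign-ups' ),
            'item_id'     => 'newsletter-signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email' ), 'value' => $row->email ),
                // The exact consent wording and timestamp are the plugin's record of consent;
                // exporting them lets the data subject see what they agreed to and when.
                array( 'name' => __( 'Consent wording' ), 'value' => $row->consent_text ),
                array( 'name' => __( 'Consented at' ), 'value' => $row->consented_at ),
                // An IP address is personal data too, so it belongs in the export.
                array( 'name' => __( 'IP address' ), 'value' => $row->ip_address ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a short page means there is nothing left to fetch
    );
}

// Register the eraser so a confirmed erasure request also removes this plugin's records.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Example Newsletter Sign-ups' ),
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

/**
 * Deletes the requester's sign-up rows and reports back in the structure core expects.
 * If a legal duty (such as the loan example above) requires keeping a record, set
 * 'items_retained' to true and explain why in 'messages' instead of silently keeping it.
 */
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_newsletter'; // assumed custom table

    // wpdb::delete() returns the number of rows removed, or false on a database error.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => false !== $deleted && $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true, // all matching rows are removed in one pass, so no paging needed
    );
}
```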
6. Self-Certify Under Privacy Shield Framework
Due to the fact that many websites collect data from all over the globe and with tighter restrictions on personal data, many companies are now certifying under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Read more about the benefits of self-certifying under the Privacy Shield.
7. Encrypt Your Data / HTTPS
In terms of encryption, there are different parts to this: encryption of your web traffic (HTTPS) and encryption where your data is stored. We always recommend you encrypt your web traffic, regardless of GDPR. The benefits of moving to HTTPS far outweigh the cons and that is where the web is headed.
The term encryption itself is actually only mentioned a few times in the GDPR and is not necessarily mandatory.
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption (Recital 83).
So while it appears encryption is not legally required to comply with GDPR, it’s highly recommended, as you are responsible for the data. If you’re using a WordPress host like Kinsta, we are powered by Google Cloud Platform which means all data is encrypted at rest. Read more about GDPR encryption.
8. Check Your WordPress Themes, Plugins, Services, APIs
Any WordPress plugins or theme-specific features you have installed that collect or store personal data must be updated for your site to be fully GDPR compliant. If you’re a WordPress developer, hopefully you have already made GDPR changes for users. We’ll include some popular plugins and configurations below, along with direct links to how they’re handling GDPR.
Contact Form Plugins
One of the easiest ways to comply with GDPR is to simply add a required checkbox to your contact form that allows the user to consent that their submitted data is being collected and stored. However, the important part here is “easiest.” Not all contact forms necessarily need consent. This can fall under what is called lawfulness of processing.
- Gravity Forms GDPR
- NinjaForms GDPR
- Contact Form 7 GDPR (Best free solution: WP GDPR Compliance plugin. Best premium solution: Contact Form DB 7 addon.)
Check out additional WordPress contact form plugins.
Comment Plugins
Even comment plugins are collecting personal information. So just like with contact forms, one of the easiest ways to make sure you are compliant is to add a consent checkbox. But again, this can fall under what is called lawfulness of processing.
- WordPress native comments
- Disqus GDPR (currently working towards compliance)
- Jetpack GDPR
A consent checkbox was recently added to native comments in the latest WordPress 4.9.6 Privacy and Maintenance Release (as seen below).
Marketing Plugins and Services
Everything from newsletters plugins, survey plugins, quiz plugins, push notification plugins, and your email marketing software is impacted by GDPR.
- MailChimp GDPR
- MailerLite GDPR
- ActiveCampaign GDPR
- AWeber GDPR (Check out their post on how to keep GDPR records of consent for subscribers)
Analytics, Tracking, Remarketing
This covers any third-party service or plugin that collects data, including Google Analytics, A/B testing plugins, heat map services, remarketing platforms, etc. In regards to Google Analytics itself, it may be advisable to anonymize the IP.
As of April, Google launched new data retention settings for Google Analytics. These controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers. You can access these settings under Admin → Property → Tracking Info → Data Retention.
Do you need a cookie prompt if you’re only using Google Analytics reporting and not display advertising? It depends. Check out this great post from Jeff on GDPR Compliance with Google Analytics – Do You Need Cookie Consent?
eCommerce Solutions and Payment Processors
Any type of WordPress eCommerce solution is of course heavily impacted by GDPR as these collect sales data, personal information, user account data, and have integrations with third-party payment processors.
- WooCommerce
- Easy Digital Downloads (currently in discussion)
Beyond the documentation above, we also highly recommend checking out this great blog post on 12 ways to make your WooCommerce website GDPR compliant.
Community Plugins
Community plugins, forum plugins, and membership plugins often store additional personal information beyond what the integrated WordPress signup process collects.
- bbPress GDPR (currently in discussion)
- BuddyPress GDPR (currently in discussion)
Third-Party APIs
Even third-party APIs collect data. A good example of this is Google Fonts. Most of you are probably using Google Fonts, whether it’s baked into your WordPress theme or you manually added it. You really have to look into each API and find out what data the provider is collecting. In some cases, data collection is allowed on a lawful basis without consent (Recital 49).
This can be a lot of work and downright confusing as some companies, even Google, might not provide simple yes or no answers. Check out this conversation between developers on whether or not Google Fonts are GDPR compliant. You could always host your Google fonts locally on your own CDN and this then resolves the issue.
We’ll keep this post updated, as some WordPress plugin developers are currently working on adding GDPR compliance features. Even scarier, many haven’t started yet. If you have concerns regarding a plugin you have running, check with the developer directly to see how they plan to handle GDPR.
Lawfulness of Processing
While simply asking for consent as shown above is the easiest way to comply with GDPR, it’s not the only way. In fact, in some cases, data processing is permitted without consent due to the term known as lawfulness of processing. Here are just a few examples:
Contractual Necessity
Data processing is permitted if it’s necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. (Art. 6 (1) b)
Legitimate Interest
Data processing is permitted when it’s necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Art. 6 (1) f)
Note: This does not apply to processing carried out by public authorities in the performance of their tasks.
For further examples, we recommend checking out the post on Lawful Basis for Processing by White & Case LLP.
Helpful GDPR WordPress Plugins
Below are a few helpful plugins we also recommend checking out that can help:
- WP Security Audit Log: One of the best ways to really see what’s going on with your WordPress site. We usually recommend this for security reasons but it can be an excellent way to see what is collecting data, such as user registrations, comments, contact form entries, etc.
- WP GDPR Compliance: This plugin assists website and webshop owners by providing common tips to comply along with integrations with some popular plugins such as Gravity Forms, Contact Form 7, WooCommerce, and WordPress native comments.
- GDPR: Another plugin that assists you in getting compliant. Features terms of service & privacy policy registration consent management, rights to erasure & deletion of data with a confirmation email, data processor settings and publishing of contact information, right to access data from admin dashboard and export, cookie preference management, and much more.
- GDPR Cookie Compliance: Allows users to give consent for specific cookie purposes with the ability to enable and disable cookies at a granular level.
- iubenda Cookie Solution for GDPR: This plugin is an All-in-One approach that helps to make your website GDPR compliant by generating the privacy policy text, the cookie banner, and the blocking management of cookies. It also automatically scans your site to auto-configure the solutions needed. Finally, you can also capture, store, and manage GDPR content records for your webforms and also translate documents with a single click (10 languages supported).
- Complianz GDPR: This plugin pretty much does everything you need for GDPR compliance! It automatically detects if you need a cookie warning, integrates with Google Analytics (you might not need a warning), scans your site for cookies, has the ability to block cookies, generates a cookie policy, and much more.
- GDPR Cookie Consent: This plugin helps to display a cookie consent notification on your WordPress site. It only allows the cookies to be installed on the user’s browser when they have given explicit consent. The users can also reverse their consent at any time. In addition, the plugin offers multiple customization options to style the consent bar according to your site’s theme.
We Built Our Own WordPress Cookie Consent Plugin
Due to the fact that every business and website is different, it’s almost impossible for a third-party plugin to guarantee legal compliance.
This is exactly why we ended up building our own GDPR cookie consent plugin. This way visitors to our site could easily customize everything based on scripts and cookies we have running. This ensures we are fully GDPR compliant.
We separated our cookies into two categories: Necessary cookies (which load by default, but don’t collect PII) and marketing cookies. A user can click on each one and separately choose if they want to accept them or not.
We will be writing a blog post about how we built this solution, so stay tuned! Otherwise, you could always hire a WordPress developer to build one specifically for your site’s needs.
GDPR Audit
Beyond confused? 😦 Don’t worry, GDPR can be a lot to wrap your head around and it’s a massive change in regards to personal data collection. If you’re concerned about your own WordPress site, it might be wise to invest in a GDPR audit by an expert, preferably one that works solely with WordPress. We recommend checking out the GDPR Audit from GreyCastle Security.
Changes Kinsta Made for GDPR
Due to the fact that Kinsta was founded in Europe, we’ve had tighter restrictions on our data from the very beginning. But as every company needs to do, we had to revisit each of our policies with our legal team regarding data processing, collection, and storage.
As you saw above, this included looking at our WordPress site and building our own cookie consent solution to ensure we were fully compliant by the deadline.
Kinsta utilizes Google Cloud Platform which is fully committed to GDPR and we have reviewed all of our third-party vendors and integrations to arrange for similar GDPR-ready data processing agreements.
A few changes we’ve implemented include:
- Offering new ways to comply with data portability.
- Data Processing Addendum.
- Kinsta is a member of the EU-U.S. and Swiss-U.S. Privacy Shield Framework.
As a Kinsta client, you are referred to as a data controller. This means you are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR.
Summary
As you have probably grasped by now, GDPR is a really big deal! It’s impacting almost every WordPress site on the web. The deadline has come and gone, therefore we encourage everyone to take the time, do your research, and ensure your site is fully compliant. If you don’t, you could be looking at some pretty hefty fines!
Got any questions about GDPR and WordPress? Drop them below in the comments. Or if you know of another popular WordPress plugin that is already GDPR compliant let us know and we’ll add it above!
Hi Brian!
This article is really wonderful as it contains every detail about GDPR.
I am seriously reading all articles on kinsta with WordPress. I run a blog on blogger. Time has come that I should shift it to WordPress. I have already developed a liking for kinsta but cost is coming on its way.
But I have decided to do it on kinsta and it may take little more time but it shall be kinsta.
Thanks and regards,
Kalyan Ghosh.
Hi Brian,
great article, and timely :-) The resource list is awesome and as I’d expect Kinsta is on the ball.
Now, I have a question re GDPR. As a Data Controller hosting my sites on Kinsta, as I understand it Kinsta is then a sub contractor in this process and is thus a Data Processor on my behalf. Which means we need a Data Processing agreement which I can keep on record as the Data Controller for my business and sites.
Is this something Kinsta is happy to provide..?
I’m also glad to see you are in Europe and I also chose London as my server location with GDPR in mind (as well as a good UK/EU customer base in prospect).
cheers,
Iain
Hey Iain,
Glad the post was helpful. Yes, Data Processing agreements are something we are working on for the upcoming GDPR changes.
Brian!
Excellent article. I run a very small WordPress site on Kinsta. And, I now understand that I have a big batch of work to do. I do heartily endorse privacy concerns. And, once these GDPR, and like regulations, begin to settle out (in a few years?), I think that the internet will become a more welcoming universe.
Thanks,
Orrin Smith
Well, that was my first-blush response. I remain thoroughly thankful to Kinsta for the continuing posts of valuable information that lead me to explore issues. However, now that I have explored GDPR, read much, and implemented some changes to my small website, I have acquired some skepticisms about the whole value of GDPR, and related privacy issues.
I am from India, and our site is also based in India. So, GDPR applies to us if we have users from Europe?
Yes, GDPR impacts everyone that collects personal data from European visitors, regardless of where your site is located.
Actually, GDPR applies if European users are just able to visit your website. Already in this case access logs and such are saved. By definition the IP address (usually part of such logs) is also treated as personal data and therefore it is nearly impossible that GDPR doesn’t affect anyone.
Hey GDY,
Yes, by data collection this includes IP addresses. In the post above we have stated, GDPR essentially impacts everyone on the web.
Hi,
as many companies have done in Sweden, we have produced our own Data Processing Agreement that we try to get all our affected suppliers to sign. Will Kinsta accept customers’ own Data Processing Agreements or will you only accept an agreement provided by Kinsta? And if only Kinsta-provided agreements, when will there be one ready?
Br
Lars
Hey Lars,
We are working on our Data Processing Agreements for the upcoming GDPR deadline. Stay tuned for updates!
It’s really confusing, as different websites say different things.
On this page, they say that we don’t need a consent checkbox for contact forms :
https://codelight.eu/wordpress-gdpr-framework/knowledge-base/do-my-contact-forms-need-a-consent-checkbox/
But according to your guide, even if the form is sent to an email inbox, we still need this consent checkbox.
So now I am not sure if I have to do it or not.
Hey Mike, it actually depends.
Notice we say, “One of the easiest ways to comply with GDPR is to simply add a required checkbox.” But it’s not always required and this is where the section about “Lawfulness of Processing” comes into play. Some data collection and processing is allowed under GDPR, but it depends on how you use it. Like they said, if you’re using that data for other things then consent would be needed. Confusing? Yes, but this is where we highly recommend seeking legal advice or getting a GDPR audit done by a professional if you have any questions.
Hopefully, that helps!
Thanks for this guide, very helpful indeed!
There is no mention about HTTPS though.
I read somewhere that encryption would be required for collecting user data, is this correct?
Hey John,
We’ve just updated the article above (see step 7) with our take on GDPR encryption. There are really two parts to this: encryption of your web traffic (HTTPS) and encryption of your data where it’s hosted. GDPR is actually quite vague when it comes to this, as it only mentions encryption a couple times.
Our recommendation is:
1. There are no good reasons not to encrypt your web traffic. We highly recommend moving to HTTPS if you haven’t already. Check out our HTTPS migration guide: https://kinsta.com/blog/http-to-https/
2. If you use a host like Kinsta, we are powered by Google Cloud Platform, which utilizes encryption at rest for all data.
Great, many thanks for this clarification Brian!
Wow. Fantastic article and resource Brian! Much appreciated :)
Hey Brian, will Kinsta users get an email when the contract is available? The 25th is coming closer. :D
Hey Julian, yes Kinsta clients will be receiving an email. Stay tuned!
Don’t forget to update this post for the WordPress 4.9.6 (privacy and maintenance) update.
Best of luck in your GDPR journey!
Thanks Rob! We’ve just updated the post with the changes in WordPress 4.9.6 :) Good luck on your GDPR journey as well.
The new check box in the comments section is helpful regarding cookies, but I’m still unsure about needing a commenters email in the first place. Does this really fall into “lawfulness of processing”?
I honestly don’t even know why WP comments require an email address? By default, it simply gets used for nothing because WP doesn’t have a built-in way for a commenter to receive follow-ups. So yeah, I, and most other WP sites, seem to be pointlessly collecting millions of people’s email addresses for no good reason, and not explaining to people why we’re doing it?
Am I misunderstanding something?
Wow… I just learned about all this, as I only signed up for a domain a week ago. This is pretty overwhelming to say the least. I’ve read several articles that seem to have differing opinions on what is compliant vs what isn’t. If my blog has affiliate links, and I collect emails through something like Mailchimp… are checkboxes and notices in the privacy page considered compliant? I’ve seen there is a yearly fee some need to pay too. I don’t want to do anything illegal but I’m also coming in at the tail-end of this. Needless to say, I’m confused and worried.
Thanks Brian, that’s a great piece of material.
We’re currently transferring our blog to WordPress, so it will be super helpful in keeping ourselves compliant with GDPR :)
I think that Disqus is already GDPR compliant, will be using it for comments.
Thanks for this guide, very helpful.
One question: which WordPress plugin do you use on Kinsta for the cookie notice?
I need one where my user can change cookie settings.
Thanks.
Hey Alessio, the cookie notice you see on the Kinsta site was actually built by our in-house developers. There are a few cookie notice plugins on the repository you might want to check out. And because of GDPR, you can expect to see more popping up.
Thx for the heads-up.
But what about people using the free version of wordpress(.com)? They cannot use plug-ins and don’t even have access via FTP to add configuration code.
Any suggestions are extremely welcome. Thx in advance.
Hey Peter!
That’s a great question. In terms of the free version of WordPress, it will be up to them to push out all the updates in terms of GDPR compliance. This is one reason we, of course, recommend going down the self-hosted route as you have more control.
Thank you for this article. May I know which solution you are using for the cookie bar? Is this a plugin? Any plans to release an article/tutorial in this area? I’m finding it a little confusing.
Thank you
Tom
Hey Tom,
Our cookie solution was created in-house by our developers. Here are a couple plugins that do something similar:
https://wordpress.org/plugins/wp-gdpr-compliance/
https://wordpress.org/plugins/gdpr-cookie-compliance/
Hopefully, that helps!
Hey Brian,
Nice blog as always.
Just want to know your thoughts on Cloudflare and GDPR. I use Cloudflare on 2 of my websites; it’s an excellent service. Want to stick to it.
Hey Junaid,
Cloudflare is a member of the Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0&status=Active) and also provides a Data Processing Agreement. We can’t give legal advice, but you should be good with Cloudflare. I also recommend checking out their GDPR page (https://www.cloudflare.com/gdpr/introduction/) regarding what type of data they collect.
Hi Brian, one thing to add that I didn’t see mentioned here—the need to keep records of consent, including the signup form used, so you’re able to prove exactly what the subscriber signed up to. Aweber have some useful info on it at https://blog.aweber.com/email-marketing/simplest-way-keep-gdpr-records-consent-subscribers.htm
Hey Steve! Thanks for the link. We’ve added it to the Aweber section in the post.
I love your cookie alert bar!
You should publish it as a plugin ;)
Thanks Jim! I agree, our developers did an awesome job with our cookie solution. There are a few plugins out there now that do something very similar. I recommend checking some of these GDPR plugins out: https://kinsta.com/blog/gdpr-compliance/#gdpr-wordpress-plugins
Great article. Good for the new upcoming companies who are yet to implement GDPR.
Hey,
The largest change to date in data privacy regulation law is GDPR. WP GDPR compliance requires that you as a website owner must take care of all PII – Personally Identifiable Information – in order to support the compliance of citizens’ rights.
Hey Michal! Yes, PII is discussed in detail above. Definitely one of the most important aspects of GDPR.
Great article. I love your cookie alert bar!
Hi, Brian
I tried the WP consent plugins and they don’t work with Google Analytics. Analytics cookies are still being set and the site is not compliant with the GDPR requirements. The cookie checker https://2gdpr.com reports that.
What should I do and how can I fix it, if I don’t want to disable GA cookies?
Excellent piece of information!
Just please, remove WP GDPR plugin from the list. It has been closed as of October 23, 2019 due to security issue.
Thank you! We have removed it from the list.
After spending a lot of time researching online, it appears that basically no one meets the privacy laws as intended and I’m not sure we can.
The ICO explicitly says “A consent mechanism that emphasizes ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach”.
So my dilemma is: do I just use any old WordPress cookie notice plugin, or just take my chances (and recommend the same to my clients)?
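As an added example, not code from the article or from any commenter, here is a consent gate of the kind the two questions above are about (analytics cookies being set before any consent is given, and a banner that weights “reject” equally with “accept”). The storage key, the policy version label and the loadAnalytics callback are assumed names; analytics is denied by default, a rejection or a stale policy version keeps it denied, and each decision is stored with a timestamp and policy version so the site has a record of what was consented to.

```javascript
// Added example, not from the article or any commenter: a minimal consent gate
// for analytics cookies. Default is "denied" until the visitor makes an explicit
// choice, "reject" is as prominent as "accept", and each decision is recorded
// with the policy version so it can be produced later.
// Hypothetical names: POLICY_VERSION, CONSENT_KEY, loadAnalytics.

const POLICY_VERSION = "2019-10-cookie-policy"; // hypothetical policy version label
const CONSENT_KEY = "cookie_consent";           // hypothetical storage key

// In-memory stand-in for localStorage so the logic also runs outside a browser.
function createStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Record a consent decision with the details a controller needs to keep.
function recordConsent(store, choice, now = new Date()) {
  if (choice !== "accept" && choice !== "reject") {
    throw new Error("choice must be 'accept' or 'reject'");
  }
  const record = { choice, policyVersion: POLICY_VERSION, recordedAt: now.toISOString() };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Analytics may load only with an explicit "accept" for the current policy on file.
function analyticsAllowed(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (raw === null) return false;                       // no choice yet: denied
  let record;
  try { record = JSON.parse(raw); } catch (e) { return false; } // garbled value: denied
  return record.choice === "accept" && record.policyVersion === POLICY_VERSION;
}

// The gate the page calls on every load: inject the tracker only if allowed.
function maybeLoadAnalytics(store, loadAnalytics) {
  if (!analyticsAllowed(store)) return false;
  loadAnalytics();
  return true;
}

// Banner buttons: both choices are one click and equally weighted.
function bannerButtons() {
  return [
    { label: "Reject all", action: "reject", primary: true },
    { label: "Accept all", action: "accept", primary: true },
  ];
}
```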