Gone are the wild cowboy days of rustling websites. To avoid heavy fines, your website must comply with a dizzying number of web accessibility, data security, and user privacy laws. This guide shows you how to become web compliant in our data-driven digital world to avoid breaking the law and the bank.
Information age. Digital Data. People. Put these together and you can find yourself in a whole world of hurt if your website handles its users’ personal data incorrectly.
Whether you own a website or build websites for clients using WordPress, this guide will help you understand everything you need to know to make your WordPress website compliant with privacy and GDPR laws and regulations using plain and simple language.
GDPR can be a Giant Dang Pain in the Rear…unless you follow this simple guide!
What we’ll cover in this comprehensive guide:
Let’s dive right in…
Why Is Web Compliance Important?
Broadly speaking, web compliance refers to all the legal requirements, policies, regulations, and standards your digital presence (e.g. your website) must observe to provide users with:
Personal Data Protection
This guide focuses on the laws, rules, and regulations governing privacy, personal data protection, and the global impact of the GDPR on businesses and websites.
To learn more about laws and regulations governing website accessibility and making your WordPress site accessible, see our comprehensive guide to accessibility and WordPress.
Why Protect Personal Data?
Virtually everything we do nowadays involves the digital processing and handling of personal data.
As exemplified in movies like The Great Hack, large businesses and corporations harvest and leverage personal data for a wide range of purposes.
Most small businesses have also been conditioned to collect as much data about their leads and customers as they can to improve their marketing. Most businesses, however, don’t know what to do with the collected data or how to securely store this information.
Personal data, then, has become a key business asset, and protecting individuals from having their personal data misused or abused has become a serious concern in the digital information age.
What is GDPR?
On April 14, 2016, the European Parliament adopted a privacy law designed to protect the rights of people in the EU (then 28 member states) and give them back control of their personal data.
This privacy law is known as the General Data Protection Regulation, or GDPR, and it has major implications on a global scale for anyone doing business online.
“The General Data Protection Regulation (GDPR) is a Regulation of the European Union that protects natural persons (called data subjects) regarding the processing and free movement of their personal data.”
The GDPR was officially published in 2016 as “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016” and became applicable on 25 May 2018.
It replaced the EU’s earlier Data Protection Directive, which was in place since wa-a-a-a-y back in 1995, when very few people used the internet.
The digital landscape has radically transformed since 1995 and so the European Union decided that something more fit for dealing with personal data challenges in a world of big data and increasing digitization was needed and that it was time to reform the existing framework of data protection rules.
As i-SCOOP states on their website,
“The GDPR is designed for a single digital market in which organizations that are processing personal data know what they can do and what they can’t do with personal data. This way the digital economy, in which data are essential, should blossom in an increasingly data-intensive world.”
In short, the GDPR offers the regulatory framework designed to accommodate the reality of today’s digital world, while protecting the individual’s right to control his or her personal data.
To ensure compliance, the GDPR empowers the data protection (supervisory) authorities of the EU member states to impose fines and penalties on companies and businesses that fail to take appropriate steps to be GDPR compliant.
While the GDPR is meant to protect the rights of European Union citizens, the EU General Data Protection Regulation (GDPR) affects millions of businesses all over the world. It even affects individuals, charities, and businesses of all sizes.
If your business has any dealings with people in the EU (e.g. they visit your site) and you engage in any kind of personal data processing, you will probably be required to comply with the GDPR or be liable for non-compliance. “Processing” is defined very broadly: storing, gathering or collecting personal data (regardless of means), aggregating, recording, exchanging, analyzing, publicizing, digitizing, enriching, structuring, changing, searching, leveraging, deleting, destroying, uploading, or simply using or keeping it all count.
And that’s just the tip of the iceberg. GDPR is far more wide-reaching than the above overview.
GDPR Terminology in a Nutshell
GDPR uses a whole range of jargon and terminology. So, before we go any deeper, it’s important to understand GDPR terms and concepts like the ones listed below:
GDPR Awareness vs GDPR Compliance
Being aware of the GDPR is not the same as being GDPR compliant, but it’s the first step.
“The first stage in any plan to prepare for compliance with the General Data Protection Regulation (GDPR) is GDPR awareness with a special focus on staff awareness as the first step towards personal data protection.”
GDPR awareness involves a whole lot more than just “being aware” that GDPR exists. It means taking steps to understand what GDPR is, what its implications are for your business (and for non-compliance), and how to create a culture in your organization that:
Understands and values the importance of (and consequences of not properly handling) personal and sensitive data
Empowers people to know what they can and can’t do under GDPR
Is able to demonstrate that you did what you could in case there is a data violation or data breach incident
Includes all stakeholders in the creation of a proper strategic plan.
GDPR awareness should lead to a buy-in at the executive level to learn, understand, value, respect, and commit to incorporating GDPR compliant data protection and handling measures into the overall strategic plan of your organization.
This should then filter through to all employees by educating them about GDPR, making them aware of all the areas impacted by the handling of personal data, and ensuring that they too value and respect personal data and commit to observing all the processes involved in protecting and handling it.
Additionally, this awareness must also extend to reviewing and assessing every partner you work with and understanding how they handle personal data.
In short, as far as GDPR compliance goes, protecting personal data in your business is everyone’s business.
Do you need to appoint a Data Protection Officer (DPO)? Use this quick checklist to find out! (Infographic: ec.europa.eu)
How GDPR Impacts Your Business and Website
The next stage after GDPR awareness is GDPR compliance.
This requires assessing, reviewing, planning, strategizing, and implementing a number of processes into your business to ensure compliance including informing, educating, and training everyone in your organization to understand, value, and follow these processes.
This is an area where many businesses struggle, despite being willing to comply with and investing a significant amount of money into GDPR compliance measures.
For example, in the 2019 GDPR.eu Small Business Survey, over 700 small business leaders in Spain, the United Kingdom, France, and Ireland were asked how their businesses were coping with the new GDPR requirements and reported findings like:
Only about half of the businesses surveyed believed their organizations are fully compliant with the GDPR.
Less than half said they describe their data processing activities in clear, plain language to data subjects.
Despite being eager to comply with the GDPR and spending tens of thousands on consultants and IT solutions, many were still confused by the more technical aspects of data security.
A significant number admitted they did not comply with central requirements of the law (such as claiming to use an end-to-end encrypted email provider but being unable to name a service with this kind of encryption built in)
Nearly half said they did not always determine a lawful basis for processing user data before doing so (which is a key provision of the GDPR).
Millions of businesses are still not fully GDPR compliant, despite a significant amount of compliance-related spending. Source: 2019 GDPR.eu Small Business Survey.
With 23.5 million small and medium-sized businesses in the European Union alone, the above findings indicate there are still a potentially significant number of businesses that are not yet GDPR compliant.
Does My Website Need to Comply with GDPR?
There are instances where GDPR may not apply to your business/website. (Remember, we are not lawyers and neither are most of the article writers referred to here, so make sure to consult a proper lawyer if you think GDPR doesn’t apply to you!)
For example, if you don’t operate in the EU and you don’t offer goods and services in the EU and you don’t monitor the behavior of people in the EU and you don’t process personal data of people in the EU and you are not processing unstructured paper records of people in the EU using either automated or manual methods, or you have been granted an exemption, then GDPR might not apply to you.
This, however, is not as clear cut as it may sound.
For example, GDPR does apply to you in the following situations:
You have no office or employees in the EU, but EU citizens can obtain goods and services (paid or free) online from you.
Your website offers payments in a currency used in an EU country (e.g. Euros), or uses a language spoken in an EU country (e.g. Polish), or mentions EU customers or users.
Your website uses tracking cookies to run Facebook retargeting ads and an EU citizen visits your site (so you are inadvertently monitoring their behavior).
Your website records IP addresses, pseudonymized, or encrypted data (all these can be considered to be personal data).
You’re using a computer (or other electronic device) to send an email to an EU citizen (automated processing of personal data).
The filing cabinet in your office or a drawer in your desk contains a sign-in sheet, an employee record, a customer invoice, a contact detail, or a contract from an EU citizen as part of your business record-keeping (manual processing of personal data).
GDPR exemptions don’t apply to private companies. These are generally granted to law enforcement agencies, journalists, universities, etc. to allow them to perform their required activities.
The above suggests it’s probably best to err on the side of caution. If you think your site needs to comply with GDPR, it probably does (and if you don’t think it does, consult a GDPR-savvy lawyer to be sure).
What about Brexit and 2020… is GDPR still a requirement?
After the UK left the EU on 31 January 2020, there was a transition period during which EU law continued to apply in the UK. When this transition period ended on 31 December 2020, EU law ceased to apply directly.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC) then amended the EU GDPR to create a domestic data protection law: the UK General Data Protection Regulation (UK GDPR).
The UK GDPR is the UK’s post-Brexit version of the EU GDPR. It is very similar to the EU GDPR, so organisations that comply with the latter are likely to be in compliance with the former.
It is interesting to note that the GDPR has not only affected countries outside the European Union like the UK, it has also influenced countries outside the European Region like Brazil to form their own version of the GDPR (LGPD).
From this, we can expect to see more GDPR-like regulations emerging around the world that will extend to every country and affect how we do business online in the global digital economy.
In other words, if you process personal data of residents of the EU, UK, Brazil, etc. your business (and your website) will have to comply with various regulations like the EU GDPR, UK GDPR, LGPD, etc.
Consequences of not complying with GDPR
In order to enforce GDPR compliance, GDPR regulators in EU member states can issue stiff fines, ensuring that non-compliance with GDPR will be more costly than complying.
As stated on the official GDPR website,
“GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses.”
The official site then goes on to say that “Any organization that is not GDPR compliant, regardless of its size, faces a significant liability.”
As GDPR applies to all types of businesses from multinationals down to micro-enterprises, the GDPR can impose flexible administrative fines for infringements that scale with the type of firm, and factors like the nature, gravity, duration, intention, and number of instances the organization is found to be in breach of the regulations.
Article 83, for instance, states that companies at the higher end of the scale can be fined for non-compliance with GDPR regulations up to €20 million, or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.
For example, in early 2020, the Italian data protection authority (the Garante) imposed two heavy fines totalling €11.5 million on an Italian electricity and gas supplier for two separate GDPR violations. Other heavy fines related to non-compliance with GDPR were dished out to Google (€50 million), H&M (€35 million), British Airways (€22 million), Marriott (€20.4 million) and, more recently, Amazon got hit with a record €746 million fine for violations of the GDPR.
Regulators aren’t just going for the big fish either. Smaller fines and penalties ranging from wrist-slaps and warnings to hundreds or thousands of euros are being meted out to businesses of all sizes. Although currently only businesses within the EU are being fined, under the GDPR, businesses outside the EU can also be fined.
Non-compliance with GDPR rules can have serious legal and financial consequences. (Infographic: ec.europa.eu)
What Is A GDPR Audit?
As we have just seen, if your business falls within the scope of the GDPR, there’s a lot of work you must do to become GDPR compliant.
A lot of this work takes place within your business, such as becoming GDPR-aware, appointing a Data Protection Officer (DPO), etc. This can be assessed by carrying out a GDPR Audit.
GDPR regulations require transparency and a lawful basis for all data processing activities.
According to GDPR requirements:
Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed record of their processing activities and be prepared to show that record to regulators upon request. For higher-risk processing, a data protection impact assessment (DPIA) is the expected way to demonstrate that the risks have been assessed and addressed.
Businesses with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR’s other requirements easier.
To comply with GDPR regulations, businesses should conduct an information audit of their data processing activities to determine things like:
The purposes of the processing.
Legal justifications for collecting, using, and storing personal data.
What information and kind of data is/will be processed in the organization.
Who has/will have access to the data in the organization.
How the data will be protected (e.g. encryption).
How the data is being/will be stored securely to protect data subject rights (and all the locations where data is/will be stored).
When and how data will be erased (if possible).
How information about data processing activities will be communicated to users and regulators.
Which third parties (and where they are located) have/will have access to the data
Performing a GDPR audit, however, is not enough. The business must also be able to answer questions like:
Have we located every digital store of personal data in our organisation?
Are we regularly checking our data for personal or sensitive information?
Are we collecting personal data in a way that supports ongoing data quality management?
Are there any opportunities to minimise our data?
Can we handle simultaneous requests from multiple users for access to information about their data within a reasonable timeframe?
Is there a plan in place in the event of a data breach? Has this plan been tested?
We recommend going through this GDPR checklist to begin the auditing process. If you need additional help with your GDPR audit, you may also want to engage the services of a qualified consultant and a lawyer.
Use the GDPR checklist to perform an audit of your business and assess your level of compliance.
As you can see, making sure your business is GDPR compliant requires a lot of work.
Let’s turn our attention now to what you can do to make your website comply with GDPR’s rules and regulations.
Making Your Website GDPR Compliant
Businesses have been conditioned to collect as much data about their leads and customers as they can to improve their marketing.
Most businesses, however, don’t know what to do with the collected data or how to securely store this information.
Additionally, the introduction of GDPR laws with harsh penalties to protect personal user data and privacy rights implies that what was previously considered “best practice” in areas like website design was potentially fraught with opportunities to misuse and abuse user data.
Even though most web developers and web designers don’t work directly with user data collected from a website or digital property, they are the ones responsible for creating the website that will handle the data.
New, GDPR-compliant best practices for website planning, design, and development, then, need to be created and implemented.
How GDPR Impacts Website Planning and Functionality
Data protection and privacy by design begins in the website planning phase. (Infographic: ec.europa.eu)
GDPR impacts web design and web development significantly. Websites are now incorporating something called privacy by design to ensure compliance.
“The GDPR has given birth to a new design concept simply referred to as privacy by design. The design principle states that any digital product collecting or using private data must implement strict privacy measures as part of the website design and development process.”
Designing an accessible and GDPR compliant website that respects the privacy and data rights of all web users, therefore, starts at the website planning stage. This involves:
Creating an interface design that is accessible, understandable, and usable.
Taking an active role in understanding and implementing data security and privacy in the website and database designs.
Creating a plan to “bake in” data privacy and data security measures into every aspect of the design and development process.
GDPR regulations require controllers to implement appropriate technical and organizational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed.
As this obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility, website designers and web developers should ask questions like the ones below when formulating a plan for data privacy:
What data should the website collect?
Different types and levels of data can be collected from websites. For example:
Zero party data – this is data that customers give to businesses freely and willingly with full consent in order to create a more personalized and rewarding online experience.
First party data – this is unique and identifiable data that businesses collect directly from users using their own online (e.g. website) or offline channels. This type of data includes transactional data, demographic data, behavioral data, information obtained from customer service, etc.
Second party data – this is another company’s first party data that’s packaged and sold to other businesses with no third-party involved. Businesses use this data to build a better picture of their own customer base.
Third party data – this data is typically collected from many sources, aggregated into one dataset, and packaged and sold through a data exchange marketplace.
How will this data be collected?
Typical methods for collecting data include customers entering payment details upon checkout or signing up for a newsletter. However, data can also be collected via web analytics tools (e.g. Google Analytics), tracking pixels in emails and newsletters, website cookies and mouse-tracking heatmaps on landing pages, surveys, polls, quizzes, social media events, integrations with CRMs, etc.
With GDPR and other privacy laws, it’s important that data be collected with the user’s full knowledge and consent. For example, the ePrivacy Directive requires that companies obtain consent before dropping a tracker or a cookie on a visitor’s device and tracking online.
How will the site’s data be processed?
How will the site’s data be stored?
For example, in the screenshot below, this company is clearly informing its users how and where their data is stored and the security measures being used to safeguard their personal data.
Make sure to inform users where their data is being stored. Source: Nederlia.
How long will the data be stored for?
Article 5 of the GDPR sets out the storage limitation principle for all personal data collected from users. Compliance requires businesses to implement data storage processes like:
Not keeping personal data for longer than needed.
Performing periodic reviews to identify and address data stored beyond its intended use (note: businesses can store personal data beyond the initially stated purpose for things like public interest archiving, scientific or historical research, or statistical purposes)
Implementing measures such as anonymization or pseudonymization to safeguard data subject rights if storing personal data beyond its initial purpose and retention period.
How will personal data be handled when it’s no longer needed?
After personal data has exceeded its initial purpose and retention period, businesses can either erase, anonymize, or pseudonymize the data.
Data anonymization protects private or sensitive information by removing or irreversibly generalizing the identifiers that connect an individual to stored data. Truly anonymized data is no longer personal data, so the GDPR does not apply to it: it can be kept indefinitely and used for any purpose without consent. The catch is the word “truly”: the data must not be re-identifiable by you or anyone else, including by combining it with other data you hold. Encrypting or hashing identifiers does not anonymize data, because whoever holds the key (or can guess the input, e.g. an email address) can re-identify it.
Pseudonymization replaces direct identifiers with artificial ones (for example a keyed token) so that records can no longer be attributed to a specific person without additional information that is kept separately and protected. This lets businesses perform data analysis and processing on less identifiable records, but pseudonymized data is still personal data under the GDPR and remains subject to its rules.
What data security measures will the site implement?
One of the key principles of GDPR is to safeguard the personal data of your website users. Data security measures used to ensure the safeguarding of personal data include using secure web hosting servers, firewalls, data encryption, single sign-on (SSO), and two-factor authentication.
What are the risks associated with obtaining the client’s proposed data?
There are a number of issues related to security, privacy, and compliance that businesses need to take into account when obtaining data.
With second party data, for example, businesses need to trust the vendors providing the data and be sure that they have permission to collect and share that data with others.
With third party data, it’s even more difficult to know if the data has been collected with proper consent.
When planning your website, make sure to consider other questions related to compliance, such as:
If pulling personal data from an API, do all fields proposed by the client need to be filled?
If planning to use geo-location services (e.g. a store locator), does the site really need to use the users’ location?
Privacy policies are legally required. Global privacy laws require a Privacy Policy if you collect or use personal information, and it should cover at least the following:
Organization name and contact details
What types of personal information will be collected and stored
How personal information is collected and where it is stored
Reasons for collecting personal information
How personal information will be used and disclosed
How users can access their personal information, or ask for a correction
How users can lodge a complaint if they think their information has been mishandled, and how complaints will be handled
If the information will or is likely to be disclosed to third-party data processing partners (and if so, which)
Other information, for example how long personal information is kept.
As stated in the GDPR,
How GDPR Impacts Website Planning and Legality
In addition to ensuring that your website complies functionally with GDPR regulations, website developers must also work with compliance experts to ensure that the site’s design complies legally.
Let’s take a look at what this means.
How to make it easy for users to request or delete their info
As we’ll see later, various WordPress plugins can auto-generate GDPR-compliant data request pages. This makes it easier for website owners (no custom development required–just install a plugin) and for users to request access or deletion of their information. Even WordPress core software now includes built-in data export and erasure tools.
You can use WordPress GDPR plugins to auto generate personal data request pages.
How to deal with policy updates
Web compliance laws and regulations governing an individual’s rights to privacy and data security are constantly changing.
How is your business keeping up with changes to global, federal, state, and local regulations like GDPR, CalOPPA, CCPA, PIPEDA, UK DPA, LGPD, and more?
This is something that your business not only has to seriously consider, but also implement effectively.
How to deal with data breach
The most common types of data breaches include:
Cyber attacks – Malware, phishing, skimming (capturing and stealing a cardholder’s payment card details), social engineering (manipulating people into handing over credentials or data), etc.
Employee data theft – While some breaches are caused by mistakes, others may involve deliberate misuse for various reasons, like committing identity theft or transferring data to a new employer.
Human error – Most data breaches are caused by potentially avoidable human errors (e.g. attaching wrong files, choosing weak passwords, clicking on dodgy links, cc’ing the wrong person in emails, etc).
Theft/loss of property – Stealing digital devices containing sensitive information (e.g. user credentials)
Although there is no foolproof method to avoid data breaches like the ones listed above, some of the minimum basic security measures you should be employing include strong passwords, comprehensive security suites and antivirus software across computer devices, secure servers and firewalls, data encryption, SSO and multi-factor authentication, and regularly training employees on security best practices.
How to easily withdraw permissions or opt-out
The GDPR requires making sure that individuals always know they have the right to withdraw their consent and opt out of their permissions, so your site has to make it just as easy to remove consent as it was to grant it.
Using Cookies On Your Website
Cookies are an important tool to help your business gain insight into your users’ online activity and improve their experience on your website.
For example, using cookies from advertising solutions can deliver better targeted ads to your users. Your users are served ads that better match what they are looking for and this helps to improve your conversion rates.
What are cookies?
Cookies are small text files that a website stores on a visitor’s web browser as they browse your site. When a visitor returns to your site, their browser provides the string of information stored in that cookie to your website so certain functions can be performed, such as remembering your previous usage details.
Cookies can generally be easily viewed and deleted by users in their browser’s settings.
Users can modify cookie settings on their web browser (image Google Chrome browser)
Types of Cookie
“In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance.”
Refer to the tables below to learn more about each of these types of cookies:
Make your website compliant with a cookie notice and consent form.
The above are the main ways of classifying cookies, although some types of cookies will not fit into these categories or may qualify for multiple categories.
Generally, when people complain about privacy risks regarding cookies, they are referring to third-party, persistent, marketing cookies. These cookies can store significant amounts of information about a user’s online activity, preferences, and location.
Since GDPR laws came into effect, the use of third-party cookies is declining, as accessing data for third-party cookies can get complicated and increase the potential for abuse.
Cookies and The GDPR
The ePrivacy Directive (EPD), also known as the “cookie law”, states that no cookies or trackers may be placed on a user’s device before the user has consented, apart from those strictly necessary for the basic functioning of the website. In other words, a website has to hold back all non-essential cookies, regardless of whether they contain personal data or not, until the user consents.
Although the GDPR is the most comprehensive data protection legislation passed by any governing body up to this point, it mentions cookies only once (in Recital 30), noting that online identifiers such as cookie identifiers can be used to identify and profile users and may therefore be personal data, which brings them under the GDPR.
As a result, regulations governing cookies are split between the GDPR and the ePrivacy Directive.
The EPD supplements (and in some cases, overrides) the GDPR, addressing crucial aspects about the confidentiality of electronic communications and the tracking of Internet users more broadly.
Note: The EPD is intended to be replaced by the proposed ePrivacy Regulation (EPR), which would expand on and encompass data privacy from additional areas like browser fingerprinting, metadata, and new methods of communication. At the time of writing the EPR has not been adopted, so the EPD still applies.
Under the GDPR, companies may process their users’ personal data only with a lawful basis (Article 6). For cookies and tracking, the bases that usually apply are consent or, more rarely, legitimate interest; consent is also what the EPD requires before non-essential cookies are placed.
The law also states that sites can store cookies on a user’s device if they are strictly necessary for that site’s operation. For all other types of cookies, sites need to obtain the user’s permission.
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
Receive users’ consent before using any cookies except strictly necessary cookies.
Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
Document and store consent received from users.
Allow users to access your service even if they refuse to allow the use of certain cookies.
Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
WPMU DEV’s Cookies Notice and Cookies Consent button.
The above screenshot provides a good example of the various things you must do to comply with GDPR and privacy laws:
Check out this sample cookies policy template for additional ideas on ways to craft your own cookies notice.
As noted in the official GDPR website…
There are many ways to notify users about using cookies on your site…just make sure they comply with all legal requirements.
Is WordPress GDPR Compliant?
Yes, the WordPress core software is GDPR compliant.
Update WordPress to the latest version
We recommend updating your WordPress core software to the latest version to ensure it is GDPR compliant.
In version 4.9.6, WordPress introduced the following GDPR enhancements to self-hosted WordPress sites (i.e. WordPress.org):
If you log into your WordPress site and head over to the Settings menu, you will see the Privacy section…
The WordPress Settings menu has a Privacy section.
Otherwise, follow the suggested guide and use the template to add your contact details and additional information like how you process and protect user data, data breach procedures, third party services, automated decision-making, user data profiling, and any required industry regulatory disclosures.
Comments Privacy Checkbox
When users leave comments on your site, WordPress stores personal information like their name, email address, and website URL in a browser cookie. This allows WordPress to fill in the user’s information automatically in the comment fields next time they visit.
From version 4.9.6, WordPress displays a comment privacy opt-in checkbox on themes that use the default WordPress comment form.
Many WordPress themes display a privacy opt-in form in the comments section.
If you can’t see the opt-in checkbox on your site, make sure that:
You have updated WordPress to the latest version (4.9.6 or later)
You are not logged in when browsing the comments section
You have enabled the ‘Show comments cookies opt-in checkbox, allowing comment author cookies to be set’ option in Discussion Settings > Other comment settings.
Make sure to enable the Show comments cookies opt-in checkbox option in your Discussion settings.
If you still can’t see this privacy feature, then your current theme is probably overriding the default WordPress comment form. Contact your theme developer’s support.
Export And Erase Personal Data
In version 4.9.6, WordPress also introduced two handy compliance features that allow you to process users’ data requests and export or delete their personal data.
Both tools can be accessed from the WordPress Tools menu.
Access the Export and Erase Personal Data features from the WordPress Tools menu.
Use the Export Personal Data feature to send users their requested data in a .zip file via email.
Simply enter their Username or email address, tick the checkbox to send a personal data export confirmation email, and click the Send Request button.
The table section lets you view, process, search, and sort user requests. It displays the status and date of the request and a ‘Next Steps’ workflow column.
WordPress Export Personal Data tool.
The Erase Personal Data feature lets you delete a user’s personal data upon request. It also anonymizes data that needs to remain stored in the WordPress database (e.g. plugin data). This is useful because WordPress allows plugin developers to hook their plugins into the personal data erasure feature.
The Erase Personal Data tool works just like the Export Data tool.
WordPress Erase Personal Data tool.
According to WordPress, using these built-in tools is the best way to make sure that users who request access to data really are who they say they are.
As stated on their site…
“We strongly encourage you use the email validation feature built into the export tools. This confirmation process will help safeguard against abuse, such as malicious users pretending to be someone they are not.”
WordPress has also issued the following warning:
“As this tool ONLY gathers data from WordPress and participating plugins, you may need to go beyond to comply with export requests.”
In other words, these built-in features will help make your site more GDPR compliant, but they are not enough to guarantee 100% GDPR compliance.
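The gap described above exists because the Tools screens only know about data that plugins register with them. As an added example (not code from the article, from WordPress core, or from any named plugin), here is how a plugin that keeps its own table of newsletter sign-ups would hook into the export and erase tools via the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The table, column names, the `legal_hold` flag and the sample rows are constructed; the callback signatures and return shapes are the ones WordPress expects.

```php
<?php
// Added example, not from the article or WordPress core: a plugin-style exporter
// and eraser for a hypothetical "newsletter sign-ups" store, registered with the
// WordPress personal-data tools. Table, columns and rows are constructed.

declare(strict_types=1);

/** Constructed stand-in for the plugin's storage (a real plugin would query $wpdb). */
final class SignupStore
{
    /** @var array<int,array{id:int,email:string,name:string,ip:string,signed_up:string,legal_hold:bool}> */
    public static array $rows = [
        ['id' => 1, 'email' => 'alice@example.com', 'name' => 'Alice', 'ip' => '203.0.113.7',  'signed_up' => '2024-03-01', 'legal_hold' => false],
        ['id' => 2, 'email' => 'bob@example.com',   'name' => 'Bob',   'ip' => '198.51.100.2', 'signed_up' => '2024-03-04', 'legal_hold' => false],
        ['id' => 3, 'email' => 'alice@example.com', 'name' => 'Alice', 'ip' => '203.0.113.9',  'signed_up' => '2024-04-10', 'legal_hold' => true],
    ];

    public static function findByEmail(string $email): array
    {
        return array_values(array_filter(self::$rows, fn($r) => strcasecmp($r['email'], $email) === 0));
    }
}

/**
 * Exporter callback. WordPress passes the verified e-mail address and a page
 * number (it keeps calling while 'done' is false) and expects
 * ['data' => [...], 'done' => bool]; each item becomes a group in the export.
 */
function signup_personal_data_exporter(string $email_address, int $page = 1): array
{
    $items = [];
    foreach (SignupStore::findByEmail($email_address) as $row) {
        $items[] = [
            'group_id'    => 'newsletter_signups',
            'group_label' => 'Newsletter Sign-ups',
            'item_id'     => 'signup-' . $row['id'],
            'data'        => [
                ['name' => 'Email',        'value' => $row['email']],
                ['name' => 'Name',         'value' => $row['name']],
                ['name' => 'IP address',   'value' => $row['ip']],
                ['name' => 'Signed up on', 'value' => $row['signed_up']],
            ],
        ];
    }
    return ['data' => $items, 'done' => true]; // small table: one page is enough
}

/**
 * Eraser callback. Same calling convention; the booleans tell the admin screen
 * whether anything was removed or retained, and 'messages' explains retention.
 * A row under legal hold is anonymized in place rather than deleted, which is
 * the pattern the core tools use for data that must stay in the database.
 */
function signup_personal_data_eraser(string $email_address, int $page = 1): array
{
    $removed = $retained = false;
    $messages = [];
    foreach (SignupStore::$rows as $i => $row) {
        if (strcasecmp($row['email'], $email_address) !== 0) {
            continue;
        }
        if ($row['legal_hold']) {
            SignupStore::$rows[$i]['email'] = 'deleted@site.invalid';
            SignupStore::$rows[$i]['name']  = 'Anonymous';
            SignupStore::$rows[$i]['ip']    = '0.0.0.0';
            $retained   = true;
            $messages[] = 'Sign-up #' . $row['id'] . ' was anonymized rather than deleted because it is under legal hold.';
        } else {
            unset(SignupStore::$rows[$i]);
            $removed = true;
        }
    }
    SignupStore::$rows = array_values(SignupStore::$rows);
    return ['items_removed' => $removed, 'items_retained' => $retained, 'messages' => $messages, 'done' => true];
}

if (function_exists('add_filter')) { // only when loaded inside WordPress
    add_filter('wp_privacy_personal_data_exporters', function (array $exporters): array {
        $exporters['newsletter-signups'] = ['exporter_friendly_name' => 'Newsletter sign-ups', 'callback' => 'signup_personal_data_exporter'];
        return $exporters;
    });
    add_filter('wp_privacy_personal_data_erasers', function (array $erasers): array {
        $erasers['newsletter-signups'] = ['eraser_friendly_name' => 'Newsletter sign-ups', 'callback' => 'signup_personal_data_eraser'];
        return $erasers;
    });
}

if (PHP_SAPI === 'cli') { // stand-alone demo on the constructed rows
    print_r(signup_personal_data_exporter('alice@example.com'));
    print_r(signup_personal_data_eraser('alice@example.com'));
    print_r(SignupStore::$rows); // Bob untouched; Alice's held row anonymized, her other row gone
}
```

The point to check when reviewing a plugin is whether it registers both callbacks: a plugin with an exporter but no eraser leaves the Erase Personal Data tool silently incomplete, and the admin has no indication that data was left behind.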
Let’s look at what else you can do in WordPress to improve GDPR compliance.
Making WordPress sites fully GDPR-compliant
The GDPR impacts other areas of your WordPress site.
These areas include but are not limited to the following:
Fortunately, most of the above functionalities can be added to WordPress using plugins, and many of these plugins now include GDPR-compliant enhancements.
Let’s look at some of these:
If you use analytics tools to gather website stats (e.g. Google Analytics), then it’s highly probable that you’re collecting or tracking personal data like IP addresses, user IDs, cookies, and other data to profile behavior.
If so, you may need to disclose to your site visitors that your analytics plugin may add cookies to the user’s browser, store personal information in your database, or integrate with 3rd-party applications.
Most websites use contact forms. Users must be informed if your website stores form entries or uses any of their collected data for marketing purposes (e.g. adding their details to an email list).
The very nature and purpose of a contact form makes it a potentially complex minefield of GDPR compliance issues.
For example, some of the aspects you need to consider when using a contact form in WordPress include:
Informing users what you will do with their data and how you will store it, and getting their explicit consent to use and store their information.
Disabling cookies, user-agent, and IP tracking.
Having data-processing agreements with form providers (if using a SaaS form solution) and any third-party providers.
Complying with users’ rights (e.g. right to withdraw consent).
Complying with users’ data-access and data-deletion requests.
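The list above is easiest to reason about as a handler. Here is an added example, written for this guide and not Forminator’s or the article’s code, of server-side processing for a contact-form submission: it refuses the entry unless the explicit consent box was ticked, stores only the fields the stated purpose needs (no IP address, no user agent), records proof of consent beside the entry, and gives the entry a deletion date. The field names, consent wording, policy version, retention period and the sample POST bodies are constructed.

```php
<?php
// Added example, not Forminator's or the article's code: consent-checked,
// data-minimized handling of a contact-form POST. Field names, wording,
// policy version, retention period and sample inputs are constructed.

declare(strict_types=1);

const CONSENT_TEXT   = 'I agree that my name and e-mail address are stored so you can reply to my message.';
const POLICY_VERSION = '2024-01';
const RETENTION_DAYS = 90; // derive this from the purpose you told the user, then delete on schedule

/** Returns ['ok' => true, 'entry' => [...]] or ['ok' => false, 'errors' => [...]]. */
function handle_contact_submission(array $post, ?DateTimeImmutable $now = null): array
{
    $now     = $now ?? new DateTimeImmutable('now', new DateTimeZone('UTC'));
    $errors  = [];
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name is required (max 100 bytes)';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'a valid e-mail address is required';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message is required (max 5000 bytes)';
    }
    // Explicit, affirmative consent: the checkbox must be present with value "1".
    // A missing field (box left unticked) or any other value counts as no consent.
    if (($post['consent'] ?? null) !== '1') {
        $errors[] = 'you must tick the consent box';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    return ['ok' => true, 'entry' => [
        // Only what replying requires: REMOTE_ADDR and HTTP_USER_AGENT are not copied in.
        'name'    => $name,
        'email'   => $email,
        'message' => $message,
        'consent' => [
            'given_at'       => $now->format(DATE_ATOM),
            'policy_version' => POLICY_VERSION,
            // Hash of the exact wording shown, so a later edit to the text cannot
            // be mistaken for what this user actually agreed to.
            'text_sha256'    => hash('sha256', CONSENT_TEXT),
        ],
        'delete_after' => $now->modify('+' . RETENTION_DAYS . ' days')->format('Y-m-d'),
    ]];
}

/** True once the entry has passed its retention date (run from a daily scheduled task). */
function entry_is_expired(array $entry, DateTimeImmutable $today): bool
{
    return $today > new DateTimeImmutable($entry['delete_after'] . 'T00:00:00Z');
}

if (PHP_SAPI === 'cli') {
    $submitted = new DateTimeImmutable('2024-03-01T10:00:00Z');
    // Constructed POST bodies: first without the box ticked, then with it.
    print_r(handle_contact_submission(['name' => 'Alice', 'email' => 'alice@example.com', 'message' => 'Hi'], $submitted));
    $result = handle_contact_submission(['name' => 'Alice', 'email' => 'alice@example.com', 'message' => 'Hi', 'consent' => '1'], $submitted);
    print_r($result);
    var_dump(entry_is_expired($result['entry'], new DateTimeImmutable('2024-06-01T00:00:00Z'))); // beyond the 90-day window
}
```

Storing the hash of the consent text alongside the policy version is what lets you answer, months later, exactly what a given user agreed to, which is the substance of the “document and store consent” requirement rather than merely the fact that a box was ticked.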
In many cases, you can make your WordPress forms GDPR compliant by simply adding a required consent checkbox with a clear explanation.
For example, with our forms plugin Forminator, you can easily add and customize a GDPR-compliant notice when creating your forms.
With Forminator, you can easily make your contact forms GDPR compliant.
The GDPR section will then display on your contact form automatically to visitors.
Forminator adds a GDPR-compliant required user consent checkbox to your contact form.
Email Marketing Opt-in Forms
Just like contact forms, email marketing opt-in forms require obtaining user consent before adding their details to your list.
You can do this by adding a required checkbox that users must agree to before they opt in or by using an email list with a required double opt-in (this involves collecting an email address through a signup form and sending a confirmation email to the user’s address that they must click on to validate their contact information before they can be added to your list).
With our opt-in plugin Hustle, for example, you can create opt-in forms like popups, slide-ins and inline forms and insert a configurable GDPR approval field into your form with the click of a button.
Hustle lets you easily insert a GDPR approval field into your opt-in form.
This will then automatically display a GDPR-compliant notice with a required checkbox that users must agree to and click on.
Hustle’s customizable GDPR-compliant opt-in form notice.
eCommerce and Membership Sites
If you run an eCommerce store or a membership site on WordPress, then it’s definitely important to make sure that your site is in compliance with GDPR.
If your WordPress eCommerce store runs on WooCommerce, check out their comprehensive GDPR compliance guide for store owners.
If you run a WordPress-based membership site, check for GDPR-compliant settings in your membership plugin or software.
For example, one of the most popular membership site plugins for WordPress, Wishlist Member, provides a range of configurable GDPR-compliant settings in its Members > Data Privacy section.
Wishlist Member’s Data Privacy settings.
Using Gravatars, images, and embedded content on your site can potentially trip you up in terms of GDPR compliance.
For example, Gravatars are PII (Personally Identifiable Information).
Uploading images with EXIF GPS location data included allows site visitors to download and extract location data and correlate uploaded media to a particular user.
Embedded content can let a third-party service collect your users’ IP addresses and user agents, store and retrieve cookies in their browsers, embed additional third-party tracking, and monitor how users interact with that embedded content, including correlating that interaction with their account on that service (if they are logged in to it).
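The EXIF point is one you can enforce at upload time rather than leaving to editorial discipline. The following is an added example, not code from the article or from WordPress core: an upload filter that detects EXIF GPS tags in a JPEG and strips them by re-encoding the file through GD, which does not carry metadata over. Inside WordPress it hooks `wp_handle_upload_prefilter`; run stand-alone, it exercises the functions on a tiny JPEG it constructs itself. It assumes the `exif` and `gd` PHP extensions are loaded.

```php
<?php
// Added example, not from the article or WordPress core: detect EXIF GPS data
// in an uploaded JPEG and strip it by re-encoding with GD. Assumes the exif
// and gd extensions are available.

declare(strict_types=1);

/** True if the JPEG carries an EXIF GPS section. Non-JPEG or no EXIF gives false. */
function image_has_gps_exif(string $path): bool
{
    if (!function_exists('exif_read_data')) {
        return false; // exif extension missing: cannot inspect, consider stripping unconditionally
    }
    $exif = @exif_read_data($path, 'GPS', true); // false when the file has no EXIF at all
    return is_array($exif) && isset($exif['GPS']['GPSLatitude'], $exif['GPS']['GPSLongitude']);
}

/**
 * Re-encodes a JPEG through GD. GD writes no EXIF/IPTC/XMP block, so the result
 * has no GPS data (nor camera serial, embedded thumbnail, etc.). The EXIF
 * orientation tag is lost as well, so the rotation it described is applied first.
 */
function strip_image_metadata(string $path, int $quality = 90): bool
{
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return false; // only JPEG handled here; PNG/WebP can carry XMP and need their own path
    }
    $orientation = 1;
    if (function_exists('exif_read_data')) {
        $exif = @exif_read_data($path);
        if (is_array($exif) && isset($exif['Orientation'])) {
            $orientation = (int) $exif['Orientation'];
        }
    }
    $img = @imagecreatefromjpeg($path);
    if ($img === false) {
        return false;
    }
    $degrees = [3 => 180, 6 => -90, 8 => 90][$orientation] ?? 0; // imagerotate() turns counter-clockwise
    if ($degrees !== 0) {
        $rotated = imagerotate($img, $degrees, 0);
        if ($rotated !== false) {
            $img = $rotated;
        }
    }
    return imagejpeg($img, $path, $quality);
}

if (function_exists('add_filter')) { // only when loaded inside WordPress
    // $file is the $_FILES entry for the upload; setting $file['error'] rejects it.
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        if (!empty($file['tmp_name']) && image_has_gps_exif($file['tmp_name'])
            && !strip_image_metadata($file['tmp_name'])) {
            $file['error'] = 'Could not remove location metadata from this image; upload refused.';
        }
        return $file;
    });
}

if (PHP_SAPI === 'cli') { // stand-alone demo on a constructed 8x8 JPEG with no metadata
    $tmp = sys_get_temp_dir() . '/exif-demo-' . getmypid() . '.jpg';
    imagejpeg(imagecreatetruecolor(8, 8), $tmp);
    var_dump(image_has_gps_exif($tmp));               // a GD-written file has no GPS section
    var_dump(strip_image_metadata($tmp));             // re-encoding a clean file still succeeds
    var_dump(getimagesize($tmp)[2] === IMAGETYPE_JPEG);
    unlink($tmp);
}
```

Re-encoding with GD is lossy (hence the `$quality` parameter); if you need a lossless strip, Imagick’s `stripImage()` or an external tool such as exiftool removes the metadata segments without touching the image data. Either way, the check belongs before the file reaches the media library, because once a thumbnail set has been generated the original with its GPS block is what the “full size” link serves.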
If your site uses retargeting pixels or retargeting ads, you will need to inform users about it and get their consent. See the section below for plugins that can help make this process easier.
Best WordPress Plugins for Improving GDPR Compliance
You can automate certain aspects of GDPR compliance using WordPress plugins.
As should be clear from this article, however, no solution can guarantee 100% compliance and that includes plugins. So, be wary of and avoid using any WordPress plugin claiming to make your site fully GDPR compliant.
Here are the best free and paid WordPress plugins we recommend checking out to improve your site’s compliance with GDPR requirements in no particular order of preference:
Complianz – GDPR/CCPA Cookie Consent
Complianz offers a fully-featured Privacy Suite that will help your WordPress site meet compliance requirements in the European Union, the United States, and/or the United Kingdom (GDPR, ePrivacy, CCPA, PECR, and more!).
You can use the plugin’s wizard to configure your site for privacy legislation compliance.
Use the Wizard to configure your compliance settings.
The premium version adds a whole range of advanced features, integrations, agreements, and support for many additional consent, privacy, and compliance requirements for worldwide coverage and protection, as well as premium support.
Note: WPMU DEV members receive 25% off all Complianz plans.
Download this plugin: Complianz
iubenda’s GDPR Cookie and Consent Solution plugin for WordPress.
iubenda provides an all-in-one legal document management service that helps make your website (or app) compliant with the law in multiple languages and under multiple legislations, plus a free WordPress plugin that interfaces with two services that help make your website more GDPR and ePrivacy compliant: Cookie Solution and Consent Solution.
These services include a fully customizable cookie banner, blocking scripts, cookie consent management, and comprehensive record-keeping for GDPR purposes.
The WordPress plugin provides an easy interface with iubenda’s online service.
The plugin also detects and identifies all supported forms embedded in the website and maintains valid and detailed records of consent using its Consent Solution service.
Note: WPMU DEV members receive 20% off all Iubenda’s products.
CookieYes – GDPR Cookie Consent & Compliance Notice (CCPA Ready)
CookieYes adds customizable GDPR-compliant features to your website and supports cookie compliance with the LGPD (Brazil), CNIL (France), and California Consumer Privacy Act (CCPA).
This plugin’s features include selecting the applicable law, displaying the cookie banner in the header or footer, auto-hiding the cookie bar after a delay or on scroll, a revisit-consent widget, customizable cookie bar options, and cookie button shortcodes.
Cookie Yes Settings
The premium version offers additional enhancements like single-click automatic scanning and categorization of cookies, script autoblocking, location-based exclusion of the cookie notice for EU countries, user consent audit logs, cookie bar preview, cache plugin support, additional layouts and templates, and more.
Download this plugin: CookieYes
Cookiebot | GDPR/CCPA Compliant Cookie Consent and Control
Cookiebot is a freemium plugin that delivers a cloud-driven solution to automatically control cookies and trackers, and ensure GDPR, ePrivacy and CCPA compliance.
Note: The number of subpages on your website will determine whether your site runs on the free plan or a premium plan.
Download this plugin: Cookiebot
WP GDPR Compliance
WP GDPR Compliance assists WordPress site owners to comply with the GDPR.
The plugin integrates with the native WordPress comments and registration forms and automatically adds a GDPR checkbox to those forms with customizable messages. It also allows users to control consent permissions and creates special pages allowing users to exercise privacy rights requests such as ‘Right to access’ and ‘Right to be forgotten’.
WP GDPR Compliance Plugin Settings.
Download this plugin: WP GDPR Compliance
GDPR Cookie Compliance (CCPA ready)
GDPR Cookie Compliance can help your site meet some of the following data protection and privacy regulations: GDPR, PIPEDA, CCPA, AAP, LGPD and others.
Users have full control over cookies stored on their computer, including the ability to revoke their consent.
GDPR Cookie Compliance Settings screen.
The premium add-on includes additional options like a full-screen layout, geolocation, the ability to hide the cookie notice banner on selected pages and to block users from viewing 3rd-party resources until they accept cookies, export & import of settings, a WordPress Multisite extension, accept-cookies-on-scroll, a cookie declaration, consent log and analytics, language-specific scripts, and local storage of user data.
The plugin is optimised for WCAG/ADA compliance and supports all major caching servers and plugins.
Download this plugin: GDPR Cookie Compliance
Cookie Notice & Compliance for GDPR / CCPA
Cookie Notice & Compliance combines a plugin that displays a cookie notice on your website, to comply with EU GDPR and CCPA cookie laws and consent requirements, with a free web application that provides automated compliance features using an intentional consent framework that incorporates the latest guidelines on data protection and consent laws from over 100 countries.
Ouch…my demo site failed Cookie Notice’s compliance check!
Enabling the Cookie Compliance module gives you access to the full suite of compliance features. This includes customizable GDPR & CCPA notice templates, consent analytics dashboard, cookie autoblocking, cookie categories, and proof-of-consent storage.
Download this plugin: Cookie Notice & Compliance
GDPR Cookie Consent Banner
GDPR Cookie Consent Banner helps your WordPress site comply with a number of privacy laws like the GDPR, UK GDPR, CCPA, the ePrivacy Directive (EU Cookie Law), and the UK’s Privacy and Electronic Communications Regulations (PECR).
You will need to sign up for a free account and obtain an API key to unlock the plugin’s features, which include automatic cookie scans, a customizable GDPR, CCPA, and ePrivacy-compliant cookie consent banner, automatic cookie consent & preference tracking, legal policy generator, automatic cookie configuration, auto-generated cookie descriptions and cookie categories, autoblocking of scripts, multilingual support, and access to additional policy, disclaimer, and terms and conditions generators.
You will need an API key to unlock the plugin’s features.
Download this plugin: GDPR Cookie Consent Banner
EU Cookie Law for GDPR/CCPA
The plugin can be easily configured from a one-page settings screen.
EU Cookie Law plugin’s settings page
The plugin also lets you use shortcodes in posts, pages and widgets to revoke cookie consent, show a list of cookies, and prevent cookies.
Download this plugin: EU Cookie Law for GDPR/CCPA
Additional Compliance Solutions
In addition to compliance plugins, you may want to check out some of the solutions below:
As stated on their website, Termageddon is “a generator of policies for websites and applications.”
The service allows you to stay compliant with different privacy laws and regulations (e.g. US state privacy laws like CalOPPA, CCPA, DOPPA, VCDPA, Canada’s PIPEDA, and, of course, GDPR) even when these laws change, by automatically keeping your Privacy Policies updated through code placed on your website.
Learn more about this service: Termageddon
TermsFeed provides customized legal agreements and policies for online businesses.
You can access agreements and policies for free using the site’s generators and templates and purchase optional premium agreements with additional clauses for a one-time fee, so you only pay for what you need.
TermsFeed monitors changes in laws, acts, and regulations across various jurisdictions (countries and states) and notifies you if any updates are required for your generated policies.
Learn more here: TermsFeed
PrivacyPolicies.com offers an affordable solution for creating legal web documents.
Their premium one-time payment service offers additional options like the ability to add various types of clauses and download your documents in various formats (HTML, DOCX, TXT).
Learn more here: PrivacyPolicies.com
Web Compliance – It’s The Law
GDPR laws and regulations were introduced to protect and safeguard personal user data from being misused and abused in an increasingly digital-driven and internet-connected world.
The implications of privacy laws and the GDPR for businesses are wide-ranging. They require a radical change of thinking in how you do business online, from planning your website to marketing and promoting your products and services in a global economy.
The above information can help make your WordPress site more GDPR compliant. It’s important to note, however, that although we cover many areas in this comprehensive guide, it’s still not enough to guarantee 100% GDPR compliance for your business or your website.
Ultimately, making your website compliant is not just a requirement by law, it’s also a good thing for all online users. After all, we are all each other’s online consumers and we all deserve to have our personal data valued, protected, and respected.
One final reminder: As stated throughout this article, we encourage you to seek the legal advice of web compliance experts. Don’t assume that GDPR does not apply to your business or website, or that all the measures you have implemented so far are enough to make you 100% compliant.
Privacy & GDPR – Useful References
For additional information check out the links below: