The General Data Protection Regulation (GDPR) is a privacy regulation that aims to protect the privacy and personal data of the European Union (EU) citizens. It is applicable to every organization that provides its services to the citizens of the EU. So no matter where your institution is situated, if you have users in the EU, you must comply with the law.
In this article, I am going to tell you about how you can make your WordPress GDPR compliant without using plugins.
Let’s Take a Look at Why You Should Comply with GDPR
There are two main reasons for making your website compliant with the GDPR law.
The first reason is that if you are found to be non-compliant, you will likely face hefty fines. As you might already know, an organization found non-compliant with GDPR can be fined up to €20 million or 4% of its annual turnover, whichever is higher.
It is important to note that this is the maximum fine; depending on the nature of the infringement, you could simply be issued a reprimand. Having said that, if you run a small business site, even a smaller fine can be distressing.
The second reason for complying with the law is to keep the trust of your users. Since GDPR is a law that aims at protecting the privacy of users, failing to take the necessary steps to protect their privacy reflects badly on your website. Users will trust your website more if you demonstrably value their privacy.
How Does WordPress Help You Comply with the Law?
If you have a WordPress website, complying with the regulation is easier. Since version 4.9.6, WordPress core has shipped GDPR-related features, which gives any website built on WordPress a starting point for compliance.
Before getting into how WordPress helps in making the website GDPR compliant, we need to understand what GDPR requires websites to do with respect to the users’ data.
First, you must know and understand where your website collects data, what data it collects, whether that data is stored securely, and for how long it is stored.
To get started with understanding from where your website might be collecting data, let’s take a look at some of the common ways that websites in general collect data. These are:
- Contact and registration forms
- Website cookies
- Payment information if it is an e-commerce store
- Social media likes and shares
Now that you know your website is collecting personal data, you need to obtain the consent of your visitors. If users agree through an affirmative action, such as clicking a button or ticking a checkbox, you can proceed; otherwise, you cannot collect any of this data.
The personal data you store must be kept secure, and it should only be stored for a limited period of time. If the stored data is breached, the affected users should be informed as soon as possible.
Next comes understanding the rights of the users. GDPR makes it clear that users have authority over the data that the website collects. After all, it is their data, and they should have control over it. So, let’s take a brief look at the rights that GDPR gives to data subjects.
- The right to be informed: This gives users the right to have all the information about the data collection practices of the website.
- The right of access: This gives the users the right to have access to all their personal information that has been collected by the website.
- The right to rectification: The users have the right to have any incomplete or incorrect data rectified.
- The right to erasure: Also known as the right to be forgotten, this gives the users the right to have their data deleted on request, in certain circumstances.
- The right to restrict processing: In certain circumstances, this gives the users the right to limit the way an organization uses their personal data.
- The right to data portability: This gives the users the right to access and use their personal data for their own purposes.
- The right to object: In certain circumstances, the users have the right to object to the processing of their personal data by an organization.
- Rights in relation to automated decision making and profiling: The users have the right to be informed about, and to object to, profiling.
So What Are the Changes That WordPress Has Brought?
Version 4.9.6 brought some changes that help make your WordPress site GDPR compliant.
The Comment Opt-in Checkbox
Every time a user posts a comment on a blog post, WordPress creates a cookie that stores the user’s information. When this cookie is set, the users do not have to fill in their details every time they enter a comment.
WordPress now lets you add a checkbox right before the comment submit button. The checkbox informs users that a cookie will be set and asks for their consent before it is set. If users leave the box unchecked, they will have to enter their details again the next time they post a comment.
To add the checkbox under the comment box, go to the Discussion Settings page under the Settings menu in your WordPress dashboard. On this page you will find the option “Show comments cookies opt-in checkbox, allowing comment author cookies to be set.”, which lets you show or hide the comment opt-in checkbox.
Note: If you don’t see the checkbox under the comment section on your website, make sure you are logged out of your administrator account (logged-in users never see it, because their details come from their account), and make sure that your theme is compatible with the latest version of WordPress.
Export and Erase Personal Data
The Export Personal Data and Erase Personal Data features can be found under the Tools menu in the WordPress dashboard. These two features help you honor users’ requests to access their personal data and to have it removed.
Here is how it works. The user can raise a request to access his/her data or for the data to be deleted from the website. (It should be clear on the website how the users can contact you. You can either provide a contact form or make your contact details like email or phone number available to your users on the website, using which they can raise a request).
For a request to delete personal data, go to Tools > Erase Personal Data in your dashboard and enter the username or email ID of the user. An email is sent to the user asking him/her to confirm the request. Once the user has confirmed, the website admin can erase the user’s personal data.
Similarly, when a user requests access to his/her data, navigate to Tools > Export Personal Data, enter the username or email ID of the user who made the request, and click Send Request. This sends an email to the requester asking for confirmation. Once the request has been confirmed, the user can export his/her data.
This is, however, only a template and the website owner should make sure that it is consistent with the data collection and data handling practices of the website.
If you do not see these features in your dashboard, make sure that you are using WordPress version 4.9.6 or above.
Display a Cookie Banner and Take Consent
There are free and premium plugins that will do this for you, and a plugin is the obvious route for a WordPress website, but you have many more choices online when it comes to displaying a cookie notice and complying with the cookie part of the law.
Most of these online tools only require you to copy and paste a snippet of code into the source of your page. The following resources can help you do that, and all of them are free to use.
CookieYes: After creating an account, adding a snippet of code displays the cookie banner on your website. It offers multiple layouts and other customization options, and it can block or allow cookies based on the user’s consent. In addition, the website owner can manage users’ consent, display an audit of the cookies used on the website, and give users granular control over which cookies they want to keep or reject.
Cookie Script: This tool offers many different cookie notification popups that inform users and take their consent. Other features of this free tool include blocking first-party and third-party cookies, managing user consent, and showing the cookie notification based on location.
Cookie Control: This is another tool for adding a cookie consent notice to your website. It lets you customize the appearance of the notice and classify cookies into categories. Geo-targeting of the notice and multilingual support for the consent notification are pro features.
Cookie Hub: This is another tool for displaying a cookie notification on your website. It provides various features, including integration with services like Google Analytics and Facebook Pixel. Its premium features include daily reports of user consent, geo-targeting of the notification, and downloadable consent logs.
Cookie Consent: This tool lets you easily add a consent notice to your website. You first configure how you want the notice to look, and you then get a snippet of code to copy and paste into your website’s source. Detailed documentation on additional features such as blocking cookies and geo-targeting is also available on its website.
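Whichever tool you use, the security-relevant point is the same: non-essential cookies and third-party tags must not run until the visitor has affirmatively opted in. The following is an added example written for this article, not code from the article or from any of the tools above. It assumes consent is stored in a first-party cookie named `cookie_consent` and that gated tags are embedded as `<script type="text/plain" data-cookie-category="...">` placeholders; both names are assumptions.

```javascript
// Added example (not from the article or any tool above): a minimal consent gate.
// Assumptions: consent lives in a first-party cookie "cookie_consent" holding JSON such as
// {"ts":1700000000,"analytics":true,"marketing":false}; third-party tags are embedded as
// <script type="text/plain" data-cookie-category="analytics" src="..."> so they stay inert.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing'];   // non-essential categories that need consent
const MAX_AGE = 180 * 24 * 60 * 60;              // ask again after six months

// Parse a document.cookie-style string; a missing or malformed record means "no consent".
function parseConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join('=')));
      return rec && typeof rec === 'object' && Number.isInteger(rec.ts) ? rec : null;
    } catch (e) { return null; }
  }
  return null;
}

// Only an explicit boolean true is consent; unknown categories and absent records are denied.
function isAllowed(consent, category) {
  if (category === 'essential') return true;      // strictly necessary cookies need no opt-in
  return Boolean(consent && CATEGORIES.includes(category) && consent[category] === true);
}

// Build the cookie string for the visitor's checkbox choices; unknown keys are dropped and
// values are coerced to booleans, so a tampered form cannot smuggle in extra categories.
function buildConsentCookie(choices, nowSeconds) {
  const rec = { ts: nowSeconds };
  for (const c of CATEGORIES) rec[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE}; Path=/; SameSite=Lax; Secure`; // Secure needs HTTPS
}

// Pure selection step: which gated tags may run under this consent record.
function scriptsToActivate(consent, tags) {
  return tags.filter((t) => isAllowed(consent, t.category));
}

// Browser glue: turn permitted text/plain placeholders into real <script> elements.
function activateScripts(consent, doc) {
  const found = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'))
    .map((el) => ({ category: el.dataset.cookieCategory, el }));
  for (const { el } of scriptsToActivate(consent, found)) {
    const s = doc.createElement('script');
    if (el.src) s.src = el.src; else s.textContent = el.textContent;
    el.replaceWith(s);
  }
}

if (typeof document !== 'undefined') activateScripts(parseConsent(document.cookie), document);
```

A banner’s Accept button would set `document.cookie = buildConsentCookie(choices, Math.floor(Date.now() / 1000))` and then call `activateScripts` again, so nothing in a gated category runs before that click.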
None of this covers contact forms. But since contact forms are built with plugins anyway, it is better to choose plugins that are already GDPR compliant, such as WPForms, Ninja Forms, Gravity Forms, Contact Form 7, etc.
Please note that these features only help make the website GDPR compliant. The features mentioned above are enough to make a basic WordPress blog compliant, but because websites change over time, it is the responsibility of the website owner to make sure that the website continues to check all the boxes for GDPR compliance.
Disclaimer: This article should not be treated as legal advice. The website owners should seek legal advice if needed to know what is best for their website or app depending on which further actions may be required to fully comply with the law.
Saud is the WordPress Community Manager at Cloudways - A Managed WooCommerce Hosting Platform. Saud is responsible for creating buzz, spreading knowledge, and educating people about WordPress in the community around the globe. In his free time, he likes to play cricket and learn new things on the Internet. You can email him at firstname.lastname@example.org