On May 25, the General Data Protection Regulation (GDPR) went into effect in the European Union. It claims jurisdiction over any website that holds data on EU citizens, so compliance is a worldwide issue.
The new regulation places strong restrictions on the collection and use of personal information. Many sites are finding it easier to apply the new standards to everyone, rather than to figure out who is a citizen of the EU. It’s a long and complex document. Some of its major points are:
- Sites that collect information on people must have a specific purpose for asking for it, and they can’t use it in other ways without the subject’s consent.
- Consent is required for collecting information, and it has to be removed if the subject withdraws it. Providing certain information can be a condition of doing business, but the termination of business which requires the information is the only penalty that can be applied.
- Information on data collection and privacy needs to be in clear and understandable language. This is why so many sites have been updating their privacy policies.
Keeping track of permissions and providing required notifications can be a difficult task, especially for a site with limited resources. Fortunately, WordPress has supplied some tools which make it easier, and third-party software creators offer some more.
The first step is to make sure your site is updated to WordPress 4.9.6, or whatever the latest version is as you’re reading this. Just doing that will aid in compliance.
By a strict reading of GDPR, any site that accepts comments may have compliance issues. WordPress comment forms normally ask for the commenter’s name, email address, and website. That’s personal information, and you need explicit consent to collect it. It’s doubtful that the EU authorities will go after low-traffic blogs for failing to get consent, but it’s all new territory right now. The safest approach is to add an opt-in checkbox which users must click before they can comment.
WordPress 4.9.6 doesn’t go quite this far, but it adds a checkbox to the default comment form. It has this text: “Save my name, email, and website in this browser for the next time I comment.” Users can comment without checking that box, but all their comments may go into moderation, depending on the site’s approval settings.
All approved comments will appear on the site, though; that’s the point of commenting. Does the fact of leaving a comment constitute explicit permission to publish it? If the author insists on removal of comments, are you obligated to comply? GDPR includes a so-called “right to be forgotten,” so it’s at least possible. But if you get a request to delete comments, how do you make sure it’s authentic?
None of this is clear, but you have options. There’s no way in WordPress core to search by the commenter’s name, but you can sort comments by author, making it easier to find all the ones by the same person. You can then delete them without much trouble. Some plugins can make this job easier.
If your site engages in e-commerce, the stakes are higher, if only because your site is more likely to be noticed by the EU authorities. You need to review all the information you’re collecting and make sure you’re obtaining consent. Check if the e-commerce plugin which you’re using has a GDPR-related update.
WooCommerce, for example, has new features for compliance in version 3.4. it provides updated text for notifications and allows anonymization in exporting data.
A number of third-party plugins are available to help with compliance. Some could be useful; others could be junk or worse. As usual, get plugins only from trustworthy sources.
Recently WordPress updated its guidelines to prohibit developers to prohibit “implying that a plugin can create, provide, automate, or guarantee legal compliance.” This doesn’t mean they can’t be helpful. It just means that developers shouldn’t give legal advice concerning what their code does. Developers can say that their products may be helpful in achieving compliance, but the responsibility for complying is yours. Many plugin sites now have disclaimers.
Some plugins have “GDPR” in their names, which clearly suggests they’re intended to help you comply. Most of them are third-party products. If they’re available on WordPress.org, they’ve gone through a review process. None of them are endorsed by the EU.
WP GDPR Compliance covers similar ground. It lets a site add an opt-in checkbox to forms, including comments, Contact 7, WooCommerce, and Gravity Forms. Users can ask to view the data on themselves; they get a temporary link sent to their email address.
WP GDPR creates a page for users to ask for their personal data, as well as giving the site owner information on what plugins are collecting personal information. Users can ask to have comments removed, and the plugin provides a quick way to do the deletion.
Beyond that, you have to judge the seriousness of the issue based on what kind of information you collect and how much of an EU presence you have. If in doubt, ask a lawyer. Many tools are available to help your site stay clear of violations.