If you are an active website owner, you must have heard about GDPR compliance. If you haven’t, you should.
GDPR or General Data Protection Regulation is a consumer data privacy regulation created by the EU which comes into effect on the 25th of May 2018. Complying with GDPR is critical, even if you don’t do business directly in the EU.
GDPR is a huge change for businesses worldwide, and its impact will also be huge. But, there are a lot of misconceptions about it.
We created this post to answer all the questions about GDPR and make a resource that website owners can use as a reference.
Before proceeding, we must clarify we are neither lawyers nor regulation experts. Please do not treat the information in this post as legal advice.
This post is created to increase awareness and explain GDPR compliance in general.
1 What is GDPR?
GDPR stands for General Data Protection Regulation, which is a regulation created by the EU for data protection and privacy for all individuals within the European Union.
GDPR will replace an older privacy law known as Directive 95/46/EC (the “Directive”), which had been the governing privacy law since 1995.
GDPR’s primary aim is to give people more control over their personal data. It applies to businesses in the EU, and businesses outside the EU if they collect or process data of individuals residing in the EU.
GDPR was passed in 2016, and the deadline to be compliant is 25th May 2018. There is no grace period, so your business must be compliant before that.
GDPR affects all businesses that collect personal data (details on that later), and the definition of personal data is very wide.
GDPR is also retroactive. That means it applies to all customer data you’re storing or using, even if it was collected before May 25th, 2018.
2 Why Should You Care About GDPR?
If you operate a website and have any visitors from the EU, then you are affected by the GDPR. It does not matter if you don’t have an email list, don’t sell any products, or don’t even advertise; you still need to be compliant.
This is because GDPR affects any business that collects the personal data of people living in the EU.
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life.
It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
As a website owner, the last part is important to remember. Even recording an IP address brings you under GDPR. Since most CMSs, including WordPress, collect IP addresses by default, that means website owners have to be compliant with GDPR.
Here are a few more examples of websites that will be affected by GDPR.
- A forum that has a user profile
- An eCommerce store that sells any product (physical or digital) and records user data (purchase or otherwise)
- An affiliate website that uses various tags for retargeting
- Any WordPress blog that allows users to comment
- Any WordPress blog that lets users sign up for email lists
- Any WordPress website that has analytics set up
In the simplest terms, if you operate any website, and are not blocking all EU traffic, then you will be affected by GDPR.
Penalties for Non-Compliance with GDPR
If your business is found non-compliant with GDPR, then you can be penalized for €20 million or 4% of your worldwide annual revenue, whichever is higher. The high costs have been put in place to encourage compliance proactively. Therefore, it is important to be compliant.
3 GDPR – The Rules in Detail
Under GDPR, your readers/users/customers have 8 rights related to their data. If you receive any request related to those rights, then you have to respond to the request within 30 days.
1. The right to be informed
Users have the right to know what data you collect and how it is used. That means you need to provide clear and concise information about why their personal data is being collected, how it will be saved, how long it will be saved, and who else will get access to it.
2. The right of access
Users have the right to access the data that has been recorded by the data controller upon request. The data controller is the entity that holds their data.
3. The right to rectification
Users have the right to have their inaccurate or incomplete data updated or rectified. If the data controller receives a request for rectification, they need to take the necessary steps to verify the accuracy of the data and update it if required.
4. The right to erasure (or to be forgotten)
Users have the right to have their personal data completely erased, and also prevent further collection of their data. If the data controller receives this request, the user is effectively withdrawing their consent for their data being recorded.
5. The right to restrict
Under certain circumstances, users can request to restrict or suppress the use and processing of their data. In this case, the data of the user may be recorded but not used for any purpose.
6. The right to portability
Users have the right to request their data in machine readable and human readable formats. They may use this data in any way they see fit and even transfer it to another data controller.
7. The right to object
Users have the right to object to the use of personal data that involves personal interests. They may also object to the use of the data in a specific way, and the data controller has to make sure that users are made aware of how their data will be processed.
8. The right not to be subject to automated decision-making
Users have the right to opt out of automated decision making when it can produce an adverse legal impact or anything similar.
4 A Webmaster’s Responsibilities Under GDPR
In layman’s terms, your responsibilities as a website owner under GDPR are:
- Inform users about your identity, the data you collect, why you collect it, how long you store it, and who you share it with
- Get clear and explicit consent from the user when collecting any data
- Let the users access and download the data you have collected about them
- Allow the users to delete their data if they wish to do so
- Inform the users within 72 hours of any data breach
Understanding each of these rules is important, so let’s discuss them one by one.
Inform users about your identity, the data you collect, why you collect it, how long you store it, and who you share it with
This rule aims to inform users who is storing their data and how it is being used. Under GDPR, you have to be specific about the data you collect and gain explicit consent (discussed in point 2) whenever you collect data.
To understand this rule, let’s take an example. Suppose that you run an eCommerce store. Here are the basics that you need to cover to comply with this rule.
- Mention your business details and contact information in your privacy policy
- Explain to users what data you are collecting and on what pages
- If you collect email addresses, mention why you collect it and gain consent
- If you email users with abandoned cart emails, mention that, and gain consent
- If you collect their addresses for shipping, mention that and gain consent
- If you allow customer reviews, mention how and where the review can be shared and gain consent
- If users can share their product pictures, mention how they can be used and gain consent
- If you share their personal information with 3rd parties (e.g. a shipping company), mention that and gain consent
- If you store their information for any period (accounting, intelligence, retargeting, etc.), mention that and gain consent
The important thing to remember is that visitors need to be informed about every way that their data can be used. They also need to be informed of every 3rd party that gets access to their data.
Get clear and explicit consent from the user when collecting any data
The ‘clear’ aspect means that you have to use everyday language to make the visitor understand the data being collected. The specifics have to be clear and cannot be buried in legal terminology like the Terms and Conditions.
The ‘explicit consent’ means that every time you collect data, the visitor has to confirm it. Usually, it can be through a checkbox, but it is important that the checkbox is not checked by default.
Let the users access and download the data you have collected about them
On a user request, you have to give them access to all the data that you have collected about them. This should include data collected by plugins and themes. The latest version of WordPress has already presented a solution, and more details are discussed in a section below.
Under this rule, you have to provide your readers with access to the data they created. For example, if they read a few posts on your website, you have to share that data. But if you used some analytics to predict the type of content they would like to read, then you can skip that information.
Allow the users to delete their data if they wish to do so
This rule is similar to the rule above, but instead of just viewing their data, visitors can also request deletion of their data. The latest version of WordPress has this feature built in and we’ve discussed this in detail in a section below.
There are a few exceptions to this rule. If there is a legal reason for you to keep the data (like invoice data), then you can refuse to delete the data.
Inform the users within 72 hours of any data breach
If the data of your visitors is leaked in any way (hacked website, stolen computers, accidental password sharing), then your visitors, readers, or customers have to be informed of the leak within 72 hours.
You also have to inform your local GDPR authorities about the leak, but that information is ambiguous.
5 How Will Your WordPress Website be Affected?
It’s obvious that all WordPress websites will be affected by GDPR. To transition into a fully compliant website, you have to start thinking about your website from a customer data perspective.
Start by making a list of all the places where data is captured and think about the guidelines mentioned above. Think along these lines.
- Am I informing users that data is being collected?
- Am I clear in mentioning what the data will be used for?
- Is there a way for my readers to provide explicit consent for this?
- Is there a way for my readers to withdraw consent for this?
- Can I make this data available to them upon request?
- Can I delete this data upon request?
- Can I anonymize this data upon request?
- Does my privacy policy mention all the required details about data use?
You have to ask yourself these questions for all the places that you collect user information from. Apart from this, you also need to know what kind of data your theme and plugins capture. Every theme and plugin you use has to be GDPR compliant as well.
WordPress websites usually collect data through the following methods.
- Registered Users
- Comments
- Contact forms
- Traffic and analytics
- Email subscriptions
- Ad solutions
- Security plugins
You have to comply with GDPR in all these places. We will discuss the steps you need to take in the next section.
6 Steps You Need to Take to Become Compliant
No matter what kind of website you operate, it is important that you become compliant with GDPR as soon as possible. Here are the steps that you need to take to make your WordPress website compliant.
Based on the basic guidelines highlighted above, you need to make changes in the following areas:
- Your Terms & Conditions page
- Your Privacy Policy
- Your Comments
- Your opt-in forms (newsletter, lead magnets, subscription form, contact forms)
- Your analytics
- Any other page where you collect user information
Step 1: Terms and Conditions
The terms and conditions are the basic rules that bind your visitors to your website, while the privacy policy deals with the data you gather.
Include relevant information about GDPR compliance and also the process of how users can place requests regarding their data.
Step 2: Privacy Policy
Since GDPR deals primarily with consumer data, the most important changes that you will need to make will be in your privacy policy.
Specifically, you have to include the following information:
- Who you are – Include your name or organization name, address, contact information, etc.
- What data is collected – Mention that you record the IP address, name, email, and any other information that you collect. This information will differ from website to website.
- Why you collect the data – Mention specifically why you collect the data that you do.
- How long the data is retained – Mention how long you will retain the data.
- How the data is shared – Who else do you share the data with? If you send email newsletters, then you share your data with your email service provider. Mention all the services that you share data with.
- How customers download their data – Describe the process by which customers can access their information. The latest version of WordPress will help you achieve this, and we discuss it in the last section.
- How to delete their data – Describe how customers can delete their data or ask for it to be deleted. The latest version of WordPress has this feature as well, which we discuss in the last section.
- Contact information of your Data Protection Officer – In most cases, this will be your email address.
An important thing to know is that WordPress 4.9.6 (released May 17th) has many features which will let you do many of the tasks discussed above.
It also has a privacy policy generator which guides you on what information needs to be included in your privacy policy. We have discussed the details in the last section.
Step 3: Your Comments
Since comments will be stored on your website and qualify as personal data, that means that you have to have the explicit consent of the user before capturing their information. The latest version of WordPress has this feature as well.
Step 4: Contact Forms
Any contact form and other venues from which a user can submit their information have to be made compliant by adding information about what data is being captured and how it will be used. You will also need to add a checkbox for users to provide consent to the use of this data.
Step 5: Analytics
You need to review all analytic solutions that you use on your website and mention the data being captured in your privacy policy.
Step 6: All pages that capture information
Review all the pages which might capture user information (via content upgrades, etc.) and follow GDPR guidelines on those pages as well.
Step 7: All plugins, themes, and 3rd party services
Review your themes, plugins, and other 3rd party services (email service, etc.) and make sure that all of them are GDPR compliant. Failure of a theme or plugin to be compliant implies that you are also non-compliant with GDPR.
7 Upcoming WordPress Compliance
Since WordPress is such an important and huge part of the web, the WordPress team has made many changes in the latest version (4.9.6) to comply with GDPR regulation. Let us walk you through the important changes and how you can configure WordPress to be compliant.
When you install or update to the 4.9.6 version, the first thing you will see is a notification about setting up a privacy policy and the addition of new tools to WordPress.
You can navigate to Settings -> Privacy to create a privacy policy.
You will reach the following page. Here you will select an existing page where you want to place your privacy policy. If you don’t have a dedicated one, you can always create one. For this example, we created a new page.
WordPress will create a page and share the basic information that you should have on your privacy policy. Do not publish it outright.
The text shared by WordPress is a sample privacy policy. Take the time to review the content in the policy, add or remove data, and only then publish the policy.
Apart from the privacy policy, WordPress has also added tools for users to view their data, and even request deletion of their data. Currently, the process is manual, but we’re sure that more tools will come along later that will help automate the process.
The process works this way.
- A user requests to view or delete their data (via comments, contact form, or other means)
- The site admin goes to the export or erase personal data setting and enters the readers’ email ID, and clicks ‘send request’
- The reader receives an email with a confirmation link to confirm their request
- If the user clicks the link, their request is confirmed, and the site admin can send them an email with their personal data with the click of a button
- The user can download the file and view their personal data. The file is deleted after 72 hours for security purposes
- If the request is for deletion, then the site admin can delete the data after the reader has confirmed their request
WordPress has also made changes to the comment system. Since a website will save the IP Address and the email of the commenter, it is important to take explicit consent from the commenter.
In the new version, when a visitor comments, they will have to check a checkbox for WordPress to save a cookie on their computer.
8 How Has MyThemeShop Prepared for GDPR?
We are happy to announce that all MyThemeShop products are GDPR compliant. If you use only MyThemeShop products, then your website is already on the path to compliance.
Here are the steps we’ve taken to make MyThemeShop products compliant with GDPR.
- All MyThemeShop products will describe the data they record, and for what purpose. Site admins will have to provide explicit consent about the use of the data. Once they give consent, they can then update their privacy policy describing the use of the data.
- For viewing and removal of data, MyThemeShop uses WordPress core features that we described in the section above. When a user requests their data, all data recorded by MyThemeShop products is also included in the report. If a user requests the removal of their data, all the data recorded by MyThemeShop products will also be deleted.
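The export and erase flow described in the section above, and the way a theme or plugin can have its own records included in it, as an added example (not code from the post or from MyThemeShop’s products). It registers with the WordPress 4.9.6 `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters; the custom table `wp_mts_demo_leads` and its columns are a hypothetical stand-in for whatever a theme or plugin actually stores.

```php
<?php
/*
Plugin Name: MTS Demo Privacy Hooks (example only)
*/
// Added example: hook a plugin's own stored data into the core
// Settings > Export Personal Data / Erase Personal Data tools.
// Assumption: a hypothetical table `{prefix}mts_demo_leads` with
// columns id, email, ip, created_at.

/**
 * Exporter callback. WordPress calls it with $page = 1, 2, ... until
 * 'done' is true, and merges the items into the user's export file.
 */
function mts_demo_export_leads( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'mts_demo_leads';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, ip, created_at FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'mts_demo_leads',
            'group_label' => __( 'Lead form submissions', 'mts-demo' ),
            'item_id'     => 'lead-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'IP address', 'mts-demo' ),   'value' => $row->ip ),
                array( 'name' => __( 'Submitted on', 'mts-demo' ), 'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a full page means more may follow
    );
}

function mts_demo_register_exporter( $exporters ) {
    $exporters['mts-demo-leads'] = array(
        'exporter_friendly_name' => __( 'MTS demo lead form', 'mts-demo' ),
        'callback'               => 'mts_demo_export_leads',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'mts_demo_register_exporter' );

/**
 * Eraser callback. Deletes the rows held for this email address; rows that
 * must be kept for a legal reason (see the invoice-data exception in the post)
 * would instead be reported via 'items_retained' and a message.
 */
function mts_demo_erase_leads( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'mts_demo_leads';
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE email = %s", $email_address )
    );

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,    // true, plus a message, if some rows are kept
        'messages'       => array(),
        'done'           => true,
    );
}

function mts_demo_register_eraser( $erasers ) {
    $erasers['mts-demo-leads'] = array(
        'eraser_friendly_name' => __( 'MTS demo lead form', 'mts-demo' ),
        'callback'             => 'mts_demo_erase_leads',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'mts_demo_register_eraser' );
```

Once the plugin is active, the rows appear in the file sent from Tools > Export Personal Data and are removed by Tools > Erase Personal Data after the user has confirmed the request by email.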
9 FAQs About GDPR
- Do I need to hire a data protection officer?
Not necessarily. Hiring a Data Protection Officer (DPO) is only mandatory if you are a data controller with more than 250 employees.
- I run a personal blog on WordPress. Do I need to be compliant as well?
GDPR is a regulation only for corporate entities. If you monetize your business in any way, then you will be considered a business. Even if you don’t monetize your website, but use any service that collects user data in any way, make sure they are compliant with GDPR and update your privacy policy accordingly.
Also, use the upcoming WordPress features to become compliant easily. Since the cost of non-compliance is so high, it is better to be safe than sorry.
- What is meant by explicit consent?
Explicit consent means that every request for data capture must be specifically agreed. Since most consent on websites is through checkboxes, explicit consent means that check boxes must be unchecked by default.
Thanks for providing these details about GDPR. I will take my time to read it and bring all my sites up to date. Thanks
Hello Diana
Thank you for leaving a comment.
You can even bookmark this page for later reading.
Feel free to share it across on social media and stay tuned for more.
Hi guys, I am using the Splash theme on a couple of websites using WP and I do not have the checkbox for WordPress to save a cookie on the commenter’s computer. Are you working on the update? I seem to have everything updated. Thanks!
Hello Alejandro,
Thank you for your comment.
We are pushing updates to all our products as we speak. Since we have 150+ products, it might take up to a day for all products to be updated.
Do not worry though, your theme will be updated soon.
Hi Team, thank you for this write up. It’s an excellent guide and makes it much easier to understand the regulations. I have taken some steps to (hopefully) ensure my sites are now compliant with GDPR.
Keep up the great work!
Hello Glen
We are glad you found this helpful for your website.
Thank you for leaving a comment. Stay tuned for more.
A detailed guide for all the people connected to the internet world! Thanks for sharing the clearance of GDPR.
Masud Parvage
@ Micro Dollarz
Hello Masud,
Thank you for leaving a comment, and we are glad you liked this.
Feel free to share it across on social media and keep visiting for more.
Hello,
My question is that if I provide a popup saying
“By closing this banner, scrolling this page, clicking a link or continuing to browse otherwise, you agree to the use of cookies.”
Does that count as explicit consent? Looking forward to your comment.
Hello,
No, it doesn’t count as explicit consent. Users have to acknowledge that they read the text and agreed to it. That can only be done if they click a button shown beside the text that they are agreeing to.
Hope that helps.
Let us know if you have any more doubts, we are here to help.
Is the ‘Crypto theme’ GDPR compliant?
I do not see an update for it.
Hello Jude,
We are working on updating all our products as we speak.
It might take some time as we have 150+ products, but don’t worry, your theme will be updated soon.
Very informative article. Thanks for providing all details. I just updated my privacy policy to meet the new requirements.
Hello Manoj,
Glad this article helped you.
Thank you for your comment. Stay tuned for more.
Hello,
Thanks for this article.
I run a WordPress blog with mythemeshop installed on it.
I have a contact form to capture people’s leads and people can also comment on my blog.
Are those elements considered as cookies?
I’m not sure if my blog uses cookies or not even if I don’t put any files on people’s computers.
Since I don’t collect any other information, this is what I put in my Privacy Policy :
“This website does not use cookies but we work with other third party websites that may use cookies…”
Is that ok?
Thanks for your help
Hello Jose,
WordPress uses cookies by default. So, if you are using WordPress, you are setting cookies in a visitor’s browser as well.
Most of the contact forms capture a sender’s IP, so you have to be GDPR compliant as well.
Thankfully, WordPress’ latest version 4.9.6 gives you tools to place relevant information in your privacy policy to be compliant. You can access these from Settings > Privacy.
Hope that helps.
Hello Team,
Thanks for this detailed guide about GDPR. I have shared this guide to my followers
Hello Jenny
Thank you for leaving a comment and sharing it across.
Stay tuned for more.
If I am using the free wordpress.com and not using any plug-ins etc do I still need to come up with a privacy policy, or is the pop-up from WordPress about privacy and cookies enough?
Hello Teresa,
Yes, it should be enough but for further details you can read the article posted by automattic (owners of WordPress.com) here: https://automattic.com/automattic-and-the-general-data-protection-regulation-gdpr/
Hope that helps.
Do not hesitate to let us know if you have any more doubts.
Hi Theme, thanks for the GDPR article. It made me aware of the steps that I need to take to become compliant with GDPR. I am not sure if I need to adjust my contact page or my comment page on my website to become GDPR compliant. Please advise.
Regards,
Ronnie
Hello Ronnie,
Thanks for leaving a comment.
You will need to update both. If you are using our themes, we have already updated them to be compliant. If you are using any other theme, please get in touch with your developer and see if they have already updated your theme for GDPR.
This article is an excellent guide to GDPR and it makes understanding the regulation much easier. And you have clearly mentioned the steps that we need to take to become compliant, with all details from the terms and conditions page to collecting user information. Thank you
Hello Mike,
Glad you liked the article and found it helpful.
Thank you for leaving a comment. Keep visiting.
It is absolutely Un-True that compliance under EU GDPR is mandatory for anyone outside the EU.
YOU are not liable for anything under GDPR.
The USA is a sovereign Nation State, not subject to the edicts, laws or regulations of either the UN, the EU or any other half-baked alliance of Kings, Queens or Parliamentary Associations. If anything, their laws and regulatory efforts must be compliant with Our Edict, Laws and Regulatory Requirements.
By signing the EU-US Privacy Shield agreement, you admit subservience to the GDPR Authority, thereby becoming a “vassal” of the EU’s regulatory machinery. If you or your business refuse to sign or comply with the agreement, the EU may, under its own laws, prevent its citizens or businesses from accessing or utilizing your online presence, ( of course, they won’t ) but they have no legal presence or authority that compels your compliance if you reside ( or if your web presence originates ) outside the EU.
The standard, common sense, privacy statement utilized by every E-commerce enabled website is already sufficiently compliant without becoming vassals of UN or EU globalist expansion efforts by signature or fait accompli. The same theory applies equally to voluntary Email or Membership subscriptions by EU citizens wherein they supply routine contact information.
IF the Global purveyors of Merchant account and payment gateway services wish to sign and comply with such an agreement, it has no effect on our website businesses since payment processing Data comprises a “Pass Through Transaction” wherein the credit card processor is the only entity maintaining an archival record of the customers data. YOU don’t archive the information so YOU are either exempt or already compliant.
We need to take this very seriously simply because the next step will be to put restrictions on what products are “acceptable” for sale to EU customers. That will be followed by mandated license requirements, product approval requirements, specification submission requirements, licensing fees and Tax mandates. Soon … as in probably THIS YEAR … you will certainly be required to post your Democratic Socialist Affiliation Sticker on your landing page … or be excluded from the EU markets.
Hello Sid,
Thanks a lot for your comment.
We appreciate you taking the time to write an extensive reply.
We are not lawyers so we are not in a position to agree or disagree with your points.
We would recommend that the website owners should consult a lawyer in these scenarios.
Thank you.
Great Article! Thanks for providing valuable information on GDPR pertaining to wordpress.
Hello Chris,
Glad you liked the article and found this helpful.
Thank you for leaving a comment.
Hello, thanks for this article. I have recently purchased and installed the Designer theme from MyThemeShop and understood from this article that the theme is GDPR compliant. I would like to know if I also need to install a GDPR plugin as well?
Hello Liviu,
Thanks for your comment.
If you only use the theme from MyThemeShop, you don’t need any GDPR plugin. However, you should use one if you use other plugins that collect personal information about your users from Europe.
Hope that helps and please do not hesitate to let us know if you need our assistance with anything else.