What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
Basically, after May 25th, 2018, businesses that are not in compliance with GDPR’s requirements can face large fines of up to 4% of the company’s annual global revenue OR €20 million (whichever is greater).
Does GDPR apply to my WordPress site?
The answer is yes. It applies to every business, large and small, around the world (not just in the European Union). If your website has visitors from European Union countries, then this law applies to you.
The EU’s goal is to protect consumers from the reckless handling of data/breaches.
What is required under GDPR?
The goal of GDPR is to protect users’ personally identifiable information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.
Personal data includes names, email addresses, physical addresses, IP addresses, health information, income, etc.
Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form, because they DID NOT opt in to your marketing newsletter.
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
Rights to Data – you must inform individuals where, why, and how their data is processed and stored. An individual has the right to download their personal data, and an individual also has the right to be forgotten, meaning they can ask for their data to be deleted.
This makes sure that when you hit Unsubscribe or ask a company to delete your profile, they actually do it.
Breach Notification – organizations must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individuals’ data. However, if a breach is high-risk, then the company MUST also inform the individuals who are impacted right away.
Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. This is not required for small businesses.
GDPR makes sure that businesses can’t go around spamming people with emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent. Businesses have to delete a user’s account and unsubscribe them from email lists if the user asks them to. Businesses have to report data breaches and overall be better about data protection.
What do you need to do to make sure that your WordPress site is GDPR compliant?
Is WordPress GDPR Compliant?
As of WordPress 4.9.6, the WordPress core software is GDPR compliant. The WordPress core team has added several GDPR enhancements to make sure of this. When we talk about WordPress, we’re talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).
Due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.
By default WordPress 4.9.6 now comes with the following GDPR enhancement tools:
By default, WordPress used to store the commenter’s name, email, and website as a cookie in the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.
Because of GDPR’s consent requirement, WordPress has added a comment consent checkbox. The user can leave a comment without checking this box; it only means that they have to manually enter their name, email, and website every time they leave a comment.
If your theme is not showing the comment privacy checkbox, then please make sure that you have updated to WordPress 4.9.6 and are using the latest version of your theme.
If the checkbox is still not showing, then your theme is likely overriding the default WordPress comment form. Here’s a step by step guide on how to add a GDPR comment privacy checkbox in your WordPress theme.
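If you would rather fix the missing checkbox yourself, the snippet below is an added example (not code from the article, the WPBeginner guide, or WordPress core) for a theme’s functions.php or a small site-specific plugin. It hooks the real `comment_form_fields` filter, which runs after a theme’s own `fields` argument has been merged in, and restores the core `cookies` field only when it is absent. The function name `example_restore_comment_cookies_consent` is hypothetical; the field key `cookies` and the input name `wp-comment-cookies-consent` are the ones WordPress 4.9.6 uses when deciding whether to set the commenter cookies.

```php
<?php
/**
 * Added example (not from the original article or WordPress core): put the
 * GDPR cookie-consent checkbox back when a theme builds its own list of
 * comment-form fields and drops the 'cookies' entry that core added in 4.9.6.
 */

/**
 * Ensure the 'cookies' field is present in the final comment form fields.
 *
 * wp-comments-post.php only sets the commenter cookies when the request
 * carries 'wp-comment-cookies-consent', so the input name must stay exactly
 * as core expects it.
 *
 * @param array $fields Comment form fields keyed by name ('comment', 'author', ...).
 * @return array
 */
function example_restore_comment_cookies_consent( $fields ) {
    if ( isset( $fields['cookies'] ) ) {
        return $fields; // The theme kept the core field; nothing to do.
    }

    $commenter = wp_get_current_commenter();
    // Core pre-checks the box only for a visitor who already consented earlier
    // (the commenter cookies exist). A new visitor sees it unticked, which is
    // the positive opt-in GDPR asks for.
    $consent = empty( $commenter['comment_author_email'] ) ? '' : ' checked="checked"';

    $fields['cookies'] = sprintf(
        '<p class="comment-form-cookies-consent">' .
        '<input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"%s /> ' .
        '<label for="wp-comment-cookies-consent">%s</label></p>',
        $consent,
        // Same string as core, so existing translations apply.
        esc_html__( 'Save my name, email, and website in this browser for the next time I comment.' )
    );

    return $fields;
}
// Priority 99 so it runs after any filter the theme registers on the same hook.
add_filter( 'comment_form_fields', 'example_restore_comment_cookies_consent', 99 );
```

The check for an existing `cookies` key keeps the filter harmless on themes that already show the box; the field is only rendered for logged-out visitors because `comment_form()` skips everything except the textarea for logged-in users.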
Data Export and Erase Feature
WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor users’ requests to export their personal data as well as to remove it. The data handling features can be found under the Tools menu inside the WordPress admin.
These three things are enough to make a default WordPress blog GDPR compliant. However, it is very likely that your website has additional features that will also need to be in compliance.
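The export and erase tools under Tools only know about the data WordPress core stores (users, comments, media). Anything a plugin of your own keeps, for example saved form entries, has to be plugged in through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The block below is an added example, not code from the article or from any named plugin; it assumes a hypothetical plugin table `{$wpdb->prefix}example_form_entries` with columns id, email, name, message and created_at, and every function name in it is invented for the illustration.

```php
<?php
/**
 * Added example (not from the original article or any plugin): register a
 * personal-data exporter and eraser so site-specific data shows up in
 * Tools > Export Personal Data and Tools > Erase Personal Data.
 *
 * Assumption: entries live in {$wpdb->prefix}example_form_entries
 * (id, email, name, message, created_at). Table and function names are hypothetical.
 */

/**
 * Exporter callback. WordPress calls it with an increasing $page until 'done'
 * is true, so large data sets come back in batches rather than one query.
 */
function example_entries_exporter( $email_address, $page = 1 ) {
    global $wpdb;

    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'example_form_entries';

    // The address comes from the request screen; bind it, never interpolate it.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, message, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-form-entries',
            'group_label' => __( 'Contact Form Entries' ),
            'item_id'     => 'example-form-entry-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name' ),      'value' => $row->name ),
                array( 'name' => __( 'Message' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted' ), 'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

/**
 * Eraser callback. The return value tells WordPress whether anything was
 * removed or deliberately retained, so the site owner can explain it to the
 * requester in the confirmation email.
 */
function example_entries_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries';

    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true, // One DELETE covers every row, so a single pass is enough.
    );
}

// Register both with core so they appear on the Tools screens and run when
// the site owner confirms a request.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-form-entries'] = array(
        'exporter_friendly_name' => __( 'Contact Form Entries' ),
        'callback'               => 'example_entries_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-form-entries'] = array(
        'eraser_friendly_name' => __( 'Contact Form Entries' ),
        'callback'             => 'example_entries_eraser',
    );
    return $erasers;
} );
```

Both callbacks receive only an email address; WordPress has already verified that the requester controls it (or that an admin approved the request) before anything is exported or deleted, so the callbacks should not add their own identity checks that could be bypassed.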
Areas on Your Website that are Impacted by GDPR
Depending on which WordPress plugins you are using on your website, you will need to act accordingly to make sure that your website is GDPR compliant.
A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:
Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:
- Anonymize the data before storage and processing begins
- Add an overlay to the site that gives notice of cookies and asks users for consent prior to tracking
Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re okay.
They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read, if you’re using Google Analytics on your site).
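For readers who do paste the tracking code themselves, the following is an added example (not from the article, MonsterInsights, or Google) of doing both things the list above asks for from a theme or plugin: the gtag.js snippet is printed in `<head>` only when an explicit consent cookie is present, and it is printed with `anonymize_ip` switched on. The measurement ID `UA-XXXXXXX-Y` is a placeholder, the cookie name `example_tracking_consent` is hypothetical (match it to whatever your cookie banner sets), and the function names are invented.

```php
<?php
/**
 * Added example (not from the original article, MonsterInsights, or Google):
 * consent-gated Google Analytics with IP anonymization for a WordPress site.
 *
 * Assumptions: replace the placeholder measurement ID; the cookie banner sets
 * a cookie named EXAMPLE_CONSENT_COOKIE to "yes" when the visitor agrees.
 */

const EXAMPLE_GA_ID          = 'UA-XXXXXXX-Y';             // Placeholder; replace.
const EXAMPLE_CONSENT_COOKIE = 'example_tracking_consent'; // Hypothetical cookie name.

/**
 * Has the visitor opted in? Only an explicit "yes" counts; a missing cookie or
 * any other value means no tracking, i.e. default-deny rather than a
 * pre-ticked box.
 */
function example_visitor_consented_to_tracking() {
    return isset( $_COOKIE[ EXAMPLE_CONSENT_COOKIE ] )
        && 'yes' === $_COOKIE[ EXAMPLE_CONSENT_COOKIE ];
}

/**
 * Print the tracker in <head>, consent permitting. Site administrators are
 * skipped too so backend visits do not end up in the statistics.
 */
function example_print_gtag_with_consent() {
    if ( ! example_visitor_consented_to_tracking() || current_user_can( 'manage_options' ) ) {
        return;
    }
    $id_attr = esc_attr( EXAMPLE_GA_ID ); // For the script URL.
    $id_js   = esc_js( EXAMPLE_GA_ID );   // For the single-quoted JS string.
    ?>
    <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo $id_attr; ?>"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      // anonymize_ip: Google zeroes the last octet of IPv4 / last 80 bits of IPv6
      // addresses before the hit is stored, which is the "anonymize before
      // storage and processing" option from the list above.
      gtag('config', '<?php echo $id_js; ?>', { 'anonymize_ip': true });
    </script>
    <?php
}
add_action( 'wp_head', 'example_print_gtag_with_consent' );
```

Because the decision is made server-side before the snippet is emitted, a visitor who never consents never downloads gtag.js at all, which is easier to demonstrate to an auditor than a client-side switch that loads the library and then suppresses hits.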
If you are using a contact form in WordPress, then you may have to add extra transparency measures, especially if you’re storing the form entries or using the data for marketing purposes.
Below are the things you might want to consider for making your WordPress forms GDPR compliant:
- Get explicit consent from users to store their information.
- Get explicit consent from users if you are planning to use their data for marketing purposes (i.e. adding them to your email list).
- Disable cookies, user-agent, and IP tracking for forms.
- Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
- Comply with data-deletion requests.
- Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.
The good part is that if you’re using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc., then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.
Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.
WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.
Note: We have created a step by step guide on how to create GDPR compliant forms in WordPress.
Email Marketing Opt-in Forms
Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.
This can be done with either:
- Adding a checkbox that the user has to tick before opting in
- Simply requiring double opt-in for your email list
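The double opt-in route is worth seeing end to end, because it is also what stops a stranger from subscribing somebody else’s address. The block below is an added example, not code from the article or from OptinMonster, of a minimal double opt-in flow on a self-hosted WordPress site: the signup is held as a pending transient keyed by the hash of a random token, the token is emailed as a confirmation link, and only a click on that link adds the address to the list. The form action name `example_subscribe`, the nonce field `example_subscribe_nonce`, the `example_subscribers` option and every function name are hypothetical.

```php
<?php
/**
 * Added example (not from the original article or OptinMonster): double opt-in
 * newsletter signup for WordPress. The address is only added to the list after
 * the recipient clicks the confirmation link.
 *
 * Assumptions (hypothetical): the signup form POSTs to admin-post.php with
 * action=example_subscribe plus a nonce field named example_subscribe_nonce;
 * confirmed addresses are kept in the 'example_subscribers' option.
 */

const EXAMPLE_CONFIRM_TTL = 2 * DAY_IN_SECONDS; // Unconfirmed signups expire.

/** Step 1: record a pending signup and email a single-use confirmation link. */
function example_handle_subscribe() {
    check_admin_referer( 'example_subscribe', 'example_subscribe_nonce' );

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( esc_html__( 'Please enter a valid email address.' ), 400 );
    }

    // The random token travels only in the email; the database holds its hash,
    // so reading the options table does not yield working confirmation links.
    $token = wp_generate_password( 32, false );
    set_transient( 'example_pending_' . hash( 'sha256', $token ), $email, EXAMPLE_CONFIRM_TTL );

    $link = add_query_arg( 'example_confirm', rawurlencode( $token ), home_url( '/' ) );
    wp_mail(
        $email,
        __( 'Please confirm your subscription' ),
        sprintf( __( "Click to confirm your subscription:\n%s\n\nIf you did not sign up, ignore this email." ), $link )
    );

    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    wp_safe_redirect( add_query_arg( 'subscribed', 'pending', $back ) );
    exit;
}
add_action( 'admin_post_nopriv_example_subscribe', 'example_handle_subscribe' );
add_action( 'admin_post_example_subscribe', 'example_handle_subscribe' );

/** Step 2: the link is clicked; move the address from pending to confirmed. */
function example_handle_confirm() {
    if ( empty( $_GET['example_confirm'] ) ) {
        return;
    }
    // Lookup is by the hash of the presented token, so an unknown or expired
    // token simply finds nothing; no secret is compared in user-controlled time.
    $key   = 'example_pending_' . hash( 'sha256', (string) wp_unslash( $_GET['example_confirm'] ) );
    $email = get_transient( $key );
    if ( false === $email ) {
        wp_die( esc_html__( 'This confirmation link is invalid or has expired.' ), 400 );
    }
    delete_transient( $key ); // Single use.

    $list = (array) get_option( 'example_subscribers', array() );
    if ( ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'example_subscribers', $list, false );
    }
    wp_safe_redirect( add_query_arg( 'subscribed', 'confirmed', home_url( '/' ) ) );
    exit;
}
add_action( 'template_redirect', 'example_handle_confirm' );
```

The expiring transient doubles as the "explicit consent" record GDPR asks for: until the link is clicked nothing is on the mailing list, and a signup that is never confirmed disappears on its own after two days instead of lingering in the database.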
Top lead-generation solutions like OptinMonster have added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about GDPR strategies for marketers on the OptinMonster blog.
The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.
If your website is running retargeting pixels or retargeting ads, then you will need to get users’ consent. You can do this by using a plugin like Cookie Notice.
Best WordPress Plugins for GDPR Compliance
There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites.
Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.
Below is our list of recommended plugins for facilitating GDPR compliance:
- MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon.
- WPForms – by far the most user-friendly WordPress contact form plugin. They offer GDPR fields and other features.
- Cookie Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
- Delete Me – a free plugin that allows users to automatically delete their profile on your site.
- OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
- Shared Counts – instead of loading the default share buttons, which add tracking cookies, this plugin loads static share buttons while still displaying share counts.