The Ultimate Guide to WordPress and GDPR Compliance

Are you confused by GDPR and how it will impact your WordPress site? The GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We've received dozens of emails from users asking us to explain the GDPR in plain English and share tips on how to make your WordPress site GDPR-compliant.

In this comprehensive guide, we will clearly explain everything you as a website owner need to know about achieving GDPR compliance for your WordPress site.

What Is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that went into effect on May 25, 2018. The goal of the GDPR is to give EU citizens more control over their personal data and reshape how organizations around the world approach data privacy.

Map of EU countries

Over the years, you’ve likely gotten emails from companies like Google about the GDPR, new privacy policies, and other legal information. That’s because the EU has established large penalties for non-compliance. Businesses that don’t comply with the GDPR requirements can face fines up to 4% of annual global revenue or €20 million, whichever is greater.

This has caused widespread panic and urgency among businesses globally to get compliant. Since the GDPR went into effect, data protection authorities in the EU have issued hundreds of millions of euros in fines for violations:

Year | Total GDPR Fines Issued
2018 | €56 million
2019 | €114 million
2020 | €192 million

Clearly, enforcement and penalties are ramping up year after year. Complying with GDPR is no longer optional.

The GDPR also inspired similar privacy legislation in other parts of the world, like the California Consumer Privacy Act (CCPA), which took effect January 1, 2020. The CCPA gives California residents more control over their personal data. While the CCPA has lower fines than GDPR, it shows the global regulatory trend toward stronger personal data rights.

Does the GDPR Apply to My WordPress Website?

The short answer is yes, the GDPR likely applies to your WordPress site if you have any visitors from the EU. The GDPR considers any organization with a website that can be accessed in the EU to be subject to the regulation if they process EU users’ data.

Don’t panic though. It’s not the end of the world. Regulators won’t go straight to huge fines. They’ll first issue warnings, followed by reprimands and suspensions, before large penalties hit.

Fines will only come if you knowingly ignore the law after repeated attempts to get you to comply. The goal of data protection authorities is protecting consumers, not punishing businesses. By making a good faith effort to follow the rules, you can boost user trust and grow your business.

What Does the GDPR Require Organizations to Do?

At a high level, the GDPR aims to give users more transparency and control over their personal data. It also holds businesses to higher standards for properly collecting, storing, protecting, and using that personal information.

Personal data under GDPR includes names, emails, locations, IP addresses, health info, income, behavioral data, and plenty more that can identify an individual.

While the full GDPR regulation is hundreds of pages long, here are the key requirements to know about:

Gain Explicit Consent

To collect EU residents’ personal data, you need to gain their explicit, unambiguous permission through an opt-in. You can’t just email people who gave you a business card once or used your contact form – that would break anti-spam laws. Users must clearly opt in and consent to having their data collected and used by your website.

Gaining GDPR-valid consent requires:

  • Checkbox opt-in or other affirmative action
  • Clear, plain language – no confusing legal jargon
  • Consent separate from terms and conditions or other agreements

In other words, consent cannot just be bundled into your website’s terms and conditions. It requires a specific opt-in.

Honor Right of Access and Deletion

You must clearly inform users about how you collect, process, use, and store their personal data. They have the right to download a copy of their data from you.

Users also have a right to erasure under GDPR, meaning you must completely delete their personal data if they make a valid request. When a user unsubscribes from your email list, cancels their account, or otherwise withdraws consent, you have to honor those requests.

Minimal Data Collection

You should only collect and store the minimum personal data needed for your specific purposes. Identify your lawful basis for processing data and avoid gathering unnecessary information.

Report Data Breaches

Data breach notifications are required within 72 hours of discovery, unless the incident is unlikely to result in a risk to individuals’ rights. In cases of high-risk breaches, you must also communicate directly to any users who are impacted.

Assign Data Protection Officer (If Needed)

Public authorities and organizations that conduct large scale processing of sensitive data may need to formally designate a Data Protection Officer (DPO). Most small businesses do not require a dedicated DPO.

Regular Audits

Continuously evaluating and testing your data practices is crucial for ongoing GDPR compliance. Conduct internal audits every 6 months to identify any gaps.

In plain terms, the GDPR ensures you can’t spam people, sell their data without consent, or ignore their requests to delete their data. You must be transparent about how you handle data and quickly report any breaches. By respecting users’ privacy rights, you build trust.

Is the WordPress Software Platform GDPR Compliant?

Yes, the WordPress core software has been GDPR compliant since version 4.9.6 released on May 17, 2018. The WordPress team added several enhancements to meet key GDPR requirements like consent for comments, data export, and breach notification tools.

However, no single platform can guarantee full GDPR compliance for any website due to the dynamic nature of how sites are built and used. Your specific compliance obligations depend on your:

  • Website content
  • Plugins and features
  • Data collection and usage
  • Location of visitors
  • Business activities

For example, an ecommerce site and simple blog have very different data practices and GDPR needs. While WordPress core provides GDPR-ready features, additional effort is required based on your website implementation and visitors.

Let’s look at some of the tools WordPress includes to aid compliance:

Comment Consent Checkbox

Users must opt in and consent to cookies that store their name, email, and website for pre-filling on future comments. This checkbox ensures active consent:


If it’s missing, your theme is overriding the default comment form. Follow these steps to add the checkbox back.
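One way a theme or child theme can restore the checkbox when another filter has stripped it, written here as an added example rather than code from the article or from WordPress core. It hooks `comment_form_default_fields` late (priority 99, an assumed value) and rebuilds the `cookies` field with the same markup core uses, because `wp_set_comment_cookies()` only stores the commenter cookies when the `wp-comment-cookies-consent` field is submitted. The function name and the assumption that this lives in a child theme's functions.php are mine.

```php
<?php
/**
 * Added example: re-add the comment-form cookie consent checkbox if a theme
 * filtered it out. Assumed location: a child theme's functions.php.
 * Markup mirrors WordPress core (4.9.6+), which is what the comment handler
 * reads: without the 'wp-comment-cookies-consent' field, no cookies are set.
 */
add_filter( 'comment_form_default_fields', 'example_restore_cookie_consent_field', 99 );

function example_restore_cookie_consent_field( array $fields ): array {
    // Respect the Discussion setting: when the site owner has disabled the
    // opt-in, core sets no commenter cookies at all, so no checkbox is needed.
    if ( ! get_option( 'show_comments_cookies_opt_in' ) ) {
        return $fields;
    }

    // The theme kept the field; nothing to do.
    if ( isset( $fields['cookies'] ) ) {
        return $fields;
    }

    // Pre-check only for a returning commenter who already consented
    // (core uses the presence of the stored email the same way).
    $commenter = wp_get_current_commenter();
    $consent   = empty( $commenter['comment_author_email'] ) ? '' : ' checked="checked"';

    $fields['cookies'] = sprintf(
        '<p class="comment-form-cookies-consent">'
        . '<input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"%s /> '
        . '<label for="wp-comment-cookies-consent">%s</label></p>',
        $consent,
        esc_html__( 'Save my name, email, and website in this browser for the next time I comment.' )
    );

    return $fields;
}
```

This only helps when the theme removes the field through the same filter. A theme that passes its own `fields` array directly to `comment_form()` bypasses `comment_form_default_fields` entirely; in that case the `cookies` entry has to be added to that array in the theme's comments template.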

Data Export and Erase

These tools under "Export Personal Data" and "Erase Personal Data" in the WordPress dashboard allow users to download a copy of their WordPress data for portability per GDPR Article 20. They also allow erasing data per Article 17.


Having these user-facing data tools helps honor GDPR rights.
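The dashboard tools only cover data WordPress knows about (users, comments, media). A plugin that stores personal data elsewhere has to register itself with the exporter and eraser frameworks, or the site owner will fulfil Article 20 and Article 17 requests incompletely without noticing. The example below is added here and is not the article's or WordPress's own code; it assumes a hypothetical plugin that records newsletter signups in a custom table named `{$wpdb->prefix}example_signups` with the columns `id`, `email`, `ip_address`, `signed_up_at` and `legal_hold` (all constructed for this example). The `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters and the return-value shapes are WordPress's real API.

```php
<?php
/**
 * Added example (not WordPress core code): expose a plugin's own records to
 * Tools > Export Personal Data and Tools > Erase Personal Data.
 * Assumed table: {$wpdb->prefix}example_signups
 *   (id, email, ip_address, signed_up_at, legal_hold)
 */
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_signup_exporter' );
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_signup_eraser' );

function example_register_signup_exporter( array $exporters ): array {
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => __( 'Example newsletter signups' ),
        'callback'               => 'example_signup_exporter',
    );
    return $exporters;
}

function example_register_signup_eraser( array $erasers ): array {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => __( 'Example newsletter signups' ),
        'callback'             => 'example_signup_eraser',
    );
    return $erasers;
}

/**
 * Exporter. WordPress calls this with $page = 1, 2, ... until 'done' is true,
 * so large result sets are returned in batches instead of one huge query.
 */
function example_signup_exporter( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, ip_address, signed_up_at FROM {$wpdb->prefix}example_signups
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( (array) $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-signups',
            'group_label' => __( 'Newsletter signups' ),
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email' ),      'value' => $row->email ),
                array( 'name' => __( 'IP address' ), 'value' => $row->ip_address ),
                array( 'name' => __( 'Signed up' ),  'value' => $row->signed_up_at ),
            ),
        );
    }

    return array(
        'data' => $items,
        'done' => count( $items ) < $per_page, // a short page means this was the last one
    );
}

/**
 * Eraser. Delete what can be deleted and report, rather than silently skip,
 * anything that must stay. 'legal_hold' models a record retained under some
 * other legal obligation; the message is shown to the admin handling the request.
 */
function example_signup_eraser( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'example_signups';

    $retained = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE email = %s AND legal_hold = 1",
        $email_address
    ) );
    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s AND legal_hold = 0",
        $email_address
    ) );

    $messages = array();
    if ( $retained > 0 ) {
        $messages[] = sprintf(
            __( '%d signup record(s) were retained because they are under a legal hold.' ),
            $retained
        );
    }

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => $retained > 0,
        'messages'       => $messages,
        'done'           => true, // one DELETE covers all rows, so no paging is needed
    );
}
```

Once registered, the plugin's name appears in the export ZIP and in the erasure report next to the core groups, and the `items_retained` flag is how the site owner learns that a request was only partly fulfilled instead of assuming everything was deleted.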

Privacy Policy Generator

The built-in privacy policy generator helps you easily create a baseline privacy policy with recommended GDPR disclosures. You answer a series of questions and it auto-generates a policy.


The generator covers key details like data collection, usage, sharing, and user rights. You can further customize the policy with specifics for your site.

While these tools establish a good GDPR foundation, you likely need to take additional steps based on your specific site. Let’s explore some common examples.

Other Website Areas to Audit for GDPR Compliance

Though WordPress core provides helpful GDPR features, your particular site likely requires more review to achieve full compliance. Examples include:

Contact Forms

  • Add consent checkboxes and clear permission language
  • Disable unnecessary cookies and tracking
  • Ensure you have systems to honor data erasure requests
  • Use GDPR-compliant form plugins like WPForms

Analytics

  • Anonymize or omit unnecessary personal data collection
  • Add cookie consent notices as needed
  • Carefully vet analytics services for GDPR readiness
  • Use privacy-focused analytics like Simple Analytics

Email Marketing

  • Require double opt-in and document consent
  • Allow unsubscribes and data erasure requests
  • Review signup forms, flows, wording for consent best practices
  • Evaluate email providers based on GDPR compliance

Online Stores

  • Audit checkout processes, account registration, and data storage
  • Update privacy policies and terms and conditions
  • Assess tools like remarketing pixels for consent needs
  • Follow specialized ecommerce GDPR guides like WooCommerce

Social Media

  • Use GDPR-compliant plugins like Smash Balloon to embed feeds without excess tracking
  • Review usage of platforms like Facebook and Instagram for consent requirements

A GDPR compliance checklist can help methodically identify potential gaps across all areas of your site, business processes, and data systems. Here is a sample checklist:

Website Area | Audit Action Items | Status
Forms | Identify types of personal data collected; add consent checkboxes and language; disable unnecessary cookies | ☐ In progress
Email Lists | Document opt-in consent records; honor unsubscribe requests | ☐ Not started
Analytics | Review tracking technologies for compliance | ☐ In progress
Social Media | Evaluate consent needs for any embedded content | ☐ Completed

Best WordPress Plugins for GDPR Compliance

While no single plugin delivers 100% GDPR compliance, purpose-built plugins can help significantly in tackling common website needs and ar

Written by Jason Striegel

C/C++, Java, Python, and Linux developer for 18 years and A-Tech enthusiast who loves to share useful tech hacks.