When GDPR was implemented on the 25th of May in the year of 2018, people were in a panic. Most of them did not understand what to do to make their websites GDPR compliant. And a year has passed by and there are still websites that are not compliant with GDPR. It may not be easy to be fully compliant with GDPR, but it is important to take all the necessary steps towards compliance.
Even if you are not an EU citizen and your business is not based in the EU, you have to make your website comply with the law if you have an audience in the EU. Luckily for WordPress websites, there are a lot of plugins for GDPR compliance that can help get a head start with GDPR. But that’s not all. WordPress, as part of making its core software GDPR compliant, has brought in amazing features.
WordPress and GDPR Compliance
There are some additional features that WordPress has brought to make the core software GDPR compliant. The changes can be seen in WordPress version 4.9.6 and higher. For a simple WordPress website or blog, these features are enough to make the website comply with the EU Law. So, let’s take a look at the changes that WordPress has brought.
The Policy Generator
One of the key requirements of GDPR is transparency. This means the websites have to inform their users of their operations and data processing practices to the users. Most of the websites do this by adding a privacy policy on their website. Now, when you are creating a privacy policy for your website, certain things need to be taken care of. Mainly,
- The policy should detail all the data collection and processing in a simple and understandable language.
- The privacy policy of the website should be kept in an obvious and accessible place on the website.
So, to create a privacy policy for your website, WordPress now has a privacy policy generator. You can access it from the path Settings > Privacy on the WordPress dashboard.
If you already have a privacy policy page created for your website, then all you need to do is to set that page as the privacy policy. If you do not have a privacy policy page then you can click on generate new and then start working with the template.
The template provided has some of the common areas that you need to be answering for your privacy policy. Of course, some of them will not apply to you, and you may need to add some additional information. When working with the template, it is important to note that every website is different, so it is the responsibility of the website owner to make sure that the data written in the privacy policy is reflecting of the website, its operations, and data collection practices.
When you are done creating the privacy policy page and hit publish, the privacy policy page that you just created will be shown on the footer on every page of the website and on the login screen of the website. On the login page:
On the website footer:
Erase Personal Data and Export Personal Data
GDPR gives some rights to the users of the data that is collected, stored, and processed by the organizations. These are the following
- The right to be informed
- The right to object
- The right to restrict processing
- The right to data portability
- The right to be forgotten
- The right to access
- The right to rectification
- The rights in relation to automated decision making and profiling
Among these rights, the right to be informed is basically covered when you have a well-written privacy policy page that is easily accessible to the users. And informing the users of the cookies being used. (We will cover about cookie later in this article). Now, another important right of the user is the right to be forgotten, in which the websites will have to delete all personally identifiable data of a user when requested. When a user invokes this right, the websites are obliged to honor the right in certain circumstances.
In order for the users to be able to invoke the right, it would be convenient for both the users and the website owners to have a contact form on the website or contact information that the users can use to do invoke their right. After that, you, the admin of the website have received such a request, you can go to your WordPress dashboard, then go to Tools and then click on Erase personal data. As shown in the screenshot.
From the Erase personal data page, enter the ID of the user who has raised the request and hit Send request.
Important Note: When the personal data of a user is deleted from a website, it does not include any archives files or backups of the website. So, when restoring the website from backups or archive files, the users delete request should be respected. Also, the data deleted are the one that has been collected by WordPress and participating plugins. You may have to take extra caution to delete the personal data and comply with the requests.
The Next part is the Export personal data menu. This is useful to address the right to access personal information of the user. Similar to erase personal data, when a user raises a request to get access to their personal data, the admin of the website can enter the ID of the user the corresponding field in Export Personal data page. After the request is sent, the request will be pending for confirmation as shown in the screenshot.
After which the user will get a confirmation email. When the user has confirmed the request, the admin can honor the request and the user will be sent a link using which they export their personal data that has been stored on the website.
The Comment Cookie Opt-in Checkbox
WordPress uses cookies. Even if there are no additional plugins or third-party services used on your WordPress website, there will be cookies installed by the WordPress core software. There are two different cookies used in WordPress
1 – session cookies
2 – comment cookies
The session cookies are what enables you to log in to the site and keep logged in. These cookies do not store any personally identifiable data.
The comment cookies are used when a user comments on a post. In this case, the data entered in the comment box, including name and email ID, which are personally identifiable data, are stored in these cookies. This data is used to auto-fill the data, the next time the user decides to post a comment on a post.
There are two things to be taken care of here. First is informing about the usage of cookies and second is obtaining explicit consent for doing so. If the user does consent to the use of cookies, then the cookies must not be used and the data should not be collected. For informing the users of such cookies when they are posting the comment, all you need to is check the box that says, ‘Show comments cookies opt-in, allowing comment author cookies to be set’.
1 – You are checking if the box appears logged in as admin.
You need to check the website as a user to be able to check whether or not the checkbox is there. So log out or access your website from a private window and you will be able to see the checkbox.
2 – Your theme is not compatible with WordPress version 4.9.6, or there is something in the theme files that could be overriding the feature.
Now that you have an opt-in checkbox for comment cookies, these cookies will only be set if the commenter checks the checkbox, and submits the comment. If the checkbox is not checked, he/she will have to manually enter the details the next time he/she enters a comment. That’s all.
A Cookie Notice
Now the above is the case when there are no plugins installed, and there are no third-party services involved. Usually, the comment cookies are not the only cookies that need attention, are they? If there are plugins installed on a website and third-party cookies used, there is no escaping from the cookies.
So, in order to be compliant with GDPR, you need to display a cookie notice that shows up when the site loads. With GDPR you need to inform the users of the data collection at the point of data collection. Since most cookies are installed when at the time the site is loaded, and they can be sometimes crucial in the functioning of the website and you need prior consent from the user to be using them, you should display the cookie consent notice at the first load of the website to a user. Now, there are a lot of GDPR plugins that can help display a cookie notice bar on your WordPress website. Some of them are listed below.
- GDPR Cookie Consent
- GDPR Cookie Compliance
- WP GDPR Compliance
- Cookie Notice for GDPR
- EU Cookie Law (GDPR)
In this article, we will be using the GDPR Cookie Consent plugin to see how to display a cookie notification and get users’ consent for using them. First, activate and install the plugin on your WordPress website. Once activated, a cookie consent banner will be displayed on the front end of your website.
The default notification banner may not complement the theme of your website. So you will need to customize the banner according to your preferences. The plugin sure does provide a lot of customization options that can make the cookie banner look as though it is the part of your website. There are different layouts of the banner as well which you can choose from.
The next part is blocking the cookies prior to consent. Or in other words, only use the cookies when the user agreed to the usage of the cookies. GDPR together with ePrivacy Directive mandates that any non-necessary cookies of the website be used only if the user has agreed to use it. But in case of cookies that are absolutely essential for the website to function in a proper intended way, consent need not be taken.
So, you need to identify the cookies that are used by your website. You can either use your browser developer console or using any online tools like Cookiechecker, or CookieServe, etc. To find out what cookies are being used using your browser, all you need to do is go to the developer console and find the cookies being used from there. But in this case, it is important to check the cookies from an incognito window. This is because, when you use your regular browser, it must have cookies that have been installed from other websites as well. The following is a screenshot taken using the Chrome developer console.
After you have found out what cookies are being used on your website you have to find out what cookies are necessary for the functioning of the website and what cookies are not and which of them collect personally identifiable data from the visitors of the website. Now to block the third-party cookies of the website, what you need to do is remove the scripts from your website and add them to the non-necessary cookies section in the plugin. This will help the plugin to insert those scripts to the website only if the user of the website have given their explicit consent.
This is the basic functionality of the plugin. There are other features in the plugin as well that helps in complying with GDPR. Like generating a cookie policy, cookie audit table, etc.
Wrapping Up
Complying with GDPR sure does seem like a daunting task, but it sure should not be. Especially when you understand its requirements, and have the right tools with you, it can easily be done.