What is WordPress doing about GDPR

WordPress is hoping to have a GDPR compliance solution built into WordPress core and released before May 25th, when the General Data Protection Regulation comes into effect.

The GDPR tools they are going to provide need widespread adoption, and shipping them as plugins would not ensure that, so they are going into core.

Using hooks and filters in WordPress core, plugin developers will be able to declare where their plugins store personal data. WordPress core can then fetch this data and output it in the WP backend, helping WordPress administrators find, send and anonymise data on request from a user of their services, as the GDPR requires when a user asks for the data held about them.
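As an added example (not code from the article or from WordPress itself), this is how a hypothetical plugin that stores callback requests in an assumed custom table `{prefix}callback_requests` would declare its personal data to core. The two filter names are the ones WordPress 4.9.6 core added for this purpose; the table, column and `cbr_` function names are assumptions.

```php
<?php
// Added example, not from the article: a hypothetical plugin that stores
// callback requests in an assumed table `{prefix}callback_requests` registers
// a personal-data exporter and eraser with the filters 4.9.6 core provides.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['callback-requests'] = array(
        'exporter_friendly_name' => 'Callback Requests',
        'callback'               => 'cbr_export_personal_data',
    );
    return $exporters;
} );

// Core calls this with the data subject's e-mail address and bundles the items into the export.
function cbr_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'callback_requests';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, phone, created_at FROM {$table} WHERE email = %s", $email_address ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'callback-requests',
            'group_label' => 'Callback Requests',
            'item_id'     => 'callback-request-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row->name ),
                array( 'name' => 'Phone',     'value' => $row->phone ),
                array( 'name' => 'Requested', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['callback-requests'] = array(
        'eraser_friendly_name' => 'Callback Requests',
        'callback'             => 'cbr_erase_personal_data',
    );
    return $erasers;
} );

// Anonymise in place instead of deleting, so the record stays usable for
// accounting without identifying anyone.
function cbr_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $updated = $wpdb->update( $wpdb->prefix . 'callback_requests',
        array( 'name' => '[deleted]', 'phone' => '', 'email' => wp_privacy_anonymize_data( 'email' ) ),
        array( 'email' => $email_address ) );
    return array( 'items_removed' => (bool) $updated, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once registered, the plugin's data appears under Tools in the WP backend alongside the data core already knows about, so an administrator can fulfil an export or erasure request from one place.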

They are hoping to have this first integration ready in time for the 25th of May 2018 with the next WP release. As I write this, a second release candidate package for 4.9.6 has been released and is now available for testing.

In the meantime here’s what you need to be doing as a website owner to comply

Detect and list cookies in use on website

There are a number of cookie detection services out there, but they can be expensive. Some of them you sign up for on a monthly subscription and they will monitor the site for changes in cookies, but we have found these can be problematic. For example, when using a caching plugin on your site (which is usually advisable), crawling the site returns zero cookies in use until you turn off the cache plugin and test again. So you need to know what you are doing: if you want to keep your cache plugin enabled, the cookie crawler may not pick up any changes to cookies, just as it didn't pick them up in the first place.

One option we found that requires some work on your part, but does give a list of cookies in use based on a recording of a visitor session (with you acting as the visitor), is a free software offering from Attacat. It's a Google Chrome extension and they give instructions on their website on how to use it: https://www.attacat.co.uk/resources/cookies/

Up to date Cookie Policy

Once you have detected what cookies are in use on your site, you need to list them in your cookie policy.

Install Cookie Consent Plugin

Here is an article on free WordPress plugins: https://smallenvelop.com/cookie-notice-wordpress-plugins/ We find WeePie Cookie Allow to be the best at the moment, as it allows us to present a choice to accept or decline from the moment a visitor arrives on the site, and it gives the option to reset their choice at any time with a Reset Button. It's the one we use on wpconsult.ie: https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528

Up to date Privacy policy

This is something that is definitely required under GDPR, as you need to explain to users how you store their data, how you will use it and for how long you will hold on to it. Here is an article with some privacy policy generators: https://digital.com/blog/best-privacy-policy-generators/

We find https://getterms.io/ very good; they have a Basic, a Custom and a Comprehensive package.

WordPress say they will bring a tool into core that can help generate a privacy policy for you based on the functionality of your website. In the meantime, try some of the above.

Install SSL Security Certificate to protect user privacy

In some cases this is something that will be available for free from your web hosting provider. We use Siteground and it's available to us. By the way, Siteground are fantastic!

Online Contact Form tick to consent option

This will be required, even for contact/query forms. While I know it should be obvious to anyone filling in a contact form to request a callback that they are giving you permission to hold their information in order to call them back, you will still have to ask for consent. So, create a checkbox in your form that they must tick, and it can't be one that is already ticked in advance.
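An added example (not from the article) of that checkbox done properly in a WordPress theme or plugin: the box is never pre-ticked, the server refuses submissions where it was not ticked, and the consent wording and time are stored with the request. The `cf_` names are assumptions, and the `callback_request` post type is assumed to be registered elsewhere.

```php
<?php
// Added example, not from the article: a minimal contact form whose consent box
// is never pre-ticked, is re-checked on the server, and is recorded with a
// timestamp. The 'cf_' names and the 'callback_request' post type are assumed.
function cf_render_form() {
    // No `checked` attribute: the visitor must tick the box themselves.
    return '<form method="post">'
        . wp_nonce_field( 'cf_submit', 'cf_nonce', true, false )
        . '<input type="email" name="cf_email" required> '
        . '<label><input type="checkbox" name="cf_consent" value="1"> '
        . 'I consent to you storing these details so you can call me back.</label> '
        . '<button type="submit" name="cf_submit" value="1">Send</button></form>';
}
add_shortcode( 'contact_consent_form', 'cf_render_form' );

// Validate on the server: a "required" attribute on a checkbox is not enforced by the browser alone.
function cf_handle_submit() {
    if ( empty( $_POST['cf_submit'] ) ) {
        return;
    }
    if ( empty( $_POST['cf_nonce'] ) || ! wp_verify_nonce( $_POST['cf_nonce'], 'cf_submit' ) ) {
        wp_die( 'Invalid request.' );
    }
    // Consent must be an affirmative action: only an explicit "1" counts.
    if ( ! isset( $_POST['cf_consent'] ) || '1' !== $_POST['cf_consent'] ) {
        wp_die( 'Please tick the consent box before sending.' );
    }
    $email = sanitize_email( wp_unslash( $_POST['cf_email'] ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid e-mail address.' );
    }
    // Store the request privately together with what was agreed to and when,
    // so the consent can be evidenced (and later exported or erased) per e-mail address.
    $id = wp_insert_post( array(
        'post_type'   => 'callback_request',
        'post_status' => 'private',
        'post_title'  => 'Callback request',
    ) );
    update_post_meta( $id, 'email', $email );
    update_post_meta( $id, 'consent_text', 'I consent to you storing these details so you can call me back.' );
    update_post_meta( $id, 'consent_given_at', current_time( 'mysql', true ) );
    wp_safe_redirect( add_query_arg( 'sent', '1' ) );
    exit;
}
add_action( 'init', 'cf_handle_submit' );
```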

Install Security Plugin to monitor for potential data breach

You will be required to inform users of a data breach within 72 hours of becoming aware of it, and you will also have to show that you took reasonable precautions to protect their information. From a WordPress perspective, that means using a security plugin to monitor for possible hacks or breaches.

WordPress Website Cookie Policy Compliance for GDPR

On May 25th 2018 the EU GDPR comes into effect.

Cookie Notices Must Change to Comply with GDPR

What does GDPR say about cookies?

Is your website GDPR compliant?

The EU's General Data Protection Regulation requires companies to protect the privacy of their EU customers. This means you must notify visitors to your website if you are collecting any information that could identify them, and give them a clear option to give or withhold consent.

Personally identifiable information (PII) is any data that can be used to identify a specific individual. While your website may not seem to be collecting enough information to identify a real person, third parties collating information could combine what you collect with other data to complete a PII profile. Therefore you must let visitors know of any data you are collecting about them.

Before the new regulations it was enough just to inform visitors that cookies are in use on the website; that is no longer the case.

Article 7(3):
"The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent."

The data subject being referred to here is the person behind the PII.

‘affirmative action’ step used on this website

Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous, even if they do not directly identify an individual, will be personal data if there is potential for an individual to be identified or singled out.  Any persistent cookie that is unique to the device by virtue of its attributes or stored values fits the criteria for personal data.  That means most cookies, and certainly the most useful ones for site owners. This is the basis for cookie consent being about GDPR compliance now, as well as the existing cookie laws.

Implied consent will no longer constitute compliance. The GDPR requires the user to make an ‘affirmative action’ to show that their consent has been given. This means that from the beginning of their visit to your website they must be informed that cookies are in use and be given the option to proceed to view the website with, or without cookies.

It also won't be OK to say 'By using this site, you accept cookies'. If there is no valid choice, then there is no valid consent.

The ability to withdraw consent that has already been given is also a requirement. So, just as there is an "I Accept" button to click in order to give consent, there must also be one that allows the user to reset their consent if they gave it earlier. The image below is of the Cookie Reset Button in the footer of this website.
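As an added example (not the article's own code, nor the WeePie plugin's), this is the accept, decline and reset logic described above in plain WordPress PHP: non-essential cookies are only set once the visitor has clicked "I Accept", and the footer reset link expires the consent record together with the cookies set under it. The cookie names, the `cc_action` parameter and the `cc_` function names are assumptions.

```php
<?php
// Added example, not from the article: non-essential cookies are set only after
// an explicit "I Accept", and a reset link withdraws that consent as easily as
// it was given. Cookie names, the cc_action parameter and 'cc_' names are assumed.
const CC_COOKIE = 'cookie_consent';

function cc_choice() {
    return isset( $_COOKIE[ CC_COOKIE ] ) ? $_COOKIE[ CC_COOKIE ] : '';
}

// Runs on init, before any output, so Set-Cookie headers can still be sent.
function cc_handle_choice() {
    if ( ! isset( $_GET['cc_action'] ) ) {
        return;
    }
    $secure = is_ssl();
    if ( in_array( $_GET['cc_action'], array( 'accept', 'decline' ), true ) ) {
        // Record the visitor's own choice; "decline" keeps the site usable without cookies.
        setcookie( CC_COOKIE, 'accept' === $_GET['cc_action'] ? 'accepted' : 'declined',
            time() + YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
    } elseif ( 'reset' === $_GET['cc_action'] ) {
        // Withdrawal: expire the consent record and every non-essential cookie set under it.
        foreach ( array( CC_COOKIE, 'site_analytics' ) as $name ) {
            setcookie( $name, '', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
        }
    }
    wp_safe_redirect( remove_query_arg( 'cc_action' ) );
    exit;
}
add_action( 'init', 'cc_handle_choice' );

// The analytics cookie (a stand-in for any non-essential cookie) needs prior consent.
function cc_set_analytics_cookie() {
    if ( 'accepted' === cc_choice() && empty( $_COOKIE['site_analytics'] ) ) {
        setcookie( 'site_analytics', wp_generate_uuid4(), 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    }
}
add_action( 'init', 'cc_set_analytics_cookie', 20 );

// Banner until a choice is made; afterwards the reset link is always present in the footer.
function cc_footer() {
    if ( '' === cc_choice() ) {
        printf( '<div class="cc-banner">This site uses cookies. <a href="%s">I Accept</a> <a href="%s">Decline</a></div>',
            esc_url( add_query_arg( 'cc_action', 'accept' ) ), esc_url( add_query_arg( 'cc_action', 'decline' ) ) );
    } else {
        printf( '<a class="cc-reset" href="%s">Reset cookie consent</a>', esc_url( add_query_arg( 'cc_action', 'reset' ) ) );
    }
}
add_action( 'wp_footer', 'cc_footer' );
```

Note that a page cache, as discussed earlier on this page, will serve the same footer to every visitor, so the banner and reset link should be rendered client-side or excluded from caching on a cached site.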