The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know


This is a concise, simple explanation of GDPR brought to you by Syed Balkhi and his Editorial Staff of WordPress experts.

 

Are you confused by GDPR, and how it will impact your WordPress site? GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We have received dozens of emails from users asking us to explain GDPR in plain English and share tips on how to make your WordPress site GDPR compliant. In this article, we will explain everything you need to know about GDPR and WordPress (without the complex legal stuff).

 

Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.


What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law adopted in 2016 that becomes enforceable on May 25, 2018. Its goal is to give people in the EU control over their personal data and to change how organizations around the world approach data privacy.


You have likely received dozens of emails from companies like Google about GDPR, their updated privacy policies, and a bunch of other legal notices. That is because the EU has attached hefty penalties to non-compliance.


After May 25, 2018, businesses that do not comply with GDPR's requirements can face fines of up to 4% of annual global turnover OR €20 million (whichever is greater). That is enough to cause widespread panic among businesses around the world.

This brings us to the big question that you might be thinking about:

Does GDPR apply to my WordPress site?

The answer is very likely YES. GDPR is not limited to businesses in the European Union: it applies to any organization, large or small, anywhere in the world that offers goods or services to people in the EU or monitors their behaviour (Article 3).

If your website has visitors from EU countries and you collect data about them, whether through a contact form, an email list, or analytics and advertising cookies, then this law applies to you.

But don’t panic, this isn’t the end of the world.

While GDPR allows fines to escalate to those high levels, supervisory authorities have a graduated set of corrective powers: a warning, then a reprimand, then an order to limit or suspend data processing, and only for continued violations the large fines.


The EU isn't some evil government that is out to get you. Its goal is to protect consumers, average people like you and me, from reckless handling of data and from breaches, because the situation is getting out of control.

In our opinion, the maximum fine is largely there to get the attention of large companies like Facebook and Google so that the regulation is NOT ignored. It also pushes companies to put real emphasis on protecting people's rights.

Once you understand what GDPR requires and the spirit of the law, you will realize that none of this is too crazy. We will also share tools and tips to make your WordPress site GDPR compliant.

What is required under GDPR?

The goal of GDPR is to protect individuals' personal data and hold businesses to a higher standard in how they collect, store, and use it. Note that "personal data" under GDPR is broader than the US notion of personally identifiable information (PII): it is any information relating to an identified or identifiable person.

Personal data includes names, email addresses, physical addresses, IP addresses, health information, income, and so on.


While the GDPR text runs to 99 articles and 173 recitals, here are the most important pillars you need to know:

Explicit Consent – if you rely on consent to collect personal data from someone in the EU, that consent must be freely given, specific, informed, and unambiguous. In other words, you can't just send marketing emails to people who gave you their business card or filled out your website contact form, because they DID NOT opt in to your newsletter (that's called SPAM by the way, and you shouldn't be doing it anyway).

For consent to be valid, you must require a positive opt-in (i.e. no pre-ticked checkboxes), use clear wording (no legalese), keep it separate from other terms and conditions, and make it as easy to withdraw as it was to give.

Rights to Data – you must tell individuals where, why, and how their data is processed and stored. Individuals have the right to access and download their personal data (the rights of access and portability) and the right to erasure, better known as the right to be forgotten, meaning they can ask for their data to be deleted.

This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.

Breach Notification – organizations must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. If a breach is likely to pose a high risk to the people affected, the organization MUST also inform those individuals without undue delay.

This will hopefully prevent cover-ups like Yahoo's, whose breaches were not disclosed until the company was being acquired.

Data Protection Officers – if you are a public authority or body, or your core activities involve large-scale regular monitoring of individuals or large-scale processing of sensitive data, then you must appoint a data protection officer. A small business running a blog or a store does not normally need one. Consult an attorney if you're in doubt.


To put it in plain English, GDPR makes sure that businesses can't go around spamming people with emails they didn't ask for. Businesses can't sell people's data without their explicit consent (good luck getting that consent). Businesses have to delete users' accounts and unsubscribe them from email lists when asked. Businesses have to report data breaches and, overall, be better about data protection.

Sounds pretty good, in theory at least.

Ok so now you are probably wondering what do you need to do to make sure that your WordPress site is GDPR compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, as far as the core software goes. WordPress 4.9.6 added several privacy features to core that are designed to help site owners meet GDPR's requirements. It's important to note that when we talk about WordPress, we're talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).

Having said that, due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok, so you might be thinking what does this mean in plain English?

Well, by default WordPress 4.9.6 now comes with the following GDPR enhancement tools:

Comments Consent


By default, WordPress used to store the commenter's name, email address, and website in cookies in the visitor's browser. This made it easier for people to comment on their favorite blogs because those fields were pre-populated the next time.

Because of GDPR's consent requirement, WordPress now shows a consent checkbox under the comment form. A visitor can still comment without ticking it; they will just have to enter their name, email, and website manually each time they leave a comment.

Data Export and Erase Feature


WordPress now gives site owners tools to honor users' requests to export their personal data and to erase it, as GDPR's data-handling rules require. Both tools work through email confirmation: you enter the requester's email address, WordPress sends them a confirmation link, and once they confirm you can generate the export (a downloadable archive) or carry out the erasure.

The data handling features can be found under the Tools menu inside WordPress admin.

Privacy Policy Generator


WordPress now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and guidance on what else to add, so you can be transparent with users about what data you store and how you handle it.

These three features cover the core obligations of a default WordPress blog. However, it is very likely that your website has additional features (plugins, forms, analytics) that also need to be brought into compliance.

Areas on Your Website that are Impacted by GDPR

As a website owner, you are probably using WordPress plugins that store or process personal data: contact forms, analytics, email marketing, online stores, membership sites, and so on.

Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:

Google Analytics

Like most website owners, you're probably using Google Analytics for site statistics. That means you may be collecting or tracking personal data such as IP addresses, user IDs, cookies, and other data used for behavioral profiling. To move toward compliance, you need to do at least one of the following (and ideally both):

  1. Anonymize the data before it is stored and processed (for example, truncate visitors' IP addresses).
  2. Add a cookie notice overlay to the site that tells visitors about tracking cookies and asks for their consent before any tracking starts.

Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.

They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read if you’re using Google Analytics on your site).
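Here is what the consent-gated, anonymized setup looks like when done by hand. This is an added example written for this page, not code from the article, from MonsterInsights, or from Google. It assumes that your cookie banner records the visitor's choice in a cookie named cookie_notice_accepted (an assumption; check what your own banner sets) and it uses a placeholder property ID. The two gtag settings it applies, anonymize_ip and allow_ad_personalization_signals, are documented gtag.js options.

```javascript
// Added example: consent-gated, IP-anonymised Google Analytics loader.
// Assumptions (not from the article): the cookie banner stores acceptance in a
// cookie named "cookie_notice_accepted" with value "true", and the property ID
// below is a placeholder, not a real Google Analytics property.

const CONSENT_COOKIE = 'cookie_notice_accepted';
const GA_PROPERTY = 'UA-00000000-1';

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Consent exists only when the visitor has actively accepted; absence of the
// cookie, or any value other than "true", means no tracking.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'true';
}

// gtag.js settings: anonymize_ip makes Google truncate the visitor's IP before
// storing it; allow_ad_personalization_signals=false disables ad-personalisation data.
function analyticsConfig() {
  return { anonymize_ip: true, allow_ad_personalization_signals: false };
}

// Inject the gtag.js script and queue the config commands, but only after consent.
// `win` and `doc` are passed in (instead of using the window/document globals) so the
// gate can be exercised outside a browser. Returns the dataLayer queue, or null
// when nothing was loaded.
function loadAnalytics(win, doc, propertyId = GA_PROPERTY) {
  if (!hasConsent(doc.cookie)) {
    return null; // no consent: no script tag, no _ga cookie, no hit sent
  }
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(propertyId);
  doc.head.appendChild(script);

  // Standard gtag bootstrap: commands queue in dataLayer until gtag.js has loaded.
  win.dataLayer = win.dataLayer || [];
  const gtag = function () { win.dataLayer.push(arguments); };
  gtag('js', new Date());
  gtag('config', propertyId, analyticsConfig());
  return win.dataLayer;
}

// Minimal stand-in for a browser so the gate can be run here. In a real page you
// would simply call loadAnalytics(window, document).
function fakeBrowser(cookieString) {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    win: {},
    doc: { cookie: cookieString, head, createElement: (tag) => ({ tagName: tag }) },
  };
}

// Demonstration on constructed cookie strings.
const before = fakeBrowser('wordpress_test_cookie=WP+Cookie+check');
console.log('without consent, queued commands:', loadAnalytics(before.win, before.doc));
const after = fakeBrowser('cookie_notice_accepted=true');
console.log('with consent, queued commands:', loadAnalytics(after.win, after.doc).length);
```

In a live page, call loadAnalytics(window, document) both on page load and from the banner's "accept" handler; until the cookie is set nothing is injected, so Google never sees the visitor and no _ga cookie is written. The fakeBrowser helper exists only so the gate can be tested without a browser.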


Contact Forms

If you are using a contact form in WordPress, then you may have to add extra transparency measures especially if you’re storing the form entries or using the data for marketing purposes.

Below are the things you might want to consider for making your WordPress forms GDPR compliant:

  • Get explicit consent from users to store their information.
  • Get explicit consent from users if you are planning to use their data for marketing purposes (i.e. adding them to your email list).
  • Disable cookies, user-agent, and IP tracking for forms.
  • Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
  • Comply with data-deletion requests.
  • Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.

The good part is that if you're using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc., then you don't need a Data Processing Agreement with the plugin vendor, because these plugins DO NOT store your form entries on their servers. Your form entries stay in your own WordPress database. (Any third-party service the form hands data to, such as an email marketing provider, is a different matter and still needs one.)

Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.

WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.


Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.

This can be done with either:

  1. Adding a consent checkbox that the user must tick before opting in
  2. Requiring double opt-in for your email list (the subscriber confirms through a link sent by email)

Top lead-generation solutions like OptinMonster have added GDPR consent checkboxes and other necessary features to help make your email opt-in forms compliant. You can read more about GDPR strategies for marketers on the OptinMonster blog.

WooCommerce / Ecommerce

If you’re using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with GDPR.

The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.

Retargeting Ads

If your website runs retargeting pixels or retargeting ads, then you will need to get users' consent before those pixels fire. You can do this with a plugin like Cookie Notice.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for facilitating GDPR compliance:

  • MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon.
  • WPForms – by far the most user-friendly WordPress contact form plugin. They offer GDPR fields and other features.
  • Cookie Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
  • Delete Me – a free plugin that lets users delete their own accounts on your site.
  • OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while staying GDPR compliant.
  • Shared Counts – instead of loading the default social share buttons, which set tracking cookies, this plugin loads static share buttons while still displaying share counts.

We will continue to monitor the plugin ecosystem to see whether any other WordPress plugin stands out and offers substantial GDPR compliance features.

Final Thoughts

Whether you're ready or not, GDPR goes into effect on May 25, 2018. If your website is not compliant by then, don't panic. Keep working toward compliance and get it done as soon as possible.

The likelihood of a fine the day after the rule goes into effect is close to zero: the EU's own guidance describes a graduated process in which a warning comes first, then a reprimand, with fines reserved for those who fail to comply and knowingly ignore the law.

The EU is not out to get you. It is doing this to protect users' data and restore people's trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches at large companies, it's important that standards like these are adopted globally.

It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.

We hope this article helped you learn about WordPress and GDPR compliance. We will do our best to keep it updated as more information or tools get released.


Legal Disclaimer / Disclosure

We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

WPBeginner founder, Syed Balkhi, is also the co-founder of OptinMonster, WPForms, and MonsterInsights.

Is Your Website ADA Compliant?


Are you aware of the regulations around Section 508 (of the Rehabilitation Act) and the Americans with Disabilities Act (ADA), and the impact they have on your business website?

Poorly designed websites can create unnecessary barriers for people with disabilities, just as poorly designed buildings prevent some people with disabilities from entering. Access problems often occur because website designers mistakenly assume that everyone sees and accesses a webpage in the same way. This mistaken assumption can frustrate assistive technologies and their users. Accessible website design recognizes these differences and does not require people to see, hear, or use a standard mouse in order to access the information and services provided.

The start of a website lawsuit trend?

Winn-Dixie recently faced, and lost, an ADA compliance lawsuit over its website, and it made for some sensational headlines. Website accessibility is a hot topic right now, so every case that goes against a business is bound to produce more of them. But should you actually be worried? In short: maybe.

So let’s try and make ADA compliance, who needs to be worried, and what you can do about it as simple to understand as possible. Full disclosure — I am not your lawyer, and nothing in here is legal advice.

What Does ADA Compliance Mean?

ADA is short for the Americans with Disabilities Act, which became law in 1990. It prohibits discrimination against individuals with disabilities in all areas of public life. The 15-employee threshold that is often cited belongs to Title I (employment); Title III, which covers private businesses open to the public, has no minimum headcount.

In January 2018, the refreshed Section 508 standards take effect: federal agencies' websites must meet WCAG 2.0 at the AA level. We'll get into what that means a little later.

Why Is ADA Compliance Suddenly a Bigger Deal?

Legal precedent is changing, and ADA compliance related lawsuits are becoming more successful, and the courts are seeing more of them as a result. Title III of the Americans with Disabilities Act pertains to private sector businesses. Lately, those protections are more frequently expanding into digital territory as web and mobile applications become more necessary in our day-to-day lives.

Who Needs To Be Compliant?

The general consensus right now is that any business considered a “public accommodation” should have an ADA compliant web presence.

“Public accommodation” could apply to most things depending on who is making the interpretation. Generally, however, this would refer to B2C, retail, or any business the general public should be able to use, understand and access easily.

The judgment against Winn-Dixie turned on the court's finding that the website was heavily integrated with the physical store presence. Features such as publishing the weekly ad on the website may have contributed to that finding.

What Do I Need To Do To Be Compliant?

Why, that's simple: just meet all 61 success criteria laid out in WCAG 2.0 at the AA (or AAA) level!

Sound scary? It’s not as bad as it seems. Your site probably already meets many of these rules and will not take a web developer very long to bring it up to par. However, there are some items that are much more difficult to fix, depending on the situation.

  • Text must meet a minimum contrast ratio against its background (4.5:1 for normal text at level AA), which can significantly affect your design.
  • Your site must be fully navigable by keyboard alone. This usually means adding skip-navigation links and making sure every interactive element is focusable in a sensible order; reaching for manual tabindex values everywhere is usually a sign that the markup order itself needs fixing.
  • Your site should be usable with screen reader software. This can be difficult to test and can involve some arduous fixes similar to those needed for keyboard navigation.
  • Your site must handle text scaling up to 200% without loss of content or functionality, such as horizontal scrolling or broken layouts. Once again, this may be harder to fix in complex designs.

How Do I Check All Of This?

A variety of software can be used to test for ADA compliance.

  • WAVE is a good start, but can produce a lot of false positives, particularly for contrast ratio issues.
  • Lighthouse from Google Developers can generate a report of potential issues.
  • Manual testing of contrast ratios with a contrast ratio calculator.
  • Manual testing with screen reader software.
  • Manual testing with keyboard-only navigation.
  • Job Access With Speech (JAWS) is the most popular screen reader used by blind users. A free trial is available for testing.
  • A "Web Accessibility" plugin is available for WordPress.

The automated tools will catch a lot of the simple issues, but manual testing is often still going to be required for nearly all websites if you want to ensure you are meeting requirements.

Hopefully, this sheds a little light on the situation and what it means for your business. Or, if you’re a web developer, how to be proactive to help your clients.

(Excerpted from Hackernoon)

The Top 5 Reasons Why You Need To Deploy New-school Security Awareness Training In 2018

Excerpted from CyberheistNews Vol 7 #50

2017 was a dumpster fire of privacy and security screw-ups.

To start 2018 with a simple, effective, IT security strategy is an excellent New Year’s resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent… hands-down.

This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.

Here are the Top 5 reasons…

  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018 when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
  4. Legally you are required to act “reasonably” and take “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today’s social engineering risks and “scale security measures to reflect the threat”. Don’t trust me, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don’t even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
  5. Board members’ No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target’s CEO and CISO are just an example. Help your CEO to keep their job.

Former US CISO on Why Awareness Training Is Priority Number 1:

In an information technology environment where personnel are on the cyber front line at work and also at the house, the key to ensuring security is still awareness training, says former U.S. CISO Gregory Touhill, who was the Air Force General responsible for Cyber Training before he became the first US CISO.

“A congressman asked me when I took my post as the first federal CISO: ‘If I gave you an extra dollar, how would you spend it on cybersecurity?’ And I told him I would spend it on better training my people. I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk,” Touhill says in an interview with Information Security Media Group.

Training at All Levels

Touhill calls for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies.

“Board and C-suite officers are increasingly large targets for whale phishing,” Touhill says. “Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”

Touhill discusses:

  • The effectiveness of techniques such as gamification;
  • Why he believes one-and-done annual training fails;
  • Continuous phishing training;
  • His recommendations for improving training in 2018.

Touhill is now president of the Cyxtera Federal Group and teaches cybersecurity and risk management for the CISO certification program at Carnegie Mellon University’s Heinz College.

Scam of the Week: New Massive Data Breach Poses Major Threat

Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?

100 to 1 you have never heard of them, but chances are good that they have heard of you. Alteryx is a data analytics company that makes its money by repackaging data collected from different sources. It became the latest reminder of how much data little-known companies have collected on us, and how little oversight there is of the security of that data.

Companies You’ve Never Heard of Are Exposing Your Personal Data

Earlier this week, an analyst from the security firm UpGuard disclosed that Alteryx had not properly protected detailed information it had collected on 123 million U.S. households (all told, there are about 126 million American households, according to the Census Bureau).

This data leak was discovered by a researcher, and not (we hope) by a criminal. But the leak affects about as many people as the massive hack Equifax reported in September, which affected 145.5 million Americans, or nearly every adult.

Another Leaky AWS Bucket

The data had been left in an Amazon Web Services S3 storage bucket whose access control list granted read access to the "Authenticated Users" group, which in S3 means anyone holding any AWS account, not just users in the bucket owner's organization. After being informed of the exposure, Alteryx secured the bucket, but the data had been available to identity thieves and scammers for a considerable period of time.
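The misconfiguration class behind this leak, an ACL grant to one of S3's global groups, is easy to check for. The script below is an added example, not code from UpGuard, Alteryx, or Amazon; the ACL it inspects is constructed sample data in the shape returned by `aws s3api get-bucket-acl`, and the severity labels are a scheme of our own.

```javascript
// Added example: flag S3 bucket ACL grants that expose a bucket to the world or to
// "any AWS account". The sample ACL is constructed, not taken from the Alteryx case.

// Amazon's predefined global groups. AllUsers = anyone on the internet, no credentials
// needed; AuthenticatedUsers = any AWS account holder anywhere (NOT just your own accounts).
const PUBLIC_GROUPS = {
  'http://acs.amazonaws.com/groups/global/AllUsers': 'anyone (unauthenticated)',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers': 'any AWS account holder',
};

// Constructed sample ACL in the get-bucket-acl output shape: the owner has full
// control, and the bucket also grants READ to AuthenticatedUsers (the bad grant).
const SAMPLE_ACL = {
  Owner: { ID: 'owner-canonical-id-0000' },
  Grants: [
    { Grantee: { Type: 'CanonicalUser', ID: 'owner-canonical-id-0000' }, Permission: 'FULL_CONTROL' },
    { Grantee: { Type: 'Group', URI: 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' }, Permission: 'READ' },
    { Grantee: { Type: 'Group', URI: 'http://acs.amazonaws.com/groups/s3/LogDelivery' }, Permission: 'WRITE' },
  ],
};

// One finding per grant that gives a global group any permission. On a bucket,
// READ lists the keys (the first step in downloading everything), READ_ACP reveals
// the ACL, WRITE lets outsiders upload or delete objects, FULL_CONTROL is all of it.
// Severity scheme is ours: read-type grants "high", write or full control "critical".
function findPublicGrants(acl) {
  const findings = [];
  for (const grant of acl.Grants || []) {
    const grantee = grant.Grantee || {};
    if (grantee.Type !== 'Group') continue;
    const who = PUBLIC_GROUPS[grantee.URI];
    if (!who) continue; // e.g. the LogDelivery group is not a public group
    const readOnly = grant.Permission === 'READ' || grant.Permission === 'READ_ACP';
    findings.push({ permission: grant.Permission, grantee: who, severity: readOnly ? 'high' : 'critical' });
  }
  return findings;
}

// Human-readable summary for a report or alert, one line per finding.
function summarize(bucketName, acl) {
  const findings = findPublicGrants(acl);
  if (findings.length === 0) return `${bucketName}: no global grants`;
  return findings
    .map((f) => `${bucketName}: ${f.permission} granted to ${f.grantee} [${f.severity}]`)
    .join('\n');
}

console.log(summarize('example-analytics-bucket', SAMPLE_ACL));
```

To run it against a real bucket, feed the JSON from `aws s3api get-bucket-acl --bucket NAME` to findPublicGrants. Note that the ACL is only one of the ways a bucket can be opened up: a bucket policy can grant the same access with no ACL entry at all, so a full audit checks both.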

Alteryx and the credit reporting agency Experian, which was the source of the data, both downplayed the risk of identity theft because no names were included in the exposed data. That response is PR and disingenuous: the data set held 248 fields for every household, which are easy to link back to names.

This is just another example of the lack of important laws in the United States protecting people from data aggregators’ negligence and requiring these companies to employ security measures to protect our personal data. Many other countries require such measures by law, the new European GDPR is an excellent example.

What to Do About It

I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:

“There is another major data breach that covers pretty much every living adult in the United States. At this point you have to assume that cyber criminals have highly personal information that they can use to trick you. You need to watch out for the following things:

  • Phishing emails that claim to be from your financial institution where you can “check if your data was compromised”
  • Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
  • Calls from scammers that claim they are from your bank or credit union
  • Fraudulent charges on any credit card because your identity was stolen

Here are 5 things you can do to prevent identity theft:

  1. First sign up for credit monitoring – dozens of companies do that.
  2. Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis:
    http://consumersunion.org/research/security-freeze/
  3. Check your credit reports via the free annualcreditreport.com
  4. Check your bank and credit card statements for any unauthorized activity
  5. If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself:
    www.idtheftcenter.org.

Quotes of the Week

“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest.” – Confucius

“Wisdom comes from experience. Experience is often a result of lack of wisdom.” – Terry Pratchett

“Here is an example of a young man gaining wisdom by experience. LOL:”
http://mashable.com/2017/12/22/man-fails-slide-london-tube-escalator/#leLSSc2WJqqR

 
