GDPR (the General Data Protection Regulation) applies from May 25th, 2018, and with it come a few new rules most websites should follow even if they aren't based in the EU. So if you haven't already prepped your website, here's our quick and easy guide on how to make your WordPress site GDPR compliant in 5 steps.
We'll cover key points to help get you on your way to compliance, and fast. Why the rush? By choosing not to comply, your business could face fines of up to €20 million or 4% of your annual global turnover, whichever is higher (yikes). While the higher end of that range is likely aimed at giants such as Amazon and Facebook, we always recommend playing by the rules. So here's how you can have your WordPress site GDPR compliant asap.
IMPORTANT: We are not lawyers, we are simply sharing information about GDPR compliance and some of the steps we’ve used while updating our own website. Following the steps below does not guarantee you fully comply with GDPR requirements. Please consult a lawyer or GDPR consultant to be sure your website is in full compliance.
Table of Contents
- Update to WordPress 4.9.6 (or higher)
- Add a Cookie Notice
- Make it Easy for Users to Request/Delete Their Info
- Notifications for Policy Updates or Data Breach
Step 1: Update to WordPress 4.9.6 (or higher)
This is the easy step, since WordPress 4.9.6 added a lot of built-in privacy tooling to WordPress core. Just by updating your core WordPress installation (which you should already be doing) you're already setting yourself up for GDPR compliance success. There is a full laundry list of privacy features WordPress added in this update, but as far as GDPR compliance is concerned, here are a few key features you should check out.
Comments Cookie Opt-in
By default WordPress stores a cookie with a commenter's name, email and website so they don't have to retype that information the next time they leave a comment. As of 4.9.6 the comment form automatically includes an opt-in checkbox, and the cookie is only set when the visitor ticks it. You don't have to do anything except maybe style it if you don't love how it looks; the checkbox can be switched off under Settings > Discussion ("Show comments cookies opt-in checkbox"). Note: you won't see this one on the WPExplorer blog since we disabled it. We don't feel it's necessary to store that information in your browser, so we chose to get rid of that cookie entirely.
Data Export and Erase
Under Tools there are two new items: Export Personal Data and Erase Personal Data. If your site collects user information (via subscriber accounts, customer profiles, etc.) you can quickly export a user's information or erase it from your database at their request. Both tools work by email address: WordPress sends the person a confirmation link, and once they confirm you can run the export or erasure from the admin. One caveat: out of the box these tools only know about data WordPress core stores (user profiles, comments, media). Data that plugins keep in their own tables is only included if the plugin registers an exporter and eraser with WordPress, so check that the plugins handling personal data on your site have been updated to do so.
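As an added example (this is not code from the original post or from WordPress core), here is how a plugin makes its own data visible to Tools > Export Personal Data and Tools > Erase Personal Data. It uses the two filters WordPress 4.9.6 introduced for this, wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers. The table name wp_newsletter_signups, its columns and the "example_" function names are assumptions for the sake of the illustration.

```php
<?php
/**
 * Added example: register a personal data exporter and eraser so that the
 * core privacy tools also cover data a plugin stores outside of the core
 * user and comment tables. Drop into wp-content/mu-plugins/ or a plugin file.
 *
 * Assumed: a table {prefix}newsletter_signups with columns
 * id, email, ip_address, signed_up_at (hypothetical).
 */

function example_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'newsletter_signups';
}

// Exporter callback. WordPress calls it repeatedly with an increasing $page
// until 'done' is true, so large result sets are returned in batches.
function example_signup_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = example_signups_table();

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, ip_address, signed_up_at FROM {$table}
             WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        // Each item becomes one block in the HTML/ZIP export the user receives.
        $export_items[] = array(
            'group_id'    => 'newsletter_signups',
            'group_label' => __( 'Newsletter Signups' ),
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email' ),        'value' => $row->email ),
                array( 'name' => __( 'IP address' ),   'value' => $row->ip_address ),
                array( 'name' => __( 'Signed up at' ), 'value' => $row->signed_up_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

function example_register_exporter( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Newsletter Signups' ),
        'callback'               => 'example_signup_exporter',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );

// Eraser callback. Same batching contract; it must report what was removed
// and what was deliberately kept (e.g. records you retain for legal reasons).
function example_signup_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = example_signups_table();

    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

function example_register_eraser( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Newsletter Signups' ),
        'callback'             => 'example_signup_eraser',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
```

If some records legitimately have to stay (invoices you must keep for tax purposes, for instance), delete what you can, set items_retained to true and put a plain-language reason in messages; that text is shown to the admin processing the request and should match what your privacy policy says about retention.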
WordPress 4.9.6 also adds a Privacy Policy page tool under Settings > Privacy that can create a draft policy page for you. If you do use the generated policy, it will already include privacy information and disclosures related to WordPress core. It also adds helpful headings for other information you should add for GDPR compliance (such as contact forms, analytics, contact information, data protection, breach disclosure, etc.).
Using the auto-generated policy is a good start, but depending on the services and plugins you use on your website you'll need to update your policy to disclose all of the cookies and data being collected on your website.
Here are some of the most common:
- Google Analytics and other tracking services
- Google Adwords, Bing and other ad networks
- Cloudflare and CDN services
- Optins or pop-ups
- Push notifications
- Video players
- Shopping carts
In addition to disclosing the cookies used on your website, you should also include a section on how users can disable or delete cookies in their browser. In our own policy we chose to link to the following browser guides:
- Disable Cookies in Chrome
- Disable Cookies in Firefox
- Disable Cookies in Safari
- Disable Cookies in Internet Explorer
Be sure to include a consent checkbox on your contact forms if you have any. Lucky for you, popular contact form plugins have already been updated to make their forms GDPR ready. Here are a couple of examples.
If you're using Contact Form 7, you can simply add an acceptance checkbox to your forms. Just add this before your submit button: [acceptance accept-this-1] Check here to consent to this website storing my information so they can respond. [/acceptance]
The folks over at WPForms have added a GDPR agreement field you can add to all of your forms. First enable "GDPR Enhancements" under the WPForms settings, then edit your existing forms to insert the new "GDPR Agreement" checkbox. This way users confirm that they consent to sending you their information.
Similar to contact forms, you need to confirm user consent for newsletters. This can be done either with a checkbox that a user has to tick before they opt in, or by requiring double opt-in for your email list (if you don't already).
If you use MailChimp, double opt-in is easy to enable. Just log into your account, go to your Lists and click on the button for "Opt-in Settings." From there select the mailing lists you'd like to add double opt-in to and save. Easy!
If you have a store you’ll need to disclose how you are retaining customer data, for how long and what you do with it.
For more information on WooCommerce and GDPR please reference their guide.
Note: This is in no way a comprehensive list of disclosures – these are just a few, common examples.
Step 3: Add a Cookie Notice
A cookie notice tells visitors which cookies your site sets and lets them agree before non-essential ones (analytics, ads, embedded video players) are stored. Keep in mind that the banner by itself doesn't stop those scripts from setting cookies; whatever you use needs to hold back the tracking scripts until the visitor has agreed. Two plugins that add a notice to WordPress:
- Cookie Notice by dFactory (free WordPress plugin)
- WeePie Cookie Allow (premium GDPR cookie consent WordPress plugin)
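The following is an added example, not code from the original post or from either plugin above, showing what "holding back the tracking scripts until consent" looks like in a WordPress site, and at the same time the choice described under Step 1 of dropping the comment-author cookie altogether. It assumes that your cookie notice writes a cookie named cookie_consent with the value accepted when the visitor agrees (that name is an assumption; check what your notice plugin actually sets), and the Google Analytics property ID is a placeholder.

```php
<?php
/**
 * Added example: a small mu-plugin (wp-content/mu-plugins/consent-gate.php)
 * that sets no non-essential cookie until the visitor has agreed.
 *
 * Assumed: the cookie notice writes a first-party cookie `cookie_consent`
 * with the value `accepted` on agreement. The GA ID is a placeholder.
 */

define( 'EXAMPLE_CONSENT_COOKIE', 'cookie_consent' );
define( 'EXAMPLE_GA_ID', 'UA-XXXXXXXX-X' ); // placeholder, not a real property

// Does this request carry an explicit acceptance from the visitor?
function example_has_consent() {
    return isset( $_COOKIE[ EXAMPLE_CONSENT_COOKIE ] )
        && 'accepted' === $_COOKIE[ EXAMPLE_CONSENT_COOKIE ];
}

// 1. Analytics: only enqueue gtag.js once consent exists. Without consent
//    the request to Google never happens, so its _ga cookies are never set.
function example_enqueue_analytics() {
    if ( ! example_has_consent() ) {
        return;
    }
    wp_enqueue_script(
        'example-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( EXAMPLE_GA_ID ),
        array(),
        null,
        true
    );
    $inline = sprintf(
        "window.dataLayer = window.dataLayer || [];"
        . "function gtag(){dataLayer.push(arguments);}"
        . "gtag('js', new Date());"
        . "gtag('config', '%s', { 'anonymize_ip': true });",
        esc_js( EXAMPLE_GA_ID )
    );
    wp_add_inline_script( 'example-gtag', $inline );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_analytics' );

// 2. Comments: never store the commenter's name/email/URL cookie, whatever
//    the opt-in checkbox says. Core hooks wp_set_comment_cookies() to the
//    set_comment_cookies action; unhooking it here (mu-plugins load after
//    core's default filters) stops the cookie, and comment_form() then
//    omits the opt-in checkbox on its own because the action is gone.
remove_action( 'set_comment_cookies', 'wp_set_comment_cookies' );
```

Two things to check after installing something like this. First, full-page caching: if your cache serves the same HTML to every visitor, the PHP check above runs once and everyone gets whatever the first visitor got, so the cache must vary on the consent cookie (or the gating has to happen in the browser instead). Second, verify it in a fresh private window: before clicking the notice, the browser's storage inspector should show no _ga cookies and no request to googletagmanager.com.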
Step 4: Make it Easy for Users to Request/Delete Their Info
We mentioned before that WordPress 4.9.6 added easy options for user data management, so if a user would like you to forward a copy of their information or delete their info completely you can. But in order for them to share their request you’ll first need to create a contact form or page for them to get in touch.
Depending on your website, it might make sense to install a contact form plugin to streamline contact submissions. This is likely a better option if you’re dealing with a website that has tons of users – like an online forum or membership site.
Step 5: Notifications for Policy Updates or Data Breach
The last part of GDPR that really stands out as important is policy update and data breach notifications. This comes into play if you offer user accounts on your website, collect customer information or maintain a newsletter. For breaches, GDPR expects you to notify your supervisory authority within 72 hours of becoming aware of the breach where feasible, and to tell the affected users without undue delay when the breach is likely to put them at high risk, so you need a way to reach those users before anything happens.
If you're using one of the best GDPR compliance WordPress plugins, there's likely a notification system already built in so you can contact your site users. The best part is that with some of these plugin options you can automate policy update or data breach notifications, saving you some time.
Just to reiterate – we aren’t lawyers. This guide on how to make your WordPress site GDPR compliant is simply a collection of tips from our own personal experience researching and prepping for GDPR. Hopefully there were a few helpful tips in there for you, but really it’s just a starting point. We do highly recommend contacting a GDPR consultant or a lawyer to be sure your website is compliant especially if you’re located in the EU or if EU residents make up a significant portion of your website traffic.
Do you have any more questions on how to make your WordPress site GDPR compliant? Leave a comment and we’ll do our best to help. We’ll also update this guide as we learn more about GDPR – so if you have any other tips or key points please do share them.