How to Make Your WordPress Site GDPR Compliant
GDPR (the General Data Protection Regulation) has been enforceable since May 25th, 2018, and with it come new requirements that most websites should meet even if they aren’t based in the EU. So if you haven’t already prepped your website, here’s our quick and easy guide on how to make your WordPress site GDPR compliant in just 5 steps.
We’ll cover key points to help get you on your way to compliance, and fast. Why the rush? By choosing not to comply your business could face fines of up to €20 million or 4% of your annual global turnover, whichever is higher (yikes). While the higher end of that spectrum is likely aimed at giants such as Amazon and Facebook, we always recommend playing by the rules. So here’s how you can have your WordPress site GDPR compliant asap.
IMPORTANT: We are not lawyers, we are simply sharing information about GDPR compliance and some of the steps we’ve used while updating our own website. Following the steps below does not guarantee you fully comply with GDPR requirements. Please consult a lawyer or GDPR consultant to be sure your website is in full compliance.
Table of Contents
- Update to WordPress 4.9.6 (or higher)
- Create or Update Your Privacy Policy
- Add a Cookie Notice
- Make it Easy for Users to Request/Delete Their Info
- Notifications for Policy Updates or Data Breach
Step 1: Update to WordPress 4.9.6 (or higher)
This is the easy step, since WordPress 4.9.6 added a number of built-in privacy tools to WordPress core. Just by updating your core WordPress installation (which you should already be doing) you’re already setting yourself up for GDPR compliance success. There is a full laundry list of privacy features WordPress added in this update, but as far as GDPR compliance is concerned, here are a few key features you should check out.
Comments Cookie Opt-in
By default WordPress stores cookies (comment_author_*, comment_author_email_* and comment_author_url_*) so returning commenters don’t have to retype their name, email and website when leaving a new comment on your site. Since 4.9.6 the comment form includes an opt-in checkbox for this automatically, and the cookies are only set when the box is ticked – you don’t have to do anything except maybe style it if you don’t love how it looks (note: you won’t see this one on the WPExplorer blog since we disabled it – we don’t feel it’s necessary to store that information in your browser, so we chose to get rid of that cookie).
Data Export and Erase
Under Tools there are two new items: Export Personal Data and Erase Personal Data. If your site collects user information (via subscriber accounts, customer profiles, comments, etc.) you can export a copy of a person’s data or erase it from your database at their request. Both tools work from an email address: you enter it, WordPress emails the person a confirmation link, and once they confirm you can generate the export (a zip of their data, which you can send to them) or run the eraser. Two caveats: the eraser anonymises comments rather than deleting them and does not delete the user account itself, and both tools only see data that WordPress core and your plugins have registered with them, so check that your form, shop and membership plugins are covered.
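Those tools only know about data that has been registered with them. The following is an added example, not code from this post or from any plugin it mentions, showing how a plugin makes its own records visible to both tools through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. It assumes a hypothetical contact-form plugin that stores submissions in a custom table (wp_contact_requests with id, email, name, message, consented and created_at columns); that table, the function names and the 'example-contact-form' key are all made up for illustration.

```php
<?php
/*
 * Added example (not from the post or any plugin it names): register the
 * data a hypothetical contact-form plugin stores so that Tools > Export
 * Personal Data and Tools > Erase Personal Data cover it too. Assumes a
 * made-up table {prefix}contact_requests with columns id, email, name,
 * message, consented, created_at.
 */

// Exporter: WordPress calls it with $page = 1, 2, ... until 'done' is true.
function example_contact_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'contact_requests';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, consented, created_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'contact-requests',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'contact-request-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row->name ),
                array( 'name' => 'Message',   'value' => $row->message ),
                array( 'name' => 'Consented', 'value' => $row->consented ? 'yes' : 'no' ),
                array( 'name' => 'Sent',      'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $items,
        'done' => count( $rows ) < $per_page, // a full page means there may be more
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-contact-form'] = array(
        'exporter_friendly_name' => 'Contact form submissions',
        'callback'               => 'example_contact_exporter',
    );
    return $exporters;
} );

// Eraser: delete the rows for this address and report what happened.
function example_contact_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'contact_requests';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,   // set true and explain in 'messages' if you must keep some records
        'messages'       => array(),
        'done'           => true,    // everything fits in one pass because delete() is not paged
    );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-contact-form'] = array(
        'eraser_friendly_name' => 'Contact form submissions',
        'callback'             => 'example_contact_eraser',
    );
    return $erasers;
} );
```

Drop this in a plugin file or your theme’s functions.php. The exporter is called page by page until it reports done, so large result sets don’t have to be loaded at once; the eraser should set items_retained and add a message whenever you are legally required to keep something (an invoice, for instance) so the admin can tell the requester why.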
Step 2: Create or Update Your Privacy Policy
WordPress 4.9.6 also added a Privacy settings page (Settings > Privacy) where you can select an existing privacy policy page or create a new one pre-filled with a suggested template. If you do use the generated policy, it will already include privacy information and disclosures related to WordPress core. But it also adds in helpful headings for other suggested information you should add for GDPR compliance (such as contact forms, analytics, contact information, data protection, breach disclosure, etc.).
Using the auto generated policy is a good start, but depending on the services and plugins you use on your website you’ll need to update your policy to include disclosures for all of the cookies and data being collected on your website.
Here are some of the most common:
- Google Analytics and other tracking services
- Google Adwords, Bing and other ad networks
- Cloudflare and CDN services
- Optins or pop-ups
- Push notifications
- Video players
- Shopping carts
In addition to disclosing the cookies used on your website you should also include a section on how users can disable or delete cookies in their browser. In our own policy we chose to link to the following browser guides:
- Disable Cookies in Chrome
- Disable Cookies in Firefox
- Disable Cookies in Safari
- Disable Cookies in Internet Explorer
Be sure to include a consent checkbox on your contact forms if you have any. Lucky for you, popular contact form plugins have already updated to make sure their forms can be GDPR compliant. Here are a few form plugins that are already GDPR ready.
If you’re using Contact Form 7, you can simply add an acceptance checkbox to your forms. Just add this before your submit button:
[acceptance accept-this-1] Check here to consent to this website storing my information so they can respond. [/acceptance]
Leave the box unticked by default (don’t add the default:on option to the tag): a pre-ticked box does not count as consent under GDPR. With its default settings Contact Form 7 keeps the submit button disabled until the box is ticked, so a message can’t be sent without consent.
The folks over at WPForms have added a GDPR agreement field you can add to all of your forms. First enable “GDPR Enhancements” under the WPForms settings, then edit your existing forms to insert the new “GDPR Agreement” checkbox. This way users confirm that they consent to sending you their information.
Similar to contact forms you need to confirm user consent for newsletters. This can be done with either a checkbox that a user has to click before they opt-in, or by requiring double-optin to your email list (if you don’t already).
If you use MailChimp double opt-in is easy to enable. Just log into your account, go to your Lists and click on the button for “Opt-in Settings.” From here just select the mailing lists you’d like to add a double opt-in to and then save. Easy!
If you have a store you’ll need to disclose how you are retaining customer data, for how long and what you do with it.
For more information on WooCommerce and GDPR please reference their guide.
Note: This is in no way a comprehensive list of disclosures – these are just a few, common examples.
Step 3: Add a Cookie Notice
A cookie notice on its own only informs visitors. For non-essential cookies (analytics, ads, embedded media) the notice should also let visitors choose, and the scripts that set those cookies should not run until they have agreed. Two popular options:
- Cookie Notice by dFactory (free WordPress plugin)
- WeePie Cookie Allow GDPR Cookie Consent (premium WordPress plugin)
Step 4: Make it Easy for Users to Request/Delete Their Info
We mentioned before that WordPress 4.9.6 added easy options for user data management, so if a user would like you to forward a copy of their information or delete their info completely you can. But in order for them to share their request you’ll first need to create a contact form or page for them to get in touch.
Depending on your website, it might make sense to install a contact form plugin to streamline contact submissions. This is likely a better option if you’re dealing with a website that has tons of users – like an online forum or membership site.
Step 5: Notifications for Policy Updates or Data Breach
The last part of GDPR that really stands out as important is policy update and data breach notification. This comes into play if you offer user accounts on your website, collect customer information or if you maintain a newsletter. Keep in mind that under GDPR a personal data breach generally has to be reported to your supervisory authority within 72 hours of becoming aware of it, and to the affected people themselves when it is likely to put them at high risk, so you need a way to reach your users quickly.
If you’re using one of the best GDPR compliance WordPress plugins there’s likely a notification system already built in so you can contact your site users. The best part is that with some of these plugin options you can easily automate policy update or data breach notifications, saving you some time.
Just to reiterate – we aren’t lawyers. This guide on how to make your WordPress site GDPR compliant is simply a collection of tips from our own personal experience researching and prepping for GDPR. Hopefully there were a few helpful tips in there for you, but really it’s just a starting point. We do highly recommend contacting a GDPR consultant or a lawyer to be sure your website is compliant especially if you’re located in the EU or if EU residents make up a significant portion of your website traffic.
Do you have any more questions on how to make your WordPress site GDPR compliant? Leave a comment and we’ll do our best to help. We’ll also update this guide as we learn more about GDPR – so if you have any other tips or key points please do share them.
I’d like to add a plugin recommendation for a related problem: the task of showing ads based on the visitors’ approval. Advanced Ads has developed a new privacy module to support this challenge, which integrates the presented cookie and consent plugins, as well as allowing dynamic switches between personalized and non-personalized AdSense ads.
This is an excellent article Kyla. Thanks for the information.
Would also appreciate some GDPR information for websites using Google AdSense accounts.
It is absolutely untrue that compliance under EU GDPR is mandatory for anyone outside the EU.
The USA is a sovereign Nation State, not subject to the edicts, laws or regulations of either the UN, the EU or any other half-baked alliance of Kings, Queens or Parliamentary Associations. If anything, their laws and regulatory efforts must be compliant with Our Edict, Laws and Regulatory Requirements.
By signing the EU-US Privacy Shield agreement, you admit subservience to the GDPR Authority, thereby becoming a “vassal” of the EU’s regulatory machinery. If you or your business refuse to sign or comply with the agreement, the EU may, under its own laws, prevent its citizens or businesses from accessing or utilizing your online presence (of course, they won’t), but they have no legal presence or authority that compels your compliance if you reside (or if your web presence originates) outside the EU.
The standard, common sense, privacy statement utilized by every E-commerce enabled website is already sufficiently compliant without becoming vassals of UN or EU globalist expansion efforts by signature or fait accompli. The same theory applies equally to voluntary Email or Membership subscriptions by EU citizens wherein they supply routine contact information.
IF the Global purveyors of Merchant account and payment gateway services wish to sign and comply with such an agreement, it has no effect on our website businesses since payment processing Data comprises a “Pass Through Transaction” wherein the credit card processor is the only entity maintaining an archival record of the customers data. YOU don’t archive the information so YOU are either exempt or already compliant.
We need to take this very seriously simply because the next step will be to put restrictions on what products are “acceptable” for sale to EU customers. That will be followed by mandated license requirements, product approval requirements, specification submission requirements, licensing fees and Tax mandates. Soon … as in probably THIS YEAR … you will certainly be required to post your  on your landing page … or be excluded from the EU markets.
I can understand your feelings on GDPR, however for websites with a majority of traffic (or any customers) located in EU countries it’s probably best to contact a lawyer or GDPR consultant to see what exactly is required. We are not lawyers. This post simply documents some of the steps we personally took that other website managers might be interested in. We prefer to play it safe and have taken reasonable measures to follow the EU laws as best we can, which is our choice.
But as for some of your other points, here is my non-lawyer personal opinion. I think the EU is well within their rights to create rules for third parties to do business with their residents. Sales/VAT taxes are already applied based on customer location – GDPR just adds data privacy requirements, which is actually pretty easy to accommodate. I would think it’s also within the EU’s rights to block a website if a site owner chooses not to comply – in fact I would say it’s a much more realistic possibility compared to heavy fines which are probably aimed more at the big players like Google, Amazon, Walmart, etc. And for your last point, the EU and many other countries (and provinces, states, counties, cities) already restrict goods sold, require business licenses, charge taxes/duties and impose many other requirements (it’s just a cost of choosing to do business in any given locale). This is why I think any web based business should make it a priority to contact a lawyer or other specialist to be sure they are in compliance 🙂
Hey, nice blog..
If you want a GDPR WordPress plugin, another good option is the GDPR tool by WSD (free on WordPress.org) which can be used to record/log all PII processing.
Thank you so much for this article, it is really easy to understand what I’ll have to do to setup my new website!
The only thing that brings me doubts is the inclusion of videos from Vimeo or YouTube in what will be my portfolio page. Will it be GDPR compliant?
Thank you so much!
For Vimeo this is easy – just be sure to set the DNT parameter to “true” when you embed a video on your site to prevent analytics/cookies. YouTube is tricky. You can use their “privacy-enhanced” URLs (replace youtube with youtube-nocookie in your video URL) which don’t place cookies, at least until a user presses play at which point a cookie will be set (so it’s really just a delay). To be GDPR compliant you really should block YouTube videos until a user consents, but luckily this is a feature of many top GDPR plugins.
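One way to implement the blocking described in the reply above, as an added example rather than code from the post, the commenter or any plugin: a WordPress shortcode that rewrites a YouTube or Vimeo share URL to the cookie-free host (youtube-nocookie.com, or player.vimeo.com with dnt=1) and outputs only a placeholder. The iframe, and so the first request to the video host, is created only when the visitor clicks. The shortcode name privacy_video, the CSS class and the function names are assumptions for illustration.

```php
<?php
/*
 * Added example (not from the post, the comment or any plugin): a
 * [privacy_video url="..." title="..."] shortcode. Nothing is requested from
 * YouTube/Vimeo until the visitor clicks "Load video"; the embed then uses the
 * privacy-enhanced host. Shortcode name, class and function names are made up.
 */

// Return a cookie-free embed URL, or null if the URL is not YouTube/Vimeo.
function example_privacy_embed_url( $share_url ) {
    $parts = wp_parse_url( $share_url );
    if ( empty( $parts['host'] ) ) {
        return null;
    }
    $host  = preg_replace( '/^www\./', '', strtolower( $parts['host'] ) );
    $path  = isset( $parts['path'] ) ? $parts['path'] : '';
    $query = array();
    if ( isset( $parts['query'] ) ) {
        parse_str( $parts['query'], $query );
    }

    if ( in_array( $host, array( 'youtube.com', 'm.youtube.com', 'youtube-nocookie.com' ), true ) ) {
        if ( isset( $query['v'] ) ) {                       // /watch?v=ID
            $id = $query['v'];
        } elseif ( preg_match( '#^/embed/([^/]+)$#', $path, $m ) ) { // /embed/ID
            $id = $m[1];
        } else {
            return null;
        }
    } elseif ( 'youtu.be' === $host ) {                     // youtu.be/ID
        $id = ltrim( $path, '/' );
    } elseif ( in_array( $host, array( 'vimeo.com', 'player.vimeo.com' ), true ) ) {
        if ( ! preg_match( '#/(?:video/)?(\d+)$#', $path, $m ) ) {
            return null;
        }
        return 'https://player.vimeo.com/video/' . $m[1] . '?dnt=1';
    } else {
        return null;
    }

    // YouTube IDs are 11 URL-safe characters; reject anything else so an
    // attacker cannot smuggle a different path through the shortcode.
    return preg_match( '/^[A-Za-z0-9_-]{11}$/', $id )
        ? 'https://www.youtube-nocookie.com/embed/' . $id
        : null;
}

// Placeholder only: the embed URL sits in a data attribute, no iframe yet.
function example_privacy_video_shortcode( $atts ) {
    $atts  = shortcode_atts( array( 'url' => '', 'title' => 'This video' ), $atts, 'privacy_video' );
    $embed = example_privacy_embed_url( $atts['url'] );
    if ( ! $embed ) {
        return '';
    }
    return sprintf(
        '<div class="privacy-video" data-embed="%s"><p>%s is hosted by a third party that may set cookies once it loads.</p>'
        . '<button type="button">Load video</button></div>',
        esc_url( $embed ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'privacy_video', 'example_privacy_video_shortcode' );

// Swap the placeholder for the iframe only after the click.
function example_privacy_video_script() {
    ?>
    <script>
    document.addEventListener('click', function (e) {
        var btn = e.target.closest('.privacy-video button');
        if (!btn) { return; }
        var box = btn.closest('.privacy-video');
        var f = document.createElement('iframe');
        f.src = box.dataset.embed; // the first request to the video host happens here
        f.width = 640; f.height = 360; f.allowFullscreen = true;
        box.replaceWith(f);
    });
    </script>
    <?php
}
add_action( 'wp_footer', 'example_privacy_video_script' );
```

Use it in a post as [privacy_video url="https://vimeo.com/123456789" title="Portfolio reel"] (the video ID is a made-up one). The share URL is parsed and validated before it reaches the page, so only the two known hosts can ever be embedded, and the visitor’s click is the consent that triggers the load.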