How to Comply with the GDPR on a WordPress Site

WordPress has made some important changes in relation to the GDPR. The changes are part of WordPress’s effort to make it easier for their users to be GDPR compliant; however, simply utilizing these tools in and of itself does not guarantee GDPR compliance.

Below we’ll go through the important GDPR features, how they can benefit you, their limitations, and how to address them. Let’s dive in.

WordPress Privacy Policy Page


WordPress now makes it easier for website owners to set a dedicated Privacy Policy page by simply selecting Settings > Privacy from your WordPress dashboard. Once there, you can either select an existing page or create a new page to be designated as your privacy policy page.

While the feature makes it easy to designate a page, it does not provide the complete and applicable text, which is completely understandable: in order to be compliant, the text of your privacy policy should apply specifically to your case and include disclosures relevant to the data you process. What it does provide, if you click on the “Create New Page” button, is some starter text and a basic template.

How this benefits you

Limitations and How to Address Them

Main Limitations

As mentioned, the tool does not actually generate a usable and compliant privacy policy. The actual text of the template, while it is a useful starting point in helping you to think about the kind of disclosures you should include in your privacy policy, is, in and of itself, far from compliant.

In the accompanying Privacy Policy guide, WordPress informs users of this as follows:

Please edit your privacy policy content, making sure to delete the summaries, and adding any information from your theme and plugins. . . It is your responsibility to write a comprehensive privacy policy, to make sure it reflects all national and international legal requirements on privacy, and to keep your policy current and accurate.

While a full analysis of the provided starter text would require a separate article, at a quick glance it’s clear that some sections (e.g. the one on users’ rights over their data) are either incorrect or incomplete if you’re processing personal data under the provisions of the GDPR.

Under the GDPR, and most similar privacy-related laws, your privacy policy is required to be available from every page of your website; the new privacy tool does not automatically do this.

Solutions

  • Produce a comprehensive, easy-to-read privacy policy that meets legal requirements. One way to do this is to hire a lawyer to draft one for you, or you can simply generate one of our lawyer-crafted, comprehensive and customizable privacy policies by using the privacy and cookie policy generator here. Getting started is easy: enter your site name into the generator, select the language you’d like the policy to be in and click generate.

    After that, select the services that apply to you, customize as needed, save and you’re done. You can read the dedicated guide, How to Generate a Policy, here.

  • Make your policy visible and easily accessible from all pages of your website. You can do this in a number of ways, but by far the easiest method is to place the link to your privacy page in the footer, either directly, via a set footer menu, or via a text widget placed in your footer. You can read the full privacy and cookie policy integration guide for WordPress here.

Comments

The new comment feature now allows logged-out commenters to set preferences for which personal details (name, email, website) are stored in a cookie in their browser.


You can find the option to enable this under Settings > Discussion.


How this benefits you

  • This feature gives you the opportunity to collect granular consent specific to the purpose of improving the user experience of your site’s comment function, using a cookie.
  • It further provides another opportunity to get consent specific to this purpose even if the user has previously refused to consent to cookies via your main cookie management mechanism (assuming that you haven’t separately set your cookie management system to block these particular cookies).
  • It has the added benefit of allowing users to understand the purpose of the collection within context.

Limitations and How to Address Them

Main Limitation

The new comment feature only addresses one type of cookie. Under the GDPR, and more relevantly the still-applicable Cookie Law (which you can think of as currently working alongside the GDPR), your users need to be informed, via a conspicuous and sufficiently interruptive means such as a banner, of all of the purposes for which your site uses cookies (with the exception of exempt cookies), and they must be allowed to give their consent via opt-in (this can be done using a GDPR checkbox, button, toggle, etc.), or to refuse or withdraw consent for those cookies.

Solution

Regardless of whether you decide to use the new comment feature, in order to be compliant you must ensure that you still have an active cookie management solution in place that meets legal requirements.

iubenda’s Privacy Controls and Cookie Solution meets all the provisions of the law while giving you the ability to extensively customize, optimize for consent acquisition and proofs of users’ preferences, view site metrics and more. Setting up with the Privacy Controls and Cookie Solution is made even easier with our dedicated WordPress plugin. For more information on how to integrate the Privacy Controls and Cookie Solution with your WordPress site, see the plugin installation guide.

Data Handling

The new data handling features allow you to easily export a ZIP file containing a particular user’s personal data, and to fully erase a particular user’s data, including the data collected by participating plugins.

The export feature sends a ZIP folder containing a “mini website”: an index HTML page with the user’s personal data segmented into groups. Both features also make a new email-based method available to site owners for confirming personal data requests from both registered users and commenters.

How this benefits you

  • The feature makes it easier for you to meet the GDPR’s Right of Access (Art. 15) requirements by allowing you to conveniently export and provide user data in a compliant and convenient format.
  • This feature makes it easier for you to meet the GDPR’s Right to erasure (Art. 17) requirements.
  • You can easily request confirmation for critical actions like erasure requests via email.

Limitations and How to Address Them

Main Limitations

While the Data Handling updates are easily among the most valuable and time-saving, they do have certain critical limitations that you should be aware of. The first is that they only automatically export the data collected by participating plugins. This means that their workability depends entirely on whether the plugins you’re using have hooked into the new export/erasure feature: the feature will not work with plugins that have not been modified to do this, or with old (non-updated) versions of plugins that might be in use on your site (in that case, of course, you can simply update those particular plugins to the latest version).

The truly problematic thing here is that (at the time of writing this post) no central repository exists that shows specifically which plugins have this feature integrated. Furthermore, no incentives were created to encourage plugin creators to implement the feature, meaning that likely, very few plugins have gone through the trouble to re-work their code and add these features.
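To make concrete what “hooking into” the export/erasure feature means for a plugin author, the following is an added example (not code from this article, from iubenda, or from WordPress core) that registers one exporter and one eraser callback with the core privacy tools. The newsletter_signups table, its columns and the example-newsletter identifiers are assumptions made for illustration.

```php
<?php
// Added example: a plugin registering with the WordPress personal-data
// export and erasure tools. Assumes a hypothetical custom table
// {$wpdb->prefix}newsletter_signups (id, email, signup_date, ip_address).

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

// Core calls this with the requester's e-mail, page by page, until 'done' is true.
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100; // paginate so large data sets do not time out
    $table    = $wpdb->prefix . 'newsletter_signups';
    $rows     = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, signup_date, ip_address FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
        $email_address, $per_page, ( $page - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'newsletter',
            'group_label' => 'Newsletter signups', // becomes a group in the exported "mini website"
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'Signed up',  'value' => $row->signup_date ),
                array( 'name' => 'IP address', 'value' => $row->ip_address ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

// Core calls this from Tools > Erase Personal Data once the request is confirmed.
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'newsletter_signups', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (int) $deleted > 0, 'items_retained' => false, // set true + a message if a legal hold applies
                  'messages' => array(), 'done' => true );
}
```

A plugin without callbacks like these is invisible to the export and erasure screens, which is exactly the gap the paragraph above describes.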

It’s worth noting here though, that even if every single plugin on the WordPress site supported these features, not all of the user data you process is necessarily handled by plugins. For example, if you use a cloud service or external mailing list management system, the data handled by these will not be automatically pulled into WordPress’ new Data Handling system. This is a very important point to note as the Rights to Access and Erasure apply to ALL the applicable user data, not some. So relying on an incomplete mechanism, or only providing some of the data simply means that you’re non-compliant.

With that said, these new features will likely be sufficient if you’re the only one processing users’ personal data via the functionalities built into the WordPress platform itself, as in this way your compliance will not be dependent on whether or not various third-party plugins have integrated with the new feature.

Solutions:

Currently, the best approach for addressing these issues is two-fold and involves mostly preliminary measures and manual effort.

Preliminary measures

  • Choose GDPR aware partners: Ensure that the Data Processors you work with are GDPR compliant/have the means in place to facilitate user requests such as erasure or access requests. This information should be stated in the Data Processing Agreement you enter into with them.
  • Be aware of your processes: Evaluate your data processing cycle and systems and aim to set them up in a way that makes it easy for you to facilitate these requests. Some questions to ask yourself here are, for example,
    • how can I easily export a particular user’s data from my databases (this issue is somewhat dealt with by the WordPress update, as it relates to data stored on your own databases)?
    • how can I easily access and completely erase a particular user’s data (also made easier by the new data handling feature)?
    • which specific data am I handing over to third parties to be processed and is it considered personal data?
  • Be aware of the data you process: Truly take note of and implement the GDPR principle of data minimization. Some questions to ask yourself here are, for example,
    • what data am I processing?
    • is it considered personal data?
    • is it strictly necessary for the provision of the service?

Manual effort
Under the current system, if you use any third-party services to process personal data, outside of what’s covered by the WordPress Data Handling tools, you’ll need to apply some manual effort in identifying, exporting from relevant databases and making the data available, or erasing the data if so requested by the user. Generally, you’ll have an average of one month to comply (with some exceptions).

Take note that if fulfilling an access request, the data will need to be provided to the user in a common and easy-to-access format (e.g. a spreadsheet).

Additionally, if fulfilling an erasure request, it’s useful to preemptively inform the user that fully erasing their data will mean that your systems will no longer recognize them as a user (unless they somehow add their data to your systems again) and therefore you will be unable to fulfill any requests regarding that data subsequent to its deletion.

For more information on these WordPress features, read the Privacy section of the WordPress Plugin Handbook here.


These newest additions by WordPress indicate an acknowledgment of the importance of compliance and a willingness by the company to assist their users in meeting requirements. Ultimately, however, compliance is a custom venture and the responsibility (and liability) falls on you, the data controller, to properly assess your data processing activities and ensure that your systems and processes are compliant.

Procedures like maintaining Records of Processing and carrying out a Data Impact Assessment can be very helpful in figuring this out.

For this reason, based on our work surrounding the GDPR in the last few months, we’ve compiled the following list of GDPR related resources and articles to further help you with compliance.
