Big Updates: WordPress, WPMU DEV, and the GDPR

WordPress 4.9.6 drops today, and it is all about data privacy and getting ready for the EU’s General Data Protection Regulation (GDPR).

You’ve probably been inundated over the last few weeks and months with notifications about updated privacy policies and with information on the GDPR. The regulation was actually adopted back in April of 2016, but it only becomes enforceable on May 25, 2018, bringing with it a bevy of potential fines and sanctions for non-compliance.

I won’t re-hash the details of the GDPR, but we do have ‘An Overview For Website Owners’ and an ‘Interview With A GDPR Expert’ from last month on this blog.

This post rounds up the updates now available to both end users and site owners in WordPress core, along with information for WPMU DEV members about our own GDPR efforts and our updated privacy policy.

Let’s go!

WordPress Core

The changes and additions to WordPress core are described by Jonathan Desrosiers (a core contributor) as “the first round of tools that help WordPress site owners and admins meet the new requirements of user privacy regulations.” The phrase “first round” signals that this is only the beginning: more privacy tools and changes will arrive in the releases to come.

Here is an overview of the big features that you are most likely to notice:

A Default Privacy Policy

The WordPress team has put together a default privacy policy that includes information about the personal data that is collected in a typical WordPress install. New tools in the dashboard give site owners access to this text, which can then be customized and easily published to a Privacy Policy page. An end goal here is to ensure that all WordPress sites have their own published privacy policy.

This is a big win for the average WordPress site owner – it can be expensive and daunting to contract legal services to help create your own GDPR-friendly privacy policy. Bear in mind, though, that the default text only describes what a stock install collects (comments, media uploads, cookies, embedded content and so on); anything your plugins, themes or third-party services collect still has to be described by you. We used much of this new default text to help re-shape our own privacy policy, which we’ll discuss further down in this post.

Export Personal Data

Two new menu items have also been added under the Tools section. The first, Export Personal Data, handles requests from users for an export of the personal data WordPress stores about them. A site admin enters the requester’s email address, the user confirms the request by clicking a link in an email, the admin approves it, and WordPress then emails the user a link to a .zip file containing an HTML file of the exported information. Out of the box the export covers what core itself knows about that email address (the user profile, comments and media); plugins have to register their own exporters for any data they store, or it is silently left out. The export file is written under wp-content/uploads and removed by a scheduled task after three days, so treat that directory as holding personal data while it is there.

Here’s an example of what that export file looked like for me on a test install.

Sample Data Export


Erase Personal Data

The second menu item added under the Tools section is Erase Personal Data. It works the same way as the export tool: the admin enters the email address, the user confirms, and once the admin approves, core deletes or anonymizes the personal data it holds for that address (comments, for example, are anonymized rather than removed), together with whatever any plugin-registered eraser handles. Note that the user account itself is not deleted by this tool; that remains a separate action under Users.
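Both tools only see data that something has registered with them. As an added example (not code from WordPress core or from WPMU DEV), here is how a plugin that keeps its own table of personal data hooks into the export and erase tools described above. The table name, its columns and the retention rule for rows tied to an order are assumptions made for the example:

```php
<?php
/**
 * Plugin Name: Newsletter Privacy Hooks (added example)
 *
 * Illustrative only: not WordPress core or WPMU DEV code. Assumes a
 * plugin table {$wpdb->prefix}newsletter_signups with the columns
 * id, email, ip_address, signed_up and order_id (NULL when no purchase).
 */

function nl_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'newsletter_signups';
}

// Register with Tools > Export Personal Data. Core calls the callback
// with the confirmed email address and page = 1, 2, ... until done.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['newsletter-signups'] = array(
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'nl_signups_exporter',
    );
    return $exporters;
} );

function nl_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $rows     = $wpdb->get_results( $wpdb->prepare(
        'SELECT id, email, ip_address, signed_up FROM ' . nl_signups_table()
        . ' WHERE email = %s ORDER BY id LIMIT %d OFFSET %d',
        $email_address, $per_page, ( $page - 1 ) * $per_page
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'newsletter-signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email address', 'value' => $row->email ),
                array( 'name' => 'IP address',    'value' => $row->ip_address ),
                array( 'name' => 'Signed up',     'value' => $row->signed_up ),
            ),
        );
    }
    // 'done' => false makes core call again with the next page.
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Register with Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['newsletter-signups'] = array(
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'nl_signups_eraser',
    );
    return $erasers;
} );

function nl_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = nl_signups_table();
    $per_page = 100;
    $removed  = false;
    $retained = false;

    // No OFFSET: every row handled below stops matching the address,
    // so each call naturally picks up the next batch.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip_address, order_id FROM {$table} WHERE email = %s ORDER BY id LIMIT %d",
        $email_address, $per_page
    ) );

    foreach ( $rows as $row ) {
        if ( empty( $row->order_id ) ) {
            $wpdb->delete( $table, array( 'id' => $row->id ), array( '%d' ) );
            $removed = true;
            continue;
        }
        // Assumed retention rule: rows tied to an order are kept for the
        // accounting record, but the identifying fields are replaced using
        // the anonymization helpers core added in 4.9.6.
        $wpdb->update(
            $table,
            array(
                'email'      => wp_privacy_anonymize_data( 'email' ),
                'ip_address' => wp_privacy_anonymize_data( 'ip', $row->ip_address ),
            ),
            array( 'id' => $row->id ),
            array( '%s', '%s' ),
            array( '%d' )
        );
        $retained = true;
    }

    $messages = $retained
        ? array( 'Signups linked to an order were anonymized rather than deleted.' )
        : array();

    return array(
        'items_removed'  => $removed,
        'items_retained' => $retained,
        'messages'       => $messages, // shown to the admin on the request list
        'done'           => count( $rows ) < $per_page,
    );
}
```

Both callbacks are paginated because core invokes them repeatedly with an increasing page number until they report done, which keeps a large table from timing out a single request. The eraser reports items_retained together with a message so that the retained-for-accounting case is visible to the admin handling the request rather than silently skipped, which is the situation point 3 under “The GDPR and WPMU DEV” below is about.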

Comment Consent Box

With this update, a new consent checkbox is automatically added above the submit button of the comment form for logged-out users. It is unchecked by default and reads, “Save my name, email, and website in this browser for the next time I comment.” WordPress now sets the comment-author cookies only when that box is ticked; previously they were set on every comment.

On this blog, we require commenters to be logged in, so this doesn’t apply. Which segues nicely into…

The GDPR and WPMU DEV

We’ve been hearing from our members for nearly a year about the concerns and anxiety some have about being ready for the law. Given how often the same questions come up, there are a few points I want to get out of the way:

  1. Nothing in the GDPR has really changed our processes or practices – we’ve been privacy conscious and pro-active when it comes to security and data protection from the beginning. For us, the GDPR has provided us with a useful reminder to be more transparent in these practices, and provide better documentation and opt-ins for our visitors and members.
  2. Nothing in the GDPR requires that EU visitors’ or customers’ data be hosted inside the EU, or forbids it from leaving the EU. Full stop. Hosting EU customers’ data in other countries, including the US, is fine as long as the GDPR is followed, which for transfers means relying on one of the mechanisms its Chapter V recognizes (an adequacy decision, standard contractual clauses and the like) and disclosing the transfer in your privacy policy.
  3. There are specific legal reasons why businesses can continue to store certain types of personal data even if an individual has requested that all data be deleted. More on that here.

A New Privacy Policy

Our new privacy policy is based in part on the new default privacy text included in WordPress; please do read through the entire policy here.

We worked hard to list out all of the different ways that individuals interact with our services and what we do with any data that is shared. The end goal here was to be transparent and easy to read with less legalese and more detailed examples.

Data Processing Addendum (DPA)

Our privacy policy does not technically cover your end users or site visitors. For their data you are the controller and we act as a processor, and the GDPR (Article 28) requires a written contract between the two. That contract is the Data Processing Addendum, or DPA, an additional legal document that provides contractual assurances about our privacy and security practices. If you would like a signed DPA, reach out to our support team for a copy. You’ll just need to read through, sign and return it, and we’ll then keep a copy on file with your account.

New Plugin Privacy And Security Documentation

Check out the new ‘Privacy’ section of our documentation area here.

We’ve put together lists of which of our plugins and services interact with our servers or may send data to third parties. This information should be useful to you as you put together your own site’s privacy policy (in particular the section on who you share data with) or audit what data your site may share.

What’s Next?

We’re hopeful that the WordPress core team will continue to work through privacy tools and enhancements in WordPress core and the WordPress ecosystem. For example, we expect to be able to automatically add information in our plugins that will help pre-populate and suggest additions to your site’s privacy policy and list privacy-related information in a standardized way on WordPress.org and in the dashboard.
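The first part of this is already possible: 4.9.6 ships wp_add_privacy_policy_content(), which lets a plugin supply suggested text that site owners see in the Privacy Policy Guide linked from the privacy policy page editor. The following is an added example of a plugin using it, not WPMU DEV code; the plugin name and the suggested wording are assumptions:

```php
<?php
// Added example, not WPMU DEV or WordPress core code: a plugin suggesting
// text for the site's privacy policy page via the API that shipped in 4.9.6.
// The plugin name and the wording are assumptions.
function nl_signups_privacy_policy() {
    // Older WordPress versions lack the function; fail quietly rather than fatally.
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return;
    }

    // The privacy-policy-tutorial class is what core uses for guidance
    // aimed at the site owner, as opposed to the suggested policy text itself.
    $content = '<p class="privacy-policy-tutorial">'
        . 'Describe exactly what the newsletter form collects; keep this in '
        . 'sync with what your personal data exporter returns.'
        . '</p>'
        . '<p>When you sign up for our newsletter we store the email address '
        . 'you enter, the IP address the request came from and the time of '
        . 'signup. We keep this until you unsubscribe or ask us to erase it.</p>';

    wp_add_privacy_policy_content( 'Newsletter Plugin', wp_kses_post( $content ) );
}
add_action( 'admin_init', 'nl_signups_privacy_policy' );
```

The suggested text is only ever shown in the admin area; nothing is published until the site owner copies it into the policy page, so a plugin can describe its data handling precisely without deciding the site’s policy for it.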

If you have any questions about the GDPR and your site, drop us a line. We’re here to help.


Ronnie Burt
Over to you! How are you feeling about the upcoming enforcement of the GDPR? Are you ready?