GDPR: How it Affects WordPress Site Owners and Developers
If you haven’t been living under a rock for the last few months, there’s a very good chance you’ve heard of GDPR, or the General Data Protection Regulation.
This is new legislation relating to personal data and how it’s stored. It’s European legislation but it will affect website owners and developers outside Europe, as if your website is accessed by people in Europe (or your code is used by websites that do), you’ll be covered.
In this post, I’ll attempt to demystify GDPR and explain exactly what it means, and more specifically relate this to your WordPress site. Whether you’re a website owner, content marketer, or developer, the legislation could affect you – so read on.
What is GDPR?
GDPR stands for General Data Protection Regulation (snappy, huh?). It was approved by the European Parliament in April 2016 and will come into force on 25 May 2018, which means none of us has any excuse for not acting upon it (being really bored by data protection legislation doesn’t count as a defence, I’m afraid).
It’s European legislation but applies to any data collection which will impact on European citizens. Which will include most websites around the world. So Brexit is no excuse for Brits like me.
Like all data legislation, it includes a lot of detail, which I’m not going to go into here (you can get all that from the GDPR portal). But the main points relevant to website owners and web developers are:
- Increased territorial scope. This means that the legislation affects not only businesses and organisations operating in Europe, but also those ‘processing the personal data’ of people living in the European Union. Which is most websites around the world.
- Consent. Everyone whose data you collect must consent to you doing so. This doesn’t just apply to data gathered via forms but also to data picked up in the background such as IP addresses, if it’s used to identify an individual.
- Right to access. Individuals will have the right to access to their data and to information on how it’s being processed and used.
- Right to be forgotten. An individual will have the right to have their data erased, and for it to no longer be disseminated.
- Privacy by design. This means that instead of bolting on data privacy, it will have to be incorporated into the design of a system from the outset.
If you don’t comply with the regulations, there are harsh penalties – up to 4% of annual global turnover or €20 Million (whichever is greater). If you run a small business that collects data for sales and/or a mailing list, or you’re an independent plugin developer, that’s a LOT of money.
So that’s the legislation – or at least a summary of it. But what does this mean in practice? What specific aspects of your work will you need to review to ensure you’re compliant?
Let’s take a look at this from two perspectives – that of a developer, and that of a website owner.
Disclaimer: I’m not a lawyer and WPMU DEV is not a law firm. This post does not constitute legal advice and does not replace any advice you obtain from a lawyer or other legal expert. If in doubt, check with an expert on data law.
How GDPR Applies to Website Owners
There are six main ways in which this will affect website owners:
- How you collect data via forms (contact forms, newsletter signups etc.)
- How you collect analytics data
- What you do with that data
- Where the data is stored
- How you communicate with your customers and contacts
- The code you use – plugins and themes.
Any personal data you collect on an individual via a form will already be covered by data protection legislation, but GDPR may mean you have to put extra safeguards in place.
Data covered by the legislation includes not only names and addresses but also photos of individuals, such as avatars and photos they upload.
The crucial thing is that you must be transparent, so when collecting data via any form on your site, you must also provide details of how you will use the data. This means a pop-up, redirection to another page on your site, or an email with the information.
You must also provide people with details of how to contact you to get access to their information or to have it deleted. And you have to inform them if you will be sharing that data in any way.
- With a form, say why you’re collecting the data and how you will use it.
- Provide a double opt-in to ensure you have informed consent.
- When sending out emails, include information on why you’re emailing them and how you got their data.
- When sending out emails, provide an unsubscribe option and a ‘forget me’ option. If someone asks to be forgotten, delete their data – don’t just stop sending them emails.
- If you share data, tell the owners of the data and ask for their consent. Don’t share without consent.
- Use forms plugins and mailing list providers that are GDPR-compliant.
When you sell via your website, you’re collecting even more data. Not only will you need people’s names and email addresses, you’ll also need credit card details and possibly physical addresses too. The data you have could potentially be used in a number of ways, including to drive further sales via recommendations or to send the individual news via your mailing list.
If you collect emails when making a sale on your website and then add those email addresses to your mailing list, you must tell people, and gain their specific consent to you holding their data and using it in this way.
If you’re using WooCommerce, you may find their guide to GDPR useful.
- Follow all the points in the checklist above for contact forms.
- If you will be using data you obtain in the sales process for other purposes, such as emailing recommendations or special offers, state this when collecting the data and give people the option to opt out.
- If possible, avoid collecting financial data yourself and use a third party service to take payments such as Stripe or Paypal.
- Add an easily accessed ‘My Account’ page on your website where people can access and delete their data.
- If a data breach occurs on your website (e.g. data is stolen or lost), tell users as soon as possible and give them the option to delete their data.
- Use an e-commerce plugin that is GDPR-compliant.
If you’re serious about SEO and conversion optimization, chances are you collect analytics data to measure your website performance. The GDPR also covers this data, but only if the data can be directly traced to an individual.
Most analytics software won’t attempt to track individuals, in which case you’re fine. But if you track sales in your analytics software, be careful not to track to the level of individual customers.
- Don’t use analytics software to track individual data. Keep your reporting and analytics to the level of anonymous group data.
- Don’t use analytics software to track IP addresses.
How GDPR Applies to Web Developers
GDPR doesn’t just apply to website owners who are processing data. Developers also have a responsibility to ensure that their code is compliant.
This will apply to developers building sites for clients and to developers writing code in the form of plugins and themes for wider distribution. The main ways in which GDPR will affect developers are:
- In the use of third party themes and plugins when creating sites for clients.
- When creating plugins or themes which include a form where users will input personal data.
- When linking to third party APIs to access or process data.
- When coding analytics functionality or anything which can identify a user via their IP address, location or other means.
Using Third Party Themes and Plugins
The guidance for using third party themes and plugins for developers doing client work is very similar as for website owners: ensure that the themes and/or plugins you use are GDPR-compliant, and that you configure them in a way that is compliant. In addition you should ensure that your client is aware of the legislation and tell them if their site includes functionality that is affected. This doesn’t remove the obligation of the site owner to manage the data in a way that is compliant, however: they are the holder of the data, not you.
Many of the big themes and plugins, such as Jetpack and Gravity Forms are already working on GDPR-compliance and provide advice for making sure you use their plugins in a way which complies with the legislation.
We're working towards the GDPR, so keep an eye out for our new privacy related features.
— Jetpack (@jetpack) July 23, 2017
- Follow the guidelines for website owners above when installing and configuring plugins or third party themes.
- Tell your client if their site includes functionality affected by the legislation and point them in the direction of relevant information.
- If in the course of development and testing you collect personal data, delete all of it at the end of this period.
- When you hand the site over to the client, ensure that any data collected is going to the client and not to you (it can be easy to forget to edit an email address in a contact form’s settings).
Developing Themes and Plugins
Whether you’re developing a theme or a plugin for a specific client project or for wider distribution, the regulations will apply if your code includes the facility to collect personal data.
You must ensure that your code makes it possible for your client or users of your code to comply with the legislation. This will include any data capture, either overt via forms or e-commerce, or covert via cookies or APIs.
- If your code includes any kind of input for personal data (including names, addresses, email addresses, social media account details, photos and more), make sure that this includes the option for the site owner to add information on how the data will be used and that where relevant you include a double opt-in.
- If your code tracks data via cookies, ensure that this can’t be used to directly identify individuals.
- If your code links with a third party API, ensure that API is GDPR-compliant.
- If your code sends data to a third party API, include the option for website users to opt out.
- If your code is affected by the regulations, add details of this to your documentation. Include guidance on how website owners can use your theme or plugin in a way that is GDPR-compliant.
- For more information on work being done on WordPress and GDPR, follow the WordPress GDPR team.
- If in doubt and the gathering of a specific piece of data isn’t absolutely necessary for your code to work, don’t gather the data.
GDPR is Coming – You Can’t Ignore It
Let’s face it – thinking about data legislation isn’t much fun for most of us. I doubt it’s why you developed an interest in WordPress. But if you own or develop websites that gather data, you can’t afford to bury your head in the sand. The same applies if you write code that gathers data.
The information and checklists above are designed to help you identify what you need to do and to act as a starting point. They aren’t legal advice so if you are concerned about GDPR and you collect and/or process a lot of data, you may want to speak to a lawyer.