GDPR: How it Affects WordPress Site Owners and Developers

If you haven’t been living under a rock for the last few months, there’s a very good chance you’ve heard of GDPR, or the General Data Protection Regulation.

This is new legislation relating to personal data and how it’s stored. It’s European legislation, but it will affect website owners and developers outside Europe too: if your website is accessed by people in Europe (or your code is used by websites that are), you’ll be covered.

In this post, I’ll attempt to demystify GDPR and explain exactly what it means, and more specifically relate this to your WordPress site. Whether you’re a website owner, content marketer, or developer, the legislation could affect you – so read on.

What is GDPR?

GDPR stands for General Data Protection Regulation (snappy, huh?). It was approved by the European Parliament in April 2016 and will come into force on 25 May 2018, which means none of us has any excuse for not acting upon it (being really bored by data protection legislation doesn’t count as a defence, I’m afraid).

It’s European legislation, but it applies to any data collection that affects European citizens, which includes most websites around the world. So Brexit is no excuse for Brits like me.

The GDPR portal provides detailed information about GDPR

Like all data legislation, it includes a lot of detail, which I’m not going to go into here (you can get all that from the GDPR portal). But the main points relevant to website owners and web developers are:

  • Increased territorial scope. This means that the legislation affects not only businesses and organisations operating in Europe, but also those ‘processing the personal data’ of people living in the European Union, which is most websites around the world.
  • Consent. Everyone whose data you collect must consent to you doing so. This doesn’t just apply to data gathered via forms but also to data picked up in the background such as IP addresses, if it’s used to identify an individual.
  • Right to access. Individuals will have the right to access their data and to information on how it’s being processed and used.
  • Right to be forgotten. An individual will have the right to have their data erased, and for it to no longer be disseminated.
  • Privacy by design. This means that instead of bolting on data privacy, it will have to be incorporated into the design of a system from the outset.

If you don’t comply with the regulations, there are harsh penalties – up to 4% of annual global turnover or €20 Million (whichever is greater). If you run a small business that collects data for sales and/or a mailing list, or you’re an independent plugin developer, that’s a LOT of money.

So that’s the legislation – or at least a summary of it. But what does this mean in practice? What specific aspects of your work will you need to review to ensure you’re compliant?

Let’s take a look at this from two perspectives – that of a developer, and that of a website owner.

Disclaimer: I’m not a lawyer and WPMU DEV is not a law firm. This post does not constitute legal advice and does not replace any advice you obtain from a lawyer or other legal expert. If in doubt, check with an expert on data law.

How GDPR Applies to Website Owners

There are six main ways in which this will affect website owners:

  • How you collect data via forms (contact forms, newsletter signups etc.)
  • How you collect analytics data
  • What you do with that data
  • Where the data is stored
  • How you communicate with your customers and contacts
  • The code you use – plugins and themes.

Contact Forms

Any personal data you collect on an individual via a form will already be covered by data protection legislation, but GDPR may mean you have to put extra safeguards in place.

Data covered by the legislation includes not only names and addresses but also photos of individuals, such as avatars and photos they upload.

The crucial thing is that you must be transparent, so when collecting data via any form on your site, you must also provide details of how you will use the data. This could be a pop-up, a redirection to another page on your site, or an email with the information.

You must also provide people with details of how to contact you to get access to their information or to have it deleted. And you have to inform them if you will be sharing that data in any way.

Checklist:

  • With a form, say why you’re collecting the data and how you will use it.
  • Provide a double opt-in to ensure you have informed consent.
  • When sending out emails, include information on why you’re emailing them and how you got their data.
  • When sending out emails, provide an unsubscribe option and a ‘forget me’ option. If someone asks to be forgotten, delete their data – don’t just stop sending them emails.
  • If you share data, tell the owners of the data and ask for their consent. Don’t share without consent.
  • Use forms plugins and mailing list providers that are GDPR-compliant.
  • Include a privacy policy on your website with details of the data you process and hold, what you do with it, whether you share it, how people can access their data and how they can delete it or have it deleted.

Sales Data

When you sell via your website, you’re collecting even more data. Not only will you need people’s names and email addresses, you’ll also need credit card details and possibly physical addresses too. The data you have could potentially be used in a number of ways, including to drive further sales via recommendations or to send the individual news via your mailing list.

If you collect emails when making a sale on your website and then add those email addresses to your mailing list, you must tell people, and gain their specific consent to you holding their data and using it in this way.

If you’re using WooCommerce, you may find their guide to GDPR useful.

WooCommerce guide to GDPR

Checklist:

  • Follow all the points in the checklist above for contact forms.
  • If you will be using data you obtain in the sales process for other purposes, such as emailing recommendations or special offers, state this when collecting the data and give people the option to opt out.
  • If possible, avoid collecting financial data yourself and use a third party service such as Stripe or PayPal to take payments.
  • Add an easily accessed ‘My Account’ page on your website where people can access and delete their data.
  • If a data breach occurs on your website (e.g. data is stolen or lost), tell users as soon as possible and give them the option to delete their data.
  • Use an e-commerce plugin that is GDPR-compliant.

Analytics Data

If you’re serious about SEO and conversion optimization, chances are you collect analytics data to measure your website performance. The GDPR also covers this data, but only if the data can be directly traced to an individual.

Most analytics software won’t attempt to track individuals, in which case you’re fine. But if you track sales in your analytics software, be careful not to track to the level of individual customers.

Checklist:

  • Don’t use analytics software to track individual data. Keep your reporting and analytics to the level of anonymous group data.
  • Don’t use analytics software to track IP addresses.

How GDPR Applies to Web Developers

GDPR doesn’t just apply to website owners who are processing data. Developers also have a responsibility to ensure that their code is compliant.

This will apply to developers building sites for clients and to developers writing code in the form of plugins and themes for wider distribution. The main ways in which GDPR will affect developers are:

  • In the use of third party themes and plugins when creating sites for clients.
  • When creating plugins or themes which include a form where users will input personal data.
  • When linking to third party APIs to access or process data.
  • When coding analytics functionality or anything which can identify a user via their IP address, location or other means.

Using Third Party Themes and Plugins

The guidance for developers doing client work is very similar to that for website owners: ensure that the third party themes and/or plugins you use are GDPR-compliant, and that you configure them in a way that is compliant. In addition, you should ensure that your client is aware of the legislation and tell them if their site includes functionality that is affected. This doesn’t remove the site owner’s obligation to manage the data in a compliant way, however: they are the holder of the data, not you.

Many of the big themes and plugins, such as Jetpack and Gravity Forms, are already working on GDPR compliance and provide advice on using their plugins in a way which complies with the legislation.

Checklist:

  • Follow the guidelines for website owners above when installing and configuring plugins or third party themes.
  • Tell your client if their site includes functionality affected by the legislation and point them in the direction of relevant information.
  • If in the course of development and testing you collect personal data, delete all of it at the end of this period.
  • When you hand the site over to the client, ensure that any data collected is going to the client and not to you (it can be easy to forget to edit an email address in a contact form’s settings).

Developing Themes and Plugins

Whether you’re developing a theme or a plugin for a specific client project or for wider distribution, the regulations will apply if your code includes the facility to collect personal data.

You must ensure that your code makes it possible for your client or users of your code to comply with the legislation. This will include any data capture, either overt via forms or e-commerce, or covert via cookies or APIs.

Checklist:

  • If your code includes any kind of input for personal data (including names, addresses, email addresses, social media account details, photos and more), make sure that this includes the option for the site owner to add information on how the data will be used and that where relevant you include a double opt-in.
  • If your code tracks data via cookies, ensure that this can’t be used to directly identify individuals.
  • If your code links with a third party API, ensure that API is GDPR-compliant.
  • If your code sends data to a third party API, include the option for website users to opt out.
  • If your code is affected by the regulations, add details of this to your documentation. Include guidance on how website owners can use your theme or plugin in a way that is GDPR-compliant.
  • For more information on work being done on WordPress and GDPR, follow the WordPress GDPR team.
  • If in doubt and the gathering of a specific piece of data isn’t absolutely necessary for your code to work, don’t gather the data.
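As an added example (not code from the original post, nor WPMU DEV’s own) of how a plugin author can meet the checklist above inside WordPress itself, the snippet below refuses signups without an explicit consent box, stores a consent record, and wires the data into the core export and erase tools so the “right to access” and “right to be forgotten” work without the site owner writing anything. It assumes WordPress 4.9.6 or later, which introduced wp_add_privacy_policy_content() and the personal-data exporter/eraser filters; the option name and example_gdpr_* function names are illustrative.

```php
<?php
/**
 * Plugin Name: Example GDPR-aware newsletter signup
 *
 * Illustrative only. Assumes WordPress 4.9.6+ (privacy-policy helper and the
 * personal-data exporter/eraser hooks). Signups live in one option for
 * brevity; a real plugin would use its own table.
 */

const EXAMPLE_GDPR_OPTION = 'example_gdpr_signups';

/** Refuse a signup unless the (never pre-ticked) consent box was ticked. */
function example_gdpr_handle_signup() {
	$nonce = isset( $_POST['example_gdpr_nonce'] ) ? $_POST['example_gdpr_nonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'example_gdpr_signup' ) ) {
		return;
	}
	$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
	if ( ! is_email( $email ) || empty( $_POST['consent'] ) ) {
		return; // Invalid address or no consent: store nothing at all.
	}
	$signups           = get_option( EXAMPLE_GDPR_OPTION, array() );
	$signups[ $email ] = array(
		'consented_at' => gmdate( 'c' ),
		'purpose'      => 'monthly newsletter', // The wording shown next to the box.
		'confirmed'    => false, // Set to true by the double opt-in link (not shown).
	);
	update_option( EXAMPLE_GDPR_OPTION, $signups, false );
}
add_action( 'init', 'example_gdpr_handle_signup' );

/** Right to access: feed the record to the core "Export Personal Data" tool. */
function example_gdpr_exporter( $email, $page = 1 ) {
	$signups = get_option( EXAMPLE_GDPR_OPTION, array() );
	$data    = array();
	if ( isset( $signups[ $email ] ) ) {
		$data[] = array(
			'group_id'    => 'example_gdpr_signup',
			'group_label' => 'Newsletter signup',
			'item_id'     => 'signup-' . md5( $email ),
			'data'        => array(
				array( 'name' => 'Email',            'value' => $email ),
				array( 'name' => 'Consent given at', 'value' => $signups[ $email ]['consented_at'] ),
				array( 'name' => 'Purpose',          'value' => $signups[ $email ]['purpose'] ),
			),
		);
	}
	return array( 'data' => $data, 'done' => true );
}

/** Right to be forgotten: delete the record, not merely stop mailing. */
function example_gdpr_eraser( $email, $page = 1 ) {
	$signups = get_option( EXAMPLE_GDPR_OPTION, array() );
	$removed = isset( $signups[ $email ] );
	if ( $removed ) {
		unset( $signups[ $email ] );
		update_option( EXAMPLE_GDPR_OPTION, $signups, false );
	}
	return array( 'items_removed' => $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['example-gdpr'] = array( 'exporter_friendly_name' => 'Example newsletter signup', 'callback' => 'example_gdpr_exporter' );
	return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['example-gdpr'] = array( 'eraser_friendly_name' => 'Example newsletter signup', 'callback' => 'example_gdpr_eraser' );
	return $erasers;
} );

/** Privacy by design: suggest policy wording the site owner can adopt under Settings > Privacy. */
add_action( 'admin_init', function () {
	wp_add_privacy_policy_content(
		'Example newsletter signup',
		'<p>When you sign up we store your email address, the time you consented and the purpose you agreed to. We do not share this data. Ask the site owner for a copy or for deletion at any time.</p>'
	);
} );
```

Once activated, the record shows up in Tools > Export Personal Data and Tools > Erase Personal Data for the address in question, which is the mechanism the WordPress core team was adding for plugins at the time of this post.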

GDPR is Coming – You Can’t Ignore It

Let’s face it – thinking about data legislation isn’t much fun for most of us. I doubt it’s why you developed an interest in WordPress. But if you own or develop websites that gather data, you can’t afford to bury your head in the sand. The same applies if you write code that gathers data.

The information and checklists above are designed to help you identify what you need to do and to act as a starting point. They aren’t legal advice so if you are concerned about GDPR and you collect and/or process a lot of data, you may want to speak to a lawyer.

Rachel McCollin
Are you GDPR-compliant yet? Share what you're doing in the comments!

10 Responses

  • How many of the WPMUDEV plugins already comply with GDPR? I could not see any changes until now, and until now none is compliant, as all of them send data to your servers afaics.
    1. IP addresses still get stored and processed – against GDPR, the DSGVO and the South African regulations, which are pretty similar to GDPR
    2. We still have no way to opt in to all that advertising in the WPMUDEV plugins; instead, we have to opt out, which actually isn’t possible in any wpmudev plugin – we constantly get asked to install the dashboard etc.
    3. Where does WPMUDEV store data? I guess in the USA, and there is no choice to store data in a safe environment like the EU.
    4. Usage data gets sent by the plugins, incl. IP addresses and website URLs etc. You are also sending private images to cloud services. Where are those cloud services, which cloud services are you using, and do they comply with GDPR?
    5. Until now there is no way for users to request all their data at WPMUDEV in a form they can look at, so that they can move all their data to another place – Facebook, for example, has such an option! – nor is there a way for it to get deleted 100% – the right to be forgotten, which means including all usage data, credit card history data etc.
    6. Does WPMUDEV have an officer responsible for GDPR?
    7. GDPR has to be implemented BY DESIGN too by 25 May 2018, and until now neither Hummingbird, Dashboard, Smush, Hustle nor most other wpmudev plugins which received updates in the last 2 years (not so many of the 100 plugins) comply with that requirement. When will WPMUDEV be ready to release 100% compliant versions of their plugins, as the current versions bear the risk for any user of those plugins to get fined, and the question of who is using which plugin is pretty easy to find out, and it will make at least lawyers very happy to proceed.

    @ David – you could do that, but it would mean taking your website more or less offsite, as until now there is no way to figure out who is an EU citizen or not, as those regulations are also valid for any EU citizen worldwide! I suggest you’d better comply by 25 May 2018.

    I would recommend anybody using a WPMUDEV plugin to check the plugin entirely, as your customers might ask you where their data gets sent, collected, processed, used for any purposes etc. It would be nice to hear from you in detail what data gets collected by WPMUDEV, what usage data gets collected, i.e. if they load an image in the backend of their plugin from their servers! They can collect data incl. IP addresses, which would be illegal – as that image could also be integrated into the plugin itself, and there are many more examples of collecting data without “analytics”.

    I would suggest to anybody to do the Test:
    ultimategdprquiz.com

    and of course reading and UNDERSTANDING the guidelines and rules.

    I thank you for that article and hope that by 25 May 2018 ALL WPMUDEV plugins will receive an update and that no more data gets collected by them without the user of that plugin having opted in to allow that tracking.

    Thanks

    • Hi Andi, quite the comment!

      I’ll reply to as much of what you left as I can – though much more from us is coming soon.

      1. Storing of IP addresses and plugins sending data to us isn’t at all against GDPR. We just need to make the opt-ins and notifications much more clear. There will be some cases where if you opt-out, that plugin or service may not work (like our Hub) – that will be common with lots of services around the web. We’ve been patiently waiting on adding in these opt-ins and notifications because our understanding is that the WordPress core team will include hooks and ways for us to do this in a common way together with all other WordPress plugins. Progress on this isn’t moving as fast as we’d all hoped, so we also have a plan B underway. We’re hearing it may be early May before this is in WordPress core. More on that soon.

      2. We’ve completed a full audit of our opt-ins, signup process, marketing campaigns, dashboard notifications, etc. You’ll see changes on these rolling out shortly – in fact, some are already there.

      3. The GDPR does not have any problems with data being stored in the US or any other country as long as safeguards and best practices are in place. We’re in the process of completing the certifications with the EU and Swiss Privacy Shield Frameworks. Those clauses added to our privacy policies should be approved any day now and we will update all of our users once that is complete and published. That being said, we already have options for data being stored in different regions for some of our services (Enterprise Hosting for example) and when possible, we’ll make more of those options available to other services.

      4. As part of the privacy policy updates soon to be approved, we will detail all of our 3rd party and cloud service providers, link to their privacy policies and GDPR compliance information, and more. It will all be very clear and transparent.

      5. Our method for requests of these types is simply to contact our support team. The updated Privacy Policy will link to a contact form that can be used as well. There is no requirement of automating any of this in the GDPR, and for now, we’re more than happy to manually comply. In fact, we’ve been doing this for years, this is nothing new.

      6. Yes, me :)

      7. I’d really caution you to assume that something is not compliant just because it hasn’t had a recent update. I understand we are getting close to the deadline and folks are nervous and anxious. I’ve mentioned this in a few comments, but nothing in the GDPR is really changing anything significant about what we do as a company and how we do it. As a group, we are about as privacy and security conscious as you can imagine in our own personal lives, and that scepticism and practice has carried over into what we do at WPMU DEV and the other services we run. We’ve exceeded most of the GDPR requirements long before the GDPR law was published – it is mostly just good common sense practice. What the GDPR is doing, for us, is just making all of our work around privacy and security more transparent, and in a consistent way, which is wonderful. You should feel more than confident that you can continue to use WPMU DEV, our plugins, and our services with any audience. And if you ever have any specific questions, just get in touch with our team.

      For now, give us just a bit more time – it will be worth the wait :)

  • Dear Ronnie

    1. Thanks for verifying that you will continue storing IP addresses as that violates the German regulations.

    As you seem to be the Data Security Officer, you should know better, as Google and others already provide plugins to delete those IP addresses, incl. also those stored with each comment here, as that has already been illegal in Germany for a long time!

    I would suggest you stop tracking people and IP addresses.

    3. Thanks for trying to get the certification. Storage depends on whether your storage location can comply with GDPR, and right now there seems to be a problem between the US regulations and laws since Snowden and the GDPR. If you can make sure that the US Government has no access, you can comply ;-)

    The point is actually more that customers don’t like to store or process their data via US services.

    4. I wish those had already been out for years, as GDPR is not new. It has been there since 2016 and now we are approaching a real deadline. I hope you can publish the new terms asap, as this would help us to keep customers.

    5. Unfortunately all this was not mentioned in the article, which is actually why we got asked by customers why an article about GDPR only talks pretty generally but says nothing on how Wpmudev complies. Good to know and looking forward to reading the terms and policies. Question: will customers be able to receive all their data so they can move it somewhere else, or do you only offer the option to delete everything?

    6. Good to know

    7. Have a look at the majority of wpmudev plugins – they simply haven’t seen any changes for years, and that was discussed in the forum often. But many of those plugins mean that you actually can track IP addresses, and that is against German law already. That is our concern. Don’t track, no problem then.

    Thanks for your info

    James has asked me to come back and he even offered half price for that, but we are currently evaluating the situation as our ideas had been ignored, even though we still receive lots of hero points as people love our contribution to the community.

    Better communication would solve most of those problems and would make it much easier for agencies to keep customers in the wpmudev scheme. I hope James will extend his half-price offer to come back until we see that wpmudev complies 100% with GDPR and the German regulations, as otherwise it would be suicide for any company in Germany using your services, and that we can’t risk.

    Thanks Andi

    • Hi Andi,

      See Article 6, Paragraph 1, Point F of the GDPR. We are perfectly fine, and you could easily argue legally obligated, to keep logs and audit trails so that we can protect ourselves and our customers from fraud, malicious intent, attacks, etc.

      Our plugins send us only IP address information of the server hosting the WordPress installation, not any personal information. This is used specifically and only to handle update notifications and automated updates – something critically important for the security of our users who may need to be aware of and quickly install any important security updates at some point in the future. Our plugins do occasionally serve images and other media like tutorial videos that may result in IP addresses of end-users in our logs, but again, to prevent abuse and fraud, it is important this information is archived, and they’d be useless if they were anonymized. These logs will also include url of image viewed, referrer (site image is viewed from), and browser user agent. This is where our security practices to ensure the proper storage and limited access to these logs come in to play.

      To be frank, if you feel uncomfortable with this, or you feel (even though we strongly disagree) that this might violate any of your local laws, then WPMU DEV may not be a good fit for you. This would then likely be the case for all of WordPress and just about any service that isn’t proprietary and fully hosted/served/authored within your home country (or municipality or state, if local laws might come into play).

      I do genuinely appreciate the ongoing feedback and dialogue – serves to only make us better.

  • Thanks Ronnie for your feedback.

    At least someone is interested in constructive feedback and doesn’t kick out members – very appreciated, as for us it is crucial to get much more information on how data gets handled, used, stored and processed, for what purpose etc., as more and more companies wake up now and ask for GDPR help, and some of them have lots of wpmudev plugins too or are even members. Anyway.

    When you read Article 5 carefully you will realize that

    „The data must be processed in a manner that ensures appropriate security of the personal data – including protection against unauthorised or unlawful processing by means of suitable technical and organisational measures. These measures, in turn, are not precisely defined. It is to be assumed, however, that a company will be classified as non-compliant in the event of a data theft.“

    It says that in case of a data breach you would be degraded to not GDPR-conform – at least in Germany – as it has not clearly been defined how exactly the data has to be handled to be „conform“. So companies actually do much better to get rid of that data asap.

    Article 6.7.8 makes clear that you need to ask each single individual!!!

    „All personal data must be processed lawfully. In plain terms, this means that every individual must explicitly consent to the use of their personal data. The data collected must also be necessary to complete a task or transaction initiated by the person concerned.“

    That is a tricky part, as at the end not you but the one who runs the website will be held responsible, even if a data breach might occur, i.e. at one of the third parties which you are using.

    This information, which you started to give and which I hope will come in more detail, is especially useful and actually necessary to comply with Article 15

    „Article 15, right of access: EU citizens have the right, on request, to learn which of their personal data a company uses and for what purposes.“

    Therefore I think it is pretty important what you started to write in your last comment. That is information all of us, besides perhaps wpmudev insiders, did not know, but which is relevant for the evaluation of services and risks customers / website owners might take when using them.

    Nobody hopes a data breach will happen, but it happened before and for sure it will happen again in future. Thinking it will not happen to anybody would be naive and dangerous.

    Thanks again for your input on that matter, which helps us, and I hope this discussion will not stop until 100% transparency is available to take away the fears of your members/our customers and many others who follow that thread

    Some more info is needed concerning article 20:

    Article 20, right to data portability: citizens of the European Union can, on request, have their personal data transferred.

    It doesn’t sound that easy to accomplish with WordPress until now. Do you print out all that data and the customer has to re-enter it at the new location, or is there a way to get the user’s data in a digital transportable format?

    It would be beneficial for many following your articles if a blog post were available on which plugins would help to fulfil the GDPR requirements. That question was left open completely.

    Kind regards
    Andi
