If you’ve been in the WordPress world for a while, you’ve no doubt heard of GDPR. But what does it actually mean? Who does it affect? What are the penalties for not complying? And what are those cookie notifications all about? On the whole, is GDPR something that you should be concerned about?
In this post, we’ll answer these questions and more, plus we’ll give you some simple solutions to making your WordPress site GDPR-compliant. While it may seem like a complicated legal regulation, it’s actually quite simple for most sites to follow all of the rules.
Let’s get started!
This post is not legal advice. If you have any questions or concerns regarding GDPR, you should contact a lawyer.
GDPR stands for General Data Protection Regulation. It is a regulation adopted by the European Union in April 2016 that has been enforceable since 25 May 2018.
It is a long document (99 articles plus 173 explanatory recitals) that sets out how personal data may be collected and processed. You can read a detailed guide to the GDPR on Wikipedia or read the entire thing yourself at gdprinfo.eu.
If you prefer to read it in your own language, you can do so in one of 23 other languages at this link.
While the full regulation is quite complex, in essence it requires you to have a lawful basis, which for most websites means explicit consent, before collecting or using the personal data of anyone in the EU.
Personal data includes obvious things like names and email addresses, but also IP addresses, cookie and analytics identifiers (such as the ones Google Analytics sets) and any other information that can be linked to an individual. You must also report a data breach to your supervisory authority within 72 hours of becoming aware of it, and allow users to access, export or delete their data in a timely manner.
Key requirements of GDPR for websites
- Have a lawful basis, normally explicit consent, before collecting or using the personal data of anyone in the EU
- Only send emails to subscribers that agreed to sign up to your list
- If users ask for access to their data and/or for you to delete it, you must comply
There are basically two groups that are subject to GDPR:
- Organizations established in the EU or with a presence there. Even if the data itself is processed in Antarctica, you are still subject to GDPR.
- Organizations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour (tracking and analytics count). This covers non-citizens and even tourists who happen to be in the EU. The location of your company doesn’t matter, only the user’s.
Specifically, the GDPR gives individuals eight rights. Let’s cover each one briefly:
- Right to be informed. People must be told, in plain language, what data you collect, why, on what basis and for how long. Your privacy policy is where this normally happens.
- Right of access. If someone requests a copy of the data you hold about them, you have to provide it, normally within one month.
- Right to rectification. People have the right to have inaccurate or incomplete information you hold about them corrected.
- Right to erasure. Also called the “right to be forgotten”, this means that if someone requests you delete their data, you must do so unless you have a legal reason to keep it (for example, tax records for completed orders).
- Right to restrict processing. People can request that you only store the data, but not use it for any other purpose.
- Right to data portability. Data someone has provided to you must be handed over in a structured, commonly used, machine-readable format such as CSV or JSON so it can be moved to another service. You can’t give them data formatted in odd or confusing ways.
- Right to object. People can object to your processing of their data. For direct marketing the objection must always be honoured; for other processing you may continue only if you can show compelling legitimate grounds.
- Rights related to automated decision-making, including profiling. People have the right not to be subject to decisions with legal or similarly significant effects that are based solely on automated processing, with only limited exceptions.
While it’s not something to “worry” about, you should definitely make your website GDPR-compliant. This is especially the case if you have a large number of users from the European Union. By not being compliant, you risk some serious fines and other headaches.
If you don’t have any European users, you still might wonder: Is it worth it? Do I need to bother with all of this GDPR stuff?
The answer: yes, you should. It is still worth setting up one of the plugins we mention below. It will only take you an hour, tops, and you won’t need to worry about any future conflicts.
Some sites have “solved” the GDPR issue by blocking all IPs originating in the European Union, but as you can imagine, this is not a great idea, especially if you rely on traffic or word of mouth. It also gives your European readers a very bad impression of you.
Let’s cover a few misconceptions about becoming GDPR-compliant. There is a lot of misinformation floating around online and it can be difficult to determine what is actually legitimate.
Do I need to ask subscribers to resubscribe?
Not if they knowingly opted in and consented to receive communications from you. If you added subscribers to your list without getting their consent (for example by importing a purchased list or checking a pre-ticked box on their behalf), then you must ask them to re-subscribe before emailing them again. If you don’t, you’re violating GDPR!
That said, lists built without genuine opt-in are mostly a waste of time anyway, as they aren’t a way of gaining quality subscribers.
Do I need to stop collecting IP addresses?
No. IP addresses do count as personal data under GDPR, so you need a lawful basis for keeping them (security logging is a common one), you must mention them in your privacy policy, and you must not keep them longer than needed. Specifically, you need to have a way for users to request that their data, IP addresses included, is deleted. For example, a contact form.
Do I need to add a consent checkbox to comment and contact boxes?
Usually not. Since WordPress 4.9.6 the core comment form already includes an opt-in checkbox for the cookie that remembers the commenter’s name and email. For a contact form, you only need a consent checkbox if you intend to do something with the submission beyond answering it, such as adding the sender to a mailing list; the contact form plugins we mention below make adding one easy.
The penalties vary depending on the size of your organisation, the nature of the infringement, and a number of other factors. There are two tiers: up to 10 million euros or 2% of the previous year’s worldwide annual turnover for lesser infringements, and up to 20 million euros or 4% of turnover for serious ones, whichever figure is higher. That’s a pretty penny indeed!
And in case you thought these fines were just “suggestions”, watch out. Between January 2020 and January 27, 2021, the EU handed out nearly $200 million USD in fines. Violators included Google, H & M, British Airways, and Marriott Hotels.
Is your site GDPR-compliant? It depends on the situation and what you do on your site. There will be different requirements, depending whether you sell products, send email newsletters, or only publish content.
Here are some basic requirements for different use cases.
- If you have an eCommerce site, you need to let users see all of the data you’ve collected about them, if they ask for it. You must also let users delete their accounts and/or export the data in them (order records you are legally required to keep for tax purposes can be retained, but say so).
- If you have an email newsletter, you must only send emails to subscribers that explicitly agreed to join your list. Do not email subscribers that you didn’t add in this way.
- If you have a membership site, you need to let users delete their account and/or data. This can be as simple as a “delete my account” form on a specific page. You must also let users change this data if there are errors.
- If you have a blog with comments, you need to let users have their comments deleted or anonymised (removing the name, email and IP address while keeping the comment text is what the WordPress core eraser does).
Now let’s walk through a number of other things you can do to ensure that you won’t have any issues.
First and foremost, you should always keep your WordPress site updated to the most recent version. Newer versions of WordPress include updates that pertain directly to user data protection, and running an unpatched version is itself a security risk.
Since WordPress 4.9.6, core ships the privacy tools you need: a privacy policy page with a policy guide (Settings > Privacy), Export Personal Data and Erase Personal Data tools (under Tools) that email the requester a confirmation link before anything is released or deleted, and the opt-in checkbox for the comment form cookie. The software gives you the mechanisms; whether your site is compliant still depends on how you use them and on the plugins you run. Read the full release report here.
If you collect your users’ email addresses, you’ll definitely need a consent checkbox in your signup form. It must be unticked by default: a pre-ticked box or silence does not count as consent under GDPR. Thankfully, this is included in pretty much every email marketing and contact form plugin:
- MailPoet has an extensive guide to making sure you are GDPR-compliant in your forms and emails.
- ConvertPro helps you stay GDPR-compliant when subscribing users to your newsletter and other lists.
- MailChimp makes it easy to collect email addresses and send emails safely.
While it isn’t strictly required, it is also a very good idea to enable double opt-in for your email newsletters. This means that subscribers will need to confirm their subscription before you send them any emails, and as you can imagine, it makes your case for consent much stronger.
- Allow users to request and erase their data
- Make a plan for disclosing a data breach, in the unfortunate event that it occurs
WooCommerce itself stores personal data (customer names, billing and shipping addresses, email addresses and the IP address recorded on each order) and hooks into the core export and erase tools, so those requests cover it. Many of its extensions store additional data and need checking separately. Check out this page for more information on the particular extensions that do.
WP AutoTerms is another useful free plugin that helps you generate a variety of legal agreements for regulations like CCPA, GDPR or Amazon Associates affiliate link disclosure.
Google Analytics collects a number of personal data points (a client identifier stored in a cookie, IP address, device and behavioural data), so it is important to understand it and to use a plugin that loads it responsibly. Google itself has implemented many requirements within the advertising ecosystem. In 2020 it launched Consent Mode, which lets the Google tags adjust what they store and send according to the consent state the visitor has given.
MonsterInsights is one of the most popular analytics plugins for WordPress. They have an extensive guide on using their plugin in line with GDPR regulations and their premium package also includes a EU GDPR Compliance add-on to make the process easy.
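The Consent Mode paragraph above describes the behaviour but not how it is wired up. The following is an added example written for this article, not code from the original post, from MonsterInsights or from Google; it is a snippet for a theme’s functions.php or a small plugin that enqueues gtag.js with every storage type defaulting to “denied” and upgrades to “granted” only if the visitor has already accepted. The measurement ID `G-XXXXXXXXXX`, the cookie name `example_consent` and its value `analytics` (which your cookie banner would have to set) are assumptions.

```php
<?php
/**
 * Load Google Analytics (gtag.js) under Consent Mode: every storage type
 * defaults to "denied" before the tag runs, and is upgraded to "granted"
 * in the browser only if the visitor's stored choice allows it.
 *
 * Assumptions (hypothetical, replace for your site): the measurement ID
 * 'G-XXXXXXXXXX', and a cookie named 'example_consent' that your cookie
 * banner sets to the literal value 'analytics' when analytics is accepted.
 */
add_action( 'wp_enqueue_scripts', 'example_enqueue_consented_analytics' );

function example_enqueue_consented_analytics() {
    $measurement_id = 'G-XXXXXXXXXX'; // placeholder

    // The gtag library. A null version leaves the URL without a ?ver= parameter.
    wp_enqueue_script(
        'example-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( $measurement_id ),
        array(),
        null,
        false
    );

    // Printed immediately BEFORE the gtag.js <script> tag: the defaults have to
    // exist before the library fires anything, otherwise the first hit is sent
    // with cookies as if consent had been given.
    $before = <<<'JS'
window.dataLayer = window.dataLayer || [];
function gtag(){ dataLayer.push(arguments); }
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'wait_for_update': 500
});
JS;
    wp_add_inline_script( 'example-gtag', $before, 'before' );

    // Printed AFTER gtag.js. The stored choice is read in the browser, not in
    // PHP: a full-page cache serves one HTML copy to every visitor, so a
    // server-side $_COOKIE check would bake the first visitor's choice into
    // the cached page for everyone else.
    $after = <<<'JS'
gtag('js', new Date());
gtag('config', '%MEASUREMENT_ID%');
(function () {
  var m = document.cookie.match(/(?:^|;\s*)example_consent=([^;]*)/);
  if (m && decodeURIComponent(m[1]) === 'analytics') {
    gtag('consent', 'update', { 'analytics_storage': 'granted' });
  }
})();
JS;
    $after = str_replace( '%MEASUREMENT_ID%', esc_js( $measurement_id ), $after );
    wp_add_inline_script( 'example-gtag', $after );
}
```

Your banner’s Accept handler should both set the cookie and call `gtag('consent', 'update', …)` immediately, so events queued during the `wait_for_update` window on the current page are released without a reload. Two caveats: with consent denied, gtag.js still sends cookieless pings to Google, so if your policy is that no request at all may reach Google before consent, the script must not be loaded in the first place (which is what the decline-blocks-scripts plugins listed later do); and the defaults must be declared in the “before” position, because declaring them after the library has loaded is too late for the first page view.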
If you collect user data as a part of your website, it is essential that you allow users to delete their data. This includes things like personal information, images, comments, or other details.
WordPress core already provides Tools > Erase Personal Data and Export Personal Data, which handle core data (user profile, comments, media attached to the user) and the data of any plugin that hooks into them. If you want users to be able to act for themselves without an admin, there are a number of plugins that add a self-service option; try one of the two listed below. If you don’t want to use a plugin, you should create a contact form that allows users to contact you and request data deletion, and then run the core tools on their behalf.
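Both the WordPress 4.9.6 section above and the data-deletion advice here rest on the same mechanism: the core export and erase tools only know about a plugin’s data if the plugin registers with them. The following is an added example for this article, not code from the original post or from any plugin it names; it shows how a plugin does that. It assumes a hypothetical newsletter plugin that stores one preference per user in user meta under the key `example_newsletter_topic`; that key, the slug `example-newsletter` and the function names are assumptions.

```php
<?php
/**
 * Register this plugin's data with the core privacy tools
 * (Tools > Export Personal Data / Erase Personal Data).
 * Assumption: the plugin stores one value per user in user meta
 * under the key 'example_newsletter_topic' (hypothetical).
 */

// 1. Exporter: core calls this for each email address a confirmed request concerns.
add_filter( 'wp_privacy_personal_data_exporters', 'example_newsletter_register_exporter' );
function example_newsletter_register_exporter( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Example Newsletter Plugin' ),
        'callback'               => 'example_newsletter_export',
    );
    return $exporters;
}

function example_newsletter_export( $email_address, $page = 1 ) {
    $export_items = array();
    $user         = get_user_by( 'email', $email_address );

    if ( $user ) {
        $topic = get_user_meta( $user->ID, 'example_newsletter_topic', true );
        if ( '' !== $topic ) {
            $export_items[] = array(
                'group_id'    => 'example-newsletter',
                'group_label' => __( 'Newsletter preferences' ),
                'item_id'     => 'example-newsletter-' . $user->ID,
                'data'        => array(
                    array( 'name' => __( 'Email' ), 'value' => $email_address ),
                    array( 'name' => __( 'Topic' ), 'value' => $topic ),
                ),
            );
        }
    }

    // 'done' => true tells core there are no further pages for this exporter.
    return array( 'data' => $export_items, 'done' => true );
}

// 2. Eraser: must delete or anonymise, and report honestly what it did.
add_filter( 'wp_privacy_personal_data_erasers', 'example_newsletter_register_eraser' );
function example_newsletter_register_eraser( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Example Newsletter Plugin' ),
        'callback'             => 'example_newsletter_erase',
    );
    return $erasers;
}

function example_newsletter_erase( $email_address, $page = 1 ) {
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();
    $user           = get_user_by( 'email', $email_address );

    if ( $user && '' !== get_user_meta( $user->ID, 'example_newsletter_topic', true ) ) {
        if ( delete_user_meta( $user->ID, 'example_newsletter_topic' ) ) {
            $items_removed = true;
        } else {
            // Never claim success you cannot verify; core shows these messages to the admin.
            $items_retained = true;
            $messages[]     = __( 'Newsletter topic could not be deleted; please remove it manually.' );
        }
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => true,
    );
}

// 3. Suggested privacy-policy text, shown under Settings > Privacy > Policy Guide
//    so the site owner can meet the "right to be informed" for this data.
add_action( 'admin_init', 'example_newsletter_privacy_policy' );
function example_newsletter_privacy_policy() {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // WordPress older than 4.9.6
    }
    $content = '<p>' . __( 'This site stores the newsletter topic you chose with your account so that we only send the emails you asked for. You can export or erase it by contacting us.' ) . '</p>';
    wp_add_privacy_policy_content( __( 'Example Newsletter Plugin' ), wp_kses_post( $content ) );
}
```

Once registered, the plugin’s records appear in the export ZIP and in the erasure report next to core’s own user and comment data. Routing requests through the core tools rather than a plain contact form also gives you identity verification for free: core emails a confirmation link to the address in the request, so nobody can export or erase another person’s data just by typing their email into a form.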
This plugin adds a “delete” button to the user profile page. You can also add it to any other page by using a shortcode.
This simple plugin allows certain user types to delete their own accounts. It does this by creating a delete page, which asks for confirmation before deleting the account. Although slightly outdated, Delete Me should still work for most people.
A completely free plugin that allows website users to enable or disable any cookies. You can customize the template colors and text, too.
This free plugin creates a cookie notice with Accept and Reject options. By default, cookies will not be enabled until the Accept button is pressed.
Complianz is a cookie consent plugin that supports GDPR, the California Consumer Privacy Act (CCPA), and other regional privacy laws. You can configure different cookie consent behaviour for particular regions, such as the US, Canada or Europe. The free version handles one region at a time, while the paid version comes with extra features.
This plugin asks users to accept or decline cookies. If they decline, tracking scripts like Google Analytics and Facebook Pixel will not load.
There are over 50,000 WordPress plugins available. While most of the best ones have implemented GDPR-friendly policies, not all have done so. This is especially true if the developers of the plugin are not based in the European Union.
As such, you should always check that any plugins or themes you use handle personal data in a GDPR-friendly way: find out what they collect, whether they send it to third-party servers, and whether they hook into the core export and erase tools. If they process data in a way the regulation does not permit, it is your site that faces the fine.
If you plan to use the data of your users in any way, you need to ask them for permission first. This includes selling access to the data, selling the data itself, or using it in a way not outlined in the initial agreement accepted by visitors.
For example, let’s say you run a cooking blog. Subscribers willingly join your list to receive content from you. If you sell your website and the email list along with it, the new owner will need to reconfirm consent with all of the subscribers before emailing them, because they agreed to hear from you, not from the buyer.
If you are the unfortunate victim of a hack or breach that exposes personal data, the official regulation gives you 72 hours from the time you become aware of it to notify your supervisory authority (Article 33). If the breach is likely to put the affected people at high risk, for example exposed passwords or payment details, you must also tell those users directly without undue delay (Article 34). Keep a written record of what happened and what you did, even for breaches you decide are too minor to report.
If you are on a managed WordPress host, contact your host first. They will be able to assist you in containing the hack, preserving logs for your investigation, and restoring from a clean backup.
Finally, as an extra level of security, try using a tool that checks if your site is GDPR-compliant. While they aren’t guaranteed to be accurate, the process can nevertheless be useful.
Try one of the following tools:
Hopefully this guide helped you to make your site GDPR-compliant. While the long list of regulations can seem daunting, it is fairly simple to set up.
As a quick final summary, to be GDPR compliant, you’ll need to:
- Notify all users of cookies and get their consent
- Offer mechanisms that allow users to delete or export their data in a common format
- Only send emails to subscribers that have explicitly signed up
- Don’t use the data of a customer if they object to you doing so
- Keep your WordPress and plugins/themes updated
Are you having any difficulties understanding the GDPR requirements? Is there a particular aspect of the process that you need assistance with? Let us know in the comments and we’ll make a guide for it!