GDPR is coming… The enforcement date of May 25 2018 for the new European data protection law is only a few weeks away. WordPress Core and plugin developers have been looking at solutions for abiding by GDPR for WordPress sites.
Been living under a rock and don’t know what the GDPR is? Read my post Is Your Website GDPR Compliant? How to Get Ready for the General Data Protection Regulations to understand the fundamentals.
The WordPress Plugin Developers’ Handbook has recently been amended to say that plugins on WordPress.org can no longer guarantee legal compliance.
This doesn’t apply to commercial plugins, of course, but there really is no single tool that can make your website or business GDPR compliant. Anyone who claims so is misleading you! “Assists with GDPR compliance” is a better description.
What kind of WordPress GDPR tools might we want?
In line with individuals’ rights under GDPR:
- Tools to create a privacy policy page – right to be informed.
- Allow a user to submit a Subject Access Request – right of access.
- Allow a user to view, edit and export any personal data stored on a WordPress site – right of access, right of rectification, right to data portability.
- Allow a user to request deletion of their personal data – right to erasure.
- Allow personal data to be anonymised – an alternative form of erasure.
- Check that consent has been given when completing forms – if we are using consent as our legal basis for form data collection – right to be informed.
- Cookie management tools – right to be informed.
A look at WordPress GDPR plugins (all free from WordPress.org)
GDPR by Trew Knowledge
Download: GDPR by Trew Knowledge
Version tested: 1.3.3
Active installs: over 1,000
What does it do?
The plugin description says: This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
It forces you to select a privacy policy page when it is activated. It doesn’t give you any guidance on writing one, though. You’ll have to do that for yourself.
Any time a new user registers and logs in for the first time, they’ll be asked to consent to your privacy policy. That consent is logged in a cookie. If they don’t consent, they won’t be logged in. If your privacy statement changes, they’ll be asked for consent again. If they use another browser to log in, they’ll also be asked again. I could see this getting frustrating!
The telemetry tracker checks for requests from WordPress Core, plugins or themes which can request data from your site without your specific knowledge, e.g. when WordPress checks for updates. The Telemetry page shows:
- what file requested the data
- when
- what data was requested (upon clicking a button)
Most likely, the data requests won’t be asking for anything they shouldn’t, but it’s good to be able to check.
Here’s the kind of info collected by a plugin update check. I’ve separated out the lines to make it more readable:
"plugins":{"blog-designer/blog-designer.php":
{
"WC requires at least":"",
"WC tested up to":"",
"Woo":"",
"Name":"Blog Designer",
"PluginURI":"https://wordpress.org/plugins/blog-designer/",
"Version":"1.8.8",
"Description":"To make your blog design more pretty, attractive and colorful.",
"Author":"Solwin Infotech",
"AuthorURI":"https://www.solwininfotech.com/",
"TextDomain":"blog-designer",
"DomainPath":"/languages/",
"Network":false,
"Title":"Blog Designer",
"AuthorName":"Solwin Infotech"
},
You can list your website cookies by name and nature, and notify users with a cookie bar on the site. Depending on your setup, users may be able to express their consent preferences for each type of cookies used. (Cookie compliance is a complex subject; I’ve now blogged about cookie consent messages in more depth.)
You can search users for their data via their email address, and export their data as XML or CSV.
If you’re unlucky enough to have a data breach on your site, there’s a template for reporting data breaches to all affected users. Breach notification emails are sent out in batches of 100.
A secure Audit Log (GDPR > Tools > Audit Log) lets you search by the email address of any user and see what actions they have performed on the site. This log and the data breach notification would be especially useful for multi-user sites.
What’s not quite there yet?
The documentation is fairly sparse at the current time.
Some of the plugin’s features need developer knowledge to implement, e.g. restricting website cookies before consent is obtained.
WP GDPR by AppSaloon
Version tested: 1.5.3
Active installs: over 2,000
What does it do?
This plugin focuses on users’ rights to view, correct, download and erase their submitted personal data.
WP GDPR adds a checkbox to your comment forms so that users have to affirm that they’ve read your privacy policy before they submit a comment.
Subject access requests can be made from a page on your website. There is a consent box for submitting a request.
Anyone can request their data, not just those who have a website user account.
In practice, this means visitors can access their comments.
The website admin can see all the SARs created.
Making a request sends an email to the requester’s email address. To verify their identity, the user has to click on a button in the email within 48 hours of the request.
Then they can view any of their comments left on the site. They also have the option to:
- Change the email address
- Change the name
- Send a request to delete their comment(s)
- Export comments as CSV
The site owner can act on a delete request either by deleting the data or by anonymising it instead.
What about personal data collected by plugins? Well, there is the option to let visitors request data stored by some plugins, but as they’re considered “add-ons”, you need to pay for the privilege.
WP GDPR add-ons are priced from €20/year.
Supported add-ons are:
- Gravity Forms
- WooCommerce
- Contact Form 7
- Formidable Forms – coming soon
- MailChimp – coming soon
What’s not quite there yet?
The number of add-ons is small, but growing.
The fact that you have to pay for extras might annoy some people. The basic plugin is best suited to a blog with no contact form.
WP GDPR Compliance by Van Ons
Download: WP GDPR Compliance by Van Ons
Version tested: 1.2.4
Active installs: Over 10,000
What does it do?
This plugin simply adds consent checkboxes to various forms on your website:
- Contact Form 7
- Gravity Forms
- WooCommerce
- WordPress Comments
Your visitors won’t be able to submit any forms where the checkbox is left unchecked. You can enable the checkbox on a form-by-form basis.
You may customize the checkbox labels and error messages. This includes adding HTML, so you could leave a link to your privacy policy. An example is below – the links are not clear due to the theme!
What’s not quite there yet?
This plugin is very basic and only covers gaining consent for data collection. That’s it.
The GDPR Framework by Codelight
Download: The GDPR Framework by Codelight
Version tested: 1.0.5
Active installs: Over 1,000
On activation of the plugin, you can start a wizard to take you through the required steps.
I like the site owners’ guide to GDPR compliance from the plugin team.
You will be asked to create or designate the following pages:
- Privacy tools – where you give your users tools to control their data. The page has to contain the shortcode [gdpr_privacy_tools].
- Privacy policy – where you tell your users how you capture and use their data. There is a template for creating a page. If you use it, make sure that you customize it!
- Terms and Conditions (optional)
There’s the option to add links to your privacy policy and privacy tools pages to your website footer too.
Users get options to view and export their data. Data can be exported in HTML or JSON format.
Users can also ask to be forgotten. Beware the option to automatically delete or anonymise a user: there’s no chance for the site admin to review it. The safe option to pick is “Only notify me by email”.
Site administrators can’t be deleted.
When a user is anonymised, their user id remains and they are marked as [anonymous]. One thing I noticed was that if they have a WooCommerce account, their customer data is not anonymised, and is retained. Presumably, this is because transaction data needs to be kept by law.
What’s not quite there yet?
This plugin does what it does pretty well. I’m just not keen on the delete options – they seem a bit too easy.
Under the right to be forgotten a data subject can ask the data controller for their data to be erased. But the data controller may still refuse if there is a public interest.
But wait… what is WordPress Core doing?
GDPR has been a hot topic within the WordPress community, with a GDPR compliance group working on WordPress Core.
I’ve taken my DeLorean up to 88 mph and gone into the future of WordPress. Version 4.9.6 is currently in beta. Due for release around 15 May, it includes new privacy – i.e. GDPR-related – features.
In Settings > Privacy there is an option to set or create your privacy policy page. The generated policy text is an excellent starting point and includes content contributed by the plugins you have installed.
A logged in user can request a copy of their user profile from Tools > Export Personal Data. They will then get an email which has to be confirmed by clicking a link.
Once that’s done, a site admin can generate a zip file and email it to the subject. The zip opens to an HTML file, as seen below.
Tools > Remove Personal Data (which may end up named Erase Personal Data) works like the export process, except that the admin can then delete the user’s data.
There isn’t yet the opportunity for visitors who don’t log in to make a Subject Access Request, e.g. to ask for comment or contact form data.
Further GDPR work in Core
There’s plenty of discussion on GDPR. Some ideas for the future include:
- Allowing users to request anonymization of their data – subject to admin approval.
- Giving plugins the capability to export or erase data.
- Adding a consent box to save name, email and website in a cookie for future comments.
- Anonymizing a commenter’s IP address once a comment is no longer pending.
- An option for site owners to deactivate Gravatars.
- Disallowing embeds on sites (these may collect IP addresses or set cookies).
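Here is how a plugin would feed its own data into the Core export and erase flow described above, as an added example that is not from the post or any plugin reviewed in it. It assumes the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters that 4.9.6 introduced; the quote-request plugin, its table and the qr_ functions are hypothetical.

```php
<?php
// Added example, not code from the post or any plugin it reviews. A hypothetical
// "quote request" form plugin (custom table {$wpdb->prefix}quote_requests with columns
// id, email, name, message, created_at) hooks into Core's export and erase requests.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['quote-requests'] = array( 'exporter_friendly_name' => 'Quote request form', 'callback' => 'qr_export_personal_data' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['quote-requests'] = array( 'eraser_friendly_name' => 'Quote request form', 'callback' => 'qr_erase_personal_data' );
    return $erasers;
} );
// Core calls this with page 1, 2, ... until 'done' is true, so large result sets are paged.
function qr_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $limit = 100;
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, created_at FROM {$wpdb->prefix}quote_requests WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $limit, ( $page - 1 ) * $limit
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'quote-requests',
            'group_label' => 'Quote requests',
            'item_id'     => 'quote-request-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row->name ),
                array( 'name' => 'Message',   'value' => $row->message ),
                array( 'name' => 'Submitted', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $limit );
}
// Anonymise rather than delete: the quote may be needed for a contract, so identifying
// fields are blanked, the request itself is retained, and the admin is told why.
function qr_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $updated = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}quote_requests SET email = %s, name = %s WHERE email = %s",
        'anonymised@example.invalid', '[anonymous]', $email_address
    ) );
    return array(
        'items_removed'  => $updated > 0,
        'items_retained' => $updated > 0,
        'messages'       => $updated > 0 ? array( 'Quote requests anonymised; message text retained for contract records.' ) : array(),
        'done'           => true,
    );
}
```

The messages array is what the admin sees on the Erase Personal Data screen when items are retained, which is where the retention-for-contract reasoning discussed later in the post surfaces to the person handling the request.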
My thoughts on making WordPress GDPR compliant
One critique I have of most of the GDPR plugins I looked at is the focus on consent for personal data gathering. (The exception is The GDPR Framework.) Consent is not the only legal basis for doing so, nor may it be the most appropriate in every case.
Contract or legitimate interest are other legal bases which business owners might wish to consider. For example, a submission from a “request a quote” form could be seen as data necessary for the performance of a contract.
Now that I’ve seen what’s going into WordPress Core, it’s clear that some of the plugins’ options will become redundant.
It would be great to see the plugin developers work with the Core GDPR compliance team to agree on what GDPR tools go in Core, and what is best handled by plugins. I’d also like to see plugin options that can be turned on or off one by one, in case they later become a Core option.
To sum up
- Privacy features are coming to WordPress very soon.
- The GDPR compliance team are working on further refinements.
- Plugins may fill in some of the gaps, depending on your site needs. At this time, rather than installing more plugins, a “wait and see” approach may be best. This area is very much in flux at the moment.
- No plugin can guarantee GDPR compliance, because every WordPress site is different and has its own reasons for collecting and processing personal data.
What data protection and access mechanisms would you like to see within WordPress? What steps will you be taking to make your install of WordPress GDPR compliant?
Thanks Claire
Really interesting & informative as usual
I think the whole world has gone GDPR bonkers personally!
When I first wrote a website I never considered the cookies… are they inherent in all WordPress sites? Could they be configured not to collect data?
Hi Susie, and thanks.
Yes, all WordPress sites set some cookies. When you log into your site cookies are set to remember you. This type of cookie is essential for the site to function, and shouldn’t be disabled.
The sticky point comes with cookies set by plugins or scripts such as Google Analytics or some social sharing buttons. These are useful for the site owner, but nonessential for the user, who should be notified that they’re being set – ideally before they start browsing your site.
I’ve seen some solutions which stop cookies being set until user consent is given, but they’re quite technical to configure. I’ve decided to wait for further guidance from the ICO on cookies. It may turn out that users configuring their browser settings is enough from the compliance point of view.
Great article Claire, love the way you summarise and make it simple for non-techie folk to understand. Thanks for sharing this.
Thanks, Shelley – I hope I covered most of it. There were several other screenshots I could have added!
What a wonderfully comprehensive study Claire. Well worth reading.
However, which ones of the plugins above would you recommend? I have been puzzling about GDPR and commenters, and also contact form usage, so would the middle option (WP GDPR Compliance by Van Ons) be the best option?
I am very keen to comply with GDPR but at the same time reduce the amount of aggravation for my readers and site users.
I’m going to leave it to you to decide which plugin(s) to use. My personal feeling is that I need to wait and see how WordPress Core’s privacy features develop. I think they’ll be bound to address comments. (If you use an alternative comment system like Disqus that’s a matter to ask them.)
Also, Claire, I note the extremely useful check boxes under the Post Comment button. Which plugin created these, and do these comply with GDPR?
Those checkboxes are from Jetpack’s Subscription module. The privacy information showing the info collected is here: Jetpack Subscriptions privacy information. I’ll have to add this to my privacy policy! 🙂
Good and informative article.
Great article, Claire!
Could you update it with the final GDPR settings in WordPress 4.9.x and 5.x?
Can you suggest any new plugin to manage both the cookie law and the GDPR requests?
Thank you.
Good point, Gabriele.
I’m hoping to overhaul my blog over the holiday period so that would be a good time for a post update.
I haven’t come across one plugin that handles both GDPR and cookie compliance. Have a look at https://wordpress.org/plugins/tags/gdpr/ though and you might spot one!
Nice post! You can also try this plugin for cookies https://theluckywp.com/product/cookie-notice-gdpr/
Not come across that one, Alex, thanks.
Nice post.
The largest change to date in data privacy regulation law is the GDPR. WP GDPR compliance requires that you, as a website owner, take care of all PII (Personally Identifiable Information) in order to support compliance with citizens’ rights. You can try this plugin: https://www.gdpr-system.eu/gdpr-tool-1/
Nice post! You can also try this plugin for cookies: https://www.webtoffee.com/product/gdpr-cookie-consent/