The GDPR (General Data Protection Regulation) became enforceable on May 25, 2018, and with it come new rules that most websites must follow, even if they are not focused on the EU. So if you haven't prepared your website yet, here is our quick guide on how to make your WordPress site GDPR compliant in 5 steps.

We'll cover the key points to help you move quickly toward compliance. Why the rush? By choosing not to comply, your company could face fines of up to 4% of its annual global turnover or 20 million euros, whichever is higher (ouch!). Even though the upper end of that range is aimed at giants like Amazon and Facebook, we always recommend following the rules. So here is how you can make your WordPress site GDPR compliant ASAP.

IMPORTANT: We are not lawyers; we simply share information about GDPR compliance and some of the steps we took when updating our own website. Following the steps below does not guarantee that you are fully compliant with the GDPR requirements. Consult a GDPR attorney or consultant to make sure your website is compliant.

Table of Contents

  1. Update to WordPress 4.9.6 (or higher)
  2. Update your privacy policy
  3. Add a cookie notice
  4. Make it easy for users to request / delete their information
  5. Notifications of policy updates or data breaches

Step 1: Update to WordPress 4.9.6 (or higher)

This is the easy step, as WordPress 4.9.6 added a set of privacy tools to WordPress core. By simply updating your main WordPress installation (which you should already be doing) you are setting yourself up for successful GDPR compliance. There is a full list of privacy features WordPress added in this update, but when it comes to GDPR compliance, here are the key ones to check out.

Cookie opt-in for comments


By default, WordPress stores a cookie so that users do not have to retype their name, email and website when they leave another comment on your site. WordPress now adds an opt-in checkbox for that cookie to the comment form automatically; you don't have to do anything except perhaps style it if you don't like the way it looks (note: you won't see it on the R Marketing Digital blog because we don't think it is necessary to store that information in the visitor's browser, so we disabled the cookie entirely).

Export and erase personal data


In Tools there are two new items: Export Personal Data and Erase Personal Data. If your site collects user information (subscriber accounts, customer profiles, etc.), you can export everything WordPress holds for a given email address, or erase it, on request. Both tools work from an email address: WordPress sends a confirmation email so the person can verify the request before you act on it. One caveat: core only knows about the data it stores itself (user profiles, comments, media). Data that a plugin or theme keeps in its own tables is only included if that plugin registers its own exporter and eraser with WordPress, so check what your plugins do before relying on these tools.
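Here is what that registration looks like, as an added example that is not from the original article or from WordPress core. It assumes a hypothetical custom table `{$wpdb->prefix}newsletter_signups` (columns id, email, signed_up_at, ip_address, consent_text) that the export and erase tools would otherwise never see; the filter names and callback return shapes are WordPress's own, the table and function names are made up for the example.

```php
<?php
/**
 * Plugin Name: Newsletter Signups Privacy Hooks (example)
 *
 * Added example, not from the original article or from WordPress core.
 * Assumes a hypothetical custom table {$wpdb->prefix}newsletter_signups
 * with columns id, email, signed_up_at, ip_address, consent_text.
 */

// Register an exporter so Tools > Export Personal Data includes our table.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter-signups'] = array(
        'exporter_friendly_name' => 'Newsletter signups (example)',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

// Register an eraser so Tools > Erase Personal Data removes it too.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter-signups'] = array(
        'eraser_friendly_name' => 'Newsletter signups (example)',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

/**
 * Exporter callback. Core calls it repeatedly with an increasing $page
 * until 'done' is true, so large tables are paged rather than loaded at once.
 */
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'newsletter_signups'; // hypothetical table

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, signed_up_at, ip_address, consent_text FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'newsletter-signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',        'value' => $row->email ),
                array( 'name' => 'Signed up at', 'value' => $row->signed_up_at ),
                array( 'name' => 'IP address',   'value' => $row->ip_address ),
                array( 'name' => 'Consent text', 'value' => $row->consent_text ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // no more pages to fetch
    );
}

/**
 * Eraser callback. Deletes rows outright. If your retention rules require
 * keeping a record (e.g. proof that consent was given), anonymise the row
 * instead and report 'items_retained' => true with a message explaining why.
 */
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups'; // hypothetical table

    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Drop the file into wp-content/plugins and activate it; the exporter and eraser then appear in the per-request progress list when you run a request from Tools. Keying everything on the email address (rather than a user ID) matters because newsletter signups and guest customers often have no WordPress account at all.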

Privacy policy generator


If you log into WordPress and go to Settings > Privacy you can select your current privacy policy page if you have one, or click Create New Page to generate a draft policy for your site.


If you use the generated policy, it already includes the privacy information and disclosures associated with WordPress core. It also adds headings for the other information you need to supply for GDPR compliance (contact forms, analytics, contact information, data protection, breach disclosure, etc.).

Step 2: Update your privacy policy

Using the auto-generated policy is a good start, but depending on the services and plugins you use, you will need to update it to disclose all cookies set and all data collected on your website.

Cookies collected

Here are some of the most common sources of cookies:

  • Google Analytics and other tracking services
  • Google Adwords, Bing and other ad networks
  • Cloudflare and CDN services
  • Optins or pop-ups
  • Push notifications
  • Video players
  • Heat maps
  • Shopping carts

To find out which cookies your website is using (if you don't already know), open a browser and delete your cookies (for example Firefox > History > Clear Recent History, select "Everything" and tick the cookies option; or Chrome > Settings > Clear browsing data, select "All time" and tick "Cookies and other site data"). With the cookies cleared, visit your website's homepage and blog, then right-click and choose Inspect to open the developer tools. In Chrome, select the Application tab (in Firefox it is the Storage tab) and click Cookies in the left-hand panel. From there you can click on your website URL and see all the cookies that are being set. Check the other domains listed under Cookies too: those are third-party cookies set by embedded services (analytics, ad networks, video players), and they need to be disclosed as well. All of these should be listed in your privacy policy.
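For a site with more than a handful of cookies, it helps to script the inventory. The following is an added example, not code from the original article: a small PHP command-line script that parses Set-Cookie response headers into the table a privacy policy needs (name, domain, session or persistent, lifetime) and flags the attributes a security reviewer would ask about. The headers in it are constructed sample data (names loosely modelled on cookies WordPress and Cloudflare set, plus an invented third-party cookie), not captured from a real site; the site host and dates are assumptions.

```php
<?php
/**
 * cookie-inventory.php - added example, not from the original article.
 * Parses Set-Cookie headers into a privacy-policy style inventory and
 * flags security-relevant attributes. Run with: php cookie-inventory.php
 *
 * Only cookies set by HTTP response headers are seen here. Cookies that
 * JavaScript sets (Google Analytics, heat maps, most ad tags) will NOT
 * appear; use the browser's developer tools for those.
 */

function parse_set_cookie( string $header ): array {
    $parts = array_map( 'trim', explode( ';', $header ) );
    [ $name, $value ] = array_pad( explode( '=', array_shift( $parts ), 2 ), 2, '' );

    $cookie = [
        'name'      => $name,
        'value_len' => strlen( $value ), // keep the length only; never copy values into a policy
        'domain'    => null,
        'path'      => '/',
        'expires'   => null,             // null means a session cookie
        'max_age'   => null,
        'secure'    => false,
        'httponly'  => false,
        'samesite'  => null,
    ];

    foreach ( $parts as $attr ) {
        [ $k, $v ] = array_pad( explode( '=', $attr, 2 ), 2, '' );
        switch ( strtolower( $k ) ) {
            case 'domain':   $cookie['domain']   = ltrim( $v, '.' ); break;
            case 'path':     $cookie['path']     = $v; break;
            case 'expires':  $cookie['expires']  = strtotime( $v ) ?: null; break;
            case 'max-age':  $cookie['max_age']  = (int) $v; break;
            case 'secure':   $cookie['secure']   = true; break;
            case 'httponly': $cookie['httponly'] = true; break;
            case 'samesite': $cookie['samesite'] = ucfirst( strtolower( $v ) ); break;
        }
    }
    return $cookie;
}

/** Lifetime in days; per RFC 6265, Max-Age takes precedence over Expires. */
function lifetime_days( array $c, int $now ): ?float {
    if ( $c['max_age'] !== null ) { return round( $c['max_age'] / 86400, 1 ); }
    if ( $c['expires'] !== null ) { return round( ( $c['expires'] - $now ) / 86400, 1 ); }
    return null;
}

function cookie_inventory( array $headers, string $site_host, int $now ): array {
    $rows = [];
    foreach ( $headers as $h ) {
        $c    = parse_set_cookie( $h );
        $days = lifetime_days( $c, $now );

        $warnings = [];
        if ( ! $c['secure'] )              { $warnings[] = 'no Secure flag'; }
        if ( ! $c['httponly'] )            { $warnings[] = 'readable by JavaScript'; }
        if ( $c['samesite'] === null )     { $warnings[] = 'no SameSite'; }
        if ( $c['domain'] !== null && $c['domain'] !== $site_host ) { $warnings[] = 'third-party domain'; }

        $rows[] = [
            'name'     => $c['name'],
            'domain'   => $c['domain'] ?? $site_host,
            'type'     => $days === null ? 'session' : 'persistent',
            'days'     => $days,
            'warnings' => $warnings,
        ];
    }
    return $rows;
}

// Constructed sample response headers (not captured from a real site).
$sample_headers = [
    'wordpress_test_cookie=WP%20Cookie%20check; path=/; secure; HttpOnly',
    'comment_author_abc123=Alice; expires=Thu, 23 May 2019 10:00:00 GMT; Max-Age=31536000; path=/; SameSite=Lax',
    '__cfduid=d1e2f3; expires=Thu, 23 May 2019 10:00:00 GMT; path=/; domain=.example.com; HttpOnly',
    'ads_session=xyz; domain=.ads.example.net; path=/; Secure',
];
$now = strtotime( '2018-05-23 10:00:00 GMT' ); // assumed "today" for the sample

foreach ( cookie_inventory( $sample_headers, 'example.com', $now ) as $r ) {
    printf( "%-25s %-17s %-10s %6s days  %s\n",
        $r['name'], $r['domain'], $r['type'], $r['days'] ?? '-', implode( ', ', $r['warnings'] ) );
}
```

To run it against a live site, replace `$sample_headers` with the `Set-Cookie` entries from `get_headers( 'https://your-site/', true )` (a single cookie comes back as a string, several as an array). The warnings are not GDPR items as such, but a cookie that is persistent, readable by JavaScript and shared with a third-party domain is exactly the kind a regulator will ask you to justify, so it is worth knowing about before you write the policy.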

As well as disclosing the cookies used on your website, you should also include a section on how users can disable or delete cookies in their browser. In our own policy we chose to link to the following browser guides:

Contact forms

Be sure to include a consent checkbox on your contact forms, if you have any. Fortunately, the popular contact form plugins have already been updated so that your forms can be made GDPR compliant. Here are some form plugins that are already GDPR ready.


If you are using Contact Form 7, you can simply add an acceptance checkbox to your forms. Add this before your submit button:

  [acceptance accept-this-1] Check here to consent to this website storing my information so they can respond. [/acceptance]

By default the form cannot be submitted until the acceptance box is ticked, which is what you want for consent; don't add the plugin's "optional" option to the tag unless you have a reason to.


The people at WPForms have added a GDPR agreement field that you can add to all your forms. First enable "GDPR Enhancements" in the WPForms settings, then edit your existing forms to insert the new "GDPR Agreement" checkbox. This way users confirm that they consent to sending you their information.

Once you have chosen a contact form plugin and added a consent checkbox, you will also need to add a section to your privacy policy about the information the form collects. This depends on the fields you include in your forms: name, email, address, age or anything else.

Newsletters

Just as with contact forms, you must confirm user consent for newsletters. This can be done with a checkbox the user must tick before subscribing, or by enabling double opt-in on your email list (if you haven't already done so).

If you use MailChimp, double opt-in is easy to enable. Log into your account, go to your lists and open the "Subscription Settings". From there, select the lists you'd like to switch to double opt-in and save. Easy!

With your consent confirmation method in place, add a section to your privacy policy explaining that you keep users' email addresses for your newsletter.

WooCommerce data

If you have a store, you will need to disclose how you are retaining customer data, for how long, and what you do with it.

First, use WooCommerce's built-in privacy features. After installing or updating the plugin, go to WooCommerce > Settings > Accounts & Privacy. Enable the options for personal data retention, erasure and privacy policy links.

Next, be sure to add the appropriate disclosures to your privacy policy. Consider sections on why your website collects personal data, how it is used (to improve the site for users, process transactions, run promotions, etc.), how you protect user information, and how payments are processed.

For more information on WooCommerce and GDPR, consult WooCommerce's own guide.

Note: This is by no means a complete list of disclosures; these are just a few common examples.

Step 3: Add a cookie notice

We recently wrote specifically about the EU cookie law and how to make your site comply with it. In short, you should disclose your use of cookies, and not just in your privacy policy: you must show a cookie disclosure and acceptance notice on the first page a visitor lands on. Luckily, there are plenty of plugins that can help. Here are a couple of popular options.

Cookie Notice, a free WordPress plugin by dFactory


The free Cookie Notice plugin is an easy way to add a simple cookie notification and opt-in to your website. The plugin includes settings for a custom message, a link to more information and a button to accept or refuse cookies. You can also set a cookie expiration (after which users will have to opt in again), choose where the script loads (header or footer), and apply simple styling with the included options (text colour, button style, position and animation).

WeePie Cookie Allow, a premium GDPR cookie consent WordPress plugin


Alternatively, you can try the premium WeePie Cookie Allow plugin. This more advanced cookie compliance plugin includes options for the cookie laws of the EU, UK, Netherlands, Italy and Germany. Choose a consent method (explicit, via a button, or implied by scrolling), a style (box or bar plus layout options) and add links to your privacy policy or site terms. The plugin is also multisite compatible and responsive. Note that consent implied by scrolling is generally not considered valid consent under the GDPR, so stick with the explicit button.

Step 4: Make it easy for users to request or delete their information

We mentioned earlier that WordPress 4.9.6 added easy options for managing user data, so if a user wants you to send them a copy of their information or delete it entirely, you can. But for them to make that request, you first need a contact form or page where they can get in touch.

Depending on your website, it might make sense to install a contact form plugin to streamline these requests. This is probably the better option if your website has a lot of users, such as an online forum or a membership site.


Some plugins, like Ninja Forms, already include data export and data removal request form templates (see our Ninja Forms GDPR write-up). Create your forms and then link to them from your privacy policy.

But if your website is a basic blog or business site with no user accounts other than your own, including a contact email address in your privacy policy should be sufficient.
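If you go the contact-form route, you can wire the form straight into the request queue from Step 1 instead of copying addresses into Tools by hand. The following is an added example, not code from the original article or from any of the plugins it mentions. It assumes a hypothetical Contact Form 7 form with ID 42 containing an email field named "your-email" and a radio field named "request-type" with the values "export" and "remove"; the hook, the submission API and the two WordPress functions it calls are real, the form ID and field names are made up.

```php
<?php
/**
 * Plugin Name: Privacy Request Form Bridge (example)
 *
 * Added example, not from the original article. Turns a Contact Form 7
 * submission into a WordPress 4.9.6+ personal data request, so it appears
 * under Tools > Export Personal Data / Erase Personal Data with the
 * confirmation email already sent.
 *
 * Assumptions (hypothetical, adjust to your own form):
 *   - the CF7 form has ID 42
 *   - it has fields "your-email" and "request-type" ("export" or "remove")
 */

define( 'EXAMPLE_PRIVACY_FORM_ID', 42 );

add_action( 'wpcf7_mail_sent', 'example_bridge_privacy_request' );

function example_bridge_privacy_request( $contact_form ) {
    if ( (int) $contact_form->id() !== EXAMPLE_PRIVACY_FORM_ID ) {
        return; // some other form; nothing to do
    }

    $submission = WPCF7_Submission::get_instance();
    if ( ! $submission ) {
        return;
    }
    $data = $submission->get_posted_data();

    $email = sanitize_email( $data['your-email'] ?? '' );
    $type  = $data['request-type'] ?? '';
    $type  = is_array( $type ) ? (string) reset( $type ) : (string) $type; // tolerate array-valued fields

    if ( ! is_email( $email ) ) {
        error_log( 'privacy request: invalid email address, ignoring submission' );
        return;
    }

    // Map the form value onto the two action names core understands.
    $actions = array(
        'export' => 'export_personal_data',
        'remove' => 'remove_personal_data',
    );
    if ( ! isset( $actions[ $type ] ) ) {
        error_log( 'privacy request: unknown request type ' . sanitize_text_field( $type ) );
        return;
    }

    // Queue the request. Core refuses a second request while one is still
    // pending for the same address, which also limits abuse of the form.
    $request_id = wp_create_user_request( $email, $actions[ $type ] );
    if ( is_wp_error( $request_id ) ) {
        error_log( 'privacy request: ' . $request_id->get_error_message() );
        return;
    }

    // Ask the address owner to confirm. The request stays "pending" until
    // they click the emailed link, so nobody can trigger an export or
    // erasure of someone else's data just by typing that address into the form.
    $sent = wp_send_user_request( $request_id );
    if ( is_wp_error( $sent ) ) {
        error_log( 'privacy request: ' . $sent->get_error_message() );
    }
}
```

The confirmation email is the important part: the form itself proves nothing about who submitted it, and the link in the email is what ties the request to the person who controls the mailbox. Only act on requests once they show as confirmed in Tools.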

Step 5: Notifications of policy updates or data breaches

The last part of the GDPR that really stands out as important is notification: of policy updates and of data breaches. This comes into play if you offer user accounts on your website, collect customer information or maintain a newsletter. For breaches, the GDPR sets the clock itself: the supervisory authority must be notified within 72 hours of you becoming aware of a breach, and the affected users without undue delay when the breach is likely to put them at high risk.

Now that you have updated your privacy policy to comply with the GDPR, it is a good time to notify users of the changes. If you use an email platform, send a quick privacy update notice.

Or, if you are using one of the GDPR compliance WordPress plugins, chances are it already has a notification system built in so you can communicate with your site's users. The best part is that some of these plugins let you automate policy update or data breach notifications, saving you some time.

Wrapping up

Just to reiterate, we are not lawyers. This guide on how to make your WordPress site GDPR compliant is simply a collection of tips from our own experience researching and preparing for the GDPR. Hopefully there are some helpful tips for you, but it is really just a starting point. We strongly recommend that you contact a GDPR consultant or attorney to ensure that your website is compliant, especially if you are in the EU or if EU residents account for a significant portion of your website's traffic.


Have more questions about making your WordPress site GDPR compliant? Leave a comment and we will do our best to help you. We will also update this guide as we learn more about the GDPR, so if you have any other tips or key points, please share them.