Since May 2018, there is no denying that every website owner or developer should take privacy into account when operating a WordPress website. While privacy legislation has been around for some time before 2018, the GDPR made us all realize that we should be aware of personal data and cookies used on WordPress websites.
Personal data, Cookies, and WordPress websites
When we are talking about the GDPR, we often mean both the GDPR and ePrivacy directive. For clarity in this article, we will address them separately.
The GDPR stands for General Data Protection Regulation and applies to anyone that processes, collects, or transfers personal data from citizens of the EEA (European Economic Area). The legislation was adopted in April 2016 and came into force in May 2018.
The ePrivacy Directive is also European legislation that provides us with further instructions on dealing with cookies. The ePrivacy Regulation is planned to repeal (replace) the current ePrivacy Directive. As the ePrivacy Regulation is still in draft and under debate within the EU council, local data protection authorities publish separate statements and interpretations. These statements will be effective legislation until the ePrivacy Regulation is adopted.
Complianz is developed to help WordPress users implement all GDPR and ePrivacy Directive requirements into their websites. Our legal team closely follows developments regarding privacy legislation in the EU (and outside the EU). Complianz implements the latest draft of the ePrivacy Regulation and statements from national privacy protection authorities such as the French CNIL.
We will summarize the general requirements for WordPress websites, divided into Cookies (ePrivacy) and Personal Data (GDPR).
Cookies and Consent
1. Inform your visitors about the way your site utilizes cookies.
2. Ask consent for non-functional cookies
Cookies are used for all kinds of purposes. The ePrivacy Directive tells us that we can store or access information on a user’s device without consent if the cookies are, for example, essential for the website’s functioning. As described above, the interpretation of these exceptions differs slightly between the draft of the ePrivacy Regulation and national rules such as the German DSGVO, or the positions taken in countries like Belgium or Spain. In those countries, for example, even anonymous statistics require consent. Non-functional cookies may not be set before the visitor has given consent.
Consent is usually asked through a cookie banner and must be specific, informed, explicit, and freely given.
Specific: Consent per purpose instead of ‘all or nothing’. The most commonly used categories are: strictly functional, preferences, statistics, and marketing.
Explicit: It is required that the visitor expresses consent through an explicit action. So consent through continued browsing or pre-checked checkboxes is not allowed.
Freely given: Cookie walls are not allowed, and the deny/functional-cookies-only option must be as accessible as the accept option. Hiding ‘deny’ behind a second layer is not allowed.
Complianz blocks scripts that place non-functional cookies and helps to configure a compliant cookie banner, to gather consent.
3. Allow visitors to revoke their consent
Even after a visitor has consented to cookies, it must be possible to opt out. You are not required to delete the cookies from the visitor’s browser, but your site may no longer access them. The revoke option should be prominent and easy to use.
4. Inform visitors of changes
If you start using new services and cookies on your site, you must ask consent for these new cookies as well. Consent should also be asked again after one year.
Complianz scans your site on a weekly basis to detect newly used cookies and plugins. The cookie banner will be shown again if significant changes are detected, or after a customizable period (1 year by default).
5. Make sure that you can prove your compliance
If one of your visitors would ever file a complaint, or if your site would be audited, you would need to prove your compliance at a certain point in time. It might seem a good idea to record IP addresses and consent status per visitor, but as IP addresses are considered personal data, this might not be a good idea in terms of the GDPR.
Complianz offers both Proof of Consent and Records of Consent. Both can be used to prove your compliance without storing personal information about your visitors. The difference is explained here.
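The five requirements above (inform, per-purpose consent through an explicit action, revocation, re-asking after changes or one year, and proof without personal data) map onto a small piece of browser logic. The following is an added illustration written for this article, not Complianz code; the storage key, the `policyVersion` tag, the `<script type="text/plain" data-category="…" data-src="…">` blocking convention and the one-year expiry are assumptions of this example. The consent model is kept DOM-free so it can be tested outside a browser; `activateInDom` is the optional browser hook.

```javascript
// Added example (not Complianz code): per-category consent with explicit
// action, revocation, re-prompting and an IP-free proof record.
const CATEGORIES = ["functional", "preferences", "statistics", "marketing"];
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;
const STORAGE_KEY = "consent_record"; // assumed key name

// `storage` is any object with string properties (localStorage works in a
// browser, a plain {} works in tests). `now` is injectable for expiry tests.
function createConsentManager(storage, policyVersion, now = () => Date.now()) {
  const read = () => (storage[STORAGE_KEY] ? JSON.parse(storage[STORAGE_KEY]) : null);
  const write = (status, categories) => {
    // Proof of consent without personal data: no IP address, no user id.
    // Timestamp + policy version + chosen categories is enough to show what
    // the visitor agreed to and which banner text they saw.
    const record = { status, categories, policyVersion, timestamp: now() };
    storage[STORAGE_KEY] = JSON.stringify(record);
    return record;
  };
  return {
    // Default is "no": until the visitor acts, only functional is allowed
    // (no pre-checked boxes, no consent-by-scrolling).
    allowed(category) {
      if (category === "functional") return true;
      const rec = read();
      return !!rec && rec.status === "granted" && rec.categories.includes(category);
    },
    // Called only from an explicit Accept/Deny/Save click. Unknown category
    // names are ignored; an empty choice is recorded as a deny so the banner
    // is not shown again on every page.
    decide(chosen) {
      const categories = chosen.filter((c) => CATEGORIES.includes(c) && c !== "functional");
      return write(categories.length ? "granted" : "denied", categories);
    },
    // Revocation: cookies already in the browser are not deleted, but the site
    // stops loading anything that would read or set them.
    revoke() {
      return write("revoked", []);
    },
    // Re-prompt when the set of services changed (policyVersion bumped) or
    // the stored decision is older than one year.
    needsBanner() {
      const rec = read();
      if (!rec) return true;
      if (rec.policyVersion !== policyVersion) return true;
      return now() - rec.timestamp > ONE_YEAR_MS;
    },
    proof() {
      return read();
    },
  };
}

// Script gating on plain data: each blocked script is {category, src}; only
// those in a consented category are returned for activation.
function scriptsToActivate(blockedScripts, manager) {
  return blockedScripts.filter((s) => manager.allowed(s.category));
}

// Browser hook: turn <script type="text/plain" data-category="statistics"
// data-src="https://example.invalid/stats.js"> into a real script once its
// category is allowed. Returns the number of scripts activated.
function activateInDom(manager, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let count = 0;
  for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))) {
    if (!manager.allowed(el.dataset.category)) continue;
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
    count += 1;
  }
  return count;
}

// Stand-alone demo with a plain-object store (constructed, not real traffic).
const demoStore = {};
const demoManager = createConsentManager(demoStore, "2024-01");
console.log("banner needed:", demoManager.needsBanner()); // true, nothing stored yet
demoManager.decide(["statistics"]);
console.log("proof record:", demoManager.proof());
console.log("marketing allowed:", demoManager.allowed("marketing")); // false
```

In a page, wire `decide` and `revoke` to the banner's buttons and call `activateInDom` right after a decision and on every page load; the banner is rendered whenever `needsBanner()` is true. Bumping `policyVersion` whenever a new plugin or service is added is what forces the renewed consent that point 4 asks for.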
Processing Personal Data
1. (Re)Design your processes in compliance with the GDPR
Unless you are just running a simple blog, the chances are that your dealings with personal data are not isolated to your WordPress website. For example, think about personal information entered in contact forms, which ends up in your inbox. The GDPR demands that we think about all processes in which personal data is involved. For most websites, it turns out that more personal data is processed than expected, as the definition of personal data is: “all data that could identify, or be used to identify a person”. This includes, for example, IP addresses, visitor location, or even device information.
When preparing your website (and organization) for GDPR compliance, the best way to start is to investigate:
- Which processes involve personal data (or site functionalities, such as contact forms, statistics tools, etc.)
- Which data is processed?
- Where is the data stored?
- For how long is the data retained?
- How well is the data secured?
- For which purposes and lawful basis is the data collected or processed?
2. Determine which external parties you share personal data with
Most of the time, collected personal data does not stay within your organization. Almost any website owner or organization works with external software or plugins which process or receive personal data. The GDPR determines two kinds of external parties:
Processors are external parties that receive or process personal data on your behalf. The processing of this personal data is usually required to deliver the services to your clients. You are required to sign a processing agreement with every processor with which you share personal information. The processing agreement describes which personal data is processed, for which purposes, which security measures should be taken, and what to do in the event of a data leak. The personal data stays under your supervision and responsibility. In cookiedatabase.org, these parties are called “second parties”.
Some common examples: CRM systems, Analytics tools, Email marketing tools, Google Analytics.
Third Parties are all other external parties that receive personal data but are usually not essential to your services, and with whom no processing agreement is signed. Also, you don’t know (for sure) what the third party will do with the personal data. Consent from the data subject is always required before personal data may be shared with third parties.
Typical examples: Social Media pixels, ad vendors.
Complianz Premium includes an easy-to-use wizard that guides you through the process of generating an unlimited amount of Processing Agreements.
3. Inform site visitors
Once you have investigated and redesigned all your processes where personal data is involved, the critical aspect is to be transparent and inform your visitors (users/clients). The GDPR requires you to draft a Privacy statement, in which you should include at least:
- Which data may be processed through your site?
- For which purposes is the data processed?
- Inform your visitors about their legal rights under the GDPR
- Which lawful basis applies to the processing?
- Clearly state your contact information. How can visitors contact you when they have privacy-related questions?
- If your organization processes a lot of personal information or is situated outside the EU, you might need to appoint a Data Protection Officer or GDPR-representative.
4. Ask for consent
If consent is one of the lawful bases that applies to your processing, a consent checkbox is usually used to register consent. For websites, contact forms deserve some additional attention. A consent checkbox is not necessarily needed below a contact form, as long as the form clearly describes the sole purpose for which the personal data is gathered, and the data is required to perform the requested service.
Complianz Premium includes an easy-to-use wizard that guides you through the process of generating a Privacy Statement, and (if needed) helps to configure consent checkboxes for contact forms.