How to make your WordPress site GDPR compliant


GDPR is the EU privacy protection legislation that came into force on May 25, 2018.

A couple of weeks before that date there was a rush of panic from many of our customers, asking us for help to implement GDPR on their WordPress blogs.

I promised I would write an article about GDPR, but I did not get to it until now, almost a year later. That’s because I waited to see what tools would emerge to facilitate the implementation. Then I documented the process and implemented it on my websites.

First of all, GDPR is nothing to panic about.

It’s a common sense law that wants to make site owners accountable for the personal data they collect from site visitors.

The personal data belongs to these people, and we, as site owners, cannot do whatever we want with it. We need their acceptance to collect and process the data in a certain way.

I have a simple blog, why should I be compliant with GDPR?

That was the most asked question from our customers, who are mostly small and medium independent publishers.

You have to be compliant because you save personal data without knowing it.

If you embed a video from Youtube or have Facebook share buttons on your site, cookies are saved in the visitor’s browser.

These cookies are considered personal data because they can identify a person. They can track the visitor from one site to another, or create demographic profiles, etc.

The problem is that sometimes your website saves that personal data even though it is entirely unnecessary: you do not use the data yourself.

Ok, what do I do to comply with GDPR?

Well, you must demonstrate that you understand and respect the rights of individuals whose personal data you save and process.

At the same time, you should actually respect those rights, not just write in your privacy policy that you respect it.

If a person solicits the removal of their data or unsubscribes from your newsletter, you must respect the person’s request.

As I said above, these are common sense things. If you respect site visitors and customers whose personal data you collect, you are already on the right track.

The easiest way to implement GDPR on your WordPress site is to use an external solution, a specialized service such as:

This easy option is not free. But there is no way to be compliant with GDPR without paying – you either pay with money, or you pay with time and effort.

Implementation is pretty complicated: it involves configuration, sometimes even programming, and also legal counseling from a specialized lawyer.

How I made my WordPress site GDPR compliant

Below I will tell you how I implemented GDPR on my WordPress websites. I must mention that I am not a legal counselor, and this tutorial does not equal legal advice.

To be compliant with GDPR, we need the following:

  • a privacy policy page
  • cookie information (it may be included in the privacy policy)
  • explicit consent to data collection (cookie banner notice)
  • the possibility to withdraw consent
  • tools for exercising rights (data export, data deletion)

Tools for exercising rights are integrated in WordPress since version 4.9.6. You can export or delete personal data if you are asked to do so. We have placed contact information in our privacy policy so that anyone who wants to exercise these rights can contact us.

The privacy policy

The privacy policy should contain the following information:

  • the contact information of the site owner
  • the contact information of the national data protection authority
  • the data you collect
  • how you use the data
  • who has access to data
  • how do you secure the data
  • cookie information
  • what are the rights of the people whose data you collect
  • how can they exercise their rights

A privacy policy model is found in the WordPress administration interface. Go to Settings > Privacy, and then click the “Check out our guide” link.


I have used a privacy policy model generated by the GDPR Framework plugin that I modified with the relevant information for each of my sites.

Once you’ve created the policy page, you need to add it to a navigation menu, usually in the footer of the site.

What data we collect, and what we use it for

As part of the privacy policy, it is also important to state which personal data you collect, so first we need to know what personal information we actually collect.

As mentioned above, sometimes we save data without knowing.

To identify what personal data we collect, you need to audit your site to understand how it works and how it stores data. Each website is different: it uses different themes and plugins and has its own implementation.

On a simple blog, you collect data through:

  • the WordPress comment form
  • cookies placed by plugins

The data collected by the comment form is the commenter’s name, email address and website, as well as their IP address and user agent. This data is used to fight spam.

WordPress’s default cookies are the ones set by the comment form (name, email, website). To be compliant with GDPR, a checkbox was added in version 4.9.6 that lets the commenter choose whether these cookies are saved in their browser.


Data for online stores

If you have an online store, you also collect data through the order form of the products/services on the site. You may use these data only for processing the order: billing, delivery, etc.

Other sites can collect data via marketing plugins, contact forms, or newsletter subscription forms. People need to know what you do with the data you collect. You cannot send a newsletter to those who have not explicitly subscribed to that newsletter.

A trick that some shops were using was to put a pre-checked box on the checkout page, so that the customer was automatically subscribed to the newsletter. This is no longer legal. You can still have the box if you want it, but it cannot be pre-checked: the visitor must check it themselves if they want to subscribe to the newsletter.

Various WordPress plugins can collect other data (cookies): social media buttons, tracking codes like Google Analytics or embeds from other sites (Youtube videos, for example).

All this needs to be identified, and once we have determined what data we collect and how we collect them, we need to decide if we actually need them or not.

Identifying cookies

The easy way to identify what cookies your site saves is to use a free trial from one of the services listed above (OneTrust, for example). They will scan all the pages of your site, list all cookies and categorize them.

The manual method

The hard method is to identify cookies manually.

If you use the Google Chrome browser, delete cookies and cache from the browser, then navigate to your website, right click on the page, then click Inspect, go to the Application section, then click Storage and then Cookies (in Safari it’s Inspect Element > Storage > Cookies).

You have to check all the pages of the site to identify cookies, which is hard to do by hand.

Some pages are similar so it would be worth checking out:

  • first page
  • archives (categories, tags, search, etc.)
  • single post page
  • pages that have embeds from other sites
  • newsletter subscription page
  • contact form page
  • pages with other forms or stuff that saves data (survey etc.)

As you can see, it’s hard to check manually, so it is best to use a specialized service which automatically scans all pages of the site.

The automatic method

Once identified, cookies should be broken down into categories:

  • essential (website cannot work without)
  • statistics (Google Analytics, for example)
  • social media (Facebook, Youtube, etc.)
  • advertising (retargeting, remarketing, etc.)

According to GDPR, when visitors enter the site, they must be told that you are saving cookies, you must let them know what cookies you save, and they have to give you consent to save these cookies.

It is not ok to set all cookies as essential and to have just an acceptance button; cookies must be accepted or refused for each category.

At the same time, you must also have a cookie settings page from where the visitor can withdraw his acceptance if he has given it to you in the past or to accept if he has declined in the past and now has changed his mind.

If a visitor refused the social media cookie category, for example, when visiting the site, social media scripts should be blocked.

Complicated, right?

Yeah, I didn’t find a WordPress plugin that does everything automatically.

Plugins I’ve tested

The plugins I’ve tested are:

At the time of my testing, none of them seemed complete; they needed additional implementations, some quite complex for an average user.

That’s why I recommend specialized external solutions, especially for sites that need to save cookies. I’m talking about sites that perform retargeting, remarketing, conversion rate optimization, etc.

But most websites don’t need to save all those cookies and would work just fine without them.

According to the GDPR law, if we do not collect cookies that are considered personal data, then it is not mandatory to ask for the visitor’s consent to save cookies.

So, if we only save essential cookies, we are not required to display that cookie banner notice, and we also get rid of the complex implementations of blocking scripts and cookie settings.

I find it absurd to ruin your site design and user experience by displaying a pop-up asking visitors to give you permission to save cookies that you don’t even need or use.

So let’s remove non-essential cookies, this is precisely in the spirit of the law, i.e., not to save personal data unless we have a legitimate reason to.

I have already identified the cookies on my website, and the problematic ones (personal data) are:

  • Google Analytics cookies
  • share button cookies (Facebook)
  • Youtube cookies

How to get rid of Google Analytics cookies

I don’t use demographics or remarketing in Google Analytics / Adsense / Adwords, so I don’t need them.

Basically, you have to do 4 things in your Google Analytics account:

  • accept the data processing amendment
  • disable data sharing
  • disable data collection for advertising features
  • disable user-ID

This is the tutorial I followed for setting up all the above. It is written by the developer of the CAOS plugin.

After that, the final step is to anonymize visitor IPs.

I ditched the Google Analytics plugin that I used, manually pasted the tracking code into the site and added the following line to it:

ga('set', 'anonymizeIp', true);

If you do not feel comfortable working with code, another option is to use the Google Analytics plugin called CAOS – it has an Anonymize IP checkmark in the settings.

Okay, we’ve got rid of the Google Analytics cookies that are personal data; Google Analytics will work just fine without them.

How to get rid of Facebook cookies

Bill Erickson & Jared Atchinson have made a share button plugin that is compliant with GDPR, meaning it does not save cookies, tracking scripts, absolutely nothing that is personal data.

The plugin is called Shared Counts.

I’ve replaced the share button plugin with this GDPR-compliant plugin, and so I’ve removed the Facebook cookies.

How to get rid of Youtube cookies

I have embedded videos on some pages on the site, and fortunately, there are not many so I can change them manually. If you have more, you can search & replace with a WordPress plugin or directly in the database.

I’ve replaced the youtube.com URL in the embed code with the youtube-nocookie.com URL.
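As an added example (not code from the article), the following Python script covers two of the steps above: the audit in “Identifying cookies” (which third-party scripts and embeds a page loads, mapped to the article’s cookie categories) and the youtube.com to youtube-nocookie.com replacement for embeds. The host-to-category table and the sample page are constructed here; the rewrite deliberately touches only iframe embeds, not plain links to YouTube in the post text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical host -> cookie category map using the article's categories;
# None marks a host known not to set tracking cookies (nothing to flag).
CATEGORIES = {
    "google-analytics.com": "statistics",
    "facebook.net": "social media",
    "youtube.com": "social media",
    "youtube-nocookie.com": None,
}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (category, host) for each external script/iframe

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        host = urlparse(dict(attrs).get("src") or "").hostname
        if not host or host == self.site_host:
            return  # relative or first-party source, not a third-party cookie source
        for domain, category in CATEGORIES.items():
            if host == domain or host.endswith("." + domain):
                if category:
                    self.findings.append((category, host))
                break
        else:
            self.findings.append(("unknown third party", host))

def audit(html, site_host):
    parser = ThirdPartyAudit(site_host)
    parser.feed(html)
    return parser.findings  # document order

# Rewrite only inside <iframe src="...">; plain youtube.com links set no cookies, so leave them.
YT_EMBED = re.compile(r'(<iframe\b[^>]*\bsrc=["\'](?:https?:)?//(?:www\.)?)youtube\.com(/embed/)', re.I)

def use_nocookie(html):
    return YT_EMBED.sub(r"\1youtube-nocookie.com\2", html)

# Constructed sample page: GA script, theme script, YouTube embed, plain link, FB SDK.
SAMPLE = """<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/wp-content/themes/demo/app.js"></script>
<iframe src="https://www.youtube.com/embed/abc123?rel=0"></iframe>
<a href="https://www.youtube.com/watch?v=abc123">watch on YouTube</a>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>"""
```

Running audit on every page type from the checklist (front page, archives, single posts, pages with forms) gives a quick inventory to compare against what the cookie scan of a paid service reports; after use_nocookie the YouTube embed drops out of the findings.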

That’s it.

I’ve identified what cookies are saved and eliminated those that I did not need, leaving only those strictly necessary, for which I don’t need to get visitor consent because they aren’t considered personal data.

This has eliminated the need to have a cookie banner notice on my website.

Keep in mind, what I did above was specifically for my websites; you may have other cookies on your website, each site is different.

Other considerations

I’ve tried to make this GDPR tutorial as easy as possible, but it’s a very complicated matter.

What I have described in this article generally fits most simple websites like my blog or my business site. For shops or other online businesses, it’s not enough just to implement some things on the site; you also need some administrative measures.

For example, we have done the following:

  • we appointed a DPO (data protection officer)
  • we requested a DPA (data processing agreement) from all partners where we store data
  • we are drafting a DPA that we can offer to our clients
  • we’ve done training for our employees on data protection

I hope this has helped you make your WordPress website GDPR compliant. If I missed something, feel free to leave a comment; I’ll try to answer questions or direct you to the relevant resources.
