WordPress 4.9.6 includes four new tools for GDPR compliance, and it provides a way to retrieve, edit, and export the personal data your site collects.
UPDATE 5/18/18: WordPress 4.9.6 has been released and is safe to update to.
Be sure to see the big GDPR Guide – Special Edition of Tips Tuesday
4 New GDPR Tools
The WordPress devs have added four major tools to the core code in an effort to help sites become GDPR compliant.
The new tools are:
- A Privacy Policy page, pre-filled with suggested text based on your theme and plugins.
- Ways for site admins to list and export the data collected on a person.
- An opt-in checkbox on the comment form to obtain consent to retain commenter data.
- A method for visitors to request the data held on them and have it erased.
About the New Privacy and Personal Data Tools
When you update to WP 4.9.6, you will see a new pop-up notice about Privacy and Personal Data collection.
The Privacy Settings are a sub-link under the main Settings tab.
There are also links (highlighted in the red boxes in the screenshot above) to Edit or View your page, and a link to a guide with recommendations for what should be in your page.
You will be able to edit the page WordPress creates, just like any other page.
And I suggest you do, just as they also advise in the text at the top of this admin page.
It is YOUR responsibility to ensure your policies state all of the tracking and info collecting you do on your site.
NOTE: The text sections created for you come from WordPress core and from whichever of YOUR installed plugins and theme register suggested privacy text. They will be different for every site depending on how it collects data.
NOTE: You MUST edit this page for your site privacy needs!
It will have a URL slug of /privacy-policy.
Tip: WordPress will not let two pages share the same slug, so if you already had a page at /privacy-policy the new one will have -2 on the end. To give the new page the clean slug, you would need to either:
- edit the slug of one of the two pages to something different, like /our-privacy-policy
- delete your other page, and empty it from Trash so the old slug is released.
WordPress can now detect the plugins and theme settings that may collect and hold personal data.
It is not foolproof, and it does not cover ALL the ways you collect or share that data. It knows nothing about 3rd party vendors that see IP addresses, such as your host or Cloudflare, or about your list service, like MailChimp, which retains the emails you collect.
So, these suggestions are just the start of what you need to list in your policy.
In the first module, you’ll see the full original version of the default text.
Copy the Default Text
If you scroll down to the end of the default text module, you’ll see a Copy button.
Click it to copy the text onto your clipboard so you can paste it into a Word doc or such for further editing, or just to retain the original, which I think is a good idea.
Edit the Default Text
Scroll down the page to the regular Text Editor.
You’ll find Summaries highlighted in bright yellow. These give you an indication of what type of text needs to be in your policy in this place.
The very first one is just a message to you, stating that you need to edit this page for your needs, and to delete those highlighted summaries.
Any paragraphs not highlighted are policy text that is meant to stay and be edited for your needs.
UPDATE 5/15/18: Click here to see an example of the full text. It is in a Google doc.
Don’t Block the Page from Google
Comment Data Collection
There is a new checkbox below the fields where a commenter enters their info, enabled by a new option in Settings > Discussion.
Checking the box is the commenter's explicit consent for your site to store their name, email, and website in their browser (the comment author cookies) so the form is pre-filled next time.
It does not cover everything that happens to a comment: the email is still hashed and sent to Automattic's Gravatar service to look up an avatar, which is why the default privacy policy text mentions Gravatar separately.
I could not find where to edit the statement.
And this is going to be super, duper confusing to commenters for sites that use a comment reply email notification plugin.
Now there will be items for commenters to check.
You could end up with something that looks like this.
However, since this message will be on all WordPress sites, our frequent commenters will figure it out.
Export and Remove Personal Data
One of the big GDPR compliance stipulations is that your site visitors must be able to see, correct, and have erased the personal data you have collected on them.
NOTE: There are currently several plugins that automate this function.
To be honest, most of them are overkill for U.S. based bloggers.
Plus, I’m VERY concerned about the:
- potential security holes they may open on your site
- visitors self-anonymising their data
- loss of shipping and other purchase related info for member and e-comm sites
- where the data is held/shared with 3rd party vendors
The new functions in WP 4.9.6 are under the Tools tab, as Export Personal Data and Erase Personal Data.
You, as the site admin, will be able to retrieve and erase data on a person based on their email address.
NOTE: Out of the box, this only covers the data WordPress core itself stores, such as comments and registered-user profile data. Anything a plugin stores only shows up if that plugin registers its own exporter and eraser with core.
So, on a plain blog this may be useless for anything other than blog post comments.
You are most likely also tracking IP addresses through analytics.
Those IP addresses are also stored off your site at:
- Google Analytics
- Your host
- Other vendors, like ad agencies and such
And, you may be collecting email addresses for your optin, which are not stored on your site, and not available via this method.
This is why some site owners find standalone plugins a more viable solution.
I’ll have more as I vet those plugins. But no way will I put them on my live production site to test.
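The gap described above, where Tools > Export and Erase Personal Data only knows about comments, is exactly what the two new core filters are for. The following is an added example, not BlogAid's code and not part of WordPress core: a tiny plugin that registers an exporter and an eraser for a HYPOTHETICAL optin table (`{prefix}example_signups` with columns id, email, name, ip, created), so that signups collected on the site itself appear in the export and get anonymised on erasure. The table, column names, and the `example_` function names are all assumptions for the illustration.

```php
<?php
/**
 * Plugin Name: Example Signup Privacy Hooks
 * Description: Added example, not BlogAid's or WordPress core code. Registers a
 *   personal data exporter and eraser for a HYPOTHETICAL optin table so that
 *   Tools > Export/Erase Personal Data cover more than comments.
 */

// Assumption: signups live in {$wpdb->prefix}example_signups with columns
// id, email, name, ip, created. Point this at your real data store.
function example_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_signups';
}

// Exporter callback. Core calls it with the email being exported and a page
// number, and expects array( 'data' => items, 'done' => bool ). Paging in
// batches keeps a large table from timing out the admin AJAX request.
function example_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 50;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = example_signups_table();

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, name, ip, created FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ), ARRAY_A );

    $items = array();
    foreach ( (array) $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-signups',
            'group_label' => __( 'Newsletter Signups', 'example' ),
            'item_id'     => 'signup-' . (int) $row['id'],
            'data'        => array(
                array( 'name' => __( 'Email', 'example' ),      'value' => $row['email'] ),
                array( 'name' => __( 'Name', 'example' ),       'value' => $row['name'] ),
                array( 'name' => __( 'IP address', 'example' ), 'value' => $row['ip'] ),
                array( 'name' => __( 'Signed up', 'example' ),  'value' => $row['created'] ),
            ),
        );
    }

    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Eraser callback. Same calling convention; it must report what was removed
// and what was kept. Rows are anonymised rather than deleted so signup counts
// stay intact; once anonymised they no longer match the email, so core's
// repeated calls (while done is false) naturally drain the remainder.
function example_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = example_signups_table();

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip FROM {$table} WHERE email = %s LIMIT 50", $email_address
    ), ARRAY_A );

    foreach ( (array) $rows as $row ) {
        $wpdb->update(
            $table,
            array(
                'email' => wp_privacy_anonymize_data( 'email' ),          // deleted@site.invalid
                'name'  => '',
                'ip'    => wp_privacy_anonymize_data( 'ip', $row['ip'] ), // last octet(s) zeroed
            ),
            array( 'id' => (int) $row['id'] )
        );
    }

    return array(
        'items_removed'  => ! empty( $rows ),
        'items_retained' => false,
        'messages'       => array(),
        'done'           => count( $rows ) < 50,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => __( 'Newsletter Signups', 'example' ),
        'callback'               => 'example_signups_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => __( 'Newsletter Signups', 'example' ),
        'callback'             => 'example_signups_eraser',
    );
    return $erasers;
} );
```

Drop this in as a plugin and the "Newsletter Signups" group appears in the export ZIP next to Comments, and Erase Personal Data anonymises the matching rows. Two things to check before relying on it on a live site: every query goes through `$wpdb->prepare()` so the email an admin types cannot be turned into SQL, and the eraser uses a fixed `deleted@site.invalid` address rather than a hash, because a hash of the email would still let someone re-identify the row.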
Visitor Request for Data Held
What else is supposed to be in WordPress 4.9.6, but I have not found yet, is a way for site visitors to request a copy of all the data you are holding on them.
It is referenced in this core ticket.
I’ll keep you posted as more info becomes available on it.
But, this also goes back to the standalone plugins that may carry way more info about all of the data you are holding on visitors, including with 3rd party vendors. It may be that WP tools are not enough to satisfy full GDPR compliance on this matter.
Another issue the WP devs are tackling is for commenters to anonymize their data.
If there is no way to trace it back via email address, there is also no way for it to be deleted, as the user can no longer be identified.
So, a request created under Tools sends a confirmation email to that address, and the request is listed as Pending until the person clicks the link in it to confirm their intent.
I have not seen where that request can be made yet, so have not seen how this works either.
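Core 4.9.6 does not ship a front-end form for the visitor request described above, but it does expose the two functions its admin screens use to create a request and send the confirmation email. The following is an added example, not BlogAid's code and not part of WordPress core: a plugin providing a hypothetical `[privacy_request]` shortcode that lets a visitor ask for an export or erasure of their own data. The shortcode name, field names, and messages are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example Privacy Request Form
 * Description: Added example, not BlogAid's or WordPress core code. Puts a
 *   [privacy_request] shortcode on the front end so visitors can ask for an
 *   export or erasure themselves, using the request functions 4.9.6 added.
 */

// Renders the form and, on POST, hands off to the handler below.
function example_privacy_request_shortcode() {
    $notice = '';
    if ( isset( $_POST['example_privacy_nonce'] ) ) {
        $notice = example_privacy_handle_post();
    }

    $form  = '<form method="post">';
    $form .= wp_nonce_field( 'example_privacy_request', 'example_privacy_nonce', true, false );
    $form .= '<p><label>' . esc_html__( 'Your email', 'example' )
           . ' <input type="email" name="example_email" required></label></p>';
    $form .= '<p><label><input type="radio" name="example_action" value="export" checked> '
           . esc_html__( 'Send me a copy of my data', 'example' ) . '</label><br>';
    $form .= '<label><input type="radio" name="example_action" value="erase"> '
           . esc_html__( 'Erase my data', 'example' ) . '</label></p>';
    $form .= '<p><button type="submit">' . esc_html__( 'Send request', 'example' ) . '</button></p>';
    $form .= '</form>';

    $html = $notice ? '<p class="example-privacy-notice">' . esc_html( $notice ) . '</p>' : '';
    return $html . $form;
}
add_shortcode( 'privacy_request', 'example_privacy_request_shortcode' );

// Returns a message for the visitor. The success message is deliberately the
// same whether or not a request already existed, so the form cannot be used
// to learn who has an open request on the site.
function example_privacy_handle_post() {
    if ( ! wp_verify_nonce( $_POST['example_privacy_nonce'], 'example_privacy_request' ) ) {
        return __( 'Security check failed, please try again.', 'example' );
    }

    $email = isset( $_POST['example_email'] ) ? sanitize_email( wp_unslash( $_POST['example_email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return __( 'Please enter a valid email address.', 'example' );
    }

    // Core's two action names; anything else falls back to export.
    $action = ( isset( $_POST['example_action'] ) && 'erase' === $_POST['example_action'] )
        ? 'remove_personal_data'
        : 'export_personal_data';

    // Creates a pending user_request post, the same thing the admin gets by
    // typing an email under Tools. Core returns a WP_Error (duplicate_request)
    // if that email already has a pending request for the same action.
    $request_id = wp_create_user_request( $email, $action );
    if ( ! is_wp_error( $request_id ) ) {
        // Emails the confirmation link. The request stays Pending under Tools
        // until the address owner clicks it, so a stranger typing someone
        // else's email cannot get that person's comments exported or erased.
        $sent = wp_send_user_request( $request_id );
        if ( is_wp_error( $sent ) ) {
            error_log( 'example privacy request: mail failed: ' . $sent->get_error_message() );
        }
    }

    return __( 'Check your inbox for a confirmation email and click the link in it to confirm your request.', 'example' );
}
```

Two caveats before using something like this. First, the form lets anyone trigger an email to any address, so in production put it behind a CAPTCHA or a per-IP rate limit, or you have built a mail-bombing tool. Second, the confirmation link is what protects your commenters: only act on requests that show as Confirmed under Tools, never on a Pending one, because the Pending entry proves nothing about who submitted it.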
WordPress and GDPR are Evolving
I will keep you updated as more GDPR tools and integrations are added to WordPress.
Catch up-to-the-minute news on the BlogAid Facebook page.
Be sure to subscribe to BlogAid News and my blog posts.
Tips Tuesday is my weekly roundup of site success tips and is THE BEST way for you to keep in the know and ahead of the curve.
Tips Tuesday comes as a post, podcast, and livestream discussion.