WordPress 4.9.6 New GDPR Tools

WordPress 4.9.6 includes 4 new Tools for GDPR compliance.
It helps you collect info needed for your Privacy Policy based on your theme and plugins too.
And, it provides a way to retrieve, edit, and export the data you collect.
UPDATE 5/18/18: WordPress 4.9.6 has been released and is safe to update
UPDATE 5/15/18: See the section on Edit the Default Text. There is a link to the full text example of the Privacy Policy.
Be sure to see the big GDPR Guide – Special Edition of Tips Tuesday
4 New GDPR Tools
The WordPress devs have added four major tools to the core code in an effort to become GDPR compliant.
The new tools are:
- Auto creation of a Privacy Policy page based on your theme and plugins.
- Ways for site admins to list and export data collected.
- Optin to obtain consent on comments to retain data.
- A method for visitors to request and edit data held on them.
About the New Privacy and Personal Data Tools
When you update to WP 4.9.6, you will see a new pop up for Privacy and Personal Data collection.

Privacy Settings
The Privacy Settings are a sub-link under the main Settings tab.

This will take you to the Privacy Settings admin page where you will have the opportunity to link to a page you have already created for your Privacy Policy, or have WordPress create a default page for you.

You will see the message at the top of that page (in the white box) any time you update the Privacy Policy page, if you elect to have WordPress create one for you.
There are also links (highlighted in the red boxes above) to Edit or View your page. And a link to a guide with recommendations for what should be in your page.
You will be able to edit the page WordPress creates, just like any other page.
And I suggest you do, just as they also advise in the text at the top of this admin page.
It is YOUR responsibility to ensure your policies state all of the tracking and info collecting you do on your site.
NOTE: The text sections created for you are based on YOUR theme and plugins. It will be different for every site depending on how it collects data.
Default Privacy Policy Page
If you click the button to have a page created for you, it will automatically be titled Privacy Policy.
NOTE: You MUST edit this page for your site privacy needs!
It will have a URL slug of /privacy-policy.

Tip: If you already had a page with that slug, this new one will have a -2 at the end. You can’t have duplicates in the database. So, to keep this page, you would need to either:
- edit the slug to something different, like /our-privacy-policy
- delete your other page, and remove it from Trash so it comes out of the database too.
Privacy Policy Suggestions

One of the big factors with GDPR compliance is listing all of the ways you collect data in your Privacy Policy.
WordPress can now detect the plugins and theme settings that may collect and hold personal data.
It is not foolproof, and doesn’t include ALL the ways you collect or share that data, including 3rd party vendors such as your host and Cloudflare and others that are IP address related, or your list service, like MailChimp, that retains emails you collect.
So, these suggestions are just the start of what you need to list in your policy.
Default Privacy Policy Text

In the first module, you’ll see the full original version of the default text.
Copy the Default Text

If you scroll down to the end of the default text module, you’ll see a Copy button.
Click it to copy the text onto your clipboard so you can paste it into a Word doc or such for further editing, or just to retain the original, which I think is a good idea.
Edit the Default Text
Scroll down the page to the regular Text Editor.

You’ll find Summaries highlighted in bright yellow. These give you an indication of what type of text needs to be in your policy in this place.
The very first one is just a message to you, stating that you need to edit this page for your needs, and to delete those highlighted summaries.
Any paragraphs not highlighted are policy text that is meant to stay and be edited for your needs.
UPDATE 5/15/18: Click here to see an example of the full text. It is in a Google doc.
Don’t Block the Page from Google
UPDATE: As a rule, all such policy pages should be blocked from search, as they are not index worthy. But, for your main Privacy Policy, it would be best to leave it at the default, so Googlebots can crawl it and folks can find it in search.
Comment Data Collection
There is a new checkbox below the fields where a commenter enters their info.

Checking the box is explicit consent that the commenter allows you to retain their personal data.
That may also include sharing their email with Automattic so it can check if they have a Gravatar account associated with it.
I could not find where to edit the statement.
And this is going to be super, duper confusing to commenters for sites that use a comment reply email notification plugin.
Now there will be items for commenters to check.
You could end up with something that looks like this.

However, since this message will be on all WordPress sites, our frequent commenters will figure it out.
But, would be very helpful if we could edit that message and/or add a link to our privacy policy.
Export and Remove Personal Data
One of the big GDPR compliance stipulations is that your site visitors should be allowed to see, edit, and remove all tracking info you have collected on them.
NOTE: There are currently several plugins that automate this function.
To be honest, most of them are overkill for U.S. based bloggers.
Plus, I’m VERY concerned about the:
- potential security holes they may open on your site
- visitors self-anonymising their data
- loss of shipping and other purchase related info for member and e-comm sites
- where the data is held/shared with 3rd party vendors
The new functions in WP 4.9.6 are under the Tools tab.

You, as the site admin, will be able to retrieve data on a user based on their email.

NOTE: This is not the full data you collect on your site visitors.
In fact, this may be useless for anything other than blog post comments.
You are also tracking IP addresses for analytics.
Those IP addresses are also stored off your site at:
- Google Analytics
- Your host
- Cloudflare
- Other vendors, like ad agencies and such
And, you may be collecting email addresses for your optin, which are not stored on your site, and not available via this method.
This is why some site owners find standalone plugins a more viable solution.
I’ll have more as I vet those plugins. But no way will I put them on my live production site to test.
Visitor Request for Data Held
What else is supposed to be in WordPress 4.9.6, but I have not found yet, is a way for site visitors to request a copy of all the data you are holding on them.
It is referenced in this core ticket.
I’ll keep you posted as more info becomes available on it.
But, this also goes back to the standalone plugins that may carry way more info about all of the data you are holding on visitors, including with 3rd party vendors. It may be that WP tools are not enough to satisfy full GDPR compliance on this matter.
Another issue the WP devs are tackling is for commenters to anonymize their data.
If there is no way to trace it back via email address, there is also no way for it to be deleted, as the user can no longer be identified.
So, they are considering a way to send a confirmation email to confirm the request intent.
I have not seen where that request can be made yet, so have not seen how this works either.
WordPress and GDPR are Evolving
I will keep you updated as more GDPR tools and integrations are added to WordPress.
Catch up-to-the-minute news on the BlogAid Facebook page.
Be sure to subscribe to BlogAid News and my blog posts.
Tips Tuesday is my weekly roundup of site success tips and is THE BEST way for you to keep in-the-know-and ahead of the curve.
Tips Tuesday comes as a post, podcast, and livestream discusson.

Sounds like some great tools — and it’s about time someone stepped up to make it easier for small businesses to comply. But wow … talk about waiting till the last minute to push these out! Thanks so much for keeping us up-to-date as always, MaAnna.
Yeah, they’ve had their heads so buried in Gutenberg they kind of waited too long to get started on this. The tools are good, but not enough. More in tomorrow’s big GDPR Guide in Tips Tuesday.
Thanks for this update!
Thanks for sharing this, I am very happy to see this built into WordPress core. Just curious about one thing. Why do you recommend blocking it from search engines?
The privacy policy page I mean :-)
As a general rule, most pages like that are not index worthy. But, you bring up a good point. Maybe this one needs to be, just so folks can easily Google it, if they want.
I updated both GDPR posts with that suggestion, Kristin. Thanks for the feedback!!
I agree that the content might not be index worthy, and I guess it remains to be seen how this law actually will affect us. Right now it is a lot of “buzz” around GDPR, and I welcome the law. But I guess we all go back to business as usual in a few weeks . Maybe it s best to let Google decide if the privacy policy page should be indexed or not in the future :-)
I have one more question if you don’t mind. I have the beta version installed on a couple of test sites, but I can not see the checkbox below the comment field. And I can not find a setting to activate it either. Am I missing something here?
Agreed about letting Google decide, ultimately they do anyway!!
I saw that checkbox on my beta test sites. But didn’t see the link to the privacy policy, even after I had WP generate the page. So, that beta is not ready for prime time yet.
Might want to leave comments on the post about just it (linked near the top on this one) as that is the one I’ll be updating with detailed info like that on the new GDPR Tools in WP.
Based on my own searching for privacy policies, I think it is wise to let one’s own privacy page be Googled. Great update!
Agreed, Denise. I’ve updated both of my posts.
Thanks for all the explanations. I can’t wait to see how this ends up working. I have been looking at turning off the updates and most plugins are not updated or overkill. I have some tickets to the plugin creators about cron issues. I will let you know whay they say.
Thanks, Marilyn!!
Can you turn off the 4.9.6 GDPR features if you use a separate plugin?
Haven’t had time to check on that Carolyn. The only one that I think displays to the public automatically is in the comments.
Excellent write up. I’ve updated to 4.9.6 in my own site just so I could see what was going on. One thing that I haven’t seen a lot on is the GDPR and Facebook Tracking Pixels. Right now I’m taking them off my site until I learn more about the concent and how to anonymize their data.
Thank you, Amy!! I would NOT remove any current tracking at this point. Please see my BlogAid Facebook page for daily updates. And subscribe to BlogAid News for them too. We’re taking all of this a bite at a time and not losing anything on our sites.
Ok. I’ll bite. What are FB tracking pixels?
Everybody, including me, calls it that. But I believe FB calls it Facebook Pixel Tracking.
It’s for retargeting ads on FB. You can put their tracking code on your site and create a Look-a-Like audience from it to target.
You can even track per category or even down to a single post.
The other way to create an audience on FB for ads is to upload your email list to them. I hope GDPR puts a stop to that. We have no real idea what FB does with those emails!
Those comfortable with code can edit the wording or appearance of the data-collection checkbox in the theme functions. Those not comfortable with code shouldn’t break their site by even trying ;)
For most, it won’t matter. Some don’t collect one or more of the items mentioned in the default message and might want to edit it.
Joel, are you sure another WP update won’t change or affect the special coding you’ve done in the theme?
Here’s why I ask. I’ve got a client who already has a GDPR compliant statement and checkbox that is in her theme’s function file, and she’s scared to update to WP 4.9.6 because it might put it’s own default statement and checkbox there.
D’oh. Of course. You are absolutely correct.
These days all my sites use my own custom themes, so “updates” are just me editing the code.
Anyone comfortable using the code to edit that bit of text would also be comfortable making a child copy of their theme, even if only to insert that bit. Updates to the parent them would then not overwrite edits to the child theme. Again, good for geeks, but normal humans should avoid.
I’m sure the WP folks will manage this over time; probably automate the wording to match the fields of your comment form, obviating the need to edit for that reason, at least.
I notice that, though I checked the “save my info” box when I commented before, I’m having to enter it again. Clearly, the entire process is still a bit buggy. They’ll sort it before long.
I hope addressing this very thing is at the tip top of their list for the next release!!!!
I let WordPress create my policy but didn’t see the ‘Copy’ button, the highlighted text or the comment data collection checkbox so maybe they changed things. Thanks for all your hard work on this MaAnna.
When I updated I clicked to have WP show me even though I had done mine. I wanterd to make sure nothing was missed. Once you specified your privacy page the yellow text from MaAnna appears. She highlighted it yellow for us to see. WP text is not highlighted. When you get all the way to the end of their explanations, the copy button is at the bottom right. Just like in the screenshot above. It was light and hard to see for me. Once you hit COPY, you go to the page that was created (or yours you specified) and paste that in. From there you REMOVE the instructions and fill in your info those instructions spoke of.
That yellow text is from WP, not me. Thanks so much for giving the rest of the instructions to do it!!!!!!!
Oh. I just had the text. Not the yellow highlight I did notice two things. I have to check the comment box for every comment I make on the blog. And I thought I read somewhere that the PHP version of a plugin now shows in our admin /all plugins/ area? Am I dreaming?
That’s really odd Kim, as all those things should be in the 4.9.6 update – were on my test site.
Well, I didn’t specify where I wanted my page to show up so maybe that’s why.
Ah, that might do it!!