Previously on the CogitActive Saga:
Anybody with a website, be it a for-profit company or an occasional blogger, has to comply with the GDPR.
WordPress itself is not GDPR compliant yet . . .
I was still stunned by the revelations from the SiteGround webinar about GDPR (see GDPR part 1 – First encounter). Not only hadn’t I heard about this new General Data Protection Regulation before, but also I had only 15 days left (out of the two years of preparation allotted by the European Union) to get ready. The clock was ticking and those words from Hristo Pandjarov kept echoing in my mind:
WordPress itself is not GDPR compliant yet. What does it mean anyway? I started to check for more information about GDPR, notably on how to achieve GDPR compliance.
My first impression (after the webinar) was that it affects everyone. Nonetheless, I wanted to double-check who the GDPR applies to. Fatefully, it apparently1 applies to anyone – be it an individual or a business – processing the Personal Data of individuals from the European Union. According to the definition below (from the official text1), the GDPR’s scope is indeed wide-ranging. While names or email addresses (i.e. the required fields to submit a comment on a WordPress blog, for instance) are clearly Personal Data, less obvious things like IP addresses – stored in the web server log of any website (among a wealth of other information about the activities of the visitors) – are also considered Personal Data. In short, if you have a blog and/or a website, the GDPR applies – except if you can legitimately argue that none of your visitors are European residents.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
I had to be ready by May 25, 2018. Oh My! Fortunately, the WordPress core team released on May 17, 2018 a new version of the CMS platform – WordPress 4.9.6 – with three GDPR-related tools (see below), hence making WordPress GDPR compliant.
We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release.
Allen Snook
Once WordPress updated (automatically via the SiteGround Auto-Update tool), I logged in and noticed a “Personal Data and Privacy” addendum in the Welcome to WordPress! module highlighting two new privacy features:
Personal Data Export and Erasure: New Tools have been added to help you with personal data export and erasure requests.
However, there was nothing about the comments cookies change (described in the WordPress 4.9.6 release post2).
Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.
Allen Snook
Before this update, WordPress used to store the commenter’s name, email and website as cookies on the user’s browser; the cookies in question were:
In order to fulfill the ‘explicit consent’ GDPR requirement, WordPress added a cookie consent checkbox to the comment form: “Save my name, email, and website in this browser for the next time I comment.” By checking this option, users explicitly approve the cookies being stored as they used to be; otherwise, WordPress will not store these cookies (i.e. no consent, no cookie). As a site owner, you can choose whether to display this checkbox in your comment form (and let users choose to opt in or not) or to stick to the new default: no cookie; hence, no need for consent. This behavior is controlled in Settings > Discussion > Other comment settings, specifically with the Show comments cookies opt-in checkbox, allowing comment author cookies to be set option (as already explained in Configuring WordPress (Multisite) Settings). Following the ‘less you know the better’ principle, I decided to keep this disabled. Similarly, in keeping with data minimization (among other reasons; see Customizing the WordPress comment form), I removed the website field.
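As an added illustration (not code from this post or from WordPress core) of the data-minimization choices described above, the following theme functions.php snippet drops the website field, discards any URL value that is still posted, and, going one step further than the post, shortens the lifetime of the comment cookies for visitors who do opt in. It assumes a standard WordPress 4.9.6 or later install and uses only core hooks (comment_form_default_fields, preprocess_comment, comment_cookie_lifetime).

```php
<?php
/**
 * Added example, not part of the original post or of WordPress core.
 * Assumes WordPress 4.9.6+ and the core comment form (comment_form()).
 * Drop this into your theme's functions.php.
 */

// 1. Data minimization: remove the website (URL) field from the comment
//    form so the value is never requested from the visitor in the first place.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    unset( $fields['url'] );
    return $fields;
} );

// 2. Defence in depth: the field can still be posted by a crafted request
//    or an old cached form, so blank the URL before the comment is saved.
//    The name and email are still required by core for non-logged-in users.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $commentdata['comment_author_url'] = '';
    return $commentdata;
} );

// 3. Storage limitation for visitors who DO tick the opt-in checkbox:
//    core's wp_set_comment_cookies() only sets the comment_author_* cookies
//    when the 'wp-comment-cookies-consent' POST field is present (no consent,
//    no cookie). Its default lifetime is 30000000 seconds (about 347 days);
//    the filter below shortens it to 30 days.
add_filter( 'comment_cookie_lifetime', function ( $seconds ) {
    return 30 * DAY_IN_SECONDS;
} );
```

With the opt-in checkbox hidden in Settings > Discussion, the consent field is never posted, so step 3 never applies and no comment author cookie is written at all.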
recommendations on what to include, along with policies suggested by your plugins and theme.
The possibility to have a network-wide policy would be welcome indeed, if only to benefit from the useful functionalities that the generator provides (e.g. suggested inclusions from plugins). There is actually a ticket on that matter; yet, I am not optimistic that this enhancement will be part of the WordPress 5.5 release.
The last tool – two actually, located in the Tools menu – helps comply with the GDPR’s ‘data handling’ requirements. The first one – Export Personal Data – allows site owners to export a ZIP file containing a user’s personal data2, hence honoring any ‘data portability’ request as well. The second – Erase Personal Data – makes it easy to delete a user’s personal data, including data collected by participating plugins2. Both tools use an email-based method as detailed here and here, respectively. Importantly, this works for both registered users and commenters2.
As stressed earlier, even though WordPress became GDPR compliant after implementing these privacy tools, my website(s) didn’t (as a result)! No solution can offer 100% GDPR compliance indeed; yet, these tools definitely help sites meet the requirements of the new European Union’s new GDPR (General Data Protection Regulation) laws.
To be continued…
1 Mea culpa: given the limited amount of time, I didn’t read the whole Regulation (EU) 2016/679 (available here) back then. I must also confess that I haven’t suffered through this 88-page chore yet.
2 Allen Snook (2018) WordPress 4.9.6 Privacy and Maintenance Release. WordPress.org.