GDPR part 2 – WordPress privacy release

Previously on the CogitActive Saga:
Anybody with a website, be it a for-profit company or an occasional blogger, has to comply with the GDPR. WordPress itself is not GDPR compliant yet . . . you need to prepare a Privacy Policy explaining what’s the use of that data.

I was still stunned by the revelations from SiteGround webinar about GDPR (see GDPR part 1 – First encounter). Not only hadn’t I heard about this new General Data Protection Regulation before, but also I had only 15 days left (out of the two years of preparations allotted by the European Union) to get ready. The clock was ticking and those words from Hristo Pandjarov kept echoing in my mind: WordPress itself is not GDPR compliant yet. What does it mean anyway? I started to check for more information about GDPR, notably on how to achieve GDPR compliance.

My first impression (after the webinar) was that it affects everyone. Nonetheless, I wanted to double check who does the GDPR apply to. Fatefully, it apparently¹ applies to anyone – be it an individual or a business – processing the Personal Data of individuals from the European Union. According to the definition below (from the official text¹), the GDPR’s scope is indeed wide ranging. While names or email addresses (i.e. the required fields to submit a comment on a WordPress blog, for instance) are clearly Personal Data, less obvious things like IP addresses – stored in the web server log of any website (among a wealth of other information about the activities of the visitors) – are also considered as Personal Data. In short, if you have a blog and/or a website, the GDPR applies – except if you can legitimately argue than none of your visitors are European residents.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

I had to be ready by May 25, 2018. Oh My! Fortunately, WordPress core team released on May 17, 2018 a new version of the CMS platform – WordPress 4.9.6 – with three GDPR-related tools (see below); hence, making WordPress GDPR compliant.

We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release.Allen Snook

Comments

Once WordPress updated (automatically via the SiteGround Auto-Update tool), I logged in and noticed a “Personal Data and Privacy” addendum in the Welcome to WordPress! module highlighting two new privacy features:

Personal Data Export and Erasure: New Tools have been added to help you with personal data export and erasure requests.

Privacy Policy: Create or select your site’s privacy policy page under Settings > Privacy to keep your users informed and aware.

However, there was nothing about the comments cookies change (described in the WordPress 4.9.6 release post²).

Logged-out commenters will be given a choice on whether their name, email address, and website are saved in a cookie on their browser.Allen Snook

Before this update, WordPress used to store the commenters name, email and website as a cookie on the user’s browser; the cookies in question were:

• comment_author_[hash]
• comment_author_email_[hash]
• comment_author_url_[hash]

Thanks to these cookies, when a person would come back and comment, he or she would not have to fill the related information again. Of course, while convenient, this is not GDPR compliant!

In order to fulfill the ‘explicit consent’ GDPR requirement, WordPress added a cookie consent checkbox to the comment form: “Save my name, email, and website in this browser for the next time I comment.” By checking this option, users thus explicitly approve the cookies to be stored as they used to be; otherwise, WordPress will not store these cookies (i.e. no consent, no cookie). As a site owner, you can choose whether to display this checkbox in your comment form (and let users choose to opt-in or not) or to stick to the new default: no cookie; hence, no need for consent. This behavior is controlled in the Settings > Discussion > Other comment settings, specifically with the Show comments cookies opt-in checkbox, allowing comment author cookies to be set option (as already explained in Configuring WordPress (Multisite) Settings). Following the less you know the better principle, I decided to keep this disabled. Similarly, in keeping with data minimization (among other reasons; see Customizing the WordPress comment form), I removed the website field.

Privacy Policy Page

Putting together a ‘privacy policy’ is a daunting task. Thankfully, the new tool provided by WordPress will generate a pre-made privacy policy template. Of course, it won’t have everything your website needs (each site being unique); yet, it’s a good starting point. Basically, the template has a number of sections – some already filled with text – that outline what type of information your need to provide. There is actually a Privacy Policy Guide (along the page template) to help you fill in the blanks. It comes with recommendations on what to include, along with policies suggested by your plugins and theme.

The new page will include help and suggestions for your Privacy Policy. However, it is your responsibility to use those resources correctly, to provide the information that your Privacy Policy requires, and to keep that information current and accurate.

After your Privacy Policy page is set, we suggest that you edit it. We would also suggest reviewing your Privacy Policy from time to time, especially after installing or updating any themes or plugins. There may be changes or new suggested information for you to consider adding to your policy.

Currently supported bundled themes . . . have been updated to support these changes. Site footers will display a link to the site’s privacy policy when one has been selected.WordPress

Data Handling

The last tool, two actually – located in the Tools menu – help complying with GDPR’s ‘data handling’ requirements. The first one – Export Personal Data – allows site owners to export a ZIP file containing a user’s personal data²; hence, honoring any ‘data portability’ request as well. The second – Erase Personal Data – makes it easy to delete user’s personal data, including data collected by participating plugins². Both tools use an email-based method as detailed here and here, respectively. Importantly, this works for both registered users and commenters².

Of note, the privacy policy needs to include information on where users should send such requests!

Summing up

As stressed earlier, even though WordPress became GDPR compliant after implementing these privacy tools, my website(s) didn’t (as a result)! No solution can offer 100% GDPR compliance indeed; yet, these tools definitively help sites meet the requirements of the new European Union’s new GDPR (General Data Protection Regulation) laws.

To be continued…

---

¹ Mea culpa: given the limited amount of time, I didn’t read the all Regulation (EU) 2016/679 (available here) back then. I must also confess that I didn’t suffer this 88-page chore yet. ^
² Allen Snook (2018) WordPress 4.9.6 Privacy and Maintenance Release. WordPress.org. ^