Previously on the CogitActive Saga:
Anybody with a website, be it a for-profit company or an occasional blogger, has to comply with the GDPR; if you collect and/or store personal data, you need to prepare a Privacy Policy explaining what that data is used for.
Again, the General Data Protection Regulation (GDPR) affects everyone on the web: if your website is processing (see definition below) personal data from European Union citizens, then you must abide by the GDPR regulations. As already emphasized (see GDPR part 1 – First encounter), something as basic as an IP address, which is stored automatically in the web server log of any website, is considered personal data.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
What about a website built with WordPress? Apparently, by default WordPress doesn’t collect any data from visitors unless they post a comment. Not allowing comments on a website, or worse on a blog, just to comply with the GDPR would be nonsense; they are indeed an essential part of blogging (see Comments in WordPress). Besides, many plugins add third-party services that collect visitor data. Also, most embeds may collect data or add cookies (including from iframes). In short, there is no way to get out of it!
“Privacy Policies are a core aspect of the GDPR. These documents are the keystone for ensuring that both websites and their users are aware of privacy rights and acting to protect them.” (Ross B.)
There are many things to do to become GDPR compliant; still, a basic principle is that personal data shall be “processed lawfully, fairly and in a transparent manner” (Article 5). According to Maria P., a legal writer at PrivacyPolicies, one of the easiest ways to stay transparent and inform your users is through your Privacy Policy. Indeed, such a legal document typically discloses what information you gather and for what purpose; basically, it should address the What, the How and the Why! However, unlike other legal documents, which use legal jargon, the Privacy Policy should inform the users “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). Okay, but the question remains: how to write a Privacy Policy?
Sorry to disappoint you; this post is not a step-by-step tutorial on how to write a Privacy Policy, but rather an account of my own experience. Besides, such an exercise is beyond my subject matter expertise anyway. Now, there are countless articles on how to add a Privacy Policy to a WordPress website, as well as on how to write a Privacy Policy. While the former provide (limited) information on how to write one – alongside a brief “what is GDPR?” section – most only describe the WordPress privacy tool (see below). As for the latter, …
WordPress generator
As detailed in GDPR part 2 – WordPress privacy release, WordPress added some features to help site owners with this daunting task. In particular, they provided a tool that generates a pre-made Privacy Policy template. Unfortunately, the automatically generated page was far from complete (see GDPR part 3 – Oops!). Now, to be fair with the Editing Helper feature of the tool, which “pulls together a collected set of default texts which detail a site’s data collection and sharing”, my websites [1] were rather rudimentary (at the time I tested it), to say the least.
Granted, I could have used the accompanying Privacy Policy Guide to fill in the blanks. It comes indeed with “recommendations on what to include, along with policies suggested by your plugins and theme”. However, at the time, I had no plugin installed (other than the ones bundled with my installation) and, more importantly, it was not possible to have a network-wide policy (using the tool; see GDPR part 2 – WordPress privacy release). For these reasons, I decided to postpone this task [2] so as to benefit from the useful functionality that the generator provides (i.e. suggested inclusions from plugins).
Given these premises, I eventually decided to use the tool to generate a Privacy Policy for this blog (Beyond) and to compare the text with the one generated two years earlier (for my website). My idea was to pool the information from both policies. So you can imagine my shock, on clicking on Create New Page (in Settings > Privacy; from the blog dashboard), to find that the newly generated template was identical to the one generated two years earlier for my (stripped-down) website! With one notable exception, though. The suggested text for the Who we are section was indeed slightly [3] different:
Our website address is: https://blog.cogitactive.com.
Admittedly, this tool ONLY “collects policy help texts from WordPress and participating plugins”; yet, I was (naively) expecting something better than that. As for the participating plugins, the list was disappointingly limited to a single item [4]. Condemnations aside, beware that you should use the Check out our guide link (in the Settings > Privacy screen) to access the recommendations on what to include, along with some suggested texts. The plugin source(s) are listed below the one from WordPress core. From this page, you can copy/paste each suggested text (manually), or click on Copy this section to clipboard; doing so will copy only the suggested texts (i.e. without the accompanying recommendations).
So, how to write a Privacy Policy?
Drafting a comprehensive yet simple Privacy Policy is no easy task. Admittedly, the template “has prompts and headers to kickstart the process” and some sections already have some text filled in. However, leaving the document as-is would not do [2]. After reading the Privacy Policy Guide, which is quite informative, I was still not sure what to include or not…
“The less personal information you request, handle, and store, the easier it is to write your Privacy Policy.” (Jocelyn M.)
After going through some how-to-write-a-privacy-policy articles [5], I decided to try on my own (i.e. without assistance). Happily, my website, as well as my blog, are relatively basic. In particular, I do not allow registration (see Network Settings), I have a limited number of plugins, I don’t use Google Analytics – unlike most website owners – and, more importantly, I am not running any advertising (see footer)! Last, but not least, I do not handle any sensitive personal data such as health or payment information. Still, the task was not straightforward.
“As tempting as it may be to copy another business’s online Privacy Policy, don’t do it. There’s simply no such thing as a “standard” Privacy Policy.” (PrivacyPolicies)
I am neither a lawyer, nor an attorney.
After reading countless Privacy Policies from different websites, I had a better idea of what it meant (to write one), and only then did the WordPress template, as well as the Privacy Policy Guide, prove particularly useful. Nonetheless, despite my efforts to make it as thorough and as complete as possible, I can’t be sure that my Privacy Policy is in conformity with the law [6]. Only a lawyer can do that!
“Nothing can substitute professional legal advice in drafting your legal policies and/or assisting you with compliance.” (PrivacyPolicies)
One final point
In keeping with legal requirements, needless to say, you must make your policy easy to find and access. Given the absence of a network-wide policy feature (for WordPress Multisite), I had to add the link manually in the footer (for this blog [7]). To match the formatting of my website (in which the Privacy Policy was already published), I checked the PHP code that was added in the site-info.php file (see GDPR part 3 – Oops!), as well as the HTML outcome (by inspecting the source code). To make a long story short, the former was outputting this HTML:
<a class="privacy-policy-link" href="https://cogitactive.com/privacy-policy/">Privacy Policy</a>
<span role="separator" aria-hidden="true"></span>
Simply put, I replaced the aforementioned PHP code (in the site-info.php file of my child theme) with the above HTML code.
Privacy Policy / CogitActive | Copyright © 2017-2020 Alexandre Seillier
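Hard-coding the anchor works, but the URL then silently drifts if the policy page is ever moved or renamed. As an added example (not the post’s own code, nor WordPress core’s), the following helper for a child theme’s site-info.php emits the same markup shown above, but reads the URL from the main site’s Settings > Privacy page so it stays correct network-wide, and escapes the output. It assumes WordPress Multisite with the policy page on the main site (get_main_site_id() and get_privacy_policy_url() exist since WordPress 4.9.7 and 4.9.6 respectively); the function name and the ‘cogitactive’ text domain are placeholders.

```php
<?php
/**
 * Hypothetical helper for a child theme's site-info.php (added example, not the post's code).
 * Assumes WordPress Multisite, with the Privacy Policy page configured on the main site.
 * Emits the same markup the post shows: the privacy-policy-link anchor plus separator span.
 */
function cogitactive_network_privacy_policy_link() {
    $url = '';

    if ( is_multisite() ) {
        // Temporarily switch to the main site so get_privacy_policy_url()
        // reads that site's Settings > Privacy page instead of the current blog's.
        switch_to_blog( get_main_site_id() );
        $url = get_privacy_policy_url();
        restore_current_blog();
    }

    // Fall back to the current site's own Privacy Policy page, if one is set.
    if ( '' === $url ) {
        $url = get_privacy_policy_url();
    }

    // No policy page configured anywhere: print nothing rather than a dead link.
    if ( '' === $url ) {
        return;
    }

    // esc_url() / esc_html__() make sure nothing unexpected ends up in the footer markup.
    printf(
        '<a class="privacy-policy-link" href="%1$s">%2$s</a>' . "\n" .
        '<span role="separator" aria-hidden="true"></span>' . "\n",
        esc_url( $url ),
        esc_html__( 'Privacy Policy', 'cogitactive' ) // text domain is a placeholder
    );
}

// In site-info.php, call it where the footer link should appear.
cogitactive_network_privacy_policy_link();
```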
To be continued…
[1] As you may know if you are following the CogitActive Saga, after turning my regular WordPress installation into WordPress Multisite, I created a blog to unfold the aforementioned story (see Adding a site to my Multisite network). Hence, at that time, I had two sites in my network: the main site (cogitactive.com) and this blog (Beyond).
[2] Meaning that I left the fragmentary Privacy Policy as-is for a while. Again, the template should have been enough for a default WordPress blog – that is, with no additional feature.
[3] Apart from the obvious addition of the subdomain (i.e. “blog”), the protocol was now HTTPS rather than HTTP. You may want to consider reading Making my website work over HTTPS – the proper way to understand the significance of such a detail. In keeping with comprehension, if you don’t know what “subdomain” and “protocol” are, you can check my post about domain names; the “Understand the basics” section, in particular.
[4] A contact form plugin, for that matter. I don’t want to spoil which one yet (to be addressed in the near future); still, I want to praise it to the sky.
[5] Often, these guides are proposed by companies offering Privacy Policy Generators (sometimes even for free). What’s the catch, you may wonder? As explained in How to podcast?, they create high-quality content to bring traffic to their site. As for the free templates, they have limited clauses, and you will end up paying for their premium agreements. Besides, they use standard templates and you will have to edit or add the information to satisfy your specific needs anyway.
[6] In fact, there are many laws to consider, beyond the GDPR, and only someone who knows the law(s) should draft such a legal document – even though a Privacy Policy should be written in plain, easy-to-understand language.
[7] As described in GDPR part 3 – Oops!, I used the tool for the main site of my network.