Previously on the CogitActive Saga:
Anybody with a website, be it a for-profit company or an occasional blogger, has to comply with the GDPR;
Again, the General Data Protection Regulation (GDPR) affects everyone on the web: if your website is processing (see definition below) personal data from European Union citizens, then you must abide by the GDPR regulations. As already emphasized (see GDPR part 1 – First encounter), something as basic as an IP address, which is stored automatically in the web server log of any website, is considered personal data.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
What about a website built with WordPress? Apparently,
by default WordPress doesn’t collect any data from visitors unless they post a comment. Not allowing comments on a website, or worse on a blog, just to comply with the GDPR would be nonsense; they are indeed an essential part of blogging (see Comments in WordPress). Besides,
many plugins add third party services that collect visitor data. Also most embeds may collect data or add cookies (including from iframes). In short, there is no way to get out of it!
Privacy Policies are a core aspect of the GDPR. These documents are the keystone for ensuring that both websites and their users are aware of privacy rights and acting to protect them. (Ross B.)
There are many things to do to become GDPR compliant; still a basic principle is that
personal data shall be . . . processed lawfully, fairly and in a transparent manner (Article 5). According to Maria P., a legal writer at PrivacyPolicies,
pulls together a collected set of default texts which detail a site’s data collection and sharing, my websites1 were rather rudimentary (at the time I tested it) to say the least.
recommendations on what to include, along with policies suggested by your plugins and theme. However, at the time, I had no plugin installed (other than the ones bundled with my installation) and, more importantly, it was not possible to have a network-wide policy (using the tool; see GDPR part 2 – WordPress privacy release). For these reasons, I decided to postpone this task2 to benefit from the useful functionalities that the generator provides (i.e. suggested inclusions from plugins).
Our website address is: https://blog.cogitactive.com.
this tool ONLY collects policy help texts from WordPress and participating plugins; yet, I was (naively) expecting something better than that. As for the participating plugins, the list was disappointingly limited to a single item4. Condemnations aside, beware that you should use the Check out our guide link (in the Settings > Privacy screen) to access the recommendations on what to include, along with some suggested texts. The plugin(s) source(s) are listed below the one from WordPress core. From this page, you can copy/paste each suggested text (manually), or click on Copy this section to clipboard; doing so will indeed copy only the suggested texts (i.e. without the accompanying recommendations).
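To illustrate how a plugin becomes one of those “participating plugins”, here is an added example (not code from the original post, nor from any plugin mentioned in it) of the hook WordPress core provides for this purpose, wp_add_privacy_policy_content(); the plugin name and the policy text are placeholders I made up for the example.

```php
<?php
/**
 * Plugin Name: Example Privacy Policy Contributor (constructed example)
 *
 * Registers a suggested privacy policy section so that it appears in the
 * "Check out our guide" page of Settings > Privacy, below the WordPress core
 * text. The guide only shows what plugins declare here; it does not inspect
 * what the plugin actually does, so the declared text must match the real
 * data flows of the plugin.
 */

add_action( 'admin_init', 'example_contributor_privacy_policy_content' );

function example_contributor_privacy_policy_content() {
    // The function was introduced in WordPress 4.9.6; bail out gracefully on older versions.
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return;
    }

    // Placeholder text: describe what the plugin collects, why, how long it is kept
    // and with whom it is shared. Keep it factual and specific to the plugin.
    $policy_text = sprintf(
        '<p class="privacy-policy-tutorial">%s</p><p>%s</p>',
        __( 'Suggested text: this section describes the data handled by the plugin.', 'example-contributor' ),
        __( 'When you submit the form, your name and e-mail address are stored on this server to allow a reply, and are deleted after 90 days.', 'example-contributor' )
    );

    wp_add_privacy_policy_content(
        __( 'Example Privacy Policy Contributor', 'example-contributor' ),
        wp_kses_post( $policy_text )
    );
}
```

Once a plugin registers its text this way, the site owner can copy the section from the guide into the policy page; the recommendation paragraph (the one with the privacy-policy-tutorial class) is excluded by “Copy this section to clipboard”, as described above.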
After going through some how-to-write-a-privacy-policy articles5, I decided to try on my own (i.e. without assistance). Happily, my website, as well as my blog, are relatively basic. In particular, I do not allow registration (see Network Settings), I have a limited number of plugins, I don’t use Google Analytics – unlike most website owners – and, more importantly, I am not running any advertising (see footer)! Last, but not least, I do not handle any sensitive personal data such as health or payment information. Still, the task was not straightforward.
Nothing can substitute professional legal advice in drafting your legal policies and/or assisting you with compliance. (PrivacyPolicies)
One final point
Simply, I replaced the aforementioned PHP code (in the site-info.php file of my child theme) with the above HTML code.
To be continued…
1 As you may know if you are following the CogitActive Saga, after turning my regular WordPress installation into WordPress Multisite, I created a blog to unfold the aforementioned story (see Adding a site to my Multisite network). Hence, at that time, I had two sites in my network: the main site (cogitactive.com) and this blog (Beyond).
3 Apart from the obvious addition of the subdomain (i.e. “blog”), the protocol was now HTTPS rather than HTTP. You may want to consider reading Making my website work over HTTPS – the proper way to understand the significance of such a detail. For a better understanding, if you don’t know what “subdomain” and “protocol” are, you can check my post about domain names; the “Understand the basics” section, in particular.
4 A contact form plugin for that matter. I don’t want to spoil which one yet (to be addressed in the near future); still, I want to praise it to the sky.
7 As described in GDPR part 3 – Oops!, I used the tool for the main site of my network.