GDPR part 6 – Comment form adjustment

Previously on the CogitActive Saga:
In order to fulfill the ‘explicit consent’ GDPR requirement, WordPress added a cookie consent checkbox to the comment form.

May 25, 2018 – the General Data Protection Regulation (GDPR) was about to be enforced. Within a short period (see GDPR part 1 – First encounter), I had managed to publish my Privacy Policy page1 and to have a link to it displayed in the footer of my website (see GDPR part 3 – Oops!). After their privacy release, WordPress was claiming to be GDPR compliant – and so was my web-hosting provider, SiteGround. Given the nature of my websites back then, that is a basic blog (with no post yet) and an even simpler website (under construction as well), I was confident that my sites were ready for the GDPR. Again, I had no plugins other than those bundled with WordPress, I didn’t (and still don’t) allow registration, and I wasn’t (and still am not) handling any sensitive Personal Data. Was my GDPR compliance journey coming to an end?

Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant. – Syed Balki

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; – Article 4(11) GDPR

Throughout my readings (how to make your WordPress site GDPR-compliant), I indeed noticed a recurring claim: you must obtain explicit consent. Such claims prompted requests like this one: GDPR Consent Needed – Jetpack Comments. Briefly, the author – johnstonesnow, a legal expert on the DPA and the GDPR – was asking for this plugin to add a required tick box for consenting to data processing to its comment form module. As often happens, the agent neither understood nor addressed the request and referred to the WordPress cookie consent checkbox instead (see GDPR part 2 – WordPress privacy release). After specifying that this was NOT about cookies, johnstonesnow explained his concern again, but to no avail. Obviously frustrated (If your people could just take even a tertiary look at the GDPR requirements), he added: Any form submission must obtain the user’s explicit consent, and not only that, but an agreement to terms and privacy policy, which can’t be inserted in Jetpack Comments either.

Anyway, given these premises, I started to wonder: should I obtain consent to store commenters’ personal information? Besides, how could WordPress assert that it is GDPR compliant if its comment form is not? I was determined to get to the bottom of the matter…

Is johnstonesnow’s claim correct?

As already mentioned, the general belief is that you must obtain freely given, specific, informed, and unambiguous consent whenever you collect Personal Data. However, I could not find any article addressing this issue specifically for comment forms. Nonetheless, I was able to gather a few indications to the contrary; still, nothing official. For example, on a WordPress support forum, Marius L. J. states that you do not need explicit consent . . . because it’s implied that your data is stored with the intent of public display when making public comments. I could read a similar statement in a PrivacyPolicies article: Generally speaking, you shouldn’t ask for consent if . . . you’re processing personal data to the benefit of your company or others in a way that your users would reasonably expect, with minimal risk and impact on individuals (legitimate interests). Do comments fall in that category?

If your people could just take even a tertiary look at the GDPR requirements. – johnstonesnow

Did I read the whole Regulation (EU) 2016/679 document? No, this 88-page chore is yet to be suffered. However, I found a more digestible article2 on the subject matter on GDPR.EU. Briefly, the author – Ben Wolford – explains that consent is just one of the six legal bases outlined in Article 6 of the GDPR2. According to him, you only need to choose one legal basis for data processing, but once you’ve chosen it you have to stick with it. You cannot change your legal basis later, though you can identify multiple bases2. Here is an excerpt of Article 6(1) – Lawfulness of processing:

Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Contrary to popular belief, the EU GDPR (General Data Protection Regulation) does not require business to obtain consent from people before using their personal information for business purposes. – Ben Wolford

Article 7 – Conditions for consent

First of all, it is important to understand that, while most privacy laws distinguish two types of consent – implied and express – implied consent apparently does not exist in the GDPR.

Express consent is what “consent” means under the GDPR. You ask for someone’s consent, they understand the question and the implications, and they make a genuine choice. – PrivacyPolicies

Actually, the GDPR is rather clear about what ‘consent’ means. To paraphrase its definition, consent must be 1) freely given, 2) specific, 3) informed, 4) unambiguous, and 5) given by a statement or by a clear affirmative action. Basically, you must implement these five elements every time you ask your users for consent.

If you’re missing any one of these five elements, you don’t have consent under the GDPR. – PrivacyPolicies

In addition, you should keep a record of such consent, because you must be able to demonstrate that the user has consented to the processing of his/her Personal Data (Article 7(1)). Finally, consent must also be as easy to withdraw as it was to give, at any time (Article 7(3)).

Which legal basis, then?

Anyway, let us assume, for a second, that I chose consent as the legal basis for my comment form. Accordingly, I should add, for each field (i.e. “specific”), a checkbox (i.e. “by clear affirmative action”) along with a clear and simple (i.e. “unambiguous”) explanation of the purpose of the data processing (i.e. “informed”). Of course, I should also add a checkbox for the IP address, which is another piece of Personal Data collected by the comment form. Importantly, if there were more than one reason to process a given item (e.g. the IP address for spam protection and for website analytics), I would have to obtain consent for each purpose separately, giving the person commenting an opportunity to consent to each activity individually. Last, but not least, apparently you cannot require consent to data processing as a condition of using the service (i.e. “freely given”). In my opinion, this last point alone makes the use of consent as the legal basis for a comment form impracticable.

Practically, this is just not practical!

So, which legal basis should you choose – other than consent – for the comment form data processing?

Certainly, I am not a lawyer, and I could not decipher the Regulation (EU) 2016/679 document. Nonetheless, after reading many Privacy Policies (see GDPR part 4 – Privacy Policy), my impression was that most people/businesses rely on the ‘legitimate interest’ basis. Granted, this is neither a clear nor an official answer; yet, I stumbled upon this post3, which might be the closest to one:

Briefly, after describing his reaction to the WordPress privacy release as rather disgruntled than enthusiastic, the author – Christian Behrends – explains his concerns with the storing of the Name, Email and IP address. In his opinion, this weighs more heavily than setting a cookie; and he adds: we prefer not to afford the luxury of casual handling of the GDPR. His strategy consists in making sure that the user is aware that we keep their name, email address and IP address in our database, why we do this and what we do with it. To do so, he simply implements a mandatory checkbox with an I read your Privacy Policy label and a link to the policy page.
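Here is one way to implement that strategy, as an added example for this post (it is neither Christian Behrends’ code nor WordPress core). It adds the mandatory “I read your Privacy Policy” checkbox to the standard comment form and, more importantly, re-checks it on the server: the HTML required attribute only stops the browser from submitting, whereas anyone can POST straight to wp-comments-post.php. The field name cogitactive_policy_read and the text domain cogitactive are made up for the example; comment_form_fields, preprocess_comment, get_privacy_policy_url() and wp_die() are real WordPress APIs. Note that this box is an acknowledgement that the policy was read (fitting the legitimate-interest basis quoted below), not a recorded consent; the separate WordPress cookie checkbox from GDPR part 2 is untouched.

```php
<?php
/**
 * Added example (not Christian Behrends' code, not WordPress core):
 * a mandatory "I read your Privacy Policy" checkbox for the WordPress
 * comment form, enforced server-side. Drop into a small plugin or the
 * theme's functions.php.
 *
 * Assumptions: the field name 'cogitactive_policy_read' and the text
 * domain 'cogitactive' are invented for this example.
 */

// 1. Add the checkbox to the form. 'comment_form_fields' (WP >= 4.4) sees
//    every field, including the comment textarea, so the box is rendered
//    for logged-in users too (they get no author/email/url fields).
add_filter( 'comment_form_fields', function ( array $fields ) {
    $policy_url = get_privacy_policy_url(); // '' when no policy page is set

    $label = $policy_url
        ? sprintf(
            /* translators: %s: privacy policy URL */
            __( 'I read your <a href="%s" target="_blank" rel="noopener">Privacy Policy</a>', 'cogitactive' ),
            esc_url( $policy_url )
        )
        : __( 'I read your Privacy Policy', 'cogitactive' );

    $fields['cogitactive_policy_read'] = sprintf(
        '<p class="comment-form-policy-read">'
        . '<input id="cogitactive_policy_read" name="cogitactive_policy_read" type="checkbox" value="1" required>'
        . ' <label for="cogitactive_policy_read">%s</label></p>',
        wp_kses( $label, array( 'a' => array( 'href' => true, 'target' => true, 'rel' => true ) ) )
    );

    return $fields;
} );

// 2. Enforce it on the server. 'preprocess_comment' runs inside
//    wp_new_comment() before anything is written to the database.
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    // Pingbacks/trackbacks never carry the checkbox; only check real comments.
    $type       = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    $is_comment = ( '' === $type || 'comment' === $type );

    $box_ticked = isset( $_POST['cogitactive_policy_read'] )
        && '1' === $_POST['cogitactive_policy_read'];

    if ( $is_comment && ! $box_ticked ) {
        // Reject with HTTP 400 and a back link, like core's own comment errors.
        wp_die(
            esc_html__( 'Please confirm that you have read the Privacy Policy before commenting.', 'cogitactive' ),
            esc_html__( 'Comment Submission Failure', 'cogitactive' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }

    return $commentdata;
} );
```

Two caveats a practitioner would want: the server-side hook also fires for comments created through other paths that never show the form (for instance the REST comments endpoint), which will be rejected because $_POST lacks the field, so adjust the check if you rely on such paths; and if you later switch to consent as the legal basis, an acknowledgement checkbox is not enough, since you would need to store when and to what each commenter consented (Article 7(1)).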

What about the legal basis?

Here is his statement on that matter:

In my opinion, our legitimate interest (Art. 6 EU-GDPR 1.f) is preferable to the consent of the data subject as legitimation of the processing and sufficient. – Christian Behrends

Going, going… GONE!

To be continued…

1 Back then, it was nothing but the default template page created by the WordPress tool – AS IS – but I have written and published a more thorough and complete version since (see GDPR part 4 – Privacy Policy).
2 Ben Wolford (2019) What are the GDPR consent requirements? GDPR.EU.
3 Christian Behrends (2019) GDPR-compliant Comments with WordPress. webdevtrust.
