Previously on the CogitActive Saga:
In order to fulfill the ‘explicit consent’ GDPR requirement, WordPress added a cookie consent checkbox to the comment form.
Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant. – Syed Balki
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; (Article 4(11) GDPR)
Throughout my readings (how to make your WordPress site GDPR-compliant), I indeed noticed a recurring claim:
you must obtain explicit consent. Such a claim prompted requests like this one: GDPR Consent Needed – Jetpack Comments. Briefly, the author – johnstonesnow, a legal expert on DPA and GDPR – was asking for this plugin to add
a required tick box for consenting to data processing to its comment form module. As often, the agent neither understood nor addressed the request and referred to the WordPress cookie consent checkbox instead (see GDPR part 2 – WordPress privacy release). After specifying
this is NOT about cookies, johnstonesnow explained his concern again, but to no avail. Obviously frustrated (
If your people could just take even a tertiary look at the GDPR requirements), he added
Anyway, given these premises, I started to wonder: should I obtain consent to store commenters’ personal information? Besides, how could WordPress claim to be GDPR compliant if its comment form is not? I was determined to get to the bottom of the matter…
Is johnstonesnow’s claim correct?
As already mentioned, the general belief is that you must obtain freely given, specific, informed, and unambiguous consent whenever you collect Personal Data. However, I could not find any article directly addressing this issue for comment forms. Nonetheless, I was able to gather a few indications to the contrary; still, nothing official. For example, on a WordPress support forum, Marius L. J. states that
you do not need explicit consent . . . because it’s implied that your data is stored with the intent of public display when making public comments. I could read a similar statement in a PrivacyPolicies article
Generally speaking, you shouldn’t ask for consent if . . . you’re processing personal data to the benefit of your company or others in a way that your users would reasonably expect, with minimal risk and impact on individuals (legitimate interests). Do comments fall in that category?
Did I read the whole Regulation (EU) 2016/679? No, this 88-page chore is yet to be suffered. However, I found a more digestible article [2] on the subject matter on GDPR.EU. Briefly, the author – Ben Wolford – explains that
consent is just one of the six legal bases outlined in Article 6 of the GDPR [2]. According to him,
you only need to choose one legal basis for data processing, but once you’ve chosen it you have to stick with it. You cannot change your legal basis later, though you can identify multiple bases [2]. Here is an excerpt of Article 6(1) – Lawfulness of processing:
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Contrary to popular belief, the EU GDPR (General Data Protection Regulation) does not require businesses to obtain consent from people before using their personal information for business purposes. – Ben Wolford
Article 7 – Conditions for consent
First of all, it is important to understand that, while
there are two types of consent in most privacy laws: implied and express, apparently
implied consent does not exist in the GDPR.
Express consent is what “consent” means under the GDPR. You ask for someone’s consent, they understand the question and the implications, and they make a genuine choice. – PrivacyPolicies
Actually, the GDPR is rather clear about what ‘consent’ means. To paraphrase its definition, consent must be 1) freely given, 2) specific, 3) informed, 4) unambiguous, and 5) given by a statement or by a clear affirmative action. Basically,
you must implement the five elements of consent every time you ask for consent from your users.
If you’re missing any one of these five elements, you don’t have consent under the GDPR. – PrivacyPolicies
In addition, you should keep a record of such consent, because you must be able to demonstrate that the user has consented to the processing of his/her Personal Data. Finally, consent must also be as easy to withdraw as it was to give, at any time.
Which legal basis, then?
Anyway, let us assume, for a second, that I chose to use consent as the legal basis for my comment form. Accordingly, I would have to add, for each field and each processing purpose (i.e. “specific”), a checkbox (i.e. “by clear affirmative action”) along with a clear and simple (i.e. “unambiguous”) explanation of the purpose of the data processing (i.e. “informed”). Of course, I would also have to add a checkbox for the IP address, which is another item of Personal Data collected by the comment form. Importantly, if there were more than one reason to conduct a data processing (e.g. IP address for spam protection and for website analytics purposes), I would have to obtain consent for each purpose separately, giving the person commenting an opportunity to consent to each activity individually. Last, but not least, apparently
you cannot require consent to data processing as a condition of using the service (i.e. “freely given”). In my opinion, this last point makes the use of consent as a legal basis for a comment form impracticable.
Practically, this is just not practical!
So, which legal basis should you choose – other than consent – for the comment form data processing?
Briefly, after describing his reaction to the WordPress privacy release as
rather disgruntled than enthusiastic, the author – Christian Behrends [3] – explains his concerns with the storing of the Name, Email and IP address. In his opinion,
this weighs more heavily than setting a cookie; and he adds
we prefer not to afford the luxury of casual handling of the GDPR. His strategy consists in making sure
that the user is aware that we keep their name, email address and IP address in our database, why we do this and what we do with it. To do so, he simply implements a mandatory checkbox with an
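As an added illustration (this is not code from the CogitActive post nor from Behrends’s article), here is how such a mandatory notice checkbox can be wired into the WordPress comment form using core hooks only. The point is the one made above: the box records that the commenter has been told what is stored and why, it does not collect “consent” in the Article 7 sense, so the legal basis stays legitimate interest. The `cogitactive_` prefix, the field name, the text domain and the wording are assumptions made for the example; the hooks (`comment_form_default_fields`, `comment_form_logged_in_after`, `preprocess_comment`, `comment_post`) are standard WordPress APIs.

```php
<?php
/**
 * Added example (not code from the CogitActive post or from Behrends's article):
 * a mandatory notice checkbox on the WordPress comment form, enforced on the
 * server, with a record of the acknowledgement stored next to the comment.
 *
 * Assumptions: the "cogitactive_" prefix, the field name "cogitactive_notice",
 * the text domain "cogitactive" and the label wording are made up for this
 * illustration. The hooks themselves are core WordPress APIs.
 */

// Markup for the checkbox. The label carries the explanation: what is stored
// (name, email address, IP address), why, and where the details can be read.
function cogitactive_notice_field_html() {
    return sprintf(
        '<p class="comment-form-cogitactive-notice">'
        . '<input id="cogitactive_notice" name="cogitactive_notice" type="checkbox" value="1" required />'
        . '<label for="cogitactive_notice">%s</label></p>',
        esc_html__(
            'I understand that my name, email address and IP address are stored with this comment, for display, spam protection and abuse handling, as described in the privacy policy.',
            'cogitactive'
        )
    );
}

// Logged-out visitors: append the checkbox to the default name/email/website fields.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['cogitactive_notice'] = cogitactive_notice_field_html();
    return $fields;
} );

// Logged-in users never see the default fields, so print the checkbox separately.
add_action( 'comment_form_logged_in_after', function () {
    echo cogitactive_notice_field_html();
} );

// The HTML "required" attribute is only a convenience: anything that POSTs to
// wp-comments-post.php directly skips it. Enforce the checkbox on the server.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Pingbacks and trackbacks also pass through this filter; they have no form.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata;
    }
    if ( empty( $_POST['cogitactive_notice'] ) ) {
        wp_die(
            esc_html__( 'Please confirm that you have read the notice about how your comment data is stored.', 'cogitactive' ),
            esc_html__( 'Comment not submitted', 'cogitactive' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// Keep a record of the acknowledgement (UTC timestamp) next to the comment row,
// so it can be shown later when someone asks what the commenter was told.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['cogitactive_notice'] ) ) {
        add_comment_meta( $comment_id, 'cogitactive_notice_ack', current_time( 'mysql', true ), true );
    }
} );
```

Two practical remarks: the server-side check in `preprocess_comment` is the part that matters, since the browser-side `required` attribute protects nothing against a crafted POST; and because the stored value is an acknowledgement rather than consent, the site still needs to document the legitimate-interest reasoning in its privacy policy rather than rely on the checkbox alone.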
What about the legal basis?
Here is his statement on that matter:
In my opinion, our legitimate interest (Art. 6 EU-GDPR 1.f) is preferable to the consent of the data subject as legitimation of the processing and sufficient. – Christian Behrends
Going, going… GONE!
To be continued…
[2] Ben Wolford (2019). What are the GDPR consent requirements? GDPR.EU.
[3] Christian Behrends (2019). GDPR-compliant Comments with WordPress. webdevtrust.