A lot of changes are coming for WordPress in 2018, and not the least of which is the General Data Protection Regulation (GDPR) that the European Union is enacting, beginning May 25, 2018. The TL;DR version is that the GDPR says that users have complete control over their data, and you have to tell them why you need it. At which point, they can give the go-ahead or not. Practically, however, it’s a little more complicated than that.
WordPress and the GDPR
Since WordPress is 30% of the internet now, we have a lot of cleaning up to do. Data trickles and flows between our sites and users, and GDPR says that it’s up to us to manage our sites well enough so that users can manage their data. Even though this is a regulation passed by the EU, it affects pretty much the entire world. Because if you collect a bit or a byte of data from a person in EU (regardless of your own location), you’re subject to this law because you then have information owned by an EU citizen. And if you are found to have been in non-compliance, you can be fined up to 20 million Euros.
That’s scary for a lot of people. But it doesn’t have to be.
The good news is that there is a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code before May 25. They have a website (and associated Slack channel) set up where admins and devs can keep up with the progress and to see what you need to do to get yourself (and your clients) in compliance. Here’s the breakdown of what you’re responsible for:
- Explaining who you are, how long you’re keeping the data, why you need it, and who on your team or externally has access to it
- Getting explicit and clear consent to collect data through an opt-i
- Giving users access to their own data, the ability to download it, and to delete it from your records completely
- In the event of a hack or security breach, letting your users know about it
For longer-form explanations of GDPR, you can check out our overview of data regulations in 2018, the official European Commission infographic on GDPR, and the official support post from Automattic regarding WordPress and the GDPR.
All that said, you need to know what you can do to comply with the GDPR. So here are some specific, actionable steps you can take to keep yourself (and your user’s data) safe.
The GDPR Opt-In
The single most important aspect of all this is the GDPR opt-in. Let me be clear on this. An opt-in is under no circumstances the same thing as an opt-out. The EU has said that you must “get their clear consent to process the data.” That means that users have to explicitly say yes, not only have the option to say no.
Here’s an example: you have an online dropshipping business, and maybe you use WooCommerce. When users get to your checkout page, you have a checkbox that reads “[x] Yes, I want to sign up for your amazing email list!”
No problem, right? If you have the box checked by default, you’re at fault. That’s giving them the chance to opt-out. That’s not what the GDPR opt-in rule says. They must say explicitly choose to share their information with you.
The same thing goes for comment sections that automatically subscribe folks to the comment thread, or any kind of automated contact that isn’t directly user-initiated. (Pop-up chat boxes like Intercom can be okay because that’s not reaching into their data, but could still be affected under the GDPR’s pseudonymisation clause.)
But your #1 goal is to take nothing by default. And honestly, take as little as possible when you do get explicit permission.
Ask for the Bare Minimum of Information
A lot of websites and forms and plugins and stores ask for information they really don’t need. In general, a good rule of thumb is to ask for as little information as possible from your users. If you don’t need their names, even, don’t take it. Or maybe only their first. Sometimes, all it takes is their email to get your job done.
That’s not to say that you can’t ask for the other information. The GDPR simply says you have to tell people why you need it. If you’re asking for their first and last name, tell them why. If you ask their birthdays, make it clear that you send out coupons as birthday gifts for example. Due to GDPR, there is no more asking for info “just in case” or “for future, undetermined projects.”
Many forms plugins let you include a note under/beside the primary label, so if you have a field for phone numbers, you can have a blurb that says “We ask for your phone number so our customer service representatives can expedite the set up process for your custom orders.”
Additionally, when you’re asking for information, the EU says you have to disclose “who you are […], how long it will be stored, and who receives it.” As to how and when you have to disclose this stuff, that can differ. The first one to is that you have to tell who you are at the same time you make the request for their data.
This is effectively no different than the required footers every email service requires you to provide. Just have a sentence or blurb explaining who you are, a single line stating that“This website’s data is handled by B.J. Keeton, the CIO of Awesomesauce International and its subsidiaries.” Or even something like “Data submitted by this form will be used by Awesomesauce International and no one else” will work.
That means, your contact form, sign-up form, checkout pages, wherever users may be giving you their info needs to clearly identify you and yours.
Your ToS and Privacy Policy
As for the other parts of the GDPR’s information retention clauses, you can include the details on the data’s why, how, and who in either your Terms of Service or Privacy Policy. And it’s a good idea to, as well, because these are part of the explicit GDPR opt-in.
The actionable step here is two-fold: First, make sure your ToS and Privacy Policy are GDPR compliant themselves. And second, create explicit required fields on every form indicating acceptance of both documents before processing anything. Checkboxes are fine, and text fields where users can type “I agree” are even better (but are truly obnoxious).
We have some more in-depth resources for you on this, too. You can check out how to add the required agreements to your forms here. And if you’re not sure where to begin on your Privacy Policy, we can walk you through that, too.
I would suggest adding a paragraph into your Terms of Service about accepting the Privacy Policy as a term and linking to it directly from the ToS. Then, in the Privacy Policy, add a paragraph discussing its role in the ToS, as well as exactly how your site manages data in compliance to the GDPR. Specifically, you will need to provide detailed instructions in your Privacy Policy explaining each of the following.
- How to access and download a complete record of any data you have on them
- The process through which users can fully delete their data from your records (and not simply unsubscribe, etc.) as a part of the ‘right to be forgotten’ laws previously passed in the EU
- Exactly how you will inform users of data breaches if they ever happen
- Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it
It is now more important than ever to have a Privacy Policy in place. It was pretty important before because Google wanted you to have one. And that importance has just skyrocketed.
Sounds Like a Lot, Right?
And it is. Luckily, you’re probably using WordPress. Because of our fantastic community, developers are hard at work already on so many ways to help with GDPR opt-in and compliance. There are still many details you’ll have to work out your business, but in the coming months, I would expect options popping up in your favorite plugins — or GDPR extensions made by third parties — that insert all the stuff I mentioned by just checking a few boxes and filling in a few fields.
Basically, to make your site GDPR compliant, it boils down to making sure you’re transparent with people. Let them know what you’re doing, don’t ask for extraneous information, and let them opt-in to giving it to you, rather than you taking it by default.
What steps have you taken toward GDPR compliance so far? Any tips you can share in the comments would be great!
Article featured image by Pe3k / shutterstock.com
Divi should offer a possibility to load google fonts directly into the theme, once from the google server, so that it is directly integrated, and is no longer loaded by the google server. That would be great
GDPR Request for DIVI:
Social links in the footer / header already have an active tracker (like Facebook Connect Tracker). Can these work without tracker? It really is not necessary. I had to take them down now completely, even though they are very useful.
Still no news on DIVI + GDPR?
Time is kinda running out, need some info from you guys at elegantthemes!
Second this, it was promised before the 25th of May. Only one day left to work changes in, hoped the support would be a bit more user friendly. :O(
Any idea when WordPress is going to launch consent collection and management tools. It’s also an important part in the GDPR.
WordPress 4.9.6 is live today. It has added a bunch on new privacy tools. Going forward, plugin developers are going to be able to make their plugins gdpr compliant and have it propagate the privacy page. Neat stuff.
I’ve read a good amount on the GDPR, but I still don’t get it. Maybe someone can help me out.
My initial reaction is similar to that of Hugo above.
EU = big brother.
I live in a sovereign nation. I own a website that is hosted in my own country, outside the EU. What gives the EU the right to foist a law on me that I never voted or was represented for? What gives EU citizens the right to tell me how to run my own web property?
In the above case, GDPR seems akin to someone visiting a foreign country and trying to take the laws of their own country with them. Sorry, that’s not how the world works, folks. You’re subject to the laws of the country you are visiting. If you visit Singapore and commit a crime, the crime might be punishable by caning. You accept those terms when you enter the country, whether you do so knowingly or not.
Some good old fashioned American non-compliance seems in order here. Then again, I’m always interested to hear the other side of the story. What am I missing?
I agree with Matthew Sheeks.
I just spent an hour reading stuff about GDPR before I began glazing-over from the mountain of information for what I would need to do to be compliant… And still find it confusing.
As an American citizen, I’m still not sure what gives the EU internet police the right to force, or fine me, because someone in Europe decided to sign-up for my stupid little newsletter, or I didn’t get the grammar just right in my privacy policy.
I appreciate the efforts to make privacy more transparent, but some of the GDPR stuff I have read is a little overboard such as having to inform people every two years that they can opt-out of my newsletter, even if that option is already printed in every newsletter I send.
I have concluded that the EU should just stop using the internet.
Hi Bernard! I totally agree with you. I think it is a little overboard too. I have 3 little blogs and some others of my customers, and had a lot of work, and I am still not finished. (And I am in Germany, where it is at worst. I heard some freelance plumber got a 3.000 € fine because he didn’t have his telephone number on his website. And that was before RGPD).
But also, I think it became a huge mountain of “I think that…”.
I have read some of the complete regulation itself, and it is quite different what is said from what you read everywhere.
I am still not sure about all this “checkbox to confirmate”… when you already press a button that says “subscribe” I think that should be clear and free enough. Other thing is when they say “Download this amazing PDF” and in fact they are adding you to their list. 😉
But because I am here in Europe… I will go a little with the flow, so I feel “safer”.
Wow, is everybody so naive here that one thinks that the forced upon GDPR law is favorable for website owners?
The (not) elected EU is just trying to control you! (and me for that matter).
What they did in Cyprus with the banks (test case for robbing you’ll even more, hehe) this rules (GDPR) are even worse, since they effect even those outside the EU.
Sure we implement them as best as we can, but we also understand the reason behind it. Do you? Tell me which seller that is serious… abuses their customers/clients info? I cannot think of anybody.
Regarding divi… we use several of the wonderful templates and it would be lovely if there’s some info on how to get a YES I want to be on your list addon for email optins. Anything about this?
What about if you use google analytics? Should the viewer get an option to opt in/out as well? And how does that work?
I used in one of my sites the cookie-notice plugin that allows me to set the analytics code in the plugin options, so it only works when they say “OK”. I think it is one of the best approaches.
I wonder if ET will publish an extra article about the GDPR (DSGVO) compliance of Divi, Bloom, Monarch, etc. It would be more user friendly for your customers, if there is a central information hub about the actual status of each theme or plugin. Till now we have to search for informations like this in comments or in the forum.
Great blog news, thank you. I am happy to use DIVI.
Is ET working on updating divi and Bloom to be compliant? As a paid resource, it is expected that ET be compliant too.
Yes we are working on this.
Thanks, Nathan. Glad to hear that. I just hope it’ll be rolled out prior to May 25th, so we’re not all scrambling on or after the 25th. Will it be ready within the next 10 days?
If you need any help with specifications or implementation-details, just let me know if i can help you out somehow.
Well milions of websites will change now. Sounds like oportunity 😀
What about monarch? Is ist GDRP compliant? I heard, that it saves the IP to the local database.
Yes I’d like to know about Monarch too. I hope it doesn’t supply data to advertisers or other third parties?
I also want to know about this. Does it send some kind of information before users use it? Does it save information, and why? I think to get the count number for a link and send the people to share (once they have used the button) should not make anything else.
Great article B.J. Keeton.
Can you offer any advise on GDPR when Cookies are being used?
I’ve added a very skinny cookie banner – with a very short “this site uses cookies”, a link to my Privacy Policy page [where cookies are explained], and an “I accept” button – to the top of my Divi site. This covers GDPR compliance with respect to the issue of cookies only.
If Divi does proceed with update their opt-in forms, they will need to provide us with NOT JUST ONE checkbox, but the option for 2-3 at minimum. There are situations for online entrepreneurs where they will need to have (at least) 2 checkboxes. I’ve just been in a seminar [given by a UK attorney] on GDPR, and the requirements are much more extensive than we think. Further, if you have an already established email list, you’ll need to have them opt-in again prior to May 25th. So, we all [any business that has clients in Europe] have much work to do on this before the deadline.
Not quite true. It depends what permission, if any, was given when the email was historically added to your distribution list. If is was added just because they bought something from you, you will need to stop sending until you get explicit permission. If you added it because your form had an opt-in to emails box the customer ticked, or the field was “enter email to receive newsletters” you will not need to get permission again – but you will need to be able to show this is the case.
Oh this is definitely true,
i had to implement a feature to allow multiple checkboxes for a form – we did the “dynamic” way and allowed up to “n checkboxes”.
Another implementation we did, was to implement PGP on the Mailsending-Process, so that the received mail can only be read by their respective key-owners – this would have been an interesting feature.
Both of these things would be very good to ensure that divi is still oen of the best product – i hate that we have to use various custom-implementations to work-around divi-issues.
best regards,
Edvin
I must disagree. I’ve been researching this for some time, and have spoken with more than a few experts on this very point. You must send existing list subscribers an email to request their consent again, regardless of how or why they originally consented to receive email from you. This will need to be accomplished every 2 years.
Hello guys
Are u going to charge old clients for make their websites GDPR compliant, or you going make it for free? 🙂
This was the response that I received from Vimeo about help regarding embedded video compliance. Basically, we’ll have our own compliance covered, as for what you do, you’re on your own. They also never really answered my question as to what information they take from visitors who view embedded videos on premium customer sites.
Meh. I can see that this isn’t going to be easy.
It’s an unfortunate, but necessary kick in the pants for all of us. Most of us have not even given it a thought–third parties using data from our sites and the privacy issues.
———————————————————
Hi there,
Vimeo is indeed aware of the upcoming EU General Data Protection Regulation (GDPR). We are currently hard at work on our implementation plan and we will be in full compliance with the law when it goes into effect.
Unfortunately, we cannot sign custom agreements or complete vendor registration forms. That said, we will be making adjustments to our Privacy Policy that will reflect specific GDPR compliance requirements.
Sincerely,
Nice post.
So based on other sources:
1- This only applies if you have customers or users from EU.
2- If you are a NON EU business or website and don’t do business in that region, meaning no euro currency in your checkout, region locked your sales to prevent EU users from ordering and no recognition of that region at all (no mention of EU anywhere), you should be safe.
3- As additional measure you could ban any visitor from EU to prevent capturing any IP from them or do an exception and never log IP’s from those specific visitors.
Continuing on that, if your website is explicitly for USA visitors (for example) and you don’t do any EU recognition of those users or allow purchase or services being provided to them (as stated in point 3 above), then if an EU user is visiting your website, that alone doesn’t mean you have to be GDPR compliant.
Again all of this is by reading other sources that go in deep with what the GDPR is about.
The way I see it, is fine to implement these measures after all some of the points are nice, like the opt-in explicitly, the ability to request deletion, etc. But is not possible for every business. In the case of wordpress core and woocommerce core, the features are being facilitated by their devs.
GDPR has WP plugin https://wp-gdpr.eu/. It works with default WP comments but not with Divi contact form, what is expected because there are also add-ons for several contact form servises.
But also GDPR has an offer for developers https://wp-gdpr.eu/wp-gdpr-in-your-theme/. I don’t know details but if Divi had such thing it would be great I suppose.
Hi, nice article!
Thank you for that!
Is it in the future possible to load google-fonts from local?
GDPR-Feature Request:
It would be great if any element in divi can be checked with an Opt-IN-Click feature:
In normal state its blurry and not loaded yet. When clicked it gets active.
This could be nice for contact forms / share buttons / comment functions etc.
The bit that seems to be skimmed over for me is how users download/delete the data that you have on them?
I have an e-commerce client and I’ve made it possible for a user to delete themselves but is there a way to fulfil the data requests easily yet?
As for my own site, I don’t store any user data in the backend, it’s literally just contact forms that send info to an e-mail address. I’ve got my Privacy Policy set up with Iubenda that includes the policies of all my plugins & contact forms. Is that as far as I need to go on a non-subscription site?
I am part of a school trust in the UK, we currently have 5 schools and a growing. We have someone looking after everything for GDPR,she has read this and asks about Cookies, she says this article does not mention cookies at all so can I ask about that as she says they need to be split into cookies that are necessary and tracking cookies. Can anyone help with this?
The GDPR doesnt comprehensively cover cookies. They should have been dealt with in the new EU ePrivacy regulations which should have been published at the same time as the GDPR but they couldn’t do it in time so they will be published next year instead. So for now there is no change for cookies and the existing Privacy and Electronic Communications Regulations (PECR) Act will continue to be in force.
Thanks guys. On the ball as always 🙂 Why do you need my URL 😉
You forget to point out that the
web design or webmaster or web security personnel can’t take any responsibility of the personal data that your client collect on their website.
You can just propose technical solution to them but to write the contnent for the ToS and opt-in they MUST consult their loyer.
Do not “copy and paste” any ToS you find on internet or you will get in trouble.
If,in the past, you collect any personal data is highly suggest to inform people what use you do with their data and for how long you will keep data even after they ask for deletion and why, with valid reason (mainly for fiscal reasons), and provide a link to access to their data.
Any not needed data must be deleted immediately after the request of the user.
If you have a contact form that store data rember to take appropriate actions.
You must collect data that are only strictly necessary for the service you provide on your website, again ASK to your loyer.
Remember gender personal data as “Mister or Madame”, in most cases, are non needed personal data.
Rember that you need to have a strong and safe backup of personal data you collect to be able to inform people of a data breach. If you lose all data in the data breach and you can inform people you will get into serious trouble.
For small web site or small web commerce, if you take the proper step, is not a huge isuee to be compliant with GDPR in case of doubt consult a expert.
Is ET going to update the Contact Form module for Divi and Extra to reflect GDRP so we don’t have to use alternative plugins or form plugins in simple contact forms?
In related news, I asked the Bloom folks about their plans today to create GDPR-compliant forms and they said this: “We are currently working on making sure our products and service are fully compliant with GDPR according to the compliance regulation enforcement date. We have no time frame on when this will be done at this time, however it will be reflected in our terms of service once this has been done.”
Not five minutes later, a client forwarded me this, in which MailChimp introduces their GDPR-compliant forms. https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
Hope Bloom gets on it quickly.
I just signed up to elegantthemes .. great product .. but for my clients the need for GDPR compliant forms is an absolute MUST .. especially for bloom. Please provide us with a solution quickly.
Thanks
Before you even get into contact forms etc there is the issue with Analytics, you have to get prior consent from your visitors before you or analytics can take any of their information, so you have to defer running analytics until they have ticked the consent box or refused to give consent for GA in which case you will have to disable GA for that particular visitor, now thats one to think about
If analytics do not collect any PERSONAL data you don’t need any prior consent.
Most analytics service are already compilant with GDPR and you can turn off collecting personal data ( ip address, demographic)
If your user is logged on your website you can collect any personal data you need of the service you provide (ask to your lawyer) if you indicated in the ToS when they register.
You can use different analytics setup for logged user and for anonymous/guest users.
GA collects ip addresses which when put with other data collected on site can make ip addresses personal data, not my words but the EU courts ruling in 2016 so yes i think consent has to be asked for.
A way around it is to anonymise the ip addresses in the tracking code tag which sets the last few numbers in the collected ip addresses to zeros so then the ip address can no longer be personal data
What GDPR will bring us in US is the same kind of regulatory anti-business and anti-innovation atmosphere that plagues EU. And Google has a total monopoly there.
IF we get GDPR, we small operators can drown from not being able to comply to the regulations, let alone keep up to understand them.
Google and Facebook and big tech will have no problem, gaining more advantage, and being the biggest fish in the sea, will work with government to drive and fund what helps them keep power and consolidate more.
It is no coincidence or compromise by Mark Zuckerberg to suggest to Congress to follow GDPR.
If you use companies which have US Privacy Shield you should be fine for the most part. But all businesses, large and small, in Europe have to comply…even sole traders, so you just have to put on your big boy/girl pants and get on with it. The law wont change.
One problem which hasn’t been even touched is pretty important for agencies, especially those who prepare sites for EU governments or other official places which need to be 100% GDPR or like it is called in its already enforced version in Germany DSGVO and South Africa has more or less the same law already!
The problem are all those advertisings in the plugins which track users in the backend! They are no more allowed too if the people running them don’t ask the users to top in.
Take i.e. the dashboard plugin of WPMUDEV – it pops up nearly everywhere even you have only one of their plugins installed. All those plugins link back – and that is no more allowed. The same applies i.e. also to the cloudhosted templates!
The problem can be solved easily!
You would need to do an optin from the backend to those services and before submitting the site to the customer there must be a chance to deactivate and opt out easily from all those services. If lateron the customer (End User) likes to opt in again – what he probably won’t do as he would lose perhaps any guarantee his agencies has given him (I would recommend putting that into your contracts) then they (the End User ) would build up again a contract with in that example DIVI Elegant Themes or WPMUDEV etc. but then THEY would need to make sure that all their thirdparties and all the thirdparties of the third parties and … snowball principal. 100% comply with GDPR.
Concerning CDN as this comes in again and again – don’t get fooled. Enable http2 and you probably can serve your site faster than from a CDN!
Another way you could use is you run your own CDN for all your customers in the same datacenter –
i.e. Hetzner.de offers now great cheap cloud space for 3 $ 2GB Ram etc enough power to run a CDN and on another your DB and again on another your Sites or even on several others the sites etc.
Also what hasn’t been mentioned is Datasecurity of Multisites.
Until now ONLY drupal and Processwire can run Multisites from separate databases and separate site folders.
For all those who like to see what a piece until now not really existing at WordPress is check out Facebook and download all your data you have ever posted, all likes, all pages etc p.p. In that point Facebook is since years completely GDPR compliant (but I would not trust them that they also delete all that data if you request a complete deletion.) but same could happen to you too.
Simply imagine that one 1% of all wpmudev members would ask for getting all their content out which has even stored, commented, liked by them. This would mean 6500 people approach them and perhaps some of them even ask them for the complete deletion of their content they have ever interacted with their sites. I would not like to be in their position as they have over 650.000 members alone in their membership and many members are perhaps already out and no more listed and they have those edublogs etc.. Good is that only EU citizens and people running a company or other businessed from EU even they are no EU citizen can apply for that.
What actually will happen we all don’t know, therefore there needs to be first a case at one of the EU courts and it must be public so you could follow the complete procedures. Unfortunately also in Germany layers already get prepared for those very lukrative jobs like US lawyers too who already call themselves specialists and run own forums etc.
Let’s see what on 25 May will be ready and GDPR compliant from all plugins which connect to their own servers without asking the enduser – at first place they would need to ask the developer or agency and as mentioned there must be a way to deactivate that whole shit.
GDPR has actually very good sides as it will help to reduce all those ads in the backend of plugins which constantly remind you to buy their plugins. GDPR will help that WordPress will be able to turn back what GNU GPL v.2 really means. Inspire to share and to develop things together.
Please update Bloom and Divi’s newsletter module so we can add a checkbox to explicitly opt-in to our mailing lists!
GDPR Compliant for EU website only or all ?
If there is any chance an EU citizen can go to your site and you collect data you must comply with GDPR
no for all websites worldwide as you can’t exclude until now only EU citizens – well OK you could run your own intranet and yo allow only people you checked before that they are no double passport holder, have no location in EU, and of course that they have no EU passport at all. In short – you must be crazy doing that so better comply – It will come soon in a harder form even to the US so don’t worry to much. I suggest you listen again carefully to the hearing of Mark Zuckerberg (7 hours) very recommended!
Will the EU Law Bury Affiliate Marketing?
Thanks for the post. This is an important topic with a lot of uncertainty about how it will pan out. Here is a GitHub thread on the Google Fonts issue. https://github.com/google/fonts/issues/1495 I don’t think it will be as big a deal as some people are making it out to be. Yes, your website would submit a request to a google server with an IP address, but can it be used by anyone other than yourself or google to identify an individual? Not likely.
Everyone needs to take a breath and tackle the low hanging fruit. Get your ToS and Privacy Policy drafted. The website mentioned in this post has a great template to copy. For those with some cash, there’s a generator here -> https://termsfeed.com/wizard/privacy-policy/ it will cost around 110 USD. I haven’t used it yet, but it’s a quick start.
Here is a similar post from WPMU Dev -> https://premium.wpmudev.org/blog/gdpr-how-it-affects-wordpress-site-owners-and-developers/
I thing I have noticed lately is a whole bunch of FREE GDPR plugins at wordpress.org.
It is a great time for people who like to get rid of ads and tracking in plugins who are premium with yearly subscriptions. Rename it so there won’t be a copyright problem (you remember perhaps the case with the duplicator premium clone) and don’t delete the copyrights of the original owners or even the GNU GPL parts, take out all ads, replace all scripts pulled from other servers with those from WordPress or which comes with the plugin (an option to choose is a good way). It is perhaps even a way to get new customers as right now many are looking for GDPR compliant plugins all over and they are still very rare. But perhaps it will be also the only way to make your site truly GDPR compliant especially if you have many sites running the same plugins and the plugin providers still did not publish any roadmap. I am very happy that I already got a response from DIVI that they will be 100% compliant and even will build in a way to deactivate the template cloud. I would rate DIVI and Elegant Themes as one of those devs who really care about GDPR compliancy and their EU customers. Thanks.
It will be interesting how plugins like buddypress, bbress,peepso etc. will be able to comply too. Let’s see!
Useful article, thanks.
My question is: for a simply website which just collect email in a contact form and/or for a newsletter, what we can explain to our users about risk of brench?
collect as little data as you really need. No phones no addresses no hobbies no images etc if you not really need it. You perhaps need the email to reply but if you even won’t need that don’t collect it.
But in the backend many plugins ace collecting full IP addresses i.e. all the log plugins -like “stream” and plugins based on it are illegal if not by design those IP addresses get cut off !
The same applies to any mail tracker where people haven’t opted in. and to make sure it is them better double opt-in
This is a good article. However, what is often missed is the information that you are already holding on individuals. Every article I have seen is based on the future and not what you are already holding on people. This article could do with being expanded to cover existing data.
Best way is to shut down all of them and ask them to opt in again. It is also a good way to clean your lists from dead mails which are no more in use.
You will need to contact your list and give them the option to opt-in to remain on the list or be removed. I’ve had multiple lists I subscribe to do this already in preparation. I have a feeling that a lot of people are going to be losing a lot of subscribers (though they might be inactive already).
It’s important to really consider who you do share data with. If you’re using email autoresponders such as Aweber, Mailchimp etc… then you are sharing user data.
You might also be collecting visitor data through Google Analytics, Facebook Pixels, webinar systems, membership areas, etc.
It’s ok but you need to be clear on who you are ACTUALLY sharing data with both in privacy policies and anywhere else that you’re claiming that “your data will not be shared with 3rd parties”. My understanding is this could land you in a very risky situation as you are then not adhering to your own policies and thus lying to your visitors/subscribers/customers.
It starts already here – one example:
You receive a newsletter-mail from wpmudev to one of theirs and other blog articles as you have subscribed, even years ago. the three – – – I have filled in. Have you ever copied our those links and checked what they actually all call. They track you right the way and that would be completely illegal, especially if you start sharing that mail i.e. forward it to someone who has NOT opted in – you could get in real trouble!
https: – – – //l.facebook.com/l.php?u=https%3A%2F%2Fwpmudev.us1.list-manage.com%2Ftrack%2Fclick%3Fu%3D53a1e972a043d1264ed082a5b%26id%3D04ebce1ce9%26e%3D23f927cb7a&h=ATMPOaqZZZ8eDceUbVKx_7ztxVeAJk_jR0UsGG2edvwgLxUQ68-Ut-sKpPz4qngbtwIv_lSRQjO4BQIMrRDqjbGz2LuD3YWIkQ4ye-1J1eCt7fizH6pA-T-f
I think it is useful to integrate the banner for the cookie law into the theme.
I’ll explain:
The “divi banner” (let’s call it that) has the button for accepting cookies (opt-in).
Once the button is pressed, the divi modules that depends on the “opt-in check” will become active.
Example: if we do not press ok on the cookie law banner, divi maps widget will not work. Obviously every divi module needs a link, for example a button “link to cookie law opt-in”, at least video widget, maps widget, text editor.
Sorry for my bad English, I hope I made myself understood.
Excellent summary, thank you. Lots of attention (in my community, at least) has focused on mailing lists but there’s plenty to think about on the website too. I welcome GDPR, personally, as it’s really about treating people as humans and not bits of data
So this includes any email contact forms or submissions. What if this is not stored in a database or merely added to Mailchimp? As far as I know Users cannot access that, only unsubscribe from it. Are we now required to set up a complete user database (like woocommerce) in order to allow user to delete their data (now we have to have user accounts)? None this make since and its just more BS regulations. You know what the choice the user has…if they want to enter their info in my contact form or not. That is consent enough. Screw the EU!!!
I believe a service like MailChimp will have to offer the deletion and access themselves since they are the ones with the DB and are hosting it for you.
What happens is an agreement between the controller (website owner – who first asks / gets the information) and the processor (MailChimp). You would need to explain in a privacy policy – MailChimp will be the one storing the email address. Have them give consent to this and then if they want to delete, update, rectify, etc – then they contact you and you contact MailChimp. You’re responsible as the Controller to ensure MailChimp is GDPR compliant.
It would be more likely that you (the site owner) need to modify your process to allow users to delete themselves from a MailChimp list. MailChimp’s API actually does allow for deletion, but most uses of the API only focus on unsubscribing, which is not the same. It’s likely that MailChimp integrations will need to expand to incorporate deletion if they don’t already.
B.J. – Great informative article on GDPR. I’ve been following this for the past year and it is good to see how WordPress is handling this matter. I can appreciate the opt-in vs opt-out. For the sites that I am working on now I told the clients that they needed to have a privacy policy in place. I found a privacy policy plugin was useful as a starting point. I am modifying the contact form so that the user understands why the name and email address is being requested on the contact form.
I’ve added a conditional tick box to all of my contact forms on my site.
But it does look clunky. Do Elegant Themes have any plans to streamline this?
It would be great if you added checkbox functionality to the optin module and Bloom.
I switched from the divi form module to gravity forms. It isn´t possible to add a checkbox with link to the privacy policy wich is kind of disappointing.
I hope ET will provide some functionality for the GDPR.
yes, it would be great to have this as Divi and Bloom are not free plugins.
+1
Yes please! We need it in Bloom, too. A required Checkbox “I have read and accepted privacy policy” where I can put a link to my privacy policy page.
+1
+1
+1
Yes, I’m hoping so also.
There are so many more issues than you noticed in your article. There´s a huge list.
Therefor you need to put the Google Fonts directly on your server. You are not allowed anymore to use it like before.
Also there is no chance to use scripts via CDN-links anymore.
And as I told you before….a lot more to be changed (comments, contact forms, gravatars, emoticons, SSL ….)
Do you know if Divi is working on creating a plugin that will manage these issues? I’m specifically concerned with the requirement that users can download and/or delete their information.
Heather. Update to WordPress 4.9.6 (new about an hour ago). It has a bunch of new privacy tools inc. the ones you mention. It also has a clever Privacy Page generator. Not perfect, but the WordPress dev community has been working on this for many months. Have fun
From my understanding (took a day long course just last week) there is nothing stating that the ability to download your information is required. The requirement states that is should be just as easy to take back consent, as it is given. So if you give consent through opt-in they you must make it just as easy for you ta opt out. If a user asks for the information you have 30 days to comply.
So as I understand it there is no requirement for downloadable data or auto-delete functionality.
More rules from the eurocrat parasites… I have to pay them taxes and they use their time on the clock to give me even more bureaucracy.
If you do not understand what privacy is and why is so important then the parasite is you.
Probably you even don’t understand why is necessary protect personal data of other people.
Are you not ashamed to publicly show of your limited point not view???
Diogene, if it were about privacy then governments and its institutions would not have been defined as an exception in GDPR. In fact THEY have the most data about us and THIS is against our privacy because for THEM our behaviour is completely predictable.
The GDPR is against small and medium businesses which can’t afford to deal fulltime with bureaucracy. And this way the big players take the data away from those who really are NOT the problem (which problem by the way? So much rules: to response to what crime?). So the big players have the data, they ARE the problem and they sell it to govs with all their love. THEY have no problem with it, in fact they suggested the enforcement of data privacy to governments on the last Davos conference.
Therefore this is all fake, dear – and Pieter is completely right.
I see it as (finally) a way of protecting my data – in theory at least. I’m a web designer but also a web user, I’m fed up with not knowing who has my data, why and who they’re selling it to. Read MailChimp’s Privacy Policy for instance, it’s frightening what they might be getting up to should they feel like it. I’m persuading my clients to change to a paid-for email marketing option!
Thanks Andi thats an excellent well written and informed post. I think there are very few people outside of the EU have any real idea what GDPR means and why its here – in my opinion its because of the apparent misuse of peoples data on a massive scale, the lack of security of that data think Yahoo or Uber breeches etc and the flagrant disregard that a lot of US companies seem to have regarding EU laws, Google and Facebook spring to mind think about paying the right amount of tax remember Apple getting fined €13billion for tax avoidance and and yes taking peoples personal data without their consent. The GDPR is the start of the EU fightback against this and its not going to be the last.
I think the likes of me based in Ireland with a few low traffic sites, so long as i have a decent GDPR compliant privacy policy which i am writing now will be ok, its the bigger operators and especially the outside the EU operators selling into the EU which will face the wrath of the EU and by that time we all will have worked it out taken the necessary steps and it will no longer be a problem.
Oh and as an EU citizen i think GDPR is a good thing – i believe in my right to privacy and the GDPR goes a long way to protecting that.
Thank went in the wrong place ill try again 🙂
Thanks for the article!
Re. forms – my understanding is that a consent checkbox is not always required for a contact form. It’s only needed if you’re using ‘consent’ as your legal basis for processing data (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/) For a standard contact form, often ‘contract’ might be a more appropriate legal basis. The ICO’s guidance states that ‘contract’ can be used when a user has ‘asked you to do something before entering into a contract (eg provide a quote).’
What IS important is to ensure the user is informed – e.g. adding a statement to the form which says something like ‘Your data will be stored and processed in line with our Privacy Information Notice [link]’ – or providing a short description of what you will do with the data actually above/under the form.
Thanks for the great insights, B.J.!
Regarding Elegant Themes specifically, how will this work with the email opt-in module? Will the module include the explicit opt-in or will we still have to rely on our ESP for that field? If Divi generates that checkbox, I assume the answer is stored in our WordPress database but if (for example) Mailchimp generates it, the answer is stored with Mailchimp?
I have the same question – i use divi email opt ins on my site and need to add a consent box that the subscriber agrees with the privacy policy.
Yea exactly. Where is this feature DIVI??? Seems like a must based on all of this
I wonder if we could configure CloudFlare to show an interstitial, one that must be accepted before even *seeing* the site? Probably wouldn’t be too hard.
well, i think when displaying the interstitial it´s way too late. cloudflare already has the complete IP and probably some things more. in the EU you need a contract with cloudflare where they will show you the exact details of what they collect (data). it´s the same with google analytics. if you do not use anonymizeIP in the tracking-JS it is against the (german) law. really!
People keep posting their beliefs and interpretations while being misinformed about lawful basis under GDPR. Consent is only one of the six lawful basis. For IP addresses in particular, check Recital 49 for Article 6, Point [f]:
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
Any company having a privacy policy stating what data they collect is perfectly legit to be used. CloudFlare is GDPR compliant and they are perfectly in their rights to log IP address for network functionality under “legitimate interest” as the lawful basis.
Everyone please, blanket statements are not helping anyone.
A bit nerve-racking.
Will you be updating the Divi contact form module for GDPR? It would be useful to have a way to specify why we need each piece of information against the form field so people can make an informed decision about whether to provide that information?
+1
By the way… your comments section is asking me for my name and email and saying they’re required without telling me why…
Not to be all political but I’m glad the UK is leaving the EU!!
EU GDPR is a good thing as users data will be more secure and should we end up on marketing lists, we can actually no get removed. What everyone here is missing (UK People), is that the UK government pushed this and this is an enhancement of the Data Protection Act (this now supersedes it). IF you already comply to the Data Protection Act then you are well on your way to complying with EU GDPR. Having said all this, it is a pain and my biggest compliant is that it has been un-publicised. 3% of my client base is aware of EU GDPR, think it is my responsibility to sort out for them “as its only for web sites”! This deals with every aspect of data held by a company on an EU citizen, yes websites, but also back office systems, computer printouts, spreadsheets on laptops etc etc etc. Even a photo of someone falls under personal information. We all needed more info A LONG TINE AGO, but thank you Elegant Themes for the article and I am sooooo glad WordPress is developing a solution (but time is ticking eeeek!).
We still have to comply once Brexit is over, the law will not change..there are rumours it could get worse, not better. Although I do take that with a pinch of salt. Just people stirring the pot I think.
Well, as far as I remember the UK brought up this regulation, forced over EU and finally left the EU… funny.
That doesn’t mean that you don’t have to comply with GDPR! You must if you serve EU clients :’)
regardless, the UK government has confirmed that GDPR will remain in UK law post-Brexit. So if you’re in the UK, even if you hold no data for people in the EEA, you’ll still have to comply… Oh and the Name/Email thing is fine for now. Arguably less so after 25th May!
Great idea
In Canada we are controlled by CASL (Canadian Anti Spam Legislation) and it requires all forms to specifically offer a YES and a NO when agreeing to receive emails whether it’s a newsletter, promotions, upgrades etc.
In the USA that is not the case (in my experience). You have a YES option only and a note saying you can unsubscribe at any time. We have to be aware when using any US based information gathering tools since they do not comply with the CASL standards.
True but this goes way beyond the CASL requirements, and forces that we offer visitors the option to know what is being done with their personal information, and most importantly, and omitted in the above description, how they can ensure that all traces of their personal info are removed from your servers and network.
Hi,
what will DIVI do with the Google Fonts. If I understood some texts correctly this is one problem at the moment.
Kind regards Frank
… and what about FA (Font Awesome)?
…and what about FA (Font Awesome)?
Very good question and you are absolutely right – it is not only Google Fonts as some fonts come from other third Party providers perhaps on those sites. The same applies to any content and script loaded from other sites as those could be used to track IP addresses of the site users.
there are many more problems that article covers about 5%!
Oy, yes, this is really complicated. I have reached out to Vimeo regarding embedded videos that I have on my website but are hosted on Vimeo. They have provided their customers with zero information regarding compliance.
Privacy Badger identifies Google fonts as a tracker but says that they aren’t tracking information.
After searching for hours I found a Plugin which works with the Divi Theme. It is called “Remove Google Fonts References”. After I had activated it I checked on Chrome and the WASP.inspector and I hat not listet the Google Font servers as sources anymore. I found the solution in this post, where it is described as well how you can do it in the functions.php. https://technumero.com/remove-google-fonts-from-wordpress-theme/
Note that the other plugin mentioned there (disable Google fonts) did not work.
Did not work at my site
I’m not quite sure I understand, Frank. I haven’t heard anything in regard to Google Fonts and GDPR. Or is this a separate issue?
We exclusively use divi are very worried, because of the Google services in general. For the time being we solved the font problem with a plugin.
But to make Divi really DSGVO safe we need:
Embed YouTube videos with no_cookie
A safe way to integrate Google Maps
No third-party scripts!
Contact forms with a standard-checkbox and free text.
Cookie notice on the website.
Thank you for your work
Frank
I really do not get this part about needing checkboxes everywhere… I think that some explanation and pressing a “SEND” button in a form-box should be agreement enough. Other thing, is if you want also to add this person to your subscribers lists too when they send you a message through contact form…
You are talking about implied consent, where you could place a message that said “If you press SEND”, then you agree to our terms and conditions etc.. EU GDPR says that you must define what the user is agreeing to and also record the fact that they agreed, so adding a tick box to a form that explains what they agree to will record their acceptance(and pre-filled tick boxes do not comply with EU GDPR – the user must confirm agreement). So down the road if you are approached by your countries governance body, you can present them with the evidence that the user had to “tick” the box, therefor agreeing to your conditions.
This is the whole point of GDPR. People need to consent to everything, as assumed consent is no longer permitted. Assumed being where they tick a box and you assume they want to get all your marketing when in fact they only wanted 1 piece of information from you.
Taisa – not at all. For now even the contact form need this checkbox – because you store personal data from customers.
i guess, there will be some more time to get the 100% solutions – but it’s important to do the easy stuff for gdpr.
i think the biggest problem is the user-data storage. The gdpr says that the customer should get access to all stored data from him. this means that every company should rethink all data-processes. Emails or hundreds of software will lead to bigger problems – you need to be best prepared one place to to handle everything…
just crazy
If these comments are accurate, Germany has banned the internet. Every data fragment contains IP routing information that could potentially pass through any almost server on the planet and be recorded. Even VPNs can’t hide identity data with 100% reliability. Google Fonts, CDNs like CloudFlare and other cloud-based services like AdSense and AWS are all vital parts of many businesses. I’m sure it’s not the *intent* of any law to destroy them, but it seems misinterpretation of these laws could do so.
Lol it is not Germany it is the complete European union.
We can use cloud services, but they need to be in line with the data privacy regulations.
Up to now gfonts is not in line. Because google use the loading of fonts also for tracking purposes, which is not allowed in this case.
It´s not a misunderstanding of the new law, it is really deep research to really understand it.
Because my first reply 2 days ago is not shown on ET (there was a link to my websites privacy policy) I try it a second time without link in this text. There is a text made by a German lawyer (eRecht24) just mentioning Google fonts with a link to Googles info about that. That’s it. Google Europe, located in Ireland, is following the GDPR. I signed a contract with Google as well. Don’t know about websites outside of Europe.
Just scroll further down on my page to the english text ‘Google Web Fonts’.
Chris, Germany
Well, eRecht24 didn´t integrate all the topics they should have. I booked their premium service too and realized that it is not complete. After days of research and studying this new law I can say Google Fonts are not allowed anymore like they used to be.
Because they are loaded on your site before you have the chance to get the users agreement on it. And Google Fonts are collecting data!
Google fonts collects logs records of the CSS and the font file requests from your site. It collects NO user information. Users do not need to agree to this.
Is not completely correct that you don’t have the chance to get users agreement for Google fonts. I managed to make them to not load until you accept the Cookies message with a very simple plugin. This plugin has a field for code that will not load until the user presses “OK”, so I moved my code there, because in this site, it is not so important and changes not so much with similar common fonts.
In other sites that I really don’t want my fonts to change, because they are very important for Branding purposes, I will check the option to load them directly. It is not so much problem though, I have made that before too.
With the Google fonts loaded directly from Plugins, I think you should have the choice to not use them. Maybe you don’t need them. I don’t understand why, but one plugin I tried used them only for ITS own interface! (only seen by admins) No sense at all.
The discussion on Google Fonts and GDPR compliance — https://github.com/google/fonts/issues/1495
There are so many more issues than you noticed in your article. There´s a huge list.
Therefor you need to put the Google Fonts directly on your server. You are not allowed anymore to use it like before.
Also there is no chance to use scripts via CDN-links anymore.
And as I told you before….a lot more to be changed.
using google-fonts and google-maps is really a question here in germany. google does not offer a contract for using this. google analytics does. so including google-maps and g-fonts is not compliant as people do think here in germany.
furthermore we need a statement from ET what data is stored/transferred when using update-service or other connections within the divi-universe. so it´s not only a WP-thing but also a special thing for ET if people from ET intend to do business within the EU.
No. The problem is (if I understand the posts here an Germany correctly) that the Google Fonts were loaded directly from the Google Server and not from the privat server. That means that some informations goes directly to Google what should be a problem in privacy. The people here recommend in this case to download the Google fonts to the server (website) direct and change the loading of this fonts in the theme …
Surely this is only the case if Google are taking data from your site and feeding it back to their server? There is nothing wrong with pulling information / content from somewhere else as long as they don’t have access to your users directly.
In real, Nice one article and full of information!
Good timing BJ – I keep reading about GDPR so this post is a good prompt to start looking in detail 🙂