GDPR compliance and WordPress: The Ultimate (and Practical) Guide for data privacy

GDPR: here are 4 letters that, combined, can give a headache to website developers and marketers, since its implementation on May 25, 2018!

Yes: since all this time, the GDPR, acronym for General Data Protection Regulation, has become well established in the minds of web users!

But if you own a website and have not yet heard of the GDPR, then it is time to get seriously informed!

That’s good: WPMarmite had met with lawyers as early as 2018 to get a little more clarity.

So, we took the decision to detail, step by step, the different key points to consider in order to make your WordPress site or your WooCommerce store compliant with this regulation.

No legal jargon, no references to obscure parts of the law: only concrete things for WordPress and WooCommerce website creators!

To write the initial version of this article, we called upon the advice of a law firm: thank you to them! However, this is only a source of general information, which cannot be interpreted as a real legal advice. If you handle a large amount of data on a daily basis, we can only recommend that you call on professionals who can help you to comply.

The original version of this article is the French one. Please keep in mind that WPMarmite is from France.
The French law is not the same as the law in the U.S., the U.K., Australia or any other country.
Therefore, this article will guide you but make sure you double check with the law of your own country and with the help of professionals in this field.

On that note, let’s see what we’re going to talk about!

What is the GDPR?

The General Data Protection Regulation is a European regulation that came into force on May 25, 2018. Voted in the European Parliament in 2016, its application is worldwide, and you can find more info right here on the GDPR.eu website.

The purpose of this regulation, which has shaken the practices of professionals and individuals on the web: to ensure that all individuals control and protect the personal data they disseminate during their browsing on the web.

What is personal data?

Is considered personal data any data that directly or indirectly identifies an individual:

• We can directly identify an Internet user thanks to their name, first name, but also their email address or phone number, and any type of demographic data (job function, gender, age, …) or geographical data (location, workplace, …).
• These personal data also include purely numerical information of an Internet user (IP address), or behavioral data (actions carried out on a website, such as visits or clicks). Even data shared on one’s own initiative, such as the posting of a photo or a like, also count in this definition.

Alright, are you ready to keep going?

Concretely, what does the regulation include?

To be very concrete, there are three important components of the GDPR that need to be taken into account:

• The improvement of user consent when a website collects personal data, the visitor must be informed that they are sharing their data, and explicitly know for what purpose.
• The traceability and high security of user data. Law tightens existing regulations regarding data security breaches, and makes the company that collects them responsible for their proper storage and protection.
• The right of the Internet user to rectify, modify, delete or collect their personal data at any time.

All these elements influence the way a website is created and managed.

Who is concerned?

The GDPR concerns any person, natural or legal person, who would be led to use in any way personal data of citizens of the European Union in the course of their professional activity.

As a reminder of geography, the UE in 2021 corresponds to all the countries in yellow:

If you collect, use or store this type of data, surprise: you are right in the target of this regulation (and potentially in the viewfinder of the EU Regulation)! And this, whatever the sector of activity or the size of your company.

Note that the GDPR also applies to internal company data: the data you collect on your employees, in personnel files, for example.

Another very important point: even if you or your company are based, or store your data, outside the European Union, the GDPR applies to your business.

Indeed, the regulation is placed from the point of view of the Internet user: if you process data from an individual residing in one of the 28 EU members, you are concerned.

What about WordPress developers and agencies?

Many WPMarmite readers, especially WordPress developers and agencies, will think, “Okay, but I just process the second-hand data that my clients collect”.

Wait a minute! You are also concerned, as subcontractors. Roughly speaking, if the processing you do of your clients’ data does not comply with the GDPR, you also risk getting a slap on the wrist.

And most importantly, if you are not GDPR compliant, you risk having some customers refuse to do business with you from now on!

So it’s a matter of planning how you address this use of data in your current and future customer contracts.

Here are some elements to mention in your contracts, in a specific part about the use you make of your data, to be right on course:

• The name and contact details of your Data Protection Officer (DPO) (you don’t need to name one if you don’t deal with a mass of data on a daily basis);
• The method you use to collect, store and use your data;
• How you secure your data;
• Your possible relationships with other subcontractors, who would use the same data;
• Your method of notification of a security breach, and possibly your process for correcting or deleting data at the request of users (see part 4 of this tutorial: everyone is concerned!).

What are the penalties?

Even before the GDPR, the law already applied penalties in case of offences involving personal data. Admittedly, in practice, these were rarely applied, or with relatively low fines.

But the GDPR has reinforced the system of penalties already in place. And the administrative fines detailed in the regulation are much more dissuasive! They are expected to reach 4% of the revenue of the person or company concerned, and up to 20 million euros for the most serious violations.

This is why we will now guide you step by step in bringing your site into compliance with these new obligations.

What should you include on your WordPress site?

Let’s get started: let’s look at the best practices you should apply to your WordPress site.

1. Have a privacy policy

The first key point of the GDPR is the need to place clear and transparent information on your website for users.

You must therefore seriously consider your site’s privacy policy and review your general terms and conditions of sale (if you have a store).

Your privacy policy page, usually located in your footer, should explain concretely what you do with this data.

So make it appear:

• Your contact information, as well as the editor of the site, and its host.
• What type of data you collect when you register or order on your website: name, first name, email, telephone, postal address, IP address…
• Why you collect this data: newsletter communication, billing, tracking user behavior on the site..
• How long you store this data: you can keep marketing data for up to 3 years, and order-related billing data for up to 6 years.
• The security measures you have put in place to ensure the protection of this data, as well as how they can exercise their right to modify or delete this data. This is what will interest us in the 5th part of this article.

These elements should appear in a page integrated in your footer.

And good news: Starting with WordPress 4.9.6, you can create your Privacy Policy page directly from the Settings > Privacy tab of your WordPress interface. While this feature is handy, we still recommend that you hire a professional to design it.

You can use a page with pre-written paragraphs, or you can create your own personalized page in a simple way.

Warning: your Privacy Policy page should also appear at every moment your users share their data (typically in contact or download forms), to inform them about the use of their data.

Putting these elements in place on your WordPress site is first and foremost to save you trouble with them (reports and other threats…), and to install an aura of trust.

2. Review all forms on your WordPress site

The elements that are most impacted by the GDPR on the web are the forms. This is indeed a key point of contact between you and your visitors, where they share their personal data with you.

And on a site, there are forms! So let’s see how to optimize them to comply with the regulation.

Many sites use forms, for example, to offer newsletter subscriptions or to download documents. However, at this point of contact, your users share personal data with you: their email at least, and why not their first and last names.

WordPress site creators generally manage these forms, known as “opt-in” forms, via plugins such as OptinMonster coupled with a Mailchimp or MailPoet (there are many others).

Here we are in the case where the compliance of your website depends on a third party, which we talk about in the part “Check on your WordPress plugins“.

Whether you delegate this task to a plugin, or whether you have built your forms yourself, you should in any case check that you can:

• Add a transparency statement indicating who the controller is;
• Specify the reason for collecting the data (for example: “Enter your email address to receive our newsletter”);
• Specify the associated rights i.e. how to access their data, but also how to modify and delete them at any time (i.e. unsubscribe);
• Refer to the Privacy Policy for more details on the various terms and conditions.

Regarding the famous check boxes, it is not necessary to add them to obtain the users’ consent in the case where there is only one reason for collection (in this case, to receive a newsletter).

On the other hand, if you plan to share this data with partners and prospecting, the user must give consent for each of these uses. In this case, a form should be accompanied by the mention of transparency as well as two checkboxes (one for each additional consent).

Also note that you cannot ask a client to leave you data that is not related to what they are registering for.

For example, if you ask them to subscribe to a newsletter, you don’t need to ask their gender or age.

No more Big Data, time for Smart Data!

I therefore invite you to take check on the use of the data you intend to collect and to create forms with the right mentions (and possible checkboxes if necessary).

The forms are done: consent is assured. Let’s move on!

3. Check on your WordPress plugins

To find out if your plugins are GDPR-compliant, you’ll need to conduct your own little personal investigation.

Start by listing all your plugins that could have something to do with:

• Collecting consent and data from your users: form plugins, comments, retargeting plugins, etc.
• The use of your user data: content customization plugins, visitor behavior tracking, newsletters, automated marketing, etc.

Then, search on the official sites of these plugins or in their documentation what their developers have done to align with the GDPR.

Search for GDPR directly on their site or do a Google search of this type: site:woocommerce.com GDPR

Many of the most popular ones have been compliant since 2018.

In case an a plugin is not able to comply with the GDPR, it is advisable to find an alternative to replace it. Not easy, we concede… but absolutely necessary.

All the APIs you have authorized (Facebook, Twitter, or Mailchimp, to take only these famous examples) are also concerned. But don’t get too worked up: as long as you know what APIs your site uses, what data they process, and you keep a record of all this (see the section dedicated to this point): there’s no need to eliminate them from your WordPress site.

4. Establish a strong data security process

It is more than ever the responsibility of the data owner to pamper data, notably by protecting it against any security flaws, but also by allowing individuals to have a right of control over it.

4.1 Create a process for erasing or modifying data

With the GDPR, each type of data now has a specific legal retention period. You do not have the right to keep customer or user data indefinitely without using it, for “just in case” reason.

For example, Google Analytics had quickly integrated this into its solution after the regulation was implemented, without making its users lose their visit history.

The GDPR thus obliges you to:

• Keep a maximum of 36 months of inactive contacts (who do not open your emails) in your database;
• Re-display the cookie acceptance banner for the user after 13 months.

However, the GDPR also provides that you must inform any user, before they share their data with you, that they have the right to withdraw their consent at any time. And on top of that, the regulation specifies that this must be done easily for the user!

So you will need to set up a simple procedure that will allow your users to:

• Withdraw their consent
• Access their data
• Modify them
• Ask to delete them
• Ask to transfer them to a third party (this is called the “right to portability”)

You could create a specific page dedicated to this procedure on your site, containing a precise request form. But your contact form is quite suitable (you are not going to receive this kind of request every day after all).

So think about doing the same on your newsletters (normally, an unsubscribe link is present).

My advice: redo yourself the user path of your visitor, to detect all the moments when they might want to exercise their right of withdrawal or deletion. A real work of art, which will allow you to set up a really clear process.

If you receive a deletion request, go to the tab Tools > Erase Personal Data from your administration.

You will then be able to manually delete the data of the user who has asked you to do so, by entering their email address.

Have you been asked to have access to all the personal data left on your site? Easy: go to Tools > Export Personal Data, and proceed in the same way. You can then send a .zip file containing all the data of the user in question.

Bye bye data!

Want to let your users manage the deletion or modification of their data independently? Use the GDPR Data Request Form plugin. Simple and efficient!

4.2 Prepare for a possible security breach

You must also ensure that you effectively guarantee the security of your users’ personal data.

Here are a few elements that you must therefore take into account:

• It is necessary to put in place adequate measures and techniques to guarantee a high level of security for your users’ data. Data encryption, anonymization… Your internal processes must be clear on this subject.
• You must inform the supervisory authority within 72 hours in case of a security breach. In some cases, you must even inform the user concerned, especially if the breach is likely to create a high risk for their rights and freedoms.

5. Set up an internal data processing register

Prior to the GDPR, any company processing personal user data had to report it through a reporting or authorization system.

Since May 25, 2018, this procedure is no longer necessary, and is replaced by another obligation: that of keeping a data processing register.

The idea? Set up, internally, a complete documentation that certifies that you are in compliance with the GDPR. A data mapping to show good faith, in short.

Your register must answer three key questions about your data processing:

• WHO: list the internal persons who process data and, if applicable, your subcontractors, making sure that they are also in a process of compliance with the GDPR and planning to review your contracts;
• WHAT: map the personal data processing carried out by your organization (type of data collected, purposes of processing, proof of consent, information brought to the attention of the persons concerned, etc.) ;
• HOW: check how this data is processed (transfer abroad or not, hosting or not, archiving or deletion of data, etc.) and what security measures are in place internally.

This register must be kept up to date at all times.

Yes, this is no small task for those who handle data on a daily basis! But that’s the role of your Data Protection Officer, or DPO.

A veritable conductor of personal data, the DPO has the mission, in particular, of monitoring the entity’s compliance with the GDPR and cooperating with the supervisory authority of each country.

It can be an internal person (technical, legal position…) or an external person (lawyers, consultants…). Smaller organizations can share a DPO among themselves.

However, the lawyers we interviewed warned us about internal conflicts of interest. For example, if you appoint your agency’s marketing manager, it is highly likely that his/her opinion will be biased on the use of the data for his/her newsletters..

So appoint a data fanatic who will look closely at the law and your personal data practices and keep your registry up to date.

Phew, that’s a lot of work, huh? If you have an ecommerce site, stick around: we’re adding a few things you shouldn’t overlook. Otherwise, you can go directly to the part about marketing levers to eradicate from your practices.

How to make a WooCommerce store compliant with the GDPR?

Because a showcase site or a blog and an ecommerce site don’t mix the same type of data, it is essential to make a special point on what happens to sites using WooCommerce.

You will discover here some specificities not to be neglected in your compliance. Of course, this doesn’t exempt you from setting up everything we just talked about (an online store under WooCommerce remains a WordPress site).

1. Appropriate General Terms and Conditions of Sale

The General Terms and Conditions of Sale are similar to the General Conditions of Use, except that they assume a commercial relationship between the user and the website. It is absolutely mandatory to put them on a dedicated page in the footer of your WordPress site.

If you don’t have this page yet, it’s high time to create it! (Seriously, you sell without Terms and Conditions?!)

Then go to the “Settings” tab of your WooCommerce plugin, then to “Order”. In the “Page setup” part, you will find a field “Terms and conditions”.

As WooCommerce indicates, once this page is selected, an additional box will appear when a user will land on your order page. They will then have to check this box to certify that they have read these Terms and Conditions of Sale, and agree to follow them.

2. An order page where your Privacy Policy appears

In the case of an ecommerce site, your Privacy Policy must appear clearly in the order forms.

Since version 3.4 of WooCommerce, you can automatically add the transparency mention needed to be GDPR compliant, with the possibility to customize the text to be displayed.

Everything is done in the Settings > Accounts and Privacy tab of the plugin.

3. Perfect WooCommerce subscription forms

You probably know it: in WooCommerce settings, there are several ways for the user to share (or not) their data with you. They can :

• Create an account during order validation
• Create an account from the “My Account” page
• Choose not to create an account to order on your site

But what about GDPR?

It’s simple: whether your visitor creates an account or not, they will have to enter information related to their order (delivery address, first and last name…) as well as their email address to allow them to track their order. But if you have followed everything so far, you know that this is personal data!

Here again, whatever the settings you choose, you will have to add a transparency note to your WooCommerce forms leading to your privacy policy.

4. Customer reviews in compliance with the regulation

On WooCommerce websites, nothing is better to increase the credibility of your product than customer reviews. The GDPR also changes the deal on these elements, which also require prior collection of user consent to publish them.

To make sure you are in compliance in this regard, it’s simple: you only need to authorize their publication when the visitor has purchased the product (and has therefore previously accepted your privacy policy, and given his/her consent).

Go to the “Products” tab of your WooCommerce plugin, and check the box “Reviews can only be left by “verified owners”.

If the buyers are verified, it means that they have placed an order and have accepted your privacy policy. Easy-peasy!

5. The problem with your abandoned cart plugin

If you have a WooCommerce website, chances are that you use a WooCommerce abandoned cart plugin, to catch the ones who wouldn’t have finalized their order.

The problem, you can probably see it coming from far away, now that you are experts of the GDPR: yes, still the harvest of consent!

Because, when a user abandons their cart, plugins like YITH Recover Abandoned Cart, Jilt or AutomateWoo still collect data, and this without them having had the time to check the box on the Terms and Conditions. Ouch. Totally not GDPR-friendly.

The solution, which gets around the problem a little but resolves it temporarily: add a small text inviting the user to check your Privacy Policy, just below the field where they must leave their email address.

To do so, you’ll use a small code snippet, adapted from the WooCommerce documentation.

The Jilt abandoned cart plugin is one of the good students in its category by adding a transparency message and a link to oppose this practice.

6. What about deleting and modifying data on WooCommerce?

If your customers ask you to delete or to have access to the personal data they have transmitted to you in the past, how to proceed?

Here again, WooCommerce thinks of everything for you, in the Settings > Accounts & Privacy tab. You will find there two checkboxes:

They will add to your users account settings the options related to the deletion and mobility of their data, for a store totally in accordance with the regulation.

As soon as a request is made, the plugin takes care of the requested manipulations automatically. Fingers in the nose!

I can hear you sighing: “It’s not over yet, these consent and data issues”!?

Yes, yes, don’t worry: you still have to check that you don’t make any marketing misstep with respect to the GDPR.

What marketing practices are prohibited by the GDPR?

In your daily life to find or convert customers, you handle data.

You prospect to find new customers, you send emails to retain those who follow you, you do retargeting to retrieve the visitors that you did not convert, etc.

In short, you are juggling with personal data.

But many of these practices have now moved to the dark side of the force… at least if you don’t inform your users beforehand, in your Privacy Policy.

So here is a quick checklist of marketing levers for which you need to collect the consent of your users:

• Sending emails (marketing newsletters or prospecting emails: same treatment)
• Profiling (i.e., tracking the behavior of your users on your website, such as their purchase history or the time they spend on a page)
• Retargeting (i.e. is the act of re-presenting an ad to a prospect)

Well, when it comes to profiling and retargeting, as a marketer, I’m scratching my head about the consent requirement…

For the moment, the first goal is to show the supervisory authority your goodwill towards the GDPR, despite the confusion that still reigns around these practices. The ePrivacy Directive (which was supposed to increase the GDPR directives by 2021, but whose implementation date has been postponed), will no doubt tell us more, especially on the use of cookies…

But no, dry your tears, dear readers. From my point of view as a web marketer, the GDPR is a great opportunity to rethink your marketing strategy, to give more freedom to customers in the choices they can make.

No more debilitating push mails, banner ads that don’t convert, and irrelevant side product proposals. Make way for the omnipotence of SEO and good content!

What should we think of the GDPR?

If the GDPR seems to be a binding regulation, I wanted to finish this article on a critical, and above all positive tone. Stay tuned, you’ll see that there’s some good in all this legislative mess!

Points of attention

• Note the rather unclear side of the regulation. In the text of the GDPR, there are many references to the national laws of each country… Don’t forget, if you process the data of users residing in other EU countries, to find out about the application of the regulation there. You can find more information here on gdpr.eu and also a checklist for US companies.

The positive points

• Companies, agencies, and WordPress developers who adapt their practices to the GDPR now have a true expert image and increased credibility. By setting up clear Terms of Use, and by showing your efforts on your website, you create a true relationship of trust with your users.
• The GDPR was also an opportunity to take a closer look at the experience you offer your users on your website, as well as the security of your site and the data it collects.
• Beyond all professional considerations, we can be happy that regulation will finally allow us to regain control over the personal data we collect on the Internet (we are all Internet users after all).

So tell us in a comment what this regulation inspires you, and if you have found good practices to be GDPR-compliant!