If you’ve been on the internet the last few weeks, you might have noticed everybody and their mother is making you accept new privacy policies to continue using their site.
This is because the European Union’s General Data Protection Regulation (GDPR) will come into effect May 25, 2018. The GDPR sets new policies on how website owners can collect and store user data. It’s designed to protect users living in the EU and give them more control over how websites collect and store their data.
But here’s the fun part—even if you don’t specifically serve European users, we all need to be in compliance because people living in the EU can access your site. Hypothetically you could be fined 20 million Euros or more for failing to comply. So even if this is the most boring blog post you read today, it could save you 20 million Euros.
Disclaimer #1: This is not legal advice. This email is based on my own interpretation of what I’ve read online regarding GDPR compliance. There is still lots of confusion out there about exactly how this affects us all. Consult a lawyer for actual legal advice.
Disclaimer #2: I put this guide together for my clients, who use WordPress sites for their small businesses and nonprofits based in the United States. They use Google Analytics, have contact forms, and possibly a few other simple data collection tools. I’m putting it out as a resource for anybody who might find it useful, but your site may collect user data in ways not covered here. So feel free to use this as a starting point, but do your own research as well.
For most of my small business WordPress clients, there are three main areas to address for GDPR compliance:
Google Analytics – Anonymizing IPs
The main way many of you collect user data is with Google Analytics. Any aggregate data is fine (i.e. anything that can’t be traced to an individual user).
The GDPR is concerned with personally identifiable information (PII), such as email addresses, usernames, birth dates, etc. None of this is captured by default, so if you haven’t configured your settings to include this kind of PII, good.
Google Analytics does collect user IP addresses, which are considered personally identifiable information. You can’t see them, but they are on Google’s servers, and as the site owner you’re still responsible.
To be safe, multiple sources have recommended anonymizing the IPs Google Analytics collects. This involves adding a snippet of code to your Analytics tracking code.
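As an added example (not code from the original post), here are the two forms the anonymization setting takes in the Google Analytics tracking code, for the older analytics.js snippet and for the newer gtag.js snippet, together with a small helper that mirrors what Google documents the setting to do (the last octet of an IPv4 address is zeroed, the last 80 bits of an IPv6 address are zeroed). The property ID is a placeholder and the sample addresses are constructed; the helper is an illustration of the documented effect, not Google's code.

```javascript
// Added example, not code from the original post. Shows the analytics.js and
// gtag.js settings that turn on IP anonymization, plus a helper that mirrors
// the documented effect of the setting. Property ID is a placeholder.

const GA_PROPERTY_ID = 'UA-XXXXXXXX-X'; // placeholder: use your own property ID

// analytics.js tracking code: 'anonymizeIp' must be set before the pageview is sent.
function analyticsJsSnippet(propertyId) {
  return [
    `ga('create', '${propertyId}', 'auto');`,
    `ga('set', 'anonymizeIp', true);`,
    `ga('send', 'pageview');`,
  ].join('\n');
}

// gtag.js tracking code: the same setting is passed as 'anonymize_ip' in the config call.
function gtagConfigSnippet(propertyId) {
  return `gtag('config', '${propertyId}', { 'anonymize_ip': true });`;
}

// Expand an IPv6 address to eight 16-bit groups (handles a single '::').
function expandIpv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) throw new Error(`invalid IPv6: ${ip}`);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const fill = parts.length === 2 ? 8 - head.length - tail.length : 0;
  const groups = [...head, ...Array(Math.max(fill, 0)).fill('0'), ...tail];
  if (groups.length !== 8) throw new Error(`invalid IPv6: ${ip}`);
  return groups.map((g) => parseInt(g, 16));
}

// Illustrates what Google documents the setting to do: the truncated address
// is the value that is retained, so it no longer points at a single host.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);
    // keep the first 48 bits (three groups), zero the remaining 80 bits
    const kept = groups.slice(0, 3).map((g) => g.toString(16));
    return `${kept.join(':')}::`;
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`invalid IPv4: ${ip}`);
  }
  octets[3] = '0'; // zero the last octet
  return octets.join('.');
}

console.log(analyticsJsSnippet(GA_PROPERTY_ID));
console.log(gtagConfigSnippet(GA_PROPERTY_ID));
console.log(anonymizeIp('203.0.113.42'), anonymizeIp('2001:db8:85a3::8a2e:370:7334'));
```

Whichever snippet your theme or analytics plugin uses, the setting has to be in place before the first hit is sent; if a plugin injects the tracking code for you, look for its own anonymization option rather than editing the generated script.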
Add Checkbox to Contact and Opt-In Forms
If users are filling out forms on your site that include any personal data (such as email addresses), they need to consent. I recommend adding a required checkbox to any forms on your site stating “I consent to my submitted data being collected and stored.” This also applies to comment forms.
It must be a checkbox. You can’t just say “by submitting this form you consent…” That doesn’t count as consent anymore.
Under GDPR, you need to be able to give users their data if requested. I can’t really imagine a scenario where a user would demand the data from a form they submit on my site, but you still want to make sure that you can do this if necessary.
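The checkbox requirement and the data-request requirement above are both easiest to meet on the server side of the form. The following is an added example, not code from the original post: it models a contact-form handler that rejects any submission whose consent box was not actually ticked, stores the accepted submission together with the exact consent wording and a timestamp, and can return everything held for a given email address. The field names, consent text, version label and sample submissions are all constructed for the example; an in-memory array stands in for whatever your form plugin uses for storage.

```javascript
// Added example, not code from the original post. Server-side handling of a
// contact form with a required consent checkbox. Field names, consent text and
// the in-memory store are constructed for illustration.

const CONSENT_TEXT = 'I consent to my submitted data being collected and stored.';
const CONSENT_VERSION = '2018-05'; // bump this whenever the wording changes

// Stand-in for a database table (constructed for the example).
const submissions = [];

// Validate one parsed form body (field name -> value). An unticked checkbox is
// simply absent from the body, and a browser sends 'on' for a ticked one with
// no value attribute, so the check is for an explicit 'on', not just "truthy".
function validateSubmission(body) {
  const errors = [];
  if (!body.email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) errors.push('email');
  if (!body.message || !body.message.trim()) errors.push('message');
  // Implied consent ("by submitting this form...") does not count; only the box does.
  if (body.consent !== 'on') errors.push('consent');
  return { ok: errors.length === 0, errors };
}

// Store an accepted submission with a record of what was consented to and when.
function acceptSubmission(body, now = new Date()) {
  const result = validateSubmission(body);
  if (!result.ok) throw new Error(`rejected: ${result.errors.join(', ')}`);
  const record = {
    email: body.email.trim().toLowerCase(),
    message: body.message,
    consent: { text: CONSENT_TEXT, version: CONSENT_VERSION, givenAt: now.toISOString() },
  };
  submissions.push(record);
  return record;
}

// Answer a user's request for their data: everything held for this email, nothing else.
function exportDataFor(email) {
  const key = email.trim().toLowerCase();
  return submissions.filter((s) => s.email === key);
}

// Constructed sample run: one submission without the box, one with it.
const withoutBox = validateSubmission({ email: 'jane@example.com', message: 'Hello' });
console.log('without checkbox:', withoutBox);
acceptSubmission({ email: 'jane@example.com', message: 'Hello', consent: 'on' });
console.log('export:', JSON.stringify(exportDataFor('jane@example.com'), null, 2));
```

Keeping the consent text and a version label with each record is what lets you show later which wording a person agreed to, and matching on a normalized email is what keeps the export from missing records entered with different capitalization.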
3rd Party Plugins
You are responsible for any data being collected on users of your site, even if it’s from a 3rd Party WordPress Plugin. I recommend you look into how the plugins you use are preparing for GDPR and heed any recommendations they make.
I wrote this because most of the stuff I found on the web about GDPR was too dense and comprehensive to be useful. But please use my recommendations as a starting point, not a comprehensive guide. Do some additional research specific to any other areas of your site related to user data.
Here are a few to check out:
The Lowdown on GDPR Compliance for WordPress Users – Kinsta
5 Actionable Steps to GDPR Compliance with Google Analytics