LATEST UPDATE: May 22, 2018
I decided to create a checklist to help me wrap my head around all that needs to be done on this site and others, then realized it might be helpful for those of you who stop by this page. So here's my attempt to boil it all down to the must-do steps (and feel free to let me know if I get any of this wrong; there's so much info out there, it's getting harder to know what's what):
- Create your privacy policy page. Feel free to snag from my page, but EDIT YOURS to fit your site’s needs.
- Link to your privacy policy in your menu, at the bottom of your site, on your sidebar, wherever it seems to make sense (see my post about basic HTML for making HTML links).
- Add a GDPR checkbox to your contact forms (if you use Contact Form 7, see this post). The checkbox text needs to link to your privacy policy page.
- Add a GDPR checkbox to your comment form (if you use a Genesis child theme, see this post).
- Add a GDPR checkbox to your optin forms. Your mailing list provider should have info on how to do this. (I’ll add some info soon.)
- Make a list – ideally in a text file, so it's easy to cut and paste to and from – of all the third-party plugins and/or services you use, with links to their compliance/privacy policies (see my ongoing plugin list near the bottom of this page; it only covers plugins used by me and many clients, so you'll need to audit all the plugins you use).
- Add info about all these third parties & their use of data to your privacy policy page (and link to each one’s privacy policy).
- Set up a GDPR cookie consent popup link (info on the plugin I’m going to use on the way).
- Use Wordfence to spot potential site issues, which also gives you a way to notice if your site has been compromised (see the breach item below): How the Wordfence scanner protects your site (you don't need to pay for the premium version; the free one will work fine).
- Be ready to erase people’s data if they request it (within your site, I believe this only means commenter info, user info if they registered, customer info if they purchased…other data, say that collected by Google, they would have to go to Google to get it erased).
- Have a plan in place in case there is a data breach (I believe it means a data breach of your site, if someone hacks into your site & potentially sees your commenters, your users' info, your customer info, but I am NOT a lawyer and I'm guessing at this point); you must inform people within 72 hours of finding out about the breach. (Not sure myself how to do this…thinking there needs to be a plugin that will give a list of names/emails of all commenters/users/etc from your site so you'd know WHO you need to notify.)
- Ask your email subscribers to re-optin (at least anyone whose original opt-in you can't show already met the GDPR standard); check with your email provider to see if they have an easy way to set this up. As this one might take some time, I'd say do all the other items first – get your site as compliant as you can, THEN fix up your existing list. BUT then again, if you have a huge mailing list, you may want to do this first and, while you wait for the re-subs to come in, work on your site.
LATEST UPDATE: May 21, 2018
- Blog post about how to add GDPR note to your comment form, Genesis child themes only: read it here
- Blog post about how to add GDPR checkbox to Contact Form 7 forms (any theme): read it here
(If you try these & run into any issues, let me know & I’ll help fix & will update the posts as needed.)
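As an added example (not code from the original page, from the linked posts or from Genesis), here is a comment-form checkbox written against WordPress core's own hooks, so it works with any theme that calls comment_form(). It shows the point this page keeps coming back to: the box starts unchecked, the check is enforced when the comment is submitted (not just by the browser), and what was agreed to is recorded so you can show it later. The field name gdpr_consent, the meta key _gdpr_consent and the policy version string are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example Comment Consent
 *
 * Added example, not code from the original page, from Genesis or from WordPress core.
 * The field name 'gdpr_consent', the meta key '_gdpr_consent' and the policy
 * version string are this example's own choices.
 */

define( 'EXAMPLE_POLICY_VERSION', '2018-05-22' ); // bump this whenever the policy text changes

// 1. Render an UNCHECKED box linking to the page set under Settings -> Privacy.
//    It is appended to the comment textarea field, which comment_form() shows to
//    logged-in and logged-out visitors alike (the name/email fields are not).
add_filter( 'comment_form_fields', 'example_add_consent_field' );
function example_add_consent_field( $fields ) {
	$policy_url = get_privacy_policy_url(); // WordPress 4.9.6+, '' if no page is set
	$fields['comment'] .=
		'<p class="comment-form-gdpr-consent">' .
		'<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="yes" required /> ' .
		'<label for="gdpr_consent">I agree that my name, email address and comment are stored on this site as described in the ' .
		'<a href="' . esc_url( $policy_url ) . '">privacy policy</a>.</label></p>';
	return $fields;
}

// 2. Enforce it on the server. The HTML "required" attribute is only a convenience:
//    anyone can POST to wp-comments-post.php without it, so this is the real check.
add_filter( 'preprocess_comment', 'example_require_consent' );
function example_require_consent( $commentdata ) {
	// Pingbacks and trackbacks are not submitted by a person through the form.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( '' !== $type && 'comment' !== $type ) {
		return $commentdata;
	}
	if ( ! isset( $_POST['gdpr_consent'] ) || 'yes' !== $_POST['gdpr_consent'] ) {
		wp_die(
			'Please tick the privacy checkbox to submit a comment.',
			'Comment Submission Failure',
			array( 'response' => 403, 'back_link' => true )
		);
	}
	return $commentdata;
}

// 3. Record which policy version was agreed to and when, so you can show it later.
add_action( 'comment_post', 'example_store_consent' );
function example_store_consent( $comment_id ) {
	if ( ! isset( $_POST['gdpr_consent'] ) ) {
		return; // a pingback or trackback that skipped the check above
	}
	add_comment_meta( $comment_id, '_gdpr_consent', array(
		'policy_version' => EXAMPLE_POLICY_VERSION,
		'agreed_at'      => current_time( 'mysql', true ), // UTC timestamp
	), true );
}
```

Drop it into wp-content/mu-plugins/ (or any plugin) and set a privacy policy page under Settings→Privacy so the link resolves. Because the check runs in preprocess_comment, a request that skips the form and posts straight to wp-comments-post.php without the box is rejected too, which is what "affirmative consent" actually requires of the site, not just of the visitor's browser.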
LATEST UPDATE: May 19, 2018
- Blog post covering very very very basic HTML that might come in handy while you do GDPR things: read it here
- Blog post about how to add a GDPR checkbox to Contact Form 7 forms (which needs HTML): coming very soon
LATEST UPDATE: May 18, 2018
WordPress’s update is out – remember to update plugins first, then WordPress.
I’ve updated the Genesis eNews entry in the plugin audit – see the bottom of this page.
WordPress new GDPR features:
- Settings–>Privacy: This is a new section that will allow you to set a privacy policy page. Once you set the page, you can click a link to see “Privacy Policy Guidelines” which includes starter privacy policy text that you can use. Be sure to edit it to fit with your site!
- Also, write/edit sections in YOUR voice, your writing style; the key is to provide the information in clear terms, NOT in legal mumbo jumbo. Don’t try to sound official – you want to sound honest and like yourself. The idea is that you’re giving visitors information to help them know quickly and easily how your site uses data & that you’re ready to manage their data as necessary.
- Tools–> Export Personal Data:
- This tool exports personal data that your WordPress itself holds, such as comment data or user accounts if people can register on your site. A plugin's data shows up here only if that plugin has hooked into the new tools (core provides filters for this); it cannot reach data held by third-party sites.
- Tools–> Erase Personal Data:
- This will only erase data that YOUR WordPress collects, such as commenters info or if people registered as users on your site…this will NOT affect data collected by any third party. If you sell items and use Paypal for payments, then Paypal will ALSO have data stored, and no WordPress tool can touch Paypal data. Another example – if you use an ad network, they collect data and will store it on their servers.
- Remember that one of the hallmarks of GDPR is that *we* as site owners are being held accountable to know where ALL of our users’ data goes & is stored.
Other notes:
- If you use Woocommerce (or otherwise accept payments on your site through ecommerce), you’ll need to get familiar with how Paypal deals with data. Woocommerce has put out GDPR guidelines, and they said this: “Privacy considerations when using official Payments extensions: If you choose to accept payments through a gateway like Stripe or PayPal, some of your — and your customers’ — data will be passed to the respective third party, including information required to process or support the payment, such as the purchase total and your customer’s billing information. We recommend that store owners disclose that they are sharing information with payment providers in their privacy policy.”
- Click here to read Paypal’s updated Privacy Policy (you may need some of this info to clarify things on your own pp)
LATEST UPDATE: May 17, 2018
Click here to search WordPress.org for plugins’ pages/info.
Click here for WordPress updates regarding GDPR
WordPress is actively working on a core update that will include “new privacy tools that help with GDPR compliance.”
ALSO PLEASE NOTE: Plugins are not allowed to say they “guarantee” GDPR compliance…there are a million variables and I’m sure even the lawyers aren’t clear about how all this will play out. But do not fall for any plugin (or person, for that matter) saying they can guarantee anything.
Hello, hello…if you’re here, you’re probably in the midst of dealing with the GDPR stuff. I’m right there with you, and I’m not happy about all this extra work, either. But it is what it is, and we’ve got to comply, so let’s do this.
This page is where I’m going to list out what I’ve done/am doing, what I suggest that you do, and it’s where I’ll keep an updated list of plugins that are (or are not) compliant. I will be updating the page periodically (see the updated date at the top).
So let’s dive in!
Here’s the basic (ha!) to-do list…
- FIRST AND MOST IMPORTANTLY: If you’ve not been updating your plugins, go do it now. I’ll wait.
- Plugins will be releasing updates to help with GDPR compliance, so you need those updates.
- Plugins release updates regularly for basic security, and you need those even more, so use GDPR to get in the habit of updating plugins.
- A tip: When WordPress’s update gets released, and it will be before the deadline, update any plugins that need it THEN any themes that need it THEN WordPress. Doing updates in this order can minimize the chance for conflicts.
- Conduct a plugin audit for GDPR compliance, and stop using plugins that collect data but are not compliant (more on this in a bit).
- Create a comprehensive privacy policy for your website(s):
- It must CLEARLY spell out/explain the following info: what data your site collects, who collects it, why it is collected, and how long it’s stored.
- List all plugins and/or third parties you use on the website that collect data and if the plugin is GDPR compliant. Link to the plugin’s GDPR page/privacy policy if possible.
- WordPress’s upcoming update is going to include a privacy policy generator: Read details
- I suggest having another one ready just in case.
- Link to your privacy policy in all obvious places on your site: link on the main menu, link on your About page, link in the footer/footer widgets (and anywhere else that makes sense for your site). Better to go overboard than not.
- Add a GDPR banner/popup plugin that requires people to actually check a box to agree to your data collection before entering your site. This is the plugin I’m using: GDPR plugin
- According to this (really wonderfully comprehensive) post, “you must have an opt-in option on your site that your readers see immediately upon arrival, advising that you collect data, what data you collect, and you must receive approval from your readers (known as affirmative consent) to collect this data before they can access your site. This can be done in the form of a pop-up, but unlike previous disclosure pop-ups, this one must allow your reader to opt-in with acknowledgement of collection of data, not opt-out. It must also state that you use third party apps (if you do), and that those third-party apps are GDPR compliant. Note: All opt-in forms must have blank check boxes. You cannot have a pre-checked box that your reader/subscribers have to physically change” See the full post linked above for even more details, but the important part is that you cannot use pre-checked boxes and people must explicitly agree to your data collection.
- Add a GDPR plugin that allows people to easily “be forgotten,” i.e. have all of their data deleted (and you can show proof that you deleted it – this is where you need to know WHAT data is being collected and by whom/where so that if asked, you can delete it).
- There is a plugin that will do this (GDPR personal data plugin), however WordPress is working on an update to the core that may include this functionality as well – I will update when I know more. Info on upcoming WordPress update
- Add clear GDPR wording and checkboxes to EVERY optin form on your site – your email provider probably already has these ready to use (I know Mailchimp and Mailerlite do, and I’m sure the other big companies do, too).
- ONE HICCUP AS OF MAY 17: If you are using Genesis Enews widgets for your optins, which is what I use & what I install for clients, then adding these checkboxes to your (nicely styled!) optin boxes might be a challenge. I am in the process of working on a solution for this & will update soon.
- Ask your email subscribers to RE-OPTIN wherever you can’t show that their original opt-in already meets the GDPR standard (an unchecked box they ticked themselves, clear wording about what they were signing up for, and a record of when they did it). The only way out of this one is if you know, without a doubt, that none of your subscribers are in the EU. If any are and you don’t have that proof, they must clearly and specifically re-optin…using an optin form that requires them to check a box that says they agree to your policies.
- I will post more info about how to do this very soon.
- Take the time to learn and understand what data is collected by every facet of your site, by whom, why, and how long it’s kept. The reason is so that if someone asks you to delete all their data, you know where to delete it from. I know this is the most daunting part…many of you don’t consider yourselves “technical” when it comes to your site, and the reason you use the various services you use is so that someone else handles the tech stuff. But now, GDPR is essentially forcing everyone to up their level of “tech” knowledge of their sites…I know it seems overwhelming, but I’ll try to help keep it all as bare-bones as possible.
- To start with, here are some examples of data collection by sites:
- WordPress collects basic data regarding which plugins are used and some other things to help it develop the actual program;
- Google Analytics collects data such as IP address/location, time on site, etc (and uses cookies);
- Ad companies collect similar data & use cookies;
- Your mailing list company collects and stores names, email addresses, clicks/openings, etc (and any other info you’ve chosen to ask for);
- Your hosting company may collect data, and it definitely stores data in the form of server logs: web-server access logs record every visitor’s IP address, which counts as personal data under GDPR whether or not anyone ever reads the logs. I’m working to find out how this impacts GDPR.
- Once you know what data is collected and by whom, create an action plan for a data breach. GDPR gives you 72 hours from becoming aware of a breach to notify your supervisory authority (your country’s data protection regulator), and if the breach is likely to put people at high risk you must also tell the affected people without undue delay…so you need to be able to say what data was involved and whose it was.
- Exactly how to know if there is a breach is something that may depend on your site’s setup…I will add more info to this as I clarify it in my own setup.
Plugin Audit Info
To do your plugin audit, I suggest this approach:
- First pass: Look at your list of installed plugins and note which ones most likely collect data.
- Start a list of what they collect, so you have it for your own records.
- Go to each plugin’s homepage (or download page on WordPress.org) and see if they’ve released any info on GDPR compliance.
- As the deadline gets closer, if the plugin has not yet come into compliance, decide whether to do without it or look for a replacement.
- By the GDPR deadline, if a plugin that handles personal data still can’t tell you what it collects and how it complies, you must stop using it. (A plugin that touches no personal data has nothing to become compliant about, but write down why you concluded that.)
- Second pass: Check all the rest of the plugins to make sure they’re not collecting data (they can surprise you).
- Look on the plugin’s homepage or their download page on WordPress.org.
- Keep a list of these too, in case you’re ever required to show proof that you did your due diligence.
Plugins I’m either using or watching for others
Here are the plugins I am in the process of vetting either for myself or for clients…you may use a lot of these (if you’re a client, I’ve installed a lot of them for you, lol!), but you might use a whole bunch more that I don’t use, so this will not be an exhaustive list. 🙂
**I am working through this list and will be adding to it & changing as I go.**
TO BE AUDITED:
- Genesis Simple Edits:
- Genesis Simple Hooks:
- Genesis Responsive Slider:
- Slider Revolution:
- Smart Slider:
- iThemes Security:
- Updraft Plus:
- Regenerate Thumbnails:
- Kirki Toolkit:
- Advanced Custom Fields:
- Autoptimize:
- Coming Soon Page and Maintenance Mode:
- Dynamic to Top:
- En Spam:
- Jquery Pinit Button for Images:
- Pretty Links:
- Widget CSS Classes:
- Widget Importer Exporter:
DOES NOT COLLECT DATA – but often with caveats:
- Image Widget:
- Does not collect data (full compliance statement due soon from plugin maker)
- Contact Form 7:
- Does not collect or store any data on your site; it only sends the form contents to you via email (which means the data then sits in your mailbox, and you must be able to find and delete it if someone asks)
- But it is possible to use a plugin that DOES store the form info, such as the plugin Flamingo, and that would need to be checked & declared; Contact Form 7 on its own does not
- If you use something like Google reCaptcha (as I do), this sends visitor data to Google and would need to be disclosed.
- You must make your contact forms GDPR-friendly and be clear about WHO gets the info submitted, why, etc: CF7 blog post on how to make GDPR-friendly forms
- Simple Social Icons:
- Does not collect data; displays links to your social accounts only (this is NOT a sharing plugin).
- Social Warfare:
- Does not collect or track anything: “Social Warfare does not collect ANY personal data from the people who visit your site and click on a share button. Our buttons are merely utilizing the 3rd party share APIs of the respective networks. As soon as someone clicks a Social Warfare share button, everything that occurs after that click is handled by the social network’s API. … Our UTM tracking feature merely adds a string to the end of a shared URL so that Google Analytics can record that traffic data–Warfare Plugins does not receive, record, or track ANY of that data. … Our click-tracking feature is merely a Google Analytics event, which, again, is recorded by Google Analytics, not Social Warfare. … So it is without question that Social Warfare has full compliance with GDPR because we don’t track a single thing.” Read their reply about compliance
- Social Warfare does not track data, but ALL THE SOCIAL NETWORKS DO…so if you are using a social share plugin such as Social Warfare, you must disclose in your privacy policy that data IS shared with Facebook, Twitter, Pinterest, etc.
- Black Studio TinyMCE Widget:
- Does not collect data, but plugin author said: “Our plugin does not explicitly handle any personal data, so it is not directly affected by the GDPR. It will be solely a site’s admin responsibility to comply with the new regulation regarding the data inserted through the widget.” Read their response about compliance
- TinyMCE Advanced:
- Does not collect data: “TinyMCE Advanced does not collect or store any user related data. It does not set cookies, and it does not connect to any third-party websites. It only uses functionality that is available in WordPress, and in the TinyMCE editor. … In that terms TinyMCE Advanced does not affect your website’s privacy laws compliance in any way.” Info from this page.
- Genesis eNews:
- Does not collect data: According to the plugin author, “This plugin, in and of itself, only acts as a wrapper for the form inputs that you indicate that directs information to the mailing list service. In other words, if you use MailChimp, this plugin makes it simple to create a form that directly submits submissions to MailChimp. In and of itself, this plugin does not collect, store, or handle any transmission of any data. The visitor’s name and e-mail, after their direct action, submits that information as entered directly from their browser to the mailing list service of the site administrator’s choice.”
- Also: “To all: There will be an update to Genesis eNews Extended going out on Monday [May 21] that will include an option for you to easily add a link to your privacy page, as set in WordPress 4.9.6 which was released [May 17].”
- Quotes are from this page (page 2 of that thread).
**DOES** COLLECT DATA/definitely declare these in your privacy policy:
- Google Analytics:
- Go to this page for info on how to set how long GA keeps data. Here is Google’s privacy policy (with links to where people can access their data & change what’s collected): Google privacy info
- Google Adsense:
- Facebook:
- Twitter:
- Pinterest:
- Instagram:
- Basic info, then links to Facebook’s info page (Instagram is owned by Facebook): Info here
- Shareaholic:
- Yoast SEO:
- Collects website data only; info is here
- Wordfence:
- Working on becoming compliant; they say an update will be ready by the deadline: Their latest blog post about compliance
- Woocommerce:
- Jetpack:
- Gravatar:
- Akismet: