Many articles already cover this topic, but I am writing about it too because making your website GDPR compliant is important. In this post, I will show that it is not very complicated.

First, What is GDPR?

The General Data Protection Regulation (GDPR) is the new reference text at European level for the protection of personal data. It strengthens and unifies data protection for individuals in the European Union.

This regulation comes into force on May 25, 2018. If your site is not GDPR compliant, you risk heavy penalties. I think sites will only start being punished after a few months, but it is still better to do it now 🙂

Who is concerned?

Unless your site is hosted outside the European Union and cannot be accessed from any country in the European Union, you are concerned.

What should I do?

First, understand that I am not a lawyer, just a developer who has read a lot about the subject, so contacting a lawyer to be sure your site is GDPR compliant would be a good idea.

Making a site GDPR compliant is different for each site, but here are some points to check:

1. Google Analytics

It depends on how you use Google Analytics on your site, but this point is very important. For my part, I use Google Analytics to track visitors and cookies to collect data. The collected data is processed anonymously.
In order to be compliant with the new regulation, Google added a data processing amendment to its terms.

2. Your Forms

Every form on your website that collects data like names or email addresses needs a checkbox for the user to consent to the storage of their data.
Great people created an amazing free plugin called WP GDPR Compliance. It is fully compatible with Contact Form 7, Gravity Forms, WooCommerce and probably more plugins in the future.
I don't really understand why it has bad reviews; I think many users didn't understand its purpose, or maybe it was not as good as it is now. This plugin doesn't make your site automatically GDPR compliant, but it helps you a lot by making the task easier.
In the next release of this plugin, your users will be able to send a request to see all their data present in your database and also to request that their data be anonymized.

WP GDPR Compliance is very simple to use, you just need to activate it and go to Tools > WP GDPR Compliance. I use Gravity Forms on my site, so I added the checkboxes on all my forms and for the WordPress Comments too.
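To make the consent requirement concrete on the server side (a checkbox that is only checked in the browser can be bypassed by posting the form directly), here is an added example, not part of the original post and not code from WP GDPR Compliance or Gravity Forms. It shows a minimal form handler that rejects any submission whose consent checkbox is not ticked, records when and under which privacy-policy version consent was given, and implements the two data-subject requests mentioned above (export and anonymization) over a constructed in-memory store that stands in for the WordPress database. `PRIVACY_POLICY_VERSION` and the field names are assumptions.

```javascript
// Added example: server-side consent validation plus data-subject requests.
// Not code from the original post or from any WordPress plugin.

// Assumed identifier for the privacy-policy text the user agreed to; bump it
// whenever the policy changes so old consent records can be told apart.
const PRIVACY_POLICY_VERSION = "2018-05";

// Constructed in-memory store standing in for the WordPress database.
const submissions = new Map(); // id -> record
let nextId = 1;

// Returns a list of validation errors; an empty list means the submission
// is acceptable. Browsers send "on" for a ticked checkbox with no explicit
// value attribute, so anything else (missing, tampered) counts as no consent.
function validateSubmission(fields) {
  const errors = [];
  if (!fields.name || !fields.name.trim()) errors.push("name is required");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fields.email || "")) errors.push("email is invalid");
  if (fields.consent !== "on") errors.push("consent checkbox must be ticked");
  return errors;
}

// Validates and stores a submission together with a consent record
// (timestamp, policy version, stated purpose) so you can later prove
// that consent was obtained and for what.
function storeSubmission(fields, now = new Date()) {
  const errors = validateSubmission(fields);
  if (errors.length > 0) return { ok: false, errors };
  const id = nextId++;
  submissions.set(id, {
    id,
    name: fields.name.trim(),
    email: fields.email.trim().toLowerCase(),
    message: fields.message || "",
    consent: {
      given: true,
      at: now.toISOString(),
      policyVersion: PRIVACY_POLICY_VERSION,
      purpose: "support", // assumed purpose for a contact/support form
    },
  });
  return { ok: true, id };
}

// "Show me all my data": every record stored for this email address.
function exportDataFor(email) {
  const key = email.trim().toLowerCase();
  return [...submissions.values()].filter((r) => r.email === key);
}

// "Anonymize my data": strip the personal fields but keep the record so
// the request itself is auditable. A hash of the email is deliberately not
// kept, since hashed email addresses are easy to reverse by guessing.
function anonymizeDataFor(email, now = new Date()) {
  const key = email.trim().toLowerCase();
  let count = 0;
  for (const r of submissions.values()) {
    if (r.email !== key) continue;
    r.name = null;
    r.email = null;
    r.message = null;
    r.consent = { ...r.consent, withdrawnAt: now.toISOString() };
    count += 1;
  }
  return count;
}

module.exports = { validateSubmission, storeSubmission, exportDataFor, anonymizeDataFor };
```

The same three checks apply whatever plugin generates the form: reject on the server when the consent field is absent, store the consent alongside the data it covers, and make both lookup and removal by email a single operation so requests from users can be honoured quickly.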

3. eCommerce

WooCommerce is working on a new update to make their plugin GDPR compliant, so you will probably not have to do anything on that side. I don't know about Easy Digital Downloads, but they will probably do something similar.
WP GDPR Compliance also has a setting for WooCommerce.

4. Privacy Policy Page

If it is not already done, you need to create a Privacy Policy page to tell your users how you use their data. For example, if you request a user’s name and email for a form that serves as your support, you must say that you are using their data to contact them and help them with their problem.
You can use my page as an example if you want: https://oceanwp.org/privacy-policy/

Conclusion

You can see in this post that it is not difficult to make a WordPress site GDPR compliant. You just have to keep in mind that every time you collect personal data from a European user, you have to let them know that their data is being collected.

To go deeper, you can read this great post on the Kinsta blog which explains many things about GDPR: https://kinsta.com/blog/gdpr-compliance/
Do not hesitate to ask questions in the comments if you did not understand a point or if you think I forgot to talk about something.

This Post Has 27 Comments

  1. Alok Sharma

    Awesome!

    I hate to read long articles. In short, I like to read to the point.

    Your article has covered most of the basics in plain and simple language.

    I loved the way you have set up the privacy policy page. For individuals like us, I think there is nothing much to mention on the privacy policy page other than how the collected data will be used. At least, I am not into using Google Analytics or Email Marketing, so there is nothing much to worry about.

    Even though I don’t think any EU person is going to visit my websites or purchase any services from me, it’s still a good idea to keep the website GDPR compliant.

    Thanks a million for sharing such useful information.

    1. Glad that you like the article 🙂
      It is not very complicated, you just need to let users know that you collect their data in some way and how you use them.

  2. Eslam

    Nice short and to the point article Nicolas, thanks for sharing it and I like your privacy policy being that easy to be read and understood.
    Just one comment, I believe the implementation date of GDPR is 25th May and not 28th as mentioned in the article.
    Thanks 🙂

      1. Eslam

        You are welcome, another question, the Mailchimp widget in OWP, what is the best way to add the consent checkbox to it?

        Thanks

          1. Eslam

            Great as usual 🙂

  3. Jesper P

    Hi!

    Thanks for a nice summary of the new regulations. However, you gave your own privacy policy as an example and it is not even close to compliant with what the new regulations demand. This is what you need to have in a privacy policy according to the ICO ( https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ ):

    ☐ The name and contact details of our organisation.

    ☐ The name and contact details of our representative (if applicable).

    ☐ The contact details of our data protection officer (if applicable).

    ☐ The purposes of the processing.

    ☐ The lawful basis for the processing.

    ☐ The legitimate interests for the processing (if applicable).

    ☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

    ☐ The recipients or categories of recipients of the personal data.

    ☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).

    ☐ The retention periods for the personal data.

    ☐ The rights available to individuals in respect of the processing.

    ☐ The right to withdraw consent (if applicable).

    ☐ The right to lodge a complaint with a supervisory authority.

    ☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).

    ☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

    ☐ The details of the existence of automated decision-making, including profiling (if applicable).

    Hope this helps!

  4. Carol

    Thank you Nicolas. This was really helpful. Short and simple to understand.

  5. Vincent Tobiaz

    I did not know this was required on forms, glad to know.

    This doesn’t solve the cookie issue with remarketing tags (Google or Facebook Pixel).

    http://wptest.means.us.com/european-cookie-law-bar/ – this allows you to add a bar for people to have to accept cookies, which solves this, and allows it to only show to countries in the EU so it doesn’t bother others.

    Hope this helps someone!

  6. gregh747

    This is the only GDPR article I have read to completion. Reason: short, sweet, simple 🙂

  7. Thanks for this article and the clarifications on the GDPR. I use OceanWP and I am very satisfied with it.

  8. Sebastian

    I love your articles, they are always helpful. One thing I miss here: if you go by the book, you have to be able to manage / revoke consent. There is a good plugin called WP DSGVO (DSGVO being the German adaptation of GDPR). It offers a cookie banner that asks for consent first and allows you to revoke it later for e.g. analytics and Facebook pixels. While it’s only in German right now, the author is making it translatable in the next update.

    If you want to see it in action, check out my site – of course built with OceanWP + Elementor Pro 🙂

  9. David

    Every form on your website that collects data like names or email addresses needs to have a checkbox for the user to consent to the storage of their data.

    This is not actually true, it is required if you obtain data by consent but that is just one of the six approved methods for processing data.

  10. Sid Greenfield

    It is absolutely Un-True that compliance under EU GDPR is mandatory for anyone outside the EU.

    The USA is a sovereign Nation State, not subject to the edicts, laws or regulations of either the UN, the EU or any other half-baked alliance of Kings, Queens or Parliamentary Associations. If anything, their laws and regulatory efforts must be compliant with Our Edict, Laws and Regulatory Requirements.

    By signing the EU-US Privacy Shield agreement, you admit subservience to the GDPR Authority, thereby becoming a “vassal” of the EU’s regulatory machinery. If you or your business refuse to sign or comply with the agreement, the EU may, under its own laws, prevent its citizens or businesses from accessing or utilizing your online presence, ( of course, they won’t ) but they have no legal presence or authority that compels your compliance if you reside ( or if your web presence originates ) outside the EU.

    The standard, common sense, privacy statement utilized by every E-commerce enabled website is already sufficiently compliant without becoming vassals of UN or EU globalist expansion efforts by signature or fait accompli. The same theory applies equally to voluntary Email or Membership subscriptions by EU citizens wherein they supply routine contact information.

    IF the Global purveyors of Merchant account and payment gateway services wish to sign and comply with such an agreement, it has no effect on our website businesses since payment processing Data comprises a “Pass Through Transaction” wherein the credit card processor is the only entity maintaining an archival record of the customers data. YOU don’t archive the information so YOU are either exempt or already compliant.

    We need to take this very seriously simply because the next step will be to put restrictions on what products are “acceptable” for sale to EU customers. That will be followed by mandated license requirements, product approval requirements, specification submission requirements, licensing fees and Tax mandates. Soon … as in probably THIS YEAR … you will certainly be required to post your Democratic Socialist Affiliation Sticker on your landing page … or be excluded from the EU markets.

  11. Dirk

    In OceanWP I can set Social Buttons in the Top Bar like the Facebook Button. Are the Social Buttons GDPR Compliant?

  12. Henning

    Salut Nicolas, thanks for the article.

    I got the Core Extension Bundle and I’m very pleased with your work and support – if I use the “Instagram Feed” widget will it be GDPR-compliant? I have a feeling, it will cause trouble.

    Many thanks
    Henning
