General Data Protection Regulation and WordPress
On Wednesday, April 11, the Zurich WordPress community met for the WordPress Meetup Zurich. First, Martin Steiger gave us a very good overview of the new EU data protection regulations, which come into force on May 25, 2018. Afterwards, Pascal Birchler informed us about what WordPress is planning in this regard by presenting the WordPress GDPR Roadmap.
What is DSGVO/GDPR?
For those who are not yet familiar with the GDPR, here is a brief explanation: The General Data Protection Regulation is a new law that regulates how personal data of EU citizens can be collected, used and processed by companies. The law comes into force on 25 May 2018, and even though the new law will be implemented by the European Union (EU), these new regulations will not only apply to organizations in the EU, but also to those that have customers and contacts in the EU. This will have an impact on companies all over the world. Companies in Switzerland are also affected.
Presentation by Martin Steiger
Martin began by explaining four common misunderstandings in connection with the upcoming General Data Protection Regulation:
DSGVO misunderstandings
“Switzerland is not affected by the GDPR.”“Any processing of personal data requires express consent.““Our GTC are deemed to be consent.”“The GDPR cannot be enforced in Switzerland.”
Details of the four misconceptions can be found in Martin’s blog post or in his presentation.
As I am more of a practical person, I found the following two practical examples from Martin very exciting:
Newsletter
Consent: When sending mailings, the basic rule has always applied: newsletters may only be sent to email addresses if the recipient has voluntarily given their consent. From May 25, 2018 at the latest, anyone sending a newsletter should pay attention to this.
Double opt-in as proof: the best way to prove this is, of course, if the newsletter registration was made via double opt-in. The biggest taboo that I repeatedly encounter in this context is pre-selected “Subscribe to newsletter” checkboxes when submitting forms. Or I often personally receive newsletters from agencies in the Swiss web scene, even though I have never agreed to this.
Also applies to previous recipients! The law also applies to previous recipients, which actually means that if push comes to shove, all personal data (e-mail addresses) that have been “involuntarily” collected in recent years for the purpose of sending the newsletter must be deleted.
MailChimp: Those who work with the newsletter software “MailChimp” are in very good hands, because MailChimp has already prepared itself very well on this topic and supports its customers with detailed information. Read more in this blog post: New MailChimp Tools to Help with the GDPR
Lead magnets with freebies
Many websites now offer so-called “freebies”; further information such as whitepapers in the form of PDF downloads. The user “only” has to enter their e-mail address and then receives the document as a PDF by e-mail.
Why not simply link the PDF? The question here is, of course, whether you could simply link the PDF. The answer to this is probably “no“, because the operators of the website would like to collect the data or e-mail addresses of their users. The small print usually states that you automatically register for the newsletter by e-mail address. However, this raises the question of whether this counts as voluntary consent?
Communicate clearly: If you want to be on the safe side, Martin suggests a possible solution that is a little more “privacy-compliant”:
Instead of offering the user a whitepaper as an excuse to get the email address for the newsletter, you could turn the communication around and clearly declare that if the user signs up for the newsletter, they will receive a whitepaper as a “goodie”.
My conclusion
I draw the following conclusion from Martin’s presentation:
Martin speaks again this week in Bern
If you missed Martin in Zurich, you can catch up on his presentation this Tuesday, April 17, 2018 at the Bern WordPress Meetup. The meetup is organized by Ulrich, among others. It’s worth stopping by and asking Martin questions, so don’t miss it!
WordPress and GDPR?
The WordPress community is also very active on this topic. In the second part of the evening, Pascal introduced us to a few new features:
Privacy Page
WordPress is given an easy way to create a privacy page. If possible, a standard text for such a privacy page should be provided. However, this should only serve as a basis or inspiration to make it easier to create a privacy page. Ideally, you should also be able to see the installed plugins so that you can find out what data they collect.
Cookie opt-in for comments
If someone currently writes a comment on a WordPress page, their name, email address and website URL are saved in a cookie. The next time a comment is posted, these fields are already pre-filled. This should now only be possible if the user explicitly agrees to the cookie.
Anonymization of data
WordPress will provide functions with which personal data can be easily anonymized. In a comment, for example, “Hans Muster” would be replaced with “Anonymized User” from the first name/last name. It is also proposed to delete or anonymize the IP address and user agent of a comment after a certain period of time. Anti-spam plugins currently need this information to check for spam, but after that the data is no longer important and can therefore be anonymized.
Exporting and deleting personal data
In the event that users ask the website operator to export all their personal data, WordPress will offer an export in future. As an administrator, you can then initiate such an export, which the user must confirm by email (“Yes, I really want an export of all my data). Once this has been confirmed, the administrator can download the export and/or send the data to the user by email. The file then contains data from the user profile, all comments, etc.
Similar to the export of personal data, the user should also be able to request the deletion of this data. The entire presentation by Pascal is available here as a PDF: WordPress Meetup April 2018 – GDPR Roadmap
Everyone can contribute something
Don’t forget, WordPress is open source, so anyone can contribute to this topic. Here are the open GDPR related tickets.