WordPress GDPR Tools

Businesses have been scrambling to write GDPR privacy policies and update their mailing lists for GDPR. In the rush, you might have missed the new WordPress GDPR tools that are designed to make your website compliant.

Here’s a quick guide to the new WordPress GDPR tools and settings.

About the New WordPress GDPR Tools

WordPress has been mulling over GDPR for a few weeks. Like most of us, it’s left the actual roll-out of its tools until late, so site owners are likely just discovering the new settings.

If you’ve not updated your WordPress core to 4.9.6 yet, you probably won’t even be aware that the tools are available.

The main changes you need to know about are:

  • WordPress’ new personal data tools, which appear under the Tools menu as Export Personal Data and Erase Personal Data; these are essential for compliance, and will be doubly important for any site that accepts registrations
  • Privacy policy content guidance, if you want to write your own policy
  • A setting that allows site owners to define the page containing their privacy policy
  • A new “postbox” on the designated privacy policy page that will display privacy policies from plugins you’re using
  • A way to confirm personal data export or deletion by emailing the user
  • A Jetpack privacy policy generator and new Privacy Centre
  • New privacy guidance for plugin developers, including some useful information about Privacy By Design, a key GDPR concept
  • An easier way to get cookie permissions, although most site owners probably do this already.

In order to access the new WordPress GDPR settings, you’ll need to update WordPress to the latest version, WordPress 4.9.6 Privacy and Maintenance Release.

GDPR Settings

It’s important to note that the new privacy settings are not the same as the old privacy setting in WordPress, which allowed you to hide your website from search engines; that setting had nothing to do with personal data.

This old privacy setting was renamed and moved in version 3.5, perhaps as a way to avoid confusion with the new settings for GDPR.

Setting Up GDPR WordPress Features

Once you’ve updated WordPress, you’ll see this pop-up next time you log in as an Administrator:

WordPress Personal Data and Privacy

When you see this, you’ll have:

  1. New personal data tools for your website under Tools, so you can export one user’s data as a zip file, or erase the user’s data from your database
  2. A way to designate a page as your official privacy policy under Settings. This page also collates information from plugins, in theory, although it’s highly likely that most are not yet using this feature; there’s guidance here if you’d like to see what’s involved.

The first option, the data exports and erasure tools, will be handy for removing users and exporting the data you hold on them. You may not need these tools now, but it’s good they’re there.

The data erasure or download menu will also automatically ask the user for consent via email before their data is exported or removed, so you have consent from the right person beforehand.

The second item, the privacy policy Settings sub-menu, allows you to tell WordPress where your privacy policy is, or add one if you don’t have one already:

WordPress Privacy Policy Settings

This is more important than it looks. Why?

  • Under GDPR, you need to have a privacy policy page that any visitor can easily locate. This page makes it easy to signpost people to it.
  • This is also the page that gets the additional “postbox” field for plugins to add their own privacy policy information. You can’t see or edit this field, but as plugins start to pick up this requirement, this setting will become more important.

So if you act on one thing from this guide, I’d recommend that you head to Settings -> Privacy and select your privacy policy now.
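For readers wondering what a plugin has to do to feed the privacy policy "postbox" and the Export/Erase Personal Data tools described above, here is an added example (not from the original post or from any real plugin). The plugin name, the callbacks and the user meta key `example_newsletter_optin` are hypothetical; the hooks and `wp_add_privacy_policy_content()` are the ones WordPress core introduced in 4.9.6.

```php
<?php
// Hypothetical plugin; 'example_newsletter_optin' is a constructed user meta key.

// Suggest policy text to the site owner (function is absent before 4.9.6).
add_action( 'admin_init', function () {
    if ( function_exists( 'wp_add_privacy_policy_content' ) ) {
        wp_add_privacy_policy_content( 'Example Newsletter',
            '<p>We store the date you opted in to our newsletter.</p>' );
    }
} );

// Add this plugin's data to Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Example Newsletter',
        'callback'               => 'example_newsletter_export',
    );
    return $exporters;
} );

function example_newsletter_export( $email_address, $page = 1 ) {
    $items = array();
    $user  = get_user_by( 'email', $email_address );
    $optin = $user ? get_user_meta( $user->ID, 'example_newsletter_optin', true ) : '';
    if ( $optin ) {
        $items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => 'Newsletter',
            'item_id'     => 'optin-' . $user->ID,
            'data'        => array( array( 'name' => 'Opt-in date', 'value' => $optin ) ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // single page of results
}

// Remove the same data via Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Example Newsletter',
        'callback'             => 'example_newsletter_erase',
    );
    return $erasers;
} );

function example_newsletter_erase( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = $user && delete_user_meta( $user->ID, 'example_newsletter_optin' );
    return array( 'items_removed' => $removed, 'items_retained' => false,
                  'messages' => array(), 'done' => true );
}
```

A plugin that stores personal data but registers no exporter or eraser is simply skipped by the core tools, so an export or erasure that completes without errors does not by itself show that every plugin's data was covered.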

But I Don’t Have a GDPR Privacy Policy Yet!

It’s fairly easy to create a privacy policy to comply with GDPR. You still have time to do it.

Since a privacy policy is a legal document, we at Red Robot don’t write them. But you can either write one yourself, or use a generator or template.

We’ve listed three free generators in our GDPR documentation blog. You could also follow the link from your Settings -> Privacy page in WordPress, which will take you to WordPress’ generic content suggestions. The page lives at http://your-domain.com/wp-admin/tools.php?wp-privacy-policy-guide

Where possible, I’d suggest using legal templates rather than generators. If you write your own policy, we can proofread and format it for you if you need a little help.

GDPR WordPress plugins

New GDPR Features in Automattic Plugins

Automattic, the team behind WordPress, has also updated some plugin settings, and changed its guidance for plugin users. There are lots of small changes, but here are the basics.

GDPR and Jetpack

Jetpack is a useful (and free) WordPress plugin that gives self-hosted WordPress users advanced features, similar to those provided to hosted WordPress.com users.

For example, you get some handy and interesting statistics about your site.

While Jetpack itself hasn’t changed much, it has launched a couple of tools that might be of interest to you:

GDPR and WooCommerce

WordPress has its own Privacy Blog, but it is fairly light on content at the moment.

However, it does mention WooCommerce changes.

The main tools WooCommerce users need are the Export Personal Data and Erase Personal Data menus, which are already live in WordPress itself. However, the WooCommerce plugin has also been tweaked to avoid unnecessary data collection, and obtain consent where it’s needed, which is also important.

If you use WooCommerce, update the plugin to version 3.4 if you haven’t already.

GDPR and WordPress.com

WordPress.com users can now opt out of having their data collected for analytics purposes.

You’ll also be able to close a WordPress.com account and delete your data. Until now, that was impossible.

WordPress.com shares many tools with Jetpack, so it’s worth also looking at the Jetpack Privacy Centre that I linked to above.

More Information on GDPR from Automattic

Some of these updates have come very late in the day, and businesses have plenty to do over the next 24 hours to get their sites ready.

Automattic is also still rolling out GDPR information and guidance; this blog post was only published in the early hours of 24th May, but includes some useful details on other Automattic services like Akismet and Polldaddy.

Small Businesses Need to Act to be GDPR Compliant

As with most things related to GDPR, it’s a case of “better late than never”.

It’s promising that the developers behind all Automattic plugins and software have focused on data deletion. This is something that other companies are not taking seriously yet.

We’ll almost certainly see improvements in the next few versions of WordPress.

Some web hosting providers, including InMotion Hosting and SiteGround, offer automatic WordPress updates on some plans. It’s best to switch these automatic updates on to avoid the hassle of manually keeping your site up to date.

Automatic plugin updates will ensure that you get those all-important “postbox” privacy policy updates when they eventually appear. So turn those on now too.

Claire Broadley

Technical writer, blogger, and editor at Red Robot Media
Claire Broadley has been a technical author and web content writer at Red Robot since 2010. She contributes to dozens of websites, focusing on consumer technology, online privacy, digital marketing, and small business topics.
