Earlier this year, a group of WordPress volunteers formed a team to introduce GDPR compliance features into WordPress core. Since then, they have been on a dedicated journey to identify all personal data stored in core, create tools to manage privacy features, and establish a central repository to act as a GDPR resource for WordPress users and developers. In this article I will discuss some of the main features and how you can start using them today on your site.

WordPress 4.9.6, released mid-May, introduces the first tools of the GDPR team’s work. 4.9.6 was an automatic update, so your site has probably already been updated to this version already. To be sure, log into your dashboard and check out your current version. Run the update if your site is still behind; some hosts and developers turn off automatic updates on their WordPress installs.

Now let’s get to the good stuff!

WordPress Privacy Features for Site Owners

WordPress Privacy Features notification

Personal Data and Privacy popup in the admin

Upon logging into the dashboard after updating, there is a popup notification alerting you to the new tools. This leads to a handy guided rundown of the features, but you can dismiss it and explore on your own. In the coming weeks, we will be doing a deep dive into each of these features!

Privacy Policy Generator

WordPress Privacy admin menu

New Privacy menu item in the Settings dropdown

Many sites have already have privacy policies as a page link in their website footer. The verbiage of these policies can vary, but oftentimes small businesses just do a web search to copy an existing privacy policy and call it a day. Now, site owners are required to explicitly tailor their privacy policy to their own site, and explicitly gain acceptance to these terms from users on your site. Making sure each site is more transparent with their users about the data they collect and how it is handled is one of the core tenets of the GDPR.

Navigate to Settings > Privacy in your WordPress dashboard to see the new Privacy Policy system. You can use an existing Privacy Policy page if you already have one, or create a new one via a pre-made privacy policy template which gives guidance of what else you can add.

Privacy Policy guide notification

After generating your privacy policy page, a notification with link to the Privacy Policy generator appears. You can use this to write your own privacy policy tailored specifically to your site.

Setting your Privacy Policy here will enable it to be shown automatically on your login and registration pages. Websites typically put the Privacy Policy link in their footer menu, and you should continue doing that so it is globally accessible from anyplace on the site as well.

Commenter Cookie Opt-Ins

In the past, WordPress has always stored the commenter’s name, email and website as a “cookie” in the user’s browser. This cookie allowed fields to be auto-populated on sites, making it easier and quicker for return visitors to comment. In the past, user consent was not required to save these cookies, but that has changed with the GDPR law.

Fortunately, this was a pretty easy fix: WordPress now includes a comment consent checkbox in the comments section of blogs by default.The user now has an option to leave a comment without checking this box. The box is unchecked by default, as users must now explicitly approve its use.

WordPress GDPR comments consent checkbox

WordPress now ships with a comments consent box to opt-in to cookie use in the browser

While you do not need to do anything to enable this checkbox on a typical install, individual themes or plugins may disable it, so be sure to check that your site includes it. You must be logged out in order to see the option.

Personal Data Export and Erase Feature

Personal Data Export and Erase admin menu

Manage Personal Data exports and erasure requests via new pages in the Admin

Probably the most significant change made to core for the GDPR is the new Data Export and Erase feature. This allows a site admin to track down all data associated with a user (by email address) and either export that information to the user to view, or delete it entirely. Out of the box, this tool finds things like image uploads, comments, IP address, user metadata etc. To be clear, this tool is not yet comprehensive. If you are using a third party plugin to create additional user data, these tools may store it in such a way that the core Export and Erase tool is unable to detect. It is up to the third parties to either integrate with the core tool, or create their own export procedure.

After a user contacts you to download or remove their personal data from your site, you must log into your site and enter their email address into the Data Removal tool. This generates an email to the user with a link to verify the request. Once this is done, you can erase all the user’s associated data with just the click of a button.

WordPress Export and Erase admin tool

You can now manage user Export/Erasure requests from the admin

Unlike the comment cookie opt-in, the request is not (yet) put in an obvious place, like a user account settings page etc. Instead, you are meant to explain in the privacy policy how to contact the site owner for download or erasure of their data. The admin must then go into the site and export or remove this information for the user.

Our Work Is Not Done!

While a great deal of time and effort has already been put into these three features, still the GDPR team does not rest! This is just the first version of these features. They will likely be revised and refined, particularly as details of the GDPR compliance come to light. While WordPress cannot force all websites to be compliant, it CAN provide site administrators and users with tools they need to make compliance easier on everyone. And, in doing so, help make the web a safer, more secure place for everyone.