Earlier this year, a group of WordPress volunteers formed a team to introduce GDPR compliance features into WordPress core. Since then, they have been on a dedicated journey to identify all personal data stored in core, create tools to manage privacy features, and establish a central repository to act as a GDPR resource for WordPress users and developers. In this article I will discuss some of the main features and how you can start using them today on your site.
WordPress 4.9.6, released mid-May, introduces the first tools of the GDPR team’s work. 4.9.6 was an automatic update, so your site has probably already been updated to this version already. To be sure, log into your dashboard and check out your current version. Run the update if your site is still behind; some hosts and developers turn off automatic updates on their WordPress installs.
Now let’s get to the good stuff!
Upon logging into the dashboard after updating, there is a popup notification alerting you to the new tools. This leads to a handy guided rundown of the features, but you can dismiss it and explore on your own. In the coming weeks, we will be doing a deep dive into each of these features!
In the past, WordPress has always stored the commenter’s name, email and website as a “cookie” in the user’s browser. This cookie allowed fields to be auto-populated on sites, making it easier and quicker for return visitors to comment. In the past, user consent was not required to save these cookies, but that has changed with the GDPR law.
Fortunately, this was a pretty easy fix: WordPress now includes a comment consent checkbox in the comments section of blogs by default.The user now has an option to leave a comment without checking this box. The box is unchecked by default, as users must now explicitly approve its use.
While you do not need to do anything to enable this checkbox on a typical install, individual themes or plugins may disable it, so be sure to check that your site includes it. You must be logged out in order to see the option.
Probably the most significant change made to core for the GDPR is the new Data Export and Erase feature. This allows a site admin to track down all data associated with a user (by email address) and either export that information to the user to view, or delete it entirely. Out of the box, this tool finds things like image uploads, comments, IP address, user metadata etc. To be clear, this tool is not yet comprehensive. If you are using a third party plugin to create additional user data, these tools may store it in such a way that the core Export and Erase tool is unable to detect. It is up to the third parties to either integrate with the core tool, or create their own export procedure.
After a user contacts you to download or remove their personal data from your site, you must log into your site and enter their email address into the Data Removal tool. This generates an email to the user with a link to verify the request. Once this is done, you can erase all the user’s associated data with just the click of a button.
While a great deal of time and effort has already been put into these three features, still the GDPR team does not rest! This is just the first version of these features. They will likely be revised and refined, particularly as details of the GDPR compliance come to light. While WordPress cannot force all websites to be compliant, it CAN provide site administrators and users with tools they need to make compliance easier on everyone. And, in doing so, help make the web a safer, more secure place for everyone.