New Privacy Features in WordPress 4.9.6 for GDPR Compliance

With the EU’s GDPR deadline looming large in everyone’s mind, WordPress has released Version 4.9.6, which includes several new privacy-related features to help WordPress site owners comply with GDPR regulations. Here’s a rundown of the new features:

Comments


WordPress has always had the ability for users to leave comments (assuming that the site allows for it), and the ability for them to leave their information (name and email address) behind so that the site owners can contact them.

Previously, WordPress stored this information in a cookie in the commenter’s browser automatically. Now there is a checkbox where the user must opt in to this functionality, so cookies are not stored unless the user consents to it.

Privacy Policy

WordPress now includes the ability to designate a page on your site as your Privacy Policy, which it will then include on your login and registration pages. However, it will not include it anywhere on the other pages of your site, so you’ll want to add a link to it somewhere, most likely in the footer of your website.

More importantly, it includes the ability to generate a starter template for your Privacy Policy. The template includes information about how WordPress uses cookies and stores information natively, along with some empty sections that you can fill in yourself. We’ve created a version of this so you can see what this looks like here.

WordPress has also created a section of their plugin developer handbook that deals with privacy. They’ve added methods for plugin developers to add content to the Privacy Policy page to inform users of how their specific plugins collect and use information.

Data Handling Tools

In addition to the tools WordPress has added to inform users about privacy concerns, they’ve added tools for site owners to manage user data to comply with GDPR regulations. This includes two separate tools: Data Export and Data Erasure.

The Data Export tool allows site owners to export all of the data about a specific user by entering their email address into the admin interface in WordPress. When the site owner or manager does this, WordPress sends the user an email to confirm the request. Once they’ve confirmed the request, administrators can go back to this interface to send the user their data. You can also see past requests, and remove them if you’d like to do so. In the WordPress interface, you can find this tool in the left navigation menu as Tools » Export Personal Data.

The Data Erasure tool works in a similar fashion to the Data Export tool, where an administrator inputs an email address and an email is sent to the user. Once it’s confirmed, the administrator can then use the interface to erase all data about the user. You can find this tool in the left navigation as Tools » Erase Personal Data.

It’s very important to note that these tools will only affect core WordPress data unless plugins are updated to use the WordPress tools that export or erase personal data. Typically plugins update quickly, but as the owner of the website and data controller, it is your responsibility to make sure the plugins aren’t retaining data that isn’t being handled by this tool.
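
One way to check which active plugins have hooked into the export and erase tools, as an added example that is not from the original post or from WordPress itself. It assumes WP-CLI, PHP 7 or later and a single-site install; the file name `privacy-hook-audit.php` and the `pha_` function names are made up for this example.

```php
<?php
// Added example, not WordPress core code. Run on a single-site install with
// WP-CLI: wp eval-file privacy-hook-audit.php (the file name is an assumption).

// Return the file that defines a callback, or false if it cannot be resolved.
function pha_callback_file( $callback ) {
	try {
		if ( is_string( $callback ) && false !== strpos( $callback, '::' ) ) {
			$callback = explode( '::', $callback, 2 );
		}
		if ( is_array( $callback ) ) {
			$ref = new ReflectionMethod( $callback[0], $callback[1] );
		} else {
			$ref = new ReflectionFunction( $callback ); // function name or closure
		}
		return $ref->getFileName();
	} catch ( Throwable $e ) {
		return false;
	}
}

// Map the callbacks registered on a privacy filter to plugin directory names.
function pha_plugins_with_hook( $filter ) {
	$root  = wp_normalize_path( WP_PLUGIN_DIR ) . '/';
	$found = array();
	foreach ( (array) apply_filters( $filter, array() ) as $entry ) {
		$file = isset( $entry['callback'] ) ? pha_callback_file( $entry['callback'] ) : false;
		$file = $file ? wp_normalize_path( $file ) : '';
		if ( 0 === strpos( $file, $root ) ) {
			// The first path segment under the plugins directory names the plugin.
			$found[ strtok( substr( $file, strlen( $root ) ), '/' ) ] = true;
		}
	}
	return $found;
}

// These two filters are where core and plugins register exporters and erasers.
$exporters = pha_plugins_with_hook( 'wp_privacy_personal_data_exporters' );
$erasers   = pha_plugins_with_hook( 'wp_privacy_personal_data_erasers' );

// Report every active plugin and whether it registered each kind of handler.
foreach ( get_option( 'active_plugins', array() ) as $plugin ) {
	$slug = strtok( $plugin, '/' );
	printf(
		"%-40s exporter: %-3s eraser: %s\n",
		$slug,
		isset( $exporters[ $slug ] ) ? 'yes' : 'NO',
		isset( $erasers[ $slug ] ) ? 'yes' : 'NO'
	);
}
```

A NO is a prompt to review what that plugin stores, not proof that it retains personal data, and a yes does not prove the plugin covers everything it collects. Plugins that register these filters only in the admin context may be missed when the script runs from WP-CLI.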

Summary

Overall, WordPress has included some very useful tools for both site owners and developers to help with the management of their GDPR burden. However, like anything GDPR-related, it’s going to take some extra effort to make sure you’re utilizing them to fully comply with new regulations.