WordPress GDPR compliance. Let’s start with an obvious question. Do you even need to bother with GDPR and cookie notice? If you are running a blog or a business website and you have visitors coming to your website from one of 28 members of the European Union – then the answer is yes.
Even if you are in the USA, Canada or Bolivia – if your website is accessible to people from the EU, you need to comply with the GDPR.
In this article, we explain how to make your WordPress website GDPR and EU Cookie compliant. GDPR for WordPress sounds more daunting than it really is.
Keep in mind – none of us here at Blogging Money is a legal expert or a lawyer. We are writing this in good will and with the hopes to educate others. For all business-critical questions concerning GDPR and its legal implications, you might need to consult your lawyer or legal department.
With all this being said, the ideas, and approaches shared in this blog post are the ones we use for ourselves. In essence, we are sharing our experience, but your mileage might vary.
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is the EU law dealing with personal information, protection of data, the right to change information gathered about you, and more. In short – it’s the EU’s effort to regulate the rights of its citizens related to online data and privacy.
The EU laws are notoriously stricter than the user privacy laws in the USA and most other countries. The law itself took effect back on May 25, 2018 – more than a year ago. Even though the GDPR has been around for a while now, we still get asked about its effects and how to make WordPress GDPR compliant.
GDPR is not the same thing as the EU Cookie law, but they are related in that GDPR is much broader and more modern than the older EU Cookie law. You can often spot people searching for “GDPR cookie notice for WordPress” – this article should cover that topic.
There are fines involved
You should not wave your hand and ignore GDPR altogether, thinking – I’m running a small business/blog, no one is going to come after me. While that might be correct, it can also happen that you end up paying fines. And they are hefty.
For example, if you are a large business found in gross violation of GDPR requirements, you will be charged up to 4% of your company’s annual global revenue – or – 20 million euros. Whichever is greater. For our US-based readers, 20M euros is roughly 22.5M US dollars. Not a small amount by any measure.
For more minor offenses, you might be charged 2% of your company’s revenues – it’s a tiered approach to make sure there is some sense of fairness and proportionality to the seriousness of violations.
You will not be charged 4% or 20 million straight away. This tiered approach means that you will get warned, then maybe reprimanded; it might lead to the suspension of your data processing activities and lastly – being fined. But why even risk it?
The regulation itself is a 200+ pages long beast. Say what? Sure, here’s the link so you can read it in all its glory and its 11 chapters.
From the GDPR point of view, personal data is a critical concept. Personal data is defined as any data that can be used to identify a person – either directly or indirectly, by reference to an identifier. The EU considers the name, address, IP address, ID number, location data, or online identifiers all as personal data. And this is not a full list.
GDPR is a beast of a law, and it also deals with data breaches, the right to rectify information, and more.
My obligations under GDPR
As mentioned earlier, GDPR revolves around the concept of personal data and, more precisely, personally identifying information – or PII. If you collect, store, or use PII data – you must comply with GDPR.
But what if I’m only running my small business website or a WordPress blog? Do I collect, store, or use PII data? In short – you probably do. GDPR is relevant to most, if not all, site owners.
If you have a Google Analytics account, Google Tag Manager, or some other tracking and analytics software – you need to comply. Do you collect email addresses and other data from your users and visitors for your email marketing or digital marketing purposes? You need to meet GDPR obligations. Even obtaining a single email address means that you need to make sure your WordPress GDPR compliance is in place.
WordPress GDPR compliance
Luckily, the WordPress team made some changes to the CMS itself, and since version 4.9.6, its core code and software is GDPR compliant. But be warned – this does not mean that the entire website is GDPR compliant. If you add Google Analytics or Facebook ads, or collect emails for a newsletter – you need to ensure compliance on your own.
The critical addition to WordPress dealing with GDPR compliance is the WordPress comment consent, which you can find at the end of this post. You need to check a box to opt in if you want to save your name, email, and website in the web browser you used to access this post.
Previously, when you commented on a blog post, WordPress would place a cookie on your computer so it would be easier for you to add your comments. Now, it can’t do that without your explicit confirmation. One of the GDPR concepts is opt-in – you should not consider that users agree and consent to anything unless you get their explicit opt-in.
This means that it is not enough to show a cookie notice/bar saying that you use cookies and that you hope users are okay with that. They must give you explicit consent for that. We will cover that part in more practical terms a bit later.
Personal data export and erase
Other GDPR compliance features added to WordPress are the personal data export and erase tools. You can find those under Tools in your WordPress admin interface. These tools make it easier for you as a website owner to comply with users’ requests to get their data or to have their data completely removed.
Of course, you might need to consult your lawyer to make sure you are in good shape.
But these are all WordPress core features. Your website will have analytics software, possibly email marketing and newsletter subscription forms, third-party contact forms, and more. You need to ensure that all those are GDPR compliant.
We will cover two major and most common cases: Google Analytics and Google Tag Manager compliance and web forms.
Google Analytics and Google Tag Manager
Regardless if you are using Google Analytics directly or via Google Tag Manager (learn how to integrate Google Analytics and Google Tag Manager here), you need to ensure you are following the GDPR.
Google Analytics collects, tracks, or stores data considered to be PII by GDPR. This includes stuff like user IDs, IP addresses, cookies, and more.
How to make Google Analytics GDPR compliant?
You have two options here to make sure your Google Analytics is GDPR compliant.
Anonymization of IP addresses
The first one is to anonymize PII data like IP addresses. You can do so by following Google’s blog post on the subject. Granted, it’s a bit more technical.
Getting an opt-in consent from users
Another option is to make sure users give you an actual consent enabling you to track them with Google Analytics and Google Tag Manager.
Again, you have two options here.
The easiest one and the one we’d recommend is using the MonsterInsights plugin. It’s the most popular Google Analytics plugin for WordPress. It comes with a specially built MonsterInsights EU compliance addon, and it will automagically anonymize IP addresses, disable UserID dimension, enable ga() compatibility mode and much more.
The beautiful thing is that MonsterInsights will integrate nicely with another free plugin called Cookie Notice, which brings us to the second option.
The second option requires you to get and install the Cookie Notice plugin by dFactory. Once you install and activate the plugin, go to Settings in your WordPress admin and then click on Cookie Notice.
Setting up the Cookie Notice plugin
Under the message, enter the following text:
Under the Button text, enter Accept.
To be compliant with GDPR, you must enable users to reject cookies. Remember – you need both explicit opt-in as well as an ability to revoke your consent.
Under Revoke cookies, enter the following text: “If you want, you can revoke your cookie consent here.”
What you did now is that you enabled users to reject cookies altogether. But, also, you need to allow them to revoke previously given permission. The plugin supports the shortcode [ cookies_revoke ] which you can enter on your Privacy Page.
So, for example, if a user comes to your website and she opts in (accepts the cookies) and later decides to change her mind and revoke them, she can now go to the place where you entered your shortcode. She will see a button saying, “If you want, you can revoke your cookie consent here.” and if she clicks it – the cookies will be revoked.
But none of this will have any effect unless you add actual Google Analytics or Google Tag Manager code in the Script blocking area.
You can see two tabs – Head and Body. Click on Head and paste your GA or GTM code here (the part that should go in <head>).
Click on Body. Now paste the GA or GTM code that goes in <body>.
The code you entered here is only going to be used after the user accepts the cookies. So this is a place where you should add all the relevant code for Google Analytics, Google Tag Manager, or any other solution of this kind.
Make sure you check the Reloading option.
Under Cookie expiry, set the value you need. GDPR doesn’t allow cookies lasting more than one year.
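The setup above boils down to three rules: nothing tracking-related loads until the visitor explicitly opts in, the visitor can revoke that consent later, and the consent cookie itself must not outlive one year. The example below is an added illustration of those rules (together with the IP anonymization option mentioned earlier); it is not code from this post or from the Cookie Notice plugin. It runs under Node without a browser: cookie storage is modelled as a plain object, the cookie name analytics_consent is an assumption, and the gtag snippet it emits uses the anonymize_ip setting as documented for Universal Analytics.

```javascript
// Added example: an opt-in consent gate for analytics tags.
// Not part of the original post or the Cookie Notice plugin.

const CONSENT_COOKIE = 'analytics_consent';      // assumed cookie name
const MAX_AGE_SECONDS = 365 * 24 * 60 * 60;       // one-year cap on consent lifetime

// Parse a document.cookie / Cookie header string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Set-Cookie value recording an explicit "accept". A requested expiry
// longer than one year is clamped down to the cap.
function buildConsentCookie(expirySeconds = MAX_AGE_SECONDS) {
  const maxAge = Math.min(expirySeconds, MAX_AGE_SECONDS);
  return `${CONSENT_COOKIE}=accepted; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Set-Cookie value that revokes consent by expiring the cookie.
function buildRevokeCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Consent is never implied: only the explicit "accepted" value counts.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'accepted';
}

// What the "script blocking" Head/Body areas would emit. Without consent
// nothing is emitted at all, so no tracking request is ever made.
function trackingSnippets(cookieString, measurementId) {
  if (!hasConsent(cookieString)) return { head: [], body: [] };
  return {
    head: [
      `<script async src="https://www.googletagmanager.com/gtag/js?id=${measurementId}"></script>`,
      // anonymize_ip makes Google truncate the client IP before it is stored.
      `<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}` +
        `gtag('js',new Date());gtag('config','${measurementId}',{anonymize_ip:true});</script>`,
    ],
    body: [],
  };
}

// Minimal in-memory cookie jar so the flow can be exercised outside a browser.
function applySetCookie(jar, setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const [name, value] = pair.split('=');
  const maxAgeAttr = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
  const maxAge = maxAgeAttr ? Number(maxAgeAttr.split('=')[1]) : undefined;
  const next = { ...jar };
  if (maxAge === 0) delete next[name]; else next[name] = value;
  return next;
}

function serializeJar(jar) {
  return Object.entries(jar).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('; ');
}

// Walk through a visit: first hit (no consent), accept, then revoke.
function simulateVisit(measurementId) {
  let jar = {};
  const beforeConsent = trackingSnippets(serializeJar(jar), measurementId).head.length;
  jar = applySetCookie(jar, buildConsentCookie(10 * MAX_AGE_SECONDS)); // clamped to 1 year
  const afterConsent = trackingSnippets(serializeJar(jar), measurementId).head.length;
  jar = applySetCookie(jar, buildRevokeCookie());
  const afterRevoke = trackingSnippets(serializeJar(jar), measurementId).head.length;
  return { beforeConsent, afterConsent, afterRevoke };
}

console.log(simulateVisit('UA-EXAMPLE-1')); // constructed measurement id
```

The only state the gate trusts is the literal value "accepted" in the consent cookie, so a missing, malformed, or tampered cookie falls back to no tracking, which is the safe default for an opt-in regime. Wiring this into a real page means replacing the jar with document.cookie and injecting the returned snippets only after the accept button fires.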
The rest of the plugin settings are related to styling and the overall appearance of the cookie notice bar and buttons. Play with them to make sure they fit nicely with your website.
GDPR is not something to be ignored. But, also, it is not something that you should be afraid of. Granted, it might look like that – but if you followed this blog post, chances are you now have a solid understanding of what GDPR is. You also understand how you can make your WordPress site GDPR compliant, and how you can make your Google Analytics GDPR compliant.
If you want to learn more, we suggest you check out these valuable resources: