What are the requirements of GDPR for WordPress sites

Last edited: October 28, 2023
Reading time: 12 mins
Topic: GDPR


Now let’s discuss a relatively boring (we have to admit) but crucial aspect of every WordPress website. We know you all love designing and code snippets, but there’s more to it if you want to deliver a legitimate browsing experience. In today’s digital age, where websites are ubiquitous and data privacy is a paramount concern, website owners must navigate a complex landscape of legal requirements to protect their users’ personal information. If you own a WordPress website, understanding the regulatory framework that applies to your specific situation is essential. Whether you’re based in Europe or the USA (or any other part of the world), you need to be aware of the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act), two significant data privacy laws that can impact your website’s operations. In this article, we’ll explore the key differences between these regulations and help you determine which one is relevant to your WordPress site, enabling you to uphold the highest standards of data protection and user privacy.

What does the law state

Compliance points for administrators and owners who maintain websites:

The following rules apply to HTTP/S cookies, to Flash cookies, to HTML5 “local storage”, to identification by fingerprinting the terminal device, to identifiers generated by operating systems (whether for advertising purposes or not: IDFA, IDFV, Android ID, etc.), to hardware identifiers (MAC address, serial number or other device identifier), etc.

In the current article, the term “tracker” will be used as the most appropriate to refer to these cookies and their respective tracking techniques.

Obligation to Obtain Consent and Exceptions

  1. In order to place a tracker on a terminal device, the consent of the user is required in principle, regardless of whether personal data is ultimately processed through it.
  2. The trackers that are exempt from the obligation to obtain consent are those that are considered technically necessary to make the connection to the website or to provide the internet service that the user himself has requested.

Indicative categories of trackers (cookies and related technologies) that fall under the above exception are those that are necessary:

  • to identify and/or maintain content entered by the subscriber or user during a connection (session) to a website throughout the duration of that connection, such as a “shopping cart”
  • to connect the subscriber or user to services that require authentication
  • for user safety and general security reasons
  • for carrying out load balancing on a connection to a web page
  • to maintain the user’s choices regarding the presentation of the website, e.g. language selection, saved search history
  3. Trackers installed for the purpose of online advertising do not fall under the exception, so they are only allowed if the user’s consent has been obtained after appropriate information has been provided.
  4. The use of third-party trackers, such as the Google Analytics service for the purpose of statistical analysis (web analytics), requires the consent of the website user.
  5. Similarly, HubSpot cookies are not necessary cookies, therefore user consent must be given before installing them on the user’s device.

Common bad practices that are 100% against the law:

  1. Trackers necessary for the operation of the website are used, but no information is provided to the user.
  2. Google Analytics is used for statistical analysis (web analytics) with only information given to the user and no possibility of rejection, or with no information at all.

How to inform visitors

  1. Information and consent can be given through the internet service provider’s website using appropriate mechanisms (e.g. with pop-up windows or a banner).
  2. It is legitimate to provide the information in several levels (layers), as long as the user’s consent is sought only after the user has been specifically informed, at least about the categories of trackers used.
  3. Through the information message (whether it is a pop-up window or otherwise) specific information must be provided for the purpose of each tracker used, and not general information about the use of trackers.
  4. For each tracker or category of trackers for the same purpose, the duration of operation, the identity of the controller, the recipients or categories of recipients of the data should be stated.
  5. The content of the notice should be easy to read regardless of the terminal device from which it is accessed (portable or fixed device).

Bad practices for informing visitors

  1. Only a general information on the use of trackers is provided within a general data protection policy text.
  2. The information about the use of trackers in the first level of the pop-up window is limited to only general text that mentions that such techniques are used, e.g. cookies for the best experience, best presentation, etc.
  3. The text of the notice is not easy to read because it does not adapt to the type of terminal device from which it is accessed (portable or fixed device).

Acquiring user consent 

  1. Consent requires clear affirmative action. Pre-filled boxes, simply continuing to navigate or scrolling are not acceptable forms of consent.
  2. The user is not considered to have given consent merely because the browser (navigation program) is set to accept cookies.
  3. In the absence of any selection event (neither acceptance nor rejection), no unnecessary tracker shall be used.
  4. The user should be able, with the same number of actions (“clicks”) and from the same level, either to accept the use of trackers (those for which consent is required) or to reject it, either all at once or each category separately.
  5. The user must have the possibility to withdraw his consent in the same way and with the same ease with which he declared it.
  6. Not giving consent to the use of trackers should not lead to exclusion from accessing the content of the website (avoidance of a “cookie wall”).
  7. To ensure that the user is not steered by design choices towards the accept option over the reject option, it is recommended to use buttons and fonts of the same size, emphasis and color, which provide the same ease of reading.
  8. Regardless of whether the trackers are accepted or rejected, the pop-up window must re-prompt the user after the same amount of time. That is, the length of time the user’s choice is “held” is the same whether the user rejects or accepts the trackers. It goes without saying that the tracker used to store this choice of the user is technically necessary.

Bad practices for acquiring user consent

  1. To obtain consent, there is simply a choice of the format “OK, I have been informed” or “OK, I agree”, without the possibility to continue navigation seamlessly (with the removal of the message in question) if the user does not choose the above.
  2. There is no option to decline the use of trackers in the pop-up window, only to accept all.
  3. The possibility to reject the use of trackers is given only at the second level of information, i.e. after “clicking” on a hyperlink with “more information”, “settings”.
  4. Closing the popup/dialog results in the use of unnecessary trackers.
  5. Continued navigation or scrolling after the pop-up window appears leads to the installation of unnecessary trackers.
  6. The size and color of the “accept” or “consent” button strongly steers the user’s choice, e.g. it is too large and bold and/or pre-selected.
  7. The pop-up window only allows the acceptance of non-necessary trackers by referring to a general data protection or privacy policy.
  8. Once accepted or rejected by the user, there is no way to change their preferences.
  9. After acceptance or rejection by the user, a change to their preferences can only be made by changing their web browser settings.
  10. In the case of rejecting the trackers, the user is constantly prompted through the pop-up window to make a new choice. The same does not apply when he accepts, since his choice is maintained for a longer period of time.

Wrapping up GDPR requirements

From gathering all useful points we conclude that the following are the most crucial:

  1. Every cookie which is not required for browsing the website must not be served prior to the user’s consent. Currently they are served regardless. That includes (but is not limited to) Google Analytics, HubSpot, Google Tag Manager, Google Adwords, etc. A clear acceptance action must take place, like hitting the Accept button (scrolling down does not count).
  2. There must be a clear option for rejecting cookies, and the opt-out process must not be any harder than the Accept Cookies process.
  3. Categories for cookies are not mandatory. They were initially used to increase the chance of the user accepting more cookies, by choosing to reject only some of the categories. It is not a guideline; on the contrary, it is used to make the opt-out process more difficult. This sounds sneaky but is allowed because it has a justified cause, under the guise of offering more options to the visitor.
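The consent rules collected above (no non-essential tracker before an explicit choice, reject as easy as accept, withdrawal at any time, and the same lifetime for either choice so the banner re-prompts after the same interval) can be enforced by a small client-side gate. The following JavaScript is an added example written for this article, not code from the original post or from any of the plugins it mentions. The tracker names and categories, the 180-day lifetime, and the `cookie_consent` storage key are assumptions; storage and clock are injected so the logic runs unchanged in Node.js or in a browser.

```javascript
// Added example (not from the original post): a consent gate for a WordPress
// front end. Storage and clock are injected so the logic runs in Node.js; in a
// browser, pass an object backed by localStorage or document.cookie.

// Assumed lifetime of a stored choice. It is the SAME for accept and reject,
// so the banner re-prompts after the same interval whichever way the user chose.
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;

// Constructed tracker registry. Only "essential" trackers may run with no choice.
const TRACKERS = [
  { id: "wp_session",       category: "essential" }, // login / shopping-cart session
  { id: "site_language",    category: "essential" }, // presentation preference
  { id: "google_analytics", category: "analytics" },
  { id: "hubspot",          category: "marketing" },
];

function createConsentManager({ storage, now = () => Date.now(), trackers = TRACKERS }) {
  const KEY = "cookie_consent"; // the one tracker that is itself "technically necessary"
  const optionalCategories = [...new Set(
    trackers.filter((t) => t.category !== "essential").map((t) => t.category),
  )];

  // Returns the stored choice, or null when there is none or it has expired.
  function readChoice() {
    const raw = storage.get(KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (now() >= rec.expires) {
      storage.delete(KEY); // expired: re-prompt, regardless of what was chosen
      return null;
    }
    return rec;
  }

  // Records a choice. Accept and reject go through the same single call with
  // the same lifetime, so neither path costs the user more effort.
  function writeChoice(acceptedCategories) {
    const rec = {
      accepted: acceptedCategories.filter((c) => optionalCategories.includes(c)),
      decidedAt: now(),
      expires: now() + CONSENT_TTL_MS,
    };
    storage.set(KEY, JSON.stringify(rec));
    return rec;
  }

  return {
    // True when the banner must be shown: no choice yet, or the choice expired.
    needsPrompt: () => readChoice() === null,
    acceptAll: () => writeChoice(optionalCategories),
    rejectAll: () => writeChoice([]),
    acceptCategories: (cats) => writeChoice(cats),
    // Withdrawal is one action, exactly like giving consent.
    withdraw: () => writeChoice([]),
    // The only function a page should consult before loading a tracker script.
    // Closing the banner or scrolling never writes a record, so until an
    // explicit choice exists this returns essential trackers only.
    allowedTrackers: () => {
      const rec = readChoice();
      return trackers
        .filter((t) => t.category === "essential" || (rec !== null && rec.accepted.includes(t.category)))
        .map((t) => t.id);
    },
  };
}

// Stand-alone demo with an in-memory store (a browser would wrap localStorage).
const demo = createConsentManager({ storage: new Map() });
console.log("before any choice:", demo.allowedTrackers());
demo.acceptCategories(["analytics"]);
console.log("after accepting analytics:", demo.allowedTrackers());
demo.withdraw();
console.log("after withdrawal:", demo.allowedTrackers());
```

The design point is that every tracker script on the page is loaded only after `allowedTrackers()` lists it; the banner's Accept, Reject and Settings buttons all map to one call each, and the footer or floating “Settings” button described later simply calls `withdraw()` or `acceptCategories()` again, which is why changing a choice costs the same single action as giving it.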

Additional requirements

DPO – Data Protection Officer

It is mandatory for every company to maintain a Data Protection Officer. She/He will be responsible for any data, resources and communications regarding privacy issues of the website. As UK GDPR states:

The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.

  • DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO). 
  • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases several organisations can appoint a single DPO between them.
  • DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

Data Retention Policy

Data retention policy is a little bit less clear, as the law states that:

‘Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.

That clearly has a very wide range, but probably the general UK HR data retention period applies, which is 3 years for private companies and 6 years for public limited companies.

Proof of consent

This is a very important aspect of the law which is usually overlooked. The GDPR states that companies are obligated to hold records as proof of every consent obtained, in a way that can help resolve any potential dispute between website owner and visitor.

It is required that at any given time, a company must be able to verify:

  • Existence of any given consent
  • Relation between consent and user
  • Information that was acquired as a result of the consent (e.g. what cookies were installed after consent)
  • Information that was given prior to the consent and what was actually shown (e.g. what the cookie banner text, the Accept button and the Reject button said at the time of the consent)

Ability to change consent given at all times

Another requirement of GDPR is that the option to change the consent given must be available at all times. This means that the user must have the ability to opt out (or opt in) after the first choice, with the same amount of effort. The law states that the “Settings” process must be displayed on every page, although it is not very clear whether having the settings button floating and visible at all times is necessary. Worldwide industry implementation (considering only proper GDPR implementations around the web) uses one of the following standards:

  • Floating settings button
  • Settings button in footer 

Regardless of the 2 above, settings should be also available in the upper part of the Cookie Policy page.

In terms of real-world examples, about 25% of the industry uses a floating button and around 75% just keep the settings button in the footer. (Personally, we usually go with the footer button, but this needs clarification, e.g. by a lawyer in your country.)

Implementation on company website

Options for implementing proper GDPR compliance vary based on the size and resources of a company. Large enterprises with strict GDPR guidelines and extensive staff usually prefer 3rd-party automated software to fully implement the Cookie Policy, while several notable plugins cater to different website needs:

  1. CookieBot: CookieBot is a well-established 3rd-party solution trusted by many large corporations. It provides comprehensive cookie management, scanning, and compliance tools. It automates the scanning of your website for cookies and generates detailed reports.
  2. CookiePro: CookiePro, another popular choice, offers a suite of tools for cookie consent management, compliance, and website scanning. It simplifies GDPR compliance and provides options for both automated and manual cookie scanning.
  3. GDPR Cookie Consent: For WordPress users, the “GDPR Cookie Consent” plugin is a common choice. It simplifies cookie consent and compliance for smaller websites and blogs. It provides customizable consent banners and cookie scanning tools.

Other ways to help harden the GDPR approach

Backup frequency spread

Currently, our backups go back up to 1 month. Apart from other benefits, keeping records of a backup up to 3 years (or as long as the maximum data retention period is), is going to provide an additional layer of security in terms of record keeping and data restoration capabilities.

Data access archive

It would be good to have some kind of resource (e.g. an Excel document) where all company individuals who have access to customer data are recorded.

About CCPA

On the other hand, CCPA is much more convenient for website administrators. The California Consumer Privacy Act (CCPA) is a significant privacy law that was enacted in the state of California, United States. It empowers California residents with enhanced control over their personal data and has implications for businesses that collect, store, or process this data. While often compared to the GDPR (General Data Protection Regulation) due to its focus on data privacy, it is crucial to understand that the CCPA has its unique set of requirements, including key differences from the GDPR. This comprehensive guide explores the CCPA, its key provisions, and highlights its distinctions from the GDPR.

  1. What Does the CCPA State?

The CCPA is designed to enhance the privacy rights of California consumers by granting them several key rights:

a. The Right to Know: Consumers have the right to request that businesses disclose what personal information they have collected, used, and shared about them.

b. The Right to Delete: Consumers can request the deletion of their personal information held by businesses, subject to certain exceptions.

c. The Right to Opt-Out: Consumers have the right to opt-out of the sale of their personal information, and businesses must provide a “Do Not Sell My Personal Information” link on their websites.

d. The Right to Non-Discrimination: Businesses are prohibited from discriminating against consumers who exercise their privacy rights.

  2. Key Differences from the GDPR:

While both the CCPA and the GDPR aim to protect individuals’ privacy, there are notable distinctions between these regulations:

a. Consent vs. Notice: One of the most significant differences is the approach to user consent. Under the GDPR, explicit consent is often required for data processing, while the CCPA primarily emphasizes providing consumers with notice about data collection and sale practices.

b. Data Subject Rights: The GDPR grants data subjects numerous rights, including the right to access, rectify, and object to data processing. The CCPA focuses on specific rights, such as the right to know, delete, and opt-out of data sales.

c. Applicability: The CCPA specifically applies to businesses that collect personal information from California residents. The GDPR, on the other hand, has extraterritorial reach, affecting businesses worldwide if they process the data of EU residents.

d. Penalties: The GDPR imposes substantial fines for non-compliance, while the CCPA enforces penalties through civil actions and does not have explicit regulatory fines.

e. Data Protection Officers (DPOs): The GDPR mandates the appointment of Data Protection Officers (DPOs) for certain organizations. The CCPA does not require the appointment of DPOs.

  3. Acquiring User Consent under CCPA:

As mentioned earlier, the CCPA does not require the same level of user consent as the GDPR. Instead, it focuses on providing users with clear notice about data practices. While explicit consent is essential under the GDPR, the CCPA’s emphasis is on transparency and the ability for consumers to opt-out of data sales.

  4. Compliance and Best Practices:

To comply with the CCPA, businesses should consider the following best practices:

a. Implement Clear Privacy Notices: Businesses should provide easily accessible and understandable privacy notices to inform users about data collection, usage, and sale practices.

b. Establish Opt-Out Mechanisms: Businesses must offer mechanisms for users to opt-out of the sale of their personal information and provide a “Do Not Sell My Personal Information” link on their websites.

c. Ensure Data Security: Protecting consumer data is vital. Implement robust data security measures to safeguard personal information.

d. Prepare for Data Access and Deletion Requests: Be ready to respond to user requests for access and deletion of their data.

e. Monitor Updates and Amendments: Keep track of changes in CCPA regulations, as it is subject to amendments, and ensure ongoing compliance.

Go “by the book” and Implement your Cookie Policy on WordPress!

Whether you own a WordPress website in Europe (GDPR) or in the USA (CCPA), it is crucial to understand the legal requirements that apply to your specific situation. The GDPR and CCPA, though distinct in many ways, share the common goal of protecting users’ privacy rights and data. By staying informed about the relevant regulations and implementing the necessary measures, you can ensure that your website respects the privacy and consent of your visitors, regardless of their location. Remember, compliance is not only a legal obligation but also a commitment to building trust and credibility with your audience. So, take the necessary steps to secure your website and show your dedication to safeguarding user data.