GDPR for WordPress Project Seeks to Provide a Standard for Plugin Compliance

WordCamp Denmark organizer Kåre Mulvad Steffensen and WP Pusher creator Peter Suhm are working on a GDPR for WordPress project that aims to provide an industry standard for getting plugins compliant with EU General Data Protection Regulation (GDPR) legislation. The deadline for compliance is May 28, 2018, approximately 200 days from now. The Danish duo met at WordCamp Europe a few years ago and were inspired to work together on several projects, with GDPR compliance for WordPress sites being the most urgent item on their list.

“We want to create a standard for plugin creators to describe what kind of data they store and how to handle it,” Suhm said. “With a standard like this it will be possible to build tools to make WP sites compliant with GDPR. That basically means things like generating privacy policies, tools to export sensitive data, and tools to delete it completely. GDPR is pretty complex, so there will likely be a lot of tools around this. The first thing we need is a standard. It’s critical especially for EU based companies, and I can tell you that it’s something people discuss in every meetup and WordCamp over here.”

The GDPR for WordPress site includes a summary of website owners’ obligations in regards to collecting data related to EU citizens. It’s not comprehensive but gives an idea of what items the standard will need to cover:

  • Tell the user: who you are, why you collect the data, for how long and who receives it.
  • Get a clear consent, before collecting any data
  • Let users access their data, and take it with them
  • Let users delete their data
  • Let users know if data breaches occur

Steffensen and Suhm’s first step is surveying WordPress plugin developers to gauge their awareness of the GDPR. They also want to know if developers would be interested in using a free, open source solution, like a simple file with a map of personal and sensitive data stored by their plugins. The GDPR for WordPress team would then use the tool as a foundation to build tools that can take care of compliance by parsing these files.

“When we have the survey data we will continue to work on the standard,” Suhm said. “It will be 100% open source, so everyone can use it to build whatever they see fit afterwards. So far it’s just a lot of ideas and we really want to collect as much input as possible so we can get everyone onboard.”

The team has created a roadmap that that they will update based on feedback from plugin developers. They plan to work on the following:

  • Methodology to describe how a plugin collects, stores, and uses personal data
  • Methodology file builder for plugin developers to use
  • Provide a clear visual compliance indicator on every plugin installed
  • Privacy policy text builder based on installed (compliant) plugins
  • Provide an administrative overview on each users data being stored, across plugins
  • Provide an administrative way to send user data to a specific user upon request
  • Provide an administrative way to delete user data on a specific user upon request
  • Add site wide Explicit consent checkbox, with detailed yet plain English on what data is stored, how it is used and how long. (This is a replacement for the cookie popup) – possible disablement of submitting actions until consent is given? The request to collect data should happen to every user before any data is collected, that might also mean cookies.

Despite the quickly approaching deadline, solutions aimed at helping WordPress sites to be compliant with the GDPR are virtually non-existent. There are currently only six plugins in the directory with descriptions that mention having been built with GDPR compliance and privacy in mind. Many site owners will be woefully unprepared to comply with the legislation.

A couple of months ago we looked the Wider Gravity Forms Stop Entries plugin, which helps site owners protect the privacy of form submissions by preventing them from being stored in the database. Since many plugins don’t have these options built in, other plugin developers have to extend them to suit their users’ needs. At the moment, there is no standard way of doing this because of the wide variance in how plugins store their data.

This solution the GDPR for WordPress team is proposing is different in that it aims to give plugin authors a standard for including a meta description of the personal and sensitive data that their plugins stores. The GDPR doesn’t prohibit plugins from storing personal identifiable data but it does require website owners to detail what, where, and for what purpose it is stored.

“The problem right now is that it is almost impossible to figure out what information a WordPress plugin stores and where it is stored,” Suhm said. “This will make it possible to build general solutions across plugins to ensure GDPR compliance. An example could be a tool to delete sensitive data from a WordPress site, including the data stored by plugins. That is only possible if plugin authors include some sort of description of their ‘data footprint.'”

The biggest challenge the team has is rallying plugin developers to get on board with following a new standard and updating their plugins to provide a data footprint. This is not an easy task as the burden of compliance falls to the website owners, not individual plugin developers. Even if site owners are motivated to educate themselves, the prospect of figuring out what data is being stored and where can be daunting. If the GDPR for WordPress team can successfully get the plugin developer community on board, they can work together to build a suite of tools that help end users get a broad overview of their sites’ GDPR compliance.

15 Comments


  1. I think this is an important issue that impacts more than EU plug-in developers. It impacts site owners as well so people should get acquainted with the policy. Last I heard the regulation was 360 pages long and not done.

    And if I understand correctly, it impacts site owners outside of the EU if they have EU customers. Which means, many of us also need to audit our plug-ins and 3rd party services to see what data they collect. The fines are substantial.

    From a presentation I heard, it also impacts things like how we set up forms. For example, you shouldn’t have certain options checked by default (e.g. automatically subscribing them to a newsletter). You have to have the user explicitly check those items as opposed to having them turn them off.

    Report

    Reply

    1. You are right Anne. This does impact any site that has EU citizen users. How that is going to be regulated, I’m not sure – it’s a massive undertaking.

      For the standard we’re trying to create, and the many plugins that can be created around that, we’re not too concerned about your geolocation, but rather that you as a website owner and administrator, is able to comply with the GDPR, using it as a measure for how well you handle personal data.

      Report

      Reply

    2. I’m actually thinking of blocking EU visitors on some client sites where there’s zero benefit to the client in having those folks visit. For example, a local non-profit.

      Now, the odds that these sites would GET any EU visitors and that those visitors would want to interact with the site in a way that requires personal information is tiny… but the downside is high.

      Report

      Reply

      1. Is it only EU citizens who deserve to be protected by our poor data protection handling techniques? Do citizens of other countries not fear identity theft?

        Instead of blocking EU citizens you could develop (more) secure sites.

        Report


  2. Such a plugin would be very welcome, because it will reduce the effort needed by website developers to be able to play by the rules.

    In the article it says:

    This is not an easy task as the burden of compliance falls to the website owners, not individual plugin developers.

    However, we can expect website owners to install only GDPR-compliant plugins in the future. Given 2 plugins that offer the same functionality, one being GDPR-compliant and one not, the first one should be the preferred option. So, all plugins should strive to be GDPR-compliant (whatever that means) as much as possible, and the “GDPR for WordPress” project could help achieve this.

    Report

    Reply

    1. I believe we will see an adoption much like the EU Cookie Law (adopted in JetPack 4.9). It takes time, and not all websites will get it at first.

      However, the ones that will adapt quickly are medium and large organizations that have a strong obligation to obey such EU regulations. Now, I don’t have the numbers, but I’m guessing it’s a huge amount of WordPress sites, that all of a sudden becomes un-trustworthy – which is not acceptable to their owners.

      If the community does not set a standard that fits the ecosystem, then those companies might need to seek a more custom build website. A loss for WordPress and the community in general.

      On a more personal level, you could say, that no matter the legislation, there is a strong surge towards privacy, and users are beginning to ask for this kind of protection and knowledge that their data is not misused.

      Report

      Reply

  3. I hate to be a pedant, and I really appreciate what these guys are doing – it will be really useful. But their site doesn’t have a privacy policy and they have an email subscription box.

    I see this a LOT in the world of GDPR compliance: people who say “We’re building something/providing training on GDPR compliance. Sign up here. Send us your email address. Give us your personal data!”…

    …but they have not obeyed even the simplest of data protection rules, and not a bit of GDPR guidance.

    If people want trust in their ability to inform us about GDPR, then they need to show that they are, themselves, not only knowledgable about it, but also implementing some of it.

    I strongly suggest that these guys tell us, when they collect email addresses:

    – who they are, why they collect the data, for how long and who receives it
    – how users can access their data and take it with them
    – how users can delete their data

    Report

    Reply

    1. Your point is very valid Ross, and we’ve been too eager to share our initial idea that the actual website wasn’t the biggest concern for us. I’m sorry for that, and even though we do not fully comply with the future GDPR – we now do have a Privacy Policy that seeks to answer your questions.
      https://www.gdprwp.com/privacy-policy/

      Report

      Reply

      1. Thanks. That’s great. And as I’ve stated elsewhere, I support this project and I’m thankful that you’re taking initiative on it.

        One observation here is that GDPR will make launching small projects much harder. You can’t just fire up an instance of BuddyPress or bbPress – you need to consider the ramifications of your data collection.

        This is a GOOD THING!!! We should be paying attention when we collect personal information for any project.

        Report


    2. Yeah, this is a tough concept to enforce. I tried an ethical policy standard a while back internally and it worked well with our internal teams. I then tried a public “call for contributors” in a toxic WP group and got blasted by whiney #wpbabies who spend their lives criticizing other people trying to do some good.

      I also reached out to Mika to see if she thought if an ethical policy standard was a good idea, she said “Yes, but nobody would ever comply.” I just gave up.

      So, I applaud this effort, but it takes a lot of support and compliance from the community, without prejudice, or else it will just open the flood gates for trolls. Good luck!

      Report

      Reply

  4. Probably one of the single most important things to affect website owners, managers and developers for a long time. I should expect that it will upend a lot of core, plugin, and website developers all across the world — not just EU — due to the global focus of many internet sites that rely on WordPress technology (magazines/publishers face some of the biggest challenges).

    I would say that an open source community solution suits this challenge and urge these guys to establish some kind of non-profit entity to be able to collect funding to empower them and other developers to invest time and effort into this. 200 days is a pretty significant deadline!

    Report

    Reply

  5. I have a feeling this will go the way of the a11y law, at least when it comes to American plugin developers. These are some big changes that need to be implemented in massive plugins in a short amount of time.

    Regarding the portable/deleting data, how would that affect store metrics? Can I store that purchase amount anonymously if the customer wants to delete it? Can I store their country anonymously after they delete their account/data?

    Lots of questions, especially surrounding eCommerce sites. It will be interesting to see how this progresses.

    Report

    Reply

  6. How will the GDPR affect European minors using WP?

    From GDPR FAQ:

    Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

    Since WP requires an email address, and email is personal, will European users have to be 16 years old to use WordPress?

    Thank you,
    Mitchell

    Report

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *