  1. Anne H

    I think this is an important issue that impacts more than EU plug-in developers. It impacts site owners as well so people should get acquainted with the policy. Last I heard the regulation was 360 pages long and not done.

    And if I understand correctly, it impacts site owners outside of the EU if they have EU customers. Which means, many of us also need to audit our plug-ins and 3rd party services to see what data they collect. The fines are substantial.

    From a presentation I heard, it also impacts things like how we set up forms. For example, you shouldn’t have certain options checked by default (e.g. automatically subscribing them to a newsletter). You have to have the user explicitly check those items as opposed to having them turn them off.


    • Kåre Mulvad Steffensen

      You are right Anne. This does impact any site that has EU citizen users. How that is going to be regulated, I’m not sure – it’s a massive undertaking.

      For the standard we’re trying to create, and the many plugins that can be created around that, we’re not too concerned about your geolocation, but rather that you, as a website owner and administrator, are able to comply with the GDPR, using it as a measure for how well you handle personal data.


    • Rick Gregory

      I’m actually thinking of blocking EU visitors on some client sites where there’s zero benefit to the client in having those folks visit. For example, a local non-profit.

      Now, the odds that these sites would GET any EU visitors and that those visitors would want to interact with the site in a way that requires personal information is tiny… but the downside is high.


  2. Leo

    Such a plugin would be very welcome, because it will reduce the effort needed by website developers to be able to play by the rules.

    In the article it says:

    This is not an easy task as the burden of compliance falls to the website owners, not individual plugin developers.

    However, we can expect website owners to install only GDPR-compliant plugins in the future. Given 2 plugins that offer the same functionality, one being GDPR-compliant and one not, the first one should be the preferred option. So, all plugins should strive to be GDPR-compliant (whatever that means) as much as possible, and the “GDPR for WordPress” project could help achieve this.


    • Kåre Mulvad Steffensen

      I believe we will see an adoption much like the EU Cookie Law (adopted in JetPack 4.9). It takes time, and not all websites will get it at first.

      However, the ones that will adapt quickly are medium and large organizations that have a strong obligation to obey such EU regulations. Now, I don’t have the numbers, but I’m guessing it’s a huge number of WordPress sites that all of a sudden become untrustworthy – which is not acceptable to their owners.

      If the community does not set a standard that fits the ecosystem, then those companies might need to seek a more custom-built website. A loss for WordPress and the community in general.

      On a more personal level, you could say that no matter the legislation, there is a strong surge towards privacy, and users are beginning to ask for this kind of protection and knowledge that their data is not misused.


  3. Ross Wintle

    I hate to be a pedant, and I really appreciate what these guys are doing – it will be really useful. But their site doesn’t have a privacy policy and they have an email subscription box.

    I see this a LOT in the world of GDPR compliance: people who say “We’re building something/providing training on GDPR compliance. Sign up here. Send us your email address. Give us your personal data!”…

    …but they have not obeyed even the simplest of data protection rules, and not a bit of GDPR guidance.

    If people want trust in their ability to inform us about GDPR, then they need to show that they are, themselves, not only knowledgeable about it, but also implementing some of it.

    I strongly suggest that these guys tell us, when they collect email addresses:

    – who they are, why they collect the data, for how long and who receives it
    – how users can access their data and take it with them
    – how users can delete their data


    • Kåre Mulvad Steffensen

      Your point is very valid Ross, and we’ve been too eager to share our initial idea that the actual website wasn’t the biggest concern for us. I’m sorry for that, and even though we do not fully comply with the future GDPR – we now do have a Privacy Policy that seeks to answer your questions.


      • Ross Wintle

        Thanks. That’s great. And as I’ve stated elsewhere, I support this project and I’m thankful that you’re taking initiative on it.

        One observation here is that GDPR will make launching small projects much harder. You can’t just fire up an instance of BuddyPress or bbPress – you need to consider the ramifications of your data collection.

        This is a GOOD THING!!! We should be paying attention when we collect personal information for any project.


    • Tai

      Yeah, this is a tough concept to enforce. I tried an ethical policy standard a while back internally and it worked well with our internal teams. I then tried a public “call for contributors” in a toxic WP group and got blasted by whiney #wpbabies who spend their lives criticizing other people trying to do some good.

      I also reached out to Mika to see if she thought an ethical policy standard was a good idea; she said “Yes, but nobody would ever comply.” I just gave up.

      So, I applaud this effort, but it takes a lot of support and compliance from the community, without prejudice, or else it will just open the flood gates for trolls. Good luck!


  4. Matt Scheurich

    Probably one of the single most important things to affect website owners, managers and developers for a long time. I should expect that it will upend a lot of core, plugin, and website developers all across the world — not just EU — due to the global focus of many internet sites that rely on WordPress technology (magazines/publishers face some of the biggest challenges).

    I would say that an open source community solution suits this challenge and urge these guys to establish some kind of non-profit entity to be able to collect funding to empower them and other developers to invest time and effort into this. 200 days is a pretty significant deadline!


  5. Luke Cavanagh
  6. Daron

    I have a feeling this will go the way of the a11y law, at least when it comes to American plugin developers. These are some big changes that need to be implemented in massive plugins in a short amount of time.

    Regarding the portable/deleting data, how would that affect store metrics? Can I store that purchase amount anonymously if the customer wants to delete it? Can I store their country anonymously after they delete their account/data?

    Lots of questions, especially surrounding eCommerce sites. It will be interesting to see how this progresses.


  7. Mitchell

    How will the GDPR affect European minors using WP?

    From GDPR FAQ:

    Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

    Since WP requires an email address, and email is personal, will European users have to be 16 years old to use WordPress?

    Thank you,


  8. Kåre Mulvad Steffensen

    Status on the GDPRWP project, now ready on:

