WordPress 4.9.6 Beta 1 Adds Tools for GDPR Compliance

WordPress 4.9.6 Beta 1 is available for testing. It’s the first step in bringing GDPR (General Data Protection Regulation) tools to WordPress. In addition to 10 bugs being fixed, this release heavily focuses on privacy enhancements.

One of the first changes is the addition of a Privacy tab on the successful update screen. The message informs users that their sites may send data to WordPress.org for plugin and theme updates with a link to the WordPress.org privacy policy.

WordPress 4.9.6 Privacy Information

Privacy Policy Page Creation and Template

WordPress 4.9.6 includes the ability to create a Privacy Policy page from the backend. Simply browse to Settings > Privacy and select an existing page or create a new one where the policy will be displayed.

Privacy Policy Page Settings

Privacy policy pages will likely become as ubiquitous as About Us pages thanks to the GDPR, but the information that’s displayed is unique to individual sites. WordPress helps out by providing a template with suggestions on what information to display.

Privacy Policy Template

Personal Data Export and Removal Tools

To comply with the GDPR, sites need to provide a way for users to obtain their personal data and request that it be removed. WordPress 4.9.6 does not give users a button to make these requests. Instead, a site’s privacy policy needs to  include information on where to send such requests.

Once a request for a data export or removal is received, site administrators or the Data Protection Officer can browse to Tools > Export Personal Data or Tools > Remove Personal Data and send that user a verification request.

Export Personal Data Verification UI
Data Removal Request Verification UI

When an admin enters a username or email address into the send request field, they’ll receive an email with a confirmation link. Once clicked, the site will display an Action Confirmed notice and that the site administrator has been notified and will fulfill the request as soon as possible.

Here’s what a confirmed notice looks like in the backend.

Confirmed Data Export Request

One thing I noticed is that after a user confirms the request, the site administrator has no way of knowing that they confirmed unless they visit the Data Export or Removal page.

Perhaps a new notification bubble can be created, similar to pending comments and updates that takes admins to the appropriate place for confirmed requests.

When WordPress finishes creating the zip file, a link is sent to the user. For security purposes, the file will automatically be deleted after 72 hours.

My Personal Data Export

To test this feature, I exported my personal data from WP Tavern. My data export arrived in a zip file as one Index.html file. This file contains my comments, user meta data, links to attachments, and more. The data provides me with an opportunity to see what data the site has and what would be deleted if I requested full data removal.

Commenter Cookie Notification and Opt-in

Cookies save data so that visitors don’t have to fill in the Author, URL, and Email fields each time they want to leave a comment. In 4.9.6, visitors will be informed of this data storage and will need to check mark a box to opt-in.

Checkbox For Consenting to Data Storage

WordPress 4.9.6 isn’t your typical minor release. It introduces new UI, options, and a bunch of privacy related enhancements. The development team is aiming to officially release 4.9.6 before GDPR goes into effect later this month, but these features need battle tested now, especially on multi-site configurations.

I encourage you to check out 4.9.6 on a staging site and go through the process of requesting, confirming, and obtaining user data. Now is a good time to experience what users will be going through.

You can download WordPress 4.9.6 beta 1 here or obtain it by using the WordPress Beta Tester plugin. If you encounter any issues, please report them on the Alpha/Beta section of the support forums.


62 responses to “WordPress 4.9.6 Beta 1 Adds Tools for GDPR Compliance”

  1. I was surprised to see the WordPress team do this, but can definitely say this is going to be a BIG help for many people, especially for sites that collect data from e-commerce activity, sign-ups, and even just basic user registration.

    Definitely going to try this out on a test site.

  2. Great and important article Jeff! GDPR is real challange for devs and CMSes, the penalties are just insane…but the consumer inside me was waiting for sooo long for that. Hope it will reduce any kind of spam, personalised ads, and all the excess data bandwith caused by metadata.

    What about Sarah? She did not post this year.

    • It was a good article and saw it on my twitter and dropped everything to come read it. I also took the liberty to message Joomla to see if they will be doing something similar (yes, I use Joomla for my own site). If not, who knows, maybe I will change up to WordPress just for that! But the penalties are insane and just because someone isn’t in Europe, won’t save them.

      • “…just because someone isn’t in Europe, won’t save them…”
        This post isn’t about the application if the said law, GDPR, but I think I should point is out. EU law isn’t a world law. Neither can EU enforces their law on Africa, etc. to do so is monopoly.

        WordPress should be more concern in developing the core, and not implementing a minority law.
        There are programmers and plugins that cantake good care of things like GDPR just as jetpack is taking care of EU cookies law.

        WirdPress should focus on feature and functions.

        • Just wondering, when people like Facebook, Google, even WP comply because they have a big EU presence, where does that leave me? Do I say it’s not my issue, blame them? I think “stuff” flows down hill.

  3. I have lost all trust and faith in Automattic, after all the propaganda regarding Gutenberg. They are proving their worth here once again – “From time to time, your WordPress may (MAY?????) send data to wordpress.org” !!!

    I want one credible and honest core developer to explain just one instance where my WP site will not sent any data back to them. My point is, I know it always sends data, you know it always sends data, we ALL know it as a fact, so why lie about it? Just for once don’t be creepy, and just say that it sends data – period, and drop the “may”.


    • When the user has generated or chosen a page for the Privacy Policy, there is an option saved with the name ‘wp_page_for_privacy_policy’ that stores the post_id of that privacy policy.
      That way you can link to it from the frontend.

  4. The title of the Privacy policy suggests that it actually has scanned both theme and plugins and the output is based on that.

    This suggested privacy policy text comes from plugins and themes you have installed.

    However, when reading through the generated privacy policy, it only shows general information and it does the exact opposite of what it says it does.

    For example on the box where I installed the 4.9.6-beta1 release, there is no analytics plugin present, however the text suggests me to add the details of such.

    Can’t help to get the feeling that this is yet another half-baked WP Core effort.

    • I imagine that plugins and themes will have to add the functionality on their end. But seeing as it is still in beta, it’s likely no plugins or themes have added that functionality.

      I seriously doubt WP scans your plugins and comes up with its own text to insert based on what you have activated. There’s no way for WP core to know enough about every plugin to do that.

      • I seriously doubt WP scans your plugins and comes up with its own text to insert based on what you have activated. There’s no way for WP core to know enough about every plugin to do that.

        Then the text that shows is misleading at best…

    • If you eventuelly get the data, then yes, you do need to consider GDPR. If on the other hand only store data in the browser to prefill information in forms or similiar it isn’t GDPR-data in this regard, it does however potentially fall under ePrivacy, which is another new EU law dealing with cookies and trackers.

      ePrivacy isn’t part of the GDPR and will be finalized at a later stage. Once it is in effect you will need to obtain consent to set cookies/trackers and provide ways of using your product without cookies/trackers, as opposed to today where you just have to inform the user about them.

      Again, as long as you don’t actually get the data from the browser it shouldn’t be considered GDPR-data you need to have a plan for.

  5. First of all, I have to applaud this effort to make a platform that is used by all types of users, from advanced programmers to beginners, to comply with a regulation that seeks to preserve everyone’s privacy.

    It could have been left in plugins’ territory, but I think this was the best decision, to have an application prepared to respect the GDPR from the moment it is installed.

    Thanks for the review.

  6. I am curious as to how websites admins will deal with the whole privacy issue.

    For each site I own/run and the sites from other people that I help run…

    I have the theme and plugins running on those sites. Most of those sites display tweets, facebook and instagram on the sidebar.

    What about the “log in with…facebook/twitter/G+/etc…” sites?

    A lot of the sites have 20-ish plugins. Looking at the privacy policies of all those plugins will be take a while.

    • Well, we have to at least create a privacy policy and because we save data submitted to us through the Jetpack Contact form module, we need to add that to the policy. Then there’s all the plugins we use, like Google Analytics. Guess I have some work to do like so many others.

    • As long as WP Tavern targets EU/EEA citizens, which they do, they will have to comply regardless of where in the world the website and it’s contributors are based.

      WP Tavern covers European WordPress news and WordCamp EU, which means there is at least partial EU/EEA targeting. The only way around it would be completely removing Europe from the site.

    • It is required to as long as its readers are from (and in) Europe. This is probably the biggest misunderstanding of the whole GDPR: entities outside of Europe thinking that they’re “safe”.

      As long as there is a remote chance that your site is going to be visited by people in Europe, your site has to be GDPR-compliant.

      • “…As long as there is a remote chance that your site is going to be visited by people in Europe, your site has to be GDPR-compliant…”
        You don’t travel to another man’s country with your own country law. The moment you crossed the border, your country’s law is no longer admissible. So it is when you forgo the sites that operates in your country, following your country’s standard to visit a site that is hosted elsewhere, owned by a citizen of another country, that does not reside in your country.

        My question is; does the internet belong to EU?

      • @UgoChukwu

        It’s understandable why it’s confusing how the EU can enforce laws on behalf of its own residents beyond its own territories.

        The EU has now effectively created a global standard through the GDPR that other countries want to abide because that is the cost of doing business with EU citizens. It can be enforced through a number of means.

        First of all, it’s not true that national laws stop being applicable to foreigners or foreign businesses simply because they operate outside the border. If a foreign actor defrauds a citizen of a country, it is committing crimes according to the laws of that country. That countries’ authorities or government can pursue the matter in a number of ways. Countries typically cooperate to hold those committing offenses to justice and set up mechanisms to enforce agreements. This mostly set out in international law. The EU is a huge market and has countless agreements with other countries that facilitate this kind of reciprocity.

        Privacy and strong data protection standards should be basic rights afforded to everyone. It should not be okay for any business to exploit data of people for commercial or to store data without proper safeguards. Misuse of data has made the web and the world a worse place. Don’t you agree?

        If you do agree, how would you go about creating better safeguards and ensuring that rights are enforced and protected?

      • I don’t believe a small town USA barbershop really cares that the EU wants them to do this or that on their website since they are providing haircuts to local Americans mostly. After all Europeans aren’t going to fly over the pond to get a haircut or make an appointment on their website.

  7. Yes, GDPR is to be regarded if the website can be accessed in the EU. So even if an arctic experiment group had a website that can be reached from the EU, and that website collects personal data in any way, the website must be GDPR compliant. Period. Not so easy to achieve nowadays as even if you have a just plain HTML website, most probably you still use an analytic solution…

    Again as a user i am really happy about GDPR, but there might be some interesting scenarios… what about someone typing in a fake email address upon registration which happens to be the address of some else’s email, etc?

      • “Good luck enforcing that.”

        ^ Yep.

        Protecting privacy is a good idea but in practicality GDPR enforcement will be limited almost entirely to companies with a physical presence inside the EU. The EU simply does not have authority in non-EU countries. And no, as much as some people glow over the idea, the US government is not going to force European law on its citizens. Foreigners have no representation or vote on the matter, do they?

        Compliance outside of the EU will only be accomplished by fear-mongering (which clearly is working very well so far) and indirectly by major corporations requiring something resembling GDPR-compliance from users of their services (Google Analytics, AdSense, etc.?).

        Remember how [extremely not] well VAT MOSS went outside of the EU? There was the same demand for compliance and the same fear tactics. But virtually nobody outside of the EU cares anymore. GDPR is more noble, but the legal mechanics are not any stronger. Nice intentions though. It probably will clean things up a bit, but it will be far from universal outside of the EU, because it is EU law and that is all.

      • Good luck enforcing that.

        You have completely missed the point. The EU doesn’t need to enforce the GDPR worldwide in order to reach those outside the EU.

        What will happen is this. Organizations with a presence in the EU (and many others doing business with persons in the EU) will adopt polices that comply with the GDPR. This will mean that they will, among other things, contractually require that anyone providing services to them will also have to comply with the GDPR. If those service providers have any sense, they will also include such contractual terms with anyone from whom they obtain services. And so on …

        That’s the EU’s objective achieved. It won’t need to go beyond enforcement against those with a presence in Europe because enforcement outside the EU will, ironically, be done by those found in breach of the GDPR. This is because any such organization will then seek to recoup any fine it pays by pursuing compensation via a claim for breach of contract against any of its service providers who failed to comply with the contractual provision that demanded compliance.

      • @Tim

        Again, good luck with that. Do you honestly think ANY big company is going to just roll over and pay up if found in violation?

        Of course not. They will go through a very lengthy legal battle that will take YEARS and could find the EU on the losing end. Google or Facebook? That’s the only question now. Either will fight it to the bitter end.

        When the EU loses that fight the GDPR will be dead. Period.

        While we don’t have EU clients at this moment, when the day comes that we do (and it will), I have no intention of giving a rat’s ass about what the EU thinks. Come and get me all the way here in Canada. Pffffftttttt…..

      • Bob,

        Who cares about you? The EU certainly doesn’t.

        All you are really saying is that GDPR won’t be followed 100% by 100% of those to whom it applies. Newsflash: that’s true of every law. The GDPR is no different, and the EU doesn’t expect it to be.

        And who said anything about big companies lying down if found in violation? The EU has dealt with Microsoft and Google (among others) before. It knows what to expect and how to win such cases if necessary.

        Perhaps you should check out the results of past EU litigation against such companies before predicting the EU will lose. Just ask Microsoft and Google how that has worked out in the past.

        More importantly, however, the fact that the EU has won such cases before — and obtained huge monetary judgments — means that big companies know very well that the EU has a track record of following through on such things. They know that non-compliance with the GDPR will be expensive in terms of time, money, and other resources. So, for some time, they have been taking steps both to comply and to make sure that others from whom they obtain services also comply.

        So the EU will get its way. In fact, the only real question here is not whether the GDPR will survive, but whether other nations or groups of nations follow suit and, if they do, whether they will go even further.

    • Peter, it is my understanding that GDPR applies if you business/site is based un the EU, or if your business/site is in any Country that may have EU visitors, or if an EU citizen is visiting any country that has access to your business/site, or if you have Employees that are EU citizens (e.g. EVERYONE)

      Is that correct?

    • I for one am very disappointed in GDPR. For one, the penalties are impossible for anybody to comply are very excessive and second, what if you can’t pay? What happens then? And last, but not least, if they can do this, what other regulations are coming that the rest of the world has to comply with?

  8. The whole, “everyone globally must comply” if your site has the potential for EU citizens visiting it is downright silly. There’s no jurisdiction or enforcement mechanism for this outside the EU, Tim’s hypothetical scenario above notwithstanding. Just watch. It’ll be the same as the whole “every sale to an EU citizen must include VAT” scare that went down a few years back. No enforcement mechanism means no VAT is collected from the US organizations unless they have an actual EU presence. Go figure.

    That said, if your organization does have a physical presence in the EU, or does a significant amount of work for hire for EU companies, then compliance isn’t really optional.

    Personally I find this whole thing ironic because in order to prove that our organization is in compliance with this “privacy” law we now need to collect and store more personally identifiable information than we did before. Without it we cannot prove that an individual requested to hear from us, should we ever be challenged. So in our case the law is pretty much doing the opposite of what it purports to do. Go figure.

  9. Jeff, I played with the WP 4.9.6 RC1 today, and I discovered that these privacy tools, can damage your SEO, unless I’m missing something.

    So here are my findings. When a person’s data get’s erased by the core’s personal data eraser Tool, the username used in the comments section gets renamed to Anonymous, (which I’m guessing the hacking group with that name will be ecstatic), and there is a link on all the Anonymous commentators, that point to https://site.invalid, which unless Google ignores this, will result with a number of broken links, if he has a number of comments. Am I wrong in assuming that Google will dearly punish you when this happens (having a bunch of broken links on your website)?

    • Update: They just released RC2 and the https://site.invalid is still there ! If they must place a link on the Anonymous commentor, they could at least point it to the homepage.

      Again, if you erase somebody’s personal data, you will end up with a bunch of broken links – bad for SEO – and now they have 1 day to fix this, which is incredible that out of the hundreds of core developers, nobody saw this before.

      • What if it would link to special WP page containing a translatable message, explaining that the author of the comment has most probably let their personal data removed. That way the link would not be a broken one but even the public could find out why they do not get the content they were looking for? Or maybe just remove the link completely and display a mouseover text.

  10. It’s sad to see that it’s becoming more and more complicated to see another “Google 2”, or “Facebook 2”, etc.

    Remember that these were created in a university dorm, or in a garage with little resources and obviously no lawyers involved (at the beginning).

    I’m curious about the next gen of people trying to make a new-innovative project maybe they’ll just abandon it as it’s impossible for someone with little resources (and by resources I mean money to pay attorneys and to be law abiding in their pages) to be 100% compliant.

    Even for the big companies I doubt they’ll be 100% in compliance with the GDPR, but at least they have the money to appeal and to litigate. Small website owners don’t.

    It’s sad for me (and paradojic) that the increasing in privacy requirements worldwide means more power for the big companies, the ones that have the resources (once again, for resources I’m talking about MONEY) to create.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: