WordPress


A place for nonprofit WordPress developers and content managers of all skill levels. The WordPress group is an engaged network of WordPress developers and content managers, for all skill levels, by WordPress users for WordPress users, to encourage the usage of and advocate for WordPress.

Our goal: to support nonprofit organizations using (or interested in using) WordPress. Additionally, this is a safe and friendly place for beginning WordPress developers and users to ask questions and connect to like-minded people.

GDPR Support in WordPress & Across the NTEN Community

  • 1.  GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 07, 2018 16:46
    If you're still wrapping your head around the new GDPRified world (I sure am!), both WordPress and NTEN have been helping provide awesome features and information toward becoming compliant (or just improving your privacy policies in general!). I thought it might be helpful to share some good links.

    First off, WordPress 4.9.6 added tools for exporting user data, deleting user data, and creating a Privacy Policy page. WP Tavern posted a good overview of the release along with a preview of each feature.

    And across NTEN, there have been so many great posts and conversations about GDPR. If you missed any of these, take a moment to browse and respond or comment:

    So thanks to everyone who has shared their knowledge so far, and I look forward to learning even more from the amazing NTEN community.

    Since this is the WordPress forum, has anyone set up a new Privacy Policy with the new template in WordPress 4.9.6? What about anyone who has had a person request an export or deletion of their data? Let us know how these web-wide changes are impacting your sites!

    ------------------------------
    Mark Root-Wiley

    MRW Web Design / MRWweb.com / @MRWweb
    Thoughtful WordPress Website for Nonprofits & Mission-Driven Organizations
    Seattle, WA
    ------------------------------


  • 2.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 08, 2018 13:03
    We used the privacy policy generator as a start for our policy. We did a lot of editing and customization based on our plugins, policies, and site activities. I'm sure it's still not perfect but it's better than what we had. I appreciated the guide from WP. While working on it I also had many different site policies open as references and ideas of what I needed to consider. It was also a great education for me in understanding what cookies and such were on our site and how to audit them.

    PS if anyone has suggestions or critiques I'm open to hearing them.

    ------------------------------
    Kai Williams
    Executive Director
    The IWRC
    Eugene, OR
    ------------------------------



  • 3.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 11, 2018 17:31
    Nice job and thanks for sharing, @Kai Williams! Given how much information you need to include, that seems well-organized.

    Like you, I've been impressed by the sheer number of data-related things that even "simple" sites have since looking at the Privacy Policy generator. I noticed that within about a week of its release, a lot of the major plugins like Akismet and BackupBuddy have already started adding their own information to the Privacy Policy helper. Unfortunately, Jetpack has their own tool that's separate for now.

    Anyone else wrestling with their privacy policies this week or have questions before making one?

    ------------------------------
    Mark Root-Wiley

    MRW Web Design / MRWweb.com / @MRWweb
    Thoughtful WordPress Website for Nonprofits & Mission-Driven Organizations
    Seattle, WA
    ------------------------------



  • 4.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 12, 2018 05:36
    Biggest problem I've had is identifying which plugins and third party tools set their own cookies. I can look up what cookies are in use, but tracing them back to a specific plugin is tricky. It gets even trickier when the client wants users to opt in to their own choice of cookies.

    It doesn't help when twenty organizations all descend on me in the same week, in an unnecessary panic, asking for advice that I'm not qualified to give.

    ------------------------------
    Jason King
    Freelance WordPress development and Google Ad Grant management
    Mirepoix, France

    www.kingjason.co.uk

    Twitter: @jasoncsking
    ------------------------------



  • 5.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 13, 2018 11:54
    Edited by Heather Gardner-Madras Jun 13, 2018 11:57

    Hi,
    I have also been challenged by the cookies issue. Especially this idea that you need to ask permission before ever setting one (which is what I read, please correct me if that's not true).

    I think the cookie notice on this page is the most comprehensive I have seen yet and plan to dig in and see what they did here: https://elegantmarketplace.com/privacy-policy/



    EDIT: I should have clicked further before writing this - they use a cookie finding service - https://www.cookiebot.com/en/


    My current plan is to do a pop-up, but not this extensive, with instructions for users to modify cookies in their browser controls. I have seen that done quite a bit but don't know if it is truly in compliance. What are others doing for this?


    Thanks for this thread - both the information and commiseration are appreciated :)

    heather



    ------------------------------
    heather gardner-madras
    gardner-madras | strategic creative
    ------------------------------



  • 6.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 13, 2018 15:02
    We're advising a different approach, that asks for permission based on functional categories, rather than a full listing of each cookie.

    Categorize your cookies into the following groups:
    • Essential for the functioning of the site, but that don't collect personal data
      - No option to turn off, but inform users that these are necessary and don't collect personal data
    • Cookies for analytics
      - Explain to users why you want to collect this information (to improve site performance and quality of content) but provide an on/off option
    • Cookies for user preferences
      - Explain to users how these cookies benefit them and what they will lose if they turn this off, but provide on/off
    • Cookies for marketing
      - Explain to users why these are meaningful (provide revenue to support your charitable activities, help show goods/services you might be interested in, turning these off won't change the quantity of ads, just how relevant they will be), provide on/off


    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 7.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 14, 2018 11:24
    Possibly a dumb question that has already been addressed, but how do we find out if our website is using cookies? I definitely haven't intentionally set this up, but it sounds like they could be running anyway.

    ------------------------------
    Melissa Amarello
    Advocates for Snake Preservation
    Silver City, New Mexico, USA
    https://www.snakes.ngo/
    ------------------------------



  • 8.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 14, 2018 12:07
    Pretty much all websites are collecting cookies to keep track of basic session data and identify repeat visitors. GDPR doesn't forbid the use of cookies, even for storing personal information. What it does is require you to get explicit consent to store personal information before you do it. If you're not storing personal data in cookies, you have nothing to worry about.

    That said, it's very important to write a privacy policy that states exactly what you're doing, and how you share (or don't share) information you collect. WordPress included a very good sample privacy policy in a recent release. I suggest leaning on it heavily if you don't have a privacy policy already.

    One of the things that gets missed in a lot of GDPR discussions is the notion of "legitimate interest basis." This comes into play specifically if you're doing any e-commerce on your site. If you're doing business with customers, you have a legitimate reason to collect personal information, such as a billing address and an email address to send an order confirmation. By extension, your credit card processing contractor has the legitimate interest to accept a credit card number. Likewise if you're selling memberships or subscriptions, you have legitimate interest to contact a customer to remind them to renew. This is common sense, but it's important.

    Equally as important as compliance with GDPR is demonstrating compliance. That's why it's good to have a privacy policy documenting what you do (or don't do) with personal information you collect. You should also have a formal written policy (not on your website) that covers who in your office has access to – and for what purpose they have access to – personal data. (This can be as simple and common-sense as reminding your staff who processes WooCommerce orders via the WordPress admin to not leave an order up on screen and go to lunch.)

    And last but not least, consider anonymizing IP addresses in your Google Analytics reports. An IP address may be used to infer a specific individual or household, and is considered personal information under GDPR. If you're not using Google Analytics to specifically target fine-grain geographical locations of your site visitors, turn on anonymization.

    In the end, the EU probably isn't going to come after us for GDPR violations. They'll use it to slap the next company that has a huge, multimillion-user security breach.

    ------------------------------
    Dale Bengston
    Webmaster
    The American Association of Immunologists
    Rockville, MD
    ------------------------------
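    The consent-by-category scheme Isaac lays out in reply 6, Melissa's question in reply 7 about finding out which cookies a site sets, and Dale's IP-anonymization advice above can be tied together in a small browser-side consent helper. The block below is an added example written for this thread, not code from any poster or from any plugin named here; the cookie name patterns are illustrative assumptions and would need to be mapped to whatever your own plugins actually set.

```javascript
// Added example (not from the thread or any plugin named in it). Patterns are
// illustrative assumptions; map them to the cookies your own plugins set.
const CATEGORY_RULES = [
  { re: /^(wordpress_logged_in_|wordpress_sec_|PHPSESSID$)/, category: "essential" },
  { re: /^wp-settings-/, category: "preferences" },
  { re: /^(_ga|_gid)/, category: "analytics" },
  { re: /^_fbp$/, category: "marketing" },
];
const CATEGORIES = ["essential", "analytics", "preferences", "marketing"];

// Parse a Cookie header or document.cookie string ("a=1; b=2") into pairs.
function parseCookies(cookieString) {
  return cookieString.split(";").map(s => s.trim()).filter(Boolean).map(pair => {
    const i = pair.indexOf("=");
    return i < 0 ? { name: pair, value: "" }
                 : { name: pair.slice(0, i), value: pair.slice(i + 1) };
  });
}

function categorize(name) {
  const rule = CATEGORY_RULES.find(r => r.re.test(name));
  return rule ? rule.category : "unknown";
}

// Essential cookies never need consent; every other category is denied
// unless the stored consent record explicitly opts it in (default deny).
function consentAllows(consent, category) {
  if (category === "essential") return true;
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Group cookie names by category; "unknown" is the list to trace to a plugin.
function auditCookies(cookieString) {
  const groups = Object.fromEntries([...CATEGORIES, "unknown"].map(c => [c, []]));
  for (const { name } of parseCookies(cookieString)) groups[categorize(name)].push(name);
  return groups;
}

// Cookies in categories the visitor has not opted into; a consent-change handler
// would expire these and stop loading the scripts that set them. Unknown cookies
// are left alone until someone classifies them.
function cookiesToPurge(cookieString, consent) {
  return parseCookies(cookieString).map(c => c.name)
    .filter(n => categorize(n) !== "unknown" && !consentAllows(consent, categorize(n)));
}

// gtag.js config to apply only once analytics is consented; anonymize_ip is
// the gtag setting that truncates the visitor's IP before it is stored.
function analyticsConfig(consent) {
  return consentAllows(consent, "analytics") ? { anonymize_ip: true } : null;
}
```

    Note that `document.cookie` only exposes cookies without the HttpOnly flag, so an audit from the browser side should be paired with a look at the Set-Cookie headers in the browser's network tools.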



  • 9.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 15, 2018 14:29
    Dale, I agree with you 100%

    In fact, the more we've done this compliance work and talked with colleagues and other experts, the less we're willing to rely on consent as a basis for compliance. It's just a really fragile legal basis. Consent is hard to acquire because of unbundling and plain language requirements. It has to be narrowly tailored, so you might have to go back later for more consent. Sometimes you might ask for consent for specific pieces of data, but not have explicit consent for what you do with that data when you combine it and view it in context. And consent can be withdrawn, which creates time-based obligations on your organization, without warning.

    Whenever there's an opportunity to use a basis other than consent, that's what we advise our clients to do. Legitimate interests is a much better basis, and allows an organization to construct a policy framework and not be subject to people misunderstanding or changing their minds about data. It's simply a more manageable and administrable approach.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 10.  RE: GDPR Support in WordPress & Across the NTEN Community

    Posted Jun 14, 2018 12:48
    We used a similar tack to what Isaac suggests, using the WP plugin GDPR Cookie Compliance to help us with the permissions. It allows us to place our various cookies in three piles - Strictly Necessary, 3rd Party, and Additional Cookies. Of course we still needed to first find the cookies and then link them to the plugin so they turn on or off correctly.
    Kai

    ------------------------------
    Kai Williams
    Executive Director
    The IWRC
    Eugene, OR
    ------------------------------