What is GDPR
If your website has visitors from European Union countries, then this law applies to you.
The goal of GDPR is to protect user’s personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.
The personal data includes: name, emails, physical address, IP address, health information, income, etc.
Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyways).
For it to be considered explicit consent, you must require a positive opt-in (i.e no pre-ticked checkbox), contain clear wording (no legalese), and be separate from other terms & conditions.
Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted.
This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure).
Breach Notification – organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.
Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.
To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete user’s account and unsubscribe them from email lists if the user ask you to do that. Businesses have to report data breaches and overall be better about data protection.
How is WP GDPR Compliant
By default, WordPress used to store the commenters name, email and website as a cookie on the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.
Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.
Data Export and Erase Feature
WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor user’s request for exporting personal data as well as removal of user’s personal data.
The data handling features can be found under the Tools menu inside WordPress admin.
These three things are enough to make a default WordPress blog GDPR compliant. However it is very likely that your website has additional features that will also need to be in compliance.
Areas on Your Website that are Impacted by GDPR
As a website owner, you might be using various WordPress plugins that store or process data like contact forms, analytics, email marketing, online store, membership sites, etc.
Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.
A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features.
Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:
Anonymize the data before storage and processing begins
Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking
Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.
They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read, if you’re using Google Analytics on your site).
The add-on is part of the paid plugin, 199/1, 499/5, 899/25 for $4,076/toal at 25 ($163/each)
How to do if they don’t want or have? The premium plugin offers the ability to either anonymize the data or to enable Consent Box Integrations. WPBeginner article doesn’t say how to solve without MI.
As part of our service, we could do data export/delete.
If you are using a contact form in WordPress, then you may have to add extra transparency measures especially if you’re storing the form entries or using the data for marketing purposes.
Below are the things you might want to consider for making your WordPress forms GDPR compliant:
- Get explicit consent from users to store their information.
- Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
- Disable cookies, user-agent, and IP tracking for forms.
- Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
- Comply with data-deletion requests.
- Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.
The good part is that if you’re using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc, then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.
Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.
The article says WP Forms has GDPR options, we need to also look to Gravity, CF7 and Ninja.
The easiest way to comply would be to add a required checkbox to any forms that need to be compliant. Adding a simple checkbox field that states something along the lines of “I consent to my submitted data being collected and stored” will usually do the trick.
Be sure to make it a required field, and the first part is done. This way, you’ll know that every submission is compliant because without providing consent, the submission would not complete.
As of Gravity Forms 2.4, a new field named Consent is available to use for this purpose. See the article on the Consent Field for more information.
If you are also using a feed based add-on with your form, such as MailChimp, you can configure conditional logic on the feed so it will only be processed if the user has checked a checkbox field. See the Conditional List Subscriptions article for more details.
Part of GDPR compliance also requires that users are able to request access to their data at any time. WordPress has added the WordPress Export Personal Data and Erase Personal Data tools. As of Gravity Forms 2.4, a new Personal Data tab has been added to the Form Settings to provide integration with these tools. See the article Personal Data Settings for more details.
Gravity also had faq on hiding IP, no storing data, data retention.
Email Marketing Opt-in Forms
Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.
This can be done with either:
- Adding a checkbox that user has to click before opt-in
- Simply requiring double-optin to your email list
Top lead-generation solutions like OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about the GDPR strategies for marketers on the OptinMonster blog.
We should look into MailChimp, iContact and Constant Contact, others?
Pop-up manager, split test, integrates with newsletters. They have 20% affiliate commission or we could resell 10/$49 and resell $29/pro for $200/10 or $20/each.
We’d probably need to charge a setup/management fee component. $99-$499 setup quoted?
Seems like a whole offering in itself.
WooCommerce / Ecommerce
If you’re using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with GDPR.
The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.
Woo has a whole guide, https://woocommerce.com/gdpr/
Specific steps if so.
If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cookie Notice
WP Security Audit Log
ss-admin/wp-security-audit-log-gdpr-toolkit/ – Guide
Under GDPR, organisations collecting and processing data, whether that is the largest corporation or a one-man-band business, must ensure they create and document technical and security measures. A key aspect of this is monitoring and logging for security issues and attacks.
Tools like WP Security Audit Log can do this job for you.
The plugin logs the changes made by internal users to both content (including posts, pages, tags, categories, custom post types, comments, widgets, and menus), and functionality (user accounts, plugins, themes, databases, and universal settings.) If you use WooCommerce, BBPress, or Paid Membership Pro, the plugin also logs events and changes related to these services.
WP Security Audit Log also monitors for external threats such as hack attempts, automated vulnerability scans, brute force attacks, and new user creations outside defined working hours.
These events are logged in three categories of severity: Notice, Warning, and High. It’s easy to see how these categories span everything from harmless user actions which should nevertheless be logged all the way to active threats. You can configure email alerts for these actions; you may, for example, wish to be immediately alerted to High warnings such as a user deactivating a plugin. Here is a full list of actions which will be recorded by the plugin.
Preparing for data breaches
GDPR requires site administrators to prepare for data breaches, and to take preventive security measures to prevent them from taking place. A data breach does not just mean data which leaks to the outside; it can mean, for example, data being visible to staff members without the appropriate authorisation, or equally, the company giving excessive access to data that an employee does not explicitly require to see.
The sad truth about most data breaches is that not only are they preventable, they happen internally. Sometimes they are accidental, such as an employee using an insecure WiFi connection to access corporate data. Sometimes it is down to carelessness, for example, an intern’s login is left active after they leave the company. And sometimes, as we know, it is malicious: a disgruntled employee leaks data or disables a plugin.
In the event of a data breach, the WP Security Audit Log plugin will help you identify who was using the site at the exact time that a breach took place. It will also show you the IP address they were logged in from. This information will help to inform any internal investigation you do, and can also provide vital clues as to whether a breach was accidental, careless, or malicious. That WordPress audit log data will also provide the information that a regulator (such as the ICO) would require as part of their own inquiry; having that data to hand will show that you are serious about putting things right.
25 Site license is $399 or $16/each retails for $99 or $83/each or $2,076/total at 25.
Reseller Program / Package
Ok, what do we need? Short and long term.
I love the idea of starting to set up componentized offering packages, a nested group of content, affiliate/resources and services to implement/monitor those systems.
Subscriber / Guest pricing?
How to enable Ross/agencies to resell? White label?
So for GDPR, it would reside at www.wpcrank.com/GDPR which would be either a single page or collection of pages with overview/guide/strategy content, links to various resources, and the listing of our services options and the ability to order them along with maintenance packages perhaps. We’d also want a one-pager to circulate which has the overview information and focuses on driving traffic to the URL and can be easily circulated and decimated to decision makers.
What about resellers? Is Ross going to be content to send traffic to WP Crank site? He does now I suppose. How does this look for Ross and how replicable would it be. The big question is how does he upsell, or would be happy with general commission?
What do the numbers likely look like? I’m guessing he might charge ~$1k and I’d be more like $299-$499, 10% commission would be $29-$49 for him, not exciting compared to $500-700 and he’d probably sell them.
If they bought add-ons though, those would be $199/MonsterInsights, $99/Security Audit, $240/Geotargeting would add $439/yr which is $43.90/yr commission. That pretty much erodes our take on those. Maybe no commission on resold services? Maybe we need to add management fee in cases which would be commisssionable?
So we could do a FM specific one-pager, but what if they see our site later saying half the price? Do we dare make partner branded mini-site(s) for them to more easily sell? We made the highest FM price a real price on the site (in theory), maybe we just have some ambiguity based on complexity analysis, so the price we list is more like $99-$299-$499-$999. Maybe we do free review and report?
What if we just gave him some content to put at his own GDPR? Billing would need to show WP Crank, I think/thank for commissions. So it would just be an ordering form. We could probably whip up an API that could feed content, service info, have in there its a partnership with WP Crank and signing up goes into our system.
Or, he just gets them and its one-off, recommendations only plus one-time installation/set up fees.
So, he can use our site and take the 10% when applicable, or, he can do his own and add mark-up / value-added.
Optinmonster is doing it. Have a way to only add intrusive elements to EU visitors.
https://geotargetingwp.com – is very interesting Geolocating service+plugins. Can target built-in WordPress functionality such as menus, pages/posts and widgets, add redirects based on location, etc. It connects via an API for a lookup service and caches results. We can buy in bulk but they provide no domain-level reporting. They also include local database we can download too.
Our Product Offering
$99/review and report?
The following third-party plugins can help with GDPR compliance, they also have integrations for Gravity Forms:
- WP GDPR by Appsaloon
- WP GDPR Compliance by Van Ons
- The GDPR Framework by Codelight
- Gravity Forms Privacy AddOn by Tela
- Double Opt In for Gravity Forms by Albert Brückmann
Table of Contents
- WordPress Security
- WordPress Speed
- WordPress Support
- WordPress Backups
- Web Hosting / Servers
- Custom WordPress Development
- WordPress Maintenance
- Search Engine Optimization
- Converting / Lead Capture
- Domain Name System (DNS)
- Misc Settings