GDPR – Codeable

4 Lesser-Known Activities To Make Your WordPress Site GDPR-Compliant
https://www.codeable.io/blog/gdpr-guide-privacy-policy-icons-third-party-scripts/
Tue, 03 Apr 2018 05:04:17 +0000

The post 4 Lesser-Known Activities To Make Your WordPress Site GDPR-Compliant appeared first on Codeable.

GDPR, the new EU regulation, has come into effect, and with it the requirement to build in a considerable number of changes.

This new EU regulation, although primarily focused on technical aspects having to do with data collection, processing, and data storage, requires other important activities to be addressed.

Specifically, GDPR demands your attention on several areas and activities that have little to do with what you are directly required to develop in order to comply, and more to do with the third-party tools you’re using and with areas closer to UX concerns.

So what are these 4 lesser-known yet key activities you need to take care of?

1. Discuss the situation with third-party service providers

As GDPR is all about data and privacy, first and foremost you’ll need to understand how every service provider you work with that manages user data is going to approach GDPR. In particular, ask them what they have done toward GDPR compliance.

If you have some technical background and a good understanding of GDPR, you might want to jump on a one-to-one call with their developers, walk through their plugin or tool with them, and just ask. If you’re not comfortable doing that, you can hire a developer to do it on your behalf and report back to you. WordPress developer and Codeable expert Robin Scott explains how to go about it:

As part of this call, I’d suggest asking the developer of that tool, or the company behind that tool, something along the lines of: ‘We think your tool or this task within your tool is against GDPR. What measures did you take?’ It could be the case that they might satisfy you by saying: ‘Well, actually here’s the opt-in, it shows up on the screen just before checkout. If people opt in, we store their data. If they say no, we turn it off.’

That’s an important aspect you need to be aware of because, as a business using that tool or service, you need to disclose it in your privacy policy (see below) and, of course, know to what extent third-party tools or services handle your user data.

Third-party providers you want to engage with about GDPR compliance:

  • Hosting
  • Third-party script providers
  • Shipping handlers and partners
  • Plugin developers collecting and storing user data you currently use (or plan to use)
  • Emailing service providers

2. Refresh your privacy policy and privacy notices

Given how broad the scope of GDPR is for a website or online store, a major revision of your current documentation around user data and privacy is also required. As Chapter #3, Art. 12 dictates, you should convey all of the information pertaining to how you handle and process user data in a way that’s:

  1. In clear and plain language
  2. Easily accessible
  3. Concise
  4. Transparent
  5. Intelligible
  6. Free of charge

That means, of course, your privacy policy and privacy notices might need to be revised to reflect these requirements.

Here’s a good example provided by the ICO:

Example of a GDPR-compliant Privacy policy

3. Use consistent icons (and wait until standard icons are being implemented)

Explicit consent to obtain personal information is the cornerstone of GDPR, although not the only lawful basis you could use. Any website or store – yours as well – collecting personal data and information will have to carry icons that help your users understand in detail what consent they’re about to give. Robin explains:

It’s very specific in the GDPR: icons should be consistent. And what the creators of GDPR mean by this is they would like to see a global standard coming up for icons related to personal data. There is nothing in place yet but I think quite quickly we’ll start to see it springing up because they want to create a standard.

To give you a better idea of the privacy icons you should expect to see under GDPR, here’s an academic project from Aza Raskin of Mozilla, who developed privacy icons inspired by Creative Commons that seem to simplify privacy policies.

Privacy icons Raskin

Once the new standard for privacy icons is adopted, you’ll need to use the icons consistently on your forms, checkout pages, privacy policy and privacy notices, and anywhere your users’ personal data is required.

The benefits of standard icons

Once people start getting accustomed to seeing a new set of icons for their privacy concerns, that is the right time to have a UX specialist and a designer adapt these icons and place them on your website or store, so that users recognize them and are at ease with the change. Robin pitches in:

Visitors to your website will start to get used to them. They’ll start to say: ‘Okay, this is a consent about how my data is being used.’ They will either pay attention to it, or they’ll blindly tick the box because they’re already used to it.

4. Embrace the trial and error approach until clearer guidelines are available

All the changes that accompany the new EU regulation are not going to be immediate. They will be implemented slowly, and website owners, store managers, and developers themselves will have to decide which ones are the most imperative to deploy first and which ones can be implemented afterward.

Since the EU hasn’t provided clear, factual guidelines that businesses can refer to in a standard way, many aspects covered by GDPR will require a different approach on your part, where temporary uncertainty and trial-and-error workflows for implementing the new requirements might drive your choices for a while.

As a result, you should keep informed about the latest news and use cases around GDPR, but also be ready to act fast on what you need to do to make your WordPress website or WooCommerce store GDPR-compliant.

Wrapping up

GDPR is an important piece of legislation that shook up a lot of what the market knew and used to do in its day-to-day flow of transactions, communications, data gathering, and so on.

The earlier you start preparing your business for GDPR, whether it is a WordPress website or a WooCommerce store, the smaller the impact of this earthquake on it will be.


This blog post features Robin Scott, an experienced WordPress developer who’s also one of the founders of Silicon Dales, an agency focused on WordPress, WooCommerce, and a variety of other services. Robin has specialized in several areas such as Custom Plugins, Gravity Forms, Hosting Transfer, Maintenance, and WooCommerce Extensions, just to name a few.

Understanding GDPR And WordPress: Your Guide To Customer Data, Forms, Abandoned Carts, & Email Opt-Ins
https://www.codeable.io/blog/gdpr-wordpress-guide-data-forms-abandoned-carts-email-optin/
Tue, 27 Mar 2018 05:03:29 +0000

The post Understanding GDPR And WordPress: Your Guide To Customer Data, Forms, Abandoned Carts, & Email Opt-Ins appeared first on Codeable.

The General Data Protection Regulation has been in force since May 2018. As business owners scramble to learn more about the domains it covers and the implications it brings along, there is still a lot to be discovered in terms of the exact application of the regulation.

One critical area, though, has to do with how you collect email addresses and how you use them. These questions are strictly related to all the types of forms you have on your website or WooCommerce store and to how much you know about your users.

Email addresses, forms, user profiling, abandoned carts, checkout pages. How do you need to change them to comply with GDPR?

Let’s dive in!

For more detailed information about GDPR, we published these additional blog posts you might want to check: 4 Lesser-Known Activities You Need To Take Care Of Before GDPR Comes Into Effect and What GDPR Means For Your WordPress And WooCommerce Business – A Starter Guide On What’s Important To Know And Do First

The basic element is (explicit) consent

The new law has been specifically designed to ensure the protection of consumers’ data privacy and, as a result, it gives them a new range of powers to control the ways in which their data can be collected and used by websites.

In this regard, GDPR changes what used to be the routine practice of collecting as much data about a user as possible for marketing purposes.

In other words, profiling users under GDPR will change.

GDPR regulations pertaining to profiling for marketing purposes

Let’s start with the definition of profiling, which is discussed under the “Rights of the data subject” section Chapter #3; Art. 12, but it’s better presented in Recital #71:

What’s profiling under GDPR?

Profiling […] consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

Profiling has always been seen as a standard procedure for website and store owners, but now that GDPR is in effect, users will need to be informed about the processing of their data and how to exercise their rights.

WordPress forms and customer data collection under GDPR

A great portion of user data is collected through forms: contact pages, checkout pages, forms to request information or a quote, landing pages to download a free resource. Usually, it’s on such forms that we ask for more than we actually need to proceed.

A common example is featuring a field on our form asking for some kind of information that is not strictly relevant right now but we assume it will be in the future. This is not acceptable under the GDPR, as Robin explains:

If you’ve got an element in your data capture form or checkout page that you’re thinking ‘I don’t need it but I might use it in the future,’ well, if you haven’t obtained consent for that future usage, technically speaking, you shouldn’t then use it for profiling, which means basically you’ll need to take it out of your form – or get consent to use it for profiling.

Given how important and widely used forms are, let’s see how to set them up, along with some best practices to comply with GDPR.

Examples of how to add an opt-in option to your WordPress forms for GDPR compliance

Before we start, let’s clear the air here: not every form is wrong per se and in need of adjustment. If you’re collecting anonymized data, or you aren’t storing data at all, your form is perfectly GDPR-compliant.

I picked three of the major WordPress form providers to exemplify the process for adding the required opt-in box to your forms:

GDPR-compliant example for Ninja Forms

Ninja Form GDPR

Here’s the official documentation on how to do it. The important thing left is having a clear Privacy Policy page that fully discloses how you collect, store, and process data.

GDPR-compliant example for Gravity Forms

Gravity Form GDPR

Here’s the official documentation on how you can do it.

GDPR-compliant example for Contact Form 7

Contact Form 7 GDPR

Here’s more about Contact Form 7.

Bonus: Advanced Custom Fields

ACF

Here’s how you can do it. Note: the resource linked shows you how to add an age-verification field, but the process is the same for adding the explicit consent opt-in box.

The case for asking for street addresses

Street addresses are a more specific case pertaining to eCommerce or WooCommerce-based websites that require this information during checkout and are dealt with in much the same way as email addresses are under the GDPR. Robin explains:

You can ask for street address eventually for the card validation to occur, depending on the payment service provider you’re using. So the rule still stands: if the transaction wouldn’t work without the street address, hence it’s necessary to collect that user data, then definitely you can. On the other hand, if you don’t strictly need it to process the purchase and payment, just think about not collecting it.

Street addresses are important in digital downloads and online payments because cybercrime and fraud are among the biggest nuisances today, and if a customer is using a stolen card, this can be cross-checked by verifying whether the address provided matches the one on the card. In this regard, then, asking for street addresses is not a problem.

It’s worth mentioning that you don’t need consent to collect personal data which is necessary for the transaction to occur.

The issue with abandoned carts and checkout pages

Sticking to issues related to profiling for marketing, abandoned carts at checkouts fall under the same banner because a number of online retailers capture the customer’s email address as soon as they enter it, even when they don’t complete the respective purchase. Robin elaborately lays this out:

The problem with abandoned carts and abandoned checkout for users who have not purchased from you ever is a big gray area. And when I say gray area, I mean, an interpretation of the GDPR would indicate to me that most abandoned cart practices currently in use are a breach of the requirement for consent. A lot of stores capture the email address before you’ve done anything and then send an email a couple of days later saying: ‘We noticed you have this in the cart. Would you like to check out now?’ How was consent collected there?

The first answer to that crucial question is: they didn’t get any explicit consent from their customer. So, if you’re just silently collecting email addresses from your checkout pages and you’re not getting explicit consent, it’s very likely that this falls outside of the spirit of the GDPR.

So how can you get explicit consent for abandoned checkout pages?

It’s hard to provide a one-size-fits-all solution without knowing your specific use case, but there’s a relatively simple one you can implement to make things clearer to your customers. Specifically, as with other types of forms, your checkout form needs to offer the option to explicitly give permission – a box they can tick to opt in – to store user data. And not only that: in this specific scenario, your form should also explain when the checkout process begins, because it’s from that moment on that you need explicit consent to collect user data. Robin explains:

You can’t just say on your forms: ‘I accept any data usage on this website’ because that won’t cover abandoned carts. You would have to have, for example, something that says: ‘Checkout does not begin unless somebody expressly agrees to the abandoned cart collection’ and put in place custom functionality that triggers if conditions are met. That would be an affirmative agreement. But, and this is important, you still need to allow a checkout if the user did not agree to the abandoned cart procedure. You cannot deny them service based on this.

You should never forget that, under the GDPR, it’s not okay to enable a service if people opted out of it. Silent or soft opt-ins are no longer acceptable for GDPR consent.
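One way to implement the explicit, non-blocking consent Robin describes above, as an added example that is not code from this post, from Codeable or from Silicon Dales. It assumes WooCommerce 3.x or later (the hooks and helpers named in the comments); the AJAX action name, meta keys and consent wording are hypothetical choices made here.

```php
<?php
/**
 * Added example: an explicit, unticked abandoned-cart consent checkbox on the
 * WooCommerce checkout. Nothing is captured for a reminder e-mail unless the
 * customer ticks the box, and an unticked box never prevents the purchase.
 *
 * Assumptions: WooCommerce 3.x+ (woocommerce_review_order_before_submit,
 * woocommerce_checkout_create_order, woocommerce_after_checkout_form,
 * woocommerce_checkout_order_processed, woocommerce_form_field(), wc_enqueue_js(),
 * WC()->session). The action 'abandoned_cart_capture', the meta keys and the
 * label text are hypothetical names chosen for this example.
 */

const ABANDONED_CART_CONSENT_FIELD = 'abandoned_cart_consent';
const ABANDONED_CART_CONSENT_TEXT  = 'If I leave without completing this order, e-mail me a reminder about the items in my basket (optional).';

// 1. Ask on the checkout itself, in plain words, with the box unticked by default
//    (Recital 32: pre-ticked boxes do not constitute consent).
add_action( 'woocommerce_review_order_before_submit', function () {
	woocommerce_form_field( ABANDONED_CART_CONSENT_FIELD, array(
		'type'     => 'checkbox',
		'class'    => array( 'form-row-wide' ),
		'label'    => ABANDONED_CART_CONSENT_TEXT,
		'required' => false, // declining must never block the order
	), WC()->checkout()->get_value( ABANDONED_CART_CONSENT_FIELD ) );
} );

// 2. Record the decision on the order as evidence. There is deliberately no
//    validation hook rejecting an unticked box: a customer who declines still checks out.
//    WooCommerce has already verified the checkout nonce before this hook fires.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
	$consented = ! empty( $_POST[ ABANDONED_CART_CONSENT_FIELD ] );
	$order->update_meta_data( '_abandoned_cart_consent', $consented ? 'yes' : 'no' );
	if ( $consented ) {
		// Keep the exact wording agreed to and when: that is what "consent for this purpose" means later.
		$order->update_meta_data( '_abandoned_cart_consent_text', ABANDONED_CART_CONSENT_TEXT );
		$order->update_meta_data( '_abandoned_cart_consent_at', gmdate( 'c' ) );
	}
}, 10, 2 );

// 3. Browser side: send the e-mail address for a reminder ONLY once the box is ticked.
//    While consent is absent the browser sends nothing at all.
add_action( 'woocommerce_after_checkout_form', function () {
	$field = ABANDONED_CART_CONSENT_FIELD;
	$nonce = esc_js( wp_create_nonce( 'abandoned_cart_capture' ) );
	wc_enqueue_js( "
		jQuery( 'form.checkout' ).on( 'change', '#billing_email, #{$field}', function () {
			if ( ! jQuery( '#{$field}' ).is( ':checked' ) ) { return; }
			jQuery.post( wc_checkout_params.ajax_url, {
				action:  'abandoned_cart_capture',
				nonce:   '{$nonce}',
				email:   jQuery( '#billing_email' ).val(),
				consent: 1
			} );
		} );
	" );
} );

// 4. Server side: refuse anything without an affirmative consent flag, even if a
//    modified client posts an address anyway. Store the lead in the WC session
//    together with what was consented to; the reminder job (not shown) reads it from there.
function abandoned_cart_capture_handler() {
	check_ajax_referer( 'abandoned_cart_capture', 'nonce' );

	$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
	if ( empty( $_POST['consent'] ) || ! is_email( $email ) ) {
		// No consent (or no usable address): store nothing, not even a log line containing the address.
		wp_send_json_error( array( 'stored' => false ), 400 );
	}

	WC()->session->set( 'abandoned_cart_lead', array(
		'email'        => $email,
		'consent_text' => ABANDONED_CART_CONSENT_TEXT,
		'consent_at'   => gmdate( 'c' ),
		'cart_items'   => array_column( WC()->cart->get_cart(), 'product_id' ),
	) );
	wp_send_json_success( array( 'stored' => true ) );
}
add_action( 'wp_ajax_abandoned_cart_capture', 'abandoned_cart_capture_handler' );
add_action( 'wp_ajax_nopriv_abandoned_cart_capture', 'abandoned_cart_capture_handler' );

// 5. Once the order is placed there is no abandoned cart, so the lead is dropped.
add_action( 'woocommerce_checkout_order_processed', function () {
	WC()->session->set( 'abandoned_cart_lead', null );
} );
```

The consent text and timestamp are stored alongside the address so that a later request from the customer (or a regulator) can be answered with what was agreed to and when, not just that a box existed.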

Sending emails to your customers and users under GDPR

Contact forms, incomplete checkout pages, resource download pages, and the like all have the same purpose: collecting someone’s email address and additional details (if any). That’s what GDPR directly affects.

One of the major issues with personal information collected on websites is that, once email lists have been created, some businesses bombard the customer’s inbox with promotional emails. Or they segment their email lists and start promoting a completely different product to the same people (who didn’t opt in for that in the first place). Robin sheds some light on this tricky aspect:

You’ve got the real thing to focus on: the opt-in and what people opted in for. If your newsletter always mentions products and you might even have affiliate links in it – you should disclose them – that’s your business. That’s okay because your users have opted in. However, the GDPR would come down hard on you if you take these customers that opted in for your newsletter and put them in a separate list for marketing a completely different business, because that would be a violation of the customer’s privacy.

Here again, silent or soft opt-ins are no longer acceptable. So, for example, the pre-ticked box that also subscribes the customer to your newsletter has to go, as Recital 32 reads:

Silence, pre-ticked boxes or inactivity should not constitute consent.

As a great example, I’m adding this from JimmyChoo online store:

JimmyChoo-Checkout-Email

As you can see, the option for the user to opt in to receive the latest news is not only unticked but also prominent, because it’s highlighted.

Wrapping up

GDPR isn’t an easy topic to understand.

GDPR has a variety of implications for websites collecting personal information from users resident in the EU. Chief among these is the fact that, for every piece of data collected, customer consent has to be obtained explicitly and by stating the exact purpose of where and how the data will be used. This means user consent has to be collected without blurring even the most minute detail.

Given how many things should be changed, or at least tweaked to make a WordPress website or WooCommerce store compliant, what should be your next step, then?

I’d start by assessing your current status: audit what type of data, and how much of it, you’re collecting from your users. That will give you a clear picture of the areas you’ll need to make GDPR-compliant and allow you to prioritize the required work accordingly. You can have a specialist do that for you or help you understand what should come first.

GDPR is a regulation (law), not a suggestion. All websites and online stores with EU users have to comply eventually unless they want to risk it and get fined.


This blog post features Robin Scott, an experienced WordPress developer who’s also one of the founders of Silicon Dales, an agency focused on WordPress, WooCommerce, and a variety of other services. Robin has specialized in several areas such as Custom Plugins, Gravity Forms, Hosting Transfer, Maintenance, and WooCommerce Extensions, just to name a few.

What GDPR Means For Your WordPress And WooCommerce Business – A Starter Guide On What’s Important To Know And Do First
https://www.codeable.io/blog/gdpr-wordpress-woocommerce-starter-guide/
Tue, 06 Mar 2018 07:03:00 +0000

The post What GDPR Means For Your WordPress And WooCommerce Business – A Starter Guide On What’s Important To Know And Do First appeared first on Codeable.

If you’ve been reading blogs and tech websites recently, GDPR is all the rage. This acronym stands for the General Data Protection Regulation (GDPR) announced by the European Union, which is a new law governing the use and storage of personal information of all EU citizens (it came into effect on May 25th).

How is that GDPR thing even related to WordPress websites or WooCommerce stores? Well, here’s how…

Let’s drill down into the details of this new law and, more importantly, how that all comes to you and your WordPress/WooCommerce business.

For more detailed information about GDPR, we published these additional blog posts you might want to check:

What follows is not legal advice and it’s intended to give WordPress and WooCommerce website managers a better understanding of GDPR.


What is the General Data Protection Regulation (also known as GDPR)?

The GDPR is a new law that had been in the works for quite some time and was passed in 2016. After a two-year transition period, it entered into force on May 25th, 2018.

It replaces its predecessor from 1995 with updated guidelines that govern and protect the privacy of individuals in the European Union. WordPress developer and Codeable expert Robin Scott highlights:

GDPR is a regulation, not a directive. And without going into details, that means it’s not just advice, it’s the law. This is very important to the Union and you’ve really got to pay attention to it.

Here’s a nice and informative infographic from the European Commission about GDPR.

What is the purpose of GDPR?

The purpose of this new set of regulations is fairly elaborate, but it mainly focuses on giving EU citizens more control over the personal data they share with websites. This will, of course, translate into a different approach from companies and organizations worldwide towards privacy, data management, data collection, security, and profiling of their users. As Robin sums it up:

GDPR really sets down the idea that persons – as opposed to companies – have the right to have their personal data protected. By calling it a ‘right’, it should be clear how important and strong the EU wants businesses to interpret this law.

What are the rights GDPR stands for?

The following individual rights are those provided by GDPR:

Besides these, GDPR also has provisions for automated individual decision-making and profiling.

Now that you’re getting the gist of it, let’s see how GDPR and WordPress or WooCommerce relate to each other.

Does my WordPress website / WooCommerce store need to be GDPR-compliant?

Likely, yes.

If your WordPress website or WooCommerce store collects any personal data from EU users, you need to make it GDPR-compliant. In other words, all websites that collect personal information from individuals within the EU fall under the jurisdiction of the GDPR.

I see the look on your face now: personal data, right? Is an email address considered personal data, for example? GDPR has a clear definition of what constitutes personal data.

What is considered personal data?

As the regulation defines it (Chapter #1; Art. 4, point 1):

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For a website or store manager, those words can be more easily grouped into something like this:

The important thing to understand here is this: since your WordPress website is accessible from everywhere in the world, if it is somehow collecting data from individuals within the European Union, it falls under the jurisdiction of the GDPR.

I don’t sell anything via my WordPress website! Should I comply with GDPR?

The focus of GDPR isn’t the type of WordPress website or WooCommerce store you’re managing. The regulation doesn’t care about that. The main thing GDPR revolves around is data, and data collection can occur through a simple contact form on one of your pages. As Robin elaborates:

If you have a WordPress website and you have a comment form, and people put their name and email address into your comment form, you are collecting personal data. And if your website is available to people in the European Union, you are collecting personal data from people in the European Union. So it’s kind of you might think ‘Oh, that does not apply to me’ but it might do. Every WordPress website is likely to be potentially impacted by this.

How to make WordPress website or WooCommerce store GDPR-ready?

The short answer is to have a strategy in place: one where data is collected, stored, and protected as the regulation requires, but also one that accounts for the procedures any website/store manager will need to have for data breaches, data portability, and data erasure.

That’s a good starting point, because the main thing GDPR is aiming at is strengthening the security of personal data. And that goes through an overhaul of your current strategy for how you handle and store user data; it starts with how you collect it.

Specifically, you should tweak all your copy and untick all those options on your forms that subscribe people without their doing anything and, instead, clearly ask for customer consent.

WooCommerce 4.3 includes the following useful features, which will allow you to have more control over customer data:

  • Personal data eraser
  • Data retention settings
  • Checkout page display options
  • Privacy policy snippets

Obtaining consent can be hard on WordPress websites but even trickier on WooCommerce sites

The most basic change that GDPR introduces is that, although consent was asked for before, now it has to be asked for very clearly and explicitly. Robin elaborates:

The consent has to be clear, really clear. The word they use in the regulation is unambiguous. So it can’t be ‘Maybe I’m agreeing to be put on a newsletter list.’ No, it has to say, ‘I’m agreeing.’ And so on with other points of contact with the website or store. In addition, the consent needs to be for each purpose that you’re collecting data for, and you also need to get consent on each occasion. And you also need to describe what you’re using it for.

WooCommerce forms and obtaining permissions on them is difficult because of the tweaks required in order to make them effective. Robin points out:

In the WooCommerce context, there’s a couple of eCommerce issues that might be more difficult to deal with to get consent on: abandoned carts, abandoned checkouts for example. Another one is segmentation of customers based on orders. So if you’re using a service like MailChimp, for example, and you have it connected to eCommerce data that is segmenting customers based on previous purchases. For that, you’re going to need to obtain consent for doing that, and that’s actually hard in checkout because you’re going to have to add an extra field.

There are some things to think about in there for retailers that will be strictly related to business decisions about ‘Okay, what’s more important to us?’ In which case, we need to obtain specific consent. Or: ‘Are we going to have to stop segmenting users in this way?’ That’s the type of decision for the store owner.

Handling personal data is like borrowing someone else’s car

This regulation requires that everything be made crystal clear. Robin explains this key point with a great analogy, where the car plays the role of personal data:

It’s like borrowing someone’s car. You have to state clearly when you need it and for what reason. An important thing to remember here is that you’re only borrowing the car, it’s not your property. So as a result, you can’t use it without authorization, you can’t sell it and, if it gets damaged somehow, you inform the owner and the relevant authorities about it.

What are the very first things that need to be implemented to become GDPR-compliant?

There are a number of features that need to be implemented in accordance with this new law, and as a website or store manager, you should start with these 3 main areas.

3 aspects to focus on immediately for website/store managers:

To help you with that, there are free WordPress plugins already available on the repository:

WordPress plugins for GDPR: WP GDPR Compliance

Through a bunch of options you can toggle on and off, this plugin will help website and store managers comply with GDPR. As stated on the plugin page, this plugin currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments. Additional plugin support will follow soon.

WordPress plugins for GDPR: WP GDPR

This plugin will help you deal with users asking to see which personal data is collected on your website/store, and will enable them to either download it or ask for its removal.

GDPR plugin standard initiative: GDPR for WordPress

This one is in the making and, at least for website and store managers, there’s nothing currently available. But the initiative is brilliant as the involved developers aim at developing standards so that anyone within the WordPress ecosystem will benefit from a shared solution.

Besides website and store managers, this initiative is working on solutions to give plugin developers a simpler way to validate plugins and make them GDPR-compliant. Here’s the documentation on GitHub.


GDPR seems like kind of a big deal, doesn’t it? Well, here’s what businesses that don’t comply risk.

What are the consequences of not complying with GDPR?

The consequences of ignoring GDPR are pretty severe. If you’re found to be in violation of it, the penalty is a fine, a very heavy fine in fact: €20 million (~$24.6 million USD) or 4% of the company’s annual global turnover, whichever is greater.

Given such numbers, would you feel confident risking it? Your call!

Wrapping up

GDPR brings a new set of strict regulations that concern and govern most websites, especially WordPress- and WooCommerce-based ones that collect data from customers. Therefore, it is important to study the regulation and put the necessary strategy in place for your website or store at the earliest.

This is a pretty technical topic into which you can dig deeper with the help of some good resources such as: GDPR FAQs, the ICO’s guide on GDPR, and the Silicon Dales Guide to GDPR.

For more detailed information about GDPR, we published these additional blog posts you might want to check:

If you have no idea what you should do at first, jumping on a call with a WooCommerce expert might be a cost-effective solution.


This blog post features Robin Scott, an experienced WordPress developer who’s also one of the founders of Silicon Dales, an agency focused on WordPress, WooCommerce, and a variety of other services. Robin has specialized in several areas such as Custom Plugins, Gravity Forms, Hosting Transfer, Maintenance, and WooCommerce Extensions, just to name a few.
