WordPress GDPR and CCPA Compliance Guide for Beginners

If you have a WordPress website — especially one that uses plugins — you need to make sure that you are compliant with global data privacy laws. The two most important of these are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

In this guide we’ll go over what data privacy regulations you need to comply with if you are a WordPress website owner.

WordPress GDPR Requirements

The GDPR provides a variety of rights to users. These rights are meant to ensure all companies take steps to protect users’ personal data. The primary rights users have under the GDPR include:

• Jurisdiction: The GDPR doesn’t just apply to companies that operate inside the European Economic Area (European Union, Norway, Island, Lichtenstein), UK, and Switzerland — it also applies to any company that stores and processes the personal data of people living in these countries. Users and website visitors (users) have the right to be covered no matter where a website is located.
• Valid consent or other lawful reason for processing: Any user whose data is stored must give clear and explicit consent through positive action. A user’s consent can’t be implied simply because they continuously browse on a website — they must be able to check a box or click a button to give express consent to the storage of their data. Companies need to process users’ data in a lawful manner that relies on one of the lawful grounds for processing found in Article 6 of the GDPR.
• Access rights: Users have the right to access any of their personal data that a company has stored. They can also request information relating to how that data is used.
• Right to deletion: Users have the right to ask companies to delete their personal data. They can also restrict any further usage or sale of that data.

The European Data Protection Board Guidelines for Valid Consent

The European Data Protection Board is an independent body established to ensure the consistent application of the GDPR. It has adopted guidelines specifying what constitutes valid consent to collect data. They include:

• No pre-checked boxes: There should be no pre-ticked checkboxes in your WordPress site’s cookies banner. Apart from strictly necessary cookies, consent options for all other types of cookies need to be unchecked so that users can provide explicit consent.
• Free choice: Restricting access to portions of your website if a user rejects your cookies does not constitute valid consent. Users should be free to make their preferences known for all categories of internet cookies and choose which they would like to enable or disable.
• Positive action: Consent needs to be explicit and positive. Implied consent by continuous browsing on the website does not constitute valid consent. A user must actively provide their approval through the use of a checkbox, button, or some other positive action.

GDPR Compliance Built Into WordPress

WordPress 4.9.6 — released after the enactment of the GDPR — made WordPress compliant with the law. The WordPress team added various enhancements to do this, which include:

• Opt-in comments: Generally, WordPress stores a user’s information to validate a comment. Commenting usually requires users to register and provide an email address. The new version has added an opt-in text box that obtains the user’s consent to store that information through the use of cookies.
• WordPress privacy policy page: WordPress now includes a pre-built privacy policy page that is essentially a series of templates providing the essential information you need to give users to comply with the GDPR. Admins have the option to edit these templates to ensure their websites are fully compliant.
• Data storage: WordPress has added an “Export Personal Data” function that allows users to download or delete any of their data stored by your website. This feature is accessible from the Tools tab on the WordPress admin dashboard.

What Do I Have To Do To Comply With the GDPR?

To ensure your WordPress site complies with the GDPR, you will need to do the following things:

• Notify users about cookies: Users need to be provided with a cookie notification message that includes a link to a comprehensive cookie policy indicating clear information about the various cookies used by your WordPress website. That includes the kind of data they store and process, the purpose for storage, and where that data is going. In addition, privacy information should be easy to access.
• Have a plan for cookie usage and consent: Before activating or enabling any non-essential cookies, you must implement a way for your WordPress site to get cookie consent.
• Keep a data log: Sites need to keep a record of all consents obtained from users. It’s standard practice to delete all backups after three months and all financial records after a set amount of years.
• Provide actual choice: Users should be able to see a list of all cookies in use on your WordPress site and select which ones they’ll accept or reject. Of course, the site must still be functional despite the user’s rejection of cookies.
• Allow users to change preferences: Users should be able to change their cookie settings and preferences at any given time.
• Protect data: Any personal data the company stores must be secure.
• Provide breach alerts: Companies must notify authorities of any data breach unless it’s not considered a risk to personal data. Common data breaches include cyber attacks, employee data theft, human error, and asset loss. Having a breach protection plan in place is essential for compliance. The plan needs to include a regularly updated list of user emails and a plan to inform concerned authorities and users within 72 hours of a breach.

Non-compliance with the GDPR risks a hefty fine of up to 20 million euros or 4% of your company’s annual turnover, whichever sum is higher.

WordPress CCPA Requirements

The CCPA is California’s privacy law regulating companies that store and process personal data. It was enacted to protect the privacy of Californian citizens and grants them the following rights:

• The right to know what personal data is being stored
• The right to know if personal information is being sold or sent to third parties, and if so, to whom
• The right to reject the sale of personal data
• The right to request the deletion of personal data
• The right to access personal data stored by the website

According to the CCPA, organizations don’t need to obtain opt-in consent to use cookies. However, there is a requirement to provide a cookie warning that informs users of the data collected by any cookies used on your website — and how that data may be further distributed. Companies are also required to provide an easy way for users to opt out from the use of non-essential cookies and the sale of their data.

Compliance With the CCPA

To ensure compliance with the CCPA when using WordPress, you must do the following:

• Allow opt-out: You should provide your users with an opt-out feature through a “Do Not Sell My Personal Information” option on your website. It should allow users to opt out of the sale of their personal data to third parties.
• Notify users about the personal data you collect and sell: Either during or before the point of collection, you must provide a notice to the user letting them know what kinds of personal information your company stores and why it’s stored.
• Stop selling to third parties when requested: If a user requests to opt out of having their personal data sold, you must follow through within 15 days. You must also inform all third parties you’ve sold data to in the past 90 days that it must be deleted.
• Allow minors to opt in: For users under the age of 16, companies must obtain opt-in consent to sell their personal data. On top of that, a parent or legal guardian’s consent is required for any user under the age of 13.

Other WordPress Compliance Requirements

Other privacy laws such as the PECR also affect how you need to design and run your WordPress site and how you need to maintain cookies on your WordPress site.

Furthermore, while not strictly a requirement, performing a regular audit of your data collection and WordPress cookie performance is helpful to stay in legal compliance.

PECR (Privacy and Electronic Communications Regulations)

The Privacy and Electronic Communications Regulations (PECR) work together with the GDPR. They implement the European Directive 2002/58/EC, which aims to provide specific regulations relating to communication and privacy.

While the GDPR regulates the processing of the personal data your website collects, the PECR regulates when you may activate certain cookies.

If you’re based in the UK, PECR regulations take precedence over the GDPR. All this means that to ensure WordPress cookie compliance, you must confirm compliance with both the PECR and the GDPR.

Fortunately, the PECR derives most of its critical regulations from the GDPR.

For example, the standard for consent under the PECR is identical to that in the GDPR — positive action using a checkbox or button. Like in the GDPR, the use of pre-checked boxes for permission is not considered valid.

The PECR also requires approval for non-essential cookies, including those of third parties used for targeted advertising or analytics.

Audits

One of the ways to ensure you stay compliant with the GDPR and other laws is to conduct regular audits on how your WordPress site — and its cookies — collect and process personal data.

Your audits should help determine:

• The purpose behind your site’s processing of personal data
• The type of data being stored and processed
• The safeguards put in place to ensure data protection
• How long a user’s personal data is stored for and when that data is deleted
• The process through which users get notified and updated of your data storage and usage
• What third parties have access to collected personal data

Ensuring compliance is not a one-time struggle. It requires continuous assessment, review, planning, and implementation. Anyone involved in your company needs to be aware of the relevant laws and how they affect your business so that nothing about your site gets changed that might throw it out of compliance.

Considerations During Website Planning

Creating and designing a WordPress website that is compliant with GDPR, CCPA, and PECR requires you to work on the following aspects during the website planning stage:

Is My WordPress Website Compliant With GDPR/CCPA?

To understand whether or not your WordPress site is compliant with data privacy protection laws, you need to know what parts of your website are likely to be impacted.

Things on Your WordPress Site That Are Impacted by the GDPR

When it comes to the GDPR, as a WordPress website owner, you will need to be aware of the following:

• How you collect and handle user data
• The various ways cookies get used on your website

In addition to keeping those on your mind, the following areas of your website are also impacted by the GDPR:

Analytics

If you use any analytical tool such as Google Analytics, your website may store data such as users’ IP addresses, cookies, IDs, and more. If you’re using third-party plugins for analytics, you must inform your users. As good practice, avoid using analytics to track users’ IP addresses.

Contact Information Forms

Nearly all websites use contact forms. As a result, if your website uses any of the stored personal data for targeted advertising, your users need to be informed. A consent checkbox with a simple explanation is often sufficient under the GDPR. This explanation should disclose why you are asking for data and how you will use it.

Opt-in Marketing Forms

Similar to contact forms, email marketing opt-in forms require you to get user consent before using any personal data for marketing-related purposes. You can get this opt-in consent either by requiring a double opt-in — sending a validation email with a link they need to click on to authorize the usage of their personal data after receiving their email address — or adding a checkbox.

Membership and Ecommerce

If your website is an ecommerce or a membership website, you’ll need to keep a few things in mind. If your website uses personal data obtained during sales for email marketing or advertisements, you need to inform your users and give them an option to opt out. If you’re collecting financial data, it’s a good idea to get it through third-party services such as PayPal. If your website gets breached and personal data is lost or stolen, it’s more serious when financial data is involved.

Media

Embedding content such as images may allow third parties to collect your website users’ personal data — including their IP addresses — and retrieve cookies that store their data. On top of that, this may also allow third parties to embed additional tracking cookies or software in your users’ browsers. This means if you’re embedding third-party content, that information needs to be included in your privacy policy.

Advertising

If your website uses targeted advertising that relies on collecting your users’ personal data, the users need to be informed.

Things on Your WordPress Site Impacted by CCPA

The CCPA mainly has an impact on your WordPress site’s privacy policy.

It requires you to have information on what, why, and how personal information is collected and processed outlined in your privacy policy. This policy should also have information on how users can change, delete, or request access to any data your website has collected.

You’ll also need to have a method of verifying the person’s identity making the requests.

Other Things to Consider

Any cookies, themes, and plugins you use on your WordPress site might need to comply with the GDPR, CCPA, or other data privacy protection laws. Therefore, you need to know how these things affect your WordPress site’s use of cookies.

Given that there are many considerations and complications in ensuring your WordPress cookies usage follows the laws, you can use plugins that automate some aspects of GDPR and CCPA compliance.

Some recommended WordPress plugins for compliance with the GDPR and CCPA are as follows:

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author