What is GDPR?
GDPR is the EU's new data protection regulation, in force from 25th May, 2018. It applies to the personal data of people in the EU, wherever your site is hosted. It gives them rights over their data and sets rules for how and when you can collect personal information from your EU visitors and users.
Data such as IP addresses, email addresses and names all count as personal data. To collect this data you need a lawful basis: either consent (an affirmative action by the user, such as ticking a checkbox or clicking a button) or another basis such as legitimate interest (network and information security is the example GDPR itself gives in Recital 49).
You can learn more about GDPR here: https://ec.europa.eu/justice/smedataprotect/index_en.htm
What GDPR asks of you:
- Tell the users who you are, why you collect the data, for how long and who receives it. (Right of information)
- Let users access their data, and take it with them. (Right to Access)
- Let users delete their data. (Right to be Forgotten)
- Breach Notification: If a data breach occurs, notify the supervisory authority within 72 hours and the affected users when the breach is likely to put them at high risk.
- Get clear, affirmative consent before collecting any data that has no other lawful basis.
What you need to do:
All of this is available with WordPress v4.9.6 (update now!), which has tools to create a privacy page (Right of information), export personal data (Right to Access) and erase personal data (Right to be Forgotten). For breach notification, you have to notify the authority and your affected users via any communication channel you have if your site is hacked or data leaks.
You will have to review your third-party plugins to see if they’re collecting any personal data that may require consent or a privacy page mention. You will also have to review third-party widgets you may have embedded.
Note: The plugins included with the ContentBerg theme do not collect any personal data.
1. Privacy Page
WordPress v4.9.6 includes the tools to create your privacy page.
- Go to Settings > Privacy. Click "Check out our guide" to see samples and information for the privacy page. Copy the sections you want to use.
- Click Create New Page and that’s all.
You may want to link this privacy page in one of your site navigation menus. Also make sure you have provided an email address or a contact form through which users can request access to their data or exercise their Right to be Forgotten.
If you include YouTube videos, Instagram embeds, SoundCloud players or Tweets in your posts, you will also have to mention that third-party social media sites are used; these embeds send each visitor's IP address to that third party and may set cookies.
2. Newsletter & MailChimp
For a newsletter, the first thing you have to do is identify whether you have what's called an unbundled or single-intent form.
a) You will use email address just to send newsletter:
You have to do nothing here. Since the subscribe box says Newsletter – the form is unbundled and has the single intention of subscribing the user to a newsletter. Clicking Subscribe button here is consent to receive newsletter.
It’s still a good practice to include a small message on what you will use this email for. And always use double opt-in.
b) You will use the email address for marketing or sending promotional emails:
Now this becomes a bundled form. The user didn’t consent to anything other than a newsletter.
Note: You may still be able to embed special offers if they're part of your newsletter emails (do mention this in advance), but you won't be able to send separate promotional emails.
So what should you do here? You need separate consent for each activity, with checkboxes that are unticked by default (pre-ticked boxes do not count as consent under GDPR). You also have to add a message explaining your marketing activities. Unfortunately, repeating all of that on every widget across the site is distracting and clutters the design.
The good news is, we have a unique solution that shows a popup for consent and integrates with any existing mailchimp form or widget:
Installing Easy GDPR Consent Forms (for MailChimp):
This plugin will let you add a consent popup for your MailChimp forms without affecting your site design. First install it:
- Go to ContentBerg > Install Plugins.
- Install and Activate the Easy GDPR Consent Forms – MailChimp plugin (if it’s not shown, it’s already installed).
Next you have to configure it for your widgets. Step by step:
- Open a new tab and login to your MailChimp account.
- Go to MailChimp > Lists. Click on the list you are currently using.
- Click Manage Contacts > Groups > Create Groups.
- Leave the default display setting (checkboxes) selected. Enter Group Category: Consent. Under Group Names, enter one entry per consent you need, such as Special Offers and Advertising.
- Click Save.
- Next, click Signup Forms and choose Embedded Form.
- Select and copy the code presented on this page.
- Now go to your WordPress Dashboard. Go to GDPR Consent Forms > Add New
- Enter any name for the widget.
- Paste the code you copied from the Embedded Form page into the Form Code text box and click Detect.
- Configure rest of fields as you see fit and save the form. You probably want to configure the checkboxes labels to be proper sentences.
- (Optional) If you have any cache plugin active, clear the caches.
- (Optional) These checkboxes may be shown in your live form and if you use these forms elsewhere, you may not want that. You can hide them by editing your form (instructions here).
With everything configured, you can now segment your newsletter list by those who did give consent and those who did not. These checkboxes (called “Interest Groups” at Mailchimp) will help you segment users based on whether they gave a particular consent or not. You can learn more about how to create segments at MailChimp KB.
3. Contact Forms
A plain contact form whose data you use only to answer the enquiry is single intent and needs no consent checkbox. What if it's not single intent? If you're asking for more information than necessary, if you're going to keep this data for longer than needed, or if you wish to use it for other purposes such as marketing or subscribing the sender to a newsletter, you need a consent checkbox.
Contact Form 7 supports acceptance checkboxes (its acceptance form tag). Remember to create a separate, unticked checkbox for each type of activity. For example, if it's for Newsletter and Marketing, you will need two checkboxes, and the form must still submit without the optional ones ticked.
4. Google Fonts
Loading Google Fonts from Google's servers sends every visitor's IP address, which is personal data, to Google, so your privacy page should at least mention it. Do note that there are several advantages of using them:
- Speed via Cache: Millions of sites use Google Fonts, so a visitor's browser may already have the fonts cached. (Newer browsers partition the cache per site, so this shared-cache benefit is smaller than it used to be.)
- Speed via CDN: Google has one of the best networks in the world and serves the fonts from the nearest datacenter. A CDN such as Cloudflare in front of your site gives a similar benefit for self-hosted fonts.
However if your legal counsel has determined Google Fonts shouldn’t be used, we have a solution to self-host them automatically so they’re served from your server locally:
Self-Hosted Google Fonts
- Go to ContentBerg > Install Plugins.
- Install and Activate the Self-Hosted Google Fonts plugin (if it’s not shown, it’s already installed).
- Go to Settings > Self-Hosted Google Fonts. Set Enable Processing to Yes and Save.
- If you have any cache plugin installed, empty the caches.
5. Google Analytics
If you use Google Analytics, you will need to take some steps to be compliant.
- IP Anonymization: Use a plugin that has an IP Anonymization option, like this plugin. This sets the anonymizeIp flag, which makes Google truncate the last octet of IPv4 addresses (and the last 80 bits of IPv6 addresses) before storing them.
- Add a cookie notice plugin to inform users about cookie usage. We recommend the Cookie Notice plugin.
- Review the data retention setting in Google Analytics (Admin > Tracking Info > Data Retention) and choose the shortest period you need.
Notice: If you use Google Analytics for personalized advertising (most bloggers don't), you will likely need consent before Google Analytics is even loaded (info here).
6. Cookie Notices
Consider cookies from these categories:
- Functional cookies required for an important function of the website or app, such as login or security. These require no notice; just mention them in your privacy policy.
- Preference & Statistics cookies related to user settings and third-party web analytics. These require a cookie notice.
- Tracking cookies, or cookies containing personal data, set to track users for marketing or to show personalized ads. This category requires a cookie notice and prior consent.
For a blogger using no 3rd party Analytics service and no third party embeds, no action is needed.
Adding A Cookie Notice
If you have determined that you need a cookie notice, for example because you use Google Analytics, we recommend the Cookie Notice plugin (the same one mentioned under Google Analytics above).
About Notice and Consent Category (#3):
It's unusual for bloggers, but some of you may install web beacons or pixels from services like Facebook Ads to show personalized ads to users. As explained in category #3, these require notice and consent.
What this means is that the user must accept (click a button or tick a checkbox) before you load these pixels/beacons or set any tracking cookies for marketing.
Fortunately, the Cookie Notice plugin can block such scripts until the user accepts.
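To make the three cookie categories concrete, here is a small consent gate as an added example. It is not code from the ContentBerg documentation, the Cookie Notice plugin or Google; it shows the logic such a plugin applies: functional scripts always load, statistics scripts load but a notice is owed, and marketing scripts stay blocked until the visitor has opted in. It assumes a cookie named site_consent that holds a comma-separated list of accepted categories (an assumed name and format), and the tag inventory is constructed for the example. The Google Analytics entry uses the real gtag.js anonymize_ip parameter with a placeholder measurement ID.

```javascript
// Added example, not from the ContentBerg docs or any plugin.
// Assumed cookie: site_consent=statistics,marketing (names and format are assumptions).

const CATEGORIES = {
  // login, security, CSRF tokens: no notice, no consent needed
  functional: { notice: false, consent: false },
  // analytics with IP anonymization, preference cookies: notice, no consent
  statistics: { notice: true, consent: false },
  // ad pixels, beacons, cross-site tracking: notice AND prior consent
  marketing: { notice: true, consent: true },
};

const CONSENT_COOKIE = 'site_consent'; // assumed cookie name

// Constructed inventory of third-party tags and the category each belongs to.
const TAGS = [
  {
    id: 'google-analytics',
    category: 'statistics',
    src: 'https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID',
    // gtag.js config with the real anonymize_ip parameter; the ID is a placeholder
    onload: () => {
      window.dataLayer = window.dataLayer || [];
      function gtag() { window.dataLayer.push(arguments); }
      gtag('js', new Date());
      gtag('config', 'GA_MEASUREMENT_ID', { anonymize_ip: true });
    },
  },
  // hypothetical ad pixel standing in for a marketing beacon
  { id: 'ads-pixel', category: 'marketing', src: 'https://ads.example/pixel.js', onload: null },
];

// Parse "a=1; site_consent=statistics%2Cmarketing" into a null-prototype object.
function parseCookies(cookieString) {
  const out = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name === '') continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      // malformed percent-encoding: ignore this cookie rather than throw
    }
  }
  return out;
}

// Categories the visitor explicitly accepted; unknown names are dropped.
function acceptedCategories(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return new Set();
  return new Set(
    raw.split(',').map((s) => s.trim())
      .filter((s) => Object.prototype.hasOwnProperty.call(CATEGORIES, s))
  );
}

// For one category: may its scripts load now, and is a notice still owed?
function decide(category, cookieString) {
  const rule = CATEGORIES[category];
  if (!rule) return { load: false, notice: true }; // unknown category: fail closed
  const accepted = acceptedCategories(cookieString);
  const load = !rule.consent || accepted.has(category);
  const notice = rule.notice && !accepted.has(category);
  return { load, notice };
}

// Split the inventory into tag ids to inject now and ids to hold back.
function plan(tags, cookieString) {
  const load = [];
  const blocked = [];
  let notice = false;
  for (const tag of tags) {
    const d = decide(tag.category, cookieString);
    (d.load ? load : blocked).push(tag.id);
    notice = notice || d.notice;
  }
  return { load, blocked, notice };
}

// Browser side: inject only the allowed scripts; outside a browser just return the plan.
function applyPlan(tags, cookieString) {
  const p = plan(tags, cookieString);
  if (typeof document === 'undefined') return p;
  for (const tag of tags) {
    if (!p.load.includes(tag.id)) continue;
    const s = document.createElement('script');
    s.async = true;
    s.src = tag.src;
    if (tag.onload) s.onload = tag.onload;
    document.head.appendChild(s);
  }
  return p; // p.notice tells the page whether to show the cookie banner
}
```

In a page you would call applyPlan(TAGS, document.cookie) on load and again after the visitor accepts, so the marketing tag is injected only once the consent cookie is present. The point to keep from this: the decision is made before the script element is created, because once a pixel script runs it has already set its cookies.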