GDPR tools arrive in WordPress 4.9.6
WordPress 4.9.6 was released last Thursday (17th May). It’s a bit different from a standard minor release, as it contains new features – primarily to address some of the requirements of the GDPR. Here are the key points:
- A checkbox has been added to the blog comments form asking the user whether they want their name, email and website to be saved in the browser (i.e. in a cookie) for the next time they comment. This is a change that may need a styling tweak if you have a custom theme (to ensure the checkbox/label are presented nicely). Get in touch if you need help on this.
User Data Requests
- Site owners can now initiate a process whereby a user is sent a .zip file containing their personal data held on the website – this includes data gathered by WordPress and participating plugins (i.e. only data gathered by plugins that have implemented the required protocols – not necessarily all user data on the website). It’s a multi-step process that involves clicking a button to send a verification email to the user, then once verified, clicking a button to email the actual data export to the user.
- Likewise, there is a similar process in place for data erasure – site owners initiate the process, the user verifies via email, then the site owner clicks a button to erase data. As with data export, this will only erase data collected by participating plugins – so it’s not necessarily a catch-all.
It’s a huge positive that the WordPress community has pulled together and created this release in response to the requirements of GDPR – albeit rather close to deadline! It doesn’t automatically imply compliance – that would be a totally unreasonable expectation – but it does provide some useful tools to help site owners on their journey towards compliance. I see it being particularly useful for small organisations who work primarily or exclusively online.
I hope we will see the data export/erasure functionality widely adopted by plugin authors. Arguably this element of the release will only be really useful if this is the case – and perhaps therefore there is an argument that the official plugin directory should mandate use of the data export/erasure protocol (I’ve no idea how easy this would be to enforce). In its current form, and for my own use cases, I see limited scope for using this functionality – partly because there may be plugins in use that are storing data and haven’t adopted the protocol, and partly because often there will be data held outside the website, which also has to be taken into account. It would be useful to have the ability to view/download a particular user’s data without having to involve the end user – for aggregation into a wider data export, parts of which are likely to be pulled together from other systems or manually.
The official post for the release is here: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/