GDPR tools arrive in WordPress 4.9.6

WordPress 4.9.6 was released last Thursday (17th May). It’s a bit different from a standard minor release, as it contains new features – primarily to address some of the requirements of the GDPR. Here are the key points:

Privacy Policy Page

  • There’s a tool that allows you to designate a privacy policy page (see Settings -> Privacy). This page is then shown on your login & registration pages (really relevant only to those who have a multi-user site), and there’s an internal function that allows developers to call out the privacy page programmatically. If you haven’t already got a privacy policy on your website, this tool also gives guidance on what should be on the page – useful for anyone working last minute to get up-to-speed with GDPR.

Comments

  • A checkbox has been added to the blog comments form asking the user whether they want their name, email and website to be saved in the browser (i.e. in a cookie) for the next time they comment. This is a change that may need a styling tweak if you have a custom theme (to ensure the checkbox/label are presented nicely). Get in touch if you need help on this.

User Data Requests

  • Site owners can now initiate a process whereby a user is sent a .zip file containing their personal data held on the website – this includes data gathered by WordPress and participating plugins (i.e. only data gathered by plugins that have implemented the required protocols – not necessarily all user data on the website). It’s a multi-step process that involves clicking a button to send a verification email to the user, then once verified, clicking a button to email the actual data export to the user.
  • Likewise, there is a similar process in place for data erasure – site owners initiate the process, the user verifies via email, then the site owner clicks a button to erase data. As with data export, this will only erase data collected by participating plugins – so it’s not necessarily a catch-all.
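
How a plugin takes part in the export and erasure process described above, as an added example (not code from the original post or from WordPress itself): it registers callbacks on the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. The "exnews" plugin and its exnews_signup_source user-meta key are hypothetical.

```php
<?php
// Added example for a hypothetical plugin; "exnews_signup_source" is a
// constructed user-meta key standing in for whatever the plugin stores.

// Register an exporter so this plugin's data is included in the export .zip.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['exnews'] = array(
        'exporter_friendly_name' => 'Example Newsletter',
        'callback'               => 'exnews_export',
    );
    return $exporters;
} );

// Register an eraser so this plugin's data is removed by an erasure request.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['exnews'] = array(
        'eraser_friendly_name' => 'Example Newsletter',
        'callback'             => 'exnews_erase',
    );
    return $erasers;
} );

// Called by core with the verified requester's email; returns export rows.
function exnews_export( $email_address, $page = 1 ) {
    $items = array();
    $user  = get_user_by( 'email', $email_address );
    $value = $user ? get_user_meta( $user->ID, 'exnews_signup_source', true ) : '';
    if ( '' !== $value ) {
        $items[] = array(
            'group_id'    => 'exnews',
            'group_label' => 'Example Newsletter',
            'item_id'     => 'exnews-' . $user->ID,
            'data'        => array(
                array( 'name' => 'Signup source', 'value' => $value ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // single page of results
}

// Called by core once the site owner confirms erasure for that email.
function exnews_erase( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = $user && delete_user_meta( $user->ID, 'exnews_signup_source' );
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

A plugin that stores personal data but registers neither callback is skipped by both tools, which is why an export or erasure is not necessarily complete.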

Initial thoughts

It’s a huge positive that the WordPress community has pulled together and created this release in response to the requirements of GDPR – albeit rather close to deadline! It doesn’t automatically imply compliance – that would be a totally unreasonable expectation – but it does provide some useful tools to help site owners on their journey towards compliance. I see it being particularly useful for small organisations who work primarily or exclusively online.

I hope we will see the data export/erasure functionality widely adopted by plugin authors. Arguably this element of the release will only be really useful if this is the case – and perhaps therefore there is an argument that the official plugin directory should mandate use of the data export/erasure protocol (I’ve no idea how easy this would be to enforce). In its current form, and for my own use cases, I see limited scope for using this functionality – partly because there may be plugins in use that are storing data and haven’t adopted the protocol, and partly because often there will be data held outside the website, which also has to be taken into account. It would be useful to have the ability to view/download a particular user’s data without having to involve the end user – for aggregation into a wider data export, parts of which are likely to be pulled together from other systems or manually.

I like what’s been done with the privacy policy template tool – although it’s likely a little late for most, it’ll be good for those who haven’t addressed GDPR in their organisation yet. Again, don’t expect it to be a complete solution, but it’s a useful starting point if you don’t already have your own privacy policy.

The official post for the release is here: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/
