With an estimated 4.39 billion internet users today, data privacy is no laughing matter. Between the flood of data breach scandals, the influx of targeted advertising, and concerns over information shared on social media — people are worried about the security of their data.
The legal landscape has been quick to address these data security concerns. In May of 2018, the EU’s General Data Protection Regulation (GDPR) came into force, setting off a domino effect of data privacy laws.
The age of data privacy is here, and site owners need to pay attention. To address both user demand and legal requirements, your WordPress site should follow these four simple steps — or pay a steep price.
Emphasize Transparency
The million-dollar word in the data privacy era is transparency. People want it, and laws demand it. But what does transparency really mean?
Transparency is all about making your data collection and handling practices clear and apparent to your site’s visitors.
GDPR Article 12 explicitly demands transparency from businesses, stating:
The controller shall take appropriate measures to provide any information […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form.
Other laws, like the incoming California Consumer Privacy Act (CCPA), similarly require transparency in data collection. So how exactly can you employ transparency on your WordPress site?
Offer a Comprehensive Privacy Policy
Across these privacy acts and laws, the most commonly mandated approach to transparency is to offer a privacy policy. While the exact statements and clauses you include in a privacy policy will vary based on your customers and operations, here are some key best practices to consider when you generate a privacy policy:
- Be comprehensive: Detail all aspects of your data collection — including what data you collect, where you source it, why you collect it, and who it may be sold to or shared with in your privacy policy. There’s no such thing as extraneous information when it comes to meeting the transparency standards of today.
- Be clear: Use simple and clear language, and arrange your policy in a user-friendly format. A privacy policy won’t get you far — with your site visitors or the law — if it’s incomprehensible.
- Be committed: Add a section to your privacy policy that states what rights users have to their data, how they can exercise those rights, and who they can contact with questions or concerns. These aren’t just words on a page — provide your users with legitimate ways of addressing their privacy concerns, and establish systems capable of handling those complaints or requests.
Privacy policies are nothing new. But now more than ever, websites — no matter how big or small — need to offer clear, comprehensive, and actionable privacy policies.
Make Your Efforts Known
You aren’t operating transparently if users have to hunt down information about your data handling. Make your efforts to emphasize user privacy known by clearly displaying your privacy policy. Here’s how to display your efforts toward transparency without affecting the aesthetics or functionality of your WordPress site:
- Link your privacy policy in the footer: Add links to your privacy policy and other important pages regarding data collection (like a cookie policy) in the footer of your site.
- Bulk up your “About Us” page: Show your users that data privacy is a fundamental part of your operations by mentioning it on your “About Us” page. Add a line or two about how you value your site visitors’ privacy, and link to your privacy policy.
- Send out an email: Whenever you revamp your privacy policy and data protection efforts, make sure your users know about it. Send an email or add a section to your newsletter that explains to your subscribers the steps you’ve taken to better protect their personal information.
It’s no secret that websites collect data. Citizens and lawmakers know that sites need to gather information to give internet users the experiences they’ve come to expect. But with the dangers of data mining becoming more known, you need to reassure your site’s visitors by coming clean about exactly how and why you need to collect their data.
Ask for Cookie Consent
Midway through 2018, the internet was abuzz talking about the banners and popups appearing on website after website, asking visitors to consent to cookies. The sudden appearance of these banners was more than just an internet meme. Under the GDPR and the ePrivacy Directive (otherwise known as the EU Cookie Law), cookie consent is a legal necessity.
So if your site isn’t running one of those consent banners yet — it needs to be.
Cookies “remember” interactions between a given user and your site. They can keep track of IP addresses, preference settings, social media login information, browsing habits, and so much more from your site’s visitors. To do this, cookies have to collect data.
Given their nature as data-magnets, cookies are becoming more heavily regulated by privacy laws. Luckily, complying with the cookie guidelines of laws like the ePrivacy Directive and the GDPR is easier than it may appear. Here’s what you need to do:
- Create a cookie policy: While your use of cookies needs to be specified in your privacy policy, you should further detail these practices in a cookie policy. Within your cookie policy, cookies and other trackers that your site uses should be organized into categories (e.g., analytics, customization, functionality, social media, etc.).
- Run a consent banner or popup: Notify your users that you use cookies on your site and allow them to consent or set their preferences through a banner or popup. This interactive message should appear when a user visits your site for the first time, and non-essential cookies (cookies that aren’t necessary for your site’s function) should be blocked from running until a user has given their consent.
- Allow users to set their preferences: Not only should users have the ability to consent to your use of cookies through a consent banner, but they should also be able to set cookie preferences. Add a preference link to your consent banner that directs users to a page or form where they can opt in to specific categories of cookies.
- Honor opt outs: This one’s simple — if users don’t opt in to cookies, don’t deploy cookies. Even if they do opt in, give them methods of withdrawing that consent at any time (and honor it!).
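The blocking, preference and withdrawal behaviour described in the list above, as an added example that is not from the original article: a small JavaScript consent gate in which non-essential tags are deferred per category until the visitor opts in, the decision is persisted, and withdrawing consent expires the cookies registered for each category. The storage key, the category names and the cookie names are assumptions for illustration; the storage object and the cookie-expiry function are injected so the same module runs in Node and in a browser.

```javascript
// Added example (not from the original article): a category-based cookie
// consent gate. Default is deny: with no stored decision, gated tags never run.
const CATEGORIES = ["analytics", "customization", "functionality", "social"];
const STORAGE_KEY = "cookie_consent_v1"; // assumed key name

// Browser-only helper: expire a cookie by name (assumes cookies set with path=/).
function browserExpireCookie(name) {
  document.cookie = `${encodeURIComponent(name)}=; Max-Age=0; path=/`;
}

function createConsentManager({ storage, expireCookie, now = () => Date.now() }) {
  const deferred = {};    // category -> tag loaders waiting for consent
  const cookieNames = {}; // category -> cookie names that category may set

  function readState() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }
  function assertCategory(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  }
  // True until the visitor has made a choice: show the banner in that case.
  function needsBanner() { return readState() === null; }

  // No stored decision, or a decision that omits the category, means no consent.
  function hasConsent(category) {
    assertCategory(category);
    const state = readState();
    return Boolean(state && state.granted && state.granted[category] === true);
  }
  // Record which cookies a category sets so denial/withdrawal can clean them up.
  function registerCookies(category, names) {
    assertCategory(category);
    cookieNames[category] = (cookieNames[category] || []).concat(names);
  }
  // Gate a tag loader on consent: it runs now, or later when consent arrives.
  function whenConsented(category, loader) {
    assertCategory(category);
    if (hasConsent(category)) { loader(); return; }
    (deferred[category] = deferred[category] || []).push(loader);
  }
  function runDeferred(category) {
    const queue = deferred[category] || [];
    deferred[category] = [];
    queue.forEach((loader) => loader());
  }
  // Save explicit per-category choices; anything not set to true is denied,
  // and cookies registered for denied categories are expired immediately.
  function setPreferences(prefs) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = prefs[c] === true;
    storage.setItem(STORAGE_KEY, JSON.stringify({ granted, updatedAt: now() }));
    for (const c of CATEGORIES) {
      if (granted[c]) runDeferred(c);
      else (cookieNames[c] || []).forEach(expireCookie);
    }
    return granted;
  }
  function acceptAll() { return setPreferences(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); }
  function rejectAll() { return setPreferences({}); }
  // Withdraw consent entirely: forget the decision and expire every registered
  // non-essential cookie. Returns the names that were expired.
  function withdraw() {
    storage.removeItem(STORAGE_KEY);
    const expired = [];
    for (const c of CATEGORIES) {
      for (const name of cookieNames[c] || []) { expireCookie(name); expired.push(name); }
    }
    return expired;
  }
  return { needsBanner, hasConsent, registerCookies, whenConsented,
           setPreferences, acceptAll, rejectAll, withdraw };
}

// Minimal localStorage-compatible store for running outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Walkthrough on constructed data: first visit, opt in to analytics only, withdraw.
function demo() {
  const expired = [];
  const consent = createConsentManager({
    storage: memoryStorage(), expireCookie: (n) => expired.push(n), now: () => 0,
  });
  consent.registerCookies("analytics", ["site_stats_id", "site_stats_session"]); // constructed names
  const events = [];
  consent.whenConsented("analytics", () => events.push("analytics-tag-loaded"));
  const bannerShown = consent.needsBanner();
  const loadedBeforeConsent = events.length;
  consent.setPreferences({ analytics: true });
  const loadedAfterConsent = events.length;
  const socialAllowed = consent.hasConsent("social");
  const withdrawn = consent.withdraw();
  return { bannerShown, loadedBeforeConsent, loadedAfterConsent, socialAllowed,
           withdrawn, bannerAfterWithdraw: consent.needsBanner(), expired };
}
```

In a theme you would wire `acceptAll`, `rejectAll` and a preferences form to `setPreferences`, pass `window.localStorage` and `browserExpireCookie` into `createConsentManager`, and wrap every analytics or social-media tag in `whenConsented`. The property worth checking is the default: until a decision is stored, `hasConsent` returns false and gated tags are queued rather than executed.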
Cookies are one of the hottest topics right now in data privacy. In fact, a new law is in the works to replace the ePrivacy Directive — the ePrivacy Regulation.
This law is poised to be more far-reaching and strict on cookies than the ePrivacy Directive. How exactly it will affect WordPress sites is yet to be seen, but cookie consent is sure to factor heavily into the ePrivacy Regulation.
Embrace Privacy Behind the Curtain
Data privacy isn’t just about what you tell your site visitors about their data — it’s also a matter of how you actually handle their data.
Not only are data breaches and the publicity that follows them damaging to your site’s reputation, but failing to keep data secure is more financially detrimental than ever.
Laws like the GDPR and the CCPA threaten new penalties for not adequately protecting the data you collect from users. Under the GDPR, fines can be as high as 20 million euros (~$22 million USD) or 4% of your annual revenue — whichever is higher.
Under the CCPA, in addition to fines for failing to comply with the law, users can bring lawsuits against your site through the Attorney General if their data is breached — even if no physical or financial damages are suffered!
Even with these looming legal threats, there’s only so much you can do to prevent data breaches. But taking a couple of simple steps could go a long way in keeping your users’ data — and your business — safe and secure.
Implement Privacy by Design
Privacy by Design (PbD) is the idea that privacy and protection mechanisms are built into the framework of your website.
PbD relies on seven core tenets that you should keep in mind as you evaluate your WordPress site and how you build privacy into the backend:
- Privacy should be proactive, not reactive
- Privacy should be your default setting
- Privacy integrations should allow full functionality
- Systems should be encrypted end to end
- Privacy should be part of your site design
- Privacy standards should be transparent and easy to find
- All systems need to prioritize user privacy
By embracing these core ideas of PbD, your site will have a built-in layer of security. Not to mention, implementing PbD is a requirement under the GDPR, so you’ll be protecting your users’ data against breach, as well as your business against penalization.
Map Your Data
Another fundamental step in building privacy into your operations is to map your data.
Data mapping is a way of cataloguing and visualizing how data flows through your website.
A data map can be a simple Excel spreadsheet, or include charts and graphics to help you better understand the relationship between your WordPress site and the data that moves through it.
A basic data map outlines the following:
- What data you collect
- Where it’s collected from (e.g., signup page, social media logins, cookies)
- Where it’s stored
- How long it’s stored
- Who it’s shared with
- Where it’s shared to
- How it’s transferred
However, these are just the foundational components of your data map. Every site’s map looks different, depending on its relationship with user data.
For example, if you use third-party services for functions like contact forms, make sure you understand where that data goes and how it’s treated by the third party, then include that information in your data map.
One of the best ways to protect your business against data breach is to arm yourself with a full view of how data flows through your site. Creating and maintaining a data map may take time, but in the age of data privacy, it could save you from financial ruin.
Supplement Your Site with Data-Safe Resources
With approximately 75 million sites using WordPress today, there’s a wealth of tools and resources available built specifically for WordPress site operators. Many of these tools and resources can help you keep user data safe.
Ensuring data privacy isn’t easy for any business or website — no matter the size. Get some assistance by taking advantage of these two tools:
GDPR-friendly CRM
For many websites, information is gathered for generating revenue and locking in customers. If this sounds like your game, you probably already know all about customer relationship management (CRM) software.
In fact, you probably already use a CRM service.
The question is — how does your chosen CRM impact your data privacy efforts? Given the amount of user data that passes through CRM software, it’s not only helpful to vet its data safety efforts, but it’s potentially detrimental not to.
Here are some questions to ask yourself so you can better evaluate your current or future CRM system:
- What’s the provider’s privacy policy?
- How does the provider keep data secure?
- Will data collected through the CRM system be transferred to servers in other countries?
- At what points on my site does the CRM system collect data?
- How does the CRM software manage consent?
- Does the system help facilitate user data access or deletion requests?
- How does the CRM software store data?
Integrating a data-safe and reliable CRM system into your site can ease some of the burden of monitoring your site’s data collection.
Privacy-Forward Plugins
Numerous WordPress plugins are built to help sites like yours comply with privacy laws like the GDPR and the ePrivacy Directive.
Here are a few types of plugins that can help usher your site into the new era of privacy:
- Form tools: Plugins that help you create and host contact and other forms on your site are similar to CRM systems in that user information travels through them. Use form tool plugins that offer GDPR-compliant contact management to safely gather user information.
- Consent management: You can use WordPress plugins to get consent to your use of cookies, add opt-in checkboxes to contact forms and signup pages, or have users express permission to receive marketing materials. Given the tools available to help you add consent mechanisms at all points of data collection, there’s no reason not to take advantage, and boost your privacy law compliance.
- Data requests: One of the new user rights being established by privacy laws is the right for users to request various actions be taken with their data. For example, consumers under both the GDPR and the CCPA can request access to what information has been collected from them, and can request that information be deleted from the site’s servers. You can make use of plugins specially designed to facilitate these requests.
Just searching terms like “GDPR” and “privacy” in the WordPress plugin library will yield hundreds of results for privacy-forward plugins. Still, be careful to vet your plugins thoroughly and understand their data-handling practices before integrating them into your site. Plugins can be a huge advantage in the privacy game if you choose the right ones.
Key Takeaways
If your site relies on user data, your users rely on you to keep their data safe.
Between public demand and legal necessity, we’ve ushered in a new age of data privacy. It’s time for you to get your WordPress site ready to meet the new standards. Start by following the simple steps we’ve outlined above:
- Create and display a comprehensive privacy policy
- Get consent to use cookies
- Build Privacy by Design into your site
- Keep an updated data map
- Use GDPR-safe CRM solutions
- Install plugins that help with data management
No site is exempt from the new standards that govern how data is collected and treated. Luckily, as a WordPress site owner, you have the tools and tricks at your disposal to navigate this new digital landscape.