A WordPress blogger’s guide to creating a privacy page that doesn’t suck or leave you screwed.

GDPR has been filling everyone’s inbox, yet so many bloggers have been left in the dark about what to do.

I’ll be honest. Ignorance is bliss.

Self admittedly, I wanted to avoid touching on this topic all together, and not have to change anything.

People are just behaving like lemmings” I thought…“there’s not anything to worry about.”

(narrator: he was wrong, there was plenty to worry about)

My blog/business is in the USA, this shouldn’t affect me right?

The truth is, if you have a blog, your website is GLOBAL and can get targeted by law-savvy people who just found a new loophole to exploit you LEGALLY.

But without too much fear mongering, or going into the mixed ethics of this whole ordeal, this article aims to give you practical next steps to help keep you (and your blog) safe.

This post is for people who didn’t pass the bar exam.

I’m not a lawyer…and really, you shouldn’t be either.

But you want to be able to protect what you’ve created.

Luckily, you’re not alone.

If you use WordPress, you’ve got some secret awesome tools you can use to keep your blog safe and GDPR compliant.

But first, you’ll need to take a few (easy) steps:

  1. Update WordPress to 4.9.6
  2. In your WordPress backend, go to the Settings tab
  3. In Settings there’s a new tab called “Privacy” (select the Privacy tab)

This new WordPress tab will include help and suggestions for your privacy policy page.

As a blogger/website owner, it’s your responsibility to use this section appropriately, providing the information that your privacy page requires, keeping that information up to date.

The first thing this page will ask for is to Change/Create a Privacy Policy page.

If you have one, great.
Select your privacy page from the dropdown.

If you don’t have one, don’t worry.
Select the button “Create New Page” below the dropdown. This will create a brand new privacy page template.

The Privacy Page Template Overview

Fortunately for you, WordPress has put together a template will help you to create your website’s privacy policy.

They’ve suggested the sections you will need. We’ll go over each section heading so you can figure out what information you should provide to get started.

Some of these sections include suggested policy content. The other sections will have to be filled in by you with information (from your theme, plugins, or other 3rd party tools like Mailchimp or Google Analytics).

You’ll want to make sure to edit your privacy policy template. Make sure to delete the default summaries, and add any additional information (themes, plugins, 3rd party tools, etc).

Once publish/update your page, add it to your navigation menu or footer where it can be easily accessible.

It is your responsibility to write a comprehensive privacy policy.

As an explicit disclaimer, this article is not professional legal advice. Neither myself, this blog, my business, or WordPress is responsible for the contents of your privacy policy or your adherence (or lack thereof) to applicable laws.

But hopefully you find it helpful 🙂

Who we are

In this section, put your website address, as well as the name of the company, organization, or individual behind it, and accurate contact information.

The amount of information varies here depending on your local or national business regulations.

But to cover all the bases: display a physical address, a registered address, and your company registration number (if applicable).

WordPress Suggested text: Our website address is: https://www.yourwebsite.com

What personal data we collect and why we collect it

In this section, include what personal data you collect from users and site visitors.

This can be personal data, such as name, email address, personal account preferences; transactional data, such as purchase information; and technical data, such as information about cookies.

Include any collection of saved sensitive personal data, such as data concerning health.

You also need to include a note on why you collect it.

These explanations must include either the legal reasons for your data collection and retention or that active consent has been given by the user.

Personal data is not just created by using your site.

It’s also generated from contact forms, comments, cookies, analytics, and third party embeds.

By default, WordPress does not collect any personal data about visitors, and only collects the data shown on the User Profile screen from registered users.

But, some of your plugins may collect personal data.

You should add any plugin/3rd party privacy information in this section.

Comments

In this subsection, include what info is captured through comments. WordPress will add the data which they collect by default.

WordPress Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

In this subsection, include the info that is disclosed by users (if they can upload media files). All uploaded files are usually publicly accessible.

WordPress Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact Forms

Good news, by default, WordPress does not include a contact form.

Bad news, if you use a contact form, you’ll need to find their privacy info and put it here.

Use this subsection to note what personal data is captured when someone submits a contact form, and how long you keep it.

Include notes about how you keep form submissions for a certain period for customer service purposes, but you do not use the information submitted through them for marketing purposes…unless you’re like me: I totally use contact forms PURELY for marketing purposes.

Here’s a few of the most popular forms for WordPress and their GDPR work:

https://wpforms.com/docs/how-to-create-gdpr-compliant-forms/

https://ninjaforms.com/gdpr-compliance-wordpress-forms/

https://contactform7.com/2018/04/16/how-to-make-privacy-friendly-contact-forms/#more-26352

Cookies

In this subsection, list the cookies your website uses, including those set by your plugins, social media, and analytics.

WordPress provides the cookies they use by default.

Cookies? My website uses Cookies?

Q: How do I find out what Cookies my website uses?

A: Yes, your website uses Cookies. You probably wouldn’t know how to find them either. It’s not super easy to find. I found this free tool to be quite helpful:

https://www.cookiebot.com/en/gdpr-cookies/

WordPress Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

This subsection is a kind of a catch-all statement that covers things like embedded youtube videos, Pinterest pins, etc.

WordPress Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

In this subsection, include the analytics platform you use, how users can opt out of analytics tracking, and a link to your analytics provider’s privacy policy, if any.

WordPress does not collect any analytics data by default. However, many web hosting accounts collect some anonymous analytics data.

You may also have installed a WordPress plugin that provides analytics services. In that case, add information from that plugin here.

Most savvy bloggers use Google Analytics (or use a plugin that accesses Google Analytics)

If that’s you, you’ll want to add that in this section and also add the plugin’s privacy details here too.

Here’s the link to Google Analytics Privacy Policy for your convenience:

https://www.google.com/policies/privacy/

Who we share your data with

In this section, list all third party providers with whom you share site data.

This includes partners, cloud-based services, payment processors, and third party service providers, and include notes on what data you share with them and why.

Link to their privacy policies when possible.

WordPress does not share any personal data with anyone by default.

How long we retain your data

You need to explain how long you keep personal data collected.

For example, you may want to say that you keep contact form entries for six months, analytics records for a year, and customer purchase records for ten years.

As a blogger/Google Analytics user, you’ll need to go into Google Analytics and select how long you want to keep it.

You can choose how long Analytics retains data before automatically deleting it:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

When data reaches the end of the retention period, it is deleted automatically on a monthly basis.

You can always set it to not expire. Here’s a link on how to get to those settings:

https://support.google.com/analytics/answer/7667196?hl=en

After choosing your data retention, add a note here in this sub section.

Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

You need to explain what rights your users have over their data, also including how they can use those rights.

As a side note, I would recommend writing a plan for yourself about what happens when a user wants their data purged from your platform and it’s various data collecting tools. Create a simple protocol in advance, so you’re not frantically taken off guard by this kind of request…this will hopefully give you peace of mind.

WordPress Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Here’s where the GDPR gets a little more specific.

You’ll need to list all transfers of your site data outside the European Union.

Describe how that data is protected to European standards.

This could include your web hosting, cloud storage, or other third party services.

European data protection law requires data about European residents which is transferred outside the European Union to be safeguarded to the same standards as if the data was in Europe.

Alongside mentioning where data goes, you should describe how you ensure that these standards are met either by yourself or by your third party providers, whether that is through an agreement such as Privacy Shield, model clauses in your contracts, or binding corporate rules.

WordPress Suggested text: Visitor comments may be checked through an automated spam detection service.

Your contact information

Provide your contact method for privacy-specific concerns. This can be a contact form specifically for privacy inquiries. List your name and full contact details (email or phone).

Additional information

If you blog for commercial purposes (if your blog/website makes money through products, ads, affiliate commissions, etc.) and you engage in more complex collection or processing of personal data, include the following information in your privacy policy.

How we protect your data

Explain what you have done to protect your users’ data.

This could include things like:

  • Encryption (like SSL Certificates, and hosting security)
  • Two factor authentication
  • Training in data protection
  • Taking a Privacy Impact Assessment

What data breach procedures we have in place

Explain what plan you have in place to deal with data breaches, either potential or real.

What internal reporting systems can you use, who will you be contacting, what kind of specialists will get involved.

Ok, I know how scary that sounds…here’s a great article on how to be prepared incase you get hacked. Include your plan of action in this subsection.

https://bloggingwizard.com/wordpress-security-you-need-sucuri/

https://blogs.intralinks.com/2013/10/6-steps-for-data-breach-recovery-and-prevention/

What third parties we receive data from

If your blog receives data about users from third parties, including advertisers, this information must be included within this section of your privacy policy.

What automated decision making and/or profiling we do with user data

IF your blog provides a service which includes automated decision making

For example:

  • Allowing customers to apply for credit/loan
  • Aggregating data into an advertising profile (like a specific email segmentation)
  • Automatic Subscription Purchases

Include that this is taking place, noting information about how that information is used.

You’ll want to add what decisions are made with that aggregated data, and what rights users have over decisions made without human intervention.

If you have a recurring subscription service, monthly e-course, or any kind of recurring purchases, or recurring (free) purchases, put those details here, and how to opt out or cancel a recurring subscription.

Industry regulatory disclosure requirements

If you are a member of a regulated industry (for example, Health, Financial, Legal), or if you are subject to additional privacy laws, you may be required to disclose that information here.

ALL DONE! Wrapping up:

After defining these sections, go ahead and hit publish. Make sure to add a link to that page either in the header or footer navigation of your website where it’s easily accessible.

Kudos for you getting through this whole thing.

You deserve some ice cream.

Seriously, go treat yourself 😉