New WordPress Privacy Tools

You may have noticed that data privacy has been in the news in recent months—for lots of reasons. One of the more significant developments has been implementation of the European Union’s General Data Protection Regulation, or GDPR. This new regulation takes effect on May 25, 2018.

Although GDPR is a European regulation, it has a global scope covering any interactions with European residents. With this new regulation in mind, the WordPress core development team has created new privacy features in the latest release, WordPress version 4.9.6.

In this post, I’m going to give you a brief overview of what’s changing in WordPress and what you should start thinking about for your website.

  1. GDPR in a Nutshell
  2. New Privacy and Data Management Tools
  3. How This Impacts You

GDPR in a Nutshell

Among other things, GDPR regulates the collection, storage, and sharing of user data. User data includes things like names and email addresses, IP addresses, and anything else that could be used to identify the person who visited your website. GDPR establishes that:

  • Users must provide consent for their data to be collected, stored, and shared.
  • Users have a right to know what your process is for managing their data.
  • Users have a right to request access to view the data you’re storing about them.
  • Users have a right to request removal of any data you’re storing about them.

There’s more to it than just that, but those are the key points for understanding some of the changes made to WordPress. Importantly, these rights still apply even if EU residents are interacting with non-EU entities.

How NC State units comply with GDPR, how it fits into record retention laws, and how your website or web apps may need to change are questions that are bigger than this blog post can answer. The Office of General Counsel has prepared a GDPR overview document for campus to help answer those questions. If you receive a request from a user to view or remove personal data, contact General Counsel for guidance on how to respond.

Besides talking to the Office of General Counsel, think about what kind of data your website or web app collects, and how you’re using it. If nothing else, GDPR is a good excuse to talk with your development and web hosting teams about what your processes and retention policies are. If our office does development or manages hosting for you, please don’t hesitate to contact us.

New Privacy and Data Management Tools

Pop-up notice titled "Personal Data and Privacy." with headings "Personal Data Export and Erasure" and "Privacy Policy."
Administrators will see this when they log into WordPress after upgrading.

After upgrading, admin-level users will see a message indicating that new privacy tools have been added under the Dashboard > Tools menu and under the Dashboard > Settings menu.

After you click “Dismiss” in the bottom right-hand corner of the notice, you shouldn’t see that notice again.

Personal Data Export and Erasure

Under the Dashboard > Tools menu, there are now two new menu items: Export Personal Data and Erase Personal Data. Both have very similar interfaces designed to help you respond to user data requests, including:

  • Requesting confirmation of a user data request (so someone impersonating a user doesn’t gain access to their data).
  • Generating and sending an export file containing all data connected to the requesting user.
  • Removing from the WordPress database all personal data connected to the requesting user.

It is not possible to inadvertently share or delete user data using these new tools without first receiving confirmation from the user.

As mentioned above, campus units that receive these requests should check in with the Office of General Counsel before responding. If you ever need assistance using these WordPress tools when responding to a request, please contact us.

Important note for campus developers: The WordPress Plugin Handbook has a new Privacy section with information on connecting your plugins to the data exporter, data eraser, and privacy policy generator (see below).
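For developers, here is a sketch of what connecting a plugin to the data exporter and data eraser looks like. It is an added example, not code from this post or from the Plugin Handbook, and it assumes a hypothetical plugin that stores one phone number per user in user meta under the key campus_signup_phone; the function names and the 'campus-signup' identifiers are likewise made up for illustration.

```php
<?php
// Added example. Hypothetical plugin data: one user-meta value per user.
const CAMPUS_META_KEY = 'campus_signup_phone';

// Hook into Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['campus-signup'] = array(
        'exporter_friendly_name' => __( 'Campus Signup (example)' ),
        'callback'               => 'campus_signup_export',
    );
    return $exporters;
} );

// Hook into Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['campus-signup'] = array(
        'eraser_friendly_name' => __( 'Campus Signup (example)' ),
        'callback'             => 'campus_signup_erase',
    );
    return $erasers;
} );

// Called by core with the confirmed requester's email address.
function campus_signup_export( $email_address, $page = 1 ) {
    $items = array();
    $user  = get_user_by( 'email', $email_address );
    $phone = $user ? get_user_meta( $user->ID, CAMPUS_META_KEY, true ) : '';
    if ( '' !== $phone ) {
        $items[] = array(
            'group_id'    => 'campus-signup',
            'group_label' => __( 'Campus Signup' ),
            'item_id'     => 'campus-signup-' . $user->ID,
            'data'        => array( array( 'name' => __( 'Phone' ), 'value' => $phone ) ),
        );
    }
    // 'done' => true tells core there are no further pages to fetch.
    return array( 'data' => $items, 'done' => true );
}

function campus_signup_erase( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $exists  = $user && metadata_exists( 'user', $user->ID, CAMPUS_META_KEY );
    $removed = $exists && delete_user_meta( $user->ID, CAMPUS_META_KEY );
    return array(
        'items_removed'  => $removed,
        'items_retained' => $exists && ! $removed, // report a failed delete honestly
        'messages'       => array(),
        'done'           => true,
    );
}
```

A plugin that keeps personal data anywhere else (custom tables, options, post meta) needs the same pair of callbacks for each store; otherwise the export and erase tools will silently miss that data.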

Export personal data interface, with a tool to request user confirmation, track user request statuses, and to fulfill user requests.
Screenshot of the Export Personal Data interface, courtesy

Privacy Settings

Under the Dashboard > Settings menu, there is a new menu item labeled Privacy. This feature provides a tool for generating a privacy policy page for your website. WordPress generates a privacy policy template with some information pre-filled and some information that site administrators have to fill out.

Note that campus websites should already be linking to the university privacy statement (like in the footer of this page). Per our conversations with OGC, we believe this should be sufficient for most of campus. As of this writing, we are not recommending that you create a privacy policy for your website using this tool.

If you’re concerned about something specific on your site that isn’t covered by the university privacy statement, now is a great time to contact the Office of General Counsel. And contact us if you have questions about how to use the WordPress privacy policy tool.

How This Impacts You

Here’s the good news: On most days, these changes to WordPress won’t affect you!

GDPR is absolutely important, and if or when you receive a request from a user, you’ll be glad that WordPress has added these features. But there’s no reason to expect a flood of data export or removal requests for NC State websites. Now that the features are there, you can reliably ignore them most of the time.

But that doesn’t mean this doesn’t matter to you. Now is a good time to:

  1. Think about how you’re using and storing user data. Get your team together and have a conversation about what you’re collecting, how long you keep it, and whether you’re keeping more than you need to.
  2. Pay attention to data privacy when adding WordPress plugins. Don’t add plugins that collect unnecessary data, and only add plugins that work with the new WordPress data management tools. (There aren’t many of those yet, but we expect that to change quickly.)