Practical Guide to GDPR compliance for WordPress plugin & theme developers.
Last updated: 05/14/2018 4:00 am EST.
You are likely here because you have a WordPress plugin that manages user data in some way and your users are SCREAMING about GDPR Compliance (as they should be). This is currently the only guide to GDPR compliance for WordPress plugins until the WP Codex is updated.
This will help you get started with what support WordPress core is bringing in the near future. I will keep this updated as new features are offered.
There was a 3rd party GDPR standards plugin being developed but it got enough attention to get co-opted into the core at least in theory. It used class-based implementations in PHP, where core chose to go the more common WP way using hooks & filters.
The final details of how these functionalities will work for users and site owners are still in the works, but users will be able to request their data for export or removal, and site admins will be able to approve these requests in an automated fashion. Here is a quick rundown of what is known so far.
WP Core v4.9.6 will include several new privacy functionalities, including:
- Privacy Settings
- Personal Data Exporter
- Personal Data Eraser
- Helper Functions
- Guide Change Notes
There are a few other items coming, such as general cookie consent messages, GDPR opt-in fields on all core forms and a few other things to make site owners' lives simpler when dealing with compliance. Below I will detail each of the v4.9.6 functionalities and how to use them for your plugin.
A new settings page available at Settings -> Privacy has been added to the admin & network admin areas.
This page also introduces a new user capability manage_privacy_options which allows limiting which site administrators have access to change these settings apart from manage_options.
Multisite Note: By default, only network admins will be able to set these options. There will be an additional option to change it from Network Wide Policy to Per Site Policy. Only when the network admin sets it to Per Site will the extra Settings -> Privacy page for every single site appear. These pages will be hidden otherwise.
With the latest copy of core v4.9.6-
Now when editing the Privacy Page a notice like this will be shown instead, linking to a (currently hidden) inner admin page. You can access it manually by visiting /wp-admin/tools.php?wp-privacy-policy-guide=1 on your domain.
As of now these are the processes I have noticed during testing.
- New options in the admin allow changing this assigned & mandatory page.
- Eventually (I believe) core will include agreeing to checkboxes and possibly a cookie notice that points to these policies.
The example below shows how this would look.
Personal Data Exporter – GDPR Right of Access
Data portability requirements mean that users will be able to request all data a site has stored about them and site admins will be able to approve and send them a zipped HTML file by email that includes all of their information.
This works by looping through a list of registered data exporters and rendering the info passed back. It is still in the early but very reliable stages of development, and already available in the WP nightly betas as of now.
Registering a custom Personal Data Exporter for your WordPress plugin is rather easy. The following is a basic example for a fictitious plugin that adds additional user profile information via user_meta. For a version that includes a pagination example such as how core handles comments, see here
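A minimal exporter along these lines, as an added example rather than the author's or core's own code; the `myplugin_` prefix, the text domain and the two user_meta keys are hypothetical.

```php
<?php
// Added example; the myplugin_ prefix, text domain and meta keys are hypothetical.

/** Hypothetical user_meta keys this fictitious plugin stores, mapped to export labels. */
function myplugin_social_meta_keys() {
    return array(
        'myplugin_twitter'  => __( 'Twitter profile', 'myplugin' ),
        'myplugin_facebook' => __( 'Facebook profile', 'myplugin' ),
    );
}

/** Exporter callback: core passes the requester's email and a 1-based page number. */
function myplugin_export_social_profiles( $email_address, $page = 1 ) {
    $export_items = array();
    $user         = get_user_by( 'email', $email_address );

    if ( $user ) {
        $data = array();
        foreach ( myplugin_social_meta_keys() as $meta_key => $label ) {
            $value = get_user_meta( $user->ID, $meta_key, true );
            if ( is_string( $value ) && '' !== $value ) {
                $data[] = array( 'name' => $label, 'value' => $value );
            }
        }
        if ( $data ) {
            $export_items[] = array(
                'group_id'    => 'myplugin-social',
                'group_label' => __( 'Social Profiles', 'myplugin' ),
                'item_id'     => 'myplugin-social-' . $user->ID,
                'data'        => $data,
            );
        }
    }

    // A single user's meta fits in one page, so report done on the first call.
    return array( 'data' => $export_items, 'done' => true );
}

/** Add the exporter to the list core loops through for each approved request. */
function myplugin_register_exporter( $exporters ) {
    $exporters['myplugin-social'] = array(
        'exporter_friendly_name' => __( 'My Plugin Social Profiles', 'myplugin' ),
        'callback'               => 'myplugin_export_social_profiles',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'myplugin_register_exporter' );
```

An exporter with many rows per user would use `$page` to return one batch per call and set `done` to false until the last batch.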
Personal Data Eraser – GDPR Right to be Forgotten
The term “eraser” in this context refers to a process that will either anonymize or remove all data related to a user per their request. If the data cannot be removed for some reason an explanation should be given.
Erasers work in much the same way as the exporters. You first register a callback and label. Erasers do 2 things:
- They attempt to anonymize or remove the user’s data.
- When data cannot be removed, it returns a message indicating why that data could not be erased or anonymized.
As such, an eraser's return should always look like this.

    return array(
        'items_removed'  => false, // Boolean whether items were anonymized or removed.
        'items_retained' => false, // Boolean whether items were not able to be anonymized and were retained.
        'messages'       => array(),
        'done'           => true,
    );
Note: items_retained refers to data that couldn’t be erased, for instance, a WooCommerce order that has not shipped yet.
Registering a custom Personal Data Eraser for your WordPress plugin is just as simple as the exporter. Here is an example based on our social profiles example above. Example of how core anonymizes comments found here
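An eraser for the same fictitious social-profiles data, as an added example rather than the author's or core's own code; the `myplugin_` prefix, the text domain and all three user_meta keys (including `myplugin_signup_ip`) are hypothetical.

```php
<?php
// Added example; the myplugin_ prefix, text domain and meta keys are hypothetical.

/** Eraser callback: receives the same arguments as an exporter callback. */
function myplugin_erase_social_profiles( $email_address, $page = 1 ) {
    $result = array(
        'items_removed'  => false,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );

    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return $result; // No account for this address, nothing to erase.
    }

    // Profile links are deleted outright; a failed delete is reported as retained.
    foreach ( array( 'myplugin_twitter', 'myplugin_facebook' ) as $meta_key ) {
        if ( ! metadata_exists( 'user', $user->ID, $meta_key ) ) {
            continue;
        }
        if ( delete_user_meta( $user->ID, $meta_key ) ) {
            $result['items_removed'] = true;
        } else {
            $result['items_retained'] = true;
            $result['messages'][]     = sprintf( __( 'Could not remove %s.', 'myplugin' ), $meta_key );
        }
    }

    // Hypothetical signup IP: anonymize with the core helper instead of deleting.
    $ip   = get_user_meta( $user->ID, 'myplugin_signup_ip', true );
    $anon = $ip ? wp_privacy_anonymize_data( 'ip', $ip ) : '';
    if ( $ip && $anon !== $ip ) {
        $saved = update_user_meta( $user->ID, 'myplugin_signup_ip', $anon );
        $result[ $saved ? 'items_removed' : 'items_retained' ] = true;
    }
    return $result;
}

/** Add the eraser to the list core runs for each approved erasure request. */
function myplugin_register_eraser( $erasers ) {
    $erasers['myplugin-social'] = array(
        'eraser_friendly_name' => __( 'My Plugin Social Profiles', 'myplugin' ),
        'callback'             => 'myplugin_erase_social_profiles',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'myplugin_register_eraser' );
```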
Helper functions to make it easier.
Function to anonymize any data type. Types include email, url, ip, date, text, longtext.
    get_privacy_policy_url();
    the_privacy_policy_link( $before, $after );
There are also a couple of functions to help anonymize data when possible rather than removing it.
    /**
     * Helper to anonymize data.
     *
     * @param $type string accepts email, url, ip, date, text, & longtext.
     * @param $value string value to be anonymized.
     *
     * @return string
     */
    wp_privacy_anonymize_data( $type, $value );
    /**
     * Helper to anonymize IP addresses.
     *
     * @param $ip_address string IP address to be anonymized.
     *
     * @return string
     */
    wp_privacy_anonymize_ip( $ip_address );
If you develop products that extend WooCommerce, check out this guide for some tips on doing that quickly.
The purpose of this log is to keep track of changes after publishing in case you want to know exactly what has changed since you began implementation.
- 05/29/2018 – Added link to WooCommerce specific developer information.
- 05/12/2018 – Added section for Privacy Settings page, new user capability & network admin options.
Daniel Iser is a professional WordPress plugin developer, and the author of plugins such as Easy Modal & Popup Maker. Founder of Wizard Internet Solutions, he has been working with WordPress for over 7 years creating websites and tools for clients & blog authors.