GDPR.
It’s a headache for many web developers, web admins, and in general anyone who uses the internet. If you’re reading this, it’s probably a headache for you too. So let’s have a real, non-lawyer talk about what’s going on and why you need to care.
Notice: I’m not a lawyer. This post is not legal advice. Please read the EU GDPR Information Portal and research your specific situation.
Everyone Needs to Care
If you thought this only has to do with people who run eCommerce products, think again. The centre of the GDPR is data privacy: the right to know what data a website holds on you, and to have it removed when you want. The point of all this is that if you have a website and people visit it, you need to care, for any of the following reasons:
- You have ads on your site
- You allow comments
- You use custom avatars (Gravatar)
- You track visitors (Jetpack, Google, etc)
- You embed content (Twitter, YouTube, etc)
Does any of that sound like you? It sounds like pretty much every public website in existence. And congratulations, you need to care about GDPR.
What You Need
There are a lot of moving parts here, but the pared down version is this:
- Know what 3rd party services you use
- Know what your CMS tool tracks
- Have a privacy policy
- Have a way for people to request data deletion
The first two are surprisingly complicated because, in the case of WordPress, you might be tracking a lot more than you think. Remember all those things I mentioned above? They are all common situations where your CMS might be tracking people. But what if I told you that a lot of the plugins you use also add tracking? Or record more data than WordPress knows about?
For example, I wrote a plugin that stores the IP address used to register an account in the user meta. This means WordPress now records more data. Thankfully that gets deleted when you delete a user account, and it’s generally covered under the broad disclosure that you track users’ IPs (which practically every web server logs). But I have to make sure people who use the plugin know that, so they can disclose it to their own users.
That’s a very simple example. Take a plugin that logs user activity for, oh, let’s say security. Now you have to tell everyone exactly what it tracks (browser information, IPs, etc.) and what you use it for. And you get to figure that out for every single plugin you use.
This won’t be easy. Unless you read the code of every single plugin you use, you’re at the mercy of developers who may not be aware of exactly what they need to disclose.
Privacy Policies Are a Must
Every site should have a privacy policy. While for most smaller blogs, the odds are low that anything will happen, you should have one anyway. The problem is that no one can tell you exactly what yours needs to have. I try to cover the four basics:
- Terms of Use: all the things you agree to by using this site
- Data Collection: what situations result in my tracking your data, including details on 3rd party services regularly used
- Data Usage: what I do with data and how long I keep it – also how to request it
- Policy Changes: a CYA clause noting that the policy will likely change
There are a lot of details in those four sections, especially the Terms, which exculpate me if I get information wrong, allow me time to handle a DMCA, and a whole lot of things. And yes, it’s super daunting, I know. I mean, the privacy policy here isn’t half as robust as some of my other sites.
The Bottom Line
You can distill all this into consent and awareness. People need to know what they’re getting into on your site (or at least be able to know – you can’t help people who refuse to read). And you need to understand exactly what your site does. You need to be aware, as a website owner and a user.
All those terms you ignored when signing up for Google Adsense and Analytics? Now is the time to knuckle down and read, because you need to cover that. All those extensions (plugins and themes) you added? Read up on them too. If they don’t explain what they do with data, ask the developers.
Developers? Step up. Document exactly what data you save. If you allow for the saving of different kinds of data, based on what the user picks, explain that. But you have to tell people what’s being saved and how to delete it. Most CMS apps now have hooks you can tie into to aid deletion, so research them.
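To make the developer side concrete, here is an added example (not the author’s plugin, and not part of the original post) of the registration-IP scenario described earlier, wired into the privacy tools WordPress 4.9.6 ships with: the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters, and wp_add_privacy_policy_content() for the suggested privacy-policy text. The regip_ prefix and the regip_registration_ip meta key are assumptions made for illustration.

```php
<?php
/*
 * Plugin Name: Registration IP (example)
 * Added example, not the author's plugin. Prefix "regip_" and meta key
 * "regip_registration_ip" are assumptions for illustration.
 */

// 1. Record the IP at registration time. Only REMOTE_ADDR is used: an
// X-Forwarded-For header is client-controlled unless your reverse proxy
// overwrites it, so never trust it blindly.
add_action( 'user_register', 'regip_store_registration_ip' );
function regip_store_registration_ip( $user_id ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        update_user_meta( $user_id, 'regip_registration_ip', $ip );
    }
}

// 2. Tell site owners what is stored, so it shows up as suggested text
// under Settings > Privacy and can be pasted into their privacy policy.
add_action( 'admin_init', 'regip_privacy_policy_content' );
function regip_privacy_policy_content() {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // WordPress older than 4.9.6
    }
    $content = '<p>' . __( 'When you register an account, we record the IP address used to register. It is kept for as long as the account exists and is deleted with it.', 'regip' ) . '</p>';
    wp_add_privacy_policy_content( 'Registration IP (example plugin)', $content );
}

// 3. Export: answers "what do you have on me?" requests from Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', 'regip_register_exporter' );
function regip_register_exporter( $exporters ) {
    $exporters['regip'] = array(
        'exporter_friendly_name' => __( 'Registration IP', 'regip' ),
        'callback'               => 'regip_export',
    );
    return $exporters;
}
function regip_export( $email_address, $page = 1 ) {
    $items = array();
    $user  = get_user_by( 'email', $email_address );
    if ( $user ) {
        $ip = get_user_meta( $user->ID, 'regip_registration_ip', true );
        if ( $ip ) {
            $items[] = array(
                'group_id'    => 'regip',
                'group_label' => __( 'Registration data', 'regip' ),
                'item_id'     => 'regip-' . $user->ID,
                'data'        => array(
                    array( 'name' => __( 'Registration IP', 'regip' ), 'value' => $ip ),
                ),
            );
        }
    }
    // Everything fits in one page, so report done on the first call.
    return array( 'data' => $items, 'done' => true );
}

// 4. Erase: answers deletion requests from Tools > Erase Personal Data
// without having to delete the whole account.
add_filter( 'wp_privacy_personal_data_erasers', 'regip_register_eraser' );
function regip_register_eraser( $erasers ) {
    $erasers['regip'] = array(
        'eraser_friendly_name' => __( 'Registration IP', 'regip' ),
        'callback'             => 'regip_erase',
    );
    return $erasers;
}
function regip_erase( $email_address, $page = 1 ) {
    $removed = false;
    $user    = get_user_by( 'email', $email_address );
    if ( $user && get_user_meta( $user->ID, 'regip_registration_ip', true ) ) {
        $removed = (bool) delete_user_meta( $user->ID, 'regip_registration_ip' );
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

The point of the eraser callback is that a deletion request no longer depends on the site owner remembering which plugins stash data where: WordPress walks every registered eraser for the requester’s email address. If your plugin keeps something it legally must retain (an audit log, for instance), return it under items_retained with an explanation in messages rather than silently keeping it.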
GDPR kicked in four days ago, but it’s not too late to fix things.