Your old privacy policy is NOT GDPR compliant - don't be misled
Important Update
Kyle has written about how the GDPR affects us as website owners. Please read what he has to say and then update your privacy policy in accordance with the new Privacy Template in Site Content. Make sure you adapt the Privacy page to match your own individual needs.
GDPR Compliance. Our Official Take.
Despite what you may have read elsewhere on this platform or anywhere else, your old privacy policy is not GDPR compliant.
You have a WordPress website and people leave comments on WordPress websites. When they leave a comment, they leave their email address. To comply with the GDPR, your privacy policy must tell people what happens to their email address. Even if our websites are not based in Europe, they are visible in European countries, and so we must comply with the GDPR.
If you have linked to your old privacy policy then please make some changes.
Go to Settings > Privacy and click Create New Page.
This should give you a template for creating your privacy policy page. Some of the headings will need to be edited as well as the text.
I'm still in the process of updating my own privacy policy according to the GDPR requirements, so I can't do it for you.
Loes and MozMary have written extensively on the subject:
GDPR Requirements in layman's language
Summary of GDPR for Affiliates and Bloggers: More than a Privacy Policy and Cookies
We still have a few days left before the law takes effect so hopefully Kyle or Carson will provide a privacy policy template quickly.
Recent Comments
Thank you so much. I am not really good at understanding all of this GDPR, and there are some others here that are posting info also. I am more confused than ever. According to another member, we don't have to do anything if we don't collect any info other than an email address. I wish there was one template, article, or something that could explain exactly what to do, like a training that would help us now and for future members. You are good at what you post and do. Thanks again. Best Wishes!
Most of us have been following the privacy policy template in the training, so I'm sure that K&C will be addressing this matter soon.
How do we know what changes to make and what are Kyle and Carson going to come up with? I don't even know where to start as there are no guidelines to draw from.
It's easy for someone to say we need to make these "changes" but what are the changes that need to be made? Where do we find the info?
The more I read on GDPR the more confused I become. I am wasting valuable time trying to understand what is expected but am struggling to make heads or tails of it all.
I had asked Kyle about a month ago about the Privacy Policy and whether they'll come out with something new for it instead of us trying to figure this out on our own. He said they were rolling something out on this, so I held off. But now it's the 20th, and I'm not sure when they will do this or if they will still update it.
While GDPR legitimately tries to protect consumers from scammers and companies trying to collect information they shouldn't, it drives a whole series of idiot-proofing that, in the end, is dumb because who actually reads all of the privacy policies we 'accept', let alone the "idiots" being 'protected'. I say idiots because we are writing policies that are stating the obvious. Yes, when we have a form that asks for a name and email address, we collect and store that information. duh. When we have your email address, we will send you emails. Again, duh... Yes, cookies are used to keep you logged into websites... duh... Seems so silly that we need to add these statements to privacy pages that no one reads anyways just so we can blog effectively... *sigh*
A bit like quality assurance stuff and terms and conditions. I do read them as that was part of my old work. But what a lot of obvious information. And usually written so it takes days to actually decipher what they mean!
I am guessing the people that need the privacy policy, the one they are not going to read, are the same people that need the label that says not to stick your hair dryer in the bath tub.... :-P
And probably the same people who install a free app without reading about the spyware, malware and unwanted programs that get added to their computer.
Yes! I completely understand when people get upset about a shady app that does something that they absolutely did not mention anywhere in their privacy policy, but not when it is clearly listed. Unfortunately, it seems everything must be dummy-proofed. I am not sure if it is part of the sue-happy place we have found ourselves in or the lack of quality public education. I know I learned in science class not to mix electricity and water, that a living thing cannot breathe when placed in a sealed environment, etc., but we still end up with these warnings.
Thanks, but what’s the point of using the GDPR plugin? Doesn’t that have all visitors agree to the GDPR privacy policy that includes the capturing of info?
Not knowing the exact text that needs to be in the new privacy policy, I wish that there was an updated template to use. Why wouldn’t WordPress update their template to conform?
Thanks,
Marcus
The latest WordPress update (4.9.6) includes a privacy policy template and a couple of new tools. But it doesn't take everything into consideration, such as Google Analytics. I'm sure that Kyle and Carson will soon provide a template we can all use.
Thanks for the reminder. I have been notified of this on other platforms as well. I'm also an Etsy seller, and I need to get around to updating my privacy policy on there as well. I wish they provided a template like the ones we use for WP, but instead I need to write one from scratch, and my brain just isn't up to it.
I know what you mean. My brain is still spinning from trying to grasp the whole concept of GDPR.
I asked Carson if they were going to address GDPR anytime soon because there was a lot of confusion as to what we need to do. And that I was confused also. I received a reply about 2 days ago that they would be putting out a blog post about this very very soon.
That's good news, DJ. I sent a message to Carson myself but I haven't heard back yet. It's the weekend so it may take a few days.
Marion, thank you. As ever, awesome content and information. I'm still a little in the dark as to what to do with my privacy statements although at this juncture, I don't think any of my sites pose any threat. I just haven't managed to make decent progress yet ... struggling a little.
That aside, thanks again. You're awesome.
Take care
Gary
Thanks, Marion. I've read so many things here and elsewhere that I finally got confused. I hope Kyle and Carson will address this soon.
As part of the European email law changes, I've started working on my email responders too.
This whole GDPR requirement is taking away so much of my writing time, but I guess it's necessary.
Hi Guys, I just received this re: GDPR, hope it helps
General Data Protection Regulation (GDPR) For Websites.
• Cookie Consent and Management
• Terms and Conditions & Privacy Policy
• Right to be forgotten requirement
• Data Access requirement
• Data Breach notification & Data Rectification system
1 – Cookie Consent
You need to inform people who visit your website that your website uses cookies (if it does) and then link to your cookie policy. Yes, you need a cookie policy.
2 – Terms & Conditions and Privacy Policy Documents
You need to have a clear Terms & Conditions document that has a checkbox allowing users to confirm their acceptance of those T’s & C’s – and the same for your Privacy Policy Documents.
3 – Clear Disclosure & The Right to be Forgotten
You need to have a checkbox that displays for anyone in the EU – they need to check the box before they’ll be able to subscribe. The box CAN’T be pre-checked, and the text needs to clearly explain what they’ll be getting and who from. You also need to have a system in place to be able to remove the person and all their data if requested. That means everything: all of your cookie data, your Facebook retargeting pixels and, of course, your subscriber data.
5 – Data Access
Along with the right to be forgotten, people can request an export of the information you have on them.
6 – Data Breach & Rectification
You need to have something in place to connect with your subscribers in the event of a data breach, i.e. if anything goes haywire and someone hacks your data, you need to contact them, explain the situation and what steps you’ve taken to remedy it – and allow them to update their data once it is safely protected. By law you have 72 hours to notify your subscribers if there has been a data breach.
Cheers
My understanding is checkboxes are not the only way to provide consent. As long as you are clear in your message what you will do - e.g. send them occasional emails - and they need to take an action - e.g. type in their email and hit a button - you are fine.