WordPress has released its latest version, 4.9.6, which includes privacy-related updates intended to help your site comply with the European Union’s General Data Protection Regulation (GDPR). Continue reading for background information on these updates and to explore the three new GDPR-related tools in WordPress 4.9.6 and Paid Memberships Pro 1.9.5, including:
- Included membership information in the personal data export, and
- The membership data that will be erased or anonymized as part of the user’s right to delete their personal information.
On May 25th, 2018 the grace period for the European Union’s resolution instituting better privacy standards will end. The GDPR demands that site administrators, as well as all parties involved in the production of a site, pay careful attention when handling user data, as well as make accommodation for a user’s data to be exported or erased upon request.
Whether or how this regulation applies to websites outside of the EU is a legal question being discussed vigorously right now, but my general understanding is that these regulations would apply to any site worldwide with EU visitors. And so unless you specifically target a certain geography or exclude EU users, this would mean the GDPR applies to your site. Even if you aren’t concerned with the legal implications, many of the GDPR-related suggestions offer a good way to be more transparent with your users regarding their data privacy.
Back in April, we published a blog post outlining the GDPR requirements from a high level. In this post we will review the recent changes in WordPress core to assist you with attaining compliance, how Paid Memberships Pro will integrate with those core processes, and discuss the implications of the new regulations for site owners, administrators, designers, and developers.
There are 3 new tools in WordPress 4.9.6 that PMPro is now integrating with to help you to update your privacy policies and attain GDPR compliance.
Data Collected to Manage Your Membership
At checkout, we will collect your name, email address, username, and password. This information is used to setup your account for our site. If you are redirected to an offsite payment gateway to complete your payment, we may store this information in a temporary session variable to setup your account when you return to our site.
At checkout, we may also collect your billing address and phone number. This information is used to confirm your credit card. The billing address and phone number are saved by our site to prepopulate the checkout form for future purchases and so we can get in touch with you if needed to discuss your order.
At checkout, we may also collect your credit card number, expiration date, and security code. This information is passed to our payment gateway to process your purchase. The last 4 digits of your credit card number and the expiration date are saved by our site to use for reference and to send you an email if your credit card will expire before the next recurring payment.
You should make sure to update this default text based on how you’ve specifically implemented PMPro on your site, what your payment gateway options are, and which PMPro Add Ons you are using. If you are using Add Ons that integrate with third parties (e.g. email marketing services), be sure to mention what information is shared and how. If you are using Add Ons that collect additional information at checkout, be sure to mention what that information is and how it’s used.
Terms of Service
Prior to PMPro version 1.9.5, the TOS checkbox was required but did not store any data to track that agreement. So if you added the TOS sometime after launch, there was no way to tell which of your users actually agreed to the TOS besides checking the date they signed up vs when you published your TOS.
As of PMPro version 1.9.5, we now store a “consent log” for each user marking the post ID and date modified of the TOS page at the time of checkout. This information is linked to and shown on the order in the WP dashboard and on the edit user profile page in the dashboard.
A way to require existing (pre-version 1.9.5) users to agree to the TOS, or to require users to agree to the TOS again after it has been updated, would be a useful feature. We are working on a way to do this with PMPro, and will include it in a future release.
Export Personal Data
The GDPR includes regulations related to the “Right to Access”, which basically is the right for users to request a copy of all personal data a website tracks for them. In WordPress core, this has been implemented as a tool to “Export Personal Data” for any email/user on your site (with most WP setups, it’s possible to comment on a blog post without being a user).
By default, exporting a user’s personal data is a manual process kicked off by a WP admin. You enter an email address into the form to send a request. The user then needs to click a link in that request email to approve the export. Once the link is validated, the admin will have a button to click to send the user their data as a zip file in email, as well as a link to download the zip file directly.
There are some plugins coming out that try to make this process easier, so users can make the request from the frontend of your website without the admin needing to get involved. I believe that there should always be a manual admin step to export the data to enable you to confirm that the request is legitimate. One thing you can do is update your contact form/page to include a subject line suggestion for “Request an Export of Personal Data”, and then manage the rest of the process manually from the Tools -> Export Personal Data page in the dashboard.
Version 1.9.5 of PMPro adds all PMPro-related data into the export. This includes the user’s business address, the expiration date and last 4 digits of their credit card if one was used, their membership history, their order history, and the log of logins/visits/views that PMPro tracks.
Some information is notably excluded from this export. If you use Stripe or Braintree as your payment gateway, we do not share the user’s “customer ID”. In our opinion, this information was generated by your site for your site use and does not constitute “personal data”. We also do not include the “Notes” section of the orders exported. Traditionally the notes section is used by Add Ons for various tracking purposes (e.g. to note an affiliate code used) and may contain sensitive information written by the site owner not intended to be viewed by the customer.
Soon our Add Ons, including Register Helper, will also include their data in these exports.
Erase Personal Data
The GDPR includes regulations related to “Right to be Forgotten”, which basically is the right for users to request that their personal data be deleted from a website. In WordPress core, this has been implemented as a tool to “Erase Personal Data” for any email/user on your site.
Similar to the Export Personal Data tool, by default a WordPress admin must manually start the process to erase a user’s personal data. Again, we suggest adding a subject line suggestion to your contact form for “Request Erasure of Personal Data”, and then handling the rest of the process manually from the Tools -> Erase Personal Data page in the dashboard.
Version 1.9.5 of PMPro adds an “eraser” script. The script deletes some data stored in “user meta”, including the user’s billing address, the expiration date of their credit card, the last 4 digits of their credit card, and the login/visit/view tracking data.
The script does not delete the member history or any orders associated with the user. In our opinion, this information usually needs to be retained for business records. The GDPR does allow for information to be retained at the site owner’s discretion.
The script also does not cancel any memberships or subscriptions at the gateway. In most situations, you will probably want to do this as well for your members by canceling their membership manually from the edit user page or by deleting the user.
Note that “erasing” a user is not the same as deleting them. Erasing will delete or anonymize certain data about a user based on rules implemented by WP and the plugins you are using. Deleting a user will be a harsher action that will delete all information stored about the user. When a user is deleted (vs erased), PMPro will delete the user’s membership history and will cancel their membership and any subscriptions stored at the payment gateway. Any orders associated with the user will be retained, but unlinked from that user.
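How an Add On could plug into the Erase Personal Data tool in the way described above, as an added example that is not PMPro's own code. The `myaddon_` names and user meta keys are hypothetical; the `wp_privacy_personal_data_erasers` filter and the callback's return keys are the WordPress 4.9.6 core API.

```php
<?php
// Added example: a hypothetical Add On eraser (requires PHP 5.6+ for the array constant).
// These meta keys are assumptions for illustration, not PMPro's real key names.
const MYADDON_ERASABLE_META = array(
    'myaddon_billing_address',
    'myaddon_card_last4',
    'myaddon_card_expiration',
    'myaddon_visit_log',
);

// Register the eraser so it runs when an admin confirms an erasure request
// from Tools -> Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', 'myaddon_register_eraser' );
function myaddon_register_eraser( $erasers ) {
    $erasers['myaddon'] = array(
        'eraser_friendly_name' => 'My Add On (example)',
        'callback'             => 'myaddon_erase_personal_data',
    );
    return $erasers;
}

// Core calls this with the requester's email; $page supports batching.
function myaddon_erase_personal_data( $email_address, $page = 1 ) {
    $result = array(
        'items_removed'  => false,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true, // everything is handled in a single pass
    );

    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return $result; // no account for this address, nothing to erase
    }

    // Delete only the allowlisted personal fields stored in user meta.
    foreach ( MYADDON_ERASABLE_META as $key ) {
        if ( metadata_exists( 'user', $user->ID, $key ) && delete_user_meta( $user->ID, $key ) ) {
            $result['items_removed'] = true;
        }
    }

    // Assumption: this Add On keeps order and membership history as business
    // records, so report that to the admin instead of deleting silently.
    $result['items_retained'] = true;
    $result['messages'][]     = 'Order and membership history were retained as business records.';

    return $result;
}
```

The `items_retained` flag and `messages` array are shown to the admin on the Erase Personal Data screen, which gives a record of what was kept and why.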
Let us know if you have any questions about these new privacy features, the GDPR in general, or other issues we didn’t address in this post. We will provide updates to our blog here as we update our core plugin and add ons as new features become available.