WordPress poses another GDPR compliance headache for publishers

Automattic’s WordPress.org division and other contributors to the open source version of WordPress have been working on ways for sites to deal with the risk. On May 17, WordPress released an updated version of the software and added a section to its Plugin Handbook to standardize plug-ins’ privacy information, such as what data a plug-in collects and how that data is used, and make that information available to site owners in the WordPress content management system.

Sites using the updated software will be able to see this information, as well as privacy information related to the core WordPress software and themes a site may use, in a new “Privacy Policy Guide” that has been added to the CMS to help sites create or update their own privacy policies. When plug-ins, themes or the core WordPress software make any updates — or when sites activate or deactivate a plug-in, or switch themes — sites will be notified of the changes within the CMS.

“One of the great things about WordPress is that site owners have complete control of how they host and configure their own websites. The same goes for GDPR: Ultimately site owners will be responsible for what they decide to adopt, or what content to use in their privacy policies. Our goal is to provide the tools to make it easier,” Josepha Haden Chomphosy, WordPress.org division lead for Automattic, wrote in an email.

It’s unclear how easy things will actually be for site owners. A lot depends on to what extent plug-in makers add the privacy information that sites will refer to when creating or updating their own privacy policies. That’s further complicated by the fact that plug-in makers may not be able to adequately answer some of the questions about the personal data that their plug-ins collect and use. Many plug-in makers are individual developers or small companies that lack their own legal teams to advise them.

One of the most popular plug-ins, Contact Form 7, runs on more than 5 million sites but was built by a single developer, Takayuki Miyoshi. He had been receiving questions asking whether the plug-in was GDPR-compliant, and in a blog post published in April, he admitted that he’s unable to say.

Other plug-in makers have opted to disable their plug-ins from collecting data from people in Europe altogether. Ad tech firm Sovrn has developed several WordPress plug-ins that sites can use to do things like show related articles on their pages. To ensure those plug-ins don’t make sites vulnerable to violating GDPR and that the sites don’t disable its plug-ins for fear of violating GDPR, the firm is turning off data collection from users in Europe, said Jack Downey, who leads market development at Sovrn and is vp of its Sovrn Labs division.

If WordPress-powered sites are worried about whether their sites comply with GDPR, well, there is a plug-in for that. Of course, the plug-in’s developer has added the disclaimer, “Activating this plugin does not guarantee you fully comply with GDPR.”

Download the Digiday guide to GDPR for checklists, research and more you’ll need to know before May 25.