General Data Protection Regulation has been enforced in May 2018. As business owners scramble to know more about the domains it covers and the implications it will bring along, there is still a lot that has to be discovered in terms of the exact applications of the regulations.
One critical area, though, has to do with how you collect email addresses and how you use them. And these are strictly related to all types of forms you have on your website or WooCommerce store and how much you know about your users.
Email addresses, forms, user profiling, abandoned carts, checkout pages. How do you need to change them to comply with GDPR?
Let's dive in!
For more detailed information about GDPR, we published these additional blog posts you might want to check: 4 Lesser-Known Activities You Need To Take Care Of Before GDPR Comes Into Effect and What GDPR Means For Your WordPress And WooCommerce Business - A Starter Guide On What's Important To Know And Do First
The basic element is (explicit) consent
The new law has been specifically designed to ensure the protection of consumer data privacy and, as a result, it provides them a new range of authoritative powers to control the ways in which their data can be collected and used by websites.
In this regard, GDPR changes what used to be the somewhat routine of collecting as much data around a user as possible for marketing purposes.
In other words, profiling users under GDPR will change.
GDPR regulations pertaining to profiling for marketing purposes
What's profiling under GDPR?
Profiling [...] consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
Profiling has always be seen as a standard procedure for website and store owners, but now with the GDPR come into effect, users will need to be informed about the processing of their data and how to exercise their rights.
WordPress forms and customer data collection under GDPR
A great portion of user data is collected through forms: contact page, checkout pages, form to request information or a quote, a landing page to download a free resource. Usually, it's on such forms that we ask more than what we actually need to proceed.
A common example is featuring a field on our form asking for some kind of information that is not strictly relevant right now but we assume it will be in the future. This is not acceptable under the GDPR, as Robin explains:
If you've got an element in your data capture form or checkout page that you're thinking 'I don't need it but I might use it in the future.' well, if that future usage you haven't obtained consent for, technically speaking, you shouldn't then use it for profiling, which means basically you'll need to take it out of your form - or get consent to use it for profiling.
Given how important and used forms are, let's see how to set them up and some best practices to comply with GDPR.
Examples of how to add an opt-in option to your WordPress forms for GDPR compliance
Before we start, let's clear the air here: not all forms are per se wrong and require adjustments. If you're collecting anonymized data, or you aren't storing data at all, your form is perfectly GDPR-compliant.
I picked three of the major WordPress form providers to exemplify the process for adding the required opt-in box to your forms:
GDPR-compliant example for Ninja Forms
GDPR-compliant example for Gravity Forms
Here's the official documentation on how you can do it.
GDPR-compliant example for Contact Form 7
Here's more about Contact Form 7
Bonus: Advanced Custom Fields
Here's how you can do it. Note: the resourced linked shows you how to add an age-verification field, but the process is the same for adding the explicit consent opt-in box.
The case for asking for street addresses
Street addresses are a more specific case pertaining to eCommerce or WooCommerce-based websites that require this information during checkout and are dealt with in much the same way as email addresses are under the GDPR. Robin explains:
You can ask for street address eventually for the card validation to occur, depending on the payment service provider you're using. So the rule still stands: if the transaction wouldn't work without the street address, hence it's necessary to collect that user data, then definitely you can. On the other hand, if you don't strictly need it to process the purchase and payment, just think about not collecting it.
Street addresses are important in digital downloads and online payments because cybercrime and fraud are one of the biggest nuisances today and if a customer is using a stolen card, this can be cross-checked by analyzing if the address provided matches the one on the card. In this regard then, asking for street addresses is not a problem.
It's worth mentioning that you don't need consent to collect personal data which is necessary for the transaction to occur.
The issue with abandoned carts and checkout pages
Sticking to issues related to profiling for marketing, abandoned carts at checkouts fall under the same banner because a number of online retailers capture the customer’s email address as soon as they enter it, even when they don't complete the respective purchase. Robin elaborately lays this out:
The problem with abandoned carts and abandoned checkout for users who have not purchased from you ever is a big gray area. And when I say gray area, I mean, an interpretation of the GDPR would indicate to me that most abandoned cart practices currently in use are a breach of the requirement for consent. A lot of stores capture the email address before you've done anything and then send an email a couple of days later saying: 'We noticed you have this in the cart. Would you like to check out now?' How was consent collected there?
The first answer to that crucial question is: they didn't get any explicit consent from their customer. So, if you're just silently collecting email addresses from your checkout pages and you're not getting explicit consent, it's very likely that this falls outside of the spirit of the GDPR.
So how can you get explicit consent for abandon checkout pages?
It's hard to provide a one-size-fits-all solution without knowing your specific use case, but there's a relatively simple one you can implement to make it clearer to your customers. Specifically, as it was for other types of forms, it needs to have the option to explicitly give permission - they can tick to opt in - to store user data through your checkout form. But not only: in this specific scenario, your form should also have some sort of explanation of when the checkout process begins, because it's from that moment on that you need the explicit consent to collect user data. Robin explains:
You can't just say on your forms: 'I accept any data usage on this website' because that won't cover abandoned carts.' You would have to have, for example, something that says: 'Checkout does not begin unless somebody expressly agrees to the abandoned cart collection' and put in place custom functionality that triggers if conditions are met. That would be an affirmative agreement. But, and this is important, you still need to allow a checkout if the user did not agree to the abandoned cart procedure. You cannot deny them service based on this.
You should never forget that, under the GDPR, it's not okay to enable a service if people opted out of it. Silent or soft opt-ins are no longer acceptable for GDPR consent.
Sending emails to your customers and users under GDPR
Contact forms, incomplete checkout pages, resource download pages, and the like, have all the same purpose: collect someone's email address and additional details (if any). That's what GDPR directly affects.
One of the major issues with the collected personal information on websites is that, once email lists have been created, some bombard the customer’s inbox with promotional emails. Or, they segment their email lists and start promoting a completely different product to the same people (who didn't opted-in in the first place). Robin sheds some light on this tricky aspect:
You've got the real thing to focus on: the opt-in and what did people opt-in for. If your newsletter always mentions products and you might even have affiliate links in - you should disclose them - that's your business. That's okay because your users have opted-in. However, the GDPR would come down hard on you if you take these customers that opted in for your newsletter and put them in a separate list for marketing a completely different business because that would be a violation of the customer’s privacy.
Here again, silent or soft opt-ins are no longer acceptable. So, for example, pre-ticked box to also subscribe to your newsletter has to stop as recital 32 reads:
Silence, pre-ticked boxes or inactivity should not constitute consent.
As a great example, I'm adding this from JimmyChoo online store:
As you can see, the possibility for the user to opt-in to get the latest news is not only unticked but also prominent because it's highlighted.
GDPR isn't an easy topic to understand.
There are a variety of cases that GDPR has on websites collecting personal information from users resident in EU. Chief among these is the fact that for every piece of data collected, customer consent has to be obtained explicitly and by stating the exact purpose of where and how the data will be used. This means user consent has to be collected without blurring out any even minute detail.
Given how many things should be changed, or at least tweaked to make a WordPress website or WooCommerce store compliant, what should be your next step, then?
I'd start assessing what's your current status by auditing what type and how much data you're collecting from your users. That will give a clear picture on the areas you'll need to make GDPR-compliant and allow you to prioritize the required work accordingly. You can have a specialist do that for you or help you understand what should come first.
GDPR is a regulation (law), not a suggestion. All websites and online stores with EU users have to comply eventually unless they want to risk it and get fined.
This blog post features Robin Scott, an experienced WordPress developer who's also one of the founders of Silicon Dales, an agency focused on WordPress, WooCommerce, and a variety of other services. Robin has specialized in several areas such as Custom Plugins, Gravity Forms, Hosting Transfer, Maintenance, and WooCommerce Extensions, just to name a few.