Making WordPress Legally Compliant

How to Make Your WordPress Blog Legally Compliant

One of the most important steps to take as a blog owner before your site goes live is to ensure it is legally compliant. This serves to protect your users’ privacy and will help shield you from legal liabilities in the future.

Penalties for noncompliance include a loss of credibility, huge fines, and everything in between.

The WordPress Privacy settings provide a starter template and an easy interface to set up GDPR compliance. However, setting up and maintaining compliance will require a few more features than what’s offered by WordPress’ core.

In this article, we will discuss what it means for your WordPress blog to be legally compliant, as well as how you can maintain it.

Let’s get started!

What It Means to Be Legally Compliant (And Why Your Blog Needs it)

If your website interacts in any way with user data, you have a legal requirement to have a privacy policy. Specifically, you will, at the very least, need a privacy policy that informs your users of any personal data you collect.

This includes why that data is collected and what will be done with it (including any third parties the data might be shared with).

Example scenarios where you may be said to be interacting with user data include:

  • If you collect any personal data such as names, usernames, email address, IP addresses, session activity or payment details such as during signup, login, or checkout.
  • If you have a contact form or newsletter, you will usually ask for a minimum of an email address. This is enough to warrant a privacy policy.
  • You may be using some third-party widgets or services – such as Google Analytics or AdSense – that collect usage activity or serve targeted ads based on previously collected usage data.

Being legally compliant is an absolutely critical element. This is because a non-compliant blog or website can result in hefty fines, litigation, and loss of credibility for you.

The Most Important Privacy Laws You Should Know About

One important detail to keep in mind is that privacy laws target residents of a particular region, so they may apply to you whether or not you are located in the region.

For this reason, you’ll need to be familiar with laws which have global jurisdiction as well as some national or state laws with greater reach.

CalOPPA and the CCPA are state laws protecting California residents. If there is any chance your users might be residents of California, you’ll want to make sure you have a visible and easily accessible privacy policy that adheres to all its requirements.

The GDPR requires that all companies based in the EU, as well as companies which interact with the data of EU residents – no matter where they are located – implement a privacy policy.

There are other laws too. For example, the EU’s ePrivacy (also known as the Cookie Law) which covers how tracking technologies like cookies can be used.

Many third parties e.g Google will also require you to meet legal requirements by having the correct documents in place. For example, Google Analytics states in their terms that you are required to have a privacy policy in place and potentially cookie-related documents if applicable.

Since Google Analytics uses cookies to track user behaviour and cookies collect personal information such as IP addresses, you’ll need to comply with the ePrivacy and GDPR laws if you have EU users.

How to Make Your WordPress Blog Legally Compliant (In 3 Steps)

Once you’ve understood what it means for your blog to be legally compliant, you’ll want to get to work. Let’s discuss the three steps we recommend, including implementing a privacy policy, disclosing endorsements, and setting up a method for receiving or rescinding consent.

1. Set Out the Main Information for Your Privacy Policy

At a minimum, you should include your business name and contact details within your policy. Also include information on the data you’re collecting – whether directly or indirectly – as well as
details on how you’re using it.

You’ll also want to outline the following key points at a minimum:

  • Why you’re collecting information.
  • How the site stores data.
  • Who you are sharing the data with (third-parties, sub-contractors etc.).
  • How users can opt-out of data collection (non-EU )
  • The legal basis for processing user data (EU users)

Note that more requirements can potentially apply depending on your circumstances. Once you have these basics in place, you can move onto more complex policy additions.

As mentioned earlier, WordPress offers an interface for setting up some measure of GDPR compliance. To set up a privacy policy page, go to Settings > Privacy from your dashboard.

WordPress Privacy Settings

Here, you can either use the default policy page provided or create a new one. The benefits of this method include:

  • It makes it easy to integrate your document into your website in a native and brand-consistent way
  • The starter text helps you to consider the categories of data you process and the related disclosures you’ll need to include.
  • Automatically adding links to the privacy policy in registration and login pages.

However, while this looks like an easy way to set up legal compliance for your blog – this method on it’s own is not complete. Remember, privacy policies need to be specific to your business, use case, and the type of activities and data associated with it.

Personalizing Disclosures

These personalized disclosures are critical to creating a legally compliant privacy policy. While WordPress’ basic template is a good indicator of some of the things you should think about
when preparing your privacy policy, it is not actually compliant or usable as is, and requires much more work to be suitable.

Here’s an excerpt from the accompanying guide for the Privacy Policy creation process:

…the new [privacy policy] page will include help and suggestions…However, it is your responsibility to use those resources correctly, to provide the information that your Privacy Policy requires, and to keep that information current and accurate.

A quick look at the starter layout makes it clear that many sections are either not applicable in every case, or incomplete. Another important thing to note here is that the GDPR and similar
privacy laws require that policy pages are available from every page of your website – not just login and registration points).

To make a privacy policy that’s actually compliant, you have a few options. You could get a lawyer to draft one up specifically for you. This is, of course, ideal for many businesses. However, the cost may be high and you’re still left to handle the technical implementation on your own.

A similarly effective but easier – and cheaper – way to obtain a lawyer-written privacy policy is by generating one of our customizable, auto-updating privacy policies. These can be easily integrated into your WordPress site via widget or directly embedded and displayed within any page – including the WordPress privacy policy template.

We’ll talk more about this later.

2. Disclose Endorsements

Some regulations, such as those by the US, EU and the International Consumer Protection and Enforcement Network (ICPEN), require endorsements made by bloggers and influencers to not include claims that couldn’t be legally made.

Endorsements should also be non-misleading and fully disclosed. This means users need to be informed when there is a connection between endorser and marketer that they would be interested in knowing, or would change their perception if known.

Some example scenarios include:

  • Endorsing a product for which you’re an employee, shareholder, or investor
  • If you’re receiving an incentive (financial or otherwise). This applies whether it was a free product/service, direct payment, or you make a percentage from each sale (in the case of affiliate marketing). For example, you may have been given a free night at a hotel in exchange for an endorsement. Or you’ve reviewed a product with an affiliate link that earns money, discounts, or free products. Perhaps you’re getting paid by a brand to post pictures of yourself wearing their clothing

According to ICPEN, it must be clear that you’re being paid to endorse. You must also state whose opinions or experiences are being given. As such, disclosures cannot be generic and will need to be specific to a particular endorsement.

3. Give Users an Easy Way to Give or Take Back Consent

When running a blog, user consent may factor into various things. For example, if you have EU users, consent is required before running cookie scripts like those used for analytics and also for adding users to your mailing list.

While opt-in consent isn’t required for US users (thanks to the CAN-SPAM Act), opt-out is specifically required under the Act. Laws like California’s CCPA requires you to allow users to opt-out of sharing their data (including onsite data).

Inform users what the information is for when they need to give consent. What’s more, the method of obtaining consent should require a clear action, such as clicking an
Agree button or checkbox.

The consent you collect should be specific to the purpose for which it was obtained and must not be coercive.

For example: “I would like to receive weekly offers and deals in my inbox as indicated in the privacy policy (optional)”.

Consent must also be as easy to withdraw as it was to give, and the withdrawal mechanism must be visible, easy to understand, simple, immediately available, and involve no more than a single web page.

Requests for withdrawal must be honoured within 10 days under US law and within 30 days under EU law.

You’ll want to keep clear records of the consent obtained (required under the GDPR). Records should contain the following information:

  • The identity of the user giving consent
  • When they consented
  • What disclosures were made at the time of consent
  • Methods used for obtaining consent (e.g. newsletter form, during checkout etc.)
  • Whether there is a withdrawal of consent

While implementing all of these measures could be tricky, there are a number of services available to help you.

4. Use Compliance Tools

Writing the privacy policy in a language your typical user can understand is imperative. The best way to do this is by using a privacy policy generator.

To start, enter the name of your website and set a language for your policy. Then, click the Start Generating button.

Compliance Tools

If you haven’t done so already, you’ll need to sign up for a free account. Next, you’ll want to select all services you use on your website. Remember, you want your privacy policy to be as
comprehensive as possible. Using the searchable list in the generator console, you simply need to begin typing and select the services you employ on your website:

Free Iubenda Account

The next step is to enter your business and contact info:

Account Contact Info

Finally, you’ll want to embed the policy on your site. There are three methods – adding a widget to your blog’s footer, using a direct link, or direct embedding the policy on a page:

Embed Site Policy

When it comes to managing consent, you may want to consider iubenda’s Consent Solution, – which provides a way to easily store proof of consent and manage consent and privacy preferences for all users – and Cookie Solution (helps you to comply with the GDPR, CCPA and more).

Conclusion

It could take some effort to make your WordPress blog fully compliant with global privacy laws, but it’s worth it to protect your business, avoid legal liability and protect your users’ privacy. To recap, here are the four steps to start a blog with compliance:

  1. Declare the basic policy information.
  2. Disclose any endorsements.
  3. Give users a way to grant or revoke their consent.
  4. Use reliable compliance tools, such as iubenda’s Privacy Policy Generator to help you where needed.

Do you have any questions about making your WordPress blog legally compliant? Share them with us in the comments section below!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.