The WordPress privacy policy does not make your website compliant with the applicable data protection laws. You need your own privacy policy to be compliant with any data protection law applicable to your business.
Nevertheless, it is not as hard as it may seem at first sight. This article will explain to you why you need it and how to comply easily.
WordPress Privacy Policy
Many WordPress website owners assume that their websites are compliant with the GDPR, CalOPPA, CCPA, and other data protection laws just because WordPress complies with them. They assume that Automattic, the company behind WordPress, does the job for them. That is simply not true.
Data protection laws require compliance by data controllers, i.e. from businesses. Each business is responsible for the data they collect and process.
Your business and WordPress are two separate businesses. Therefore, WordPress compliance does not automatically mean your business’ compliance, despite the fact that your website is built on its platform.
The privacy policy of WordPress ensures only the compliance of WordPress. Your own privacy policy ensures the compliance of your own business. If you don’t have one, you need to get one as soon as possible. If you were wondering where to start, the Secure Privacy privacy policy generator is a quick and simple way to comply.
What Does the WordPress Privacy Policy Mean for Your Business?
The WordPress privacy policy means nothing to your business. It is important to you only in relation to your personal data as a WordPress customer, but your business is not affected in any way.
The WordPress Terms of Service, on the other hand, affect your business. The Terms of Service are the contract between you and WordPress. It serves as a legal basis for the provision of WordPress services to you.
Section 7 of the Terms of Service (General Representation and Warranty) explicitly require you to comply with the data protection laws applicable to you.
This means that despite the data protection laws themselves, your contract with WordPress also requires you to comply with them. The compliance, of course, includes a privacy policy compliant with all the privacy laws applicable to your business.
What Data Protection Laws Require From Your Privacy Policy?
Data protection laws, in general, require your business to be transparent to the users. You can provide them with the required transparency by providing a privacy policy where you explain all your privacy practices.
Some laws, such as the CalOPPA (California Online Privacy Protection Act) explicitly require a privacy policy. Most other laws, such as the GDPR and the ePrivacy Directive, require just transparency. However, having a privacy policy is by far the most practical way to be transparent.
Your privacy policy will be compliant if it contains all the necessary information you need to provide your users with.
Each law has specific requirements about the essential elements of the privacy policy.
The following short summary will give you an idea of what you need to include, depending on the laws applicable to your business:
GDPR and ePrivacy
Your ePrivacy and GDPR-compliant privacy policy need to inform your users about the following:
- The categories of personal data you collect
- How you collect data
- Why do you collect data
- With whom you share data and the purposes of sharing
- Data subject rights and how to exercise them
- Data retention information
- Data transfer information
- Information on children’s information, if applicable
- Changes to the privacy policy
- Information about the Data Protection Officer, if any
- Your contact information
CalOPPA and CCPA
CalOPPA is the only law in any US state that explicitly requires a privacy policy from every single business that interacts with California users. The CalOPPA-compliant privacy policy has to contain at least:
- The categories of personal information collected and/or processed
- The third parties with whom you share the personal information
- How you notify consumers about changes in the privacy policy
- The effective date of the privacy policy
- How you respond to “Do Not Track Signals”
- Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service, or provide a link to an explanation about that.
In addition, if your business meets the applicability thresholds for CCPA, then it has to contain the following:
- Information on consumer rights
- The methods designated for submitting consumer requests, as well as consumer verification methods.
- A list of the categories of personal information it has collected about consumers in the preceding 12 months, as well as categories of sources of information.
- If your business discloses (shares) personal information with third parties or sells personal information, then:
- A list of the categories of personal information it has sold about consumers in the preceding 12 months
- A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months
- Categories of third parties to whom the information was sold or disclosed. - For businesses that process personal information of more than 10 Million consumers, the metrics about the received and answered consumer requests
- Information on the sales of personal information of consumers under 16 years of age, if any
- Contact information
- Date of the last update of the policy
Read more about how to make your privacy policy compliant with the CCPA.
LGPD
LGPD requires a privacy policy with the following elements:
- The specific purpose of processing data
- Type and duration of the processing
- Identity and contact information of the controller
- Information about who the data is shared with and why
- Responsibilities of the agents that will carry out the processing
- The data subject rights
You have to show the link to the privacy at the moment of data collection as well as a link on the homepage. It has to be written in plain language so that the average internet user would understand easily what you do with their personal data.
Every data protection law prescribes specific requirements for a privacy policy. You have to figure out what laws are applicable to your business and ensure that your policy contains all it needs for compliance.
Getting a Privacy Policy: Is a WordPress Privacy Policy Generator or Plugin Good Enough for Compliance?
There are three ways in which online businesses get privacy policies for their WordPress websites, and not all ensure compliance.
Copy-paste from other websites. Many online businesses do this, particularly in the early stages, but this is wrong as it can get. You should never copy-paste the privacy policy from other websites because no two businesses are the same and will likely get you into IP legal troubles with the other business.
Your privacy policy has to be specific for your business. If you collect phone numbers, but the other business from which you copied the policy does not, you are about to violate the data protection laws and get a penalty.
Use of WordPress plugins. You need to be very careful with WP plugins that generate privacy policies and provide cookie banners. Many are just not compliant. They usually provide privacy policy templates that may not be compliant without extensive editing. Do not use them without caution.
Lawyer. If you can afford to pay a lawyer to draft a privacy policy for you with the help of your tech personnel, that would be ideal.
However, this is the most expensive option. It may not be necessary to call a lawyer for a privacy policy because they use templates anyway, so it may not be cost-effective to pay hundreds of dollars for an edited template.
WordPress privacy policy generator. Generators are in the middle ground between all these options. They combine a privacy policy template with user input and provide a compliant and affordable solution for businesses.
The Secure Privacy privacy policy generator asks questions about the specifics of your business. It will ask you what laws you need to comply with, why you collect data, how you process it, how can users exercise their data subject rights and other questions. Then, it will use that input to edit the privacy policy template automatically.
Adding a privacy policy to your website with Secure Privacy is a breeze. Adding a privacy policy button on your website is equally easy. And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.
