Nevertheless, it is not as hard as it may seem at first sight. This article will explain to you why you need it and how to comply easily.
Many WordPress website owners assume that their websites are compliant with the GDPR, CalOPPA, CCPA, and other data protection laws just because WordPress complies with them. They assume that Automattic, the company behind WordPress, does the job for them. That is simply not true.
Data protection laws require compliance by data controllers, i.e. from businesses. Each business is responsible for the data they collect and process.
Your business and WordPress are two separate businesses. Therefore, WordPress compliance does not automatically mean your business’ compliance, despite the fact that your website is built on its platform.
The WordPress Terms of Service, on the other hand, do affect your business. The Terms of Service are the contract between you and WordPress, and they serve as the legal basis for the provision of WordPress services to you.
Section 7 of the Terms of Service (General Representation and Warranty) explicitly requires you to comply with the data protection laws applicable to you.
The following short summary will give you an idea of what you need to include, depending on the laws applicable to your business:
GDPR and ePrivacy
- The categories of personal data you collect
- How you collect data
- Why you collect data
- With whom you share data and the purposes of sharing
- Data subject rights and how to exercise them
- Data retention information
- Data transfer information
- Information on children’s information, if applicable
- Information about the Data Protection Officer, if any
- Your contact information
CalOPPA and CCPA
- The categories of personal information collected and/or processed
- The third parties with whom you share the personal information
- How you respond to “Do Not Track Signals”
- Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service, or provide a link to an explanation about that.
In addition, if your business meets the applicability thresholds for CCPA, then it has to contain the following:
- Information on consumer rights
- The methods designated for submitting consumer requests, as well as consumer verification methods.
- A list of the categories of personal information it has collected about consumers in the preceding 12 months, as well as categories of sources of information.
- If your business discloses (shares) personal information with third parties or sells personal information, then:
  - A list of the categories of personal information it has sold about consumers in the preceding 12 months
  - A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months
  - Categories of third parties to whom the information was sold or disclosed
- For businesses that process the personal information of more than 10 million consumers, metrics about the consumer requests received and answered
- Information on the sales of personal information of consumers under 16 years of age, if any
- Contact information
- Date of the last update of the policy
- The specific purpose of processing data
- Type and duration of the processing
- Identity and contact information of the controller
- Information about who the data is shared with and why
- Responsibilities of the agents that will carry out the processing
- The data subject rights
You have to show a link to the privacy policy at the moment of data collection, as well as a link on the homepage. It has to be written in plain language, so that the average internet user can easily understand what you do with their personal data.
There are three ways in which online businesses get privacy policies for their WordPress websites, and not all ensure compliance.