One of the most important steps to take as a blog owner before your site goes live is to ensure it is legally compliant. This serves to protect your users’ privacy and will help shield you from legal liabilities in the future.
Penalties for noncompliance include a loss of credibility, huge fines, and everything in between.
The WordPress Privacy settings provide a starter template and an easy interface to set up GDPR compliance. However, setting up and maintaining compliance will require a few more features than what’s offered by WordPress’ core.
In this article, we will discuss what it means for your WordPress blog to be legally compliant, as well as how you can maintain it.
Let’s get started!
What It Means to Be Legally Compliant (And Why Your Blog Needs it)
This includes why that data is collected and what will be done with it (including any third parties the data might be shared with).
Example scenarios where you may be said to be interacting with user data include:
- If you collect any personal data such as names, usernames, email address, IP addresses, session activity or payment details such as during signup, login, or checkout.
- You may be using some third-party widgets or services – such as Google Analytics or AdSense – that collect usage activity or serve targeted ads based on previously collected usage data.
Being legally compliant is an absolutely critical element. This is because a non-compliant blog or website can result in hefty fines, litigation, and loss of credibility for you.
The Most Important Privacy Laws You Should Know About
One important detail to keep in mind is that privacy laws target residents of a particular region, so they may apply to you whether or not you are located in the region.
For this reason, you’ll need to be familiar with laws which have global jurisdiction as well as some national or state laws with greater reach.
There are other laws too. For example, the EU’s ePrivacy (also known as the Cookie Law) which covers how tracking technologies like cookies can be used.
How to Make Your WordPress Blog Legally Compliant (In 3 Steps)
At a minimum, you should include your business name and contact details within your policy. Also include information on the data you’re collecting – whether directly or indirectly – as well as
details on how you’re using it.
You’ll also want to outline the following key points at a minimum:
- Why you’re collecting information.
- How the site stores data.
- Who you are sharing the data with (third-parties, sub-contractors etc.).
- How users can opt-out of data collection (non-EU )
- The legal basis for processing user data (EU users)
Note that more requirements can potentially apply depending on your circumstances. Once you have these basics in place, you can move onto more complex policy additions.
Here, you can either use the default policy page provided or create a new one. The benefits of this method include:
- It makes it easy to integrate your document into your website in a native and brand-consistent way
- The starter text helps you to consider the categories of data you process and the related disclosures you’ll need to include.
However, while this looks like an easy way to set up legal compliance for your blog – this method on it’s own is not complete. Remember, privacy policies need to be specific to your business, use case, and the type of activities and data associated with it.
A quick look at the starter layout makes it clear that many sections are either not applicable in every case, or incomplete. Another important thing to note here is that the GDPR and similar
privacy laws require that policy pages are available from every page of your website – not just login and registration points).
We’ll talk more about this later.
2. Disclose Endorsements
Some regulations, such as those by the US, EU and the International Consumer Protection and Enforcement Network (ICPEN), require endorsements made by bloggers and influencers to not include claims that couldn’t be legally made.
Endorsements should also be non-misleading and fully disclosed. This means users need to be informed when there is a connection between endorser and marketer that they would be interested in knowing, or would change their perception if known.
Some example scenarios include:
- Endorsing a product for which you’re an employee, shareholder, or investor
- If you’re receiving an incentive (financial or otherwise). This applies whether it was a free product/service, direct payment, or you make a percentage from each sale (in the case of affiliate marketing). For example, you may have been given a free night at a hotel in exchange for an endorsement. Or you’ve reviewed a product with an affiliate link that earns money, discounts, or free products. Perhaps you’re getting paid by a brand to post pictures of yourself wearing their clothing
According to ICPEN, it must be clear that you’re being paid to endorse. You must also state whose opinions or experiences are being given. As such, disclosures cannot be generic and will need to be specific to a particular endorsement.
3. Give Users an Easy Way to Give or Take Back Consent
When running a blog, user consent may factor into various things. For example, if you have EU users, consent is required before running cookie scripts like those used for analytics and also for adding users to your mailing list.
While opt-in consent isn’t required for US users (thanks to the CAN-SPAM Act), opt-out is specifically required under the Act. Laws like California’s CCPA requires you to allow users to opt-out of sharing their data (including onsite data).
Inform users what the information is for when they need to give consent. What’s more, the method of obtaining consent should require a clear action, such as clicking an
Agree button or checkbox.
The consent you collect should be specific to the purpose for which it was obtained and must not be coercive.
Consent must also be as easy to withdraw as it was to give, and the withdrawal mechanism must be visible, easy to understand, simple, immediately available, and involve no more than a single web page.
Requests for withdrawal must be honoured within 10 days under US law and within 30 days under EU law.
You’ll want to keep clear records of the consent obtained (required under the GDPR). Records should contain the following information:
- The identity of the user giving consent
- When they consented
- What disclosures were made at the time of consent
- Methods used for obtaining consent (e.g. newsletter form, during checkout etc.)
- Whether there is a withdrawal of consent
While implementing all of these measures could be tricky, there are a number of services available to help you.
4. Use Compliance Tools
To start, enter the name of your website and set a language for your policy. Then, click the Start Generating button.
comprehensive as possible. Using the searchable list in the generator console, you simply need to begin typing and select the services you employ on your website:
The next step is to enter your business and contact info:
Finally, you’ll want to embed the policy on your site. There are three methods – adding a widget to your blog’s footer, using a direct link, or direct embedding the policy on a page:
When it comes to managing consent, you may want to consider iubenda’s Consent Solution, – which provides a way to easily store proof of consent and manage consent and privacy preferences for all users – and Cookie Solution (helps you to comply with the GDPR, CCPA and more).
It could take some effort to make your WordPress blog fully compliant with global privacy laws, but it’s worth it to protect your business, avoid legal liability and protect your users’ privacy. To recap, here are the four steps to start a blog with compliance:
- Declare the basic policy information.
- Disclose any endorsements.
- Give users a way to grant or revoke their consent.
Do you have any questions about making your WordPress blog legally compliant? Share them with us in the comments section below!