The contents of this article cannot be considered a substitute for professional legal advice.
What I intend to provide here are some thoughts about how these regulations may affect users of the Participants Database WordPress plugin. Please note that you may also have site-wide issues that you will need to address: this article deals only with issues that affect the use of the Participants Database plugin within the context of the GDPR.
Complying with the new European General Data Protection Regulation is potentially a big deal for your website. If you have any users from the European Union or European Economic Area (even if they are not in Europe at the time) they and their personal information is protected by the GDPR. This would potentially include any site that offers an open registration form.
What is Personal Information?
I do not know what kinds of information can be considered personal and therefore protected by GDPR, and in many ways this is an open question that will eventually be decided in the courts. To be on the safe side, any information submitted by a user should be considered personal information, including meta values such as an IP address.
Key Points of the GDPR that May Affect Participants Database
Since Participants Database does (in most cases) store personal information, it is subject to the GDPR. Here are what I see are the key points to address:
- clear statement of use – a form that obtains consent to use personal data must include a clear, honest and unambiguous statement of how the data will be used. This can possibly be on a separate page where you have published your privacy statement.
- evidence of consent – you must have a record of the user’s consent to use their personal data. This should probably include a date and an IP address so that you can show that the person submitted their consent on a specific occasion.
- opt-in only – you cannot use an opt-out checkbox or an opt-in checkbox that defaults to being checked. The user must take the step of consenting to the use. This is critical.
- means to see what information is stored – you need to be able to provide to your users, on request, all of the data you have stored for them.
- ability to delete data – you need to provide a way for a user to have all of their personal information deleted from the database.
- server security – you need to take care to protect the security of the data stored on the server. In most cases, this will be up to the hosting provider, but if you are managing your own server, you’ll need to demonstrate that the server has been secured against data breaches. Installing a security plugin is a very good idea.
- notice of data breach – if you do experience a hack or data breach, you are required to let your users know their data may have been compromised.
Let’s go over each point where I offer some suggestions for addressing them.
Clear Statement of Use
What may be sufficient here is a brief statement on your registration or consent form that states how the data will be used. Include a link to your formal privacy statement where you can go into more detail. The privacy statement is an important feature where you can notify the user of their rights and options to manage their personal data. It is also a good place to explain how the data will be safeguarded.
I recommend you have a detailed privacy statement somewhere on your site, and then provide easy-to-find links to it.
Evidence of Consent
In my understanding, any registration form or consent form must contain a checkbox that is not checked by default where a clear statement of consent is agreed to…for example:
I agree to allow the use of this information as described in the Privacy Statement
When that form is submitted, it is important to also record the time of the submission and possibly the IP address in use at the time. The timestamp is automatic on registration forms, but on a consent form (that is, a form that is submitted after the initial registration has been taken) you will need to use a hidden field that records the time of the submission, and this is explained below. This information can be used to show that the user submitted their consent at a specific time and from a specific place.
If you are collecting any kind of personal information, you must provide an “Opt-In” checkbox (or other means of getting their consent) that does not default to being checked. You must show that your users have taken an explicit step to authorize your use of the data. It cannot be any kind of passive consent, such as “use of this site implies consent” statements or silent enrollment in marketing. The user must actively consent to give you the legal right to use the data under the GDPR.
Means to See What Information is Stored
You must provide a way for the people for whom you have personal information to see what exactly you have stored for them. I believe it is sufficient to provide a way for them to email you and ask for the information. If you have a huge site, you may want to consider having this handled automatically.
Ability to Delete Data
You should provide your members or participants a way to request to have their data deleted. Again, an email requesting the deletion may be sufficient. It is important you respond to this with a confirmation that is kept as a record of the deletion. Of course, you must actually delete the information. Whether this needs to also include backups, I don’t know.
There is no such thing as perfect server security. I mean, even the NSA can’t keep hackers out…therefore, what is needed is a good-faith effort to keep your servers secure. You may be depending on your hosting provider for this. In that case, it may be a good idea to ask them to tell you what kind of security safeguards are in use. Keep their response as a record. It’s also a good idea to install a security plugin. If you are managing your own server, you’ll need to be able to demonstrate that reasonable precautions against a data breach have been taken.
Notice of Data Breach
If you become aware of a security breach on your server that could expose personal data, you must notify your users. It doesn’t matter if the breach happened a long time ago, as soon as you become aware of it, you must notify your users. In some cases, you will be depending on your hosting provider to alert you that the server was compromised. If the breach happens on your site (as opposed to on the server) you may be depending on your security plugin to let you know this happened. It’s a good idea to investigate any mysterious events (such as files appearing on your site with no explanation) you may notice.
What to do Immediately
If your registration forms do not include a checkbox giving consent to use the data, add a consent checkbox to your signup form. Make sure that there is an explanation of how the data will be used and protected: I think this can be stated briefly in the form while including a link to your formal privacy statement.
If you do not have a good privacy statement published, take care of that right away. It should include an honest, explicit explanation of how the data will be used, and what steps are taken to protect the data. I doubt you need to be too detailed about that last part.
Make sure that links to the privacy statement are easy to find, and certainly displayed on registration pages and any other page where Participants Database forms are displayed.
Re-Authorizing Your Consent to Use Personal Information
Re-Authorizing means sending out an email to everyone you have personal information for to get their explicit consent to use that information. This usually means sending them a link to your consent form. You should be prepared to delete the information for all persons who do not consent to its use.
I recommend you consider re-authorizing your use of personal data if any of these apply:
- you do not have good evidence of consent
- your privacy and/or terms-of-use statements were updated or changed
- you were using an opt-out or default opt-in consent agreement when your data was collected
- you did not obtain explicit consent from your users to use their personal data (silent opt-in)
- you just want to be careful to be in compliance with GDPR
The Consent Form
In my understanding, a consent form needs to accomplish three things:
- explanation of how the personal data will be handled and used (i.e., your privacy statement)
- obtain explicit consent to use the data (like a checkbox)
- record the time and IP used to submit the consent for evidence that consent was given
I suggest you set up a special form that is only for the purpose of getting consent. Here are some instructions for doing that:
Setting Up a Consent Form in Participants Database
First, you will need to create a page to hold the form. Use the [pdb_record] shortcode on that form. In that shortcode, specify only the fields you need. At least one consent checkbox (you many need to get consent for more than one thing) and the timestamp and IP address. Your shortcode will look something like this:
To create a timestamp field, create a new field (perhaps named “Consent Timestamp”), make it a hidden read-only field and put “SERVER:REQUEST_TIME” in as the default value. This will record the Unix timestamp of the submission.
To record the IP, set up a hidden field (perhaps named “Consent IP”) with the default value of SERVER:REMOTE_ADDR. If your site uses some kind of firewall or service such as CloudFlare that does not place the user’s originating IP in the REMOTE_ADDR field, you will need to use a different setup for this. Check the documentation for the service for the details.
Last, set up your consent checkbox (or checkboxes). Make sure the title and help text for the checkbox make it clear exactly what permission is begin given for. Do not set it up to default to being checked, the user must check the box themselves.
Setting Up the Re-Authorization Email in Participants Database
If you want to use Participants Database to send the email, you will need to use the Email Expansion Kit add-on. This is really only a viable option if you have a list smaller than a couple hundred records, because it’s not set up to send thousands of emails. If you need that, use an email service such as MailChimp and check the next section for how to set that up.
To open the Participants Database re-authorization form, you will need to provide the user with a private link so the form knows which record to update with the consent. Normally, the private link goes to the Participant Record Page. You can use that page to show your re-authorization form, but if you want to set up a special page for the form, you will need to build the private link yourself.
Let’s say your re-authorization page is called “reauthorize” If it was on my site, the URL for that page could be something like “https://xnau.com/participants/reauthorize” To include a reauthorization link in your Participants Database email, you can build the link like this: https://xnau.com/participants/reauthorize?pid=[private_id]
Reauthorizing by Mass Email
If you are using a mass-email service to ask for re-authorization, you probably can’t use a Participants Database private link to send them to the reauthorization form. Instead, you can use a special signup form to do the job. The way this works is if their email can be used as a unique identifier, then you can use a signup form and have them enter their email as well as provide their consent. When submitted, the form will match an existing record’s email address and update the record with the consent.
Make sure that you have the “duplicate record settings” (under the Signup Form” tab) set up to update a record with a matching email.
Set up the signup form shortcode the same as described above for the record shortcode, only you need to include the identifying email field…for example:
Do I Really Need to Do This?
Is what all site operators are asking themselves about this. I certainly can’t answer that question, but there is a lot at stake. It remains to be seen whether small operators will see legal consequences, but having a European court judge against your site can’t be good for business. For email marketers, this is an agonizing choice because the potential is to lose a large part of your mailing list. What we, as small site operators, are supposed to do is ask a lawyer for advice on how to proceed—there are legal technicalities involved—but of course nearly all of us can’t afford that.
For myself, I am betting that my good-faith efforts to abide by these regulations will be enough to keep me out of legal trouble.