WordPress 4.9.6 Beta 1 Adds Tools for GDPR Compliance

WordPress 4.9.6 Beta 1 is available for testing. It’s the first step in bringing GDPR (General Data Protection Regulation) tools to WordPress. In addition to 10 bugs being fixed, this release heavily focuses on privacy enhancements.

One of the first changes is the addition of a Privacy tab on the successful update screen. The message informs users that their sites may send data to WordPress.org for plugin and theme updates with a link to the WordPress.org privacy policy.

WordPress 4.9.6 Privacy Information

Privacy Policy Page Creation and Template

WordPress 4.9.6 includes the ability to create a Privacy Policy page from the backend. Simply browse to Settings > Privacy and select an existing page or create a new one where the policy will be displayed.

Privacy Policy Page Settings

Privacy policy pages will likely become as ubiquitous as About Us pages thanks to the GDPR, but the information that’s displayed is unique to individual sites. WordPress helps out by providing a template with suggestions on what information to display.

Privacy Policy Template

Personal Data Export and Removal Tools

To comply with the GDPR, sites need to provide a way for users to obtain their personal data and request that it be removed. WordPress 4.9.6 does not give users a button to make these requests. Instead, a site’s privacy policy needs to include information on where to send such requests.

Once a request for a data export or removal is received, site administrators or the Data Protection Officer can browse to Tools > Export Personal Data or Tools > Remove Personal Data and send that user a verification request.

Export Personal Data Verification UI
Data Removal Request Verification UI

When an admin enters a username or email address into the send request field, that user receives an email with a confirmation link. Once the link is clicked, the site displays an Action Confirmed notice stating that the site administrator has been notified and will fulfill the request as soon as possible.

Here’s what a confirmed notice looks like in the backend.

Confirmed Data Export Request

One thing I noticed is that after a user confirms the request, the site administrator has no way of knowing that they confirmed unless they visit the Data Export or Removal page.

Perhaps a new notification bubble can be created, similar to pending comments and updates, that takes admins to the appropriate place for confirmed requests.

When WordPress finishes creating the zip file, a link is sent to the user. For security purposes, the file will automatically be deleted after 72 hours.

My Personal Data Export

To test this feature, I exported my personal data from WP Tavern. My data export arrived in a zip file as one Index.html file. This file contains my comments, user meta data, links to attachments, and more. The data provides me with an opportunity to see what data the site has and what would be deleted if I requested full data removal.

Commenter Cookie Notification and Opt-in

Cookies save data so that visitors don’t have to fill in the Author, URL, and Email fields each time they want to leave a comment. In 4.9.6, visitors will be informed of this data storage and will need to check a box to opt in.

Checkbox For Consenting to Data Storage

WordPress 4.9.6 isn’t your typical minor release. It introduces new UI, options, and a bunch of privacy-related enhancements. The development team is aiming to officially release 4.9.6 before GDPR goes into effect later this month, but these features need to be battle tested now, especially on multi-site configurations.

I encourage you to check out 4.9.6 on a staging site and go through the process of requesting, confirming, and obtaining user data. Now is a good time to experience what users will be going through.

You can download WordPress 4.9.6 beta 1 here or obtain it by using the WordPress Beta Tester plugin. If you encounter any issues, please report them on the Alpha/Beta section of the support forums.