Your site, Automattic’s Privacy Policy and the GDPR

Beginning May 25, 2018 all sites on the web operating within the EU or having site visitors from the EU will be subject to the European Union’s General Data Protection Regulation (GDPR).

I have tried to wrap my sorry head around the requirements mandated under this regulation and am still reading sites like the ICO.org.uk website and WebDevLaw, among others to get a better understanding. (This infographic is a very clear, at-a-glance aid.)

Disclaimer: I am not a lawyer and the following is my initial layman’s thoughts on the subject. Nothing here should be taken as legal advice. 

I will admit to feeling overwhelmed by the implications the GDPR has on the entire concept of blogging and personal websites. Even if you remove every comment, contact and payment form from your website, where people are actively providing personal data (i,e. name email ), your site, like every site on the internet, is still collecting passive data from site visitors, including IP address, pages visited, computer OS, browser, screen resolution, monitor color depth, language preferences, etc. What you see in your WordPress.com Stats dashboard is only a small glimpse of that collected data.

pexels-photo-262488.jpegBeyond requiring disclosure of what user data is collected and the reason for its collection, how long data is stored, how that data is safeguarded and how data is shared and with whom, the GDPR also requires providing users a means to exercise their rights over that data, including its removal.

To give you an example, again – comments. Until now, on both standalone WordPress and WordPress.com sites, we have been consistently told that comments left on someone else’s site became the property of that site owner. And now under the GDPR? (What this implies for comment discussions and forums is just mind-boggling.)

Although Automattic has updated and clarified its Privacy Policy (and IMO there’s a lot in that policy that is better suited to an “About” page), and coupled it with a support guide to Automattic and the GDPR, this section in the updated Privacy policy gave me pause:

Our Users’ Websites

If you are a visitor to one of our users’ websites–a self-hosted WordPress site that has installed Jetpack, for example–please note that this privacy policy doesn’t apply to you in regard to that specific site. We process information that visitors provide to our users’ websites on behalf of our users and in accordance with our user agreements. We encourage our users to post a privacy policy that accurately describes their practices on data collection, use, and sharing of personal information.

If “we process information …on behalf of our users” refers to data actively submitted by site visitors for a contact, comment or payment form, then yes. However, we users/aka site owners do not control the passive data our hosting company, Automattic, collects from our site visitors. “Control” and “Process” have very specific definitions within the context of the GDPR. (Also note that in Automattic’s Privacy policy it states “At this time, Automattic does not respond to “do not track” signals across all of our Services.” Perhaps this is also due to the aptly-named Firehose.)

Under GDPR you’ll need to include a privacy policy or statement on your website detailing your site’s data collection and use.

Another example: Having been actively involved in the community forums for a number of years, I’ve seen forum threads where site owners ask to obtain their list of subscribers in order to be able to send them direct emails beyond the automatic notice of new blog posts or move their subscribers to a different email marketing service. Site owners do not have access to users’ email addresses when the subscriber is a logged-in WordPress.com user and Staff do not provide that information to site owners. However, if that subscriber is not a logged-in user and enters their email address in the Follow Site widget, then the site owner can download a CSV file of those email addresses from their My Sites>People dashboard.

Taking that process a step further, if a site owner moves from WordPress.com to a Jetpack-connected,  standalone WordPress site, it is currently possible to move the list of WordPress.com subscribers to the new WordPress site (reference). How will the GDPR affect this?

To say “it’s complicated” and far-reaching would be an understatement.  The working group for the ORG core software, on which our WordPress.com platform is based, is currently in discussion on how to bring core into compliance with the GDPR and hopefully they have the needed legal experts involved.

Beyond the software itself, Automattic needs to bring our blogging platform into compliance, including  the Jetpack plugin in use here on WordPress.com. Staff has indicated that both the Privacy Policy and GDPR support guide will be updated with the changes needed ahead of the May 25 deadline. I’ll be updating my sidebar’s Privacy Statement along with it.

While I applaud giving users control over the data collected about them and the ability to remove it, implementation is a minefield. Will there be one set of data procedures for European visitors and another set for everyone else?

Meanwhile, someone pour me a scotch. Legalese is a parching business.

If you want to get an in-depth look at the GDPR and how it affects you, the University of Groningen offers a free 4-week online course. (NAYY) May 25th is just around the corner.

5 thoughts on “Your site, Automattic’s Privacy Policy and the GDPR

  1. I now have what I think is probably a reasonable shot at a GDPR Privacy policy and a cookie policy on my blogs and a more extended one on our e-commerce site. I can see the sense of these on an e-commerce site, but on a blog?? When I think of the effort that has been expended on this…

    1. You are entirely welcome. As far as I can see, there is no distinction made between a commercial site and a personal blog, and I guess that is as it should be. I’ll be interested to know what you think of the course. 🙂

  2. And I thought the CFR (Code of Federal Regulations) in the U.S. was tough – I got a headache without going to any of the links,

    Thanks I guess, maybe WordPress needs to send us yet another link we can post on our site?

    1. Hey, thanks for stopping by, captnmike. 🙂 Automattic did the EU cookie widget thing in the end and that pales in comparison to the GDPR. I don’t believe they can get around GDPR by stating that US/California law takes precedence. They also have offices in Ireland.

Comments are closed.