MemberPress & GDPR
On May 25th, 2018 GDPR regulations went into effect. By now you're probably familiar with what the GDPR is and who it affects, but we'd recommend reading through the FAQ here if you still have any questions about it.
More likely, you're here because you want to know how MemberPress can help in making your WordPress Membership Site GDPR compliant.
Disclaimer: Though we have added some tools and features to MemberPress to make it easier for our customers to comply with GDPR, we are not lawyers and still strongly recommend that you seek professional counsel on ensuring your site and policies are consistent with GDPR and other applicable privacy laws. Compliance and what you're required to put in place will depend on what hosting, plugins, themes, and other services you utilize. If you handle personal data for any customer in the European Union then GDPR applies to your business.
WordPress recently released version 4.9.6 which included some special features specific to user privacy and GDPR. We have monitored the WordPress core efforts and have released MemberPress version 1.3.35 which integrates with the tools WordPress has made available for developers. MemberPress now takes full advantage of these tools provided by the WordPress core team.
How MemberPress can help you utilize these new tools for GDPR is outlined below:
Privacy Policy Page
WordPress 4.9.6 introduced a new Privacy Policy page with some sample text and advice to help get you started. We recommend that you update or add your privacy policy page before continuing with the rest of this article. A Privacy Policy page must be set in order to utilize most of the tools outlined below.
To set your Privacy Policy page in WordPress first ensure that you're updated to WordPress 4.9.6 or later. Once updated, you'll see the following new page in your WordPress -> Settings menu.
You can either tell WordPress to use an existing page, which you can find in the dropdown menu, or tell WordPress to create a new page.
Once the page is created, you'll be able to view the sample policy text and adjust it to fit your requirements.
MemberPress adds some sample text which can be found in the Policy Guide. You can view the guide by clicking the following link when editing your WordPress Privacy Policy page.
Then click on the "MemberPress" section in the Guide.
For a more detailed description of what data MemberPress collects, processes, or shares, please review this article.
Note: You may be required to add DPAs (Data Processing Addendums) to your Privacy Policy if you use 3rd party payment gateways, analytics software, or email marketing services which also store and/or process your users' personal information. You would need to contact your 3rd party services to inquire if they provide or need to provide you with a DPA. MemberPress.com does not collect, store or process any information about your members; as such, you do not need a DPA from MemberPress.com.
Right to be Informed
As part of the GDPR, your EU users now have the right to be informed about how you collect, share, process, and otherwise use their personal information.
This information should all be contained in your Privacy Policy (see above).
MemberPress now has a new option that will let you gather consent from your users when they fill out your registration forms. They must check a box that confirms their consent for your business to utilize their personal information as outlined in your Privacy Policy.
To enable this feature you must first have a WordPress Privacy Policy page set up (see above).
Then you can enable the feature from your MemberPress -> Settings -> Account tab.
You can change the text to whatever you'd like. The text between the %'s will be linked to the Privacy Policy page which will open in a new tab when the user clicks on it.
When users register on your site afterwards, they will be presented with this checkbox (unchecked by default) on the signup form. The user must consent to the Privacy Policy before they can register.
When the user signs up, their agreement is logged in the database. You can view it in the User's WordPress Profile.
Right to Data Portability
The GDPR also states that your EU users should be able to see what personal information you have collected about them. WordPress 4.9.6 addresses this with a new "Export Personal Data" feature found in the WordPress -> Tools menu.
MemberPress adds its data (in addition to the user data WordPress and other plugins already export) to this export file, which currently includes the following:
- Address Information (if collected)
- VAT number (if collected)
- Geo-Located Country
Note: We will likely be adding the ability to export your Custom Fields in a future release, as we realize many users will collect things like birthdays, phone numbers, additional names or emails, etc. with their Custom Profile Fields.
Right to be Forgotten
In addition to Data Portability (see above), GDPR also requires that users have a way to request to be forgotten. WordPress 4.9.6 addresses this with a new "Erase Personal Data" feature found in the WordPress -> Tools menu.
When a user requests erasure, WordPress will erase the personal data from the WordPress user and give other plugins and themes an opportunity to also wipe any personal data associated with the user. MemberPress utilizes this feature and will erase the same data mentioned in the list above under the "Right to Data Portability" section. The user's Transactions, Subscriptions, and Events are left in place for historical and reporting purposes.
Note: According to the WordPress developers documentation, this feature does not remove the user account from the site. That is an additional step the site Admin can take if wanted/needed. More Info.
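Custom Fields are not in the export and erasure list above, so a site that stores personal data in them can register its own exporter and eraser with the same WordPress 4.9.6 privacy hooks. The following is an added example, not MemberPress code: the `example_*` names and meta keys are hypothetical placeholders, and it assumes the fields are stored as scalar user meta.

```php
<?php
// Added example, not MemberPress code. Meta keys are hypothetical placeholders
// for scalar user-meta values; replace them with your own custom-field keys.
const EXAMPLE_META = array( 'example_birthday' => 'Birthday', 'example_phone' => 'Phone' );

// Register with the WordPress 4.9.6+ privacy tools (Tools -> Export / Erase Personal Data).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-custom-fields'] = array(
        'exporter_friendly_name' => 'Custom Profile Fields',
        'callback'               => 'example_export_custom_fields',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-custom-fields'] = array(
        'eraser_friendly_name' => 'Custom Profile Fields',
        'callback'             => 'example_erase_custom_fields',
    );
    return $erasers;
} );

function example_export_custom_fields( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    $data = array();
    foreach ( $user ? EXAMPLE_META : array() as $key => $label ) {
        $value = get_user_meta( $user->ID, $key, true );
        if ( '' !== $value ) {
            $data[] = array( 'name' => $label, 'value' => $value );
        }
    }
    $items = array();
    if ( $data ) {
        $items[] = array(
            'group_id'    => 'example-custom-fields',
            'group_label' => 'Custom Profile Fields',
            'item_id'     => 'user-' . $user->ID,
            'data'        => $data,
        );
    }
    return array( 'data' => $items, 'done' => true ); // single page, nothing left to fetch
}

function example_erase_custom_fields( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = false;
    foreach ( $user ? EXAMPLE_META : array() as $key => $label ) {
        $removed = delete_user_meta( $user->ID, $key ) || $removed;
    }
    return array( 'items_removed' => $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

After adding it, run an export and an erasure for a test user from the WordPress -> Tools menu and confirm the fields appear in the export file and are gone from the user's profile afterwards.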
Emails Footer - Privacy Link
MemberPress now allows you to include a link to your Privacy Policy page in the footer of all emails that get sent out by MemberPress. To enable this feature go to the MemberPress -> Settings -> Emails tab and enable the following checkbox.
After enabling that checkbox and saving the settings, all emails sent by MemberPress will include a link to your Privacy Policy page.
What's Coming?
We're continually watching the WordPress GDPR core tickets here: https://core.trac.wordpress.org/query?status=!closed&keywords=~gdpr
As the WordPress team adds new features or alters existing features, we will continue to ensure that MemberPress remains compatible. This article will be updated continually as new features or changes are released.
If you have any questions about the information above please don't hesitate to reach out.