Hey there! If you’re diving into the digital world, you’ll know how big a deal data privacy is these days. Ever heard of the General Data Protection Regulation (GDPR)? It’s this EU law thing that’s all about keeping people’s data safe. And if you’re a WordPress user, WordPress GDPR compliance is a must-know. Don’t sweat it; I’ll break it down for you, especially if you’re using Ninja Forms.
So, what’s GDPR Compliance and where does WordPress fit in?
Back in May 2018 (the 25th, to be exact), GDPR kicked in. In simple terms, it says businesses should let folks see their personal data and, if they want, delete it. That’s what they call the Right to Access and the Right to Be Forgotten. Cool, right? If GDPR still sounds like Greek to you, maybe check out an article we wrote before. It’ll clear things up.
Here’s the thing: WordPress got on the GDPR train with some new updates. Pop into ‘Tools’ in your dashboard, and you’ll spot ‘Export Personal Data’ and ‘Erase Personal Data’.
With these, you can look up data by email or username and decide to share or delete it. But heads up! This only handles data from basic WordPress stuff. Plugin data, say from form submissions, is another story unless the plugin peeps have added that feature.
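What "adding that feature" involves on the plugin side, as an added example that is not Ninja Forms code: a plugin registers an eraser callback on WordPress's `wp_privacy_personal_data_erasers` filter and anonymizes its own stored fields. The post type, meta keys and field list are hypothetical.

```php
<?php
// Added example, not Ninja Forms code; post type, meta keys and fields are hypothetical.
const EXAMPLE_SUBMISSION_TYPE = 'example_submission';
const EXAMPLE_EMAIL_KEY       = 'example_submitter_email';
// Fields marked as personal data => wp_privacy_anonymize_data() type.
const EXAMPLE_PERSONAL_FIELDS = array(
	'example_name'  => 'text',
	'example_phone' => 'text',
	'example_ip'    => 'ip',
);

// Register the eraser so Tools > Erase Personal Data calls it.
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );

function example_register_eraser( $erasers ) {
	$erasers['example-forms'] = array(
		'eraser_friendly_name' => 'Example form submissions',
		'callback'             => 'example_erase_submissions',
	);
	return $erasers;
}
// WordPress calls this repeatedly, incrementing $page, until 'done' is true.
function example_erase_submissions( $email_address, $page = 1 ) {
	$batch = 100;
	// Always read the first batch: anonymized rows stop matching the email,
	// so $page is not used as an offset. 'any' would skip trashed posts.
	$ids = get_posts( array(
		'post_type'      => EXAMPLE_SUBMISSION_TYPE,
		'post_status'    => array( 'publish', 'trash' ),
		'posts_per_page' => $batch,
		'fields'         => 'ids',
		'meta_key'       => EXAMPLE_EMAIL_KEY,
		'meta_value'     => $email_address,
	) );
	foreach ( $ids as $id ) {
		// Anonymize only the marked fields; other answers stay untouched.
		foreach ( EXAMPLE_PERSONAL_FIELDS as $key => $type ) {
			$old = get_post_meta( $id, $key, true );
			update_post_meta( $id, $key, wp_privacy_anonymize_data( $type, $old ) );
		}
		update_post_meta( $id, EXAMPLE_EMAIL_KEY, wp_privacy_anonymize_data( 'email', $email_address ) );
	}
	return array(
		'items_removed'  => count( $ids ) > 0,
		'items_retained' => false,
		'messages'       => array(),
		'done'           => count( $ids ) < $batch,
	);
}
```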
Ninja Forms jumped in with a solution. We rolled out these templates called ‘Delete Data Request’ and ‘Export Data Request’. Connect them with WordPress, and voilà!
If someone asks for their data, you’ll see it pop up in ‘Tools’. A click and you’re done! Plus, Ninja Forms lets you label data fields. So when someone asks to delete their data, you can just make it anonymous and keep the rest untouched.
Ninja Forms WordPress GDPR Compliance features
- Automate GDPR data management with Store Submission
- Customize as needed: easily add Export/Delete options to any WordPress form
- Easily mark fields as personal data
- Customize your data collection with selective field saving
- Set submission data to expire on a timer
1. Automate GDPR data management with Store Submission.
We’ve revamped the Record Submission action for easier user data management and automated compliance. Now, both registered and non-registered WordPress users can auto-process Export and Delete Data requests. Find this in your Emails & Actions tab!
Simply link the submitter’s email with the form submission using the new request forms.
2. Customize as needed: easily add Export/Delete options to any WordPress form.
Simply map the form’s email field to the Designated Submitter’s Email Address. While you can link it to other fields, we advise using email for seamless export and erase requests.
3. Easily mark fields as personal data.
Fields come with a toggle for designating them as ‘Personally Identifiable Data’. Some default fields are pre-marked, but you can toggle any.
For Delete Data Requests, you can choose to anonymize, not delete. Only marked fields get anonymized; others stay unchanged. Activate this option in the Advanced settings of the Delete Data Request.
4. Customize your data collection with selective field saving.
If a form mixes personal and non-personal data fields, and a user doesn’t consent to share personal details, you can still collect non-personal data. Now, you can individually choose which fields to save to the database.
5. Set submission data to expire on a timer.
By popular demand, we’ve added an option for submission data to auto-expire. Head to the ‘Record Submission’ action under ‘Emails & Actions’ to find this.
Dive into ‘Advanced settings’, activate it, and submissions will auto-delete after 90 days by default. Adjust the duration as you see fit. Expired data lands in ‘Trash’ in Ninja Forms > Submissions, so remember to clear it if you want the data fully gone.
Extra tip: GDPR-ready cookie plugins for WordPress
While Ninja Forms is packed with GDPR tools, we don’t handle Cookie Notices. But don’t worry! Here are some top-notch, GDPR-friendly cookie plugins to help you display banners and policies on your WordPress site.
- CookieYes – The CookieYes GDPR Cookie Consent plugin will assist you in making your website GDPR (RGPD, DSGVO) compliant by adding a cookie banner to your site.
- Complianz – GDPR/CCPA Cookie Consent – Complianz is a GDPR/CCPA Cookie Consent plugin that supports GDPR, ePrivacy, DSGVO, TTDSG, LGPD, POPIA, APA, RGPD, CCPA/CPRA and PIPEDA with a conditional Cookie Notice and customized Cookie Policy based on the results of the built-in Cookie Scan.
- Cookie Notice & Compliance for GDPR / CCPA
To wrap it up
Nailing the whole GDPR thing with WordPress? It’s a breeze if you’ve got Ninja Forms by your side. True, you’ll need to step in for some stuff, but these tools make it loads easier. Want to learn more about GDPR compliance? Check out our documentation here.
Dustin Stout says:
So, just so I know I’ve got this right…
1. If the user submitting the Delete Data Request form is a “registered” user (meaning they have an account/login for that specific WordPress install) then all one needs to do is head to the Erase Personal Data page in WordPress and click the “Delete” button.
2. If the user submitting the Delete Data Request form is NOT registered (meaning they do not have an account/login on that specific WordPress install) then that submission will just remain in the typical Ninja Forms Submissions location, and we’ll need to see it there, search for that email address in ALL of our Ninja Forms submissions lists and delete every instance manually?
Also, is there any sort of record of these deletions that Ninja Forms is producing? I guess I could just try all this out myself on my dummy sites, but figured it’s worth asking…
(Gosh all this GDPR stuff is a headache… lol)
Quay Morgan says:
Dustin,
Hey! That’s correct. The WordPress Export/Delete feature will identify all data associated with the verified email that’s handled by WordPress core: user meta, comments, etc. Plugins still need to hook into that feature to have it also handle data collected by the plugin. Right now we do in the case of registered users, so submissions data for those users will also be scooped up by the WordPress feature when using one of these forms or actions.
Ninja Forms will do this for non-registered users very soon as well. We’re actively working on that now, but it wasn’t shippable in time for this update. We didn’t want to hold up the rest for that one item, but it should be ready very soon and the registered/non-registered status won’t make a difference. We’re also working on a global submissions search feature to complement that. Afaik there’s no internal record being produced, but I’ll ask our dev team and update if I’m incorrect there 🙂
Cheers,
Quay
Jennifer says:
Is there anything planned about retention/automated deletion? We reuse many of our forms on an annual basis or throughout the year and it would be useful if we could have a function to remove data after a certain period has elapsed, allowing us to comply with the retention periods we advertise on the site instead of doing it manually.
Quay Morgan says:
Yes! I actually just updated the article to reflect this. Look for it to be a standard feature very soon.
Cheers,
Quay
Collins Agbonghama says:
This is awesome. I can’t for the life of me figure why the WP core team left out a frontend form in the GDPR release.
Thanks NF Team for filling the gap with this.
Kim~madeinaday says:
Help! I added these new fields to be able to have my readers submit to remove their info. Which is great by the way. I got a submission today for a “delete data request” and was sent an email alert. I opened the submissions page and now I am unsure of what to do. I hit the delete info button next to the email. Does it send them a message that their info was deleted? Do I need to send them an email that I deleted their info? Do I save the email in the submissions area for proof? I am confused and I guess I need more instruction on what to do once we have a request and if we delete it how do we prove it say if the person decides to take action.
Quay Morgan says:
Kim,
Hey! This is getting into legal advice territory here, so all I can do is speculate, unfortunately. When I tested, I did not receive a confirmation email from WordPress that data was deleted (that process under Tools is a WordPress feature, not Ninja Forms; we just hook into it). I’m honestly not certain if further communication is a legal obligation on your part or not. Article 17 of the GDPR requires a ‘response’ to a request for data erasure within 30 days, but I’m not certain if that is legally met via simply erasing the data, or if further communication is required.
To be on the safe side, I’d tend to say to comply with requests as they come in and keep a detailed record of such. Then consult appropriate legal counsel on the particulars as you’re able. Sorry I can’t be more specific, but I hope that helps. I need to go to law school… :p
Cheers,
Quay
Enda says:
Hi Quay,
If we use the Ninja Forms to run a sign up form that collects sensitive customer info – do Ninja Forms have any access or visibility to that information considering we would be using your plugin to run it?
Thanks,
Enda
Quay Morgan says:
Enda,
Hey! Great question. No, we do not. We never view or record any data collected by your forms. The only data we ever collect, if you specifically opted-in on plugin install, is basic site telemetry like WordPress version, PHP version, and related metrics that help our development team plan. You’re opted out of that by default. If you’re unsure of your status on that, you can view and change it under Ninja Forms > Settings > Advanced Settings > Telemetry.
Cheers,
Quay
Enda says:
That’s great. Thanks for the feedback Quay. Much appreciated.