VIP and the GDPR

Europe’s General Data Protection Regulation (aka GDPR) is a new and far-reaching privacy regulation that takes effect in May 2018.

This page provides information about the law and our plans for implementing the GDPR’s important principles for WordPress VIP’s products and services, including WordPress.com and VIP Go. We are currently working to add features to enhance user choice and bring more transparency to our practices around the collection, storage, and use of your data.

For example, for your convenience, we now have a VIP data processing addendum available. If your company is exploring how to confirm vendor GDPR compliance, this document can help as it addresses the particular nuances of hosting services.

WordPress VIP products and services will be in compliance with GDPR requirements and will meet the dates as determined by the European Union. Our parent company Automattic is currently preparing all of its services offerings, including Jetpack, for GDPR compliance as well. (Please note that the GDPR readiness of third-party plugins is the responsibility of their respective owners.)

We’ll also provide additional tools and information so that users of our services can take the steps needed to comply with the law, if necessary.

What is it?

The GDPR, among other things, requires companies and site owners to be transparent about how they collect, use and share personal data. It also gives individuals more access and more choice when it comes to how their own personal data is collected, used, and shared.

It’s important to understand that while the GDPR is an EU law, its requirements apply to all sites and online businesses who collect, store, and process personal data about residents of the EU.

You can read the full text of the law here. We also found these resources helpful in understanding the principles and specific requirements of the law:

Shared Principles

User privacy is critically important to us at WordPress VIP. Our privacy principles align with many of the GDPR principles, and we built our products and services with those principles in mind.

For example:

  • Data minimalism. When you sign up for WordPress.com, we ask only for limited information needed to set up your WordPress.com account. We require an email address and a username, nothing more. If you purchase a paid plan, we’ll need additional information to process your payment. You are welcome to add other information to your public profile and account settings, but we don’t require you to give us any other personal information to get your account up and running.
  • Control of Your Content. We aim to give you as much control as possible over who can see your content. The Privacy Settings give you choices to make your site public, private, or hidden from search engines. And Page Visibility gives you options about who can see specific pages on your site.
  • Strict Guidelines on Providing User Information to Governments. We understand that safeguarding our users’ private information is a vital aspect of the trust our users place in our services to keep them safe, and in some cases, anonymous. Our Legal Guidelines describe when we will disclose user information in response to requests from law enforcement or from complainants in civil litigation. (And we have a reputation for challenging overbroad requests; for example, we successfully argued to lift non-disclosure orders on National Security Letters from the U.S. government that prohibited us from revealing information about those requests to our users.)
  • Your Security is Our Priority. While no online service can ever be 100% secure, we work very hard to protect your information from unauthorized access. We support and promote encryption of user data, and we encrypt all traffic (served over SSL) for all WordPress.com VIP sites by default. You can read more about our WordPress.com security features and Jetpack Security Features. We also require you to use our advanced security settings, like Two Step Authentication for your WordPress.com account, or to connect to corporate authentication systems, to help protect your account and your data.
  • WordPress Sites are Portable. Your site is yours and your content belongs to you.

Plugins

Users on our platform use customizations and plugins to extend the functionality of core WordPress. Ultimately, as a site operator, you are responsible for the data you collect and the plugins you deploy. We do provide guides that detail how WordPress and many of our plugins collect data, including Jetpack, in our documentation. You have full control of the data you manage and collect.

WordPress 4.9.6 Tools

There are four new GDPR tools in WordPress version 4.9.6: a privacy policy page, a privacy policy editing helper, a personal data export tool, and a personal data erasure tool.

You can learn more about the release schedule and current feature set for WordPress 4.9.6 on the WordPress.org site.
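Because site operators remain responsible for the data their plugins collect, a plugin that keeps personal data outside the core WordPress tables has to register with the 4.9.6 export and erasure tools, or that data will be missed when a request is fulfilled. The following is an added example, not WordPress VIP or WordPress core code, showing how a hypothetical plugin hooks into the three developer-facing pieces: the privacy policy helper (`wp_add_privacy_policy_content`), the personal data exporter filter (`wp_privacy_personal_data_exporters`), and the personal data eraser filter (`wp_privacy_personal_data_erasers`). The table name `{$wpdb->prefix}example_signups`, its columns, and the `example` text domain are assumptions for the example.

```php
<?php
/**
 * Added example (not WordPress VIP code): wiring a hypothetical newsletter
 * plugin into the WordPress 4.9.6 privacy tools. Assumes the plugin stores
 * signups in a custom table {$wpdb->prefix}example_signups with the columns
 * id, email, ip and created.
 */

// 1. Privacy policy helper: suggest text for the site's privacy policy page.
add_action( 'admin_init', function () {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // WordPress older than 4.9.6 has no privacy tools.
    }
    wp_add_privacy_policy_content(
        'Example Signups',
        '<p>' . esc_html__( 'When you subscribe, we store your email address and the IP address used to subscribe.', 'example' ) . '</p>'
    );
} );

// 2. Personal data exporter: return every row held for the requested address.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => __( 'Example Signups', 'example' ),
        'callback'               => 'example_signups_exporter',
    );
    return $exporters;
} );

function example_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_signups';
    // Parameterised query: the email address comes from an untrusted request.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email, ip, created FROM {$table} WHERE email = %s", $email_address ),
        ARRAY_A
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-signups',
            'group_label' => __( 'Newsletter Signups', 'example' ),
            'item_id'     => 'signup-' . $row['id'],
            'data'        => array(
                array( 'name' => __( 'Email', 'example' ),      'value' => $row['email'] ),
                array( 'name' => __( 'IP address', 'example' ), 'value' => $row['ip'] ),
                array( 'name' => __( 'Signed up', 'example' ),  'value' => $row['created'] ),
            ),
        );
    }

    // One address yields few rows, so a single pass is enough; larger stores
    // should honour $page and return 'done' => false until exhausted.
    return array( 'data' => $export_items, 'done' => true );
}

// 3. Personal data eraser: remove the rows once an erasure request is confirmed.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => __( 'Example Signups', 'example' ),
        'callback'             => 'example_signups_eraser',
    );
    return $erasers;
} );

function example_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_signups';
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE email = %s", $email_address )
    );

    // WordPress records these flags in the request log; if legal retention
    // required keeping a row, set items_retained and explain in messages.
    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

The callbacks only run after the site administrator has verified the requester's email address through the Tools > Export Personal Data and Tools > Erase Personal Data screens, so the plugin never has to judge the legitimacy of a request itself; it just has to report and remove everything it holds for the confirmed address.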