Whether you are building a website for yourself or for a client, you have probably run into WordPress. WordPress is a free and open source content management solution that can be used to build websites with a wide variety of features, from a simple blog to a complex online store and everything in between. WordPress has long been one of the favorites of website builders, not only due to its ease of use and adaptability to your needs, but also for its large and supportive community. This community regularly meets at WordCamps to share knowledge, make new friends, and volunteer to work on the WordPress project.
One relatively new feature of WordPress is the ability to create a Privacy Policy using WordPress’ Privacy Policy template. WordPress’ team of volunteers that has created this template is full of wonderful and knowledgeable individuals. The template is meant to raise awareness of the requirement for websites to have a Privacy Policy and it does a phenomenal job at raising such awareness. However, how does the template stack up to actual privacy law requirements? Keep reading to learn more about WordPress’ Privacy Policy solution, whether it actually complies with privacy laws that can apply to you, and whether using it can subject you to privacy-related fines and lawsuits.
To access the WordPress Privacy Policy template, log in to your admin dashboard, click “settings”, select “privacy”, and click “create new page.” The first and perhaps most important issue with the template is that it does not help you determine what privacy laws apply to you, nor does the template state what privacy laws it helps you to comply with. There are several privacy laws in the United States and the rest of the world that may require your website to have a Privacy Policy. Each of these privacy laws has very specific requirements as to what a Privacy Policy needs to contain. As with any compliance effort, the first step is to determine what laws actually apply, and then a Privacy Policy is created to ensure that the disclosure requirements of these laws are met.
As WordPress’ Privacy Policy template does not help you determine what privacy laws apply to you, nor what privacy laws the template attempts to comply with, it is up to you to determine:
- What privacy laws you need to comply with; and
- Whether the template actually meets the disclosure requirements that apply to you.
It is important to note that just these first two tasks could potentially take up hours of your time if you are attempting to complete them without help.
Since the template does not state what privacy laws it helps you comply with, the following chart analyzes WordPress’ Privacy Policy template against the requirements of the following privacy laws:
- California Online Privacy and Protection Act of 2003 (CalOPPA);
- California Consumer Privacy Act (CCPA);
- Delaware Online Privacy and Protection Act (DOPPA);
- Nevada Revised Statutes Chapter 603A;
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act 2018 (UK DPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA); and
- Australia Privacy Act of 1988.
| Disclosure requirement | Required by which law(s)? | Does WordPress’ Privacy Policy template include this disclosure? |
| Effective date | CalOPPA, DOPPA and Nevada Revised Statutes Chapter 603A | No |
| Your name and contact information | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, PIPEDA, and Australia Privacy Act of 1988. | No, although the WordPress Privacy Policy Guide recommends that you should include this information. |
| What Personally Identifiable Information you collect (note that some privacy laws require you to disclose the categories of PII that you collect, while others state that you need to provide the specific pieces of PII that you collect) | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988. | Yes |
| Sources from which you collect PII | CCPA, PIPEDA, and Australia Privacy Act of 1988. | No |
| Purposes for which you will be using the PII | CCPA, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988. | No |
| Whether you share PII and, if you do, the categories of third parties with whom you share the PII | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act 1988. | No, although the WordPress Privacy Policy Guide recommends that you should include this information. |
| How your website responds to Do Not Track Signals | CalOPPA and DOPPA | No |
| How you will notify users of changes to your Privacy Policy | CalOPPA, DOPPA, and Nevada Revised Statutes Chapter 603A | No |
| Whether you sell PII and, if you do, what rights consumers have regarding such sales | Nevada Revised Statutes Chapter 603A and CCPA | No |
| The privacy rights afforded to consumers | CCPA, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988. | Yes. However, the suggested text does not include the full list of privacy rights afforded by each of these laws. |
| How consumers can exercise their privacy rights | CCPA, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988. | No, although the WordPress Privacy Policy Guide recommends that you should include this information. |
| How consumers can make a complaint to the relevant authorities about your privacy practices | GDPR, UK DPA 2018, and PIPEDA | No |
| Legal bases for processing PII | GDPR and UK DPA 2018. | No, although the WordPress Privacy Policy Guide recommends that you should include this information. |
| How long you store PII | GDPR, UK DPA 2018, and Australia Privacy Act of 1988. | Yes. The template states that certain PII is retained indefinitely, which can be a violation of GDPR’s data storage requirements. |
| Whether you plan on using PII for direct marketing purposes and, if you do, how consumers can opt out of such direct marketing | GDPR, UK DPA 2018, and Australia Privacy Act of 1988. | No |
| Whether you plan on using PII for automated decision making and profiling. If you do, you must disclose the logic underlying such processing. | GDPR and UK DPA 2018. | No, although the WordPress Privacy Policy Guide recommends that you include this information. |
| Whether you plan on transferring PII to a third country | GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988. | No, although the WordPress Privacy Policy Guide recommends that you include this information. |
| If you have a Data Protection Officer, their name and contact details | GDPR and UK DPA 2018. | No, although the WordPress Privacy Policy Guide recommends that you include this information. |
| How you protect the PII that you collect | PIPEDA and Australia Privacy Act of 1988. | No, although the WordPress Privacy Policy Guide recommends that you include this information. |
| Your other policies, procedures, standards and codes | PIPEDA | No |
| Your use of cookies and other tracking technologies | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988. | Yes |
| Whether you are required to collect the PII by an Australian law, court or tribunal order. | Australia Privacy Act of 1988. | No |
| Whether you subscribe to any Australian Privacy Codes and if so, which ones. | Australia Privacy Act of 1988. | No |
| Whether you participate in any Australian external privacy dispute resolution scheme and if so, which one. | Australia Privacy Act of 1988. | No |
| Whether you combine or link other PII that you hold about an individual. | Australia Privacy Act of 1988. | No |
As you can see from the chart above, WordPress’ Privacy Policy template does not include the disclosures required by any privacy laws. Thus, if you need to comply with one or more privacy laws and use this template, you would not be in compliance and would be at risk for privacy-related fines and complaints. The following can serve as illustrative examples as to why this Privacy Policy template should not be used:
- The template states that you will export any PII that the user has provided to you and delete any PII upon request. If you do not need to comply with certain privacy laws, you would not be obligated to erase or give access to PII, which is a fairly big obligation. Fulfilling this obligation would require you to do an overhaul of your operations, including training staff, figuring out how to actually delete PII, and responding to requests. On the other hand, if you do need to comply with a privacy law that provides consumers with privacy rights, your Privacy Policy needs to list all of the privacy rights that consumers have. This Privacy Policy template fails to provide that full list.
- While the template starts off by providing suggested text, multiple paragraphs toward the end consist of nothing more than a title. While a guide is provided, you are responsible for filling out most, if not all of this Privacy Policy template yourself. This endeavor could literally take you days. And, at the end of the process, you could still end up with a Privacy Policy that does not contain all of the required disclosures.
- The suggested text includes language that is in direct violation of certain privacy laws. For example, the suggested text states that certain PII is retained indefinitely. However, this is in direct violation of the GDPR, which requires PII to be kept for a certain time period only (e.g. 1 year) or to state the criteria that will be used to determine the storage period for PII (e.g. we retain your PII until you unsubscribe from our emails).
Finally, the WordPress Privacy Policy template states that you are responsible for keeping it up to date with changing and new privacy laws. The template will not update, nor will you receive a notice when new privacy laws are enacted that require changes to that Privacy Policy. With over twenty privacy bills that have been proposed in the United States, keeping track of these bills and updating your Privacy Policy yourself will be a very time consuming task. Most small businesses simply do not have the time, nor the resources to keep their Privacy Policy up to date themselves.
WordPress’ Privacy Policy solution is unfortunately lacking in the key areas necessary to comply with the various privacy laws that can apply to your small business website. Using the template means that you are putting yourself at risk of privacy-related fines and lawsuits. And, at $2,500 per violation (per website visitor) or more, the amount of fines that you could be subject to further emphasizes the fact that a free Privacy Policy template created by a team of volunteers is not appropriate for business websites. This template will consume much of your time and resources in setting it up and keeping it up to date, making it a non-viable bandaid to your problem of complying with privacy laws now and in the future. If you are serious about privacy compliance, speak with a privacy attorney or consider using a Privacy Policy generator.
Hans is the Vice President of Termageddon, an auto-updating website policies generator. With Termageddon, you can generate a comprehensive set of policies for your website, and then receive automatic updates to your policies when the laws change. When not working on Termageddon, you can find Hans gardening, beekeeping, fishing or taking care of his chickens.
