GDPR-compliant Comments with WordPress
With the 4.9.6 release, WordPress has introduced some functions to comply with the General Data Protection Regulation. Unfortunately, the implementation seems reluctant rather than enthusiastic. For comments, you can now enable a checkbox with which the commenter gives permission to store their name, e-mail address and website in their browser for later use. A cookie consent, in other words.
The fact that, when a comment is submitted,
- name, e-mail address and IP address, i.e. personal data, are stored in our database, and
- e-mail address and IP address, personal data as said, are disclosed to Gravatar without the commenter's knowledge
is not addressed at all. And in my opinion this weighs more heavily than setting a cookie with my personal data in my own browser.
That WordPress handles the GDPR so casually has to do, on the one hand, with the fact that we Europeans are really annoying with our data protection laws, right?! On the other hand, personal data, especially on a large scale, in this case big data with referrers, IP addresses and e-mail addresses, represents a considerable value. WordPress is distributed by Automattic, and Gravatar also belongs to Automattic. Shipping an option in WordPress in which Gravatar receives no data by default would therefore be bad for Automattic.
We, however, would rather not afford ourselves the luxury of handling the GDPR casually. We should improve the comment function of our WordPress site with regard to the GDPR. First of all, we need a solid strategy.
A Solid Strategy
The purpose of the GDPR is to ensure transparency and control over personal data. We therefore want to make sure that our commenters know which data we process, and how and why. Let us first look at what WordPress provides out of the box.
For our privacy checkbox, we would like to have the following features:
- A mandatory checkbox confirming that the privacy policy has been read
- Its state is stored in a cookie, depending on the cookie checkbox, so that on later visits it is set automatically, or not at all
Of course we have been using a child theme all along, with wise foresight for exactly such a case. We add the following code to the functions.php of our child theme.
We use the register_pll_strings function in Polylang to register the strings for our checkbox, which we can then edit in multiple languages.
In the custom_comment_consent_field function, we use these strings when injecting our checkbox into the form.
If a confirmation cookie is set, i.e. the commenter has already confirmed and at the same time given permission to store form entries in a cookie in their browser, we automatically set the checkbox to checked.
Checking the Mandatory Field
Since our confirmation checkbox is a mandatory field, we check in verify_policy_consented, before the comment is saved, whether it was actually ticked. If not, we issue an error message. If it was, we write our cookie, provided permission for that was given. If the cookie was declined, we delete our cookie for safety's sake, even if it was never set at all. In terms of processing time, this is often cheaper than first checking whether the cookie was set and only deleting it if it was.
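The three steps above (registering the strings, injecting the checkbox, and verifying the mandatory field before the comment is saved), as an added example for a child theme's functions.php that is not the post's own code. The cookie name `comment_policy_consented`, the field name `policy_consent` and the helper `gdpr_text` are assumed names; `wp-comment-cookies-consent` is the field WordPress 4.9.6 added for its own cookie checkbox.

```php
<?php
// Added example for a child theme's functions.php, not the post's own code.
// Assumed (hypothetical) names: cookie 'comment_policy_consented' and form
// field 'policy_consent'. Polylang's pll_register_string()/pll__() are used
// only when the plugin is active. 'wp-comment-cookies-consent' is the field
// WordPress 4.9.6 added for its own cookie checkbox.

const GDPR_CONSENT_COOKIE = 'comment_policy_consented';

// Register the checkbox strings so Polylang can translate them.
add_action( 'init', function () {
    if ( function_exists( 'pll_register_string' ) ) {
        pll_register_string( 'Consent label', 'I have read the privacy policy and agree to the processing of my data.', 'Comments' );
        pll_register_string( 'Consent error', 'Please confirm that you have read the privacy policy.', 'Comments' );
    }
} );

// Translate through Polylang when present, otherwise return the original.
function gdpr_text( $text ) {
    return function_exists( 'pll__' ) ? pll__( $text ) : $text;
}

// Inject the mandatory checkbox; pre-check it when our consent cookie exists.
function custom_comment_consent_field( $fields ) {
    $checked = isset( $_COOKIE[ GDPR_CONSENT_COOKIE ] ) ? ' checked="checked"' : '';
    $label   = esc_html( gdpr_text( 'I have read the privacy policy and agree to the processing of my data.' ) );
    $fields['policy_consent'] = '<p class="comment-form-policy-consent">'
        . '<input id="policy_consent" name="policy_consent" type="checkbox" value="1" required' . $checked . ' /> '
        . '<label for="policy_consent">' . $label . '</label></p>';
    return $fields;
}
add_filter( 'comment_form_default_fields', 'custom_comment_consent_field' );

// Server-side check before the comment is saved; the HTML "required"
// attribute alone is client-side only and must not be relied upon.
function verify_policy_consented( $comment_post_id ) {
    if ( empty( $_POST['policy_consent'] ) ) {
        wp_die( esc_html( gdpr_text( 'Please confirm that you have read the privacy policy.' ) ), '', array( 'back_link' => true ) );
    }
    $secure = is_ssl();
    if ( ! empty( $_POST['wp-comment-cookies-consent'] ) ) {
        // Commenter allowed cookies: remember the consent for a year (HttpOnly).
        setcookie( GDPR_CONSENT_COOKIE, '1', time() + YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
    } else {
        // Cookies declined: expire ours unconditionally, even if it was never set.
        setcookie( GDPR_CONSENT_COOKIE, '', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
    }
}
add_action( 'pre_comment_on_post', 'verify_policy_consented' );
```

The `pre_comment_on_post` action runs in wp-comments-post.php before the comment is written, so `wp_die` there rejects the submission and `setcookie` still works because no output has been sent.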
Certainly the whole of Europe laughs at us Germans because we actually take the GDPR seriously. In Germany, however, the situation is special because of our competition law and the cease-and-desist warnings that result from it. I have re-enabled comments only with the variant described here, which in my opinion is bulletproof: Gravatar approval and confirmation that the privacy policy has been read.
We could now take the consent procedure further by recording the ticked checkbox in the comment metadata, in order to be able to prove that the data subject has consented to the processing of his or her personal data (Art. 7 (1) EU GDPR). In my opinion, however, this already happens when the data subject submits the comment in full knowledge of the privacy policy. In addition, data subjects can revoke consent they have explicitly given; in that case, we legitimize the processing through our legitimate interest anyway.
What do you think about GDPR-compliant comments? No problem at all, or have you deactivated the comment function? If you'd like to read more about the GDPR, check out this great article over at Cloudwars!