April is WordPress Plugin Privacy Audit Month

With fewer than 45 days until the game-changing EU GDPR law takes effect, it is a good time for WordPress administrators to do a privacy review of the plugins they have installed on their site. The results of that review will help you create or update a privacy policy for your site – a must-have for any modern web presence.

Administrators are well advised to first deactivate any plugins they no longer need – a good security practice in itself. But don’t delete them right away! If you suspect that a plugin might have collected personal data, you’ll want to contact the developer and make sure that deleting the plugin will also clean up any personal data it collected.

Next, administrators should review the privacy policy for each plugin. Most plugin developers haven’t written one – privacy by design is a new concern for many software developers – so you will probably have to contact each developer and ask them directly. Here are the questions you’ll want answered:

  • What data the plugin collects from site users and visitors
  • What the plugin does with the data / why the data is collected
  • What third parties the plugin shares the data with
  • Where the plugin stores data (both on the site itself and on any cloud-based resource) and how access to the data is protected
  • How long the plugin retains the data
  • What options administrators and users have about data collection and use
  • How the administrator or users can access, update or delete the data the plugin collects
  • Assurance that, when deleted, the plugin also cleans up any data it collected

Happy Spring Cleaning and Privacy Policy writing!