When I signed into Twitter today, they informed me of “Important Updates” – which take effect on May 25, 2018 (coincidentally the same day the GDPR takes effect, but the GDPR is not mentioned).
Instead of the lovely bold “Got It” button, I went for the “Review settings” link below it in fine print:
I was surprised how much was enabled:
But not anymore!
Props to Twitter for 1) notifying me of the changes when I log in, 2) providing a link to review the settings (even though it was tiny, it was there) and 3) making it easy for me (even as a non-EU resident) to opt out of individual uses of my personal data. You’ve set an example for others to follow.
Administrators are well advised to first deactivate any plugins they no longer need – a good security practice in itself. But don’t delete them right away! If you suspect that a plugin might have collected personal data, you’ll want to contact the developer and make sure that deleting their plugin will also clean up any personal data it collected.
What data the plugin collects from site users and visitors
What the plugin does with the data / why the data is collected
What third parties the plugin shares the data with
Where the plugin stores data (both on the site itself and on any cloud-based resource) and how access to the data is protected
How long the plugin retains the data
What options administrators and users have about data collection and use
How the administrator or users can access, update or delete the data the plugin collects
Assurance that, when deleted, the plugin also cleans up any data it collected
With the GDPR deadline looming, it is an excellent time for WordPress plugin developers to finish adding or updating that often skipped, often neglected plugin uninstall code – you know, the “clean-up” code that deletes options and meta data and tables that the plugin added to the site?
There are, of course, other aspects of the GDPR that apply to the way plugins handle personal data or expose site visitors to data collection by 3rd parties, and solutions to those are coming in WordPress core (see below), but this area (data clean-up on plugin deletion) is one area that developers can attend to now if they haven’t already.
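An `uninstall.php` of the kind described above, as an added example that is not from the original post or from any real plugin. Every `myplugin_` option, meta key and table name is a hypothetical placeholder for whatever the plugin actually created; the multisite loop goes slightly beyond the post to cover network installs, where each site has its own options and tables.

```php
<?php
// uninstall.php, placed in the plugin's root folder. WordPress runs this file
// when an administrator deletes the plugin. All "myplugin_" names are hypothetical.

// Refuse to run unless WordPress itself started the uninstall.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
	exit;
}

/**
 * Remove everything the plugin stored for the current site.
 */
function myplugin_cleanup_site() {
	global $wpdb;

	// Options the plugin added.
	delete_option( 'myplugin_settings' );
	delete_option( 'myplugin_db_version' );

	// Post meta the plugin wrote: object ID 0 plus $delete_all = true
	// removes the key from every post, not just one.
	delete_metadata( 'post', 0, '_myplugin_visitor_email', '', true );

	// Custom table the plugin created. The name is built from the site
	// prefix and a fixed string, never from request input.
	$table = $wpdb->prefix . 'myplugin_submissions';
	$wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
}

if ( is_multisite() ) {
	// 'number' => 0 lifts the default limit of 100 sites.
	$site_ids = get_sites( array( 'fields' => 'ids', 'number' => 0 ) );
	foreach ( $site_ids as $site_id ) {
		switch_to_blog( $site_id );
		myplugin_cleanup_site();
		restore_current_blog();
	}
	// Network-wide settings are stored separately from per-site options.
	delete_site_option( 'myplugin_network_settings' );
} else {
	myplugin_cleanup_site();
}

// User meta lives in one table shared by all sites, so clear it once.
delete_metadata( 'user', 0, 'myplugin_tracking_consent', '', true );
```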
Not a bad overview at all – I think it is useful to clarify that:
the GDPR covers not EU citizens but EU residents, and
data portability (Article 20) requires being able to request and send a machine-readable copy of data to another controller but doesn’t require that controller to have software ready to actually read it.