• Resolved alfaland

    (@alfaland)


    Using your plugin how could we
    – ask users to consent to our Privacy Policy when they enter the site for the first time,
    – ask users to consent to each new revision of the Privacy Policy (when they re-enter the website)
    – and how could we track each of their consents?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hi there!

    > ask users to consent to our Privacy Policy when they enter the site for the first time
    I’m not sure if this is necessary. According to our friends at law office Triniti, using your site implies consenting to the Privacy Policy anyway.
    Have you seen any major sites do this?

    > ask users to consent to each new revision of the Privacy Policy
    Versioning the policy and requiring new consent if the old one is no longer valid is something that’s planned in one of the next releases. We have a lot of work to do with cookies and WordPress v4.9.6 integration, but after that it’s the next priority.

    > and how could we track each of their consents?
    You can currently view consents in each user’s profile or, with the next plugin update (scheduled for tonight), also via Tools > Privacy > Data Subjects. There are also actions triggered on giving and withdrawing consent for custom development, see: https://codelight.eu/wordpress-gdpr-framework/developer-docs/

    Let me know if you have additional questions!

    Sorry, my question was not clear enough.
    When you register you give (at least) your email address. So you should agree to the Privacy Policy first. So you need a checkbox on the Subscription Form / Checkout form, saying I agree with the Privacy Policy. How can we do this with your plugin?

    Hi there!

    It depends on the form. Agreeing to your Privacy Policy is implied by using the website at all. You don’t necessarily need explicit consent to the privacy policy in case of newsletter or contact forms (although it would be good to mention the terms).

    As for a checkout page – yes, in this case it’s needed. Your checkout page probably has the Terms & Conditions checkbox anyway. So as a shortcut, you can write in your T&C that this also includes the Privacy Policy.

    If you’re talking about WooCommerce, we’ll start tracking the checkout T&C consents at some point as well.

    Obtaining clear and unambiguous consent in advance of collecting personal data is mandatory. Implied consent and consent given simply by visiting a site is not enough!!!

    We need a consent for the Privacy Policy on all forms that collect personal data:
    – on the new user registration form on My Account page
    – contact form, comments form, product reviews form
    – on the checkout form next to the Terms and Conditions checkbox

    When we update our Privacy Policy the users must be informed and asked for a re-consent.

    Every 12 months, the consent should be renewed upon the user’s first visit to the site.

    And one more thing: all consents must be logged.

    You are somewhat correct, but it’s not that bad. There is a lot of gray area and a lot of things depend on the context.

    We will definitely not require visitors to accept the privacy policy before being able to visit the site (unless there is a court precedent or until someone gets fined for not doing this). This would defeat the whole point of GDPR if you’d have a privacy policy popup on each and every website – users would just mindlessly click ‘accept’ and ignore the contents or alternatively, leave. So this is something that most likely will not be included in the scope of this plugin because it is (1) not required and (2) drives away visitors.

    As for cookies – even more conservative groups such as the ICO accept that some essential cookies do not require explicit consent – see for yourself: https://ico.org.uk/media/for-organisations/documents/1545/cookies_guidance.pdf

    However, their statements are not to be interpreted as the law – this is just an opinion. I’m still working on gathering info on cookie compliance, but I’m leaning towards not having to ask for consent on Google Analytics for example. Analyzing this in the spirit of GDPR, the risk to users is negligible when using anonymized data. It currently looks like the ICO has a different viewpoint, but again, we’ll keep an eye out on court decisions.

    > We need a consent for the Privacy Policy on all forms that collect personal data:
    I also do not agree with this (and the lawyers at Triniti don’t agree either). Nowhere in GDPR does it say that you need explicit consent to Privacy Policy – or does it?

    As for logging consents and re-consent, you are completely correct.

    After I have the same password entered twice profile update when GDPR Framework is enabled issue solved (I opened another thread about this), I would like to use GDPR Framework to track user consent.

    Thing is: On the blog I administrate only I can create users. So someone asks me to create a user and then… I create it. But then I did not have a formal and recorded agreement to privacy policy. So I would like if the user is asked on first login to agree to the privacy policy. For registered users – not for unregistered site visitors – I am not sure whether assuming consent is enough. I think for removing the consent users should be asked to delete their data.

    Currently I require users to add their agreement in their biography field which is not very convenient. I could of course also set up a restricted page where users need to comment something and check the privacy policy checkbox, but this is also not very convenient.

    How would this work:
    1) set up a form using Contact Form 7
    2) create a required ‘acceptance’ type checkbox with the machine-readable name ‘privacy-policy’
    3) have the users enter their user creation requests through that form

    We’re going to add consent tracking to Gravity and Formidable as well. I’m not quite sure when exactly, but at some point it will be possible to use them as well.

    P.S. if you do this, please make sure to test if it works properly 🙂

    Forgot to add: you’ll want to create the user with the same email address you collect from the CF7 form. The consents are tracked not per user but per email address, so it doesn’t matter if the user exists or doesn’t exist yet.
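
Added example, not part of the thread and not the plugin's code: a minimal append-only consent log keyed by email address, as the last reply describes, that reports when a fresh consent is needed for the reasons raised above (never given, withdrawn, policy revised, older than 12 months). All class names, status strings, form names and sample records are constructed for illustration; treating 12 months as 365 days and comparing addresses case-insensitively are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RENEWAL = timedelta(days=365)  # assumption: "every 12 months" taken as 365 days

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    policy_version: int
    action: str        # "given" or "withdrawn"
    at: datetime
    source: str        # which form collected it (hypothetical names)

class ConsentLog:
    """Append-only: events are added in time order, never edited or deleted."""
    def __init__(self):
        self._events = []

    @staticmethod
    def _key(email):
        # assumption: addresses are compared trimmed and case-insensitively
        return email.strip().lower()

    def record(self, email, policy_version, action, at, source):
        if action not in ("given", "withdrawn"):
            raise ValueError(f"unknown action: {action!r}")
        self._events.append(
            ConsentEvent(self._key(email), policy_version, action, at, source))

    def history(self, email):
        return [e for e in self._events if e.email == self._key(email)]

    def status(self, email, current_version, now):
        """Return 'valid' or the reason a fresh consent must be requested."""
        events = self.history(email)
        if not events:
            return "never_given"
        last = events[-1]  # most recent event for this address
        if last.action == "withdrawn":
            return "withdrawn"
        if last.policy_version != current_version:
            return "policy_revised"
        return "expired" if now - last.at >= RENEWAL else "valid"

def demo():
    # Constructed sample data: policy v2 is current, "now" is 2019-06-01.
    log, now = ConsentLog(), datetime(2019, 6, 1)
    log.record("Ann@Example.com", 2, "given", datetime(2019, 1, 10), "cf7-account-request")
    log.record("bob@example.com", 1, "given", datetime(2018, 5, 25), "checkout")
    log.record("cat@example.com", 2, "given", datetime(2018, 5, 30), "registration")
    log.record("dan@example.com", 2, "given", datetime(2019, 2, 1), "registration")
    log.record("dan@example.com", 2, "withdrawn", datetime(2019, 3, 1), "profile")
    return {n: log.status(f"{n}@example.com", 2, now) for n in ("ann", "bob", "cat", "dan", "eve")}
```

Because the key is the address and not a user ID, the consent recorded from the account-request form still applies once the account is created with that same address.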

  • The topic ‘ask for Privacy Policy consent and track consents’ is closed to new replies.