Support » Plugin: Wordfence Security - Firewall & Malware Scan » Your Privacy Policy & GDPR compliance???

  • Resolved lalaloo

    (@lalaloo)


    Accepting your new Privacy Policy is a very serious matter for us. And we have questions. I am not a legal specialist, so I am more than willing to eat my words if I am wrong anywhere. But closing a thread and deleting posts with very valid questions from a number of worried customers is not acceptable.

    This thread : https://wordpress.org/support/topic/https-www-wordfence-com-privacy-policy/
    The fact that you chose to delete the better part of the conversation (a very serious conversation) from this thread is worrying. You would also have noted that the thread poster agreed with what was being questioned about your Privacy Policy. After all, your clients are subject to a €20 million fine for not complying with the GDPR, and all the questions in that thread are extremely important to clarify.

    (PS to @kerry on that thread: Are you saying you didn’t change some of the wording in your Privacy Policy in the last 24 hours?)

    So, I’ll go thru some of them one more time :

    In your Privacy Policy :
    Automatically Collected Information.
    You say : We may automatically collect information using various mechanisms, including but not limited to cookies and pixels.

    GDPR compliance : You are required to tell clients exactly how you gather information. The “including but not limited to” bit is not compliant with the GDPR.

    Pixel tracking.
    Per your Privacy Policy : ““Pixels” are tiny graphics with a unique identifier that are used to track the online movements of web users. Unlike cookies, which are stored on a computer’s hard drive, pixels are small graphics that are about the size of the period at the end of the sentence that are embedded invisibly on web pages or in HTML-based emails. Our third-party analytics providers may place pixels on the Site that track what other websites you visit (both before and after visiting the Site). Our third-party analytics providers use information obtained from pixels to help us improve our business and the Service. We do not control the use of pixels by third parties.”

    GDPR compliance : By “the site” I guess you mean YOUR site. Not MY site. And you also say these tracking pixels will be included in HTML emails. To whom? From whom? Emails sent out from you to me, your customer? Or does it also include emails sent out to my clients by my site?

    Per your Privacy Policy, if I accept this clause in your Privacy Policy, I am legally obliged to tell my site’s visitors that my site runs plugins like Wordfence that have an anonymous 3rd party tracking them before and after visiting my website??? You serious??

    Furthermore, if WF is adding pixels to my website, then I, the webmaster, am officially the “data controller”, which means that I must legally get consent from my site’s visitors to gather their user data BEFORE the pixel is fired, regardless of my agreement with you as your customer.

    Your Privacy Policy has not made this clear to your customers and there seem to be many who are blindly agreeing to your new Policy without realising they are setting themselves up for legal trouble.

    “Do Not Track” Settings
    Your clause on this matter is not GDPR compliant. Too vague.
    And, again, what are you referring to? Visitors to YOUR site? Or visitors to MY site, as your client??

    Information Retention.
    Is this clause really GDPR compliant? Especially the last line…

    Affiliated Entities and Service Providers.
    Again, not sure if it affects me, as your client, or, if it also affects visitors to my site. And how do I, the webmaster, comply with “The right to be forgotten” clause of the GDPR?

    Users have a right to demand a copy of every bit of data that is collected about them. Users will also have to be provided a copy of their data. So, how do I legally comply with this if WF grabs this data from my site? And then shares it with 3rd parties that I, the webmaster, can’t even name?

    Your Privacy Policy is so confusing from a webmaster’s perspective that I don’t even know how to attempt to add this to our site’s Privacy Policy.

    You have now added a “Defiant Data Processing Agreement” where you are basically asking your clients who receive EU traffic to legally assume all risk. There’s a 20-page agreement that I must contract a lawyer to guide me through?? Seriously?

    Please also reply to all the other customers with very serious and valid questions, like :
    https://wordpress.org/support/topic/wordfence-sub-processors/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Wordfence

    (@mmaunder)

    Hi there,

    We do not have the ability to delete posts. A moderator did that. That moderator is not a member of our team. They are a volunteer.

    We did not change our privacy policy or DPA, as you have suggested.

    I think the confusion here is that you are reading our Privacy Policy which applies to the plugin AND our website. Our website does not specifically target European customers and we are not based in the EU, and so our own website is held to different compliance standards.

    The Wordfence plugin is what you are concerned about because that is what you are running on your own website. Our plugin is GDPR compliant. As Kerry previously pointed out to you, if you want to understand what data we collect and who we share it with via the Wordfence plugin, all that information is in the DPA (data processing agreement). We are very clear on who we use to store data and what the vendor names are. It’s also important for you to understand that we aren’t “sharing” data with outside marketing companies via the plugin. Instead, we use these services, like AWS, to provide the functionality of the plugin. e.g. we have to store some data on disk, and in some cases we use Amazon Web Services for that. They are GDPR compliant, they are a sub-processor of ours, and if you have a user request deletion, we ensure that our sub-processors delete that data.

    I also think there is some misunderstanding on your part. You said:

    “You have now added a “Defiant Data Processing Agreement” where you are basically asking your clients who receive EU traffic to legally assume all risk. There’s a 20-page agreement that I must contract a lawyer to guide me through?? Seriously?”

    This is how the GDPR works. If you are required to be GDPR compliant, are a data controller with a website that users visit and you use services that process user data to provide things like security, email services, blog comments, data analytics etc, you need to have a DPA with those data processors. We are a data processor and you are a data controller. To establish that relationship under GDPR, we have a DPA that we both sign.

    I should add that our organization has spent hundreds of hours working with one of the best law firms in the world to become compliant. This included a comprehensive data audit, removing sub-processors who are not GDPR compliant, ensuring that we clearly list our compliant sub-processors, updating our ToS and Privacy Policy, creating the DPA, creating the processes whereby you can download a pre-signed DPA from us and email it to privacy@defiant.com and appointing team members to key security and privacy roles. A lot of work and thought has gone into this. As a website operator, if you are required to be GDPR compliant, you may want to consider seeking legal advice, as we have. The GDPR is complex and unfortunately it creates a significant compliance burden for smaller website owners and service providers.

    Mark.

    …yet you evade answering pretty much every question I asked.

    The GDPR does not work the way you say. Your DPA is there to oblige me, your customer, to assume all responsibility of potential GDPR non-compliances. Between your Privacy Policy and your DPA, things are extremely muddy.

    So, I think we need to keep things simple – can you please explain how I can completely delete WordFence from my site, including pixels?

    Thank you.

    Plugin Author WFSupport

    (@wfsupport)

    If you haven’t talked to a lawyer yet about the parts of GDPR that concern you specifically then I’d recommend you do so sooner rather than later. You’re making some false assumptions and in this situation you are likely to end up on the wrong end of a fine with or without Wordfence. I cannot stress this enough. If you are concerned about GDPR talk to a legal professional sooner rather than later.

    Lastly, if you want to delete Wordfence, make sure to check “Delete Wordfence tables and data on deactivation” in the General Wordfence Options section of the Wordfence Dashboard > Global Options page. If the Firewall is running in extended protection mode, there should be a button on the Configure WAF page that says ‘remove extended protection’. If so, then click it. If it says ‘optimize firewall’ you are good to proceed. Then go to the Plugins page on your website and deactivate and delete Wordfence. Good luck with whatever security solution you find.

    Tim

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Reads*

    Best reply today for any GDPR topic. This is the whole works and I’m going to repeat it again.

    If you haven’t talked to a lawyer yet about the parts of GDPR that concern you specifically then I’d recommend you do so sooner rather than later. You’re making some false assumptions and in this situation you are likely to end up on the wrong end of a fine with or without Wordfence. I cannot stress this enough. If you are concerned about GDPR talk to a legal professional sooner rather than later.

    I’m closing this topic. GDPR is very important and we all get that. But these are not GDPR forums and honestly, any advice here can be grossly and horrifically wrong.

    Please give this post a read. It sums up everything I could say on the topic.

    https://wordpress.org/support/topic/gdpr-your-plugins-and-themes/

    Don’t take anyone’s word on GDPR. Read the regulations (Article 17 is my favorite and no, I’m not kidding) and do the work. Seek professional support for that, GDPR is important.

    But please, don’t open a new topic about this again here. It just does not belong here about any plugin or theme.

  • The topic ‘Your Privacy Policy & GDPR compliance???’ is closed to new replies.