Easy Digital Downloads and General Data Protection Regulation (GDPR)

Lately you may have received a flood of emails from various businesses announcing changes to their privacy policies. Such emails are frequent and usually ignored, but this batch has a common cause, and that cause may affect your business. We should talk about it.

After reading a few of these emails, you’ve probably noticed the term “personal data” used repeatedly. This is due to a new European Union (EU) regulation called General Data Protection Regulation (GDPR), designed to protect the personal data of individuals within the EU, as well as give those individuals more control over their personal data.

GDPR’s official implementation date is May 25, 2018. Businesses around the world (literally) have made strides to meet the new requirements by the implementation date. The emails you have received, whether explicitly mentioning GDPR or not, are most likely written to inform you of changes made to meet GDPR requirements.

As an Easy Digital Downloads user, it is likely that you need to meet GDPR requirements as well. Not only does the Easy Digital Downloads plugin collect information from customers that is categorized as personal data, but you may also be using other plugins or tools that collect personal data from your website visitors.

Your business does not have to be based in the EU for this regulation to affect you. GDPR applies to any business that offers goods or services to people in the EU, or monitors their behaviour, wherever that business is located. If EU residents can buy from your website, you'll want to be GDPR-compliant.

Below, we’ll discuss what this means for your website, what Easy Digital Downloads has done to help you meet the new requirements, and how to make sure you are taking advantage of all available tools.

Understanding GDPR

GDPR is a binding EU regulation, not a set of guidelines. It governs how data controllers (the businesses that decide why and how your personal data is processed) and the processors acting on their behalf handle that data, and it gives you the right to know what is done with your personal data and to have it corrected or erased on request.

Here’s a general list of requirements that must be met under GDPR:

  • Disclose what personally identifiable information is collected on your website (via Privacy Policy).
  • Disclose why your website collects the personally identifiable information (via Privacy Policy).
  • Disclose how long personally identifiable information is retained for (via Privacy Policy).
  • Disclose whether or not personally identifiable information is shared with third-party entities (via Privacy Policy).
  • Provide access to personally identifiable information upon request (via export).
  • Provide a means for erasure of personally identifiable information upon request.
  • Inform individuals of their rights under GDPR (via Privacy Policy).

Meeting those requirements takes a specialized set of tools, detailed information in your Privacy Policy, and a clear understanding of what kind of data is being handled.

GDPR’s overall focus is to create a standard for personal data collection and handling.

WordPress and GDPR

Easy Digital Downloads is a WordPress plugin. It collects personal data through functionality like the checkout system, but WordPress itself plays a significant role too: it collects personal data of its own (user accounts, comments) and stores, manages, and uses that data throughout your website's ecosystem.

That said, WordPress itself has taken steps to provide the tools needed to meet GDPR requirements.

WordPress 4.9.6 Privacy and Maintenance Release

The first step towards GDPR compliance as a WordPress user is to update your website to WordPress 4.9.6 (or higher), which is a release focused mainly on functionality needed to meet GDPR requirements. You can read about the release here.

This release adds tools for creating and displaying a Privacy Policy page, an opt-in checkbox that lets commenters decide whether their name, email, and website are remembered by the browser for future comments, and tools for exporting and erasing personal data.

The Privacy Policy Page functionality gives you the ability to designate one page as your Privacy Policy, link to that page automatically from your login and registration forms, and even copy suggested Privacy Policy text from plugins and themes that have taken the time to provide an overview of what kind of personal data is collected from your website visitors/users as they interact with your website (more on this later).

The data handling functionality gives you the tools needed to either export or delete personal data upon a user's request. While WordPress itself is prepared to handle its own data according to GDPR requirements, it is also extensible: plugins and themes register their own exporter and eraser callbacks (through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters) so that the data they collect is included in the export and deletion processes.

While it is possible to implement these tools in a custom manner, we highly recommend that your first step toward GDPR compliance is updating to the latest version of WordPress.

All Easy Digital Downloads GDPR enhancements are accessed through functionality provided in WordPress 4.9.6 or higher. Please update.

Now let’s have a look at Easy Digital Downloads and its tools for GDPR compliance.

Easy Digital Downloads and GDPR

Easy Digital Downloads collects personal data about customers, mainly through the checkout process and related functionality. Personal data includes things like name, email address, address (when necessary), IP address, and more.

While WordPress has provided tools to easily export and delete personal data, it does not automatically have knowledge of additional data collected by Easy Digital Downloads. Instead, we’ve worked to integrate our plugin with WordPress’ tools. Those enhancements are available in Easy Digital Downloads 2.9.2 (or higher).

Easy Digital Downloads 2.9.2 Release

The first step towards GDPR compliance as an Easy Digital Downloads user, once updated to WordPress 4.9.6 or higher, is to update Easy Digital Downloads to version 2.9.2 or higher. You can see the 2.9.2 Changelog here.

To help you meet GDPR requirements with Easy Digital Downloads, we have made the following general enhancements:

  • Added support for WordPress Core Privacy Exporter and Eraser, ensuring that all personally identifiable customer information is included in the WordPress export and delete processes.
  • Added a sample template for WordPress Core Privacy Policy editor, providing you with suggested Privacy Policy text that outlines what personally identifiable customer information Easy Digital Downloads will collect, and why it is collected.
  • Added new Privacy settings to the Easy Digital Downloads Settings screen, allowing more control over how your store handles personal data and how it displays your Privacy Policy to customers.

As you may be thinking, it can be quite difficult to maintain an accurate history of your business transactions if customers request that their information be erased. That's a valid concern, which is why it is important to understand data anonymization.

Anonymizing customer data

In Easy Digital Downloads 2.9.2, all personally identifiable customer information has been structured so that it can be exported or erased in one pass. Exporting leaves the data unchanged, but deleting records outright during an erasure request would punch holes in your store's reporting history. This is where data anonymization comes in. Note that anonymization is not encryption: encrypted data can be decrypted and therefore still counts as personal (pseudonymized) data under GDPR. Anonymization removes the personal fields, or replaces them with values that cannot be traced back to the individual, while purchase amounts and other non-personal data remain.

Under GDPR, a customer has the right to request that all personal data be removed from your website. Our data anonymization functionality allows your store to keep historical payment records and financial data while anonymizing all personally identifiable customer information, effectively erasing a particular person or entity from your data history.

Using our tools, you can anonymize customer records, payment records (by payment status), file download history, and more. You may also choose to fully delete such data if you deem it necessary.

Easy Digital Downloads extensions that collect personally identifiable customer information have also been updated to be included in the export and delete functionality. If you have questions or concerns about an official extension, please feel free to open a support ticket.
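How a plugin or extension hooks into these WordPress tools, as an added example that is not Easy Digital Downloads' or WordPress' own code: it registers a constructed "Example Store" with the core exporter and eraser filters introduced in WordPress 4.9.6 (wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers), supplies suggested Privacy Policy text through wp_add_privacy_policy_content, and on an erasure request anonymizes orders instead of deleting them so totals and statuses survive. The Example_Store class, its sample orders, the rule that pending orders are retained, and the anonymized field format are all assumptions made for this example.

```php
<?php
// Added example, not Easy Digital Downloads' own code. Shows how a plugin
// registers with the WordPress 4.9.6+ privacy exporter/eraser filters and
// anonymizes orders on erasure instead of deleting them, so totals survive.
// Assumptions: Example_Store is a constructed in-memory stand-in for a real
// orders table; the hook names and callback signatures are WordPress core.

final class Example_Store {
    /** Constructed sample orders: PII fields plus non-personal financial data. */
    public static $orders = [
        101 => [ 'name' => 'Ada Lovelace', 'email' => 'ada@example.com', 'ip' => '203.0.113.7',  'total' => 29.00, 'status' => 'complete' ],
        102 => [ 'name' => 'Ada Lovelace', 'email' => 'ada@example.com', 'ip' => '203.0.113.7',  'total' => 9.00,  'status' => 'refunded' ],
        103 => [ 'name' => 'Ada Lovelace', 'email' => 'ada@example.com', 'ip' => '203.0.113.7',  'total' => 5.00,  'status' => 'pending'  ],
        104 => [ 'name' => 'Bob Example',  'email' => 'bob@example.com', 'ip' => '198.51.100.2', 'total' => 49.00, 'status' => 'complete' ],
    ];

    /**
     * Irreversibly replace the PII in one order. $token is random per erasure
     * run, so the person's orders still aggregate as one anonymous customer,
     * but nothing retained on the server can map the token back to them.
     */
    public static function anonymize( array $order, string $token ) : array {
        $order['name']  = 'Anonymized customer ' . $token;
        $order['email'] = $token . '@anonymized.invalid';
        $order['ip']    = '0.0.0.0';
        return $order;                         // total and status untouched
    }
}

/** Exporter callback: core passes the confirmed requester email and a page number. */
function example_privacy_exporter( $email_address, $page = 1 ) {
    $items = [];
    foreach ( Example_Store::$orders as $id => $order ) {
        if ( strcasecmp( $order['email'], $email_address ) !== 0 ) {
            continue;
        }
        $items[] = [
            'group_id'    => 'example_store_orders',
            'group_label' => 'Store Orders',
            'item_id'     => 'order-' . $id,
            'data'        => [
                [ 'name' => 'Name',       'value' => $order['name'] ],
                [ 'name' => 'Email',      'value' => $order['email'] ],
                [ 'name' => 'IP Address', 'value' => $order['ip'] ],
                [ 'name' => 'Total',      'value' => number_format( $order['total'], 2 ) ],
                [ 'name' => 'Status',     'value' => $order['status'] ],
            ],
        ];
    }
    return [ 'data' => $items, 'done' => true ]; // no further pages
}

/** Eraser callback: anonymize settled orders, retain in-flight ones and say why. */
function example_privacy_eraser( $email_address, $page = 1 ) {
    $removed = false; $retained = false; $messages = [];
    $token   = bin2hex( random_bytes( 6 ) );   // discarded after this run
    foreach ( Example_Store::$orders as $id => $order ) {
        if ( strcasecmp( $order['email'], $email_address ) !== 0 ) {
            continue;
        }
        if ( 'pending' === $order['status'] ) {   // assumption: unsettled payments are kept
            $retained   = true;
            $messages[] = sprintf( 'Order %d is still pending and was retained.', $id );
            continue;
        }
        Example_Store::$orders[ $id ] = Example_Store::anonymize( $order, $token );
        $removed = true;
    }
    return [ 'items_removed' => $removed, 'items_retained' => $retained,
             'messages' => $messages, 'done' => true ];
}

if ( function_exists( 'add_filter' ) ) {   // running inside WordPress
    add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
        $exporters['example-store'] = [ 'exporter_friendly_name' => 'Example Store',
                                        'callback' => 'example_privacy_exporter' ];
        return $exporters;
    } );
    add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
        $erasers['example-store'] = [ 'eraser_friendly_name' => 'Example Store',
                                      'callback' => 'example_privacy_eraser' ];
        return $erasers;
    } );
    add_action( 'admin_init', function () {    // suggested Privacy Policy text
        if ( function_exists( 'wp_add_privacy_policy_content' ) ) {  // 4.9.6+ only
            wp_add_privacy_policy_content( 'Example Store',
                '<p>We keep your name, email address and IP address with each order to deliver and support it.</p>' );
        }
    } );
} else {                                   // plain `php this-file.php`: exercise the callbacks
    $before = count( example_privacy_exporter( 'ada@example.com' )['data'] );   // 3 orders
    $result = example_privacy_eraser( 'ada@example.com' );
    $after  = count( example_privacy_exporter( 'ada@example.com' )['data'] );   // 1 left (the pending one)
    printf( "exported %d before, %d after; removed=%s retained=%s\n%s\n", $before, $after,
        var_export( $result['items_removed'], true ), var_export( $result['items_retained'], true ),
        implode( "\n", $result['messages'] ) );
}
```

Inside WordPress the callbacks never run on their own: core only invokes an eraser after the data subject has confirmed the request by email and an administrator has started it from Tools > Erase Personal Data, which is why the callback does not re-verify identity. Two details matter for the anonymization claim: the replacement token is generated from random_bytes and thrown away, so the store retains nothing that could re-identify the customer (a keyed hash of the email would be reversible by whoever holds the key and would only be pseudonymization), and the eraser reports what it retained through the messages array so the administrator can see that the pending order was kept and why. Outside WordPress the same file runs from the command line and prints the before/after counts.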

Again, these tools are only available on WordPress 4.9.6 (or higher) and Easy Digital Downloads 2.9.2 (or higher). For more information about Easy Digital Downloads GDPR tools, please see the documentation.

What you should do next

While this information may be new to you, making sure your website is GDPR-compliant does not have to be a complicated process. Get the ball rolling by following the steps below.

  1. Do your own general research to learn more about GDPR. The European Commission’s Data Protection page is a great place to start.
  2. Consider hiring legal counsel to help you meet all GDPR requirements based specifically on your business. General tools can only get you so far. It is up to you to ensure that your business is fully GDPR-compliant.
  3. Before updating WordPress or Easy Digital Downloads, back up your database and files. If you need help performing a back up, see the WordPress Codex.
  4. Update your website to WordPress 4.9.6 or higher. Familiarize yourself with the new tools and functionality.
  5. Update your website to Easy Digital Downloads 2.9.2 or higher. Read the documentation to understand how to use the new enhancements.
  6. Make any necessary adjustments to your Privacy Policy page and inform your users of the policy changes if necessary.

As usual, if you have any questions feel free to leave a comment below or open a support ticket.

Developer information

For details about how to integrate your extensions and custom functionality with the new tools, please read our development blog post.

Comments

Thorough research and crystal clear explanation (as always)! Thanks for helping us step into GDPR compliance with all the necessary information! I really appreciate your transparency and commitment in this long (and sometimes murky) process.

Reply

Thanks, Nick! Murky indeed, but we're all trying to work through it. We'll keep improving our approach as time goes on.

Reply

I received a lot of emails about GDPR but I just opened your email.
Thank you for this useful information.

Reply

No problem! Thanks for taking the time to read it.

Reply
Mr. Right R. Anonymous

Yes, thank you for the thorough primer and tools. One of the best I’ve seen.

I’m not buying that a non-EU business is actually bound by the laws of a foreign country (remember when they claimed non-EU business must collect VAT?) but it’s very clear that the world is adopting GDPR principles and I think that is a good thing in general for privacy. The cost of doing business did just go up, though, and I’m afraid this puts small EU business at a competitive disadvantage versus a great number of non-EU Internet-based companies who will be compelled to spend resources on compliance.

Anyway, hat tip to the EDD team and Sean for the writeup.

Reply

I definitely feel the same way as you. Not only is this move good for privacy, I don’t think the EU is alone in this change. Only time will tell but I think this just gave the rest of the world a bit of a head start.

Reply
Solopreneur

This is unduly burdensome for single-person businesses. I can't afford to hire legal counsel. Is there no exemption for teeny tiny businesses? I don't live in the UK, but I have to prepare for a single individual from the UK who may use my website?

Reply

Hi there! First, let me say that I can't provide legal counsel on the subject. It would be irresponsible of me to do so. I agree that this is a burdensome change. Businesses of all sizes are affected and it's easier for some to handle than it is for others.

If I had to give a tip, I would say to just research as much as you can about GDPR. When/if you have a decent understanding about the purpose of the regulation, you can then re-evaluate the plugins and tools you are using to see if they hinder your ability to meet the regulations. Contact their support if you have questions. Look for updates to plugins (like we’ve pushed out) and policies. Remove tools that you don’t actually need. These things won’t automatically make you GDPR-compliant. But it doesn’t hurt.

Ultimately, this is a legal matter and eventually it may require that you hire legal counsel.

Reply
Solopreneur

I clearly understand the purpose of the regulation. I'm saying it's unreasonably burdensome to single-person businesses. It would be easier to just block all non-US IPs from visiting my website.

Reply

Solopreneur,

Regs are always tough for the small biz/solopreneur.

I wanted to share that in my newsfeed this morning, I read an article that talked about a number of larger brands (publishers, too) who simply have blocked applicable EU areas from their website. They put up a notice saying why some visitors won’t be able to access the content citing GDPR.

BTW, Shawn, thanks for the good article.

Reply

Sorry, Sean, just caught my typo!!

Thanks!

While blocking is an option, I’m willing to bet this sort of regulation will be the norm in the very near future. The EU probably won’t be the last to introduce something like this.

In my eyes, this push gives us a head start on what’s to come.

Thanks for reading!

John

Yes, it’s a bit of burden to check all the software to be compliant but on the other hand it’s generally a move in the right direction.

One aspect of GDPR that I see rarely mentioned is that every GDPR-compliant organization is required by law to use GDPR-compliant data processors in order to keep the GDPR protection intact between all the systems involved. So if e.g. an EU-based business wants to use a (SaaS) help desk solution developed by a US-based company, the US-based company has to be GDPR-compliant, otherwise the EU-based business IS LEGALLY NOT ALLOWED to use it. And in order for the help desk provider to be GDPR-compliant, he has to make sure that all his data subprocessors (e.g. hosting provider, virtual assistants, etc.) are also GDPR-compliant. And as you can see, many US firms are already working hard to make themselves GDPR-compliant in order not to lose customers. Some examples:
https://www.infusionsoft.com/legal/data-protection-faq
https://www.helpscout.net/company/legal/gdpr/
https://wistia.com/support/account/gdpr

Therefore I think that with time more and more software providers will include features to help comply with GDPR because businesses will be asking for those more and more. And no one would like to say "sorry, we're not going to provide those" because they will start losing customers. With the growing data awareness it will bring harm to reputation not to be GDPR-compliant:

“Even if you’re not being slapped with heavy fines, there will be reputational damage for not complying. And with all eyes on the commercial use of personal data right now, staying compliant with the current laws will only help you as new rules and regulations are developed.”
https://www.digitalmarketer.com/gdpr-summary/

Reply

Great information there, and I agree.

Originally, I felt like GDPR was a bit annoying and was one of those systems I’d rather ignore if given the opportunity. But I think the entire business world is going to move in this direction very soon (and I think it should).

Implementation was intense, and the coming weeks may be the same. But overall, I’m happy that this has been introduced the way it has. It helps us all. And I wouldn’t be surprised if the US had similar regulations sooner than later.

John

And if you listen to the interview in the last link I provided, you will see that implementing GDPR is not necessarily as difficult as many people think.

For now I see the following main pain points (I’m also a solopreneur):
– to make sure a software provider is GDPR-compliant and his subprocessors are also GDPR-compliant
– to make sure a software has an easy way to export, modify, delete/anonymize personal data of an user
– to compile a list of everything that is collected, stored, tracked, shared by a software, in order to evaluate this and inform my customers about it in the privacy policy

I hope every software provider will have a GDPR-page where this information will be available.

Reply
John

Oops, my intention was to reply under myself:

“John May 25, 2018 at 4:13 pm”
Yes, it’s a bit of burden to check all the software to be compliant but (…)

Reply
Tom

Do you have any form to fill and get data processing agreement? I think it is necessary to be OK with GDPR.

Reply
John

Hi Tom,

Such an agreement is necessary between a data controller (e.g. you as a business owner) and a data processor who processes (and this term also includes storage) your customers' data (e.g. your hosting company or SaaS applications).

I believe no customer data is ever sent to the company behind EDD, which means they are not a data processor when it comes to your customers' data, so no data processing agreement is needed.

Reply
John

Disclaimer: I'm not a lawyer and the above is not legal advice. Just my understanding of GDPR.

Reply

This is correct.

Sorry for the slow response, Tom. What John said is accurate.

Easy Digital Downloads (the business) is not a data processor for your customers. As an Easy Digital Downloads (the plugin) user, you’d be considered a data controller, and other systems you choose to use could end up being a data processor.

So the Data Processing Agreement you're referring to would be between your company and those data processors. If you use the MailChimp extension, for example, MailChimp would be a data processor and you would be the data controller. Then you'd need to refer to information like the following to make sure your data processing agreement with MailChimp is in place: https://mailchimp.com/legal/forms/data-processing-agreement/?_ga=2.193088621.1389689362.1516996571-1291562841.1512052313

Just as John stated, I am not a lawyer and this is not legal advice. Likewise, Easy Digital Downloads is not providing legal advice. This information is just to let you know that you do not need to have a data processing agreement with us.

Reply
