Guide to Conform to GDPR
Important: you do not need to reconfirm all your subscribers. A few software providers, including MailChimp, have erroneously recommended this and even built tools for this purpose. If your subscribers have joined your list, you can consider this as sufficient consent.
The goal of General Data Protection Regulation (GDPR) is to give citizens in the European Union (EU) access and control over their personal data and change the approach of how organizations act towards data privacy.
Similar rules have come into effect before though they have been much less restrictive one of which is the now rather ubiquitous "EU Cookie Law."
We're not really here to explain "what" or "why", but rather how to implement the GDPR rules for MailPoet. If you'd like to learn more about the theory behind the GDPR, have a read of this GDPR information website.
1. Create a Privacy Notice Page
First, you'll need to publish a Privacy Notice page on your website. For example, here’s MailPoet’s own.
WordPress has created a tool for this purpose in which MailPoet provides example text for you to use.
To create your page navigate to your wp-admin > Settings > Privacy
You can then either choose from one of your existing pages or create a new page.
Once created, you’ll then see the default Privacy Notice text that you can edit.
2. Ask for Consent in Your Forms
Part of the GDPR consists of getting users explicit consent to collect, store and process their data in relation to your Privacy Notice. Any form of signup form or subscription based form must ask for the users consent.
There are two ways to do this.
A. Include consent text and a link to your Privacy Notice page (recommended).
You can add the consent text by adding a "Custom text or HTML" widget to your form with the following code:
B. Add a checkbox for visitor to click for consent.
This is required if you have Signup Confirmation (double opt-in) disabled in your MailPoet settings.
Check out our guide on How to add a checkbox field to a MailPoet form.
3. Add a Link to Your Privacy Notice in the Footer of Your Emails
You can optionally add a link to your Privacy Notice in the footer of your emails.
4. The Default WordPress Users List
This recommendation is only valid for those who have a membership website in which visitors can create a user account.
MailPoet automatically creates a WordPress users list on install. This list contains all of your WordPress users registered on your site with every role.
You'd need to add a consent box on your WordPress user registration form with a link to your Privacy Notice.
The exact steps to take will depend on if you use the standard forms, an eCommerce plugin such as WooCommerce or some type of Membership plugin.
Since version 3.31.0 released on July 2nd, 2019, WordPress users are added as "Unconfirmed" to the WordPress Users List, so they can opt-in to join your subscriber's list and receive newsletters from you. You can simply re-send the confirmation email by following the steps listed here.
5. Subscribe in Post Comments and User Registration Page
MailPoet allows you to set an option to allow an end user to subscribe to Newsletters when leaving a comment. No action is required on these as WordPress will implement the consent on both forms.
6. Exporting Subscriber's Personal Data
If you're using WordPress 4.9.6 or above (released in 2018/05), go to WordPress > Tools > Export Personal Data
You can export your subscriber's personal data by requesting their permission to do so.
After they've accepted, you can download their personal data and later remove the request.
By downloading their personal data, you'll be able to export:
- subscriber's information (email, personal data and subscription lists);
- list of emails a subscriber viewed;
- list of links a subscriber clicked.
7. Right to Be Forgotten and Anonymized
You can anonymize user identifiable data that you hold for a visitor, or user, or customers of your website. Just go to WordPress > Tools > Erase Personal Data
Just like the Exporting tool, you'll need to request the subscriber's permission to erase their data.
8. Proof of Consent
It is required that you prove your subscribers' consent to joining your list. This is achieved by:
- Linking to your Privacy Notice in your forms, see point 2 above;
- Enabling Settings > Signup Confirmation;
- Recording the IP address of signups (MailPoet does this automatically);
- Recording the date of signup (MailPoet does this automatically);
- Recording the source of signup (read below).
MailPoet records by which mean subscribers are added to your list (starting in 2018/05) by adding a "source" field to the subscribers' data. This field is viewable by exporting Subscriber's Personal Data (point 6) with one of the following values:
- form - subscription via a MailPoet subscription form
- unknown - grandfathered subscribers without source (if necessary);
- wordpress_user - subscriber information synchronized via WP user sync;
- api - added by a 3rd party via MailPoet 3 API;
- administrator - created by the administrator via Subscriber > Add new interface;
- imported - imported by the administrator via "Subscriber Import".
The "source" is not viewable in the user interface of MailPoet and is not added on MailPoet's own Export tool.