24 May

ACF and GDPR: What You Need to Know

While everyone’s inboxes are overflowing from privacy policy emails, and with GDPR (EU General Data Protection Regulation) taking effect on May 25, 2018, we thought it would be a good time to fill you in on how this new user data privacy regulation will affect Advanced Custom Fields.

First, we’ll introduce you to the very basics of what GDPR is, along with a few helpful resources you can use to dig further into the details. Next, we’ll discuss some specifics of ACF and ACF PRO’s GDPR compliance and provide you with some useful tips for ensuring that your own website is compliant. Lastly, we’ll brief you on our own commitment to data privacy as well as links to our new and updated policies.

This is a very important subject that we know is in the front of every developer’s mind. So, without further delay, let’s get started!

A (Brief) Introduction to GDPR

GDPR is a regulation that aims to protect the privacy of people in the EU (European Union). Among other things, it gives users more control over the personal data that they share with websites.

Users have a right to know what personal data a website collects, why it collects that data, what the website does with it, for how long it is kept and who receives it. GDPR also gives users the right to access any personal data that they have shared and to have that data erased upon request.

In a nutshell, GDPR puts users in the driver’s seat when it comes to their own data. For websites, this means that the entire process of how personal data is collected, stored and used must be transparent to the user.

And, even though GDPR only covers people in the EU, its impact is being felt worldwide. Any website that collects data from people in the EU is bound by the regulation, no matter where it is located. In other words, this affects just about everyone.

Want to learn more about GDPR and, more specifically, how it affects WordPress websites? Here is some recommended reading:

Is the ACF plugin GDPR Compliant?

In short, the answer is “Yes”👌 Both ACF and ACF PRO are compliant with GDPR. But we’d also like to elaborate a bit more on a few key items of interest:

ACF Doesn’t Collect Personal Data

You should know that, when installed and activated on your website, ACF doesn’t collect, store or send any personal data from either you or your site’s visitors.

The only time data is sent is during an ACF PRO license activation or update check. That request includes the license key, ACF version, WordPress version, website name, website URL, website language and timezone.

What about cookies?

The ACF plugins use cookies within the WordPress administration area in order to provide a better user experience. For example, a cookie may be set that leaves specific repeater field rows expanded or collapsed depending on how you left things the last time you logged in to your site. However, no personal data is collected or stored in this process. If you are interested to know more about what cookies are created, please read our new Cookie Policy.

Remember that Every Website is Built Differently

Being such a flexible tool for editing content, ACF can easily be used to collect personal data. For example, functions such as acf_form() or fields that interact with a third-party service (such as the oEmbed field) could require GDPR compliance on your part.

It’s important that you take note of any such features on your website and what types of data they collect. Ultimately, it’s up to you to ensure that these features comply with GDPR or any other relevant laws or regulations.

Tips for Making Your WordPress Website GDPR Compliant

WordPress is an incredibly flexible platform. As such, there is a virtually endless number of possible configurations when it comes to plugins and themes. Therefore, every website will have different needs when it comes to GDPR compliance.

Here are a few things to keep in mind:

🔍 Review what data your website is collecting

The first step towards GDPR compliance is to thoroughly review your website. Look at your site’s theme and plugins to determine which, if any, are collecting personal user data.

Data can be collected in a number of ways including when a user provides it knowingly and when it is obtained automatically. So, you will want to pay attention to features on the site’s front-end that collect data such as analytics, forms, embeds and shopping carts.

Once you know what data you’re collecting, you’ll be able to develop a plan for compliance.

🙈 Anonymize data when possible

Like most website owners, you’re likely using Google Analytics to get website stats. This means that you may be collecting or tracking personal data such as IP addresses, user IDs, cookies and other data used for behavior profiling. To be GDPR compliant, you need to do one of the following:

  1. Anonymize the data before storage and processing begins
  2. Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking

Lucky for us, Google have made the task of anonymizing data easy! The good folks over at iubenda have written up an amazing guide to cover this feature which you can read about on their blog here.
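Here is one way to wire both of those options together in a theme or plugin. This is an added example, not code from the ACF post or from Google: it loads the gtag.js snippet with `anonymize_ip` turned on, and only once the visitor has clicked an accept button that sets a first-party consent cookie. The cookie name `ga_consent`, the placeholder measurement ID `MY_GA_ID` and the `my_` function names are all assumptions.

```php
<?php
/**
 * Added example (not from the ACF post): Google Analytics with IP
 * anonymisation, loaded only after explicit consent.
 *
 * Assumptions: the banner below sets a cookie "ga_consent=yes";
 * MY_GA_ID is a placeholder for your own measurement ID.
 */
define( 'MY_GA_ID', 'UA-XXXXXXXX-1' ); // placeholder, replace with your own ID

function my_visitor_has_consented() {
    return isset( $_COOKIE['ga_consent'] ) && 'yes' === $_COOKIE['ga_consent'];
}

function my_enqueue_analytics() {
    // Without consent no tracking script is emitted at all, so nothing is
    // sent to Google before the visitor has opted in.
    if ( is_admin() || ! my_visitor_has_consented() ) {
        return;
    }

    wp_enqueue_script(
        'my-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( MY_GA_ID ),
        array(),
        null,
        false
    );

    // anonymize_ip makes Google drop the last octet of the IPv4 address
    // (last 80 bits of IPv6) before the hit is stored.
    $config = array( 'anonymize_ip' => true );
    $inline = sprintf(
        "window.dataLayer = window.dataLayer || [];\n" .
        "function gtag(){dataLayer.push(arguments);}\n" .
        "gtag('js', new Date());\n" .
        "gtag('config', %s, %s);",
        wp_json_encode( MY_GA_ID ),
        wp_json_encode( $config )
    );
    wp_add_inline_script( 'my-gtag', $inline );
}
add_action( 'wp_enqueue_scripts', 'my_enqueue_analytics' );

function my_consent_banner() {
    if ( is_admin() || my_visitor_has_consented() ) {
        return;
    }
    ?>
    <div id="my-consent-banner" style="position:fixed;bottom:0;left:0;right:0;padding:1em;background:#222;color:#fff">
      <p>We use Google Analytics (with anonymised IP addresses) to understand how the site is used.</p>
      <button type="button" id="my-consent-accept">Accept analytics cookies</button>
    </div>
    <script>
    document.getElementById('my-consent-accept').addEventListener('click', function () {
        // One-year first-party cookie; SameSite=Lax keeps it off cross-site requests.
        document.cookie = 'ga_consent=yes; path=/; max-age=31536000; SameSite=Lax<?php echo is_ssl() ? '; Secure' : ''; ?>';
        window.location.reload(); // the reload is what first enqueues gtag.js
    });
    </script>
    <?php
}
add_action( 'wp_footer', 'my_consent_banner' );
```

Because the decision is made server side in `my_enqueue_analytics()`, the Google script tag never reaches the page for visitors who have not consented; there is no "load, then suppress" window in which a hit could slip out.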

💬 Communicate with your website visitors

A privacy policy is a great way to communicate with users regarding what data you collect and how you use it. WordPress now makes setting up a privacy policy easier than ever with its Privacy Settings screen (found in Settings > Privacy). This allows you to either link to an existing policy or create one of your own using a handy template. You can list the types of data you collect as well as detail how that data is handled.

👋 Keep user data organized and accessible

GDPR requires website owners to export and/or delete a user’s personal data upon request. Starting with WordPress 4.9.6, new privacy tools have been added to help export and erase user data. This makes it much easier to handle personal data requests from users. The export tool (Tools > Export Personal Data) gathers a requester’s data into a downloadable archive and emails them a link to it, while the erase tool (Tools > Erase Personal Data) enables the deletion of a user’s personal data. Both tools identify the requester by email address and collect data from every plugin that registers an exporter or eraser callback.

When it comes to any such data collected via custom fields, you’ll want to familiarize yourself with how ACF stores this data in your site’s database.

Assuming that you are using ACF’s default functionality, all custom field values are stored in your site’s meta tables (wp_postmeta, wp_usermeta, wp_termmeta and wp_commentmeta), with options-page values stored in wp_options. Each value is saved under the field name, next to a second row keyed with an underscore prefix (`_field_name`) that points back to the field key. So, the simplest way to delete any personal data within custom fields is to delete the associated post (or user, comment, term, etc.) and allow WP to delete the meta for you. Note that moving a post to the trash is not enough: a trashed post keeps its meta rows until it is permanently deleted. However, depending upon the setup of your site, this may not be the best approach.

As for exporting custom field data in a readable format, you might consider a plugin such as WP All Export or Simple CSV/XLS Exporter. If those plugins don’t serve your needs, a custom solution may be necessary.
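If you would rather have the built-in WordPress tools handle ACF data directly, you can register your own exporter and eraser callbacks. The following is an added example, not code from the ACF post or plugin, and it covers both paragraphs above: it exports and erases a few ACF fields stored on the user record (`wp_usermeta`, addressed through ACF’s `user_{ID}` post ID) and permanently deletes custom-post-type entries that carry the requester’s email. The field names, the `enquiry` post type and the `my_` function names are assumptions.

```php
<?php
/**
 * Added example (not from the ACF post): plug ACF field values into the
 * WordPress 4.9.6 personal-data export and erase tools.
 *
 * Assumptions: these ACF user fields exist, and front-end submissions are
 * stored as posts of type "enquiry" with an ACF email field "enquiry_email".
 */
const MY_ACF_USER_FIELDS = array( 'phone_number', 'postal_address', 'date_of_birth' );

/** IDs of enquiry posts whose ACF email field matches the requester. */
function my_enquiry_ids_for_email( $email_address ) {
    return get_posts( array(
        'post_type'      => 'enquiry',
        'post_status'    => 'any',     // include trashed posts: their meta still exists
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'meta_key'       => 'enquiry_email', // ACF stores the value under the field name
        'meta_value'     => $email_address,
    ) );
}

function my_acf_personal_data_exporter( $email_address, $page = 1 ) {
    $items = array();

    $user = get_user_by( 'email', $email_address );
    if ( $user ) {
        $data = array();
        foreach ( MY_ACF_USER_FIELDS as $name ) {
            $value = get_field( $name, 'user_' . $user->ID );
            if ( null === $value || '' === $value || false === $value ) {
                continue;
            }
            $data[] = array(
                'name'  => $name,
                'value' => is_scalar( $value ) ? (string) $value : wp_json_encode( $value ),
            );
        }
        if ( $data ) {
            $items[] = array(
                'group_id'    => 'acf-user-fields',
                'group_label' => 'Custom profile fields',
                'item_id'     => 'acf-user-' . $user->ID,
                'data'        => $data,
            );
        }
    }

    foreach ( my_enquiry_ids_for_email( $email_address ) as $post_id ) {
        $data = array();
        foreach ( (array) get_fields( $post_id ) as $name => $value ) {
            $data[] = array(
                'name'  => $name,
                'value' => is_scalar( $value ) ? (string) $value : wp_json_encode( $value ),
            );
        }
        $items[] = array(
            'group_id'    => 'enquiries',
            'group_label' => 'Contact enquiries',
            'item_id'     => 'enquiry-' . $post_id,
            'data'        => $data,
        );
    }

    // 'done' => true tells WordPress there are no further pages to fetch.
    return array( 'data' => $items, 'done' => true );
}

function my_acf_personal_data_eraser( $email_address, $page = 1 ) {
    $removed = false;

    $user = get_user_by( 'email', $email_address );
    if ( $user ) {
        foreach ( MY_ACF_USER_FIELDS as $name ) {
            // delete_field() removes both the value row and its "_name" reference row.
            if ( delete_field( $name, 'user_' . $user->ID ) ) {
                $removed = true;
            }
        }
    }

    foreach ( my_enquiry_ids_for_email( $email_address ) as $post_id ) {
        // true = bypass the trash, so the postmeta rows are really gone.
        if ( wp_delete_post( $post_id, true ) ) {
            $removed = true;
        }
    }

    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['my-acf-fields'] = array(
        'exporter_friendly_name' => 'ACF custom fields',
        'callback'               => 'my_acf_personal_data_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['my-acf-fields'] = array(
        'eraser_friendly_name' => 'ACF custom fields',
        'callback'             => 'my_acf_personal_data_eraser',
    );
    return $erasers;
} );
```

Once this is active, the Export Personal Data and Erase Personal Data screens call these callbacks alongside the core ones, so a single request from the admin covers the ACF data as well. If a field holds something you are legally required to keep (an invoice, say), return it under `items_retained` with an explanatory entry in `messages` instead of deleting it.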

👀 Consider Third-Party Interactions

Many websites have features that interact with various third-party service providers. ACF has two such fields that enable this kind of functionality: Google Map and oEmbed. Other examples could include social media feeds or sharing buttons, iframe content, mailing list subscription forms, etc.

It’s important to note that, when integrating content from an outside site or service, that provider may well be collecting a user’s personal data. Plus, if a user is already logged into their account with this provider, that may be reflected when viewing content on your site.

Therefore, you’ll want to make users aware that their data may be subject to collection by any third parties that your site is interacting with, or consider adding a click-to-play feature on embedded content so that nothing is requested from the provider until the user asks for it.
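As an added example of that click-to-play approach (not code from the ACF post), the helper below takes the HTML that an ACF oEmbed field returns, keeps only the iframe’s `src`, and renders a button naming the provider’s host; the iframe is created only after the click, so the provider receives no request, and can set no cookies, until then. The field name `video` and the `my_` function names are assumptions.

```php
<?php
/**
 * Added example (not from the ACF post): render an ACF oEmbed field as a
 * click-to-play placeholder.
 *
 * Assumption: an ACF oEmbed field named "video" exists on the current post.
 */
function my_click_to_play_embed( $field_name = 'video', $post_id = false ) {
    $embed = get_field( $field_name, $post_id ); // the oEmbed field returns provider HTML
    if ( ! $embed || ! preg_match( '/<iframe[^>]+src=["\']([^"\']+)["\']/i', $embed, $m ) ) {
        return ''; // empty field, or a provider that does not use an iframe
    }

    $src  = esc_url( $m[1] );
    $host = $src ? wp_parse_url( $src, PHP_URL_HOST ) : '';
    if ( ! $src || ! $host ) {
        return '';
    }

    ob_start();
    ?>
    <div class="my-embed" data-src="<?php echo esc_attr( $src ); ?>">
      <button type="button" class="my-embed-play">
        Load content from <?php echo esc_html( $host ); ?> (this shares data with that site)
      </button>
    </div>
    <?php
    return ob_get_clean();
}

function my_click_to_play_script() {
    ?>
    <script>
    document.addEventListener('click', function (e) {
        var btn = e.target.closest('.my-embed-play');
        if (!btn) { return; }
        var box    = btn.parentNode;
        var iframe = document.createElement('iframe');
        iframe.src    = box.dataset.src;  // the provider is contacted only at this point
        iframe.width  = '640';
        iframe.height = '360';
        iframe.setAttribute('allowfullscreen', '');
        // Send only the origin, not the full page URL, to the provider.
        iframe.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
        box.replaceChild(iframe, btn);
    });
    </script>
    <?php
}
add_action( 'wp_footer', 'my_click_to_play_script' );

// Usage in a template, in place of `the_field( 'video' )`:
// echo my_click_to_play_embed( 'video' );
```

Rebuilding the iframe from the extracted `src` rather than injecting the provider’s HTML verbatim also means the only markup that ends up in the page is markup you wrote, which is the safer default when the embed HTML ultimately comes from a remote oEmbed response.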

🤝 Ask for User Consent Where Necessary

When you’re collecting personal data through a form, it’s important to ask users for their consent. One simple way to do this is to create a checkbox field that asks for consent and is “required” for the user to submit the form. By default, the checkbox should be left unchecked.

This helps users to better understand what they are signing up for and allows them to provide you with explicit consent.
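Here is how that looks with `acf_form()`. This is an added example, not code from the ACF post: the field group is registered in PHP with a required true/false consent field that defaults to unchecked, the consent is re-checked server side through ACF’s `acf/validate_value` filter (a browser can strip the `required` attribute), and the time of consent is recorded on save so you can later show when it was given. The `enquiry` post type, the field names and keys and the `contact` page slug are assumptions.

```php
<?php
/**
 * Added example (not from the ACF post): a front-end acf_form() with an
 * explicit, required, unchecked-by-default consent checkbox.
 *
 * Assumptions: submissions are saved as posts of type "enquiry"; the form
 * lives on a page with the slug "contact".
 */
add_action( 'acf/init', function () {
    acf_add_local_field_group( array(
        'key'    => 'group_contact_enquiry',
        'title'  => 'Contact enquiry',
        'fields' => array(
            array(
                'key'      => 'field_enquiry_email',
                'label'    => 'Email',
                'name'     => 'enquiry_email',
                'type'     => 'email',
                'required' => 1,
            ),
            array(
                'key'           => 'field_gdpr_consent',
                'label'         => 'Consent',
                'name'          => 'gdpr_consent',
                'type'          => 'true_false',
                'message'       => 'I agree to my details being stored so that you can reply to my enquiry.',
                'required'      => 1, // the form cannot be submitted without it
                'default_value' => 0, // never pre-ticked: consent must be an action
            ),
        ),
        'location' => array( array( array(
            'param'    => 'post_type',
            'operator' => '==',
            'value'    => 'enquiry',
        ) ) ),
    ) );
} );

// Server-side check, independent of the "required" attribute in the browser.
add_filter( 'acf/validate_value/name=gdpr_consent', function ( $valid, $value, $field, $input ) {
    if ( true !== $valid ) {
        return $valid; // an earlier validator already rejected it
    }
    if ( empty( $value ) ) {
        return 'Please confirm that you agree to us storing your details.';
    }
    return $valid;
}, 10, 4 );

// Record when consent was given. Priority 20 runs after ACF has saved the values.
add_action( 'acf/save_post', function ( $post_id ) {
    if ( 'enquiry' !== get_post_type( $post_id ) ) {
        return;
    }
    if ( get_field( 'gdpr_consent', $post_id ) ) {
        update_post_meta( $post_id, '_consent_recorded_at', current_time( 'mysql', true ) );
    }
}, 20 );

// acf_form_head() must run before any output, so hook it before the template loads.
add_action( 'template_redirect', function () {
    if ( is_page( 'contact' ) ) {
        acf_form_head();
    }
} );

// In the "contact" page template:
function my_render_enquiry_form() {
    acf_form( array(
        'post_id'      => 'new_post',
        'new_post'     => array(
            'post_type'   => 'enquiry',
            'post_status' => 'private', // submissions are never publicly visible
        ),
        'field_groups' => array( 'group_contact_enquiry' ),
        'submit_value' => 'Send enquiry',
    ) );
}
```

Keeping the validation in `acf/validate_value` rather than only in the field’s `required` setting matters because the browser-side check is advisory; the filter runs on every submission, including ones crafted without the form.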

The Bottom Line

Each website is unique in both its goals and functionality. In that way, the path to achieving GDPR compliance will vary depending on the needs of your site.

The most important thing you can do as a developer is to get to know what sort of data your website is collecting and then create a plan of action for keeping it safe. Then, ensure that processes are in place to communicate your policies and manage user data requests.

Our Commitment to Data Privacy

We at ACF believe in ensuring that our collection and use of user data is treated with the utmost respect for both privacy and compliance.

With that in mind, please take a moment to review the following documents that outline our policies regarding user data and other important information:

And, as regulations change over time, we’ll put in the hard work required to ensure that our plugins remain compliant. What’s more, we will continue to develop ways for ACF to make your compliance responsibilities easier, as well.

Legal Disclaimer / Disclosure

We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.