Jetpack and The GDPR: What You Need to Know

Europe’s General Data Protection Regulation (aka the GDPR) is a new and far-reaching privacy regulation, built on a number of fundamental principles. Among these principles are personal data ownership, transparency, security, and individual choice.

At Automattic, we have a long-standing commitment to the principles of the GDPR, and have honored many of them — including data minimization, control, portability, and security — before they were required by law.

Today, we wanted to take some time to explain how Jetpack has been built — and recently improved — to honor the important rights guaranteed by the GDPR. We also wanted to share how you can use some of the new features and tools in Jetpack and WordPress core to honor the rights and principles of the GDPR for your own site visitors.

Before we get started, it’s important to remember one thing: the GDPR is based on principles, not rules. This means that there is no standard checklist to follow, and no merit badge awarded for compliance if you check a few boxes.

The beauty of WordPress is that every site is unique and different — and because of this, no two site owners will or should take the same steps to comply with the privacy laws of their country or the countries that their site visitors come from.

This may sound a little scary, but we’re all in this together. As one of millions of WordPress site owners, you’re part of a larger community that is focused on understanding and honoring individuals and their rights. GDPR requirements might be intimidating, but they’re not insurmountable if we all work together.

The WordPress (and Jetpack) way

WordPress is built on a foundation of openness and transparency, and Jetpack is no different. Unlike many proprietary products or services, you can look directly at our code.

At the same time, Jetpack includes a powerful package of hosted services. When you set up Jetpack, your site is connected to Automattic’s servers and shares site data with Automattic. This is done in order to power features like site backups, speed and performance, and security.

With great power comes great responsibility, and we take our responsibilities as stewards of your data very seriously. Our responsibilities begin with being fully transparent about the data we collect, use, store, share, and process on your behalf, starting when you first connect your site.

We understand that by downloading Jetpack and connecting your site to Automattic, you have placed your trust in us to keep your data secure, private, and use it in ways that you understand, expect, and agree to.

With the GDPR as a framework, we’ve put a lot of time, thought, and effort into upping our game on transparency, and building new features and tools to comply with new privacy regulations like the GDPR.

Similarly, the WordPress open source project has also made a number of feature improvements, and has articulated guidelines on how WordPress plugins (like Jetpack) should handle data, in line with GDPR principles. We’ve worked very hard to implement these principles as we’ve developed and improved Jetpack.

Jetpack’s privacy features in detail

Here is a brief tour of the Jetpack features that we’ve updated and improved with the GDPR in mind.

Our key goals for these improvements are to add greater transparency around Jetpack’s data habits, and give Jetpack users more control over how Jetpack uses their data.

To enhance the transparency of Jetpack, we’ve created a number of new documents, notifications, and explainers that give Jetpack users more information about the data Jetpack collects and uses. These include:

Jetpack Sync

When you first install Jetpack, you’ll be prompted to connect your site to Automattic’s servers. This connection enables many of Jetpack’s features. This doc explains the data Jetpack syncs to Automattic’s servers after you connect your Jetpack site. It also covers data used by WooCommerce Services, which rely on the Jetpack connection.

You can read this doc anytime, but we’ve included a link to it on the connection screen, so that the information is available and easy to find right at the time Jetpack syncs your data to our servers.

Jetpack modules

Each feature or “module” in Jetpack uses different data. To help make this information clearer, we’ve added a section to the support page for each module to detail the “Data Used”, “Activity Tracked” and “Data Synched” for each module. We’ve also broken down this information to distinguish between data about Jetpack site owners, and visitors to Jetpack sites.

It is important to note that Jetpack syncs all the data required by all of its modules, whether they are activated or not, to Automattic’s servers.

data synced

To make this information easier to find, we’ve added pop-up notifications, with links to each feature privacy statement, right in the Jetpack dashboard:

privacy info in pop-up

We’ve also added a chart that shows which modules are activated by default, and which you need to activate yourself.

Cookies

Like most services, Jetpack uses cookies to help our product function more smoothly and track other data that we use to power features. We list these cookies and give you information on how to control them here.

Privacy Policy

Jetpack’s data practices fall under the Automattic Privacy Policy, and we’ve made a number of updates to it in recent months to make it more accessible and easier to understand. You can read the privacy policy here, and read about what’s new here.

Jetpack Privacy Center

To make it easier to find all of this new and updated information, we created the Jetpack Privacy Center. Here, you can learn more details about all of our privacy related features and documents.

We’ll continue to add more information to the Privacy Center as we develop and launch new privacy-focused features.

Giving you more control

To give Jetpack users more control over how their data is used for analytics, we’ve also added:

Analytics opt-out

Like many services, we monitor certain user activities that take place within our products — like page views and clicks on our dashboards — to better understand how our products are used. However, we offer a way to opt out of this usage tracking.

You can switch off our analytics system from the Jetpack Privacy Settings, which you can reach by clicking on the Privacy link in the footer of your Jetpack dashboard. You can read more about our analytics and how our opt-outs work here.

privacy opt-out settings in jetpack

Activating or de-activating modules

Jetpack syncs data from your site to Automattic’s servers when you connect your site. After this connection, the data that Jetpack uses is largely determined by the modules that you have activated.

In addition to giving you more information about what data each Jetpack module uses, we have also added better, clearer information about how to turn each module on or off. You can find this information on the support page for each module.

Activating and deactivating Jetpack features

Access to your data

You can now request a copy of the data that Automattic has associated with your wordpress.com account. To do so, please contact Jetpack Support, and a Happiness Engineer will help you with your request.

Disconnect Jetpack and close your WordPress.com account

If you’d like to disconnect your Jetpack site from Automattic’s servers, or close your account with us for good, we would be sad to see you go… but you do have the tools to do so. Just follow these steps to disconnect your site, and these steps to close your account.

Tools for ongoing compliance

Just as Jetpack is providing enhanced transparency and tools to honor your privacy rights as a site owner, you should do the same for visitors to your site. Under the GDPR, you should let your site visitors know how you collect, store, and use their data in a clear and transparent way. You should also let site visitors request a copy of their data, as well as delete their data (if you store it).

Jetpack and WordPress now include tools to help you meet these commitments. These include:

Privacy Policy Helper

We developed a new tool that makes it easier to gather the information you need to build a clear and accurate privacy notice for your site.

The Privacy Policy Helper allows you to select which Jetpack features you’ve activated on your site, then generates the appropriate visitor-focused privacy policy content and copies it (in text or HTML format) to your clipboard.

This tool will be integrated directly into Jetpack in a future release.

Cookies and Consent widget

The new Cookies and Consent widget creates a notification banner for your site to alert visitors to the cookies that you’re setting when they visit. This notification is especially important for sites that participate in Jetpack Ads, or run other advertisements.

The widget includes some new, consent-oriented functionality. It also lets you specify a link to your privacy and cookie policy, making it easy for visitors to find. If your site has a Privacy Policy page set (introduced in WordPress 4.9.6), we’ll automatically populate the widget’s settings with the URL.

We also added a new setting letting you control the expiration date of the consent banner, plus a new filter, jetpack_disable_eu_cookie_law_widget, that will disable the banner entirely.

EU cookie banner on jetpack site

Access and deletion requests

An important piece of the GDPR is honoring requests from registered users on your site to access or delete their data. WordPress now includes tools to assist you with these requests.

Export Personal Data lets you export a ZIP file of a user’s personal data from WordPress and certain plugins. Erase Personal Data lets you delete a user’s personal data, including data collected by participating plugins. You can find both of these features on your WordPress dashboard (again, as long as you’re running WordPress 4.9.6).

It is important to note that Jetpack does not integrate with these tools yet, but may in the future. For the time being, please see “Access to your data” above in order to request a copy of the data Jetpack has collected for you or a user on your site, or to request its deletion.

Honoring your rights globally

As we wrap up this post, we’d like to make one final note: we think that your rights and those of your site users are global, not specific to a certain geography. All of the tools and features we’ve included in Jetpack apply and work globally by default.

If you’d like to delete your account, request your data, or choose whether to participate in our analytics system, you can. Every single one of these features are available to you no matter where you (or your website) lives.

If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you in the comments.

Thanks for your time today!

This entry was posted in Jetpack News and tagged . Bookmark the permalink.

Explore the benefits of Jetpack plans

Compare plans in detail to see how Jetpack can help you design, market, and secure your WordPress site.

Compare plans

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

Comments

  1. I deleted Jetpack from my system, because Jetpack and Firefox don´’t work together. Jetpack makes backend and starting my homepage very slowly. Goodbye!

    Like

  2. pazzaglia1 says:

    So, there is no information on how to access the “cookies and consent” widget – I can’t find it. All the settings used to be on one page – now I have to click on tabs and I can’t find anything remotely called that. : /

    The article does not make it clear which feature (policy maker or cookies and consent) will be available in a future release.

    Ciao,

    L

    Like

    • Thank you for reaching out to us about the GDPR! We have a helpful support article on the Cookies & Consents Banner here.

      Privacy Policy Helper will be integrated directly into Jetpack in a future release, but is currently available as a standalone tool here.

      Like

  3. Hi, please let me know if I am disabling Stats module, the tracking pixel is still sending data to WordPress.com servers? If so, then disconnecting JetPack will silence that tracker? Or uninstalling JetPack is the only way to get rid of that tracker?

    Like

  4. Jane Adams says:

    I saw a popup telling me about enabling jetpack cookie agreement popup but now I cant find it.

    Liked by 1 person

  5. Is the Widget Visibility button supposed to be missing now? Breaks a major component in how we use our sidebar…

    Like

  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 105,162 other followers

  • Our most popular posts

  • Browse by topic

  • %d bloggers like this: