Europe’s General Data Protection Regulation (aka the GDPR) is a new and far-reaching privacy regulation, built on a number of fundamental principles. Among these principles are personal data ownership, transparency, security, and individual choice.
At Automattic, we have a long-standing commitment to the principles of the GDPR, and have honored many of them — including data minimization, control, portability, and security — before they were required by law.
Today, we wanted to take some time to explain how Jetpack has been built — and recently improved — to honor the important rights guaranteed by the GDPR. We also wanted to share how you can use some of the new features and tools in Jetpack and WordPress core to honor the rights and principles of the GDPR for your own site visitors.
Before we get started, it’s important to remember one thing: the GDPR is based on principles, not rules. This means that there is no standard checklist to follow, and no merit badge awarded for compliance if you check a few boxes.
The beauty of WordPress is that every site is unique and different — and because of this, no two site owners will or should take the same steps to comply with the privacy laws of their country or the countries that their site visitors come from.
This may sound a little scary, but we’re all in this together. As one of millions of WordPress site owners, you’re part of a larger community that is focused on understanding and honoring individuals and their rights. GDPR requirements might be intimidating, but they’re not insurmountable if we all work together.
The WordPress (and Jetpack) way
WordPress is built on a foundation of openness and transparency, and Jetpack is no different. Unlike many proprietary products or services, you can look directly at our code.
At the same time, Jetpack includes a powerful package of hosted services. When you set up Jetpack, your site is connected to Automattic’s servers and shares site data with Automattic. This is done in order to power features like site backups, speed and performance, and security.
With great power comes great responsibility, and we take our responsibilities as stewards of your data very seriously. Our responsibilities begin with being fully transparent about the data we collect, use, store, share, and process on your behalf, starting when you first connect your site.
We understand that by downloading Jetpack and connecting your site to Automattic, you have placed your trust in us to keep your data secure and private, and to use it in ways that you understand, expect, and agree to.
With the GDPR as a framework, we’ve put a lot of time, thought, and effort into upping our game on transparency, and building new features and tools to comply with new privacy regulations like the GDPR.
Similarly, the WordPress open source project has also made a number of feature improvements, and has articulated guidelines on how WordPress plugins (like Jetpack) should handle data, in line with GDPR principles. We’ve worked very hard to implement these principles as we’ve developed and improved Jetpack.
Jetpack’s privacy features in detail
Here is a brief tour of the Jetpack features that we’ve updated and improved with the GDPR in mind.
Our key goals for these improvements are to add greater transparency around Jetpack’s data habits, and give Jetpack users more control over how Jetpack uses their data.
To enhance the transparency of Jetpack, we’ve created a number of new documents, notifications, and explainers that give Jetpack users more information about the data Jetpack collects and uses. These include:
When you first install Jetpack, you’ll be prompted to connect your site to Automattic’s servers. This connection enables many of Jetpack’s features. This doc explains the data Jetpack syncs to Automattic’s servers after you connect your Jetpack site. It also covers data used by WooCommerce Services, which rely on the Jetpack connection.
You can read this doc anytime, but we’ve included a link to it on the connection screen, so that the information is available and easy to find right at the time Jetpack syncs your data to our servers.
Each feature or “module” in Jetpack uses different data. To help make this information clearer, we’ve added a section to the support page for each module to detail the “Data Used”, “Activity Tracked” and “Data Synched” for each module. We’ve also broken down this information to distinguish between data about Jetpack site owners, and visitors to Jetpack sites.
It is important to note that Jetpack syncs all the data required by all of its modules, whether they are activated or not, to Automattic’s servers.
To make this information easier to find, we’ve added pop-up notifications, with links to each feature privacy statement, right in the Jetpack dashboard.
We’ve also added a chart that shows which modules are activated by default, and which you need to activate yourself.
Jetpack Privacy Center
To make it easier to find all of this new and updated information, we created the Jetpack Privacy Center. Here, you can learn more details about all of our privacy related features and documents.
We’ll continue to add more information to the Privacy Center as we develop and launch new privacy-focused features.
Giving you more control
To give Jetpack users more control over how their data is used for analytics, we’ve also added:
Like many services, we monitor certain user activities that take place within our products — like page views and clicks on our dashboards — to better understand how our products are used. However, we offer a way to opt out of this usage tracking.
You can switch off our analytics system from the Jetpack Privacy Settings, which you can reach by clicking on the Privacy link in the footer of your Jetpack dashboard. You can read more about our analytics and how our opt-outs work here.
Activating or de-activating modules
Jetpack syncs data from your site to Automattic’s servers when you connect your site. After this connection, the data that Jetpack uses is largely determined by the modules that you have activated.
In addition to giving you more information about what data each Jetpack module uses, we have also added better, clearer information about how to turn each module on or off. You can find this information on the support page for each module.
Access to your data
You can now request a copy of the data that Automattic has associated with your WordPress.com account. To do so, please contact Jetpack Support, and a Happiness Engineer will help you with your request.
Disconnect Jetpack and close your WordPress.com account
If you’d like to disconnect your Jetpack site from Automattic’s servers, or close your account with us for good, we would be sad to see you go… but you do have the tools to do so. Just follow these steps to disconnect your site, and these steps to close your account.
Tools for ongoing compliance
Just as Jetpack is providing enhanced transparency and tools to honor your privacy rights as a site owner, you should do the same for visitors to your site. Under the GDPR, you should let your site visitors know how you collect, store, and use their data in a clear and transparent way. You should also let site visitors request a copy of their data, as well as delete their data (if you store it).
Jetpack and WordPress now include tools to help you meet these commitments. These include:
We developed a new tool that makes it easier to gather the information you need to build a clear and accurate privacy notice for your site.
This tool will be integrated directly into Jetpack in a future release.
Cookies and Consent widget
The new Cookies and Consent widget creates a notification banner for your site to alert visitors to the cookies that you’re setting when they visit. This notification is especially important for sites that participate in Jetpack Ads, or run other advertisements.
We also added a new setting letting you control the expiration date of the consent banner, plus a new filter, jetpack_disable_eu_cookie_law_widget, that will disable the banner entirely.
Access and deletion requests
An important piece of the GDPR is honoring requests from registered users on your site to access or delete their data. WordPress now includes tools to assist you with these requests.
Export Personal Data lets you export a ZIP file of a user’s personal data from WordPress and certain plugins. Erase Personal Data lets you delete a user’s personal data, including data collected by participating plugins. You can find both of these features on your WordPress dashboard (again, as long as you’re running WordPress 4.9.6).
It is important to note that Jetpack does not integrate with these tools yet, but may in the future. For the time being, please see “Access to your data” above in order to request a copy of the data Jetpack has collected for you or a user on your site, or to request its deletion.
Honoring your rights globally
As we wrap up this post, we’d like to make one final note: we think that your rights and those of your site users are global, not specific to a certain geography. All of the tools and features we’ve included in Jetpack apply and work globally by default.
If you’d like to delete your account, request your data, or choose whether to participate in our analytics system, you can. Every single one of these features is available to you no matter where you (or your website) live.
If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you in the comments.
Thanks for your time today!