GDPR vs Premium plan blogs (no plugins etc.)
-
Hi,
Currently I do not have a WP blog, but I’m 100% actively helping someone who is a Premium subscriber but is less tech-savvy than me. (Neither of us is too “legal-savvy”, mind you.)
I’m not sure I understand what You (members of the official staff / wordpress.com / Automattic) mean by stating – across all the various GDPR-related forum threads – that you’re not our attorneys.
Sure, You aren’t, but You’re service providers to your users, some of whom pay You for said service, and for said service to stay legal. A Premium user currently apparently has no say in what data You (their service provider) collect, aggregate, possibly sell, and so on about their users (Premium User’s users), nor in what plugins You run for them.
A Premium user pays You to be able to publish content and to be able to communicate with their users in a lawful and legal manner, which will include GDPR from 25 May on. (And GDPR didn’t appear out of the blue a month ago either.)
Please, let us know what exact steps Premium users running only the services that You provide (no 3rd party plugins, no data harvesting etc, as Premium plans do not enable such) must take to be GDPR compliant without significant loss of/to the services You provide for the payment You received for said services from your Premium users.
Please, provide us with a comprehensive, legally valid, GDPR compliant Privacy Policy that Premium users can display to their own users, as those users are effectively Your users too, from a data collection point of view. (What would be even better is if you straight away displayed such a User’s Users Policy on any and all wordpress.com blogs, in a GDPR compliant (opt-in etc) way.)
For clarity’s sake, I’m not talking about standalone wp installs. I’m talking about actual, paying wordpress.com Premium subscribers. (Please, focus on Premium. Not Free. Not Business. Which is not to disregard their issues, but here in this thread I’m looking to solve a Premium user’s problems.)
Please, also inform us where and what steps Premium users should take, if necessary, to turn off any and all data collection about their users (User’s users) that You as their service provider are conducting in their (said Premium user’s) name. Though this would seriously hurt the value your Premium subscribers are paying for – as apparently this enables commenting etc -, it might be sadly necessary to maintain their blog / site without becoming illegal due to Your apparent unwillingness to take the necessary, explicit legal responsibility for handling “user’s users” data or to provide clear means and tools for Your users to make it clear to their users that their data is in Your hands.
While we highly appreciate the otherwise 100% excellent blogging service/app/software/etc You provide (and I mean that), it would be more than welcome for You to offer an option for Premium users to keep just blogging without having to deal with combined and complicated software and legal issues. Don’t show us our user’s users data, if we don’t want to see it, but take responsibility for collecting it if You keep collecting and using it.
Sorry if this sounds harsh but we’re practically four (4) days away from the GDPR, and all I’ve effectively found – having spent countless highly frustrating hours of my time reading everything I’ve found – is that we should write our own Privacy Policy (possibly based on your various Policies) about the data You (and your plugins and services) collect for whatever reason, and so on. Not good, especially for a Premium user who has no control over what data You collect.
Thank You, and looking forward to your answer, hoping for it not to result in having to delete our blog, and canceling our subscription,
-
You’ll find all necessary info at https://en.forums.wordpress.com/topic/about-the-gdpr/. This thread has been tagged with ‘modlook’, please wait till someone of Staff answers your question(s).
-
Hi @staartmees,
I’m afraid that post does not contain all the necessary info at all. It has some pointers, but is quite vague. It was one of the many, many posts I’ve read, and a reason why I started a separate thread for Premium users specifically, asking for exact steps and exact solutions instead of “we’re not your attorneys” and “write your own PP about what we’re collecting about your users.”
So thanks, but I (and I guess a ton of other people concerned about Premium blogs) will need better than that.
Also thanks for tagging this with “modlook”. I (we) appreciate all the help, especially as paying customers this close to 25 May.
Thanks again.
-
Hi there,
> You’re service providers to your users, some of whom pay You for said service, and for said service to stay legal.
No hosting provider has that responsibility towards the owners of sites hosted on their servers. Ensuring that a site complies with local and international law has always been the responsibility of site owners, regardless where their sites are hosted.
We provide detailed information on the data we collect about visitors to your site in the various pages linked to from the sticky thread and the recently published en.blog post, and we will be providing tools to site owners to remove that information if a visitor requests it.
But we cannot advise WordPress.com site owners on whether they need a privacy policy or not, what content should be contained in such a policy, or what other measures they should employ to comply with this law, as doing those things would be providing legal advice.
-
Hi @kokkieh,
I’m not sure you’re a simple hosting provider. I’m no expert, but you seem to do a lot more (and, at the same time, a lot less) than providing empty space on a server connected to the Internet, to be filled with 100% whatever your users put there at their own risk. Your service encompasses an irreplaceable, non-optional publishing solution with its own backend code and databases and data capturing practices. Premium users have only limited access to these technically (as in they aren’t free to modify and configure the server side stuff, and so on. They can mostly only change the looks of their site.)
Witness, for example, your Features page which advertises “In-depth stats” (no mention of having the option to turn this off, which is in fact impossible), as well as the site being “Search engine optimized” – again without the user having to code stuff on the client/server side and learn SEO, coding, law, etc. In fact, your About Us page advertises this (and notice that it doesn’t say “we’re a hosting service”):
> We’re a hosted version of the open source software. Here, you can start a blog or build a website in seconds without any technical knowledge.
There’s quite similar content on your Create blog page too: see the feature list, or the “Choose your plan” section’s Premium column. Users get Themes and Advanced Design Customization, and such, but no plugin control, no removal of WordPress branding, and so on – the latter of which indicates that user’s users visiting a Premium site are practically visiting and using, as users, WordPress.com, which uses their data to its own ends.
You have a mutual agreement with (paying Premium) WordPress.com site owners. You’re using their users’ data. It would only be fair if you provided legal documents about the data capturing etc activities directly to User’s users too, especially in the case of Premium sites where your users (site owners) have no means to control what data you collect about their users and what you do with said data.
(Imagine if Facebook claimed they’re just a hosting service and expected all their users to compose their own PPs for their own newsfeeds.)
If you (wordpress.com / Automattic) won’t help us with clear instructions and technical solutions encompassing the required legal material and its display, we’ll have to suspend or possibly delete our blog, and cancel (or at least never extend) our subscription. And we won’t be alone, as far as I can see the opinions and forums. :(
-
(Something broke the layout in my reply. Sorry, it wasn’t intentional, obviously. Someone with the edit option should fix it, please. Thanks.)
-
While looking into GDPR, I eventually reached this page as I was planning to switch from a self-hosted open source version to a paid WordPress.com plan allowing to replicate the current self-hosted sites onto WordPress.com in order to gain compliance.
I couldn’t agree more with user “whoisnot” here because WordPress.com isn’t a simple “hosted version” of the open source option. As all the backend features are under the direct control of platform WordPress.com not the end user who is paying for a service they buy to be able to accomplish 1 and 1 single thing: LAWFULLY publishing content online as individuals or small companies.
There is a multitude of individuals and businesses that the GDPR has come to “harm” with their nonsensical and absurd requirements and penalties as the law seems to overreach immensely affecting from the hobbyists who blog about their passions and have users interact through the comment section, to the small to medium size company whose sole intent is to give themselves, their products and services a web presence.
Since at this time there are no clear exclusions being stated on the GDPR law where based on real life use cases it should have stated that any company below X size or X revenue, any hobbyists, non profit, private individual etc. were in no need to comply.
I do understand the need of the EU to protect the privacy of their citizens, but that’s not an option for those who operate in the “free” web where they simply want to share content with no need to go to college to get a Computer Science degree and now need to go back again to get a Law degree in international laws.
Stating “we’re not lawyers” would be the same as saying “we’re not developers” when asked for technical support on this or that WordPress feature. Whether WordPress likes it or not, this new law means that the service offered will not only be one where users can leverage the product made by the developers who have created WordPress as that’s exactly what subscribers do in the open source, self-hosted version of the script. WordPress.com as a provider of a publishing platform where paying subscribers will use the platform to publish content leveraging the platform’s capabilities should not and must not be the entities tasked and responsible to guarantee compliance with any privacy laws. As a matter of fact the same wordpress.com privacy policy should extend to the users of the service for which subscribers are paying.
Saying that the end user is responsible for such compliance is tantamount to banks or credit card companies asking their account holders to be those responsible to comply with current PCI, privacy and financial laws and regulations.
These are very stressful times and it would be very unwise to react with “we’re not lawyers” answers if WordPress wants to remain in business. If WordPress.com is unable (but in this case would be unwilling rather) to provide such services, at the very least should either partner with 3rd parties who can provide compliance as a service, or point its paying users to ways to address and solve effectively, rapidly and as painlessly as possible the issue we are all facing with the need to comply with the GDPR.
Again there is frustration (and lots of it), but no hostility in our comments here as all we want to continue to do is to keep producing online content and remain compliant with whatever laws and regulation the publishing platform we’re using is required to be. Thanks.
-
This is not a debate.
We cannot provide legal advice to help specific sites comply with the requirements of the GDPR. We can only provide information regarding the data we, as a company, collect, and provide site owners with the tools they need to remove that data from their individual sites if requested.
I understand this is frustrating, but you are expecting a service that we have at no time promised to provide, which you are not paying us to provide, and which we cannot legally provide as we are a hosting provider, not a law firm specializing in online privacy law.
I am closing this thread to further replies.
- The topic ‘GDPR vs Premium plan blogs (no plugins etc.)’ is closed to new replies.