WP Optin Wheel and the GDPR

Please note this is not legal advice and you should contact a qualified lawyer to know more about GDPR and local laws. This article merely helps you on your way to be GDPR compliant.

On May 25th, the General Data Protection Regulation (GDPR) becomes enforceable in all EU member states. This article explains what we’ve implemented in WP Optin Wheel (free or pro) to help you make your website, and in particular the usage of our plugin, GDPR-compliant.

Obtaining Consent

Every time you collect a visitor’s personal information, such as an email address or name, you should obtain active consent from that visitor, in which they agree you can use that data.

WP Optin Wheel allows you to add consent checkboxes to the forms you build. You have the option to make this checkbox mandatory. These checkboxes are not pre-ticked, which is also a requirement of the GDPR.

Here’s how you can add a checkbox to your forms:

  1. Edit or add a wheel.
  2. Go to the form builder step.
  3. Click Add New Field in the upper right corner.
  4. Create your consent checkbox.

Consent Should Be Specific and Freely Given

You’re most likely using WP Optin Wheel to grow your email list (if not, you can skip this part). That means you’ll have to inform the user of this (= specific consent) and allow them to opt into it (= freely given).

[Image: opt-in form with checkbox]

The image above adds a consent checkbox in which your user will agree to your privacy policy. The policy probably entails that you need the email address to send users their prize and to prevent cheating. It does not say that the user will also be subscribed to your newsletter. So at this point, your wheel may not be compliant in terms of consent.

So how can we fix this?

Opinions are divided over what it means to make a popup compliant in terms of consent. Here are 2 popular statements:

  1. Some experts say you are already compliant when your copy clearly states what the user is opting into. Something like “by playing the game, you are okay with receiving your prize via email, as well as occasional news and promotions about our service”.
  2. Other experts claim you should have a separate checkbox for opting users into your list. Even more so: it shouldn’t be mandatory since opting into your list is not necessary to play a wheel of fortune game.

Whichever solution you choose is up to you. We prefer #2, but that’s just our opinion! Please note that the 2nd solution means people can play your wheels without being opted into your list.

How to only subscribe people to your list if a checkbox is checked?

If you want to give your users the ability to play the game and optionally subscribe them to your list if they choose to do so, here’s how you can do it:

  1. Add a checkbox to your form, as described above.
  2. When editing your wheel, go to Step 5: Settings > GDPR Settings.
  3. Select the checkbox that the user has to check before their data is sent to your email list. If the user does not check the box, they will still be able to play but won’t be subscribed to your list. If you leave this setting blank, the user’s data will always be transferred to your list (this is the default behavior you’re used to).

Transparency

When you collect data, it must be clear to your users why the data is being collected and what it will be used for. You can solve this by writing a clear, understandable privacy policy.

We’ve created a document in which we explain what WP Optin Wheel collects and why. You can use this information to edit your privacy policy. Our guide is also available on your WordPress install (if you run on 4.9.6 or higher): go to Settings > Privacy and click Check out our guide.

Right to Access Data

Under the GDPR, users have the right to view their data. If you are running WordPress 4.9.6 or higher, you can easily generate an export of all the data pertaining to a specific user. Go to Tools > Export Personal Data and enter the email address of the user. WordPress will then collect all the data from that user and generate a ZIP file. Our plugin hooks into that process, so the data WP Optin Wheel collects will also be included in the export.

Right to Be Forgotten

The GDPR states that visitors can request you to hard-delete their data. In WordPress 4.9.6 or higher, you can hard-delete personal data by navigating to Tools > Erase Personal Data. WP Optin Wheel also hooks into that process, so any data we keep in your WordPress database on the user will be anonymized. Data sent to 3rd-party tools, such as MailChimp, should be deleted there.

Please note that we are still keeping the email address and a unique hash of the user so we can prevent them from cheating (playing multiple times).