🇪🇺 GDPR compliance for Bitcoin and Altcoin Wallets
Version 3.3.0
of Bitcoin and Altcoin Wallets for WordPress assists website administrators towards GDPR compliance.
If your website is being visited by citizens of the European Union, then your website's privacy policy must comply with the General Data Protection Regulation (GDPR) which will come into effect on the 25th of May, 2018. In response to this, the WordPress dev team has added features that will help site administrators comply with the regulations. Themes and plugins can and should use these new features to help you with this task. This article is not intended to be legal advise, and you should consult a legal professional or other sources for a complete list of your legal obligations as a site owner.
Because the policy affects any handling of data that can be used to personally identify a user, this can also touch on Bitcoin and Altcoin Wallets. The plugin handles blockchain addresses and transaction IDs. This data can be used by blockchain analytics tools to personally identify a user, and can therefore be considered to be "personal data".
In short, you have at least the following three legal obligations as a site operator:
- You must provide a privacy policy that clearly explains what personal data you collect and how you use it. WordPress receives privacy policy text fragments from the installed plugins and helps you assemble a policy text. Go to Admin → Settings → Privacy to construct your privacy policy page. Bitcoin and Altcoin Wallets hooks into this mechanism and suggests appropriate text that you can insert into your policy. Users who sign-up to your site must explicitly consent to that policy via an opt-in mechanism, such as clicking on an initially unchecked checkbox that says "I agree to the privacy policy". The cloud wallet extensions will soon be updated to suggest some additional text, since some of the personal data is transmitted to third-party services.
- You must be able to give out a copy of all personal user data to any user that requests it. The process involves an authorization step, to make sure that you do not give out data to anyone else rather than the owner. WordPress assists you in that process via the new tool under Admin → Tools → Export Personal Data. Bitcoin and Altcoin Wallets hooks into this mechanism and attaches all of the deposit addresses and transaction IDs of a user into the data export.
- You must be able to erase all personal data that you hold on behalf of any user at their request. The process is similar to that of data export (see 2 above), and the functionality will be available at Admin → Tools → Erase Personal Data. Bitcoin and Altcoin Wallets hooks into this mechanism and deletes all of the deposit addresses and transaction IDs of a user when an admin performs data deletion at the request of that user. If there are any coins in the user's balance they will be returned to the site's wallet. Presumably the user should withdraw any remaining balance before requesting that their account is deleted.