In preparation for the new GDPR legislation, WordPress 4.9.6 and Event Espresso 4.9.62 have been released. This post will help you become familiar with the GDPR and the new tools in WordPress and Event Espresso that will help with your registration and ticketing website.
GDPR, Registration Data, and Your Ticketing Website 
Article Outline
What is the GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union coming into effect on the 25th of this month. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
In (very) short. GDPR states that if a website collects, store or use any data related to a European Union citizen. You must comply with the following:
- Tell the user: who you are, why you collect the data, for how long and who receives it.
- Get explicit consent, before collecting any data
- Let users access their data, and take it with them
- Let users erase their data
- Let users know if data breaches occur
See this helpful infographic from the European Commission.
Even if you don’t deal with users from EU, complying with GDPR is a good step in ensuring transparency in the handling of data. If you’d like to know the finer details, you may want to go through the regulation in detail. Remember, not complying can result in administrative fines up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In the following post, I will cover what the GDPR means for your Event Espresso and WordPress powered site.
Registration Data and Your Website
All registration data from ticket sales captured directly from your website, via the Event Espresso plugin, are stored in a database on your website server. In addition to this functionality, in general, your WordPress website, and some plugins might capture additional data from your site visitors. Although the final responsibility lies with the site owner, WordPress itself is working on its processes to become compliant. As of February 2018, there is a proposed roadmap for adding privacy tools to the core. You can follow the GDPR tickets on Make WordPress Core.
Common Questions About GDPR
Here are a few common questions we’ve gotten about GDPR and Event Espresso:
Do I have to comply with GDPR even if I’m not in the EU?
Yes, GDPR applies to all companies that control and process EU data, no matter where your business is. That includes you if you collect the email addresses of any EU citizens. As a website owner, you may need to follow national or international privacy laws. For example, you may need to create and display a privacy policy.
Does the Event Espresso Team have access to registration data on my website?
No, the team at Event Espresso does not have access to registration data or records stored on your website. The only time someone from our team would have access to those records is if you purchase a support token and you permitted us to login to your website, at which time you would securely share a temporary set of credentials with our support staff.
Does the Event Espresso plugin share registration information with a third-party service?
No. Out of the box, the Event Espresso plugin does not share registration information with any third-party service. However, Event Espresso can be modified, by way of add-ons, extensions, or custom programming, to share information to a third-party service, such as MailChimp and Infusionsoft.
It can also be said that if you are using a payment gateway, such as Authorize.NET, PayPal, or Stripe accept paid registrations or sell tickets, then mostly, you are sharing relevant registration information with a third-party service.
GDPR Features in Event Espresso 4
Along with the new GDPR regulations comes new features in WordPress and Event Espresso 4. The latest Privacy and Maintenance release of WordPress, 4.9.6, comes with many features to help your website become GDPR compliant. Event Espresso has contributed to those new features, and makes use of them in Event Espresso 4.9.62. Below is a list of new features that are shipping with Event Espresso to support the new GDPR regulations.
Export Personal Data
WordPress 4.9.6 allows admins to generate a report of an individual’s personal information and send it to them. In Event Espresso 4, we add the individual’s registration details to the report automatically when it’s being created.
Erase Personal Data
Along with the ability to export data, WordPress 4.9.6 adds a tool that allows site admins to erase personal data stored in their WordPress site. When an admin erases an individual’s personal data, Event Espresso makes sure their registration data is also erased.
GDPR/Privacy Policy Content Tool
Per GDPR regulations, site owners need to have a Privacy Policy page. By default, WordPress doesn’t collect any data from visitors unless they post a comment. However many plugins add third-party services that collect visitor data. WordPress 4.9.6 adds a Privacy Policy guide to help you create a comprehensive “Privacy Policy” page. Event Espresso 4.9.62 adds suggested text to this guide page, to help you know what Event Espresso is doing with regards to user privacy.
Additional GDPR Features
Here’s a shortlist of minor GDPR related features we’ve added recently:
- Added an option to deactivate payment method logging
- Anonymize registrant IP address (as under the GDPR, a user’s IP address is considered personal data and shouldn’t be stored unless explicit consent is given)
Upcoming Features
We have other features in the works we’d like to let you know about
Consent Checkbox
For GDPR compliance, users should consent to your website’s privacy policy before you store their data. To do that, in the registration form on your website, you should display a short message informing verifying they understand and consent to your privacy policy. You can currently create a custom question to do this, but we want to make things even easier by adding the checkbox and link for you.
Easier Registration Data Removal
GDPR encourages “Privacy by Design” which, in a nutshell, means don’t store any personal information you don’t need. After an event is finished, you might not need the personal information of its attendees. So we’re going to make it easier to remove an expired event and its attendees from your system.
Wrapping it Up
The new tools available in Event Espresso 4.9.62 and WordPress 4.9.6 are going to be a great asset in helping site owners comply with the GDPR and other privacy laws. If you have any questions or concerns, please let us know in the comments below or reach out to us via email.