How to make Paid Member Subscriptions forms GDPR compliant

Starting with 25 May 2018, the EU General Data Protection Regulation (GDPR) will supersede current national data protection laws of all EU Member states.
More information about this regulation can be read on their website and if you want to ensure the right measures are taken for the GDPR compliance of your website, you should seek legal counsel.

If you use Paid Member Subscriptions to register or manage users, you are affected by this law as well. This page provides information about how to make forms created with Paid Member Subscriptions GDPR compliant.

1. Ask the user for consent
The first thing you need to do is ask the user for permission to collect and store their personal data.
In order to do this you need to add a consent field to the PMS registration form using custom code:

// Render the consent checkbox after the default registration fields.
add_action('pms_register_form_after_fields', 'pmsc_gdpr_checkbox_field');
function pmsc_gdpr_checkbox_field($atts) {
    // Any error for this field is registered by the validation hook below.
    $field_errors = pms_errors()->get_error_messages('user_consent');

    $html  = '<li class="pms-field ' . ( !empty($field_errors) ? 'pms-field-error' : '') . '">';
    $html .= '<label for="pms_user_consent"><input id="pms_user_consent" name="user_consent" type="checkbox" value="1">';
    $html .= __('I allow Dummy Company to collect and store my data.*', 'paid-member-subscriptions') . '</label>';
    $html .= pms_display_field_errors( $field_errors, true );
    $html .= '</li>';

    echo $html;
}

// Validate on the server side: a missing checkbox blocks registration even if the form markup is altered in the browser.
add_action('pms_register_form_validation', 'pmsc_gdpr_checkbox_validation');
function pmsc_gdpr_checkbox_validation() {
    if (!isset($_POST['user_consent'])) {
        pms_errors()->add('user_consent', __('This field is required.', 'paid-member-subscriptions'));
    }
}

// Record the consent against the newly created account (saved as the user_consent meta key in *_usermeta).
add_action( 'pms_register_form_after_create_user', 'pmsc_gdpr_checkbox_save' );
function pmsc_gdpr_checkbox_save( $user_data ) {
    if ( !empty($user_data['user_id']) && isset( $_POST['user_consent'] ) && $_POST['user_consent'] == 1 ) {
        update_user_meta( $user_data['user_id'], 'user_consent', 'yes' );
    }
}

This code can be added either in the functions.php file from your theme or in a custom plugin as explained at the top of this page.
The label can be modified on this line:

$html .= __('I allow Dummy Company to collect and store my data.*', 'paid-member-subscriptions') . '</label>';

and the error message can also be modified on this line:

pms_errors()->add('user_consent', __('This field is required.', 'paid-member-subscriptions'));

The field will be placed after the Repeat Password field but before the Subscription Plans.

2. The user's right to access their data
The data we store is associated with a WordPress user account and kept in the standard `*_usermeta` table. The easiest way for users to view it is to visit a page containing the [pms-account] shortcode, which also allows them to edit it.

As an admin, you can also provide an export of this data, if requested. You can find instructions for how to do this here.

3. The user's right to be forgotten
As an admin, to delete a user, go to your Dashboard -> Users page, hover over the user entry and press Delete. This will remove the user account and any data associated with it.

There’s also the possibility to allow users to delete the account themselves. In order to have this option, you need to download and install this add-on.

After adding it, users will see the delete link on the edit profile form after the last field.

Pressing the button will trigger a confirmation box and, if the user confirms, the user account and all its data will be deleted.
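To cover the access and erasure steps in sections 2 and 3 with WordPress's own privacy tools, the following added example (not code from the PMS docs or plugin) registers the `user_consent` meta saved by the consent snippet above with the Export Personal Data and Erase Personal Data screens that WordPress has provided since version 4.9.6. The function names and the `pmsc-consent` identifier are assumptions chosen for this example.

```php
// Added example, not part of Paid Member Subscriptions. Assumes the consent
// checkbox above stored user_consent = 'yes' in *_usermeta. Function names and
// the 'pmsc-consent' id are chosen here and are not PMS identifiers.

// Right of access: list the consent record in Tools -> Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', 'pmsc_gdpr_register_exporter' );
function pmsc_gdpr_register_exporter( $exporters ) {
    $exporters['pmsc-consent'] = array(
        'exporter_friendly_name' => __( 'Membership consent', 'paid-member-subscriptions' ),
        'callback'               => 'pmsc_gdpr_export_consent',
    );
    return $exporters;
}
function pmsc_gdpr_export_consent( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    $data = array();
    if ( $user && get_user_meta( $user->ID, 'user_consent', true ) === 'yes' ) {
        $data[] = array(
            'group_id'    => 'pmsc-consent',
            'group_label' => __( 'Membership consent', 'paid-member-subscriptions' ),
            'item_id'     => 'pmsc-consent-' . $user->ID,
            'data'        => array(
                array( 'name' => __( 'Consent to data storage', 'paid-member-subscriptions' ), 'value' => 'yes' ),
            ),
        );
    }
    // A single record fits in one page, so report completion immediately.
    return array( 'data' => $data, 'done' => true );
}

// Right to be forgotten: remove the consent record in Tools -> Erase Personal Data
// (this tool does not delete the account itself, unlike Users -> Delete above).
add_filter( 'wp_privacy_personal_data_erasers', 'pmsc_gdpr_register_eraser' );
function pmsc_gdpr_register_eraser( $erasers ) {
    $erasers['pmsc-consent'] = array(
        'eraser_friendly_name' => __( 'Membership consent', 'paid-member-subscriptions' ),
        'callback'             => 'pmsc_gdpr_erase_consent',
    );
    return $erasers;
}
function pmsc_gdpr_erase_consent( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = $user ? (bool) delete_user_meta( $user->ID, 'user_consent' ) : false;
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Like the consent snippet, this goes in your theme's functions.php or a custom plugin; the export and erase requests are then handled from the WordPress Tools menu once the user's email address has been confirmed.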

If you have any questions about these implementations you can always send us a ticket.