Are you writing a plugin that handles personal data – things like names, addresses, and other information that can be used to identify a person? You’ll want to take care with that data and protect the privacy of your users and visitors.
What is Privacy?
WordPress.org made several enhancements ahead of Europe’s General Data Protection Regulation. Following the launch of this work, we have made Privacy a permanent focus in core trac development, which will allow us to continue making enhancements on privacy and data protection outside specific legislation.
But what kind of issues might fall under the definition of “privacy”, and how do we define it? Although privacy requirements vary widely across countries, cultures, and legal systems, there are several general principles applicable across any situation:
- Consent and choice: giving users (and site visitors) choices and options over the uses of their data, and requiring clear, specific, and informed opt-in;
- Purpose legitimacy and specification: only collect and use the personal data for the purpose it was intended for, and of which the user was clearly informed in advance;
- Collection limitation: only collect the user data which is needed; don’t make extra copies of data or combine your data with data from other plugins if you can avoid it;
- Data minimization: restrict the processing of data, as well as the number of people who have access to it, to the minimum uses and people necessary;
- Use, retention and disclosure limitation: delete data which is no longer needed, both in active use and in archives, by both the recipient and any third parties;
- Accuracy and quality: ensure that the data collected and used is correct, relevant, and up-to-date, especially if inaccurate or poor data could adversely impact the user;
- Openness, transparency and notice: inform users how their data is being collected, used, and shared, as well as any rights they have over those uses;
- Individual participation and access: give users a means to access or download their data;
- Accountability: documenting the uses of data, protecting it in transit and in use by third parties, and preventing misuse and breaches as much as is possible;
- Information security: protecting data through appropriate technical and security measures;
- Privacy compliance: ensuring that the work meets the privacy regulations of the location where it will be used to collect and process people’s data.
(Source: ISO 29100/Privacy Framework standard)
While not all of these principles will be applicable across all situations and uses, using them in the development process can help to ensure user trust.
Privacy By Design
Many of these principles are espoused in the Privacy by Design framework, which states that:
- Privacy should be proactive, not reactive, and must anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
- Privacy should be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
- Privacy should be built into design as a core function, not an add-on.
- Privacy should be positive sum: there should be no trade-off between privacy and security, privacy and safety, or privacy and service provision.
- Privacy should offer end-to-end lifecycle protection through data minimization, minimal data retention, and regular deletion of data which is no longer required.
- The privacy standards used in your plugin (and service, if applicable) should be visible, transparent, open, documented and independently verifiable.
- Privacy should be user-centric. People should be given options such as granular privacy choices, maximized privacy defaults, detailed privacy information notices, user-friendly options, and clear notification of changes.
Food for Thought for Your Plugin
To help your plugin be ready, we recommend going through the following list of questions for every plugin that you make:
- How does your plugin handle personal data? Use wp_add_privacy_policy_content (link) to disclose to your users any of the following:
  - Does the plugin share personal data with third parties (e.g. to outside APIs/servers)? If so, what data does it share with which third parties, and do they have a published privacy policy you can provide a link to?
  - Does the plugin collect personal data? If so, what data and where is it stored? Think about places like user data/meta, options, post meta, custom tables, files, etc.
  - Does the plugin use personal data collected by others? If so, what data? Does the plugin pass personal data to an SDK? What does that SDK do with the data?
  - Does the plugin collect telemetry data, directly or indirectly? Loading an image from a third-party source on every install, for example, could indirectly log and track the usage data of all of your plugin installs.
  - Does the plugin enqueue JavaScript, tracking pixels or embed iframes from a third party (third-party JS, tracking pixels and iframes can collect visitors’ data/actions, leave cookies, etc.)?
  - Does the plugin store things in the browser? If so, where and what? Think about things like cookies, local storage, etc.
- If your plugin collects personal data…
  - Does it provide a personal data exporter?
  - Does it provide a personal data eraser callback?
  - For what reasons (if any) does the plugin refuse to erase personal data (e.g. order not yet completed)? Those should be disclosed as well.
  - Does the plugin use error logging? Does it avoid logging personal data where possible? Could you use things like wp_privacy_anonymize_data to minimize the personal data logged? How long are log entries kept? Who has access to them?
  - In wp-admin, what role/capabilities are required to access/see personal data? Are they sufficient?
  - What personal data is exposed on the front end of the site by the plugin? Does it appear to logged-in and logged-out users? Should it?
  - What personal data is exposed in REST API endpoints by the plugin? Does it appear to logged-in and logged-out users? What roles/capabilities are required to see it? Are those appropriate?
- Does the plugin properly remove/clean up data, especially personal data:
  - During uninstall of the plugin?
  - When a related item is deleted (e.g. from the post meta or any post-referencing rows in another table)?
  - When a user is deleted (e.g. from any user-referencing rows in a table)?
  - Does the plugin provide controls to reduce the amount of personal data required?
  - Does the plugin share personal data with SDKs or APIs only when the SDK or API requires it, or is the plugin also sharing personal data that is optional?
  - Does the amount of personal data collected or shared by this plugin change when certain other plugins are also installed?
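The first two groups of questions above (disclosing what you collect, and providing an exporter and an eraser) map onto three core hooks. The following is an added example, not code from the handbook or from WordPress core; it assumes a hypothetical plugin that stores two user meta keys, myplugin_last_ip and myplugin_notes, and uses wp_privacy_anonymize_data where a record should survive without identifying anyone.

```php
<?php
// Added example, not WordPress core or handbook code. Assumes a hypothetical plugin
// that stores two user meta keys: 'myplugin_last_ip' and 'myplugin_notes'.
// 1. Disclose what is collected, so site owners can add it to their privacy policy.
add_action( 'admin_init', function () {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // core privacy tools arrived in WordPress 4.9.6
    }
    $text = '<p>' . __( 'This plugin stores the IP address of your last login and any notes you submit. It does not share this data with third parties.', 'myplugin' ) . '</p>';
    wp_add_privacy_policy_content( 'My Plugin', wp_kses_post( $text ) );
} );
// 2. Exporter: hand back everything stored for the requested e-mail address.
function myplugin_export_personal_data( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    $data = array();
    if ( $user ) {
        $data[] = array(
            'group_id'    => 'myplugin',
            'group_label' => __( 'My Plugin', 'myplugin' ),
            'item_id'     => 'myplugin-' . $user->ID,
            'data'        => array(
                array( 'name' => 'Last login IP', 'value' => get_user_meta( $user->ID, 'myplugin_last_ip', true ) ),
                array( 'name' => 'Notes',         'value' => get_user_meta( $user->ID, 'myplugin_notes', true ) ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true ); // everything fits in one page
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['myplugin'] = array( 'exporter_friendly_name' => 'My Plugin', 'callback' => 'myplugin_export_personal_data' );
    return $exporters;
} );
// 3. Eraser: delete the notes; anonymize the IP instead of deleting it so that a
//    login record survives without identifying anyone (wp_privacy_anonymize_data).
function myplugin_erase_personal_data( $email_address, $page = 1 ) {
    $result = array( 'items_removed' => false, 'items_retained' => false, 'messages' => array(), 'done' => true );
    $user   = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return $result; // nothing stored for this address
    }
    delete_user_meta( $user->ID, 'myplugin_notes' );
    $ip = get_user_meta( $user->ID, 'myplugin_last_ip', true );
    update_user_meta( $user->ID, 'myplugin_last_ip', wp_privacy_anonymize_data( 'ip', $ip ) );
    $result['items_removed'] = true;
    return $result;
}
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['myplugin'] = array( 'eraser_friendly_name' => 'My Plugin', 'callback' => 'myplugin_erase_personal_data' );
    return $erasers;
} );
```

If your plugin must keep some data (the “order not yet completed” case above), the eraser should set items_retained to true and add a human-readable reason to messages rather than silently skipping it.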
External Resources
- Privacy Blog https://privacy.blog
- WordPress.org Privacy Policy https://wordpress.org/about/privacy/