WordPress.org

Make WordPress Core

Opened 7 weeks ago

Closed 3 weeks ago

Last modified 9 days ago

#43721 closed enhancement (fixed)

Adding links to imprint and privacy policy pages on WP login screens

Reported by: voneff
Owned by: desrosj
Milestone: 4.9.6
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords: gdpr commit fixed-major
Focuses:
Cc:

Description

As the GDPR asks for links to Imprint/Legal Notice and Privacy Policy pages on every page a website visitor could possibly land on – would it not be necessary to easily be able to include respective links to the WP login and logout pages?

Maybe this could be done via the customizer where website owners could be given the option to enter names and links to aforementioned pages and then have them displayed at the bottom of the login screens.

(This is my first core ticket so please bear with me if this is the wrong way to address this! ;-P)

Attachments (9)

43721.preview.jpg (102.3 KB) - added by xkon 5 weeks ago.
43721.diff (999 bytes) - added by xkon 5 weeks ago.
login-register_privacy.png (76.8 KB) - added by melchoyce 5 weeks ago.
43721.2.diff (999 bytes) - added by xkon 5 weeks ago.
43721.3.diff (1.2 KB) - added by xkon 5 weeks ago.
43721.4.diff (1.0 KB) - added by chetan200891 5 weeks ago.
43721.5.diff (1.2 KB) - added by xkon 5 weeks ago.
43721.6.diff (998 bytes) - added by xkon 4 weeks ago.
43721.7.diff (987 bytes) - added by desrosj 4 weeks ago.

Change History (39)

#1 @swissspidy
7 weeks ago

  • Keywords gdpr added

#2 follow-up: @xkon
5 weeks ago

Hello @voneff and welcome to core trac!

In my opinion you're absolutely correct, websites that do use the default registration/login pages should include a link to their Privacy Policy page if that exists as well.

In 43721.diff as we now have the handy get_privacy_policy_url() it adds the links in the current nav if a policy page link exists.

@melchoyce would you be ok with this added in the nav as seen in 43721.preview.jpg ?

@azaozz after taking a look at this do you think we could enhance the get_privacy_policy_url() to check if the page defined is of status Publish as well? Since the function returns just the URL at the moment without the Publish check, if it is still a 'draft' you end up having a 404 link basically if used for Front End as here. Or should the check be made manually in the template itself?

#3 in reply to: ↑ 2 @azaozz
5 weeks ago

Replying to xkon:

@azaozz after taking a look at this do you think we could enhance the get_privacy_policy_url() to check if the page defined is of status Publish as well?

Ah, good catch! Will fix that shortly.

This ticket was mentioned in Slack in #gdpr-compliance by xkon.


5 weeks ago

#5 @melchoyce
5 weeks ago

That list of links is specifically geared towards helping people sign up or log in, so adding the Privacy Policy link there wouldn't be appropriate.

If this is absolutely legally necessary, I'd recommend sticking a smaller link (13px or smaller) to the bottom of the screen. See attached image.

#6 @desrosj
5 weeks ago

  • Owner set to xkon
  • Status changed from new to assigned

#7 @xkon
5 weeks ago

  • Keywords has-patch 2nd-opinion added

43721.2.diff was a false upload, sorry wrong click.

In 43721.3.diff moved the Privacy Policy link on the bottom of the page as @melchoyce suggested above.

#8 @chetan200891
5 weeks ago

@xkon I have tested your patch and made some changes, and added new patch 43721.4.diff. Removed 'login_link_separator'. Also made some changes to CSS.

#9 @xkon
5 weeks ago

Oh good catch @chetan200891 I forgot about the separator from moving the code :) thank you!

#10 @xkon
5 weeks ago

43721.5.diff updates the code to be more consistent as used in #43715 as well.

This ticket was mentioned in Slack in #core by chetan200891.


5 weeks ago

This ticket was mentioned in Slack in #gdpr-compliance by xkon.


4 weeks ago

#13 @desrosj
4 weeks ago

  • Milestone changed from Awaiting Review to 4.9.6

#14 follow-up: @allendav
4 weeks ago

@voneff - please cite the article and paragraph where this is required - thanks!

#15 in reply to: ↑ 14 @voneff
4 weeks ago

Replying to allendav:

@voneff - please cite the article and paragraph where this is required - thanks!

Sure, I should probably have included this from the start.

I think Chapter 3, Section 2, Article 13 of the GDPR applies to every public-facing site of a website: "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: …" [Emphasis my own, source: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/]

This is quite obvious when you allow people to register on your site, such as:

https://login.wordpress.org/register?locale=en_US
http://videos.wpbeginner.com/
https://css-tricks.com/wp-login.php?action=register

But also the /wp-login.php page is public-facing – especially as it is linked to from the meta section in the sidebar on any fresh install. And if you collect personal data such as the IP address with your website this data will be collected here as well.

Is that sufficient? If not, let me know and I'll dig deeper...

Last edited 4 weeks ago by voneff

#16 @xkon
4 weeks ago

  • Keywords needs-testing added; 2nd-opinion removed

43721.6.diff updates previous patches, using the_privacy_policy_link().

This ticket was mentioned in Slack in #core by jeffpaul.


4 weeks ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.


4 weeks ago

#19 @desrosj
4 weeks ago

  • Owner changed from xkon to desrosj
  • Status changed from assigned to reviewing

#20 @desrosj
4 weeks ago

  • Keywords needs-testing removed

43721.7.diff just makes an adjustment to when the link becomes pinned to the bottom.

This is good to go. I just want confirmation from @allendav that this is necessary and that we are interpreting the guidelines correctly before adding commit.

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.


4 weeks ago

#22 @desrosj
4 weeks ago

  • Keywords 2nd-opinion added

If necessary, this needs to be backported after #43850.

#23 @allendav
4 weeks ago

This makes sense - since personal data collection is more likely for registered users, and the privacy policy might have updates which impact registered user personal data collection, it makes sense to provide a link to the privacy policy at this screen BEFORE they login.

#24 @desrosj
3 weeks ago

  • Keywords commit added; 2nd-opinion removed

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.


3 weeks ago

#26 @iandunn
3 weeks ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 43120:

Privacy: Add policy link to login screen.

Personal data collection is more likely for registered users than casual visitors, and the privacy policy might have been updated since a user last logged in. Those changes could impact the collection of personal data from registered users, so it makes sense to provide a link to the policy before users log in.

Props voneff, xkon, melchoyce, chetan200891, desrosj.
Fixes #43721.

#27 @iandunn
3 weeks ago

  • Keywords fixed-major added; has-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for backport to 4.9 branch.

#28 @SergeyBiryukov
3 weeks ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43124:

Privacy: Add policy link to login screen.

Personal data collection is more likely for registered users than casual visitors, and the privacy policy might have been updated since a user last logged in. Those changes could impact the collection of personal data from registered users, so it makes sense to provide a link to the policy before users log in.

Props voneff, xkon, melchoyce, chetan200891, desrosj.
Merges [43120] to the 4.9 branch.
Fixes #43721.

#29 @voneff
3 weeks ago

Wow, we're in the beta – thanks everybody!

Pretty exciting for me as this really was my first core contribution whatsoever.

Credit also goes to Tanya R. Quintieri who raised this issue in a Facebook group and really got me thinking that it should be a core feature.

Cheers!

#30 @desrosj
9 days ago

  • Component changed from Login and Registration to Privacy

Moving to the new Privacy component.