Opened 20 months ago

Closed 20 months ago

Last modified 19 months ago

#43721 closed enhancement (fixed)

Adding links to imprint and privacy policy pages on WP login screens

Reported by: voneff
Owned by: desrosj
Milestone: 4.9.6
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords: gdpr commit fixed-major
Focuses:
Cc:
PR Number:

Description

As the GDPR asks for links to Imprint/Legal Notice and Privacy Policy pages on every page a website visitor could possibly land on – would it not be necessary to easily be able to include respective links to the WP login and logout pages?

Maybe this could be done via the customizer where website owners could be given the option to enter names and links to aforementioned pages and then have them displayed at the bottom of the login screens.

(This is my first core ticket so please bear with me if this is the wrong way to address this! ;-P)

Attachments (9)

43721.preview.jpg (102.3 KB) - added by xkon 20 months ago.
43721.diff (999 bytes) - added by xkon 20 months ago.
login-register_privacy.png (76.8 KB) - added by melchoyce 20 months ago.
43721.2.diff (999 bytes) - added by xkon 20 months ago.
43721.3.diff (1.2 KB) - added by xkon 20 months ago.
43721.4.diff (1.0 KB) - added by chetan200891 20 months ago.
43721.5.diff (1.2 KB) - added by xkon 20 months ago.
43721.6.diff (998 bytes) - added by xkon 20 months ago.
43721.7.diff (987 bytes) - added by desrosj 20 months ago.

Change History (39)

#1 @swissspidy
20 months ago

  • Keywords gdpr added

#2 follow-up: @xkon
20 months ago

Hello @voneff and welcome to core trac!

In my opinion you're absolutely correct, websites that do use the default registration/login pages should include a link to their Privacy Policy page if that exists as well.

In 43721.diff as we now have the handy get_privacy_policy_url() it adds the links in the current nav if a policy page link exists.

@melchoyce would you be ok with this added in the nav as seen in 43721.preview.jpg ?

@azaozz after taking a look at this do you think we could enhance the get_privacy_policy_url() to check if the page defined is of status Publish as well? Since the function returns just the URL at the moment without the Publish check, if it is still a 'draft' you end up having a 404 link basically if used for Front End as here. Or should the check be made manually in the template itself?

#3 in reply to: ↑ 2 @azaozz
20 months ago

Replying to xkon:

@azaozz after taking a look at this do you think we could enhance the get_privacy_policy_url() to check if the page defined is of status Publish as well?

Ah, good catch! Will fix that shortly.

This ticket was mentioned in Slack in #gdpr-compliance by xkon. View the logs.


20 months ago

#5 @melchoyce
20 months ago

That list of links is specifically geared towards helping people sign up or log in, so adding the Privacy Policy link there wouldn't be appropriate.

If this is absolutely legally necessary, I'd recommend sticking a smaller link (13px or smaller) to the bottom of the screen. See attached image.

#6 @desrosj
20 months ago

  • Owner set to xkon
  • Status changed from new to assigned

#7 @xkon
20 months ago

  • Keywords has-patch 2nd-opinion added

43721.2.diff was a false upload, sorry wrong click.

In 43721.3.diff moved the Privacy Policy link to the bottom of the page as @melchoyce suggested above.

#8 @chetan200891
20 months ago

@xkon I have tested your patch and made some changes, and added new patch 43721.4.diff. Removed 'login_link_separator'. Also made some changes to CSS.

#9 @xkon
20 months ago

Oh good catch @chetan200891 I forgot about the separator from moving the code :) thank you!

#10 @xkon
20 months ago

43721.5.diff updates the code to be more consistent as used in #43715 as well.

This ticket was mentioned in Slack in #core by chetan200891. View the logs.


20 months ago

This ticket was mentioned in Slack in #gdpr-compliance by xkon. View the logs.


20 months ago

#13 @desrosj
20 months ago

  • Milestone changed from Awaiting Review to 4.9.6

#14 follow-up: @allendav
20 months ago

@voneff - please cite the article and paragraph where this is required - thanks!

#15 in reply to: ↑ 14 @voneff
20 months ago

Replying to allendav:

@voneff - please cite the article and paragraph where this is required - thanks!

Sure, I should probably have included this from the start.

I think Chapter 3, Section 2, Article 13 of the GDPR applies to every public-facing site of a website:
"Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: …" [Emphasis my own, source: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/]

This is quite obvious when you allow people to register on your site, such as:

https://login.wordpress.org/register?locale=en_US
http://videos.wpbeginner.com/
https://css-tricks.com/wp-login.php?action=register

But also the /wp-login.php page is public-facing – especially as it is linked to from the meta section in the sidebar on any fresh install. And if you collect personal data such as the IP address with your website this data will be collected here as well.

Is that sufficient? If not, let me know and I'll dig deeper...

#16 @xkon
20 months ago

  • Keywords needs-testing added; 2nd-opinion removed

43721.6.diff updates previous patches, using the_privacy_policy_link().

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


20 months ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


20 months ago

#19 @desrosj
20 months ago

  • Owner changed from xkon to desrosj
  • Status changed from assigned to reviewing

#20 @desrosj
20 months ago

  • Keywords needs-testing removed

43721.7.diff just makes an adjustment to when the link becomes pinned to the bottom.

This is good to go. I just want confirmation from @allendav that this is necessary and that we are interpreting the guidelines correctly before adding commit.

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


20 months ago

#22 @desrosj
20 months ago

  • Keywords 2nd-opinion added

If necessary, this needs to be backported after #43850.

#23 @allendav
20 months ago

This makes sense - since personal data collection is more likely for registered users, and the privacy policy might have updates which impact registered user personal data collection, it makes sense to provide a link to the privacy policy at this screen BEFORE they login.

#24 @desrosj
20 months ago

  • Keywords commit added; 2nd-opinion removed

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


20 months ago

#26 @iandunn
20 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 43120:

Privacy: Add policy link to login screen.

Personal data collection is more likely for registered users than casual visitors, and the privacy policy might have been updated since a user last logged in. Those changes could impact the collection of personal data from registered users, so it makes sense to provide a link to the policy before users log in.

Props voneff, xkon, melchoyce, chetan200891, desrosj.
Fixes #43721.

#27 @iandunn
20 months ago

  • Keywords fixed-major added; has-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for backport to 4.9 branch.

#28 @SergeyBiryukov
20 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43124:

Privacy: Add policy link to login screen.

Personal data collection is more likely for registered users than casual visitors, and the privacy policy might have been updated since a user last logged in. Those changes could impact the collection of personal data from registered users, so it makes sense to provide a link to the policy before users log in.

Props voneff, xkon, melchoyce, chetan200891, desrosj.
Merges [43120] to the 4.9 branch.
Fixes #43721.

#29 @voneff
20 months ago

Wow, we're in the beta – thanks everybody!

Pretty exciting for me as this really was my first core contribution whatsoever.

Credit also goes to Tanya R. Quintieri who raised this issue in a Facebook group and really got me thinking that it should be a core feature.

Cheers!

#30 @desrosj
19 months ago

  • Component changed from Login and Registration to Privacy

Moving to the new Privacy component.
