WordPress.org

Make WordPress Core

Opened 7 weeks ago

Last modified 10 days ago

#43938 new enhancement

Make it clear to administrators that not all plugins support privacy policy content, personal data export and erasure

Reported by: allendav
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: trunk
Component: Privacy
Keywords: gdpr needs-patch needs-design ui-feedback ux-feedback privacy-roadmap
Focuses:
Cc:

Description

It is likely that there will be many plugins that will not implement the new privacy policy content hooks nor the personal data export and erasure hooks for some time (if ever).

It would be unfortunate for administrators to overlook privacy policy impacts from such plugins, or to assume that personal data export and erasure included personal data collected by such plugins.

As part of privacy policy content UX, as well as export and erasure UX, we should come up with a way to prompt administrators to take this into consideration.

Attachments (3)

erase.png (377.9 KB) - added by allendav 5 weeks ago.
Rough draft of erase notice
export.png (355.1 KB) - added by allendav 5 weeks ago.
Rough draft of export notice
privacy-policy-guide.png (523.6 KB) - added by allendav 5 weeks ago.
Rough draft of privacy policy guide notice


Change History (19)

This ticket was mentioned in Slack in #gdpr-compliance by allendav. View the logs.


7 weeks ago

#2 @idea15
7 weeks ago

I'd agree that we can strengthen the language we use to remind administrators that they are responsible for the accuracy of their privacy notices, but when you say "prompt" I think another dashboard admin notice. What did you have in mind?

#3 @desrosj
5 weeks ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

#4 @allendav
5 weeks ago

@idea15 - I was thinking less a notice and more a not-missable always-present blob o' text on the export and erasure management pages making it clear which exporters and erasers are present and calling to the admin's attention that they are responsible for separately managing exports/erasure for anything not listed.

#5 @idea15
5 weeks ago

Sure. Let's work on the text.

@allendav
5 weeks ago

Rough draft of erase notice

@allendav
5 weeks ago

Rough draft of export notice

@allendav
5 weeks ago

Rough draft of privacy policy guide notice

#6 @allendav
5 weeks ago

@idea15 @melchoyce rough draft ideas above (the blue barred sections added to the top of each of the three pages)

Last edited 5 weeks ago by allendav

#7 @idea15
5 weeks ago

I'd take out "please note" as it's a bit stiff from both.

When we say "this tool only erases the personal data stored by WordPress", remember that a lot of people have no understanding of what is and isn't out of the box WP.

Also, when we say "non participating plugins", that could be interpreted as privacy shaming.

#8 @xkon
5 weeks ago

The "participating plugins" is a bit confusing to me. Even if I were to translate it into my native language, it would still not make much sense at all for a simple user: 'all installed plugins are participating somehow since they are in there', if that makes sense. Also, the names of the exporters wouldn't mean anything to most people, I guess, as well.

@allendav would it be wiser to just show the names of the plugins that are using the erasure/export instead and leave it at that maybe?

This way we could say something like "This tool only exports the personal data stored by WordPress and the plugins listed below. It is your responsibility to export any personal data from plugins that you might have installed and are not seen in this list. - [List of plugins names]".

#9 @allendav
5 weeks ago

@xkon - I would love to just list the plugins that require manual export/erasure, but we don't have a way of getting the list of "participating" plugins... although plugins can register exporters and erasers, we can't work from that list back to the "participating" plugins - because we don't enforce/require plugin slugs during the current registration process.

Maybe we should fix that oversight.

This ticket was mentioned in Slack in #gdpr-compliance by allendav. View the logs.


4 weeks ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


4 weeks ago

#13 @desrosj
4 weeks ago

Related: #43750.

#14 @allendav
3 weeks ago

  • Keywords ui-feedback ux-feedback added

#15 @allendav
3 weeks ago

Hopefully we can use the plugin header work ( #43750 ) to make it so we can just present the plugins NOT participating - that will make it easier for the end-user to know what they need to do.

#16 @desrosj
10 days ago

  • Keywords privacy-roadmap added