WordPress.org

Make WordPress Core

Opened 6 weeks ago

Last modified 3 weeks ago

#44001 new enhancement

GDPR: oEmbed two click / local emoji scripts

Reported by: yoursql719
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: major
Version: 4.9.5
Component: Privacy
Keywords: gdpr needs-patch
Focuses:
Cc:

Description

Hi,

the first beta release of 4.9.6 has a few optimizations due to the GDPR, but I think WordPress is missing two very relevant features. With the latest beta release, WordPress would not be legal for use within the EU - except if you're using WordPress as a private notepad!

1) oEmbed two-click solution: similar to the Shariff plugin, all items embedded via the core WordPress oEmbed function need two-click privacy. Only when the user first clicks on the embedded item should the scripts become active, so that the user can view / listen to the embedded item.

2) The emoji script is loaded from Automattic. There is no possibility to disable this behaviour, or best would be: load all scripts locally. This is one of the relevant parts of GDPR: you cannot tell your users or lawyers why it is relevant for using your site when specific scripts like emoji are loaded from a CDN. There is no need for a CDN.

It would be great if you could still consider implementing both of these things, because they are more important than a general privacy policy page, which most WordPress users had already created as a single page. And I think not all related core features need an extra plugin when it's time to develop the core further. WordPress should go ahead and implement more features in core rather than having even more plugins used for a proper website.

Thanks and regards,
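
A sketch of the two-click behaviour requested in point 1, as an added example that is not part of the ticket and not WordPress core code. The function names, the `two-click-embed` class, the host allow-list and the sample markup are assumptions made for illustration.

```javascript
// Added example, not WordPress core code. Function names, CSS class and the
// host allow-list are assumptions made for this sketch.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Constructed sample of provider markup as an oEmbed response might return it.
const SAMPLE_EMBED =
  '<iframe width="560" height="315" ' +
  'src="https://www.youtube.com/embed/VIDEO_ID?feature=oembed" allowfullscreen></iframe>';

function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Parse and vet an embed URL: https only, host must be on the allow-list.
function vetEmbedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) return null;
  return url;
}

// First render: replace the provider markup with an inert placeholder. No
// iframe or script is emitted, so the browser contacts no third party yet.
// Returns null when nothing safe can be gated (caller shows a plain link).
function gateEmbed(html) {
  const match = /<iframe\b[^>]*\bsrc="([^"]+)"/i.exec(html);
  const url = match && vetEmbedUrl(match[1].replace(/&amp;/g, '&'));
  if (!url) return null;
  return '<div class="two-click-embed" data-embed-src="' + escapeAttr(url.href) + '">' +
    '<button type="button">Load content from ' + escapeAttr(url.hostname) + '</button></div>';
}

// Second click: build the real iframe, re-checking the stored URL because the
// data attribute could have been altered in the page.
function activateEmbed(src) {
  const url = vetEmbedUrl(src);
  if (!url) throw new Error('embed host not allowed');
  return '<iframe src="' + escapeAttr(url.href) + '" allowfullscreen></iframe>';
}

// Browser wiring: swap the placeholder for the iframe only after a click.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (event) => {
    const box = event.target.closest('.two-click-embed');
    if (box) box.outerHTML = activateEmbed(box.dataset.embedSrc);
  });
}
```

The placeholder is what the server would send in place of the cached oEmbed HTML; the regular-expression extraction covers iframe-based embeds only, so script-based embeds fall through to the `null` case.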

Change History (8)

#1 @swissspidy
6 weeks ago

  • Keywords gdpr added

#2 follow-up: @swissspidy
6 weeks ago

> The emoji script is loaded from Automattic

The emoji stuff is loaded from the WordPress.org CDN. It has nothing to do with the company Automattic.

As for the suggestions: IANAL, but I don't think these steps are necessary for GDPR compliance. But I leave that for the experts to decide.

#3 in reply to: ↑ 2 @yoursql719
6 weeks ago

Replying to swissspidy:

> The emoji script is loaded from Automattic
>
> The emoji stuff is loaded from the WordPress.org CDN. It has nothing to do with the company Automattic.

Thanks for the clarification. Even loading a script from a CDN must be clarified, if this CDN stores any user cookies / information. Till now there is no information about what info is stored on the WordPress servers every time this script is loaded.

> As for the suggestions: IANAL, but I don't think these steps are necessary for GDPR compliance. But I leave that for the experts to decide.

I can show you several posts about this problem and it is very relevant and one of the main parts of the GDPR: YouTube and other providers store cookies when a user is accessing your site. Therefore it is not enough only to tell the user that you're doing this. You need the user to have a choice, whether he would like to see the video or not. It should NOT be loaded without any kind of opt-in. This is especially a German jurisdiction problem and yes, it affects the e-privacy law partly, which comes with 2019, but some parts will be relevant on May 25th.

#4 follow-up: @TimothyBlynJacobs
6 weeks ago

See also #43713

#5 in reply to: ↑ 4 @yoursql719
6 weeks ago

Replying to TimothyBlynJacobs:

> See also #43713

Thanks. It's a similar topic, but removing makes no sense. A two-click option would be the best: what should happen to already embedded content? Disabling oEmbed in backend would be the worst solution ever.

This ticket was mentioned in Slack in #gdpr-compliance by allendav.

6 weeks ago

#7 @desrosj
5 weeks ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

This ticket was mentioned in Slack in #core-privacy by desrosj.

3 weeks ago
