Make WordPress Core

Opened 6 years ago

Last modified 6 years ago

#44186 new enhancement

Possible enhancements to 4.9.6 privacy tools

Reported by: mnzhc
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9.6
Component: Privacy
Keywords:
Focuses:
Cc:

Description

-- User should start a request from the frontend

The user can create his own request starting from the privacy page. The forms are similar to the change password and login forms.
Maybe, at first, WordPress does not provide the form directly, but lets the developer start a request from a form submission by hooking into a specific hook or using a function provided by the core.

-- Automatic request processing

The user could receive the first email without admins starting or confirming the process, as for the change password request. For large websites it is unthinkable that they rely on the WordPress system to manage privacy requests if tasks of this kind have to be done by admins; they will go for other plugins to do that. We need to include an option to disable automatic request processing and leave things as in 4.9.6.

-- Automatic send data

As for request processing, the user could confirm the link in the second email and get the data directly without admin work.

-- User should see their data on a web page (Frontend Personal Data Profile Page?)

I guess the zip download has been long discussed, but in my personal opinion it is a really bad practice. We are talking about privacy and data protection and we should not stimulate the proliferation of pieces of personal data spreading across the internet and devices.

I'm thinking of a request started from a mobile device: the user can have his own data and can delete it from your website. But in some cases this is not a real data erasure, it is just a data transfer, as after the request the download folder of the mobile device has a PDF containing a lot of personal information like addresses, family status, account names, phone numbers, etc.
People are not educated to take care of their personal data.

Using a web page to show the personal data we could achieve more than one goal:

  • we strengthen overall privacy by avoiding data proliferation
  • people will remain on the website (marketers will love it)
  • we could get granular erasure of data
  • users can update their data

-- Granular erasure of data

As of 4.9.6 the request to delete personal data is an all-or-nothing action. People can request to delete all the data from the website and maybe delete their account.
People may want to delete just some part of the data (maybe a second address, the family status, their phone number) but let the rest be processed for their sake (they want to be in your interest-based newsletter).

And again, for the sake of the website admins, the relationship with the user will continue.

Example of an overall process:

  • User starts a data export request
  • Website sends an email to be confirmed
  • User confirms the email
  • Website sends a second email with the link to see (and eventually download and erase) the personal data
  • On the Frontend Personal Data Profile Page the user deletes an address and his marital status and updates the phone number.

Every single step in the process could be automatic or manual depending on the admins' preferences.

Change History (5)

#1 @Clorith
6 years ago

  • Component changed from General to Privacy
  • Version set to 4.9.6

#2 @Clorith
6 years ago

Hi there, and welcome to the WordPress trac!

I had a quick read of the ticket, and personally I think these all sound like ideal candidates for plugins. In most cases, users won't receive that many requests that they need a front-end system for data requests, and any request for sending and erasing data should be validated by the site owner before it's carried out.

Any major site that is likely to receive these will already have established procedures to follow and will, as you mentioned, not necessarily use the built in features in WordPress either.

As for the process of sending data as zip files, there are a few scenarios where this is beneficial (and it has become sort of a standard, as you don't know how much data will be sent and what data it will include, if someone extends the exporter to include files for example). Let's also not forget that as soon as there's a front-facing version of a page, it is susceptible to caching; if a URL is cached, and then brute force attempts at finding a hashed address carry through, you've got a much bigger issue on your hands (just to name some of the more likely scenarios).

#3 @mnzhc
6 years ago

Thank you @Clorith for the explanations.
Then it would be useful to know the functions to start the request and eventually automatically validate the confirmation, so people can develop their own functionality.
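As an added example (not code from the ticket, from WordPress core, or from any commenter), the plugin below shows the core functions that 4.9.6 already ships for the two things asked about above: wp_create_user_request() and wp_send_user_request() start a request programmatically from a front-end form, and the user_request_action_confirmed action fires once the user follows the e-mailed link and core has validated the key. The shortcode name, form field and nonce names, text domain and the mnzhc_ function prefix are assumptions made for this example. It deliberately does not auto-complete the export or erasure after confirmation; the request stays in the admin queue so a site owner still validates it, as Clorith's comment recommends.

```php
<?php
/**
 * Added example, not WordPress core code: a minimal plugin letting a
 * logged-in user start their own personal-data request from the front end.
 *
 * Core functions used (present in 4.9.6): wp_create_user_request(),
 * wp_send_user_request(), wp_get_user_request_data(), and the
 * 'user_request_action_confirmed' action. Shortcode, field names, nonce
 * action, text domain and the mnzhc_ prefix are assumptions for this example.
 */

// Shortcode [mnzhc_privacy_request] renders the request form (assumed name).
add_shortcode( 'mnzhc_privacy_request', 'mnzhc_privacy_request_form' );

function mnzhc_privacy_request_form() {
    if ( ! is_user_logged_in() ) {
        return '<p>' . esc_html__( 'Please log in to request your personal data.', 'mnzhc' ) . '</p>';
    }

    $out = '';
    if ( isset( $_GET['privacy_request'] ) && 'sent' === $_GET['privacy_request'] ) {
        $out .= '<p>' . esc_html__( 'Check your e-mail for a confirmation link.', 'mnzhc' ) . '</p>';
    }

    $out .= '<form method="post">';
    // Nonce field ties the submission to this user's session (CSRF protection).
    $out .= wp_nonce_field( 'mnzhc_privacy_request', 'mnzhc_privacy_nonce', true, false );
    $out .= '<input type="hidden" name="mnzhc_privacy_action" value="export_personal_data" />';
    $out .= '<button type="submit">' . esc_html__( 'Request my personal data', 'mnzhc' ) . '</button>';
    $out .= '</form>';
    return $out;
}

// Handle the POST before any output so we can redirect afterwards.
add_action( 'template_redirect', 'mnzhc_handle_privacy_request' );

function mnzhc_handle_privacy_request() {
    if ( ! isset( $_POST['mnzhc_privacy_action'] ) || ! is_user_logged_in() ) {
        return;
    }
    if ( ! isset( $_POST['mnzhc_privacy_nonce'] )
        || ! wp_verify_nonce( $_POST['mnzhc_privacy_nonce'], 'mnzhc_privacy_request' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'mnzhc' ) );
    }

    // Only the two core action names are accepted; anything else is rejected.
    $action = sanitize_key( $_POST['mnzhc_privacy_action'] );
    if ( ! in_array( $action, array( 'export_personal_data', 'remove_personal_data' ), true ) ) {
        wp_die( esc_html__( 'Unknown request type.', 'mnzhc' ) );
    }

    // Always use the e-mail of the logged-in account, never a submitted address:
    // this is what stops one visitor from requesting someone else's data.
    $user = wp_get_current_user();

    // Core creates the request (status request-pending) or returns WP_Error,
    // e.g. 'duplicate_request' when a request for this address is already open.
    $request_id = wp_create_user_request( $user->user_email, $action );
    if ( is_wp_error( $request_id ) ) {
        wp_die( esc_html( $request_id->get_error_message() ) );
    }

    // Core e-mails the confirmation link carrying a time-limited key.
    $sent = wp_send_user_request( $request_id );
    if ( is_wp_error( $sent ) ) {
        wp_die( esc_html( $sent->get_error_message() ) );
    }

    wp_safe_redirect( add_query_arg( 'privacy_request', 'sent' ) );
    exit;
}

// Core fires this after the user follows the link and the key validates.
// Notify the reviewer here; do not export or erase, so a site owner still
// validates each request before it is completed.
add_action( 'user_request_action_confirmed', 'mnzhc_on_request_confirmed' );

function mnzhc_on_request_confirmed( $request_id ) {
    $request = wp_get_user_request_data( $request_id );
    if ( ! $request ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( 'Privacy request #%d confirmed (%s)', $request_id, $request->action_name ),
        sprintf( '%s confirmed a %s request. Review it under Tools in wp-admin.', $request->email, $request->action_name )
    );
}
```

The two design choices worth noting: the address passed to wp_create_user_request() comes from the logged-in account rather than from the form, so the request cannot be started for another person's e-mail, and the confirmation hook only notifies an administrator rather than fulfilling the request, which keeps the owner-validation step that the thread argues for while still giving plugin developers the entry points asked about.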

#4 @clorith
6 years ago

This ticket was mentioned in Slack in #forums by clorith.

#5 @dejliglama
6 years ago

I'm pulling this part out of this ticket and amending it to a new ticket on granular deletion/anonymization of data:

-- Granular erasure of data

As of 4.9.6 the request to delete personal data is an all-or-nothing action. People can request to delete all the data from the website and maybe delete their account. People may want to delete just some part of the data (maybe a second address, the family status, their phone number) but let the rest be processed for their sake (they want to be in your interest-based newsletter).
