Make WordPress Core

Opened 7 months ago

Last modified 4 days ago

#44464 reviewing defect (bug)

Guide to write privacy policy: inexact point?

Reported by: Paride15
Owned by: garrett-eclipse
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9.6
Component: Privacy
Keywords: reporter-feedback
Focuses:
Cc:


Hi, I'm not sure I'm in the right place; the assistance from dpo[at]wordcamp.org sent me here...

In the privacy tool, in the guide for writing a privacy policy page, it says that WordPress won't collect data by default; I think this is inexact. Integrated services by default, like CDN resources, pingback/trackback, collect the IP address; this is considered personal data by the European Court...

Change History (2)

#1 @garrett-eclipse
9 days ago

  • Focuses docs administration privacy removed
  • Keywords reporter-feedback added
  • Owner set to garrett-eclipse
  • Status changed from new to reviewing
  • Version set to 4.9.6

Hi @Paride15 thank you for flagging to us here.

There are a lot of references to 'By default WordPress' in the current guide, so I wanted to be sure which point specifically you're speaking of. If you could quote it, that'd be helpful.

Here are some options I found:

  • Under 'What personal data we collect and why we collect it'; "By default WordPress does not collect any personal data about visitors, and only collects the data shown on the User Profile screen from registered users. However some of your plugins may collect personal data. You should add the relevant information below."
  • Under 'Analytics'; "By default WordPress does not collect any analytics data. However, many web hosting accounts collect some anonymous analytics data. You may also have installed a WordPress plugin that provides analytics services. In that case, add information from that plugin here."
  • Under 'Who we share your data with'; "By default WordPress does not share any personal data with anyone."

Please be as specific as you can not only on which verbiage but also what makes it invalid/inexact.

Some notes on your points:

  • Integrated services - By default, only Gravatar is integrated. There are oEmbed capabilities but that requires the admin or an author/editor to add the embed.
  • CDN resources - By default WordPress doesn't have any CDN resources, all third-party scripts are localized.
  • pingback/trackback collect IP address - This is the server IP address and not a user IP so isn't considered Personally Identifiable Information.

So correct me if I'm wrong, but it seems by default only Gravatar collects personal information in the form of IP. That's currently being looked at in #44067 and #14682, as well as being on the Privacy roadmap.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse.

4 days ago
