[wp-trac] [WordPress Trac] #59445: Emoji Caching could violate GDPR / CCPA
WordPress Trac
noreply at wordpress.org
Sun Feb 4 18:57:24 UTC 2024
#59445: Emoji Caching could violate GDPR / CCPA
--------------------------+-----------------------------------
Reporter: antmg | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Emoji | Version: 6.3
Severity: major | Resolution:
Keywords: close | Focuses: performance, privacy
--------------------------+-----------------------------------
Changes (by jankarres):
* status: closed => reopened
* resolution: wontfix =>
Comment:
I take it from your answer that the legal advice only asked whether this
commit needs to be reverted on the basis of the commit and the discussion
of this ticket. The technical explanation and evaluation of the
functionality was the responsibility of the legal advisor, without the
support of a software developer.
I work in the area of consent management for EU law and, in my experience,
the approach described is often not helpful, as there are very few lawyers
who have a sufficient IT background to be able to evaluate the case
technically themselves, which is essential for a correct legal assessment
of the case.
In the following, I would like to present my legal opinion with regard to
the scope of application of the EU and EEA, as well as the concrete
implementation of the legislation in Germany. This statement is not legal
advice, but only a statement of my legal opinion.
**Technical evaluation of the process:**
The commit https://core.trac.wordpress.org/changeset/56074 extends the
function `wpEmojiLoader()` in the file `trunk/src/js/_enqueues/lib/emoji-
loader.js`, whereby, among other things, the detection of whether Twemoji
(library) needs to be loaded is to be improved. Twemoji should only be
loaded in if the browser used does not support emojis, which only applies
to very old browsers. The function `testEmojiSupports()` checks whether
the browser supports emojis by addressing a functionality of the browser
for rendering emojis, which only works if the browser has implemented it.
New in the commit is that after the tests have been executed, the new
function `setSessionSupportTests()` is called, which persistently writes
the test results including a UNIX timestamp of the storage time to the
session storage object `wpEmojiSettingsSupports` on the end device.
With a further call, the `getSessionSupportTests()` function reads out
whether test results have already been persistently saved. If these have
been saved, it checks whether they are not older than one week. If they
are less than a week old, the saved test results are used to decide
whether Twemoji should be loaded.
The aim of data processing is to avoid having to perform the check again
each time a page is called up within the browser tab (scope of validity of
session storage objects) and thus save < 1 ms of website loading time.
**Legal evaluation in terms of the relevant legislation in the EU and
EEA**
''GDPR''
The subject matter of the GDPR covers, among other things, the automated
processing of personal data (Art. 2 GDPR; https://gdpr-
text.com/read/article-2/).
The test result as to whether the browser used technically supports the
rendering of emojis allows a vague conclusion to be drawn about the
software used, but not about the concret user, which is why I do not see
any personal data reference here. The UNIX timestamp of the writing of the
session storage object allows a conclusion to be drawn about when the
browser tab of the end device last called up the website if the time is
greater than one week and when the test was last executed if the time is
less than or equal to one week. A personal reference to this date cannot
be established without other essential information such as the website
vistors IP address. Consequently, I do not consider this to be personal
data within the meaning of the legal requirement.
Consequently, I do not consider the session storage object to be within
the scope of the GDPR.
''ePrivacy Directive''
The Directive 2002/58/EC (https://eur-lex.europa.eu/legal-
content/EN/ALL/?uri=CELEX:32002L0058), amended by Directive 2009/136/EC
(often called "ePrivacy Directive"; https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=celex%3A32009L0136) is a directive that must be
transposed into national law by the respective nation states in order to
ensure the protection of privacy in terminal equipment. In Germany, for
example, Art. 25 f. TTDSG (https://dejure.org/gesetze/TTDSG/25.html; in
German) has been implemented the directive into national law. In the
following, I will refer to the ePrivacy Directive in order to take into
account the regulations applicable in the EU and EEA. Implementations such
as in the TTDSG in Germany cover the essence of the directive.
Recital 66 of 2009/136/EC explains that the storage or reading of data
from terminal equipment (including session storage) requires website
visitors to be provided with "clear and comprehensive information when
engaging in any activity which could result in such storage or gaining of
access". In addition, the website visitor must have the right to refuse
this data processing. In judgment C-673/17
(https://curia.europa.eu/juris/liste.jsf?language=en&num=C-673/17), the
ECJ clarifies that an opt-in procedure must be used for this purpose, as
sufficient information must first be provided and an informed decision
must then be able to be made. "Exceptions to the obligation to provide
information and offer the right to refuse should be limited to those
situations where the technical storage or access is strictly necessary for
the legitimate purpose of enabling the use of a specific service
explicitly requested by the subscriber or user." It is therefore necessary
to check whether `wpEmojiSettingsSupports` falls under this exception.
When accessing a WordPress website, I think it should be the explicit wish
of the website visitor to see its full content, which does not lead to any
further data processing by third parties. I think this also includes the
display of emojis, which is common in all modern applications. However, I
think it is questionable whether "technical storage or access is strictly
necessary", as the test as to whether the browser allows emojis can be
executed again each time a page is called up without any technical
obstacles. It does not burden the website visitor's end device in a way
that makes it impossible to access the website (less then 1 ms calculation
time).
As a result, I see an obligation under the ePrivacy Directive to obtain
consent for `wpEmojiSettingsSupports`.
The question of whether the loading time of the website is slightly worse
as a result or whether there is no technical added value in checking the
emoji functionality of the browser over and over again is irrelevant for
the legal regulation.
**Summary of the evaluation and recommendation**
I am of the legal opinion that the session storage object (cookie-like
information) `wpEmojiSettingsSupports` can only be set in the EU and EEA
with consent. Therefore, I recommend removing this function for setting
the session storage object from the WordPress core so that it can be used
in relation to the modified code without the need for a consent management
solution.
@peterwilsoncc I hope the shared legal opinion with sources is useful to
check again if the commit should be changed!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59445#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list