[wp-trac] [WordPress Trac] #44268: GDPR concerns on the core commenting flow
WordPress Trac
noreply at wordpress.org
Wed May 30 15:15:22 UTC 2018
#44268: GDPR concerns on the core commenting flow
---------------------------+------------------------------
Reporter: patricedefago | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 4.9.6
Severity: normal | Resolution:
Keywords: gdpr | Focuses:
---------------------------+------------------------------
Comment (by asadkn):

There's a lot of misinformation around ''consent''. There are six other
lawful bases in EU GDPR law and legitimate interest does cover things like
functional needs of software or network security.

Unless the email is going to be used for something else like marketing
(bundled form), there’s simply no reason for consent for WordPress
comments. Storing personal data in a cookie was more of a concern since
it's not really a necessity but an enhancement, and stores the data in a
less secure format that's a cookie - WordPress has that covered already
now.

In many unbundled forms like these, submitting the form itself is consent.
You obviously have to mention it in your Privacy Policy, but there's no
need for consent. In the comment form:

1. IP address is recorded for network security, spam etc. (Data retention
shouldn’t be more than needed though)
2. Name is a basic functional need for comments.
3. Email is needed for avatar, spam prevention, and perhaps
duplication/flood checks etc. (Though, WordPress should have an option to
make email optional here if the site owner decides not to use it for
anything)

What I believe will be helpful:

- A message to meet the right to be informed. This can be a statement below
the comment form with a link to privacy policy such as (just a quick
example, not concrete): "When adding a comment, your email address will
be used to display your Gravatar and your name will be displayed. Review
our Privacy Policy."
- Data retention policies on IP address for comments.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/44268#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform