[wp-trac] [WordPress Trac] #59445: Emoji Caching could violate GDPR / CCPA

WordPress Trac noreply at wordpress.org
Sun Feb 4 18:57:24 UTC 2024


#59445: Emoji Caching could violate GDPR / CCPA
--------------------------+-----------------------------------
 Reporter:  antmg         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Emoji         |     Version:  6.3
 Severity:  major         |  Resolution:
 Keywords:  close         |     Focuses:  performance, privacy
--------------------------+-----------------------------------
Changes (by jankarres):

 * status:  closed => reopened
 * resolution:  wontfix =>


Comment:

 I take it from your answer that the legal advice only asked whether this
 commit needs to be reverted on the basis of the commit and the discussion
 of this ticket. The technical explanation and evaluation of the
 functionality was the responsibility of the legal advisor, without the
 support of a software developer.

 I work in the area of consent management for EU law and, in my experience,
 the approach described is often not helpful, as there are very few lawyers
 who have a sufficient IT background to be able to evaluate the case
 technically themselves, which is essential for a correct legal assessment
 of the case.

 In the following, I would like to present my legal opinion with regard to
 the scope of application of the EU and EEA, as well as the concrete
 implementation of the legislation in Germany. This statement is not legal
 advice, but only a statement of my legal opinion.

 **Technical evaluation of the process:**

 The commit https://core.trac.wordpress.org/changeset/56074 extends the
 function `wpEmojiLoader()` in the file `trunk/src/js/_enqueues/lib/emoji-
 loader.js`, whereby, among other things, the detection of whether Twemoji
 (library) needs to be loaded is to be improved. Twemoji should only be
 loaded in if the browser used does not support emojis, which only applies
 to very old browsers. The function `testEmojiSupports()` checks whether
 the browser supports emojis by addressing a functionality of the browser
 for rendering emojis, which only works if the browser has implemented it.

 New in the commit is that after the tests have been executed, the new
 function `setSessionSupportTests()` is called, which persistently writes
 the test results including a UNIX timestamp of the storage time to the
 session storage object `wpEmojiSettingsSupports` on the end device.

 With a further call, the `getSessionSupportTests()` function reads out
 whether test results have already been persistently saved. If these have
 been saved, it checks whether they are not older than one week. If they
 are less than a week old, the saved test results are used to decide
 whether Twemoji should be loaded.

 The aim of data processing is to avoid having to perform the check again
 each time a page is called up within the browser tab (scope of validity of
 session storage objects) and thus save < 1 ms of website loading time.

 **Legal evaluation in terms of the relevant legislation in the EU and
 EEA**

 ''GDPR''

 The subject matter of the GDPR covers, among other things, the automated
 processing of personal data (Art. 2 GDPR; https://gdpr-
 text.com/read/article-2/).

 The test result as to whether the browser used technically supports the
 rendering of emojis allows a vague conclusion to be drawn about the
 software used, but not about the concret user, which is why I do not see
 any personal data reference here. The UNIX timestamp of the writing of the
 session storage object allows a conclusion to be drawn about when the
 browser tab of the end device last called up the website if the time is
 greater than one week and when the test was last executed if the time is
 less than or equal to one week. A personal reference to this date cannot
 be established without other essential information such as the website
 vistors IP address. Consequently, I do not consider this to be personal
 data within the meaning of the legal requirement.

 Consequently, I do not consider the session storage object to be within
 the scope of the GDPR.

 ''ePrivacy Directive''

 The Directive 2002/58/EC (https://eur-lex.europa.eu/legal-
 content/EN/ALL/?uri=CELEX:32002L0058), amended by Directive 2009/136/EC
 (often called "ePrivacy Directive"; https://eur-lex.europa.eu/legal-
 content/EN/TXT/?uri=celex%3A32009L0136) is a directive that must be
 transposed into national law by the respective nation states in order to
 ensure the protection of privacy in terminal equipment. In Germany, for
 example, Art. 25 f. TTDSG (https://dejure.org/gesetze/TTDSG/25.html; in
 German) has been implemented the directive into national law. In the
 following, I will refer to the ePrivacy Directive in order to take into
 account the regulations applicable in the EU and EEA. Implementations such
 as in the TTDSG in Germany cover the essence of the directive.

 Recital 66 of 2009/136/EC explains that the storage or reading of data
 from terminal equipment (including session storage) requires website
 visitors to be provided with "clear and comprehensive information when
 engaging in any activity which could result in such storage or gaining of
 access". In addition, the website visitor must have the right to refuse
 this data processing. In judgment C-673/17
 (https://curia.europa.eu/juris/liste.jsf?language=en&num=C-673/17), the
 ECJ clarifies that an opt-in procedure must be used for this purpose, as
 sufficient information must first be provided and an informed decision
 must then be able to be made. "Exceptions to the obligation to provide
 information and offer the right to refuse should be limited to those
 situations where the technical storage or access is strictly necessary for
 the legitimate purpose of enabling the use of a specific service
 explicitly requested by the subscriber or user." It is therefore necessary
 to check whether `wpEmojiSettingsSupports` falls under this exception.

 When accessing a WordPress website, I think it should be the explicit wish
 of the website visitor to see its full content, which does not lead to any
 further data processing by third parties. I think this also includes the
 display of emojis, which is common in all modern applications. However, I
 think it is questionable whether "technical storage or access is strictly
 necessary", as the test as to whether the browser allows emojis can be
 executed again each time a page is called up without any technical
 obstacles. It does not burden the website visitor's end device in a way
 that makes it impossible to access the website (less then 1 ms calculation
 time).

 As a result, I see an obligation under the ePrivacy Directive to obtain
 consent for `wpEmojiSettingsSupports`.

 The question of whether the loading time of the website is slightly worse
 as a result or whether there is no technical added value in checking the
 emoji functionality of the browser over and over again is irrelevant for
 the legal regulation.

 **Summary of the evaluation and recommendation**

 I am of the legal opinion that the session storage object (cookie-like
 information) `wpEmojiSettingsSupports` can only be set in the EU and EEA
 with consent. Therefore, I recommend removing this function for setting
 the session storage object from the WordPress core so that it can be used
 in relation to the modified code without the need for a consent management
 solution.

 @peterwilsoncc I hope the shared legal opinion with sources is useful to
 check again if the commit should be changed!

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/59445#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list