As part of the core-privacy team’s roadmap the team has started development on a Consent API as a feature plugin.
We welcome all thoughts on this proposal, which you are welcome to leave as comments on this post, or share with us directly in the #core-privacy channel on Making WordPress Slack. We host weekly office hours on Wednesdays at 19:00 UTC; see the meetings page for times in your timezone.
A standard way for WordPress core, plugins, and themes to obtain consent from users should be established to provide a consistent and stable experience for administrators, developers, and users of all kinds.
Currently it is possible for a consent management plugin to block third party services like Facebook, Google Maps, Twitter, if a user does not give consent. But if a WordPress plugin places a PHP cookie, a consent management plugin cannot prevent this.
Lastly, the blocking approach requires a list of all types of URLs that place cookies or use other means of tracking. A generic API which plugins adhere to can greatly help a webmaster in getting a site compliant.
Does usage of this API prevent third party services from tracking user data?
Third-party scripts have to be blocked by blocking functionality in a consent management plugin. To do this in core would be too intrusive, and is also not applicable to all users: only users with visitors from opt-in regions such as the European Union require such a feature. Such a feature also has a risk of breaking things. Additionally, blocking these and showing a nice placeholder requires even more sophisticated code, all of which should not be part of WordPress core, for the same reasons.
That said, the consent API can be used to decide if an iframe or script should be blocked.
How does it work?
There are two indicators that together tell if consent is given for a certain consent category, e.g. “marketing”:
- The region based consent_type, which can be optin, opt out, or other possible consent_types;
- The visitor’s choice: not set, allow or deny.
The consent_type is a function that wraps a filter, wp_get_consent_type. If there’s no consent management plugin to set it, it will return false. This will cause all consent categories to return true, allowing cookies and other types of tracking for all categories.
If optin is set using this filter, a category will only return true if the value of the visitor’s choice is allow.
If the region based consent_type is opt out, it will return true if the visitor’s choice is not set or is allow.
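The decision rules above, written out as an added example; this is not code from the Consent API plugin. The function names, the `optout` spelling, and the handling of consent types other than the two described are assumptions.

```php
<?php
// Added illustration: a stand-alone model of the decision rules described above.
// All function names here are hypothetical, not the Consent API's own.

/**
 * @param string|false $consentType Region-based type: 'optin', 'optout' (assumed spelling),
 *                                  or false when no consent management plugin has set one.
 * @param string|null  $choice      Visitor's choice for the category: 'allow', 'deny',
 *                                  or null when not set.
 */
function example_has_consent($consentType, ?string $choice): bool
{
    if ($consentType === false) {
        return true; // no consent type set: every category returns true
    }
    if ($consentType === 'optout') {
        return $choice === null || $choice === 'allow';
    }
    // 'optin'. Assumption: any other consent_type is treated like optin.
    return $choice === 'allow';
}

/** Emit a third-party iframe, or a placeholder when consent is missing. */
function example_render_embed(string $src, string $category, $consentType, array $choices): string
{
    $choice = $choices[$category] ?? null;
    if (example_has_consent($consentType, $choice)) {
        return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"></iframe>';
    }
    return '<div class="consent-placeholder" data-category="'
        . htmlspecialchars($category, ENT_QUOTES, 'UTF-8')
        . '">Blocked until consent is given.</div>';
}

// Constructed sample: the full decision matrix for one category.
foreach ([false, 'optin', 'optout'] as $type) {
    foreach ([null, 'allow', 'deny'] as $choice) {
        printf(
            "%-7s %-8s => %s\n",
            $type === false ? 'false' : $type,
            $choice ?? 'not set',
            example_has_consent($type, $choice) ? 'true' : 'false'
        );
    }
}

// Constructed sample: an opt-in visitor who denied "marketing" gets the placeholder.
echo example_render_embed('https://maps.example/embed?q=1', 'marketing', 'optin', ['marketing' => 'deny']), "\n";
```

The first three rows of the matrix show the fail-open default: with no consent management plugin setting a consent type, every category is treated as consented, including for a visitor who chose deny.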
Client-side, a consent management plugin can dynamically manipulate the consent type, and set the applicable categories.
A plugin can use a hook to listen for changes, or check the value of a given category.
Categories, and most other things, can be extended with a filter.
- Example plugin. This plugin basically consists of a shortcode, with a div that shows a tracking or not tracking message. No actual data tracking 🙂
Plugins used to set this up:
The feature plugin should at least handle the following functionality:
- PHP functions to set the consent level and consent type.
- PHP functions to retrieve the consent level and consent type.
Introducing the Feature Plugin
Once the plugin is confirmed as a feature plugin, the next steps would be:
- To increase the number of users of the feature plugin.
- To add other interested privacy team members and core developers as contributors of the plugin.
- To have additional third-party consent management plugins adopt the API.
- To iterate on the feature plugin development.
- To audit some specific aspects of the feature plugin:
  - coding standards and documentation
- To create a Trac ticket to handle a potential future merge proposal – if the feature plugin deserves it.
Post written by @rogierlankhorst / @paapst and reviewed by @garrett-eclipse / @carike