Welcome to the Meta Team!
The Meta team is responsible for maintaining and managing WordPress.org websites. Our work is mostly done on the meta trac. If you see a bug, file a ticket!
Protecting Children’s Privacy On WordPress (through the lens of COPPA)
Nothing in this proposal constitutes professional advice, legal or otherwise.
Although substantial care was taken when compiling this post, no guarantee is made with regard to its accuracy. Please exercise your own judgement.
Common beliefs about WordPress and COPPA:
To start off, let’s examine a couple of common beliefs about WordPress and COPPA:
“This is a wider platform issue.”
Yes and no.
WordPress.org has thus far appeared to be a general audience platform – and therefore did not appear to have specific obligations under COPPA.
WordPress.org can become subject to COPPA requirements by: 1. Publishing child-directed content; or 2. Obtaining specific knowledge that children under 13 are using the platform.
Publishing KidsCamp content on Learn WordPress appears to “trigger” COPPA obligations because the content is directed at children. However, as Learn WordPress makes use of wider WordPress.org infrastructure (and default WordPress installations are not COPPA friendly), becoming COPPA-compliant would require some platform-wide changes.
“We are not collecting any personal information.”
Personal information is collected when a user registers for a WordPress.org profile.
Here the username itself is personal information, as it functions in the same manner as online contact information (@-mentions).
Users can sign up for a WordPress.org account from pages that contain child-directed content.
There is no neutral age verification mechanism when registering for a WordPress.org account, or when accessing other parts of the website.
Feedback forms, registration for and participation in discussion groups, notifications and comments all include personal information.
Furthermore, the FTC has specifically indicated that personal information includes information that is associated with any persistent identifier – so that would include usernames, user ids, identifiers in cookies, IP addresses and more.
It also includes any such information that is collected by plugins, or third party services on behalf of WordPress.org, including, but not limited to, Jetpack, Gravatar and Meetup.com.
So… How can WordPress.org become COPPA-compliant?
COPPA-compliant privacy policies need to be prominent. As such, the usual privacy link in the footer does not qualify.
Audit Data Practices on WordPress.org
This includes determining and documenting exactly what information is being collected, where it is stored and any parties with whom the information is shared and for what purpose.
Obtaining parental consent that is verifiable can be a significant administrative burden (outside of physical KidsCamps, where volumes are more manageable), as a simple checkbox will not do the trick.
Do Not Collect Data From Child-Directed Content
A Consent API (incorporating #51188) can provide a basis to ensure that information is not collected on child-directed content.
Where information is needed to support internal operations, data should be compartmentalized so that it cannot be accessed for other uses.