Protecting Children’s Privacy On WordPress (through the lens of COPPA)

Disclaimer:

Nothing in this proposal constitutes professional advice, legal or otherwise.

Although substantial care was taken when compiling this post, no guarantee is made with regards to its accuracy. Please exercise your own judgement.

Common beliefs about WordPress and COPPA:

To start off, let’s examine a couple of common beliefs about WordPress and COPPA:

“This is a wider platform issue.”

Yes and no.

WordPress.org has thus far appeared to be a general audience platform – and therefore did not appear to have specific obligations under COPPA.

WordPress.org can become subject to COPPA requirements by:
1. Publishing child-directed content; or
2. Obtaining specific knowledge that children under 13 are using the platform.

Publishing KidsCamp content on Learn WordPress appears to “trigger” COPPA obligations because the content is directed at children.
However, as Learn WordPress makes use of wider WordPress.org infrastructure (and default WordPress installations are not COPPA friendly), becoming COPPA-compliant would require some platform-wide changes.

“We are not collecting any personal information.”

WordPress offers users the ability to add personal information, including bios and origin stories, to their profiles.

Personal information is collected when a user registers for a WordPress.org profile.

Here the username itself is personal information, as it functions in the same manner as online contact information (@-mentions).

Visitors to KidsCamp content on Learn WordPress can sign up for a WordPress.org account.

Users can sign up for a WordPress.org account from pages that contain child-directed content.

There is no neutral age verification mechanism when registering for a WordPress.org account, or when accessing other parts of the website.
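As an added illustration (not WordPress.org's own code and not part of this proposal), the following plugin sketch shows what a neutral age screen on the core registration form could look like: the visitor is asked for a date of birth without any hint of the cutoff age, the date itself is never stored, and a session cookie prevents a second attempt after a refusal, in line with the FTC's published COPPA guidance on age screens. The cookie name, the minimum age constant and the error wording are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Neutral Age Screen (illustrative example)
 *
 * Added example, not WordPress.org's own code. Adds a neutral date-of-birth
 * field to the core registration form and refuses registration for anyone
 * under 13 without revealing the cutoff. The cookie name is hypothetical.
 */

const NAS_COOKIE  = 'nas_age_screen'; // hypothetical cookie name
const NAS_MIN_AGE = 13;

// Render a neutral question: the form gives no hint that 13 is the cutoff.
add_action( 'register_form', function () {
    ?>
    <p>
        <label for="nas_dob">Date of birth<br />
        <input type="date" name="nas_dob" id="nas_dob" class="input" required /></label>
    </p>
    <?php
} );

// Age in whole years from a YYYY-MM-DD string; null if the date is invalid or in the future.
function nas_age_from_dob( string $dob, ?DateTimeImmutable $today = null ): ?int {
    $birth = DateTimeImmutable::createFromFormat( '!Y-m-d', $dob );
    // Round-trip check rejects rolled-over dates such as 2020-02-30.
    if ( ! $birth || $birth->format( 'Y-m-d' ) !== $dob ) {
        return null;
    }
    $today = $today ?? new DateTimeImmutable( 'today' );
    if ( $birth > $today ) {
        return null;
    }
    return $birth->diff( $today )->y;
}

// registration_errors runs before the user row is created, so a refusal here collects nothing.
add_filter( 'registration_errors', function ( WP_Error $errors ) {
    // A previous refusal set a session cookie: do not offer a retry with a different date.
    if ( isset( $_COOKIE[ NAS_COOKIE ] ) ) {
        $errors->add( 'nas_blocked', 'Registration is not available.' );
        return $errors;
    }

    $age = nas_age_from_dob( sanitize_text_field( wp_unslash( $_POST['nas_dob'] ?? '' ) ) );
    if ( null === $age ) {
        $errors->add( 'nas_dob', 'Please enter a valid date of birth.' );
        return $errors;
    }

    if ( $age < NAS_MIN_AGE ) {
        // Session cookie (expires with the browser); the date of birth itself is never stored.
        setcookie( NAS_COOKIE, '1', 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        $errors->add( 'nas_blocked', 'Registration is not available.' );
    }
    return $errors;
} );
```

The refusal message is deliberately the same for a blocked retry and for an under-age result, so the form does not reveal which answer would have passed; the date of birth is read only within the request and is not written to the database or to the cookie.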

Learn WordPress offers users the ability to register for discussion groups.

Feedback forms, registration for and participation in discussion groups, notifications and comments all include personal information.

Furthermore, the FTC has specifically indicated that personal information includes information that is associated with any persistent identifier – so that would include usernames, user ids, identifiers in cookies, IP addresses and more.

It also includes any such information that is collected by plugins, or third party services on behalf of WordPress.org, including, but not limited to, Jetpack, Gravatar and Meetup.com.

So… How can WordPress.org become COPPA-compliant?

A Prominent Privacy Policy

COPPA-compliant privacy policies need to be prominent. As such, the usual privacy link in the footer does not qualify.

Audit Data Practices on WordPress.org

In order to compile a COPPA-compliant privacy policy, it would be highly advisable to do a full code and data audit to create a data flowchart for Core and any plugins that are running on WordPress.org.

This includes determining and documenting exactly what information is being collected, where it is stored and any parties with whom the information is shared and for what purpose.

#51092 could provide a solid approach.

Verifiable Parental Consent

Obtaining parental consent that is verifiable can be a significant administrative burden (outside of physical KidsCamps, where volumes are more manageable), as a simple checkbox will not do the trick.

Do Not Collect Data From Child-Directed Content

A Consent API (incorporating #51188) can provide a basis to ensure that information is not collected on child-directed content.

Where information is needed to support internal operations, data should be compartmentalized so that it cannot be accessed for other uses.
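To make the "do not collect on child-directed content" idea concrete, here is an added plugin sketch (not WordPress.org's code and not the Consent API from #51188). A post flagged with a hypothetical `_child_directed` post meta key is served without the collection points listed earlier in this post: comments are closed, the Gravatar request is replaced by a locally served neutral image, the core "Register" link is hidden, and third-party script handles are dequeued. The meta key, the local image path and the script handle names are assumptions.

```php
<?php
/**
 * Plugin Name: Child-Directed Content Gate (illustrative example)
 *
 * Added example, not WordPress.org's own code and not the Consent API from
 * #51188. Content flagged with the hypothetical `_child_directed` meta key
 * is served without comments, Gravatar, the Register link or third-party
 * scripts. Script handle names in $cdc_third_party are placeholders.
 */

const CDC_META_KEY = '_child_directed'; // hypothetical meta key

// True when the given post, or the single post/page being viewed, is flagged as child-directed.
function cdc_is_child_directed( $post_id = null ) {
    if ( null === $post_id ) {
        if ( ! is_singular() ) {
            return false;
        }
        $post_id = get_queried_object_id();
    }
    return '1' === get_post_meta( (int) $post_id, CDC_META_KEY, true );
}

// 1. No comments on flagged content, so no name, e-mail or IP address is captured there.
add_filter( 'comments_open', function ( $open, $post_id ) {
    return cdc_is_child_directed( $post_id ) ? false : $open;
}, 10, 2 );

// 2. No Gravatar: the <img> would send a hash of the e-mail address to a third party.
add_filter( 'get_avatar', function ( $avatar, $id_or_email, $size, $default, $alt ) {
    if ( ! cdc_is_child_directed() ) {
        return $avatar;
    }
    $local = plugins_url( 'neutral-avatar.png', __FILE__ ); // hypothetical local asset
    return sprintf(
        '<img src="%s" width="%d" height="%d" alt="%s" />',
        esc_url( $local ), (int) $size, (int) $size, esc_attr( $alt )
    );
}, 10, 5 );

// 3. Hide the core "Register" link so sign-up is not offered from child-directed pages.
add_filter( 'register', function ( $link ) {
    return cdc_is_child_directed() ? '' : $link;
} );

// 4. Drop third-party script handles that would set persistent identifiers (cookies, IDs).
add_action( 'wp_enqueue_scripts', function () {
    if ( ! cdc_is_child_directed() ) {
        return;
    }
    $cdc_third_party = array( 'analytics', 'meetup-widget' ); // placeholder handles
    foreach ( $cdc_third_party as $handle ) {
        wp_dequeue_script( $handle );
        wp_deregister_script( $handle );
    }
}, 100 );
```

Each hook removes one collection point named in the post rather than trusting a single global switch, which is also what makes the result auditable: the data flowchart from the audit step can be checked item by item against the hooks above. Checking the `_child_directed` flag per post, rather than per site, is what keeps the general-audience parts of the platform unaffected.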

List of abbreviations:

COPPA: Children’s Online Privacy Protection Act (United States)

FTC: Federal Trade Commission (United States)

Licensing:

This content is made available under the Creative Commons Attribution-ShareAlike 4.0 licence (CC BY-SA 4.0).

Please add your thoughts below:

Please add any concerns, questions and suggestions below.

Your input is greatly appreciated.