Heather Burns 12:52 pm on August 7, 2019
Tags: core-privacy ( 49 ), privacy ( 38 )

Feature plugin discussion: a consent and logging mechanism for user privacy

As part of the #core-privacy team’s 2019 roadmap, the team has begun a discussion on the possibility of creating a consent and logging mechanism, most likely as a feature plugin. This is a working document to assemble our thoughts on what the initiative would involve; this document is not the formal proposal.

We welcome all thoughts on this document, which you are welcome to leave as comments on this post, or share with us directly in the #core-privacy channel on Making WordPress SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/..

What is in scope?

Our roadmap notes:

Consent capture refers to creating a means for users to express their consent to data capture and usage, and to change their opt-in or opt-out status at any time, through easily accessible means such as front-end user settings or account information areas.

Consent logging refers to creating a means for administrators to collect a history of how users have opted in or out of various means of processing their data across coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress., themes, and plugins, to view the current status of that consent, and to make that history (and present state) available to users.

A standard way for WordPress core, plugins, and themes to obtain consent from users should be established to provide a consistent and stable experience for administrators, developers, and users of all kinds.

This initiative will likely require long term research, especially since it will be heavily influenced by pending regulations, such as the ePrivacy Regulation revamp, as well as user testing to ensure a positive experience for all while preventing “consent fatigue” or dark patterns.

Existing consent and logging projects, such as Joomla’s consent system, will be studied and emulated (where possible) for both functionality as well as potential applicability as a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party rather than a core feature.

Work on consent and logging is a considerable opportunity, and a challenge, for frontend and UXUX User experience design. Thought should be given to how users are prompted for consent, how and where they change consent, and how this experience could be consistent across WordPress sites regardless of plugins or themes. Creating an open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL. pattern library of designs for consent and choice while collaborating with other projects and organizations is advisable. Some existing pattern libraries have been developed for IAPP (International Association of Privacy Professionals) and by IF London, working with Open Rights Group (whom Automattic sponsors).

Although this work is independent of any specific regulation or law, it should be done with mindfulness of the new privacy laws coming into play in early 2020. Making a “head start” will allow an effective solution to be deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors. well in advance of the eventual compliance deadlines.

While there are a range of privately produced plugins available in the repository to deal with user consent and logging, no work has been done to date evaluating these issues from a core perspective. We also know that many administrators have deployed these solutions without really verifying that they are useful, effective, or meet the regulatory compliance requirements applicable to them. Additionally, we know that everyone – users and administrators alike – will be fully aware of the obtrusive, confusing, and almost entirely incorrect cookie and consent windows which appeared across the web as a result of a misunderstanding of GDPR’s requirements. Where these are based in plugins, they can occasionally do more harm than good.

Creating a core-centred consent and logging mechanism, as a feature pluginFeature Plugin A plugin that was created with the intention of eventually being proposed for inclusion in WordPress Core. See Features as Plugins., presents an opportunity for the project to make a positive impact across all these areas. It will empower administrators within the ecosystem to better comply with privacy-related requirements, while contributing to a better standard of protecting user privacy across the open web.

Is this a legal thing?

As a team, we work from the perspective of placing user privacy first and foremost, regardless of any particular legal compliance obligation, or indeed, any lack of one.

This mechanism would look ahead to the upcoming consent and compliance requirements of CCPA (US, January 2020) and the ePrivacy Regulation overhaul (Europe, spring 2020), while also looking back at GDPR. Recent developments including updated guidance on GDPR cookie consent from the data protection regulators in the UK and France, as well as Nevada’s data rights law taking effect on October 1, have brought forward the need for the mechanism.

That being said, this feature plugin would not be built specifically as a legal compliance package, as our V1 GDPR tools were, nor will it be depicted as a compliance solution. Indeed, a responsible approach to user privacy will mean having conversations along the lines of “well, X law says users do not have to be prompted to grant consent for Y thing, but should we give them that option and build that functionality regardless?” Working from this proactive user-centric approach, rather than taking a reactive legal compliance view, will help to future-proof the work and, perhaps, continue to protect users who may find that their legal privacy rights are being stripped back.

How to build effective user controls

The core-privacy team draws on previously produced research, studies, and documents on best privacy practice. For user controls, the definitive source is: A Roadmap to Enhancing User Control via Privacy Dashboards (pdf), a study by the Privacy Bridges Project at the University of Amsterdam.

This diagram within the report explains the elements of a good consent and logging mechanism:

Diagram of the elements in a user control mechanism: agency (users), architecture (technology and design), attitude (providers and platforms), and authority (privacy regulators).

The mechanism must provide users with the agency to exercise true and meaningful control over their personal privacy; it must be built on an architecture that has already enabled optimal user privacy by default; and it must be used to its fullest extent, by site administrators, from an attitude of responsibility and respect to users. A fourth element is authority, the interplay of legal obligations to user privacy; this sits alongside, rather than within, the main mix, as not all countries and systems have privacy laws in place. Users who do not have privacy regulations or safeguards protecting them therefore rely on agency, architecture, and attitude even more.

The report collated best practice advice on consent mechanisms (dashboards) offered by UK, Australian, Canadian, New Zealand, US (the FTC), and EU data protection bodies, and this list offers us quite a bit of food for thought:

Accessible

Make the consent dashboard easily accessible for all users (for example, linking from the first screen);
Make the consent dashboard available to authenticated users, but also incorporate tools for passive and unauthenticated users, where their personal data is collected and used;
Link to this consent dashboard in the privacy policy of partner websites or third parties receiving personal data;
(We would add here that “accessible” should also mean the WordPress sense of a11yAccessibility Accessibility (commonly shortened to a11y) refers to the design of products, devices, services, or environments for people with disabilities. The concept of accessible design ensures both “direct access” (i.e. unassisted) and “indirect access” meaning compatibility with a person’s assistive technology (for example, computer screen readers). (https://en.wikipedia.org/wiki/Accessibility).)

Comprehensive

The consent dashboard should be comprehensive to manage all services and privacy settings in one place;
Manage not only the processing, but also the collection of their personal data; and
Allow the exercise of data subject rights, e.g., access to copies of personal data (linking to our existing data export and erasure tools).

Default-settings

Default-settings have to comply with the applicable law (also including regional variations);
Default-settings to be specific to each product/service with privacy-friendly defaults, and
A feature to ‘restore to default settings’ could also be added.

Granularity

Provide granular controls and upfront permissions, as well as giving the user ongoing control over their consent;
Provide information and control over which third parties receive personal data; and
Offer a Do Not Track (DNT) mechanism that allow consumers to choose to prevent tracking by ad networks or other third parties.

Usability

The consent dashboard should be easy and straightforward to use;
Create a clear user interface that works to convey messages and draw attention;
Use design elements such as graphics, colours and layers to create hierarchies and user action;
It should be as easy to revoke consent as it was to provide it;
Ensure that users have a way to modify their information, have control of any tracking and delete their profile entirely if they wish;
Avoid making the dashboard unwieldy or too complex; and
Avoid dark patterns and any deceptive UX which compromises user privacy.

Information and transparency

Present information about the collection and use of personal data in an open, fair, and comprehensive way (as with our existing privacy notice tool); and
Instead of just using an on/off button, explain the consequences of making a choice to provide data so users can make an informed decision.

Support from other projects

As part of our participation in the cross-CMS privacy working group, we would be working closely with Joomla’s equivalent of the core-privacy team, which has already launched a consent management mechanism. They have offered to support us with practical advice and assistance. We also have support from the privacy initiative at Drupal, which has a consent and logging mechanism within a GDPR module (not in Core); Umbraco is looking to all three projects’ work to hopefully follow.

Timescale

We have the benefit (right now) of a few months of leadup time, and our previous work together as a team means we have a good sense of how we work as a unit. What that means is that unlike our V1 GDPR work, we have a bit of breathing space to plan, iterate, design, test, and reflect.

That being said, CCPA’s deadline is 1/1/20, and its requirements are clearly defined. It may be practical to look at a V1 launch of the plugin with the functionality and options required for GDPR and CCPA, and then iterate for a V2 update containing the functionality required for the ePrivacy Regulation revamp; by that time we will know what its requirements will be.

It would therefore be logical – and more than a bit fun – to aim to build something for Rian Kinney to be able to show during her CCPA talk at WordCamp US (1-3 November); it would be a natural fit for a team table at WCUS contributor dayContributor Day Contributor Days are standalone days, frequently held before or after WordCamps but they can also happen at any time. They are events where people get together to work on various areas of https://make.wordpress.org/ There are many teams that people can participate in, each with a different focus. https://2017.us.wordcamp.org/contributor-day/ https://make.wordpress.org/support/handbook/getting-started/getting-started-at-a-contributor-day/. as well.

What we will need

Our work on a consent and logging mechanism will need participation and expertise from a range of contributors:

Developers who can create the functionality needed to hook a range of consents and data rights into a single dashboard. As consent and logging requirements impact larger and enterprise clients at scale, we would love to see participation from agencies and teams working at this level in particular;

Designers and UX specialists who can integrate existing design research from CNIL, IAPP (member-only content available in Slack), and IF, as well as user testing, to make the back end interface simple and attractive, while making any front-end interfaces both effective and within healthy compliance;

Policy experts who can advise on upcoming legal and regulatory changes which will impact what functionality might need to be built in (I handle this for Europe, @riankinney handles this for the US, and we’d love to expand our policy knowledge base with experts from other regions);

Project managers who can keep a complex, multidisciplinary initiative like this on task; and finally;

Conference speakers from the team who can speak about the initiative, and our work in general, at future WordCamps.

It should be noted that no members of the core-privacy team are funded or sponsored to contribute to privacy in WordPress, so we will need to be very realistic about what we will be able to accomplish within the time availability that we have; or indeed, if an initiative of this scope will be possible on a purely voluntary basis.

Next steps

Please join us in our #core-privacy office hours at 1900 UTC on Wednesdays to discuss this, or any of the other activities of the team’s work.

#privacy

Ipstenu (Mika Epstein) 4:25 pm on August 7, 2019

+make.wordpress.org/plugins
- CodeBard 4:30 pm on August 7, 2019
  
  Something like this is already useful to a decent extent, and with the increasing amount of privacy regulations in near future, it may be fundamentally necessary.
  
  But as noted, it will require decent research, work, and afterwards a noticeable commitment to keeping it up to date with regulations.
  
  +1
- Toma Todua 5:21 pm on August 7, 2019
  
  Not directly to the subject, but about Privacy texts, I had some idea about standartization of Privacy Policy texts…
  i.e. there should exist some standard Privacy Policy agreements (say N1,N2 and N3) which most of the websites use by default (“we dont sell data… we use ads….” and like that….) , and privacy policy notifications can just include that “this site uses PP #3 agreement [link to official page of #3 text to wikipedia or wherever]”…
  if site uses custom privacy policy, and not any of the standard one, then it should be said there instead.
  - Heather Burns 5:41 pm on August 7, 2019
    
    If you have suggestions about an existing feature, please open a tracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress. ticketticket Created for both bug reports and feature development on the bug tracker..
Jon Brown 7:22 pm on August 7, 2019

The generic use of “user” here is a bit confusing. I always think of “user” as the site owner/administrator, not the site visitor. I do understand your usage here though and will go with it.

I mention it because it exposes two things however:
1. It sounds like that from the portion copied from the Privacy Bridges project report you are proposing being able to log consent for visitors that don’t generate WP user accounts.

Making the dashboard available to authenticated users, but also incorporate tools
for passive and unauthenticated users, where their personal data is collected and
used.

If so, how? Because much of that data is outside of WordPress and putting it into WP/MySQLMySQL MySQL is a relational database management system. A database is a structured collection of data where content, configuration and other options are stored. https://www.mysql.com/. would be a massive performance hit. Representing that WP could control that is further fictional, WP isn’t going to delete server logs.

2. Very little of this seems to directly consider the point of view of WP site owners, besides the above mention of “have a management dashboard”. Has anyone surveyed site owners for what _their_ concerns and challenges around this are?

Overall, thank you, really great and through proposal. Just because I point out two concerns, doesn’t mean the bulk of it isn’t spot on.
- Heather Burns 7:37 pm on August 7, 2019
  
  The first question – consent for non-users – would likely deal most specifically with consent for cookies, beacons, pixels, etc, which will be the subject of the ePrivacy Regulation revamp (and also recently revamped guidance from the UK ICO).
  
  The answer to the second question is no, though I’m aware that you and others raised that as an issue in the post about potential questions for the 2019 user survey. To date, no one has been in contact with the coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.-privacy team about adding any questions on privacy to the survey.
Josh Pollock 12:29 pm on August 8, 2019

This is great. Thank you Heather for putting this together.

I wanted to make one suggestion that’s something I can help with.

Under developers in the “What we need” section, I think it’s really important to include pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party developers here. Plugins like mine collect a lot of personally identifying data. I created my own system for identifying which fields represent PII and for logging consent. A consent logging APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. would be way better.

Adoption from popular plugins of this standard is important to its success, so I think it’s important to discuss what makes that easy. I think that is a matter of good documentation of both the code and best practices.
- Heather Burns 1:56 pm on August 8, 2019
  
  Thanks Josh, that’s very helpful feedback we’ll definitely take aboard.
  
  You might want to have a peek around Joomla and Drupal’s modules to see how they handled consent APIs. I can put you in touch with the teams behind them if you like.
  - Josh Pollock 2:27 pm on August 11, 2019
    
    Heather –
    
    That would be awesome. I’d be happy to talk with them and come back with an informed opinion on how to impliment something similar in WordPress.
    
    I’m @Shelob9 in WordPress slackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/., feel free to reach out. I’ll do my best to attend the next meeting.
    - Rian Kinney, Esq. 1:41 pm on August 12, 2019
      
      That would be awesome. I’d be happy to talk with them and come back with an informed opinion on how to impliment something similar in WordPress.
      
      I’m @Shelob9 in WordPress slackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/., feel free to reach out. I’ll do my best to attend the next meeting.
      
      Woo hoo! We always welcome and appreciate participation in the privacy discussions and innovation.
- Ipstenu (Mika Epstein) 1:54 am on August 9, 2019
  
  > A consent logging APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. would be way better.
  
  Yes, it would be!
  - Mikel King 5:33 pm on August 9, 2019
    
    A consent logging APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. would be way better.
    
    +1
- Rian Kinney, Esq. 1:39 pm on August 12, 2019
  
  Under developers in the “What we need” section, I think it’s really important to include pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party developers here. Plugins like mine collect a lot of personally identifying data. I created my own system for identifying which fields represent PII and for logging consent. A consent logging APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. would be way better.
  
  This is really great insight and feedback Josh, thank you!!!
souri 1:52 pm on August 14, 2019

Wow Heather – big thanks for this post and for putting this all together!
If WordPress has something like this in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. it would be a leap forward in functionality and helpfulness for website owners.
With the recent GDPR jurisdiction many website owners will be over challenged. A mechanism to help them with this topic would help all sites, website owners and visitors.
taisa1984 8:59 pm on September 11, 2019

So, the idea would be to have something like some Cookie plugins offer, letting the users “check” what they are willing to accept. It sounds quite cool to have this “by default” and not having to relay on something else. Small site owners can’t afford to have all those as clear as it should be by themselves.

I think it is a quite complex project, because there are a lot of variables to take into account if this wants to cover everything: E-mail marketing integrations, security, plugins, analytics from different providers and different implementation, pixels (some set up directly into code, and also on AMP version), scripts, tagtag A directory in Subversion. WordPress uses tags to store a single snapshot of a version (3.6, 3.6.1, etc.), the common convention of tags in version control systems. (Not to be confused with post tags.)-manager, cookies…

Also, with all I know… I am quite worried about what all that is going to mean. I understand that people must have the choice for their data… But as site owners, we need some data to run better our websites, keep them safe, and make a living of our business.

I was surprised for example to see how many plugins store the ips, and you just install them and now nothing. Yeah, normally now they have this anonimization option, but only advanced webmasters review all the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party options I think… And many website owners are not. And the security and spam plugins normally need it to make their job.

Also, in a e-commerce for example, it is not so easy that a customer can say “hey, I don’t want you to have my information anymore” when I must keep all the invoices and info for at least 5 years for taxes…

I would like to help if I could, not sure if possible.
DjPD 9:55 am on September 21, 2019
I also think that a kind of consent logging APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. would be much better in the coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. because not every pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party developer would have to program that code himself.
In addition, you can also take a lot of work off the plugin and theme developers, because you simply give them instructions, which information should be relevant.
I think it would be great if you already deposited somewhere in the plugin, which data can be collected by this plugin.
It’s not just about cookies anymore. The DSGVO / GBPR is actually much more. It’s all about data usage. And if I install a plugin, then it would be good if you can see if it is a plugin, which is data intensive or not.

I think the WordPress Core needs to give all developers the tools they need to use the same unified features that help them stay in touch with privacy.
If every developer builds their own cookie or privacy features, then everything is separate and independent of the core and there’s no way to oversee it, manage it, and get an overview of the mess.
That can not be attractive to anyone.

I find it just as difficult when plug-in manufacturers try to offer a DSGVO / GPBR plug-in. For one, most are not always compliant, and for another, not all work.
In any case, it would be much easier for WordPress to organize the topic of data protection long-term so that it is clear and transparent. No other plugin developer can do that. WordPress manages a lot of plugins and themes on its servers. If WordPress gives developers the ability to specify what data the plugin collects, or which third-party services could collect data, and if the plug-in can work even if certain data is not collected, that would be a giant step.
Maybe then the core also provides a function, so that one builds a query at all points in the code where data is collected. If the user has given consent, execute, otherwise blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience..
Because as soon as you have this information, WordPress can work with it and control the data collection and display it transparently. If the WordPress user then installs a plugin, this data will automatically be added to the privacy list, so that visitors can immediately see what data may be collected and then give their consent.
That would make things much easier.

I think that caching will play a bigger role in the future as well. It is quite attractive and safer, if you load content in the backend and cached and then only displays in the frontend. In addition, it also means that it reduces the Internet requests. And especially if you want to use content from third parties and integrate, the temporary storage could be quite interesting.

Actually, it can only be the right way to do the administration of all cookies or data in the core itself. And this also means that the plugin and theme developer is also taken in the responsibility, so this must also specify which data may be collected directly from his plugin, but also what data from third party functions are collected.
And the process does not have to be complicated. The theme / plugin developer simply indicates what data is stored or collected for third parties so that the WordPress Core can also work with the data and also manage, organize (allow / block) and display it in the privacy area. That creates much more transparency. In addition, WordPress can then work much better with it. If WordPress knows what data may be collected and how it collects data, WordPress can also better control (block) that data.

I know, it’s a big job. But I think that wordpress gets that down and maybe the development team is also addressing the currently leading plugin manufacturers that may already have created a good foundation. In Germany, many (including lawyers) recommend the Borland cookie) By incorporating into the core their DSGVO / GBPR plugins could be superfluous, but maybe you support WordPress.

In my opinion, should come from the Core:
- Opt-In (OptOut is no longer possible in the EU) for data collection approval
- Compact modal view
- Administration and organization of all individual cookie and data functions (scripts, cookies, snippets of code (Google, pixels, etc.) including all plugins, themes and already integrated fixed functions like GravatarGravatar Is an acronym for Globally Recognized Avatar. It is the avatar system managed by WordPress.com, and used within the WordPress software. https://gravatar.com/., PingBackPingback A pingback is a special type of comment that's created when you link to another blog post, as long as the other blog is set to accept pingbacks. Pingback allows you to notify other bloggers that you have linked to their article on your website. Although there are some minor technical differences, a trackback is basically the same thing as a pingback., Social Media Embed, .. ,
(What kind of data is collected by the theme, WordPress Embed / oEmbed, plugins and third party providers, maybe with a typical classification into groups).
It would also be important for this organization to have the system block these features, or display certain content that might potentially be used to collect data, so that the user sees that it has blocked certain things and is only viewing them with consent can. Whenever WordPress displays something that could collect data or be transmitted by the user to third parties, Wordpess must check if the user has allowed it. This creates transparency, but also control.
I think this point is very elementary.
- Cookie documentation
- Right to forget
- Personal data access
Requests and Changes for data access or deletion
- Privacy by design
- For anyone who wants to remove the IP from WordPress, maybe even the ability to pseudonymize the IP or data. Whereby I have read that if one obtains consent, that there are also legal requirements, that one needs in each case an IP as proof, because name / mail is not sufficient.