Privacy Policy for WordPress plugins

A Privacy Policy is a legal agreement that's required by law if your WordPress plugin collects or shares any personal, identifying information from users.

Personal information can include but is not limited to the following:

  • Full name
  • Birthdate
  • Email address
  • Physical address
  • Financial information (credit card numbers, bank account information, etc.)
  • IP address
  • Geographic location (either requesting this information or using GPS to acquire it)

As the developer of a WordPress plugin, you can collect this data either directly or indirectly.


Data collection through WordPress plugins

Direct data collection would be when you request this information from users directly by asking them questions or having them fill out web forms through the interface of your WordPress plugin.

Indirect data collection happens when you use third party services that collect information about the users of your plugin for you.

An example of this would be a website that uses Google Analytics to collect information about users who visit that website.

Google Analytics will collect things like geographic locations, IP addresses, and other personal information, which means that the website using Google Analytics is indirectly collecting this personal information via Google.

This website would need a Privacy Policy because it uses Google Analytics. The policy must inform users that the website uses Google Analytics and that Google Analytics collects some personal information.

In the United States, a Privacy Policy as a legal agreement is a requirement from the California Online Privacy Protection Act (CalOPPA).

CalOPPA requires that you have a Privacy Policy if you collect any personal information from users located in the state of California. Its effects are felt globally, since most online businesses are accessible to users in California regardless of the business's country of origin.

In European countries, the Data Protection Directive requires that users of a website or a mobile app (which can include a WordPress plugin as well) should be made aware of any collection of personal information, and any use of that information.

A "standard" Privacy Policy will include the following information:

  • What personal information you collect
  • Why you collect this personal information
  • How you collect this personal information
  • What you do with the collected personal information (sharing, storing, etc.)
  • Any ways a user can opt out of, or otherwise control, the data collection and sharing

Third-party services or platforms can also require you to have this legal agreement before you can sign up for the service or platform.

Apple's App Store is one example: if you plan to distribute your app on the App Store, Apple requires you to include a Privacy Policy.

Privacy Policy and WordPress Plugin

WordPress requirements for Privacy Policies

So, does your WordPress plugin need a Privacy Policy or not?

There are two different types of WordPress plugins:

  • Fully integrated, local standalone plugins that get installed on a website and work only on that website when installed (publishing widget, content editing plugin, etc.), and

    In this example, the WordPress developer simply creates the plugin and a website owner can use it.

    The WordPress developer itself doesn't collect and use personal data, but rather the website owner collects and uses personal data through the installed plugin.

  • Standalone plugins that integrate into a website but also communicate with some sort of external server as part of their service (Facebook or Twitter plugins, for example).

    This kind of plugin is more common for SaaS apps, where the WordPress plugin is only one of several mediums through which the SaaS app operates: website, mobile app, desktop app, WordPress plugin, etc.

While it can't hurt to have a Privacy Policy for your plugin no matter what kind it is, you're only required to have one in place for the second type of plugin: the plugin that communicates with a server as part of its service.

This requirement comes from the regulations and acts mentioned earlier, but not from WordPress itself.

Requirements from WordPress Plugin directory

The WordPress Detailed Plugin Guidelines are written for WordPress plugin developers and set out the requirements for getting a plugin published in the WordPress plugin directory.

Section 7 of the Guidelines addresses personal information and Privacy Policies.

[Screenshot: WordPress Plugin Guidelines, Section 7 addresses Privacy Policy]

Section 7 states, in short, that if your plugin is of the standalone type, you cannot collect personal information from users via the plugin without obtaining their explicit consent.

A Privacy Policy isn't required by WordPress, but information about "how user data is collected, and used, should be included in the plugin's readme, preferably with a clearly stated privacy policy."

Users must opt in before their personal information can be collected through your standalone, integrated plugin:

"Users may be asked to submit information, but it cannot be automatically recorded without explicit confirmation from the user."

Standalone WordPress plugins that communicate with an external server, such as Twitter or Akismet, are exempt from this policy.

WordPress states that "by installing, activating, registering, and configuring plugins that utilize those services, consent is granted for those systems."

That is the full extent to which a privacy policy is mentioned by WordPress.

[Screenshot: WordPress Plugin Guidelines, Section 7 exception addresses Privacy Policy for SaaS]

Even though WordPress doesn't actually require a Privacy Policy, CalOPPA and the European privacy laws do.

The WordPress plugin developer isn't required to create the Privacy Policy. It's the responsibility of the website owner, since it's the website owner, and not the developer, who uses, processes and has access to the user data collected through the plugin.

If you're the plugin developer, you can remind a plugin user that she's legally required to have a Privacy Policy.

Examples

SumoMe is an email subscription plugin that collects personal information.

This plugin collects users' email addresses as part of its main feature and sends these email addresses back to a server (the SaaS part of the plugin). This triggers the requirement for a Privacy Policy.

Users are also able to link their social media accounts and use share buttons within the SumoMe plugin to connect with and publish to places like Facebook and Instagram. This involves a sharing of information that triggers a Privacy Policy requirement.

HubSpot has a Tracking Code plugin that users can install on their WordPress websites.

The tracking code is used to collect data from the user's website and feed that data to HubSpot to benefit HubSpot customers.

Because this plugin is intended to collect and transmit data from HubSpot customers' websites, it needs a Privacy Policy.

Jetpack is a plugin that connects to your WordPress website, collects data about how your website is used, and then sends that data off to Jetpack servers to be analyzed.

Because user information like location, IP address and other data is sent to a third-party server, a Privacy Policy is required.

The Activity Log plugin, by contrast, lets you monitor activity such as changes, edits and other internal happenings on your website.

While this plugin collects data, it isn't collecting data that triggers a Privacy Policy requirement. No personal user information is collected. The information is generated by the plugin and used by the plugin, with no data being transferred elsewhere.

The Members plugin works similarly: it collects information about the people who access the back end of your website and lets you assign roles and responsibilities to them.

None of this information is ever transferred outside of the plugin; it's used internally and is not shared with the general public.

You're not required to have a Privacy Policy if your plugin is fully integrated but occasionally transfers user information back to your main server.

In this case, the information transfer isn't a feature of your plugin; it's done for housekeeping purposes.

You won't need a Privacy Policy because you aren't really collecting and using personal information here, but rather data about the use of your plugin.

You are required to have a Privacy Policy if your plugin is part of a Software as a Service app that contacts a remote server and handles users' personal information, as the Facebook, Twitter and similar plugins do.

While WordPress doesn't require you to have a Privacy Policy here, the law does.

If you've integrated into your plugin a third-party app or service that requires you to have a Privacy Policy (Google Analytics, for example), that alone means you need one; otherwise you'll be in violation of the legal agreement between you and that third party.

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.