01 February 2020
Personal information can include but is not limited to the following:
As a developer of a WordPress plugin, you can collect this data directly or indirectly.
Direct data collection would be when you request this information from users directly by asking them questions or having them fill out web forms through the interface of your WordPress plugin.
Indirect data collection happens when you use third-party services that collect information about the users of your plugin for you.
An example of this would be a website that uses Google Analytics to collect information about users who visit that website.
Google Analytics will collect things like geographic locations, IP addresses, and other personal information, which means that the website using Google Analytics is indirectly collecting this personal information via Google.
In European countries, the Data Protection Directive requires that users of a website or a mobile app (which can include a WordPress plugin as well) should be made aware of any collection of personal information, and any use of that information.
Third-party services or platforms can require you to have this legal agreement before you can sign up for the service and/or platform.
There are two different types of WordPress plugins:
Fully integrated, local standalone plugins that get installed on a website and work only on that website when installed (publishing widget, content editing plugin, etc.), and
In this example, the WordPress developer simply creates the plugin and a website owner can use it.
The WordPress developer doesn't collect and use personal data themselves; rather, the website owner collects and uses personal data through the installed plugin.
Standalone plugins that integrate into a website, but also communicate with some sort of external server as part of their service (Facebook or Twitter plugins, for example).
These kinds of plugins are more common for SaaS apps, where a WordPress plugin is only one of the mediums through which the SaaS app may operate: website, mobile app, desktop app, WordPress plugin, etc.
This requirement comes from the regulations and acts mentioned earlier, but not from WordPress itself.
The WordPress Detailed Plugin Guidelines is designed for WordPress plugin developers and includes requirements for getting a plugin published in the WordPress directory.
Section 7 basically states that if your plugin is a standalone type, you cannot collect personal information from users via the plugin without obtaining explicit consent.
Users must opt in before their personal information can be collected through your standalone, integrated plugin:
"Users may be asked to submit information, but it cannot be automatically recorded without explicit confirmation from the user."
Standalone WordPress plugins that communicate with an external server, such as Twitter or Akismet, are exempt from this policy.
WordPress states that "by installing, activating, registering, and configuring plugins that utilize those services, consent is granted for those systems."
SumoMe is an email subscription plugin that collects personal information.
HubSpot has a Tracking Code plugin that users can install on their WordPress websites.
The tracking code is used to collect data from the user's website and feed that data to HubSpot to benefit HubSpot customers.
Jetpack is a plugin that connects to your WordPress website, collects data about how your website is used, and then sends that data off to Jetpack servers to be analyzed.
The Activity Log plugin, for example, lets you monitor all activity like changes, edits and other internal happenings on your website.
The Members plugin works similarly by collecting information about people who access the behind-the-scenes of your website, and allowing roles and responsibilities to be assigned to them.
None of this information is ever transferred outside of the plugin; it's used internally and not with the general public.
Information transfer, in this case, isn't done as a feature of your plugin but is done more for housekeeping purposes.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.