Plugins Hosted on WordPress.org Can No Longer Guarantee Legal Compliance

The plugin review team has amended guideline number nine, which states that developers and their plugins must not do anything illegal, dishonest, or morally offensive, to include the following statement:

  • Implying that a plugin can create, provide, automate, or guarantee legal compliance

Mika Epstein, a member of the WordPress.org plugin review team, says the change was made because plugins by themselves cannot provide legal compliance.

Sadly, no plugin in and of itself can provide legal compliance. While a plugin can certainly assist in automating the steps on a compliance journey, or allow you to develop a workflow to solve the situation, they cannot protect a site administrator from mistakes or lack of compliance, nor can they protect site users from incorrect or incomplete legal compliance on the part of the web site.

Mika Epstein

Since sites can have any combination of WordPress plugins and themes activated, it’s nearly impossible for a single plugin to make sure they’re 100% legally compliant.

Plugin developers affected by this change will be contacted by the review team and asked to change their titles, descriptions, plugin header images, and/or the text within the readme.

Instead of claiming compliance, the team has published a frequently asked questions document that recommends plugin authors explain how the plugin will assist in compliance. If you have any questions, please leave a comment on the announcement post.

4 Comments


  1. Glad to see WP.org is finally getting serious about legalities. The next step should be developing a full scale TOS and Privacy Policy, not only for users and contributors, but for their own team, and then consider ditching some of these other sub-section policies/guidelines. Currently the WordPress Foundation is poorly protected (and neither are plugin authors, etc) from things like liability, slander, etc.

    Compare this with e.g. GitHub:

    https://help.github.com/articles/github-terms-of-service/

    https://help.github.com/articles/github-privacy-statement/

    Staff at WP.org are arguably trying hard considering the lack of tools at their disposal, but interpretation of these various policies continues to be rather case-by-case, and is often based on personal whims rather than a sound legal (etc) framework.

    E.g. https://wordpress.org/support/topic/vastly-improve-plugin-reviews-with-this-one-weird-trick/

    E.g. https://make.wordpress.org/plugins/2017/12/28/guideline-update/


    1. How will the WP team follow legalities? The EU has the cookie law, for example; where I live, in Canada, we don’t have a cookie law.

      In the USA you can’t collect personal information from visitors under 13 (hence why you have to be 13+ to join facebook, twitter and so forth), many countries around the world do not.

      Automattic is HQ’d in San Francisco. Should WP.org follow US law? Hey, they don’t have to then follow the EU cookie and GDPR (or whatever) laws since they are European.

      Which laws should they comply with? They can’t follow all laws.


      1. From my understanding, and I’m certainly no expert, GDPR is a lot stricter than anything the US currently does – so, covering yourself with the GDPR is a good base to start from.

        If any of your users are from the EU then you are expected to abide by the GDPR. How can they enforce that if, say, you’re in the US? They can’t. BUT any third party you deal with that is from the EU can be fined for your lack of coverage – hence you’ll see such third-parties starting to ask you for details of what you’re doing about the GDPR.

        There’s really only 2 ways, I see, you can avoid GDPR – successfully Geo-block all EU citizens from your site (gonna be difficult due to VPN) or never deal with any third party from the EU. Except, the GDPR is not onerous – it’s a fair set of rules about user privacy.
