Plugins Hosted on Can No Longer Guarantee Legal Compliance

The plugin review team has amended guideline number nine which states, developers and their plugins must not do anything illegal, dishonest, or morally offensive, to include the following statement:

  • Implying that a plugin can create, provide, automate, or guarantee legal compliance

Mika Epstein, a member of the plugin review team, says the change was made because plugins by themselves can not provide legal compliance.

Sadly, no plugin in and of itself can provide legal compliance. While a plugin can certainly assist in automating the steps on a compliance journey, or allow you to develop a workflow to solve the situation, they cannot protect a site administrator from mistakes or lack of compliance, nor can they protect site users from incorrect or incomplete legal compliance on the part of the web site.

Mika Epstein

Since sites can have any combination of WordPress plugins and themes activated, it’s nearly impossible for a single plugin to make sure they’re 100% legally compliant.

Plugin developers affected by this change will be contacted by the review team and be asked to change their titles, descriptions, plugin header images, and or the text within the readme.

Instead of claiming compliance, the team has published a frequently asked questions document that recommends plugin authors explain how the plugin will assist in compliance. If you have any questions, please leave a comment on the announcement post.


6 responses to “Plugins Hosted on Can No Longer Guarantee Legal Compliance”

  1. Glad to see is finally getting serious about legalities. The next step should be developing a full scale TOS and Privacy Policy, not only for users and contributors, but for their own team, and then consider ditching some of these other sub-section policies/guidelines. Currently the WordPress Foundation is poorly protected (and neither are plugin authors, etc) from things like liability, slander, etc.

    Compare this with e.g. GitHub:

    Staff at are arguably trying hard considering the lack of tools at their disposal, but interpretation of these various policies continues to be rather case-by-case, and is often based on personal whims rather than a sound legal (etc) framework.



    • How will the WP team follow legalities? EU has the cookie law for exame, where I live…Canada…we don’t have a cookie law.

      In the USA you can’t collect personal information from visitors under 13 (hence why you have to be 13+ to join facebook, twitter and so forth), many countries around the world do not.

      Automattic is HQ’d in San Francisco. Should follow US law? Hey, they don’t have to then follow the EU cookie and GDPR (or whatever) laws since they are European.

      Which laws should they comply with? They can’t follow all laws.

      • From my understanding, and I’m certainly no expert, GDPR is a lot stricter than anything the US currently does – so, covering yourself with the GDPR is a good base to start from.

        If any of your users are from the EU then you are expected to abide by the GDPR. How can they enforce that if, say, you’re in the US? They can’t. BUT any third party you deal with that is from the EU can be fined for your lack of coverage – hence you’ll see such third-parties starting to ask you for details of what you’re doing about the GDPR.

        There’s really only 2 ways, I see, you can avoid GDPR – successfully Geo-block all EU citizens from your site (gonna be difficult due to VPN) or never deal with any third party from the EU. Except, the GDPR is not onerous – it’s a fair set of rules about user privacy.

  2. David,

    since I can’t reply to your reply to my reply….here we go.

    I am all for cookie warnings and privacy for users. In general for sites I have worked at over the years, if you want your data removed, all you have to do is prove you are you and a list of what you want removed and I would usually remove it.

    There are sites that do the cookie warning thing like this:

    “Continual use of our site/services will mean you agree to our usage of cookies/TOS, if you don’t agree with that then (link)”.

    Couldn’t I just do that? Just like if I had a visitor to one of my sites with e-commerce, that visitor does not per say have to create an account but don’t expect a order history or anything like a refund or reward points if you don’t want an account

  3. This is really a shocking news but I am happy that finally, WordPress shows some seriousness towards the Legalities.

    EU and northern America has different rules of cookies and thus, it is hard for the WordPress to cover all users from such countries.

    Hope, soon there will be a final solution which covers the law and legal issues too.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: