On Wednesday, Garret Hyder announced a feature proposal for a WordPress Consent API. The proposal is one step on the larger privacy roadmap for core. If merged into WordPress, it would establish a standard method for core, plugins, and themes to obtain consent for various privacy-related features. The idea is to create a consistent experience for developers, site administrators, and site visitors.
The WP Consent API plugin is available via the WordPress plugin directory. Development is currently happening on the plugin’s GitHub repository.
Hyder identified several areas in which an API for handling consent could help in bringing a site into compliance with various privacy laws:
- Consent management plugins cannot prevent other plugins from placing a PHP cookie.
- Plugins that integrate tracking code on the client-side could break the site if blocked by a consent management plugin.
- Minified URLs in JavaScript files may not be detected by automatic blocking scripts.
- Using a blocking approach to handle privacy requires a list of all types of URLs when dealing with cookies and other types of tracking.
“Primarily this API is aimed at helping to achieve a compliant use of cookies or other means of tracking by WordPress websites,” wrote Hyder in the proposal. “If a plugin or custom code triggers, for example, Facebook, usage of this API will be of help to ensure consent. If a user manually embeds a Facebook iframe, a cookie blocker is needed that initially disables the iframe and or scripts.”
The goal is not to create functionality that would block third-party scripts, such as tracking from a site like Facebook. Because different jurisdictions have their own laws across the world, the actual management of blocking functionality would be best suited for a consent management plugin. This would be outside of the scope of what WordPress does out of the box. By providing an API directly in core, it would allow plugin developers to build consent management plugins that are needed in different locations. The API would merely be a means for all plugins to talk the same language. That standardization would allow consent management plugins to work as they should.
Furthermore, adding a front-end user interface would place additional scripts, styles, and functionality on all WordPress sites. These types are things are best handled by plugin developers.
The API proposes allowing the creation of consent categories. Such categories might be preferences, marketing, or statistics. They would be filterable by plugins. The API has two indicators to determine consent for a category: a region-based consent type, which can be opt-in or opt-out, and the visitor’s choice.
The team working on the project has put together a Consent API Demo to see how this plugin would work along with consent management on a website’s front end. The demo makes use of the Complianz plugin and an example plugin for showcasing how the API works.
Consent management is a tough area to handle in terms of web design and development. On the one hand, respecting the privacy laws of various jurisdictions is necessary for many people around the world. On the other hand, cookie notice popups on websites often create a poor user experience for site visitors, and that experience may only get worse before it gets better.
However, a standard API is past due in core WordPress. This will at least provide plugin authors with a means of working with consent management plugins. In time, maybe we will find a front-end interface that creates a nice experience while maintaining privacy.
The team is currently looking for feedback on the proposal and plugin. If the feature proposal is accepted, authors of consent management plugins should be prepared to begin integrating with the API.
This is actually a fantastic idea; I really hope they integrate it into core.
A standardized API for this would really help consolidate everything for my own plugins, especially since, for example, consent is only needed if the site owner enables certain features.