Privacy Policy for Sharing module misses info about counts #10271

Open
Zodiac1978 opened this Issue Oct 8, 2018 · 3 comments

Zodiac1978 commented Oct 8, 2018

Steps to reproduce the issue

  1. Visit this page: https://jetpack.com/support/for-your-privacy-policy/
  2. Uncheck everything but Sharing
  3. See copy text.

What I expected

Info about the request to Facebook, LinkedIn or Pinterest (for example) to get the sharing count information.

What happened instead

Sharing
Data Used: When sharing content via email (this option is only available if Akismet is active on the site), the following information is used: sharing party’s name and email address (if the user is logged in, this information will be pulled directly from their account), IP address (for spam checking), user agent (for spam checking), and email body/content. This content will be sent to Akismet (also owned by Automattic) so that a spam check can be performed. Additionally, if reCAPTCHA (by Google) is enabled by the site owner, the sharing party’s IP address will be shared with that service. You can find Google’s privacy policy here.

This text does not mention any requests to Facebook et al. for getting the counts.

This needs to get mentioned for GDPR compliance and maybe there could be an easier way to opt out than using a filter: https://jetpack.com/2016/04/15/hook-month-customizing-sharing/

I think it has to be mentioned, because the IP address gets shared with Facebook, et al. - and an IP address is personally identifiable information in the context of the GDPR. The user needs to know that this happens if he/she visits the page, which is not the case at the moment.

jeherve commented Oct 8, 2018

There are indeed requests made to Facebook and to Pinterest when you have those 2 non-official sharing buttons on a page. Those are the only 2 services that get requested at the moment. As you mentioned, that can be stopped with a filter, jetpack_sharing_counts.

The visitor's IP address is not directly sent to each service; only the post URL is. It may, however, appear in Facebook's or Pinterest's access logs as the IP address making the request.

@pesieminski What is your take on this? Should we add this to the privacy policy helper?

pixolin commented Oct 16, 2018

> It may, however, appear in Facebook's or Pinterest's access logs as the IP address making the request.

IANAL, but to the best of my knowledge, submitting IP addresses to third parties and storing them in their access logs is exactly something the GDPR is supposed to prevent. This is not a matter of "enhancement" but a (legal) bug, which needs to be fixed if you want Jetpack to comply with GDPR.

Zodiac1978 commented Feb 24, 2019

This is used on WordPress.org as well and is not mentioned in the privacy policy on wordpress.org and is therefore breaking laws. Just FYI.

Maybe @pesieminski can finally have a look at this?
