
The “not affiliated” checkbox and the GDPR

TL;DR

The punchline of this post is that the operator(s) of WordPress.org may, through the “I am not affiliated…” checkbox, be breaching Europe’s General Data Protection Regulation (GDPR), and that is something of which the board of Automattic ought to be aware. Let me explain.

The “not affiliated” checkbox

As is well known across the community, on or around 8 October, the login screen on WordPress.org was amended to look like this (originally it linked to the WP Engine lawsuit, but that was subsequently removed):

Application of the GDPR

First of all, there is a strong argument that the operator(s) of WordPress.org are subject to the GDPR in relation to their processing of EU residents’ personal data through WordPress.org. Under Article 3(2)(a), the GDPR reaches a controller outside the EU whose processing relates to the offering of goods or services to data subjects in the EU, whether or not payment is required. There are localised versions of WordPress.org translated into the languages of some EU member states (e.g., de.wordpress.org/), so services are being actively offered to EU residents, and the WordPress.org privacy statement appears to have been written on the assumption that the GDPR applies.

Personal data processing through the checkbox

Under Article 4(1) of the GDPR, “personal data” is any information relating to an identified or identifiable natural person. Large numbers of WordPress.org users are identifiable through the usernames or email addresses they use to log in for developer access or to access the forums. Information as to whether such a person is, or is not, affiliated with WP Engine in any way, financially or otherwise, can be considered “personal data” about that person.

Requiring EU residents to click the “I am not affiliated with WP Engine in any way” checkbox amounts to the processing of personal data about those residents (and the login with this checkbox is appearing in European member states — I’ve checked). “Processing” under Article 4(2) is defined broadly and includes collection and recording, not only storage. MM was asked whether the checkbox value is stored and he said no, but others dispute that (e.g., “‘it’s not being stored’ is bullshi[*], as logins get logged and a check is required for login, so it is being stored”). Regardless of whether the specific checkbox value is being stored, the fact remains that, from the date the mandatory checkbox was implemented, a successful login is only possible after the box has been ticked. Every login record for a person whose login screen carries the checkbox therefore doubles as a record that that person asserted non-affiliation, and in this way personal data is being collected and processed.

Under Article 5(1) of the GDPR, personal data shall be “processed lawfully, fairly and in a transparent manner”, “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”, and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

Under Article 6, processing shall be lawful only if and to the extent that at least one of the grounds listed in Article 6(1) applies. There are six grounds, set out in Article 6(1)(a) to (f), which can be summarised as:

  • consent
  • necessary for the performance of a contract
  • necessary for compliance with a legal obligation
  • necessary to protect the vital interests of the data subject or another natural person
  • necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

There is a strong argument that none of these grounds applies. One might argue that the ‘legitimate interests’ ground applies but, in my view, in all the circumstances surrounding the checkbox, any such argument would be weak and probably fail.

I note, in this context, that the argument that WP Engine is attacking WordPress.org, that as a result WP Engine no longer has free access to WordPress.org’s resources, and that that justifies inclusion of the checkbox, is weak. So far as public attacks are concerned, the incontrovertible fact is that MM attacked WP Engine first, not the other way around. WP Engine’s cease and desist letter and, later following further attacks, its lawsuit, were in response to the attack upon it. In any case, and bearing in mind the ambiguity around the wording of the checkbox, there is no obvious reason why the operator(s) of WordPress.org needed to prevent all people with any kind of ‘affiliation’ with WP Engine from logging in, in order to prevent WP Engine itself from having free access to, or benefitting from others’ free access to, WordPress.org’s resources. People might have some loose affiliation with WP Engine that could not have any bearing on the ability of WP Engine itself to access or benefit from others’ access to WordPress.org resources.

Sure, as the owner/operator of the WordPress.org website, MM is able to deny WP Engine staff, contractors, and investors access to WordPress.org, but it does not follow that MM is entitled, in substance, to obtain an item of personal data (‘I am not affiliated with WP Engine’) from every single identifiable person who logs in to WordPress.org. Doing so is simply not necessary for the purposes of MM’s interests, even if they could be described as ‘legitimate’, and necessity is what the legitimate interests ground requires.

Breaches of the GDPR

There is a strong argument, therefore, that — in relation to EU (and UK) residents — collecting/processing this item of personal data is contrary to the GDPR. (It may also be contrary to the privacy laws of some other jurisdictions.)

It is also arguable that Article 13 of the GDPR is being breached. Article 13 applies where personal data are collected from the data subject, and requires that, at the time of collection, the data subject be given, among other things, “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”. No such information is provided at the point where the checkbox is presented. The generic information in WordPress.org’s general privacy policy predates the checkbox, does not refer to it, and so does not clearly apply to it.

It is noteworthy that the owner/controller of WordPress.org is also the CEO of Automattic, which is a clear competitor to WP Engine and a named defendant in the lawsuit in relation to which the checkbox is said to be a response. One assumes members of Automattic’s board are aware of and willing to accept the GDPR-related risk (on the basis that, in substance, Automattic is a controller or joint controller). If I were a board member, this is not a risk I would willingly accept, but obviously that’s not a call for me.

Not legal advice and no attack on WordPress.org

Nothing in this post should be construed as legal advice. If any reader needs legal advice, they should consult a lawyer in their own jurisdiction. And to avoid doubt, I am not attacking WordPress.org or those who run it, regardless of what they may perceive. WordPress.org is awesome and for nearly two decades those behind it have been on a pedestal in my mind, revered for all they’ve achieved. But at some point, users’ privacy rights need to be respected, and enough has to be enough. Whilst one person may own and control the WordPress.org website, in substance it is the home for large parts of a global ecosystem. I suggest that foisting unreasonable requirements on members of that ecosystem, many of whom have helped make WordPress what it is today, needs to stop.