Summary
Plugin Check should detect when a plugin collects personal data but does not register an exporter callback via the wp_privacy_personal_data_exporters filter.
Background
Since WordPress 4.9.6, WordPress ships a Personal Data Export tool to help sites comply with privacy regulations such as the GDPR. Plugins that store personal data are expected to hook into this tool so that admins can generate a complete data export (ZIP file) for any user on request. Registration is done via:
add_filter( 'wp_privacy_personal_data_exporters', 'my_plugin_register_exporters' );
The exporter callback receives a user's email address and a pagination page number, collects the relevant personal data, and returns it as a structured array of grouped items. Exports are cached on the server for 3 days and then automatically deleted.
Reference: https://developer.wordpress.org/plugins/privacy/adding-the-personal-data-exporter-to-your-plugin/
Proposed Check
Add a detection rule that warns plugin authors when their plugin appears to handle personal data (e.g. uses add_comment_meta, update_user_meta, custom DB writes, etc.) but does not register a handler for the wp_privacy_personal_data_exporters filter.
Summary
Plugin Check should detect when a plugin collects personal data but does not register an exporter callback via the
wp_privacy_personal_data_exportersfilter.Background
Since WordPress 4.9.6, WordPress ships a Personal Data Export tool to help sites comply with privacy regulations such as the GDPR. Plugins that store personal data are expected to hook into this tool so that admins can generate a complete data export (ZIP file) for any user on request. Registration is done via:
add_filter( 'wp_privacy_personal_data_exporters', 'my_plugin_register_exporters' );
The exporter callback receives a user's email address and a pagination page number, collects the relevant personal data, and returns it as a structured array of grouped items. Exports are cached on the server for 3 days and then automatically deleted.
Reference: https://developer.wordpress.org/plugins/privacy/adding-the-personal-data-exporter-to-your-plugin/
Proposed Check
Add a detection rule that warns plugin authors when their plugin appears to handle personal data (e.g. uses
add_comment_meta,update_user_meta, custom DB writes, etc.) but does not register a handler for thewp_privacy_personal_data_exportersfilter.