Pulling the plug on legal compliance plugins

Working on WordPress.org’s GDPR compliance team is providing a good opportunity to look at other issues not necessarily related to one piece of legislation, but which impact the .org ecosystem all the same. Amongst other things, we are taking a look at the plugin developer guidelines to see where we can strengthen and clarify what they say about the ways data should be structured and protected. While we were thinking about the plugin guidelines, I took the opportunity to kill off a problem I have ranted against on conference stages for years.

I worked with the .org plugin review team to have Section 9 of the plugin development guidelines, Developers and their plugins must not do anything illegal, dishonest, or morally offensive, amended with the following line:

  • implying that a plugin can create, provide, automate, or guarantee legal compliance

and with that, an issue which has always troubled me as a real risk to the integrity of the ecosystem has been shot down.

Going forward, plugins can, and certainly should, clarify that they can help a site administrator with aspects of a compliance issue, whether that is a front-end process or a back-end workflow. But claiming that a plugin is legal compliance, or can make it happen by mere activation, is no longer allowed.

As Mika Epstein and I wrote in the email explaining the change:

Sadly, no plugin in and of itself can provide legal compliance. While a plugin can certainly assist in automating the steps on a compliance journey, or allow you to develop a workflow to solve the situation, they cannot protect a site administrator from mistakes or lack of compliance, nor can they protect site users from incorrect or incomplete legal compliance on the part of the web site. In short, plugins are helpful tools along the legal compliance journey, but should never be presented as a solution, nor should they give users a false sense of security.

We also wrote a FAQ for developers whose plugins have been identified as potentially being in violation of the new rule.

So what does this change mean in the long run?

First, and most importantly, it means the days of plugins claiming to be the click-and-install solution for everything from GDPR to accessibility to contracts, either inadvertently or on purpose, is over.

For WordPress, it means the risk of reputational damage from this kind of abuse of the ecosystem is diminished, albeit within the plugin repository it can control.

For developers, it means working a little bit smarter. It’s not in any developer’s interest to be held responsible for a site’s compliance failure based on the promises made in a plugin’s description.

And for everyday site administrators, it’s a bit of tough love for tough times. Compliance matters like accessibility, VAT, and privacy should not be left to a 60 second search of the plugin repo. If you want a plugin to make your business legally compliant for you, you’re asking the wrong question.

Not a bad outcome for a few days’ work.

Many thanks to Mika Epstein for talking me through the idea and taking it to the team for quick action. And with that, it’s back to work.