GDPR: All this data is shared with wordpress.com?

Hi @programmieraffe

We cannot give specific legal advice about your particular site of course, because we are not your attorney.

In general, though, if you handle the information you collect from your visitors responsibly and are not sharing or selling it to other companies without permission, then the GDPR is unlikely to cause a radical change in how you do things. WordPress.com is not a tool which gives you a lot of personally or legally sensitive details on your visitors.

Further, if you want to write a Privacy Policy that discloses to your site’s visitors the information that’s collected when they follow or comment on your site, you can create a customized privacy policy using our Privacy Policy Helper:

https://jetpack.com/support/for-your-privacy-policy/

You can also see more here:

https://jetpack.com/blog/jetpack-gdpr/

If you have any follow-up questions, let us know.

I would like to join this question:

To which extent is “Jetpack Protect” a part of the Jetpack plugin and requires extensive syncing. It would seem that the list of plugins and versions installed and maybe a site ID would be sufficient information for a vulnerability scan.

Instead the plugin’s dashboard links to the document above that explains the Jetpack sharing process, in which, among other things

User-Related Data
Jetpack syncs miscellaneous bits of user information, such as:
The user IDs, usernames, email addresses, roles, and capabilities of registered users. This does not include passwords.
The user ID of any users that make changes to the site and the time that changes are made (e.g. ID of the user that added a new user, modified the site icon, or trashed a comment)."

is mentioned.

This is clearly not necessary information to be shared for the purposes of a security scan. And as the OP has mentioned, if this isn’t merely a mistaken link, will prohibit the use of the plugin by everyone subject to the GDPR.

If running the WPScan/Jetpack Protect plugin ineed requires consent to the sharing of data as is the case with the complete Jetpack plugin, it would suggest a strange kind of data grab for a free offer supposedly aimed at increasing the health of the WP ecosystem.

As such, I would think that the link to the JETPACK sharing agreement as part of the JETPACK protect plugin’s setup process is an oversight. Could you confirm this, and maybe fix it? Also, it would be great to get a list of data *actually* shared with Automattic when using this plugin.

Thanks.

Hi there

Sorry for the confusion here. Jetpack Protect does not sync all of the same data as Jetpack, only what is needed to perform its services – that is plugin, theme, and WordPress version information. We are working on confirming those details and getting the documentation updated accordingly.

Thanks, great, that’s good to know! Thanks for your efforts =)

Hi there,

I’m marking this topic as resolved now. But If you have any further questions or need some more help, you’re welcome to reply here and mark this topic as “not resolved” from the left sidebar of this topic or open another thread.