Regarding Personal Data Deletion functionality

You’re not missing anything. This new functionality addresses that but has a process to help ensure that the right data is removed and for the right reasons.

Is this supposed to be used by people who want their PII data to be deleted – thus being compliant with the right to be forgotten?

I’m so going to avoid any talk about perceived regulatory requirements but here’s how the new feature works.

If you are a user or someone who has posted a comment, media, posts, etc to a WordPress site then have to request the information of the WordPress site. That could be via a contact page on the site. The important thing is the admin needs to get the request with your email address.

The admin then goes to this page.

https://some-site-here/wp-admin/tools.php?page=export_personal_data

And submits the email of the person making that request.

That person receives an email from that WordPress site asking to confirm the request. No one wants their data exposed to anyone who just asks so that confirmation is important.

You (the user) confirms via a link. That moved the request into the “Confirmed” tab for that site.

The administrator of the site needs to (in the confirmed tab) send you an new email. That will have an obfuscated link in it for you to view all of the data on that site associated with your email. The link is good for 24 hours I believe.

Erasing your data works the same way with confirmation and when that process is confirmed and finished then all associated data, uploads, etc. are removed.

Thanks for the detailed reply.

I guess it all comes down to what you mentioned, one’s perception of the regulatory requirements ??

For a registered user, after erasing their personal data, follow up with deleting the user using the flow WordPress already included for that. In a future version we’ll likely be adding an action to the erasure request row to quickly start that Delete User flow.