Logging vs. excessive logging

Not disagreeing with you, just some extra thoughts…

In my opinion, it is best practice to require explicit agreement to the privacy policy (and other contractual terms) before any individual product may be purchased.
Access to the “service delivery domains” is entirely restricted to users who have purchased the product (even if the consideration required for the product purchase was $0).

Also as a matter of opinion, I do not believe that privacy legislation like the GDPR is in any way intended (certainly not the local version of it) to mean that I need to require the consent of bots / hackers who try to circumvent my security before collecting their IP address or information related to their activity, as such information would be needed if I have to report them to the authorities and to take mitigating action to protect the privacy of my customers.

Locally, a number of property rights are enshrined in our Constitution.
Our Constitution is not just a contract between the Legislator and the People, it also applies to the interactions between non-government agencies.
In accordance with those rights and in accordance with common law principles, I do have the right to take reasonable action to protect my private property.

Informed consent is crucial.
However, I don’t believe that privacy legislation needs to be the boogeyman that many (not referring to anyone on this forum, just to be clear) are trying to scare people into believing.

@anon71742606 As I said, consent is not required for everything under the GDPR. If data collection or storage is necessary to comply with another legal obligation, or to prevent or detect crime, then consent is not required.

Of course, this requires that IP addresses, for example, that are captured in this way must only be used for that purpose. If they are also used for another purpose, then consent is required.

One thing I’d point out, though, is that one privacy policy will often be insufficient under the GDPR. That’s because, for every different use of data that requires consent, separate consent must be obtained. Under the GDPR, consent cannot be given in a blanket fashion; it must be granular.

And here I shall suggest CP does a better job than WP about that.
Maybe with a dedicated core plugin allowing to ask specific consents.
This however is material for a petition, I think.

I do see your point there @timkaye
How do you “square” multiple privacy policies with plain-language principles though?
I personally think it is a balancing act and that the intent and context are very important.

Let’s say, as a general example, this does not specifically apply to me:

An audit firm has a website.
But they don’t just use that website to advertise, they allow clients to upload raw documents and to view the processed documents (i.e. download the completed financial statements).
No one other than the accountant (and employees within their organization), the web host / tech / security guy and the client has access to their information.
The accountant uses their website as an electronic means of communication to do their work within the scope of the engagement and does not allow interest-based advertising, or any third party advertising, because that would just look unprofessional.
There is a signed engagement letter in place for the service.

Other than pointing out that electronic communication carries certain risks, including potential unauthorized access, I don’t really see how complicated / multiple privacy policies are necessary.
The treatment of information isn’t really any different than if the client brought in paper copies to the office, other than being electronic as per above.

So I would say: “Remember that all information you submit to us needs to be kept in accordance with legislative requirements and those of the x professional body we belong to.”

@anon71742606 This is where good design comes into play. Take a look at how TheAtlantic.com does it.

Your proposed announcement just isn’t enough, I’m afraid.

@timkaye
I did not mean that I would rely on a literal one-liner :rofl:

I like Atlantic’s privacy policy.
I already have pretty much the same elements (except the details about the third-party advertisers, which are only briefly addressed because they do not apply).
Reading it was still very useful though. They phrase some elements very eloquently.
Thanks for pointing us to it!

One use of third-party cookies is the WP Theme Previewer. You can see the first page correctly, but to go to other pages, it needs the cookie to show you the correct theme. Otto is supposedly working on that, but I think other things have priority. I wonder how CP will solve this problem.

Thanks, @joyously
I was actually not aware of that. Really good to know.
I only have two themes that I vetted and tested, and I don’t use anything else, so my use of the theme previewer is virtually non-existent; still, it is something that should be made clear to us as users, and the same thing definitely doesn’t apply to the majority of other users.

I see six cookies that are not considered third-party by my browser (I mean from the WP site).
Four expire when the browsing session ends.
Contents are encrypted.
Do you know why so many are needed?

The WP site is actually a network, so it depends on which parts you have visited. The forum has a profile, but it is tied to your other WP profile. There is plain .org where the themes and plugins are, Make, Trac, SVN, Codex, etc.

@joyously
In this case, it is a private .org installation. (Edit: single site, not MU).
It includes a test cookie, a logged in user, one for settings and one for date/time settings.
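The cookie inventory discussed in the last exchange (how many cookies a site sets, which expire when the session ends, which count as third-party) can be produced from the Set-Cookie headers themselves; the following is an added example, not code from this thread, from WordPress or from ClassicPress. It assumes constructed header values modelled on WordPress's cookie names, a site host of example.org and a made-up preview domain.

```python
# Added example (not from the thread): classify Set-Cookie headers the way a cookie/privacy-policy review needs to.
from collections import namedtuple
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# persistent: outlives the browsing session; third_party: Domain is neither the site host nor a parent of it
CookieRecord = namedtuple("CookieRecord", "name domain persistent third_party secure httponly")

def parse_set_cookie(header, site_host, now):
    """Parse one Set-Cookie value relative to the host that sent it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    host = domain = site_host.lower()
    expires, max_age, secure, httponly = None, None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.lower(), value.strip()
        if key == "expires":
            expires = parsedate_to_datetime(value)
            if expires.tzinfo is None:  # treat a naive date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
        elif key == "max-age":
            max_age = int(value)
        elif key == "domain":
            domain = value.lstrip(".").lower()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    # RFC 6265: Max-Age wins over Expires; with neither, the cookie is session-only
    persistent = max_age > 0 if max_age is not None else bool(expires and expires > now)
    third_party = not (host == domain or host.endswith("." + domain))
    return CookieRecord(name, domain, persistent, third_party, secure, httponly)

def summarize(headers, site_host, now):
    recs = [parse_set_cookie(h, site_host, now) for h in headers]
    return {"session": sum(not r.persistent for r in recs),
            "persistent": sum(r.persistent for r in recs),
            "third_party": sorted(r.name for r in recs if r.third_party),
            "missing_flags": sorted(r.name for r in recs if not (r.secure and r.httponly))}

# Constructed sample modelled on WordPress's cookie names; values and the preview domain are made up
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP+Cookie+check; path=/; secure",
    "wordpress_logged_in_9f2c=admin%7C1577836800; path=/; secure; HttpOnly",
    "wp-settings-1=editor%3Dtinymce; expires=Wed, 01 Jan 2020 00:00:00 GMT; path=/",
    "wp-settings-time-1=1546300800; Max-Age=31536000; path=/",
    "theme_preview=twentynineteen; domain=.preview.example.net; path=/",
]
SITE_HOST = "example.org"
NOW = datetime(2019, 1, 1, tzinfo=timezone.utc)
```

Running `summarize(SAMPLE_HEADERS, SITE_HOST, NOW)` gives the split a policy author needs: three session cookies, two persistent ones, one third-party cookie, and the names of cookies sent without both Secure and HttpOnly.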