GDPR compliance is hard: the WordPress edition

When my friend Georgie commented on my post about Talk.CSS, she told me that her comment wasn’t visible to her as awaiting moderation after submission, although she assumed that it had posted successfully based on the fact that the URL in her browser’s address bar had changed. This was new to me: I could’ve sworn the moderation notice was always visible because I’d tested it thoroughly when developing the theme for blog.NOVALISTIC 5.0 “Veldin”.

We couldn’t find any leads so we left it as it was. Two weeks later, this morning, she sent me links to this WordPress.org support forum topic, posted around the same time we first ran into this issue, and to this Stack Overflow question which was asked just a few hours ago. The asker self-answered with the following:

Apparently the solution was to have the “Save my name, email, and website in this browser for the next time I comment.” checkbox selected in order for the message to show up.

So you have to have the GDPR checkbox to be checked in order to have the comment and message appearing before approval.

Sorry for bothering.

(Yes, I’m including that last line here, and no, I didn’t edit it out, because I simply don’t see the point in making a fuss over it.)

So, it dawned on me, the issue was twofold:

  1. My theme was missing a critical privacy element for GDPR compliance; namely, a checkbox that indicates the user’s consent to their browser remembering their details in a cookie (yes, you do need explicit consent for anything a user submits that you might store either on your server or in a cookie now).

  2. WordPress 4.9.6, the latest release that adds GDPR compliance elements, is failing to display the comment moderation notice when the user submitting a comment has not given this consent, presumably as an unintended side effect of being a little too conservative (not that I’m saying that’s a bad thing!).

If your WordPress theme has a custom comment form implementation (i.e. the comment form is provided by a custom callback rather than the built-in comment_form() template), you’ll need to add the new cookie consent checkbox. The only important bit is the name attribute, whose value must be wp-comment-cookies-consent. Here’s what mine looks like:

<form class="feedback" action="<?php echo site_url( '/wp-comments-post.php' ); ?>" method="post">
    <!-- ... -->
    <p><label><input type="checkbox" name="wp-comment-cookies-consent"<?php if ( ! empty( $commenter['comment_author_email'] ) ) echo ' checked'; ?>> Remember my name, email and website for future comments</label></p>
    <p><button type="submit">Post Comment</button>
<?php comment_id_fields(); ?></p>
<?php do_action( 'comment_form', $post->ID ); ?>
</form>

As with the rest of the comment form fields, you don’t need any additional plumbing for this to work. As long as the checkbox is present in your comment form, when the user checks it off WordPress will correctly set the cookie and notify the user if their comment is awaiting moderation.

Wait, what? So if the user doesn’t allow the cookie to be created, they don’t get notified?

That’s right. An oversight in the implementation of this feature means that since WordPress won’t remember the user’s details, it won’t be able to determine that the comment that it just received was theirs and display it to them along with the moderation notice. Privacy, am I right?

No worries though, the developers have been made aware of this since before WordPress 4.9.6 was released, as it was reported on the WordPress Trac at least two months ago. Understandably, they punted this issue to 4.9.7 in order to get the important stuff (GDPR compliance tools) out in a timely fashion (4.9.6 was released on May 17, which happens to be exactly one month ago at the time I’m writing this). Hopefully a fix for this issue will be shipped soon.

Add a comment

Things to keep in mind: