WordPress.org

Making WordPress.org

Opened 3 weeks ago

Last modified 3 weeks ago

#5618 new enhancement

Require ToS/Privacy at login and record acceptance

Reported by: tellyworth
Owned by:
Milestone:
Priority: high
Component: Login & Authentication
Keywords:
Cc:

Description

For legal reasons it is necessary that WordPress.org enforce acceptance of a ToS and Privacy Policy at login, and record the date and version of the policy most recently accepted by each user. This means:

  • The login form will need to include a checkbox such as [ ] I have read and accept the terms of service and privacy policy with appropriate links.
  • Failure to check the box will prevent login.
  • Login sessions should remain capped at 2 weeks to ensure all active users regularly accept new terms.
  • On successful login, a usermeta or similar value should be set recording the timestamp and version of the ToS and Privacy policy documents (perhaps the currently deployed svn rev# for each?)
  • It should probably also record the rev # of the login form and theme, since that may be relevant info.

Change History (2)

#1 follow-up: @dd32
3 weeks ago

The login form will need to include a checkbox such as [ ] I have read and accept the terms of service and privacy policy with appropriate links.

Alternatively:

  • The registration form should have the checkbox
  • The login form should only prompt if the user hasn't reviewed the terms since last update

Perhaps the login validation could be a post-login screen, with a "Yes I agree / No I do not" button instead of a checkbox though.

timestamp and version of the ToS and Privacy policy documents (perhaps the currently deployed svn rev# for each?)

Recording the timestamp that they've agreed to should be enough I think, i.e. it's safe to assume that someone's timestamp of 2021-06-01 01:02:03 will indicate that they've agreed to the 2021-05-01 policy, but not the 2021-07-01 version.

Note that WordPress.org does not currently have a published ToS; this would probably go well with #957.

#2 in reply to: ↑ 1 @carike
3 weeks ago

Replying to dd32:

Alternatively:

  • The registration form should have the checkbox
  • The login form should only prompt if the user hasn't reviewed the terms since last update

I prefer this :) Better user experience, less compliance fatigue, more meaningful interaction.
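
The timestamp-only record from comment #1, combined with prompting only when the terms have changed since the user last accepted, as an added example that is not WordPress.org's code. The policy publication dates, the function names and the UTC assumption are hypothetical; in WordPress the acceptance timestamp would be read from usermeta.

```php
<?php
declare(strict_types=1);

// Constructed sample data: publication instant of each policy version (UTC assumed).
const POLICY_VERSIONS = [
    '2021-05-01' => '2021-05-01T00:00:00+00:00',
    '2021-07-01' => '2021-07-01T00:00:00+00:00',
];

// Newest policy version published at or before $instant, or null if none was.
function version_in_force(int $instant, array $versions): ?string
{
    $best = null;
    $bestTs = PHP_INT_MIN;
    foreach ($versions as $label => $published) {
        $ts = (new DateTimeImmutable($published))->getTimestamp();
        if ($ts <= $instant && $ts > $bestTs) {
            $best = (string) $label;
            $bestTs = $ts;
        }
    }
    return $best;
}

// True when the user must be shown the terms before the login completes.
// $acceptedAt is the stored Unix timestamp (hypothetical usermeta value), or null if never set.
function needs_prompt(?int $acceptedAt, int $now, array $versions): bool
{
    $current = version_in_force($now, $versions);
    if ($current === null) {
        return false; // no policy published yet, nothing to accept
    }
    if ($acceptedAt === null || $acceptedAt > $now) {
        return true; // never accepted, or a future-dated (untrustworthy) record
    }
    return version_in_force($acceptedAt, $versions) !== $current;
}

// The timestamp from comment #1, checked before and after the 2021-07-01 version.
$accepted = (new DateTimeImmutable('2021-06-01T01:02:03+00:00'))->getTimestamp();
foreach (['2021-06-15T00:00:00+00:00', '2021-07-15T00:00:00+00:00'] as $when) {
    $now = (new DateTimeImmutable($when))->getTimestamp();
    printf(
        "%s accepted=%s prompt=%s\n",
        $when,
        version_in_force($accepted, POLICY_VERSIONS) ?? 'none',
        needs_prompt($accepted, $now, POLICY_VERSIONS) ? 'yes' : 'no'
    );
}
```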
