I'll drop this into #core-privacy next week for discussion.
My inclination here is that passwords themselves aren't PII (Personally Identifiable Information), but in combination with a username or email they can be used to access personal data, either on the site or across other networks where users have re-used their credentials. If a token can be stored instead of a password, this mitigates a hack/leak from then being used to re-try those credentials against other external services to gain further access to their personal data.
*I know several people who use the same email/user/pass combo for every site they sign up for.
If passwords or other data are stored and 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures' (Article 5(1)(f) of the GDPR), then as long as it's being disclosed (maybe through the Privacy Policy Guide) that should comply with the legislation.
*If any discussion ensues in a future privacy team meeting I'll post the archive link here.
As a follow-up to
https://wordpress.slack.com/archives/C02RQC26G/p1585246415044800
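The mitigation the comment above alludes to, storing a per-service opaque token rather than the user's reusable password, shown as an added example that is not part of the original issue thread or of WordPress core. The in-memory store, the user/service names and the `issue_token`/`verify_token`/`revoke`/`leaked_records` helpers are all assumptions made for illustration; the point is that a leaked copy of the store contains only hashes of high-entropy random tokens, which cannot be replayed against this site or against any other service, and that a token for one service is useless for another.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory credential store: (user, service) -> hex SHA-256 of the token.
# Assumption for illustration; a real plugin would persist this in the options/usermeta table.
_store = {}


def _fingerprint(token):
    # A random 256-bit token does not need a slow, salted password hash (Argon2/bcrypt);
    # a plain SHA-256 is enough because the input is not guessable. Do NOT do this for
    # user-chosen passwords.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user, service):
    """Mint a fresh opaque token scoped to one (user, service) pair.

    Only the fingerprint is retained; the token itself is returned once to the caller
    and never stored, so a database leak cannot reveal it.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    _store[(user, service)] = _fingerprint(token)
    return token


def verify_token(user, service, presented):
    """Return True only if `presented` is the live token for exactly this user+service."""
    stored = _store.get((user, service))
    if stored is None:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stored, _fingerprint(presented))


def revoke(user, service):
    """Invalidate the token for one service without touching the user's other credentials."""
    return _store.pop((user, service), None) is not None


def leaked_records():
    """What an attacker obtains if the store is dumped: fingerprints only, no replayable secrets."""
    return dict(_store)


def leak_is_replayable(user, service, leaked):
    """Simulate an attacker presenting the leaked stored value as if it were the credential."""
    return verify_token(user, service, leaked[(user, service)])


if __name__ == "__main__":
    t = issue_token("alice", "newsletter-api")
    print("valid for own service:", verify_token("alice", "newsletter-api", t))
    print("valid for other service:", verify_token("alice", "crm-api", t))
    print("leaked value replayable:", leak_is_replayable("alice", "newsletter-api", leaked_records()))
    revoke("alice", "newsletter-api")
    print("valid after revoke:", verify_token("alice", "newsletter-api", t))
```

The contrast with a stored password is the failure mode the comment describes: a leaked password (or a weak hash of one) can be tried against every other site where the user re-used it, while a leaked token fingerprint authenticates nowhere and the token it belongs to can be revoked per service without forcing a password change.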