Add WordPress Privacy Data Exporter & Eraser for consent records

[betayazilim]

Description

The plugin stores personal data (anonymized IP, user agent, geo-location, consent timestamps) in the pressidium_cookie_consents table, but does not register with WordPress's privacy data export/erasure system introduced in WordPress 4.9.6.

WordPress provides two hooks for GDPR compliance:

• wp_privacy_personal_data_exporters — to export personal data on request
• wp_privacy_personal_data_erasers — to erase personal data on request

When a site administrator processes a data export or erasure request (Tools → Export/Erase Personal Data), the plugin's consent records are currently invisible to this system.

Suggested Implementation

Data Exporter

add_filter( 'wp_privacy_personal_data_exporters', function( $exporters ) {
    $exporters['pressidium-cookie-consent'] = array(
        'exporter_friendly_name' => __( 'Pressidium Cookie Consent', 'pressidium-cookie-consent' ),
        'callback'               => 'pressidium_cc_privacy_exporter',
    );
    return $exporters;
} );

The exporter should look up consent records by anonymized IP (since full IPs are not stored) and return matching records.

Data Eraser

add_filter( 'wp_privacy_personal_data_erasers', function( $erasers ) {
    $erasers['pressidium-cookie-consent'] = array(
        'eraser_friendly_name' => __( 'Pressidium Cookie Consent', 'pressidium-cookie-consent' ),
        'callback'             => 'pressidium_cc_privacy_eraser',
    );
    return $erasers;
} );

The eraser should delete matching consent records from the database.

Note: Since IPs are anonymized via wp_privacy_anonymize_ip(), exact matching by email may not be possible. Consider storing a hashed user identifier (when logged in) to enable more precise lookups.

References

• WordPress Privacy Data Export/Erasure API
• GDPR Article 17 — Right to erasure

Environment

• Plugin version: 1.9.1

[over-engineer]

@betayazilim Thanks a lot for opening the issue and for the detailed breakdown!

This is a great point about integrating with WordPress’s built-in privacy tools and we’ll definitely consider this for a future update of the plugin.

Since the plugin only stores anonymized IP addresses, user agents, and coarse locations (country codes only), do you think this qualified as personally identifiable information (PII)? Any insight would be appreciated.

Thanks again for taking the time to share this!