login

Legal

Requesting Private Information of WordPress.com Users

Our users place their trust in us to keep them safe, and, in some cases, anonymous. We view safeguarding that trust and protecting our users’ private information as vital to what we do.

Automattic receives requests for information about WordPress.com users, sites, and accounts from government agencies, law enforcement, private parties, and individuals or corporations involved in civil lawsuits. Before revealing any non-public information about a site, an account, or a user, we require a valid subpoena, search warrant, or court order. The only exception is when we have a good faith belief that there is an emergency involving imminent danger of death or serious physical injury. 

If your request or inquiry highlights a potential violation of our policies or Terms of Service, we will review it in accordance with our standard enforcement procedures. Please note that we reserve the right to take immediate action against sites or user accounts that are found to be in violation of our Terms of Service. This may include the removal of public access to individual pieces of content, or full site/account suspension – with appropriate user notification. This will not impact the availability of information for response to legal process that has been preserved as the result of an applicable request.

More information about our procedures is below.

United States Legal Process

We require any subpoena, search warrant, court order, or judgment to be issued by a US authority in compliance with the United States Federal Rules of Criminal Procedure, the Federal Rules of Civil Procedure, and/or California state law. We respond to court judgments from the United States only, or foreign judgments specifically adopted by a United States or California court. Law enforcement agencies from outside the US may obtain these types of orders through the Mutual Legal Assistance Treaty (MLAT) process outlined in 28 U.S.C. § 1782 and 18 U.S.C. § 3512. See more about our process for non-US law enforcement requests below.

In line with section 1524.2.(c)(2) of the California Penal Code, we also require an attestation for search warrants stating that the evidence sought is not related to an investigation into, or enforcement of, a prohibited violation – as defined in Section 629.51(5).

WordPress.com vs. WordPress.org

Before making a request for information to WordPress.com, check to see if the site you are inquiring about uses WordPress.com (which is supported by us) or WordPress.org (which is not). The WordPress.org software, which is not hosted by us, can be downloaded and installed on any web host. If you’re inquiring about a site that says it has been “built using WordPress” or mentions that it is “Powered by WordPress,” please note that this means the site is using the WordPress.org software, and you should contact the host of that particular site. There are various free resources online for determining the host of a site.

Learn more about the difference between WordPress.com and WordPress.org.

What Information Do We Have?

WordPress.com has certain information relating to users, sites, and commenters. WordPress.com accounts contain various information that is provided at a user’s discretion and is unverified. The following is a summary of the information that we may collect and store.

1. Basic account information, such as:

  • Username
  • Email address
  • Name
  • Phone number

2. Transaction and/or billing information (if upgrades have been purchased).

We will generally retain transaction and/or billing information until changed or removed by the user (if it’s possible to do so). We also collect log data, which may include a user’s IP address, browser type, and operating system. We keep this information for up to 30 days as a matter of course, absent a valid preservation request. You can read more about how we handle preservation requests under “Preservation Requests for WordPress.com Sites” below.

3. Site creation, posting, and revision history information, such as:

  • The date and time (UTC) at which a site was created
  • The IP address from which a site was created
  • IP address and user agent for a post or revision

We may retain the above information, even if a site or post is deleted. Deleted posts remain in a user’s trash folder for 30 days, after which point our servers may retain a backup for an additional 60 days.

4. Information on commenters on WordPress.com sites.

We retain commenter information unless the owner of the site on which the comment appears deletes the comment.

5. Contact information associated with a domain registration (if a user has registered a custom domain).

If a user has registered a custom domain on WordPress.com (e.g., yourgroovydomain.com rather than yourgroovysite.wordpress.com), we may have the contact information the user provided for the domain registration.

Requests from Government Agencies/Law Enforcement

We do not voluntarily provide governments with access to user data – whether for law enforcement, intelligence gathering, or surveillance purposes. However, when required by law, we will disclose user information only in response to valid legal process such as; a subpoena, search warrant, or court order issued by a U.Sauthority, in accordance with the Federal Rules of Criminal Procedure, the Federal Rules of Civil Procedure, and/or California state law. The only exception is for emergency requests by law enforcement, for more information on emergency requests see the ‘Emergency Requests’ section below.

In response to a valid subpoena issued by a US authority, we can provide the following information, when it is available:

  • First and last names
  • Phone number
  • Email address
  • Date/time stamped IP address from which a site was created
  • Physical address provided by the user
  • PayPal transaction information

We require a specific court order or search warrant before providing additional IP address data or information relating to a specific post or a specific comment.

Emergency Requests from Government Agencies/Law Enforcement

As permitted by US law, we may disclose user information to government or law enforcement agencies – without a subpoena, search warrant, or court order – if we have a good faith belief that there is an emergency involving imminent danger of death or serious physical injury which requires disclosure of information related to the emergency without delay. If you are an officer of a government or law enforcement agency and have an emergency request, please submit your request by following these steps.

Such requests should include all of the following:

  • Nature of the emergency and the individual(s) in danger of death or serious physical injury;
  • WordPress account name or specific URL of the account(s) or link(s) containing information necessary to identify and prevent the emergency;
  • Links to any specific posts or comments containing relevant information;
  • The specific information requested, and why the requested information is necessary to prevent the emergency; and
  • Any other relevant details or context regarding the particular circumstances.

Notification to WordPress.com Users and Transparency

We aim for total transparency with our users when legal requests for information or complaints affect their sites, accounts, or information. It is our policy to notify users and provide them with a copy of any legal requests regarding their account or site, unless we are prohibited from doing so by a court order issued in the US. When the prohibition from notifying users expires, we will notify users and provide them with a copy of the legal process at that time.

In light of the October 19, 2017, Department of Justice guidance on nondisclosure orders, we ask that the agency include a specific end date for the nondisclosure period in any proposed order to the court, and that any period or extensions of time last no longer than a combined total of one year.

If a request for information is validly issued, as described in these Legal Guidelines, we will preserve the necessary information before informing the user of the request. In most cases, upon notification to the user of the request for information, that user will be provided with either 7 days or the amount of time before the information is due, whichever is later, during which time the user may attempt to quash or legally challenge the request. If, prior to the deadline, we receive notice from the user that he or she intends to challenge a request for information, we will not deliver any information until that process concludes. We also review the information requests received and may lodge our own challenge to the scope or validity of legal process received, on behalf of a user, whether or not the user pursues his/her own legal challenge.

Back to Top