TL;DR The punchline of this post is that the operator(s) of WordPress.org may, through the “I am not affiliated…” checkbox, be breaching Europe’s General Data Protection Regulation (GDPR), and that is something of which the board of Automattic ought to be aware. Let me explain. The “not affiliated” checkbox As is well known across the community, on or around 8 October, the login screen on WordPress.org was amended to look like this (originally it linked to the WP Engine lawsuit, but that was subsequently removed): Application of the GDPR First of all, there is a strong argument that the operator(s) of WordPress.org are subject to the GDPR in relation to their processing of EU residents’ personal data through WordPress.org. For example, there are localised versions of WordPress.org translated into the languages of some EU member states (e.g., de.wordpress.org/) and so services are being actively offered to EU residents, and the WordPress.org privacy statement appears to have been written on the assumption the GDPR applies. Personal data processing through the checkbox Under the GDPR, “personal data” …