Privacy: Add check for wp_privacy_personal_data_erasers filter (GDPR personal data erasure)

[masteradhoc]

Summary

Plugin Check should detect when a plugin collects personal data but does not register an eraser callback via the wp_privacy_personal_data_erasers filter.

Background

Since WordPress 4.9.6, WordPress ships a Personal Data Removal tool to help sites comply with privacy regulations such as the GDPR. Plugins that store personal data (e.g. in comment meta, post meta, or custom post types) are expected to hook into this tool by registering an eraser callback via:

add_filter( 'wp_privacy_personal_data_erasers', 'my_plugin_register_erasers' );

The eraser callback receives a user's email address and a pagination page number, removes the associated personal data, and returns a status array indicating whether items were removed, retained, and whether processing is complete.

Reference: https://developer.wordpress.org/plugins/privacy/adding-the-personal-data-eraser-to-your-plugin/

Proposed Check

Add a detection rule that warns plugin authors when their plugin appears to handle personal data (e.g. uses add_comment_meta, update_user_meta, custom DB writes, etc.) but does not register a handler for the wp_privacy_personal_data_erasers filter.