Phoning Home: Tracking Users

A grey area in GDPR compliance and a common practice in popular plugins.

Practical example: You have a popular plugin installed on your self-hosted WordPress.org site, and you have explicitly enabled the “Disable Tracking” option in the plugin settings.

Then you notice that the plugin is constantly sending requests to an external domain, with data such as the WordPress and PHP versions included in the URL query string.

Also, as you might know, your site’s IP address and domain will be recorded in that remote server’s logs.

This is a relatively easy way to track users, and maybe the best way to keep track of real, active installs, like a heartbeat!
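To see which plugins on your own site are phoning home, here is an added example (not from the original post, and not code from any plugin vendor) of a must-use plugin that hooks WordPress’s `pre_http_request` filter, logs every request to a host outside an assumed allowlist together with the plugin directory that triggered it, and can optionally refuse the request. The allowlist and the constant names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Outbound Request Audit
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Hosts the site is allowed to contact (assumed list; adjust to your site).
// Everything else is logged and, when OUTBOUND_AUDIT_BLOCK is true, refused.
const OUTBOUND_AUDIT_ALLOW = ['api.wordpress.org', 'downloads.wordpress.org'];
const OUTBOUND_AUDIT_BLOCK = false; // start in log-only mode; flip after reviewing the log

/**
 * Runs before every request made through the WP HTTP API (wp_remote_get() etc.).
 * Returning $preempt unchanged (false) lets the request proceed; a WP_Error cancels it.
 */
function outbound_audit_pre_http_request($preempt, $parsed_args, $url) {
    $host = wp_parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || in_array(strtolower($host), OUTBOUND_AUDIT_ALLOW, true)) {
        return $preempt;
    }

    // The query string is where a plugin usually puts WP/PHP versions and the site URL.
    $query = wp_parse_url($url, PHP_URL_QUERY);

    // Which plugin initiated it? Walk the call stack for the first frame
    // whose file lives under wp-content/plugins/<plugin-dir>/.
    $origin = 'unknown';
    foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 30) as $frame) {
        if (isset($frame['file'])
            && preg_match('#/wp-content/plugins/([^/]+)/#', $frame['file'], $m)) {
            $origin = $m[1];
            break;
        }
    }

    error_log(sprintf('[outbound-audit] plugin=%s host=%s method=%s query=%s',
        $origin, $host, $parsed_args['method'] ?? 'GET', is_string($query) ? $query : '-'));

    if (OUTBOUND_AUDIT_BLOCK) {
        return new WP_Error('outbound_audit_blocked',
            "Outbound request to $host refused by outbound-audit");
    }
    return $preempt;
}
add_filter('pre_http_request', 'outbound_audit_pre_http_request', 10, 3);
```

Only requests that go through the WP HTTP API pass this hook; a plugin calling curl or file_get_contents() directly bypasses it, so compare the log against the host’s egress firewall or DNS logs before trusting it as complete.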

Under the GDPR, IP addresses are generally considered personal data, especially if they can be used to identify or indirectly identify an individual. User consent is required unless the processing is strictly necessary for the basic technical functioning of a website (e.g., session management or security). In such cases, consent is not required, and the processing may be based on a legitimate interest or fall under the “strictly necessary” exemption.

There is an issue in Yoast SEO, if you want to see how Joost de Valk reacts… In fact, they deliberately lie in their documentation.

* This is not an isolated case; it’s a common practice you will find in different forms.