
Textpattern CMS support forum


#196 2018-04-28 17:09:05

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Was just looking at the privacy policy for CryptPad, which is a worthy French project, btw, and I’m really liking what I see there. It’s super simple, plain language, and seems to cover all the bases.

Can it really be that easy?

I especially like how they talk about IP and log data, in a ‘that’s just the way it is’ kind of tone, ‘we don’t do this, we do that’. Done.

Their contact email is not a form, but a direct link to a mail address at xwiki.com, which is probably their own mail server, so that eliminates having to say anything about a DPA there.

I guess I’m either going to not let potential clients contact me, or I have to contact Proton and/or WebFaction.

Offline

#197 2018-04-28 18:51:12

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

If you’re on WebFaction and you’re using an email from your own domain for business, you do need to get some kind of DPA from them, or give them one, or something. They don’t seem to be GDPR compliant yet (lawyers are reviewing), but they seem willing to work with you via a support ticket. Thread on it here

This likely means if you don’t use your own domain emails hosted by them, you have to get a similar arrangement from that provider instead (e.g. Protonmail). Protonmail doesn’t seem to have anything about it on their website, and being outside the EU, they may not want to play. I don’t know.

Edit: I’ve just written them to see what they say about it.

It looks like Planeth the sailor was right. ;)

Offline

#198 2018-04-29 00:25:39

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

lol… This email marketers’ info is cracking me up, but making its readers cry. If you think you’ve got it bad as an honest freelancer or whatever, just think of these saps who are used to screwing people with dark UX and hidden opt-out cover-ups. They are literally scared and confused. I take a certain pleasure from that.

And this, from a commenter. Man, it says it all:

I still do not think many organisations here in the UK are aware of GDPR. People just look perplexed if you mention it to them. The very few that do know what GDPR is all [say] the same thing …. ‘it doesn’t apply to us, we are too small’.

This is going to be an entertaining summer.

Offline

#199 2018-04-29 17:51:57

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,388
Website GitHub Mastodon Twitter

Re: Txp cookies, visitor logging, and GDPR stuff in general

We’ve been discussing how GDPR will affect our online presence, but this Twitter thread is looking at its repercussions in schools. Here is a funny one:

Award certificates must only refer to the successful pupil as ‘Child x.’ ‘Your child, who cannot be named for legal reasons, has worked well in a subject that we cannot disclose in accordance with GDPR legislation.’ Signed: Teacher x (twitter.com/VivWatson1/status/990496004616196098)

which elicited the response:

“Has worked well” seems too clear. “Is progressing in line with averages expected from a meta-study of like and unlike students” seems to be more fitting… (twitter.com/4321jc/status/990496993905524737)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#200 2018-04-29 20:51:00

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

I just got curious about Dreamhost and did some googling.

Also, IP addresses are personal data. So it’s not only about databases; server log files are also affected, as they include the IP address. As far as I could see in our DreamHost settings, it’s not possible to turn server logs completely off or to anonymize IP addresses in the log files. Even if you don’t save a database, you are also affected by the server logs. And yes, Privacy Shield is a must. (Source: Will Dreamhost be GDPR compliant?)

If you search the database at https://www.privacyshield.gov/list, Dreamhost isn’t listed. Neither is Hostgator, Bluehost, Laughing Squid, Digital Ocean, or Joyent. The only one I could think to try that was listed is Rackspace.

Offline
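The quoted post says the host cannot anonymize IP addresses in its log files. Where you control the logs yourself, the usual mitigation is to truncate the client address before the log is retained, so it identifies a network rather than one visitor. The following is an added example, not code from the thread or from any host mentioned in it; the log lines are constructed, and the prefix lengths (24 bits for IPv4, 48 bits for IPv6) are assumed defaults.

```python
import ipaddress
import re
from typing import List

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [29/Apr/2018:20:51:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [29/Apr/2018:20:51:02 +0000] "GET /about HTTP/1.1" 200 812 "-" "curl/7.58"
not-an-ip - - [29/Apr/2018:20:51:03 +0000] "GET /x HTTP/1.1" 404 0 "-" "-"
"""

# In the combined format the client address is the first whitespace-delimited field.
_CLIENT_FIELD = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)


def anonymize_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host part of an address so it no longer points at one client.

    IPv4 keeps the first 24 bits (203.0.113.45 -> 203.0.113.0), IPv6 the first
    48 bits. Anything that is not an IP address (a reverse-resolved hostname,
    or garbage) is replaced by "-" rather than passed through, since a hostname
    can identify a visitor just as well as the address it came from.
    Truncation lowers, but does not remove, re-identification risk on very
    small networks, so keep retention short as well.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "-"
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_line(line: str) -> str:
    """Rewrite one combined-format log line with its client field truncated."""
    match = _CLIENT_FIELD.match(line)
    if not match:
        return line  # blank or malformed line: nothing to strip
    return anonymize_ip(match.group(1)) + match.group(2)


def anonymize_log(text: str) -> List[str]:
    """Apply anonymize_line to every line of a log file's contents."""
    return [anonymize_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run it as a filter over a rotated access log (or pipe the web server's log output through it) so only the truncated form is ever written to disk.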

#201 2018-04-29 22:03:51

CodeWalker
Member
From: Hampshire, UK
Registered: 2010-01-08
Posts: 110
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Just on a side note, regarding tracking cookies of the Google Analytics variety… I have been using GA Lite lately rather than the official ga script from Google. It’s a clone that is much, much smaller, you can run it off your server, and you can even bundle it up with your own scripts via webpack / grunt / gulp.

Crucially – it doesn’t drop a truckload of cookies like the official script does. It uses local storage. That’s good news if you’re in the EU because it’s fewer cookies to document in your Privacy Policy / GDPR stuff.

Last edited by CodeWalker (2018-04-29 22:10:13)

Offline

#202 2018-04-30 00:12:19

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,656
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

CodeWalker wrote #311513:

Crucially – it doesn’t drop a truckload of cookies like the official script does. It uses local storage. That’s good news if you’re in the EU because it’s fewer cookies to document in your Privacy Policy / GDPR stuff.

From a privacy point of view, I don’t see much difference between local storage and cookies. Both can be personalized and used for tracking the user. Local storage is possibly worse as it offers a larger space for storing data. I think the GDPR, at least in spirit, treats them as equals – but I am not a lawyer.

(and fwiw, both Firefox and Safari treat local storage and cookies as synonymous in their privacy settings)


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

Offline

#203 2018-04-30 07:46:28

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

With regard to the particularity of Data Processing Agreements (DPA) and web hosts (per IP addresses) and/or mail service providers (contact info), Planeth’s database on companies in compliance is a useful reference to see how companies are doing it. We could probably help her to add more and thus help a lot of others in turn.

Looking at the list there, MailJet, a French mail provider, is in compliance, and account holders only need to request a DPA from them.

Others in the US, like Postmark and Mailchimp, are doing the same, seemingly, and even show pieces of the agreement.

I’m pretty confident now the onus of providing the DPA — in those situations, particularly — is on the processor not the controller. Once you have a DPA, you have to keep it on file in case a national authority requests it, which they could do anytime. Then in your web privacy policies/statements you would name your processor(s) and that you have the DPA with them. Make it clear what each is for, etc.

OVH, a web host, is listed there as compliant, but I don’t see any DPA resource. Presumably you can still request one there, but that would remain to be seen.

The only other webhost listed is Amazon, which would be, of course, as they have a lot riding on it.

Web hosts better get on it fast or there will be a lot of rogue websites on the internet soon… Or a lot of ‘Under Construction’ signs. ;)

I wonder if all this legal pressure on web/mail providers, etc, will encourage them to raise rates on everything now to cover the legal review fees. I wouldn’t be surprised. It could be a market thing, rates going up on average globally.

Offline

#204 2018-04-30 08:23:00

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

It occurs to me that every service provider (web host, mail…) should be making it perfectly clear, like MailJet, that they provide DPAs and you only need to request one. Practically no companies do. Even OVH, supposedly compliant, says nothing about DPAs.

If I was a service provider in the processor category, I would be getting on that ASAP. They are really doing everybody a disservice by not. Adding to the confusion.

Those that do are sure to gain a lot of new customers fast!

Offline

#205 2018-04-30 08:30:24

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

This is interesting, regarding photographs and Germany

Apparently, Germany made no provisions to have the existing law on photography supersede the GDPR, thus all digital photography of people now falls under the Reg. The following article (in German), as I’m told in Masto, mentions how Sweden circumvented the situation but for Germany, it’s basically the worst case full of lawsuits waiting to happen.

Tipps fuer fotografen

Offline

#206 2018-04-30 08:37:22

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Regarding Privacy Shield, which Michael quoted someone talking about in relation to DreamHost…

Privacy Shield is not sufficient between controllers and processors

Offline

#207 2018-04-30 12:52:06

CodeWalker
Member
From: Hampshire, UK
Registered: 2010-01-08
Posts: 110
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311514:

From a privacy point of view, I don’t see much difference between local storage and cookies. Both can be personalized and used for tracking the user. Local storage is possibly worse as it offers a larger space for storing data. I think the GDPR, at least in spirit, treats them as equals – but I am not a lawyer.

(and fwiw, both Firefox and Safari treat local storage and cookies as synonymous in their privacy settings)

From what I can tell, the script simply stores a unique UID in local storage and pushes all the data straight to Google without storing it, using this UID to tell your actions apart. Since Google has tightened up its end for GDPR (they are storing it, not you, which means it’s a problem for them, not you), I think this is much safer than the cookie way, but I am of course not a legal expert.

Last edited by CodeWalker (2018-04-30 12:57:34)

Offline

#208 2018-04-30 14:10:12

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,205
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311519:

This is interesting, regarding photographs and *Germany*…

Apparently, Germany made no provisions to have the existing law on photography supersede the GDPR, thus all digital photography of people now falls under the Reg. The following article (in German), as I’m told in Masto, mentions how Sweden circumvented the situation but for Germany, it’s basically the worst case full of lawsuits waiting to happen.

Tipps fuer fotografen

Thanks! And that was supposed to be the clear non-legalese overview!!

Had an interesting discussion last week with a couple of local summer course education providers. We can in our case(s) ask the permission of students if they are okay with appearing in photos of course activities that may be published (for example as part of their application or confirmation of participation). I believe that was already necessary for youngsters under 18 anyhow. So far so good. On the one hand, we need to keep a record of consent and at the same time, we pledge to delete personally identifiable data held on them after a certain amount of time, which presumably also includes that kind of record of consent – it is, after all by nature personally identifiable. Or is that exempted somewhere? We can’t start deleting those images at the time the records are to be deleted, or asking for renewed permission again at that interval.

Another question that came up is what to do about legacy information? For example:

1. We have archives of past summer courses with photos of participants taking part. The past participants value them as a reminder, and new participants value them as an indicator of the course vibe. It’s impossible to go back and ask them all again.

2. More contentious is perhaps the fact that a lot of such organisations (and probably many others) have their own researched lists of mailing recipients that they have been using since the days of postal mailings and Word mail merges. At some point in the past, those were entered into some mailing system, first some Excel/Access/Outlook setup, later an online service. These aren’t purchased mass-mailing lists, so these organisations aren’t nasty guys; it’s just their list of contacts. I suspect that’s fairly widespread practice regardless of whether correct or not. However, we don’t have a record of their consent anywhere, though many have been in the system and receiving emails for years.

With Mailchimp and co, those recipients can now unsubscribe easily enough (better than in the past). Mailchimp says on one of their pages that we should create a segment of those without a record of explicit consent and mail all the recipients asking for consent/opt-in. All those who don’t sign up should then be cleared from the list. Given the average click-rate for email letters, those contact lists are going to shrink by 70-80%?! That’s pretty drastic for a small organisation.

Did you read anything about such cases in your research?


TXP Builders – finely-crafted code, design and txp

Offline

#209 2018-04-30 14:13:59

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,205
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311518:

It occurs to me that every service provider (web host, mail…) should be making it perfectly clear that they provide DPAs and you only need to request one.

Just an info for those hosting with all-inkl in Germany (a pretty common host): you can do this by signing into the member’s area, then going to Stammdaten › Auftragsverarbeitung. There’s a sample DPA (Auftragsverarbeitungsvertrag) which you can agree to and download online.


TXP Builders – finely-crafted code, design and txp

Offline

#210 2018-04-30 14:23:52

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 12,472
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

I’ve had a raft of recent messages from various companies I’ve been subscribed to over the years. The general format of all these messages so far has been:

As part of the European GDPR changes blah blah we need your consent to continue sending you stuff. Click this massive button to indicate you’re happy for us to do so (or to configure your opt-in choices), otherwise click the teensy unsubscribe link beneath the massive button or do nothing. We’d be sorry to see you go, but value you as a customer anyway blah blah.

The issue, as jakob highlights, is that email click-through rates for getting people to opt in in the first place are probably less than 10%. And that’s assuming they haven’t already marked your marketing materials as instant spam. The conscientious, sure, will click and either continue to receive correspondence or will use the opportunity to review their spam marketing footprint and get out.

But, while this may have a large impact on direct marketing efforts – and certainly the size of the stored database of contacts – I suspect the people that haven’t already marked a company’s messages as spam will have either unsubscribed already or will be happy to receive them, give them a cursory scan and either act or delete according to content. Most likely the latter. So the actual effect to these organisations should be minimal anyway.

Quite how you actively seek (repeat) consent for publications that contain images, like course brochures, I have no idea. Worse, what happens when someone decides they don’t want to be included? You can’t erase them from history in print, but you can take their image off the system so it’s not reused – providing it’s not already gone into a print run. Guess this is where doing everything “within reason” comes from, if there is such a statement in the GDPR?

Does the nature of such agreements – from now on at least – have to be “Do you consent to your image being used a) on this and all future marketing materials, b) on this one only, c) never.” At least then, you give them the chance to have their image used now and immediately opt out. But how do you ensure that happens in real terms? And how long do you keep the image for and ensure it’s been purged?

A pickle.

Last edited by Bloke (2018-04-30 14:27:46)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Hire Txp Builders – finely-crafted code, design and Txp

Offline
