Textpattern CMS support forum

#181 2018-04-25 11:05:56

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 234

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311399:

Here’s a sincere suggestion, though… In your database, you have the link columns:

  • Privacy notice
  • Data processing agreement

Using Slack as an example, they have a specific link for GDPR compliance. I suspect other orgs might have separate links for that too. Another column for specific GDPR links would be useful, maybe, to facilitate finding and accessing the relevant bits:

  • Privacy policy
  • GDPR compliance
  • Data processing agreement

Thanks for the Slack link :)
In fact, I put the GDPR compliance|commitment blog post in the “observation” column.
The layout just changed a bit.
You’re welcome to suggest better information layout.


#182 2018-04-25 11:08:24

planeth

Destry wrote #311399:

I don’t see any of these companies using the suggested term “Code of Conduct” either, as the GDPR outlines, but I suspect we’ll see that emerge more with time, and that would be a good column header too.

As I understand it, it’s the role of the WP29 working group to publish these “Codes of Conduct”, or it may also be a group of enterprises, like https://cispe.cloud/, which represents the cloud providers.


#183 2018-04-25 11:46:53

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912

planeth wrote #311400:

the GDPR compliance|commitment blog post in the “observation” column.

I see now. That works. Keeps fewer columns.

Regarding the CoC, I guess I didn’t understand it. I’ll look at that more. Thanks.


#184 2018-04-25 13:28:31

Destry

Important document here in relation to the GDPR about consent, and how it must be received.

Article 29 Working Party Guidelines on consent under Regulation 2016/679 (PDF)

It’s very clear from these guidelines that coercing consent by a ToS update is not valid consent according to the Regulation if any data collected in the scope of a ToS/contract is not essential for the purposes of delivering the service.

(Exactly what Richard Stallman is arguing for, systems designed to collect as little data as absolutely needed.)

Watchdogs are watching.


#185 2018-04-25 13:41:22

planeth

Destry wrote #311403:

(Exactly what Richard Stallman is arguing for, systems designed to collect as little data as absolutely needed.)

Watchdogs are watching.

Yes, it’s the “privacy by default and by design” concept. Don’t harvest data you don’t need.


#186 2018-04-26 13:24:16

Destry

I’m wondering… If I use a third-party email provider like Protonmail (PM) in relation to comm_connect plugin, then is PM a ‘processor’ at that point? Thus do you need to have a ‘Data Processing Agreement’ DPA posted in relation?

I guess the question is, does a third-party mail provider like that actually process data for you? I don’t think that concept is true, but I’m not sure how it’s interpreted. They clearly store personal data in the form of email and header information for as long as you want to keep it on their servers. But there’s no actual processing of the data, per se.

I’m going to make it clear I’m using them, but I’m not sure what else I need in that respect.

If I used a WebFaction account, that would probably eliminate the issue, as WebFaction is already defined as the web host.

Hmm…


#187 2018-04-26 13:48:26

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,453

Surely on every website that you own, you don’t have to add a note about which email client you use? Do you? That’d be mental. People who send you a message are opting in to sharing their information with you by the very nature of clicking “Send”.

I guess the only time this would be an issue would be if you then used that email account to send out marketing materials without prior consent (or sent the email or its metadata to someone else). But that’s covered by your CoC (“I won’t sell your details…”)

If it’s used for one-to-one communication back to the sender, is the fact your mail client stores the sender’s email address, IP address, browser, their MTA, etc as part of the message header classed as abuse? I highly doubt it.

The only possible type of (mis)use I can think of where this might come under scrutiny is if you use one of the online mail services such as GMail, Yahoo, Hotmail, etc. These offer ads in and around the inbox. Unless you (the account owner) opt out, those ads are “personalised” based on message content. Thus, message content sent by others to you is being aggregated and “used” by a third party to sell you (the account owner) stuff.

Is it personally identifiable? I don’t know. Are portions of email content/trigger words collected and fed back to the marketeers who place the ads so they can target their keywords better to make the ads more “relevant”? Do ads in the inbox come under PPC, where companies who bid on keywords can see underlying stats of who clicked on what ads to gauge conversion, regardless of whether personally identifiable content was harvested? And, if so, is that a violation of the sender’s privacy according to GDPR?

Since people can opt in to having their data stored, but can simultaneously opt out of having their data profiled (aggregated and used for marketing purposes, even stats of who clicked what), maybe this use case falls under that banner?

Interesting indeed.

Last edited by Bloke (2018-04-26 13:57:28)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#188 2018-04-26 14:36:56

planeth

Processing is defined at https://gdpr-info.eu/art-4-gdpr/, paragraph 2.
Basically, as soon as you touch data it’s processing.
Therefore Proton mail is a processor.
Now, since it’s only for your personal use, do you need a DPA? Probably no.
GDPR applies to companies, not individuals.


#189 2018-04-26 14:40:10

planeth

Bloke wrote #311429:

I guess the only time this would be an issue would be if you then used that email account to send out marketing materials without prior consent (or sent the email or its metadata to someone else). But that’s covered by your CoC (“I won’t sell your details…”)

Nope. If you want to send marketing material, you need a clear action of consent from your user.
And also provide all the information about what you do with their personal data, what their rights are, how they can withdraw consent, …


#190 2018-04-26 15:42:08

Bloke

planeth wrote #311431:

Nope. If you want to send marketing material, you need a clear action of consent from your user.

Yes, that’s what I meant by it being “an issue”. If someone sent you a message about your site and you stored that address in a database and used it to mailshot them when your CoC states you won’t, that’s a legislative issue and you deserve to be penalised!



#191 2018-04-26 19:34:44

Destry

planeth wrote #311430:

Now, since it’s only for your personal use, do you need a DPA? Probably no.

My site in question is a work site. Only a micro-entreprise business, but still, it’s selling editing services. Which is why I’m 19 pages into this thread still asking about it. ;)


#192 2018-04-26 19:57:53

planeth

A Data Processing Agreement is a contract between you as a controller and the processors which process personal data on your behalf.
Either the service you are using already has one for you to sign, or you’ll need to have one written for them to sign.
Hope this clarifies things.
I’ll be on my sailboat the next 3 days, so we’ll continue next week ;)
