
Textpattern CMS support forum


#205 2018-04-30 08:30:24

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

This is interesting, regarding photographs and Germany

Apparently, Germany made no provisions to have the existing law on photography supersede the GDPR, thus all digital photography of people now falls under the Reg. The following article (in German), as I’m told in Masto, mentions how Sweden circumvented the situation but for Germany, it’s basically the worst case full of lawsuits waiting to happen.

Tipps fuer fotografen

Offline

#206 2018-04-30 08:37:22

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Regarding Privacy Shield, which Michael quoted someone talking about in relation to DreamHost…

Privacy Shield is not sufficient between controllers and processors

Offline

#207 2018-04-30 12:52:06

CodeWalker
Member
From: Hampshire, UK
Registered: 2010-01-08
Posts: 110
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311514:

From a privacy point of view, I don’t see much difference between local storage and cookies. Both can be personalized and used for tracking the user. Local storage is possibly worse as it offers a larger space for storing data. I think the GDPR, at least in spirit, treats them as equals – but I am not a lawyer.

(and fwiw, both Firefox and Safari treat local storage and cookies as synonymous in their privacy settings)

From what I can tell, the script simply stores a unique UID in local storage and pushes all the data straight to Google without storing it, using this UID to tell your actions apart. Since Google has tightened up its end for GDPR (they are storing it, not you, which means it’s a problem for them, not you), I think this is much safer than the cookie way, but I am of course not a legal expert.

Last edited by CodeWalker (2018-04-30 12:57:34)

Offline

#208 2018-04-30 14:10:12

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,603
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311519:

This is interesting, regarding photographs and *Germany*…

Apparently, Germany made no provisions to have the existing law on photography supersede the GDPR, thus all digital photography of people now falls under the Reg. The following article (in German), as I’m told in Masto, mentions how Sweden circumvented the situation but for Germany, it’s basically the worst case full of lawsuits waiting to happen.

Tipps fuer fotografen

Thanks! And that was supposed to be the clear non-legalese overview!!

Had an interesting discussion last week with a couple of local summer course education providers. We can in our case(s) ask the permission of students if they are okay with appearing in photos of course activities that may be published (for example as part of their application or confirmation of participation). I believe that was already necessary for youngsters under 18 anyhow. So far so good. On the one hand, we need to keep a record of consent and at the same time, we pledge to delete personally identifiable data held on them after a certain amount of time, which presumably also includes that kind of record of consent – it is, after all by nature personally identifiable. Or is that exempted somewhere? We can’t start deleting those images at the time the records are to be deleted, or asking for renewed permission again at that interval.

Another question that came up is what to do about legacy information? For example:

1. We have archives of past summer courses with photos of participants taking part. The past participants value them as a reminder, and new participants value them as an indicator of the course vibe. It’s impossible to go back and ask them all again.

2. More contentious is perhaps the fact that a lot of such organisations (and probably many others) have their own researched lists of mailing recipients that they have been using since the days of postal mailings and word mailmerges. At some point in the past, those were entered into some mailing system, first some excel/access/outlook setup, later an online service. These aren’t purchased mass-mailing lists so these organisations aren’t nasty guys, it’s just their list of contacts. I suspect that’s fairly widespread practice regardless of whether correct or not. However, we don’t have a record of their consent anywhere, though many have been in the system and receiving emails for years.

With Mailchimp and co, those recipients can now unsubscribe easily enough (better than in the past). Mailchimp says on one of their pages that we should create a segment of those without a record of explicit consent and mail all the recipients asking for consent/opt-in. All those who don’t sign up should then be cleared from the list. Given the average click-rate for email letters, those contact lists are going to shrink by 70-80%?! That’s pretty drastic for a small organisation.

Did you read anything about such cases in your research?


TXP Builders – finely-crafted code, design and txp

Offline

#209 2018-04-30 14:13:59

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,603
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311518:

It occurs to me that every service provider (web host, mail…) should be making it perfectly clear that they provide DPAs and you only need to request one.

Just an info for those hosting with all-inkl in Germany (a pretty common host): you can do this by signing into the member’s area, then going to Stammdaten › Auftragsverarbeitung. There’s a sample DPA (Auftragsverarbeitungsvertrag) which you can agree to and download online.


TXP Builders – finely-crafted code, design and txp

Offline

#210 2018-04-30 14:23:52

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,273
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

I’ve had a raft of recent messages from various companies I’ve been subscribed to over the years. The general format of all these messages so far has been:

As part of the European GDPR changes blah blah we need your consent to continue sending you stuff. Click this massive button to indicate you’re happy for us to do so (or to configure your opt-in choices), otherwise click the teensy unsubscribe link beneath the massive button or do nothing. We’d be sorry to see you go, but value you as a customer anyway blah blah.

The issue, as jakob highlights, is that email click through rates for getting people to opt-in in the first place are probably less than 10%. And that’s assuming they haven’t already marked your marketing materials as instant spam. The conscientious, sure, will click and either continue to receive correspondence or will use the opportunity to review their spam marketing footprint and get out.

But, while this may have a large impact on direct marketing efforts – and certainly the size of the stored database of contacts – I suspect the people that haven’t already marked a company’s messages as spam will have either unsubscribed already or will be happy to receive them, give them a cursory scan and either act or delete according to content. Most likely the latter. So the actual effect to these organisations should be minimal anyway.

Quite how you actively seek (repeat) consent for publications that contain images, like course brochures, I have no idea. Worse, what happens when someone decides they don’t want to be included? You can’t erase them from history in print, but you can take their image off the system so it’s not reused – providing it’s not already gone into a print run. Guess this is where doing everything “within reason” comes from, if there is such a statement in the GDPR?

Does the nature of such agreements – from now on at least – have to be “Do you consent to your image being used a) on this and all future marketing materials, b) on this one only, c) never.” At least then, you give them the chance to have their image used now and immediately opt out. But how do you ensure that happens in real terms? And how long do you keep the image for and ensure it’s been purged?

A pickle.

Last edited by Bloke (2018-04-30 14:27:46)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#211 2018-04-30 14:33:06

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,273
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

On the one hand, we need to keep a record of consent and at the same time, we pledge to delete personally identifiable data held on them after a certain amount of time, which presumably also includes that kind of record of consent – it is, after all by nature personally identifiable.

That is a tricky one, for sure. For how long does one have to keep previous records of consent after they’ve requested to be forgotten? Given that there is no statute of limitations when a person can go back and claim “you used my info for such-and-such purposes without my consent!” this could be a bit of an issue if you have to delete the original consent as part of the cleanup operation.

Will be interesting to see how this is handled in practice.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#212 2018-04-30 14:33:18

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,082
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Bloke wrote:

The issue, as jakob highlights, is that email click through rates for getting people to opt-in in the first place are probably less than 10%. And that’s assuming they haven’t already marked your marketing materials as instant spam. The conscientious, sure, will click and either continue to receive correspondence or will use the opportunity to review their spam marketing footprint and get out.

The UK Guardian newspaper has been running a large and ugly (cyan blue!) banner for the past couple of days specifically addressing the people who subscribe to their mailing list and asking to opt-in again (be quick, I think it runs till April 30). Perhaps that is an additional option for jakob’s problem?


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#213 2018-04-30 14:37:26

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,014
Website GitHub Mastodon Twitter

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

…with photos of participants taking part…

I guess many sites will have to close! This directive is just beyond me.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#214 2018-04-30 15:19:14

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,603
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311531:

The UK Guardian newspaper has been running a large and ugly banner for the past couple of days specifically addressing the people who subscribe to their mailing list and asking to opt-in again …

Yes, I see that too even as a non-subscriber. I guess you can still subscribe later, but that’s when they’re going to scrub their database.

(cyan blue!)

You noticed it, which is the purpose!

colak wrote #311532:

I guess many sites will have to close! This directive is just beyond me.

Well, in the end, I would probably take a common-sense approach. It’s probably not feasible to abide by every letter of the law (or to post-edit people out of photographs sometime later), and you can be tricked out all the time but there are things you can do to respect people’s rights and you can collect information responsibly and can inform transparently. I don’t see a problem with that.

I am interested to know what to do about legacy data, though, and about the nuisance factor of informing / re-asking everyone. In our case, I’m sure there are plenty of school secretaries who simply forward the email to the respective teacher. They’re more interested in actioning it right away than signing up to a double opt-in. FWIW, we discussed a few different approaches that may not conform to the letter of the law but to the spirit (to differing degrees!):

  1. Mail each and every recipient for whom we don’t have explicit consent and ask them to opt in. (It’s clear to me that Mailchimp wouldn’t/couldn’t recommend any other option than this).
    • Plus: it’s “by the book”.
    • Minus: it’s a nuisance to the recipient and it will decimate the mailing list.
  2. Include a note with the next mailing to opt in if they wish to continue receiving these mails in future.
    • Plus: not so much of a nuisance. Obtains an opt in.
    • Minus: many may not read it so it will also decimate the mailing list.
  3. Do the same as 2, but do it two (or more?) times so as not to lose those with a full mailbox or who were on holiday the first time around, or, or, or…
    • Plus: Obtains an opt-in. Sieves the list a few times before deletion with perhaps more list retention.
    • Minus: More of a nuisance than 2 (minimize with good wording), still likely to cause a big hit to the mailing list.
  4. Include a clear notice (once or a few times) that it’s easy to unsubscribe if you no longer wish to continue receiving these mails in future.
    • Plus: not so much of a nuisance. Up front and honest. Less drastic damage to the mailing list.
    • Minus: Doesn’t obtain an explicit opt-in. Could be formulated as a choice between “unsubscribe me” vs. “It’s okay: keep sending me stuff” as a means of encouraging people to action an opt-in or an opt-out.

They went away to think about it…


TXP Builders – finely-crafted code, design and txp

Offline

#215 2018-04-30 16:03:47

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311519:

This is interesting, regarding photographs and *Germany*…

Blurmany.

Offline

#216 2018-04-30 16:07:47

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,909
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

On the one hand, we need to keep a record of consent and at the same time, we pledge to delete personally identifiable data held on them after a certain amount of time, which presumably also includes that kind of record of consent – it is, after all by nature personally identifiable. Or is that exempted somewhere? We can’t start deleting those images at the time the records are to be deleted, or asking for renewed permission again at that interval.

I have not read or seen anything about specific data retention times. I know that applies to vital records, and such, which is a different set of guidelines and probably under control of a different authority (e.g. NARA has its own records schedule for US government agencies) and I’m sure every nation has something along those lines. Those kinds of ‘schedules’ could very well be tied into the GDPR, though, and if not now then anytime in the future.

But, look at Article 30: Records of processing activities of the Reg. This article is not long and outlines all the records a controller or processor is supposed to maintain and the info the records should convey. For example, from Para 1, item (f):

where possible, the envisaged time limits for erasure of the different categories of data;

That would suggest, at least at the EU level, that there is no required duration, except that it should be as short as possible. I.e. don’t keep data any longer than absolutely needed. But whatever that time is, explain it in your DPA, the duration and why it’s needed.

Also from the same Article 30, para 5:

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

That’s a little bit vague, especially the conditions at the end there, but what it seems to say is, if your org is under 250 people and you don’t fall into the conditional situations, you may not need to create your own DPA.

Putting that in context of my own situation, for example, as a freelancer. I don’t need to create a DPA, as I am 1) less than 250 people in my org, and 2) I don’t, as a controller, need to process data regularly (i.e. I’m an ‘occasional’ processor, keeping simple client files). I do need a DPA from my associated processors, however, which at the very least is my web host (due to IP addresses in server logs), and mail service provider, if different (due to contact info).

Thinking a little further, I might choose to ‘erase’ my client records after work on them is done, with perhaps some reasonable buffer period just in case. If the client is ongoing, the file is not erased. If the client is sporadic, they must jump through the ‘consent’ hoops each time. Rinse and repeat.

But, to be prudent, look into what tax laws require about business record keeping too, as that would help inform what your data retention times might be. France has a rather overzealous records retention schedule that just seems counter-intuitive to the GDPR. But the two are not exactly the same (nor, perhaps entirely exclusive).

Offline
