
Textpattern CMS support forum


#181 2018-04-25 11:05:56

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 240
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311399:

Here’s a sincere suggestion, though… In your database, you have the link columns:

  • Privacy notice
  • Data processing agreement

Using Slack as example, they have a specific link for GDPR compliance. I suspect other orgs might have separate links for that too. Another column for specific GDPR links would be useful, maybe, to facilitate finding and accessing the relevant bits:

  • Privacy policy
  • GDPR compliance
  • Data processing agreement

Thanks for the Slack link :)
In fact, I put the GDPR compliance|commitment blog post in the “observation” column.
The layout just changed a bit.
You’re welcome to suggest better information layout.

Offline

#182 2018-04-25 11:08:24

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 240
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311399:

I don’t see any of these companies using the suggested term “Code of Conduct” either, as the GDPR outlines, but I suspect we’ll see that emerge more with time, and that would be a good column header too.

As I understand it, it’s the role of the WP29 working group to publish these “Code of Conduct” documents, or it may also be a group of enterprises, like https://cispe.cloud/, which represents the cloud providers.

Offline

#183 2018-04-25 11:46:53

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

planeth wrote #311400:

the GDPR compliance|commitment blog post in the “observation” column.

I see now. That works. Keeps fewer columns.

Regarding the CoC, I guess I didn’t understand it. I’ll look at that more. Thanks.

Offline

#184 2018-04-25 13:28:31

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Important document here in relation to the GDPR about consent, and how it must be received.

Article 29 Working Party Guidelines on consent under Regulation 2016/679 (PDF)

It’s very clear from these guidelines that coercing consent by a ToS update is not valid consent according to the Regulation if any data collected in the scope of a ToS/contract is not essential for the purposes of delivering the service.

(Exactly what Richard Stallman is arguing for, systems designed to collect as little data as absolutely needed.)

Watchdogs are watching.

Offline

#185 2018-04-25 13:41:22

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 240
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311403:

(Exactly what Richard Stallman is arguing for, systems designed to collect as little data as absolutely needed.)

Watchdogs are watching.

Yes, it’s the “privacy by default and by design” concept. Don’t harvest data you don’t need.

Offline

#186 2018-04-26 13:24:16

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I’m wondering… If I use a third-party email provider like Protonmail (PM) in relation to comm_connect plugin, then is PM a ‘processor’ at that point? Thus do you need to have a ‘Data Processing Agreement’ DPA posted in relation?

I guess the question is, does a third-party mail provider like that actually process data for you? I don’t think that concept is true, but I’m not sure how it’s interpreted. They clearly store personal data in the form of email and header information for as long as you want to keep it on their servers. But there’s no actual processing of the data, per se.

I’m going to make it clear I’m using them, but I’m not sure what else I need in that respect.

If I used a WebFaction account, that would probably eliminate the issue, as WebFaction is already defined as the web host.

Hmm…

Offline

#187 2018-04-26 13:48:26

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 12,474
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

Surely on every website that you own, you don’t have to add a note about which email client you use? Do you? That’d be mental. People who send you a message are opting in to sharing their information with you by the very nature of clicking “Send”.

I guess the only time this would be an issue would be if you then used that email account to send out marketing materials without prior consent (or sent the email or its metadata to someone else). But that’s covered by your CoC (“I won’t sell your details…”)

If it’s used for one-to-one communication back to the sender, is the fact your mail client stores the sender’s email address, IP address, browser, their MTA, etc as part of the message header classed as abuse? I highly doubt it.

The only possible type of (mis)use I can think of where this might come under scrutiny is if you use one of the online mail services such as GMail, Yahoo, Hotmail, etc. These offer ads in and around the inbox. Unless you (the account owner) opt out, those ads are “personalised” based on message content. Thus, message content sent by others to you is being aggregated and “used” by a third party to sell you (the account owner) stuff.

Is it personally identifiable? I don’t know. Are portions of email content/trigger words collected and fed back to the marketeers who place the ads so they can target their keywords better to make the ads more “relevant”? Do ads in the inbox come under PPC, where companies who bid on keywords can see underlying stats of who clicked on what ads to gauge conversion, regardless of whether personally identifiable content was harvested? And, if so, is that a violation of the sender’s privacy according to GDPR?

Since people can opt in to having their data stored, but can simultaneously opt out of having their data profiled (aggregated and used for marketing purposes, even stats of who clicked what), maybe this use case falls under that banner?

Interesting indeed.

Last edited by Bloke (2018-04-26 13:57:28)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Hire Txp Builders – finely-crafted code, design and Txp

Offline

#188 2018-04-26 14:36:56

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 240
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Processing is defined at https://gdpr-info.eu/art-4-gdpr/ Alinea 2.
Basically, as soon as you touch data it’s processing.
Therefore Protonmail is a processor.
Now, since it’s only for your personal use, do you need a DPA? Probably no.
GDPR applies to companies, not individuals.

Offline

#189 2018-04-26 14:40:10

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 240
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Bloke wrote #311429:

I guess the only time this would be an issue would be if you then used that email account to send out marketing materials without prior consent (or sent the email or its metadata to someone else). But that’s covered by your CoC (“I won’t sell your details…”)

Nope. If you want to send marketing material, you need a clear action of consent from your user.
And also provide all the information about what you do with their personal data, what their rights are, how they can withdraw consent, …

Offline

#190 2018-04-26 15:42:08

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 12,474
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general

planeth wrote #311431:

Nope. If you want to send marketing material, you need a clear action of consent from your user.

Yes, that’s what I meant by it being “an issue”. If someone sent you a message about your site and you stored that address in a database and used it to mailshot them when your CoC states you won’t, that’s a legislative issue and you deserve to be penalised!


Offline

#191 2018-04-26 19:34:44

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

planeth wrote #311430:

Now, since it’s only for your personal use, do you need a DPA? Probably no.

My site in question is a work site. Only a micro-entreprise business, but still, it’s selling editing services. Which is why I’m 19 pages into this thread still asking about it. ;)

Offline

#192 2018-04-26 19:57:53

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 240
Website GitHub Mastodon

Re: Txp cookies, visitor logging, and GDPR stuff in general

Data Processing Agreement is a contract between you as a controller and the processors which process personal data on your behalf.
Either the service you are using already has one for you to sign, or you’ll need to have one written for them to sign.
Hope this clarifies things.
I’ll be on my sailboat the next 3 days, so we’ll continue next week ;)

Offline

#193 2018-04-26 21:20:46

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Have a good sailing trip.

planeth wrote #311451:

Data Processing Agreement is a contract between you as a controller and the processors which process personal data on your behalf.

This I picked up on.

Either the service you are using has already one for you to sign, or you’ll need to have one written for them to sign.

This is where I’m unsure. I’m not paying Protonmail for their services. It’s a free account like gmail is free. Google certainly wouldn’t give me any signed agreement either. I mean, imagine having to make the one-on-one agreement with millions of freelancers. That doesn’t make sense.

But let’s turn it to the web host, because I could just as easily create a new email account on their mail services using my own domain, for purposes of using with a web contact form, which is all this is for. Am I then supposed to have a one-on-one agreement with WebFaction because it’s their server? I doubt I’ll get it from them either. They just want to be a web host.

Offline

#194 2018-04-28 08:55:21

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Sorry bici, I didn’t respond to this thoroughly before, nor very well.

bici wrote #311299:

Can a case be made that anything posted in a Forum belongs there forever.

Destry wrote #311306:

Absolutely not. That’s like saying you can’t edit your posts either, which is ludicrous. And I would radically change my participation if that were ever the case.

What I meant here was, I would not like to see that happen. Not only would it be the biggest bait-n-switch ever pulled by an open source forum, but I would give serious thought to stopping using the forum at that point.

bici wrote #311316:

And yet there are many forums/blogs where once you have posted there is no editing/deleting.

I think what you mean is, a site visitor can’t edit or delete. This might be true, but the owner can still do it, and now has to do it if a user makes a reasonable request for it.

Letters to The Editor in a newspaper: there for ever. Comments made on a website: there for ever. An article published in a Book or Magazine: There for ever.

Print media is a different situation entirely, of course, and not relevant to the Reg, unless the info has been digitized, and then it probably falls under copyright laws, not GDPR.

But for blog posts and comments — even these forum posts — the focus is on ‘classic’ and ‘digital’ data in electronic/tabulated format. In other words, the user accounts that users made the posts by. And the Reg now says, users have the right to be forgotten, for ‘erasure’. And if controllers don’t want the responsibility of dealing with such requests, they have to develop/provide tools for the user to ‘erase’ on their own will.

Were anyone to delete all their posts it would be a disservice to those that would benefit from the information offered.

This is true in a place like this, and probably rare-to-unlikely to ever happen (if you don’t bait-n-switch users), but it’s not immune from it. If any forum did try to resist, they (the controller) have the burden of justifying the denial in a legal suit, and that’s not going to be good in most cases.

What the forum could do, is allow account deletion but then anonymize that user’s posts. I.e. username would have to be hashed in profiles (nick or otherwise, since the system wouldn’t be able to distinguish what was pseudo or real), headshots removed (again, pseudo avatars or otherwise), etc. In fact, that might be the legal requirement anyway if a user doesn’t batch delete their entire presence, posts and all. I’m not sure. Anonymized data is a big part of the Reg, so I wouldn’t be surprised.

Offline
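An added example of the “delete the account, keep the posts” approach Destry sketches above. This is not code from the forum, from Textpattern or from FluxBB; the Account/Post schema, the member data and the operator key PSEUDONYM_KEY are all constructed for the illustration. It replaces the username with a keyed pseudonym, blanks the identifying profile fields and poster IPs, re-attributes the posts, and then runs a check for anything still carrying the original identity. It also contrasts a keyed pseudonym with a bare hash of the nick, since a bare hash can be recomputed by anyone who remembers the old username.

```python
# Added example (not forum or Textpattern/FluxBB code): honouring an erasure request
# by anonymising the account and re-attributing its posts to a pseudonym.
# The Account/Post schema and all data below are constructed for the example.
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Hypothetical secret held by the forum operator, kept outside the database so a
# database dump alone cannot be used to map pseudonyms back to usernames.
PSEUDONYM_KEY = b"example-operator-secret-change-me"


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    avatar_url: str
    signature: str
    registration_ip: str
    erased: bool = False


@dataclass
class Post:
    post_id: int
    author_id: int
    author_name: str   # denormalised copy of the username, as many forums store it
    body: str
    poster_ip: str


# Account fields that identify the person and must be blank after erasure.
PERSONAL_FIELDS = ("email", "avatar_url", "signature", "registration_ip")


def keyed_pseudonym(username: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable pseudonym for a username. HMAC rather than a bare hash: without the
    key nobody can confirm that a 'deleted-user-...' alias was a particular person."""
    mac = hmac.new(key, username.casefold().encode("utf-8"), hashlib.sha256)
    return "deleted-user-" + mac.hexdigest()[:12]


def bare_hash_pseudonym(username: str) -> str:
    """The weaker variant (plain hash of the nick): anyone can recompute it from a
    guessed username, so it only obscures the name, it does not anonymise it."""
    digest = hashlib.sha256(username.casefold().encode("utf-8")).hexdigest()
    return "deleted-user-" + digest[:12]


def pseudonym_guessable(pseudonym: str, candidate_names: List[str]) -> Optional[str]:
    """Design check: does the pseudonym equal the bare hash of any name on a
    candidate list (e.g. an old copy of the member list)? None means no match."""
    for name in candidate_names:
        if bare_hash_pseudonym(name) == pseudonym:
            return name
    return None


def erase_account(account: Account, posts: List[Post]) -> Tuple[Account, List[Post]]:
    """Return anonymised copies of the account and of the post list. Post bodies are
    kept so the information stays available; only authorship data is replaced."""
    alias = keyed_pseudonym(account.username)
    new_account = Account(user_id=account.user_id, username=alias, email="",
                          avatar_url="", signature="", registration_ip="", erased=True)
    new_posts = [
        replace(p, author_name=alias, poster_ip="") if p.author_id == account.user_id else p
        for p in posts
    ]
    return new_account, new_posts


def residual_personal_data(account: Account, posts: List[Post], original: Account) -> List[str]:
    """Post-erasure check: list anything that still carries the original identity."""
    findings = []
    if account.username == original.username:
        findings.append("account.username unchanged")
    for name in PERSONAL_FIELDS:
        if getattr(account, name):
            findings.append(f"account.{name} not cleared")
    for p in posts:
        if p.author_id != original.user_id:
            continue
        if p.author_name == original.username:
            findings.append(f"post {p.post_id}: author_name still '{original.username}'")
        if p.poster_ip:
            findings.append(f"post {p.post_id}: poster_ip not cleared")
    return findings


def sample_data() -> Tuple[Account, List[Post]]:
    """Constructed sample: one member asking for erasure, one other member."""
    account = Account(1, "Destry", "destry@example.invalid",
                      "https://example.invalid/avatars/1.png", "Haut-Rhin", "203.0.113.5")
    posts = [
        Post(101, 1, "Destry", "Important document here about consent.", "203.0.113.5"),
        Post(102, 2, "bici", "Can a case be made that posts belong there forever?", "198.51.100.7"),
        Post(103, 1, "Destry", "What the forum could do is anonymise the posts.", "203.0.113.9"),
    ]
    return account, posts


if __name__ == "__main__":
    acct, posts = sample_data()
    new_acct, new_posts = erase_account(acct, posts)
    print(new_acct)
    for p in new_posts:
        print(p)
    print("residual:", residual_personal_data(new_acct, new_posts, acct))
    print("bare hash guessable as:", pseudonym_guessable(bare_hash_pseudonym("Destry"), ["bici", "Destry"]))
    print("keyed guessable as:", pseudonym_guessable(keyed_pseudonym("Destry"), ["bici", "Destry"]))
```

Post bodies are deliberately left alone here, so a quote such as “Destry wrote” inside someone else’s post would survive; handling quoted names in body text is a separate step a real forum would need to decide on. In practice erase_account would run inside one database transaction and the original rows would only be overwritten once residual_personal_data comes back empty.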

#195 2018-04-28 13:22:41

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311455:

This is where I’m unsure. I’m not paying Protonmail for their services. It’s a free account like gmail is free. Google certainly wouldn’t give me any signed agreement either. I mean, imagine having to make the one-on-one agreement with millions of freelancers. That doesn’t make sense.

I think I get a little bit of what’s happening now, at least as it concerns the following situation…

I just got an email from Google about Google Analytics’ tactic for compliance. It’s making people accept a crazy number of new “data processing” agreements, individually, in relation to different GA features. So in that respect Goog is handling the DPA for you, which makes sense since it’s such a big piece of bread and butter for them on one hand, and they have a lot to lose legally on the other.

I don’t know if Protonmail is doing something like that similarly, or even if gmail is, for that matter, but I see how it could be done.

This is just a poke in the dark, but I think in these cases where a service is free, the onus is on the service provider to offer the DPA because they are trying to grow and remain in business. If I was paying them (as a business owner), however, the onus would be on me as a controller to provide some legal DPA in contract with the processor. Or, maybe it doesn’t matter which way it goes, as long as one exists?

I think this thing about emails in relation to the contact form, though, is one business owners better look into fast, whether it’s a provider like Protonmail or your web host. The only way out of any DPA for mail processing, as I see it, is if you host your own mail server, and how many freelancers or small business do that?

Offline


Powered by FluxBB