Txp cookies, visitor logging, and GDPR stuff in general

Bloke · 2018-04-30 14:33:06

jakob wrote #311527:

On the one hand, we need to keep a record of consent and at the same time, we pledge to delete personally identifiable data held on them after a certain amount of time, which presumably also includes that kind of record of consent – it is, after all by nature personally identifiable.

That is a tricky one, for sure. For how long does one have to keep previous records of consent after they’ve requested to be forgotten? Given that there is no statute of limitations when a person can go back and claim “you used my info for such-and-such purposes without my consent!” this could be a bit of an issue if you have to delete the original consent as part of the cleanup operation.

Will be interesting to see how this is handled in practice.

phiw13 · 2018-04-30 14:33:18

Bloke wrote:

The issue, as jakob highlights, is that email click through rates for getting people to opt-in in the first place is probably less than 10%. And that’s assuming they haven’t already marked your marketing materials as instant spam. The conscientious, sure, will click and either continue to receive correspondence or will use the opportunity to review their spam marketing footprint and get out.

The UK Guardian newspaper has been running a large and ugly (cyan blue!) banner for the past couple of days specifically addressing the people who subscribe to their mailing list and asking to opt-in again (be quick, I think it runs till april 30). Perhaps that is an additional option for jacobs problem?

colak · 2018-04-30 14:37:26

jakob wrote #311527:

…with photos of participants taking part…

I guess many sites will have to close! This directive is just beyond me.

jakob · 2018-04-30 15:19:14

phiw13 wrote #311531:

The UK Guardian newspaper has been running a large and ugly banner for the past couple of days specifically addressing the people who subscribe to their mailing list and asking to opt-in again …

Yes, I see that too even as a non-subscriber. I guess you can still subscribe later, but that’s when they’re going to scrub their database.

(cyan blue!)

You noticed it, which is the purpose!

colak wrote #311532:

I guess many sites will have to close! This directive is just beyond me.

Well, in the end, I would probably take a common-sense approach. It’s probably not feasible to abide by every letter of the law (or to post-edit people out of photographs sometime later), and you can be tricked out all the time but there are things you can do to respect people’s rights and you can collect information responsibly and can inform transparently. I don’t see a problem with that.

I am interested to know what to do about legacy data, though, and about the nuisance factor of informing / re-asking everyone. In our case, I’m sure there are plenty of school secretaries who simply forward the email to the respective teacher. They’re more interested in actioning it right away then signing up to a double opt-in. FWIW, we discussed a few different approaches that may not conform to the letter of the law but to the spirit (to differing degrees!):

Mail each and every recipient for whom we don’t have explicit consent and ask them to opt in. (It’s clear to me that Mailchimp wouldn’t/couldn’t recommend any other option than this).
- Plus: it’s “by the book”.
- Minus: it’s a nuisance to the recipient and it will decimate the mailing list.
Include a note with the next mailing to opt in if they wish to continue receiving these mails in future.
- Plus: not so much of a nuisance. Obtains an opt in.
- Minus: many may not read it so it will also decimate the mailing list.
Do the same as 2, but do it two (or more?) times so as not to lose those with a full mailbox or who were on holiday the first time around, or, or, or…
- Plus: Obtains an opt-in. Sieves the list a few times before deletion with perhaps more list retention.
- Minus: More of a nuisance than 2 (minimize with good wording), still likely to cause a big hit to the mailing list.
Include a clear notice (once or a few times) that it’s easy to unsubscribe if you no longer wish to continue receiving these mails in future.
- Plus: not so much of a nuisance. Up front and honest. Less drastic damage to the mailing list.
- Minus: Doesn’t obtain an explicit opt-in. Could be formulated as a choice between “unsubscribe me” vs. “It’s okay: keep sending me stuff” as a means of encouraging people to action an opt-in or an opt-out.

They went away to think about it…

michaelkpate · 2018-04-30 16:03:47

Destry wrote #311519:

This is interesting, regarding photographs and *Germany*…

Blurmany.

Destry · 2018-04-30 16:07:47

jakob wrote #311527:

On the one hand, we need to keep a record of consent and at the same time, we pledge to delete personally identifiable data held on them after a certain amount of time, which presumably also includes that kind of record of consent – it is, after all by nature personally identifiable. Or is that exempted somewhere? We can’t start deleting those images at the time the records are to be deleted, or asking for renewed permission again at that interval.

I have not read or seen anything about specific data retention times. I know that applies to vital records, and such, which is a different set of guidelines and probably under control of a different authority (e.g. NARA has its own records schedule for US government agencies) and I’m sure every nation has something along those lines. Those kinds of ‘schedules’ could very well be tied into the GDPR, though, and if not now then anytime in the future.

But, look at Article 30: Records of processing activities of the Reg. This article is not long and outlines all the records a controller or processor is supposed to maintain and the info the records should convey. For example, from Para 1, item (f):

where possible, the envisaged time limits for erasure of the different categories of data;

That would suggest, at least at the EU level, that there is no required duration, except that it should be as short as possible. I.e. don’t keep data any longer than absolutely needed. But whatever that time is, explain it in your DPA, the duration and why it’s needed.

Also from the same Article 30, para 5:

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

That’s a little bit vague, especially the conditions at the end there, but what it seems to say is, if you’re org is under 250 people and you don’t fall into the conditional situations, you may not need to create you’re own DPA.

Putting that in context of my own situation, for example, as a freelancer. I don’t need to create a DPA, as I am 1) less than 250 people in my org, and 2) I don’t, as a controller, need to process data regularly (i.e. I’m an ‘occasional’ processor, keeping simple client files). I do need a DPA from my associated processors, however, which at the very least is my web host (due to IP addresses in server logs), and mail service provider, if different (due to contact info).

Thinking a little further, I might choose to ‘erase’ my client records after work on them is done, with perhaps some reasonable buffer period just in case. If the client is ongoing, the file is not erased. If the client is sporadic, they must jump through the ‘consent’ hoops each time. Rinse and repeat.

But, to be prudent, look into what tax laws require about business record keeping too, as that would help inform what your data retention times might be. France has a rather overzealous records retention schedule that just seems counter-intuitive to the GDPR. But the two are not exactly the same (nor, perhaps entirely exclusive).

Destry · 2018-04-30 16:27:25

jakob wrote #311527:

1. We have archives of past summer courses with photos of participants taking part. The past participants value them as a reminder, and new participants value them as an indicator of the course vibe. It’s impossible to go back and ask them all again.

I can’t say anything with regard to GDPR compliance, sorry, but what I do see happening in general from this Reg is orgs buckling down on their content strategy plans and processes, or will need to create them to begin with. For example, all kinds of content auditing will become routine, and making plans for how to deal with it. Addressing critical questions like retention times and so on. Tying all these things together.

2. More contentious is perhaps the fact that a lot of such organisations (and probably many others) have their own researched lists of mailing recipients that they have been using since the days of postal mailings and word mailmerges. At some point in the past, those were entered into some mailing system, first some excel/access/outlook setup, later an online service. These aren’t purchased mass-mailing lists so these organisations aren’t nasty guys, it’s just their list of contacts. I suspect that’s fairly widespread practice regardless of whether correct or not. However, we don’t have a record of their consent anywhere, though many have been in the system and receiving emails for years.

This one is more clear. Fact is, a lot of people are on mail lists they would not choose to be if they knew they were, and if they did know and valued the list, they won’t mind abiding by the requirement to re-consent so you don’t get in trouble.

As an org, my position would be to start honest ASAP. Having to abide by the ‘opt-in consent’ situation, I would start a new, empty list with all the usual opt-in bells and whistles, then send a list message to the old list saying, ‘it’s GDPR time, folks. This list is closing on May 25th and all your accounts will be deleted with it. If you still want the good juice, you must subscribe at [this new list] by that time, or any time after, but the old list will be gone to the ether.’

Proactive triage is the prudent move.

jakob · 2018-04-30 20:05:43

michaelkpate wrote #311534:

Blurmany.

:-) It’s another aside, but I agree … partially (though don’t care much for the author’s tone of language sigh). It has made Street View virtually unusable in Germany to the point that Google have given up putting their Street View data online. The place where I live was scanned by Google several years ago but the data has never gone online. You can only see panoramas that users have uploaded … that are not then pixelated, making a mockery of the original purpose.

Otherwise … well, it’s so easy to poke ridicule from afar but much harder to understand what it means at a psychological level to a country like Germany until you’ve lived here for a while and began to understand how surveillance affected the lives of so many people at the most fundamental level and bred distrust in society and the establishment. Even after many years of living in the former East Germany, I ‘understand’ it but don’t ‘feel’ it the same way as many people here do. It’s really no wonder that people get jumpy about it …

michaelkpate · 2018-04-30 21:08:19

jakob wrote #311539:

(though don’t care much for the author’s tone of language sigh).

Jeff Jarvis is the Director of the Tow-Knight Center for Entrepreneurial Journalism and a
Professor at the City University of New York. He gets invited to speak at German Media Conferences on a fairly regular basis as well as having pieces published by the German Press.

jeff jarvis germany blurmany

He also writes at his own blog, BuzzMachine, and well as Medium.

So while he hasn’t lived in Germany, he has thought a lot about these issues, from an American perspective.

colak · 2018-05-01 09:46:57

Should we forget the right to be forgotten? Here’s on opinion in the guardian.

Destry · 2018-05-02 06:57:10

Heard back from legal counsel at Protonmail. They are not only compliant, they sent me a DPA. I need only sign it digitally and send a copy back.

Just need one now from WebFaction and I’m set.

So, Planeth, Protonmail, at least, can go in your databse, I guess. But probably need an explainer about the DPA as there is no direct link yet that I find.

P.s. Reach PM at ‘support’ by email.

phiw13 · 2018-05-02 07:40:08

Destry wrote #311556:

Heard back from legal counsel at Protonmail. They are not only compliant, they sent me a DPA. I need only sign it digitally and send a copy back.

Good for them!

And that is good to know in case I need something like that (still haven’t heard anything from Dreamhost). Thanks for investigating that one.

Destry · 2018-05-02 07:50:16

Also, Protonmail reports a recent high increase in phishing attempts on PM servers.

Be smart about the emails you open, links you click.

Destry · 2018-05-02 09:18:53

jakob wrote #311533:

I am interested to know what to do about legacy data, though, and about the nuisance factor of informing / re-asking everyone.

In the case of mail lists, including all legacy contact info, I’m pretty sure it’s similar to how I described, and exactly as the Guardian is doing, as Phil pointed out.

Here’s another example. I just got a message from a conference mail list I’ve been on for the last 10 years. They’re now using MailChimp. Here are parts of the message:

You may have heard about the new General Data Protection Regulation (“GDPR”), that comes into effect May 25, 2018. To help comply with GDPR consent requirements, we need to confirm that you would like to receive content from us.

…

If you’d like to continue hearing from us, we ask you that you please update your subscription settings. If we don’t hear from you, after May 26, 2018 we’ll automatically remove you from our database.

Then at the bottom it provides a Mailchimp button ‘Update Settings’. And in the message footer (a Mailchimp template) there are also links for ‘Unsubscribe’ and ‘Update Settings’

The assumption here is they will be deleted if they do nothing, or a user can unsubscribe sooner or accept (give consent) by chang settings.

My experience with mail list unsubscriptions is not perfect. I’m not always (rarely) unsubscribed, so I’d hope not doing anything here would get me forgotten once and for all. I’d be less trusting of the ‘Unsubscribe’ button, though in the case of a Mailchimp list, it’s probably safe, and especially in light of gdpr.

Bloke wrote #311529:

The issue, as jakob highlights, is that email click through rates for getting people to opt-in in the first place is probably less than 10%. And that’s assuming they haven’t already marked your marketing materials as instant spam. The conscientious, sure, will click and either continue to receive correspondence or will use the opportunity to review their ~~spam~~ marketing footprint and get out.

Ah, yeah. I now appreciate what you’re saying there. It takes a few hammer strokes in this stuff.

Last edited by Destry (2018-05-02 11:22:19)

Bloke · 2018-05-02 12:10:42

From a standpoint of data breaches, how do firms stand that leak personally identifiable information under GDPR?

I noticed in recent memory that both gmail and hotmail changed their sign-in process to a two-step system. So instead of username and password being on one page and if you mistype something it says “sorry, one of the above bits of info is incorrect” after form submission (thus leaking nothing) they now do this:

Enter your username
Click Next
Enter your password
Click Login

If you enter an account name that doesn’t exist in step 1, it tells you immediately when you execute step 2 and won’t take you to the enter password step. Thus to locate the existence of anyone’s email address (personally identifiable info?) is a simple case of trying various words until it lets you into the password step.

Granted, when GDPR hits you won’t be able to use that information for marketing purposes without opt-in (heck it shoudn’t be allowed now but that’s the world we live in) but is that termed a leak of personal info?

PayPal do the same two-step thing, but if you type random text – even with nonexistent domains – it still takes you to the enter password step. Never thought I’d say this but… Good PayPal.

Textpattern CMS support forum

#211 2018-04-30 14:33:06

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

#212 2018-04-30 14:33:18

Re: Txp cookies, visitor logging, and GDPR stuff in general

#213 2018-04-30 14:37:26

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

#214 2018-04-30 15:19:14

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311531:

colak wrote #311532:

#215 2018-04-30 16:03:47

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311519:

#216 2018-04-30 16:07:47

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

#217 2018-04-30 16:27:25

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311527:

#218 2018-04-30 20:05:43

Re: Txp cookies, visitor logging, and GDPR stuff in general

michaelkpate wrote #311534:

#219 2018-04-30 21:08:19

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311539:

#220 2018-05-01 09:46:57

Re: Txp cookies, visitor logging, and GDPR stuff in general

#221 2018-05-02 06:57:10

Re: Txp cookies, visitor logging, and GDPR stuff in general

#222 2018-05-02 07:40:08

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311556:

#223 2018-05-02 07:50:16

Re: Txp cookies, visitor logging, and GDPR stuff in general

#224 2018-05-02 09:18:53

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311533:

Bloke wrote #311529:

#225 2018-05-02 12:10:42

Re: Txp cookies, visitor logging, and GDPR stuff in general

Board footer