Textpattern CMS support forum

#265 2018-05-10 08:23:28

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,453
Website GitHub

Re: Txp cookies, visitor logging, and GDPR stuff in general


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#266 2018-05-10 11:08:52

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,306

Re: Txp cookies, visitor logging, and GDPR stuff in general

Congratulations, Phil, for finding the perfect match for the busy Textpatterner you are!


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

#267 2018-05-12 23:59:37

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Bloke wrote #311657:

@planeth Looks like DigitalOcean can go on the list in your database. Yay.

Adobe too, if not already in the database. I can’t remember.

Offline

#268 2018-05-14 07:45:27

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

planeth wrote #311430:

GDPR applies to companies, not individuals.

Returning to this point again because it’s not very clear in the GDPR.

Article 4, Alinea 18 says (bold mine):

‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

Let’s begin with the fact an ‘enterprise’ is bound by the Reg.

Next, let’s try to make clear what a ‘natural person’ means in this context. According to Article 4, Alinea 1, a ‘natural person’ is defined equivalently as a ‘data subject’, which we know means any EU citizen/resident, business owner or not. So this much seems to refute what you’re saying, Planeth.

But the distinction seems to be from taking the two bold parts together. A natural person engaged in economic activity.

Now we need to make clear what is meant by ‘an economic activity irrespective of its legal form’. On one hand it could simply mean what type of business it is (i.e. freelance to international corporation), but that would not jive with the fact anyone could just be a ‘natural person’. So on the other hand an ‘economic activity’ here could mean any activity where money is transferred, such as PayPal donations.

So in fact the Reg could be binding to any non-business website that has a PayPal button, or uses a Patreon or Liberapay account, etc. Anything where money and the personal data of two parties is shared/transferred.

If that’s true, then a non-business owner who has such a website as just described would still need to have a clear data privacy statement on the site, with all the expected details laid out, and DPAs with whatever third party is handling the funds transfer process (e.g. PayPal, Liberapay, etc).

Is this making sense to anyone or am I reading this wrong? Because if it’s making sense, then I may need to get another DPA in the future from a processor like PP or Liberapay for my personal site.

This would also have implications for open source projects like Txp.

Offline

#269 2018-05-14 08:16:00

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,730
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I don’t know what the legal answer here is, but my thinking along the lines of the spirit of the regulations is:

  • If you are just a blogger, author, publisher writing about something or other or showing your photos, artwork, creations to the world, then you are an individual not engaged in an economic activity.
  • If you show adverts on that site that results in personally identifiable data being collected, e.g. third-party ad networks, then you need a consent option, privacy policy, & dpa.
  • If you sell (or take donations for) some of said photos, artworks, creations, writings … via your website, and as a result some personally identifiable information is collected and processed, e.g. by a payment gateway, then you need a consent option, privacy policy, & dpa.
  • If you don’t show advertising that involves data collection or take payment but you collect anonymised site statistics, it would be polite to let people know but is not transgressing the regulations.

I’d be interested to know what you think about the following situations, though:

  • People like you and me who advertise services via a homepage but don’t take any payments online or earn via the homepage through ads etc. We have personal sites as individuals and are legally-speaking economic entities even when self-employed/sole traders, but we do not earn through our sites nor take or pass on data used in conjunction with our economic activity. My feeling is that anonymised stats and server logs are not a problem as they are not processed or profiled for economic gain but it would be polite/prudent to inform users.
  • Advertising that is paid but doesn’t process any personal data, e.g. like “The Deck” used to be or what Gruber now does manually on Daring Fireball. As far as I am aware, there is no cookie involved, but it is feasible that Gruber – or the respective advertiser – collects data on clicks on the ad. That may or may not count as processed personal data, e.g. counting the number of clicks is non-personalised, communicating the referrer is arguably non-personalised but passing the ip of the clicker is personalised.

TXP Builders – finely-crafted code, design and txp

Offline

#270 2018-05-14 08:30:15

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,196
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311734:

I’m thinking along the same line as you, regarding your first bulleted list.

As far as I understand it, your, mine, Destry’s personal website, describing and advertising our services, we’re good to go, as long as we don’t collect money directly. The contact form needs to make clear what it collects though (by filling in the form and pressing the Send button, there is an implied consent for collecting the email address).

Regarding your “The Deck” type of advertisement, that is a tricky tricky thing.

(I am of course not a legal eye, the bit of law classes I followed was 30+ years ago)


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#271 2018-05-14 08:34:17

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311734:

  • If you are just a blogger, author, publisher writing about something or other or showing your photos, artwork, creations to the world, then you are an individual not engaged in an economic activity.
  • If you show adverts on that site that results in personally identifiable data being collected, e.g. third-party ad networks, then you need a consent option, privacy policy, & dpa.
  • If you sell (or take donations for) some of said photos, artworks, creations, writings … via your website, and as a result some personally identifiable information is collected and processed, e.g. by a payment gateway, then you need a consent option, privacy policy, & dpa.
  • If you don’t show advertising that involves data collection or take payment but you collect anonymised site statistics, it would be polite to let people know but is not transgressing the regulations.

That all sounds spot on. I’m a million miles from anything to do with advertising, gladly, so that’s really another nebula for me.

  • People like you and me who advertise services via a homepage but don’t take any payments online or earn via the homepage through ads etc. We have personal sites as individuals and are legally-speaking economic entities even when self-employed/sole traders, but we do not earn through our sites nor take or pass on data used in conjunction with our economic activity. My feeling is that anonymised stats and server logs are not a problem as they are not processed or profiled for economic gain but it would be polite/prudent to inform users.

Yeah, this is pretty much how I’m handling it. Though it’s clear we need a DPA from the web host at least, even if the data is anonymised. Though possession of a DPA is nothing you need to prove to ‘data subjects’, I don’t think, though a mention that you have one is probably prudent.

  • Advertising that is paid but doesn’t process any personal data, e.g. like “The Deck” used to be or what Gruber now does manually on Daring Fireball. As far as I am aware, there is no cookie involved, but it is feasible that Gruber – or the respective advertiser – collects data on clicks on the ad. That may or may not count as processed personal data, e.g. counting the number of clicks is non-personalised, communicating the referrer is arguably non-personalised but passing the ip of the clicker is personalised.

If there is no way of using any ‘recorded’ data to identify a person, then it’s okay and you probably don’t have to say anything about it, but would still need to have a DPA, or whatever legal thing an ad processor provided, on record. But as you noted, IP addresses do count as PD, so in that case the data privacy policy needs to make clear how that data is used in such cases.

That’s about as far as I know anything.

Offline

#272 2018-05-14 08:34:54

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,196
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311731:

This would also have implications for open source projects like Txp.

What kind of implications are you thinking about?

Only in that their data privacy policies need to be sufficiently written (no small task), and that they get the necessary DPA’s on file from the processor(s). So in Txp’s case, PayPal at the least.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#273 2018-05-14 08:42:39

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311737:

What kind of implications are you thinking about?

Only in that their data privacy policies need to be sufficiently written (no small task), and that they get the necessary DPA’s on file from the processor(s). So in Txp’s case, PayPal at the least, assuming they provide one.

This would suggest Txp would need to designate an actual ‘Controller’ too (surely no need for a ‘DP Officer’) and some kind of official record keeping process where DPA’s would go.

Fock! I always hit the damn Edit button instead of Quote. Grrr.

Offline

#274 2018-05-14 08:49:45

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I think I screwed up your post, Phi, because I can’t get my head out of my ass as a moderator. Seriously, someone should revoke my rights.

Offline

#275 2018-05-14 09:04:55

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

My exchange with WF today, after a previous one a week ago. (I refrained from putting the Digital Ocean compliance materials as a link under ‘progressive web host’.)…

Another week and no word about compliance or DPA offer. Only 13 days away. I’d expect to see full details from any progressive web host by this point. You might tell the lawyers to hurry back from the pub and earn their fee.

The reply:

Our staff is working hard on making sure we are compliant and will provide more guidance as soon as we can.

He’s a little agitated, of course, and that’s exactly what I meant to do. I mean, come on. Are they going to spring it at the last f-ing minute?

Keep in mind there’s a community thread on this too where people are calling them on it in broad daylight. ;)

Reminds me of their Let’s Encrypt adoption pace too, which was very late. They sure don’t anticipate and move fast at WF, I have to say. Reactive, not proactive.

Offline

#276 2018-05-14 13:55:52

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

One of the reasons I’ve not shown my data policies yet is (besides waiting on WF) I’m still working out how to best write and display this information.

There is certainly no guide on the subject, nor can it really be ascertained from a pattern of use around the web because nearly every site does it differently.

I’m taking the approach to treat domain (business) and sub.domain (perso) by three common documents published at domain:

  • Legal Mentions
  • Contact
  • Style Guide (not legally relevant but convenient as a single source regarding editorial attention, as that’s what my services are)

At the moment (after many revisions to structure and copy) I have my main ‘Legal Mentions’ page, where the majority of everything is spelled out in this order:

  • brief intro para
  • 00 Relevant Laws
  • 01 Definitions
  • 02 Websites Concerned
  • 03 Controller
  • 04 Processors
  • 05 Data Privacy
  • 06 Outbound Links
  • 07 Copyright (Droit d’auteur)
  • 08 Changes

Section 02 makes clear the domains, their nature, and distinctions with regard to GDPR compliance.

Sections for Data Privacy and Copyright link to separate policy pages, but those pages are short and I’m now thinking I’ll just put them into the main doc and use anchor links anywhere I want to link to them specifically, such as footer links.

The Controller section was my former ‘Administration’ section; details about the business owner but now in context for EU/GDPR compliance (hopefully).

The Processors section includes this info for each processor I have a DPA with; marked up as a definition list, which works nicely:

Organization
Nature of business:
Reason for DPA:
How processor uses data:
How controller uses data:
Duration of data storage:

The items are written concisely so it works out pretty good.

What do you think for a small freelance gig? Any comments or other points of reference?

Offline
