GDPR concerns

I’ve deferred my works on my own CP site, and one reason for that is because I still know very little about these privacy laws and how they apply to me. And now you’re telling me that there’s more coming? :scream:

Yeah. It seems that from Jan 2022 sites should keep a registry (not anonymized) showing the users have consented and a specific page where visitors can manage their consent.
So I have to anonymize statistic data and offer cookie consent only to have all visitors registering an account to manage their consents and be able to show proof of their consent.
Pretty straightforward to hell, if I dare say. I am trying to decide if it’s worth having a website anymore these days.

  1. Do you use Google Analytics?
  2. Do you use CDN?
  3. Do you use Facebook (analytics, pixel, etc)
  4. Do you own millions of dollars?
  5. Do you have registered users with private data on your site?

If you can answer each of these questions with no, you never ever need to worry about a thing related to GDPR.

It’s a fuss, used to put a smokescreen in front of the real issue, which is selling data gathered for free from the user. And that is still done anyway (which is usually also the reason for those very hefty fines they like to decorate the GDPR with).

Don’t worry lol. Even if you can answer all of the above questions with yes, as long as you don’t reside in the EU and don’t own millions and don’t start doing weird things with your users, the chances that someone will ever even think about “controlling” your site are like… negative rather than zero.

Even if you reside in the EU and you break every single rule of the GDPR, no one will do anything. Unless your name is Amazon and there are like hundreds of complaints and some smart**** needs to get his/her name on an investigation paper…
I can’t find it right now, but there is a website, registered and visitable in Europe, openly breaking the GDPR on purpose; they do that to “prove that GDPR cannot be enforced”. They have been up since long before the GDPR was invented, are still up and will probably be up in 10 years. They literally call on the GDPR to fine them already. Yet… it’s just not enforceable, and that is inside its own rule area. Imagine across 2 oceans and 2 continents :stuck_out_tongue:

Also note, as far as I understand, CP sends the number of users, nothing personal thus: just a number like 27.
I want to see the GDPR judge hanging me for the fact that my site sends a number (representing the users of my site) to some server (or a count of sites in my network).

The real GDPR issue is (personal) data traffic.
For example you gather real data of your users and send that data outside the EU, or store it somewhere. You track their behaviour, their skin colour or whether they are male or female, etc. Then yes, you might want to add some “I am ok” button somewhere.
But… I have yet to see a “normal” website that does that, literally ever, in any website I saw until today; unless the site is a social network, an online store or of a similar nature, there is no personal data gathered.

Simple blogs, web presences and the like need neither GDPR headaches nor GA4 or FB Pixel, so you really don’t have to worry, unless you have some sort of selling biz in the EU.
And that is the main issue, where they could “hang” someone (using a CDN, GA, Google fonts or Adobe fonts, etc., because those do track some data, and a CDN for example might decrypt traffic, which might include passwords or the like… but all that only really is an issue if you have any such data of any user on your site).

Not that I encourage breaking the GDPR… but just don’t lose your head over it. It’s really not as crazy as it is made out to be.

I may permit myself to make publicity for my own form of GDPR (Zero Tracking Policy) lololol. Also explained in more detail here.

Follow this, and you will never need to think about any privacy law again, I am pretty positive about that.
You don’t need the consent to consent that I consented to consent the consent button to be consented (Our world is going places :rofl:)

2 Likes

@ElisabettaCarrara @smileBeda Thanks for the replies. Very informative. I won’t derail this thread any further, but I’ll ask more questions in this forum one of these days. Like I said, right now I’ve postponed my works on my own CP site, and it’s not just because of these privacy laws.

1 Like

Thread split so it can be discussed further outside petitions.

It’s been a while since I removed analytics, anonymized logs and removed cookies from all of my websites and almost all of my customers’ ones. Statistics moved to self-hosted Matomo.

So cookie banner and so on bye bye…

4 Likes

I may use this myself… Thanks much!

I really don’t care much about statistics. It distracts me from doing what is much more important, and that is content creation. On WordPress.com, I go out of my way not to look at the user’s Homepage where the stats are located. I had created a local HTML page with links to the pages I visit often.

1 Like

Are these server logs? My webhost has the option to disable them (access & server logs), and so if I do that, I won’t have any problem.

Question: How do I know if a plugin uses cookies or not?

Analytics plugins, and social sharing plugins like Shareaholic sure use cookies, but is there any other kind? How about a security plugin like Shield Security?

And of course, ClassicCommerce and similar plugins store user data.


I’m assuming that the CP core does not use cookies, and that whatever data being sent to and from the core is of no cause for concern.

And so, pls check if I got this right.

  • I don’t activate my server logs, and so all I have is the bandwidth usage stats, which is automatically measured by my webhost.
  • I don’t use an analytics/statistics plugin
  • I don’t use a social sharing plugin
  • I don’t use a plugin that serves Ads
  • I don’t sell items.
  • I don’t use a CDN.
  • I don’t have a mailing list (only RSS).
  • I don’t have comments activated.
  • I don’t have registered users.
  • I don’t embed videos and audios from YouTube and other like services, but host them myself
  • I don’t load fonts from Google Fonts, but host them locally and load them using CSS font-rules.

And so, if I follow all of the above, would I be free then from the GDPR and other privacy laws?

Can I say goodbye now to the cookie banner, and use a privacy policy like Beda’s Zero Tracking Policy?

EDIT: How about Contact Forms? What if I just put my email address?

2 Likes

Read the code - or - use it fully and see if cookies are stored. There’s not really an easy way to know, unfortunately.

Then you’ll get a lot of spam directly to your email address. I would just use a normal contact form.

Submitting a contact form, to me, implies consent for the data submitted to be processed. If you are worried about this, then you could include a short notice next to the contact form about how the information submitted in the form will be used. This is how I do it on my site:

I also have server logs enabled on this site, because under the GDPR, consent is only one of six lawful bases for collecting and processing data, which means that data can be collected without consent as long as it meets the criteria of one of the other lawful bases. The most common lawful bases for normal website operators are consent and legitimate interest. You can read more about that at GDPR legitimate interests. (There are also provisions that require data to be secured against breaches, access restricted to as few people as possible, etc., but I’m not as familiar with those because they mostly fall under “common sense” to me.)

I consider collecting IP addresses to be clearly a legitimate interest for the legally defined purposes of fraud prevention and IT security. Of course, if you are worried about this, and you don’t need the server logs, then disabling them entirely is a fine choice.

You could also enable a mailing list as long as it is opt-in and you meet the other requirements: provide notice for what data is collected and how it is processed, allow people to opt out and remove any stored data about them, etc.

I agree with the rest of your measures for your site. Serving videos from YouTube should require consent for anything to even be loaded from Google’s servers, in my opinion.

I am not a lawyer, but all of the investigation that I have done so far indicates that GDPR is pretty reasonable as long as you don’t send data to places it doesn’t really need to go. Unfortunately that means not using mainstream services (like anything from Google), and just about every website does things the “typical” way of embedding all kinds of stuff from 100 different providers, then giving you a whole bunch of crap to read and accept as a result.

3 Likes
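Following up on the question of how to tell whether a plugin uses cookies and the advice above to read the code or use it and watch what gets stored, here is an added example of both checks in Python. It is not code from the thread, from ClassicPress or from any plugin: the plugin files, the plugin name, the cookie names and the HTTP response are constructed sample data. The static part searches the plugin sources for the calls that create cookies (or equivalent browser storage); the dynamic part reads the `Set-Cookie` headers of a raw response captured with the plugin active (for example `curl -si https://your-site/`) and reports whether each cookie is persistent and how it is flagged.

```python
"""Find out whether a ClassicPress/WordPress plugin sets cookies.

Added example for this thread, not code from ClassicPress or any plugin.
Two complementary checks:
  1. static: search the plugin's PHP and JS sources for the calls that
     create cookies (or equivalent browser storage);
  2. dynamic: read the Set-Cookie headers of a response captured from the
     site with the plugin active and describe each cookie.
The plugin files and the HTTP response below are constructed sample data;
the plugin and cookie names are hypothetical.
"""
import email
import re

# --- 1. static check --------------------------------------------------------

# What to look for, by language. localStorage is not a cookie, but it is
# storage on the visitor's device, so the same consent question applies.
COOKIE_CALL_PATTERNS = {
    "php: setcookie()/setrawcookie()": re.compile(r"\bset(?:raw)?cookie\s*\("),
    "php: reads $_COOKIE": re.compile(r"\$_COOKIE\b"),
    "js: writes document.cookie": re.compile(r"document\.cookie\s*="),
    "js: localStorage.setItem()": re.compile(r"localStorage\.setItem\s*\("),
}

# Constructed sample plugin: file name -> source text.
SAMPLE_PLUGIN_FILES = {
    "share-buttons.php": (
        "<?php\n"
        "function sb_remember_choice() {\n"
        "    setcookie('sb_network', $_POST['network'], time() + 86400 * 30, '/');\n"
        "}\n"
    ),
    "assets/share-buttons.js": (
        "function sbTrack(id) {\n"
        "  document.cookie = 'sharebtn_uid=' + id + '; max-age=31536000; path=/';\n"
        "  localStorage.setItem('sbLastShare', Date.now());\n"
        "}\n"
    ),
    "readme.txt": "=== Share Buttons ===\nThis plugin does not use cookies.\n",
}


def scan_sources(files):
    """Return (file, line number, what, source line) for every cookie-related call."""
    hits = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for what, pattern in COOKIE_CALL_PATTERNS.items():
                if pattern.search(line):
                    hits.append((name, lineno, what, line.strip()))
    return hits


# --- 2. dynamic check -------------------------------------------------------

# Constructed raw HTTP response, as `curl -si` would print it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: cp_session=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Set-Cookie: sharebtn_uid=7e21; Max-Age=31536000; Path=/\r\n"
    b"\r\n"
    b"<!doctype html><html></html>"
)


def describe_cookie(set_cookie_value):
    """Break a Set-Cookie header value into the facts a privacy review needs."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name.strip(),
        # Without Max-Age/Expires the browser drops the cookie when it closes.
        "persistent": "max-age" in attrs or "expires" in attrs,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "(unset)"),
    }


def parse_set_cookies(raw_response):
    """Return describe_cookie() for every Set-Cookie header in a raw HTTP response."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    _status_line, _, header_block = head.partition(b"\r\n")
    headers = email.message_from_bytes(header_block)
    return [describe_cookie(v) for v in headers.get_all("Set-Cookie", [])]


if __name__ == "__main__":
    for hit in scan_sources(SAMPLE_PLUGIN_FILES):
        print("%s:%d  %s  |  %s" % hit)
    for cookie in parse_set_cookies(SAMPLE_RESPONSE):
        print(cookie)
```

The static scan is only a first pass: a plugin can set cookies through a library or through a third-party script it embeds, which this search does not see, so the header check on the live site (and a look at the browser's storage inspector after using every feature of the plugin) is the one to trust. A cookie with no `Max-Age`/`Expires` is a session cookie, which is what a security plugin typically needs; persistent identifiers like the constructed `sharebtn_uid` are the ones that raise the consent question.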

Thanks a lot! This will make it easier for me to get started with a privacy-conscious CP site.

1 Like

Server logs are no privacy concern
And I wouldn’t disable them. They are needed when stuff goes wrong.

Usually those logs merely hold an IP and an action
That’s nothing private :grinning:

1 Like

IP addresses are considered personally identifying data in some circumstances: Court confirms that IP addresses are personal data in some cases | White & Case LLP

The legitimate interest path is better for server logs.

My opinion is that if there isn’t consent, or a truly legitimate interest, maybe you shouldn’t be doing it :slight_smile:

1 Like
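The posts above give both options for access logs: drop them, or keep them under legitimate interest with the IP addresses treated as personal data. A middle path mentioned earlier in the thread is anonymising the logs. Here is an added Python example of that, not code from the thread or from any hosting panel: it zeroes the host part of every address in a log line the way the “anonymise IP” options of analytics tools do (last octet of IPv4, last 80 bits of IPv6), so the stored log no longer singles out one visitor while still showing which network the requests came from. The log lines are constructed sample data.

```python
"""Anonymise client IP addresses in web-server access logs.

Added example for this thread, not code from ClassicPress or any hosting
panel. Zeroes the host part of every address on a log line (last octet of
IPv4, last 80 bits of IPv6). The log lines below are constructed samples.
"""
import ipaddress
import re
import sys

IPV4_PREFIX = 24   # 203.0.113.42                    -> 203.0.113.0
IPV6_PREFIX = 48   # 2001:db8:85a3:8d3:1319:8a2e:370:7348 -> 2001:db8:85a3::

# Anything that could be an IPv4 or IPv6 literal; ip_address() decides.
# Timestamps like 2021:13:55:36 match the pattern but fail to parse, so
# they are left alone.
IP_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]{7,}")

# Constructed Apache/nginx combined-format lines.
SAMPLE_LOG = (
    '203.0.113.42 - - [10/Oct/2021:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"\n'
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2021:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.79"\n'
    '198.51.100.7 - - [10/Oct/2021:13:55:38 +0000] "GET /?ref=2001:db8::1 HTTP/1.1" 200 10 "-" "-"\n'
)


def anonymise_ip(text):
    """Zero the host bits of an IP literal; return anything else unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
    return str(network.network_address)


def anonymise_line(line):
    """Mask every address on the line, not only the first field: proxied
    setups log X-Forwarded-For too, and addresses turn up in query strings."""
    return IP_CANDIDATE.sub(lambda m: anonymise_ip(m.group(0)), line)


def anonymise_log(text):
    """Anonymise a whole log text, one line at a time."""
    return "".join(anonymise_line(line) + "\n" for line in text.splitlines())


if __name__ == "__main__":
    # Pipe a real log in (e.g. `python anonymise.py < access.log`), or run
    # with no input to see the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    sys.stdout.write(anonymise_log(source))
```

Run this as a post-rotation step (or have the web server do the masking itself if it supports it) so the unmasked addresses exist only for the short window needed for fraud prevention and debugging, which is the legitimate-interest purpose named above; after masking, the /24 or /48 still tells you which network a burst of failed logins came from, but no longer which person.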

We here in Europe (esp. Germany) use contact forms with a required “acknowledge” checkbox with a short text which boils down to “I consent to my entered data being ‘electronically processed’” (which includes replies per mail); you have to specifically check it before sending, else it won’t be submitted.
A nice side effect is that it blocks quite a bit of spam, too :slight_smile:

Update: Screenshot of the contact form on my site.

cu, w0lf.

1 Like

Sites that promote VPNs make a big deal out of IP addresses, and so I think it’s safer to consider them as private data.

1 Like

This looks good. Is there a CP-compatible contact form plugin that offers something like this out-of-the-box? Or is your contact form a custom plugin?

I probably don’t need such a contact form, because I’m from the Philippines. (Like I said, I still know very little about internet privacy laws, and I’m not sure if my country has one or not.)

That’s actually something I probably want to add to my cf plugin;
however… is that consent just a façade? Or is it saved, and if so, against what?

That’s relating to what @ElisabettaCarrara mentioned that you’d need to “save that consent”

I think - but am not sure - a fake check is enough, however… not sure how that would be in terms of actual ruling

I circumnavigate that by not saving the contact form stuff.
The email just gets to my email inbox. It is not saved on the site as an email or post or anything else. Thus, if I had to delete something on request, technically I’d have to delete all emails in my inbox from that specific person.

And email communication isn’t regulated by the GDPR; that’s personal communication between me and another person who literally initiated the contact on their own.

So methinks that’s enough. Even without a checkbox and with just an info note on the cform.

My guess is that if your website’s report looks like this, you don’t need to worry about privacy, unless you have ecommerce or user registration or something similar.

2 Likes

There is an update to the law in the works for Italy.
First, every website having any kind of cookies will have to show a form blocking cookies being the default, the form allows to manage in detail which cookies to allow/disallow.
The form should log IP and preferences, and allow a visitor to come back to settings if ever they change their mind.
The discussion revolves around making this compulsory for every site, even the ones with functional cookies.
Various people who are deemed knowledgeable in the Italian blogosphere are disagreeing on the above and explaining everything and its contrary, which adds to the confusion.
To me, having to anonymize data but also log them not anonymized is a bit nonsensical, but who am I to argue with the lawmaker?

But does that relate only to cookies, or also to such form-submit consent?

It is your right and even your duty to make sure your lawmakers act in your interest. In fact, the people are the true lawmakers. Government exists to serve the people which make up the society being governed, and it should never be the other way around.

A society which forgets this – or fails to act on it – will not survive in the long term.

2 Likes