Textpattern CMS support forum


#271 2018-05-14 08:34:17

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #311734:

  • If you are just a blogger, author, publisher writing about something or other or showing your photos, artwork, creations to the world, then you are an individual not engaged in an economic activity.
  • If you show adverts on that site that results in personally identifiable data being collected, e.g. third-party ad networks, then you need a consent option, privacy policy, & dpa.
  • If you sell (or take donations for) some of said photos, artworks, creations, writings … via your website, and as a result some personally identifiable information is collected and processed, e.g. by a payment gateway, then you need a consent option, privacy policy, & dpa.
  • If you don’t show advertising that involves data collection or take payment but you collect anonymised site statistics, it would be polite to let people know but is not transgressing the regulations.

That all sounds spot on. I’m a million miles from anything to do with advertising, gladly, so that’s really another nebula for me.

  • People like you and me who advertise services via a homepage but don’t take any payments online or earn via the homepage through ads etc. We have personal sites as individuals and are legally-speaking economic entities even when self-employed/sole traders, but we do not earn through our sites nor take or pass on data used in conjunction with our economic activity. My feeling is that anonymised stats and server logs are not a problem as they are not processed or profiled for economic gain but it would be polite/prudent to inform users.

Yeah, this is pretty much how I’m handling it. Though it’s clear we need a DPA from the web host at least, even if the data is anonymised. Though possession of a DPA is nothing you need to prove to ‘data subjects’, I don’t think, though a mention that you have one is probably prudent.

  • Advertising that is paid but doesn’t process any personal data, e.g. like “The Deck” used to be or what Gruber now does manually on Daring Fireball. As far as I am aware, there is no cookie involved, but it is feasible that Gruber – or the respective advertiser – collects data on clicks on the ad. That may or may not count as processed personal data, e.g. counting the number of clicks is non-personalised, communicating the referrer is arguably non-personalised but passing the ip of the clicker is personalised.

If there is no way of using any ‘recorded’ data to identify a person, then it’s okay and you probably don’t have to say anything about it, but would still need to have a DPA, or whatever legal thing an ad processor provided, on record. But as you noted, IP addresses do count as PD, so in that case the data privacy policy needs to make clear how that data is used in such cases.

That’s about as far as I know anything.


The text persuades, the *notes prove。


#272 2018-05-14 08:34:54

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 1,578
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #311731:

This would also have implications for open source projects like Txp.

What kind of implications are you thinking about?

Only in that their data privacy policies need to be sufficiently written (no small task), and that they get the necessary DPAs on file from the processor(s). So in Txp’s case, PayPal at the least.


#273 2018-05-14 08:42:39

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

phiw13 wrote #311737:

What kind of implications are you thinking about?

Only in that their data privacy policies need to be sufficiently written (no small task), and that they get the necessary DPAs on file from the processor(s). So in Txp’s case, PayPal at the least, assuming they provide one.

This would suggest Txp would need to designate an actual ‘Controller’ too (surely no need for a ‘DP Officer’) and some kind of official record keeping process where DPAs would go.

Fock! I always hit the damn Edit button instead of Quote. Grrr.



#274 2018-05-14 08:49:45

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I think I screwed up your post, Phi, because I can’t get my head out of my ass as a moderator. Seriously, someone should revoke my rights.



#275 2018-05-14 09:04:55

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

My exchange with WF today, after a previous one a week ago. (I refrained from putting the Digital Ocean compliance materials as a link under ‘progressive web host’.)…

Another week and no word about compliance or DPA offer. Only 13 days away. I’d expect to see full details from any progressive web host by this point. You might tell the lawyers to hurry back from the pub and earn their fee.

The reply:

Our staff is working hard on making sure we are compliant and will provide more guidance as soon as we can.

He’s a little agitated, of course, and that’s exactly what I meant to do. I mean, come on. Are they going to spring it at the last f-ing minute?

Keep in mind there’s a community thread on this too where people are calling them on it in broad daylight. ;)

Reminds me of their Let’s Encrypt adoption pace too, which was very late. They sure don’t anticipate and move fast at WF, I have to say. Reactive, not proactive.



#276 2018-05-14 13:55:52

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

One of the reasons I’ve not shown my data policies yet is (besides waiting on WF) I’m still working out how to best write and display this information.

There is certainly no guide on the subject, nor can it really be ascertained from a pattern of use around the web because nearly every site does it differently.

I’m taking the approach to treat domain (business) and sub.domain (perso) by three common documents published at domain:

  • Legal Mentions
  • Contact
  • Style Guide (not legally relevant but convenient as a single source regarding editorial attention, as that’s what my services are)

At the moment (after many revisions to structure and copy) I have my main ‘Legal Mentions’ page, where the majority of everything is spelled out in this order:

  • brief intro para
  • 00 Relevant Laws
  • 01 Definitions
  • 02 Websites Concerned
  • 03 Controller
  • 04 Processors
  • 05 Data Privacy
  • 06 Outbound Links
  • 07 Copyright (Droit d’auteur)
  • 08 Changes

Section 02 makes clear the domains, their nature, and distinctions with regard to GDPR compliance.

Sections for Data Privacy and Copyright link to separate policy pages, but those pages are short and I’m now thinking I’ll just put them into the main doc and use anchor links anywhere I want to link to them specifically, such as footer links.

The Controller section was my former ‘Administration’ section; details about the business owner but now in context for EU/GDPR compliance (hopefully).

The Processors section includes this info for each processor I have a DPA with; marked up as a definition list, which works nicely:

Organization
Nature of business:
Reason for DPA:
How processor uses data:
How controller uses data:
Duration of data storage:

The items are written concisely so it works out pretty good.

What do you think for a small freelance gig? Any comments or other points of reference?



#277 2018-05-14 14:06:11

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,129
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Without adtech, the EU’s GDPR (General Data Protection Regulation) would never have happened. But the GDPR did happen, and as a result websites all over the world are suddenly posting notices about their changed privacy policies, use of cookies, and opt-in choices for “relevant” or “interest-based” (translation: tracking-based) advertising. Email lists are doing the same kinds of things. – GDPR will pop the adtech bubble

A lot to read in the essay and the comments, but basically Doc Searls thinks Google will do fine but Facebook is in trouble. If you want to read more on his Facebook take, you can read this Medium article if the site is still up.


#278 2018-05-14 16:16:17

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Anyone know if you can set the duration for how long Apache server logs keep records (e.g. number of days) on a hosted server, or is that strictly dictated by the web host?

I was just looking in my local .config file, but I don’t see anything there, unless I missed it.

It’s not a critical thing. I was just wondering how to answer the question, How long is the IP data kept (whether or not anonymized).



#279 2018-05-15 08:45:14

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,062
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

My contents now look as follows, all information on a single page. Each section is anchored and linked to from key places.

Contents:

  • 00 Relevant Laws
  • 01 Definitions
  • 02 Websites Concerned
  • 03 Controller
  • 04 Data Privacy
    • 4.1 Zero Data Collection
    • 4.2 Consent
  • 05 Processors
    • 5.1 Email Service Provider
    • 5.2 Web Host
  • 06 Outbound Links
  • 07 Copyright (Droit d’auteur)
  • 08 Changes

I’m ready to publish except there are statements about Txp’s IP compliance, which isn’t in effect until 4.7 stable release, technically, and WF (web host) is still not compliant.

But in regard to the latter, I was just looking at their PP and it says all IP data is anonymized on their servers (I think Jakob mentioned that too), and since I’m not using WF for contact mail, I wonder if I even have to have a DPA from them at all? It doesn’t seem like I do.



#280 2018-05-15 08:48:15

philwareham
Core designer
From: Farnham, Surrey, UK
Registered: 2009-06-11
Posts: 3,112
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Textpattern 4.7.0 is being released today!
