Blog of Raivo Laanemets

Stories about web development, consulting and personal computers.

GDPR compliance

On 2018-07-14

This blog is now compliant with the General Data Protection Regulation (GDPR).

The link above leads to the original regulation text. I used various online guides to make my blog compliant with the regulation.

Why am I affected?

This blog collects two pieces of personal data: commenter emails and visitor IPs. This data is not used for purely personal or household activity. The blog is still a part of my consulting activities and acts as a marketing channel. Thus article 18 (personal or household activity) does not apply. Otherwise it would exempt the blog from the regulation.

Steps to compliance

  1. Create a privacy notice.
  2. Implement a consent system.
  3. Make data collection compliant.
  4. Drop non-compliant 3rd party services.

Privacy policy

The first step towards GDPR compliance is to create a privacy policy. This is unique to every site and depends on the data you collect and the purpose for which you collect it. A good guide for creating a privacy policy can be found here. My own policy can be found here.

Article 32 of the regulation states the requirements for consent. Quote:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

And also:

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

This means that displaying a message and having the user keep browsing the site is not enough for consent. The user might browse the site but you cannot collect and process the user's personal data until you get actual consent.

I implemented this with a simple message referring to the privacy policy and an "Agree" button next to it. I made my analytics solution delay data collection until consent is confirmed this way. It sets a small cookie to remember consent. Consent can be withdrawn (you must provide this option) by clicking a link in the footer. It just removes the cookie.
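The consent flow described above, as an added example that is not the blog's own code: analytics is started only when a consent cookie with an affirmative value is present, the "Agree" button writes that cookie, and the footer link removes it. The cookie name, the element ids and the analytics start hook are assumptions; the core checks are written as pure functions over the cookie string so they can be exercised outside a browser.

```javascript
// Added example (not the blog's own code): consent gating for client-side
// analytics. Cookie name, element ids and the analytics hook are assumptions.

const CONSENT_COOKIE = "analytics_consent";  // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;  // 180 days; an arbitrary choice

// Parse "a=1; b=2" (the shape document.cookie exposes) into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Consent exists only when the cookie is present with the exact value "1".
// Absence, inactivity or any other value counts as no consent: there is no
// pre-ticked default and merely browsing never flips this to true.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "1";
}

// Cookie string to assign to document.cookie after the user clicks "Agree".
function consentCookie() {
  return `${CONSENT_COOKIE}=1; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax`;
}

// Cookie string that expires the consent cookie (the footer withdrawal link).
function withdrawalCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax`;
}

// Call startAnalytics only when consent is on record; report what happened so
// the caller (and a test) can see why collection did or did not start.
function gateAnalytics(cookieString, startAnalytics) {
  if (!hasConsent(cookieString)) return { started: false, reason: "no consent" };
  startAnalytics();
  return { started: true, reason: "consent cookie present" };
}

// Browser wiring; skipped when there is no DOM (e.g. when run under Node).
if (typeof document !== "undefined") {
  const start = () => { /* load the analytics script here */ };
  gateAnalytics(document.cookie, start);        // returning visitor with consent
  const agree = document.getElementById("consent-agree");      // assumed id
  if (agree) agree.addEventListener("click", () => {
    document.cookie = consentCookie();
    gateAnalytics(document.cookie, start);      // start only after the click
  });
  const withdraw = document.getElementById("consent-withdraw"); // assumed id
  if (withdraw) withdraw.addEventListener("click", (e) => {
    e.preventDefault();
    document.cookie = withdrawalCookie();
  });
}
```

Keeping the decision in `hasConsent` (exact value `"1"`) rather than in "cookie exists" means a stale or tampered cookie with some other value falls back to no consent, which is the safe default the quoted recital asks for.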

Dropping IP address from Nginx logs

There is no easy way to ask for the user's consent before the user makes the first request to the server, and implementing such conditional logging of IP addresses might be technically challenging. I also did not find a good reason to have IPs logged (personal data processed) without visitor consent ("nice to have" or "maybe we need it later" does not seem to be enough). Therefore it was simplest to just remove the IP field from the log format.
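To make the log format change concrete, here is an added example (not the blog's own code) that takes nginx's built-in "combined" format, lists which variables carry the client address, derives an IP-free `log_format` directive from it, and scans sample access log lines to verify that none still contain an address. The list of address-carrying variables and the sample log lines are constructed for this example.

```javascript
// Added example (not the blog's own code): derive an IP-free nginx log_format
// and check existing log lines for addresses. Variable list and sample lines
// are constructed here.

// nginx variables that expose the client address in access logs.
const IP_VARIABLES = [
  "$remote_addr", "$http_x_forwarded_for", "$realip_remote_addr", "$http_x_real_ip",
];

// nginx's built-in "combined" log format, reproduced as the starting point.
const COMBINED_FORMAT =
  '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

// Which address-carrying variables a format string still uses.
function ipVariablesIn(format) {
  return IP_VARIABLES.filter((v) => format.includes(v));
}

// Replace each address variable with "-" so field positions stay stable for
// existing log parsers, then collapse any doubled spaces.
function anonymizeFormat(format) {
  let out = format;
  for (const v of IP_VARIABLES) out = out.split(v).join("-");
  return out.replace(/ {2,}/g, " ").trim();
}

// Full directive for the http {} block of nginx.conf; pair it with
// `access_log /path/to/access.log <name>;` in the server block.
function logFormatDirective(name, format) {
  return `log_format ${name} '${format}';`;
}

// Loose address detection for checking logs written with the new format.
// IPv4: four dotted octet-sized groups. IPv6: the full 8-group form, or a
// compressed form with "::" preceded by at least one hex group (so "::1"
// alone is not caught and "14/Jul/2018:10:23:45" timestamps are not flagged).
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;
const IPV6 = /(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:)*[0-9a-f]{1,4}::(?:[0-9a-f]{1,4}:)*[0-9a-f]{0,4}/i;

function lineContainsIp(line) {
  return IPV4.test(line) || IPV6.test(line);
}

function linesWithIps(lines) {
  return lines.filter(lineContainsIp);
}

// Constructed sample lines: two from the old format, one from the new one.
const SAMPLE_LINES = [
  '203.0.113.7 - - [14/Jul/2018:10:23:45 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '2001:db8::1 - - [14/Jul/2018:10:24:01 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '- - - [14/Jul/2018:10:25:12 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Stand-alone run: print the directive to paste and the lines that still leak.
if (typeof require !== "undefined" && require.main === module) {
  console.log(logFormatDirective("noip", anonymizeFormat(COMBINED_FORMAT)));
  console.log("lines still containing an address:", linesWithIps(SAMPLE_LINES).length);
}
```

The address scan is deliberately loose (it will flag any dotted-quad, including a version number shaped like one), which is the right bias for a post-change audit: a false positive costs a glance, a missed address is still personal data on disk.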

Dropped Sentry.io

Whether a webpage using Sentry.io is GDPR-compliant is still a bit of a mystery to me. There does not seem to be enough information available on this issue. At the moment I am getting IP addresses in Sentry reports, and that means it's definitely not compliant. Or rather, it's conditionally compliant if you get the user's consent before sending a Sentry report. This is bound to Sentry's technical solution and I really have no time to work on this. So I just stopped using their service for now.

There is a good guide for 3rd party GDPR compliance. You will need consent if you use certain Google Analytics features, for example.

JavaScript disabled

When JavaScript is disabled in the browser (I understand that there are such users), consent is not necessary in my case, as data collection and cookie handling only work when JavaScript is enabled. This is likely very different for sites where cookies are handled on the server side.

Alternatives

It is also possible to comply by not collecting any personal data. I thought about it but decided to keep my analytics for now.

The commenting system can always ask for explicit consent at the comment form. So the commenting system is not an issue (it would still require a privacy policy).

A very brutal solution is to block every visitor from the EU. This is a last-resort solution. Sadly I have seen it being used by some sites, including some US .gov sites.

Other than a privacy activist suing Internet giants over GDPR on the first day it came into effect, I have found no other actual cases.

I expect the Internet giants (Facebook, Google, etc.) to be already compliant or get there very soon. They have all the legal and development resources to do it.

The fines (up to 20M or 4% of yearly revenue, whichever is higher) are very high. For comparison, the Cookie Law had country-dependent and much smaller fines. There are numerous cases where the Cookie Law has been applied in the EU to hand out fines, so these privacy laws are not there for nothing but pose real legal risks.

Update 2018-07-25

I gave up on using IP addresses and reworked my privacy policy. While it is possible to ask for explicit consent for IP address usage alone, I considered it to be too much work.