Technical review of GDPR and ePrivacy

Technical review of GDPR and ePrivacy

Soumis il y a 5 années 2 semaines par jmcouillard.

The following recommandations are the result of many reading about GDPR and ePrivacy. They should be use a base for your own reflexion and do not replace a lawyer opinion.

GDPR is relatively new and there is little or no jurisprudence for the application of the law. The following informations shouldn't be used as legal advices.

Overview

General GDPR overview

Identifiable data: GDPR defines personal data as anything that can be used to identify a user. These data include :

  • Images
  • Photos
  • Email addresses
  • IP addresses
  • Bank informations

Every data saved by your website that can be used (by itself or when combined to other data) to identify a user, must be compliant to the GDPR. This includes :

  • Form data (POST)
  • User profile data
  • Any tracking or analytics tools (such as hotjar)
  • Server logs
  • Emails
  • Mailing list
  • Cookies generated by your website
  • Cookies generated by third-parties (such as Google Analytics or Youtube embed)

When GDPR is applicable, compliant websites and applications must includes 3 major features :

  • A Privacy terms page, which describes how private will be used.
  • An extract data feature, which allows a user to download a copy of all its data.
  • A delete data feature, which allows a user to request a full deletion of its data (right to be forgotten).

Public websites and registering users in the GDPR context

GDPR is mainly designed to regulate applications. Its main goal is to forbid entreprises to use personal data collected through the usage of an application (or website) without their clear consent. These applications include (but are not limited to):

  • Facebook
  • Gmail
  • Spotify
  • Your favorite CRM
  • Etc.

These applications will most of the time require you to create a user account (or use a login method such as a Google Account) to identify you.

If your website doesn't require you to save user data, complying to the GDPR should be easy (see Solution 1). Otherwise, you will need to be ready to implement new features and new mechanisms in your application or website in order to comply (see Solution 2).

Cookies: ePrivacy Regulation and GDPR

In 2019, cookies will be mainly regulated by ePrivacy Regulation.

GDPR will only regulate cookies when they are used to track personal identifiable data.

The popup that is shown on most website is related to ePrivacy Regulation. It is not directly related to GDPR.

ePrivacy consent doesn't need to be saved on the server or registered on a database.

Here are the main characteristics and features of the ePrivacy Regulation:

Cookie usage is governed by the ePrivacy Directive (Cookie law) and not the GDPR.

Cookie law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.

The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred — even if that consent has been withdrawn.

Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.

The 2019 revision states that :

Cookies for purely analytic purposes should be exempted from the rule. Recognising that they don’t intrude on personal privacy, the Regulation proposes that cookies for website analytics should be exempted from the requirement for consent. However, the proposition only encompasses first party cookies. It is yet unclear, whether external services such as Google Analytics will benefit from this exemption.

Source: Cookiebot - The EU ePrivacy Regulation and Cookies - What do I need to do?

So, for now, a Cookie Popup seems to be the right way to comply to the ePrivacy regulation.

More information on ePrivacy and cookies :

Solution 1 : if it is not required, do not save user data or create user sessions

Most simple websites (such as a personal blog or a company website without ecommmerce) can skip GDPR complications by avoiding to store personal user datas and by avoiding user session. If you choose to do so, you will need to disable any instance of:

  • Remarketing tools (Facebook pixels, Google Ads remarketing, etc.)
  • Precise Analytics (such as geographical location of users)
  • User session (such as user carts, user preferences, saved search, etc.)
  • User accounts
  • Contact forms
  • Mailing list
  • E-Commerce

For exemple, Dri.es Buytaert personal website doesn't include any cookie popup or GDPR consent, but is still totally valid under the GDPR and ePrivacy regulations since it doesn't save any personal user data or cookie.

Server logs

Server logs are useful to debug website and keep track of activities. On most modern servers, logs are enabled by default and will save IP addresses and under GDPR, an IP address is considered as personal data.

A server log looks like this :

2019-04-09 13:39:48 Access  67.215.6.202    20  GET /fr/projects/nextiva HTTP/1.0

In order to comply with GDPR without having to request and save a user consent, you could disable the servers logs. If you need to keep logs active (for security reason, since many security tools depends on those), you should anonymize IP addresses in rotated logs (here is the how-to for Plesk based server).

Analytics

Google Analytics (and other Analytics tools such as Matomo/Piwik) will save IP addresses and under GDPR, an IP address is considered as personal data. Google Analytics track and store IP addresses of your website users, in order to report on geolocation data. However GA does not report on IP addresses in its reports.

In order to comply with GDPR without having to request and save a user consent and stop collecting IP address, you can use the IP anonymization feature to anonymize/mask website visitors IPs. When you anonymize visitor IP, the last 3 digits from your website visitor’s IP address are automatically dropped / deleted. In other words, the IP anonymization feature sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros.

More information about IP Anonymization in Google Analytics

Google Tag Manager

Do not include Google Tag Manager in a GDPR compliant website or application, since it allows any person who has access to the Tag Manager to add tracking and other third-party scripts to the website. Those additional scripts might not (and probably won't) be compliant by default to the GDPR.

Embeds (Youtube, Vimeo, Soundcloud, etc.)

Most embeds (whether they are scripts or iframe) will register their own cookies and save their own user data, even when embedded on your own site. You have to use a no-cookie version of these embeds if they exists, or disable the embeds when there is no no-cookie version available.

Youtube

Instead of linking to youtube.com, link to youtube-nocookie.com, and no data-collecting HTTP cookie will be sent. This is Google's way of providing GDPR-compliant YouTube videos.

Source: dri.es

Cookies and ePrivacy

Since using this solution doesn't allow you to create a session, cookies shouldn't be required.

Since the only cookies that will be present on your site (directly or through third-parties) will be 100% technical, neither ePrivacy and GDPR requires you to get consent for those (no cookie popup). Make sure that no IP addresses are save in your cookies.

Drupal 7 does register the has_js cookie, but this cookie is only technical and doesn't provide a way to identify the user. It should then be allowed by both ePrivacy and GDPR without consent.

Solution 2 : proceed with your data collecting and obey to the law

If your website is more complex and you do require one or many of the previously listed items which require private data (sessions, ecommerces, user accounts, etc.), then you will need to go through these steps and execute all the ones that applies to you.

Step 1: review your cookies usage and comply to ePrivacy Regulation with a cookie popup

To create more complex websites or applications, you will need non-technical cookies.

ePrivacy Regulation

A popup will be required once the site is loaded before the non-technical cookies are created. This popup needs to explain the reasons why the cookies are needed (Statistics, Preferences, Sessions, etc.) and shouldn't be implied. ePrivacy consent doesn't need to be saved on the server or registered in a database. If you use an Analytics software which adds cookies to your site, you still need to comply to the ePrivacy regulation by informing users before creating cookies.

GDPR

When cookies can identify an individual, it is considered personal data. (https://www.cookiebot.com/en/gdpr-cookies/)

All cookies that directly identify a person or can potentially be combined to identify a person may only be used once you have your user’s proper consent to it. This consent is a not covered by the ePrivacy cookie pop-up and consent needs to be saved for reference.

Cookies used for personal identification should be described in your Privacy Policy.

Step 2: review embeds (Youtube, Vimeo, etc.) or Analytics tools on your website

Google Analytics (and other Analytics tools such as Matomo/Piwik) and embeds (such as Vimeo or Youtube) will save IP addresses and under GDPR, an IP address is considered as personal data. These services will register their own cookies and save their own user data, even when embedded on your own site. You have to use a no-cookie version of these embeds if they exist, or disable the embeds when there is no no-cookie version available.

For example, Google Analytics track and store IP addresses of your website users, in order to report on geolocation data. However GA does not show IP addresses in its reports. In Google Analytics, you can disable IP tracking through IP anonymization (see full explanation in Solution 1). With Youtube, this can be done using the url youtube-nocookie.com instead of linking to youtube.com.

If you use full IP addresses tracking or Advertising features in GA, you must request explicit consent and store this consent data before enabling them.

This should be included in your Privacy terms.

Step 3: review your forms

Webforms

If you use forms, then you will need to save the data clearly in order to allow to extract the data on user requests, or delete them. To do so, data will need to be clearly linked to a user.

Contact forms

If you use a contact form, we do recommend storing the messages on your server in order to make it easier to generate a data download, or to identify which messages should be deleted on user request.

If your contact form relays email data to an SMTP server (SMTP relays), you will need to take manual and appropriate action when a user will ask for a data deletion.

You should add a tick-box to your contact form, requiring the user to confirm they have read and agreed to your terms and privacy policy. The wording can be as simple as: I confirm that I have read and agree to COMPANY NAME terms and privacy policy.

Step 4: review your mailing list

If you do have a mailing list (whether it is using an external service or not), users must consent that their private data (such as email address) will be used to subscribe them to those.

This should be included in your Privacy terms.

When a user requests for data deletion, their data should also be deleted from the mailing list system.

Step 5: create your Privacy policy page

When GDPR is applicable, compliant websites must include a Privacy policy page:

Under GDPR, a site’s privacy policy needs to be clearly written in plain language and answer basic questions like what information is being collected, why it’s being collected, how it’s being collected, who is collecting it, how it will be used, and if it will be shared with anyone else. If your site is likely to be visited by children, this information needs to be written simply enough for a child to be able to understand it.

You may consider adding a data request form to your site’s privacy policy page for user data download (or deletion).

Step 6: setup properly your server logs

Server logs registered by Apache and/or nginx server might save data from users such as their IP addresses. You will need to include those logs when a user asks for data download or deletion.

Step 7: get ready for user download/deletion requests

You should build a clear step-by-step guide for your team in the event of a user data deletion/download request. If the tasks are not automated, this guide should list all the places where users data are located and how to download/delete them.

Download data upon user request

User can request a full download of their data at anytime. You will need to be able to generate a file containing all the user-related data.

Delete data upon user request

Users can request deletion or removal of personal data when there is no compelling reason for its continued processing. This is also referred to as “the right to be forgotten”.

When a request of this kind happen, you should take appropriate action in order to delete all user related data. This might include manual actions.

Step 8: get ready for quick response to data leaks

If a data breach happens on your website or your application, all your users should be notified within 72 hours :

If a data breach occurs, consumers must be notified within 72 hours. Failing to comply with GDPR can come with some very steep consequences.

Source: GDPR: What it Means for Google Analytics & Online Marketing

Step 9: ask for a review by your legal team and nominate in-house GDPR representatives

You should ask for your legal team to review your actions prior declaring GDPR compliant.

You should also nominate a in-house person or team has a GDPR representative. They should be in charge of GDPR related tasks, which mainly consist of:

  • User data download requests
  • User data deletion requests
  • Data breaches
  • Legal related requests

Additional links

More information on this pages, by order of relevance: