One topic that is getting more and more attention lately is the GDPR, which stands for General Data Protection Regulation. A new regulation that should start to be fully enforced by May 25th, 2018, and that finally provides many pretty good user-related regulations and limitations. For once, and although not everything is clear or properly detailed, even in general is something that benefits everyone using internet. Even companies, although where it benefits them (performance, security, data protection) is not as interesting as user tracking, retargeting and other marketing and data related areas that must change radically.
For a decade, companies have been harvesting more and more data without our consent, so in theory in less than two months, no more automatic opt-out consents, no more dozens of trackers without at least informing you, no more Delaware-based international companies not complying with EU laws and no more tricks to not be able to delete your accounts. Or at least that's the theory, we'll see how it turns out.
Anyway, this regulation also means that most tech companies are going to be busy this two months adapting to the new laws. At work we've already started to prepare everything and the first thing I noticed is that there are many posts but relevant, quality info was not so easy to come by, so I decided to write this small blog post and gather what we've found interesting.
First, the most important link of all, the regulation itself: https://gdpr-info.eu/art-16-gdpr/
Reading all of it can be a bit daunting at first, but it contains a handy search box that allows to easily find detailed explanations inside the 173 "recitals" and of course in the main regulation itself. Instead, I recommend you to start by going through the following links links from Bozhidar Bozhanov, which provide an interesting and practical digest about the regulation in general and cookies:
- GDPR for developers (brief slidedeck but good summary)
- Practical guide for developers
- Protecting sensitive data
- Tracking cookies and GDPR
If you read it, you'll see that there are hundreds of mentions to "personal data", but what really covers that term? This post is a good explanation.
Another excellent summary guide is Stripe's.
Also, while checking how it affects Google Analytics I came upon this post containing very important topics regarding both Google Analytics and Google Tag Manager and ip anonymization, among other things you should now take care about, like never sending to GA urls containing personally identifiable data (emails and the like).
If you speak or at least read Spanish, the two following links contain all GDPR info translated and into PDF:
One topic that had some discussion at the office was if regarding the "consent checkboxes" you could just go and make all of them mandatory or not allow to use your service. According to recitals 42 and 43:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
So, if I interpreted them correctly, you cannot make it an all-or-nothing choice unless it is really critical for the service to work. Which means, you must provide a way to use the service without being tracked by third parties and the like.
As I mentioned before, let's see how all this gets implemented, but at the very least we'll now be able to own a bit more our data, and also request data exports from any service, the "right to forget" (data deletion). or "processing restriction" (in theory, you allow the service to keep your data but they're forbidden to use it for anything else than basic functionality).
Update: Added Stripe's guide link.