It’s coming.
And while it’s tempting to ignore it, I know getting up to speed is the thing.
THIS IS NOT LEGAL ADVICE. I’M NOT A LAWYER, ETC.,
JUST SOME OF MY EVOLVING THOUGHTS.
Probably the best site I’ve found is the UK ICO which explains everything pretty well. Look at their cookie notification though: “We have placed…” so much for my acceptance first!

Does the regulation apply? If you’re selling to EU (or is it European Economic Area?) residents then it does.
If you’re not promoting / selling to them…
And they just happen on your website, as if by magic, possibly not – although I’m checking into this further.
Consent – where it’s a pain. If it’s just a signup for “newsletter”, is a button “Sign Me Up” enough? It does seem to me to be OK, except maybe on the record keeping? Maybe I’d have to record the button text in a field at the autoresponder.
Exclusions – where it gets fun.
Cookies – interesting
Affiliate links? Are these caught?
Places where I might have personal information stored or processed:
- Website – in the client browser
- Website – at hosting provider
- Hosting backups
- Hosting databases
- Help desks
- Shopping cart systems
- Payment processors
- Cloud services: Podio, Integromat, file converters, ad systems, Google Analytics, Facebook, Twilio, cloud email services – Gmail (what’s in attachments?).
- Downloaded to PCs
- PC backups to cloud (idrive, etc).
- PC backups to local hard drives (portable? thumb drives).
- Autoresponder – ActiveCampaign in my case
- Hotjar – heatmap/screen recording software
- Chat
- Surveys? / questions.
- Exit popup provider?
- All those sneaky services like ShareThis – that provide a service, but also grab data using unknown JavaScript. (little widgets, tools, calculators – third party addons)
- WordPress plugins – are these slurping data off to some server? Even IP address is PII!!
- Cookies
- CDN – logs? Mine. What about their stats? Any PII in URLs?
I’m wondering about a nice IP map to EU countries…
And there’s bound to be more
Facebook pixel:
They’ve implemented a JavaScript system for pausing the pixel until consent is given:
fbq('consent', 'revoke'); fbq('init', '<your pixel ID>'); fbq('track', 'PageView');
The events don’t fire until the magic fbq command:
fbq('consent', 'grant');
[a few days later] Except I’m finding once cookies are agreed to by the visitor I can’t revoke/grant with no time between them. I seem to have to delay the grant by a second or so.
It’s never a great idea when you’re just adding a delay to make it work… without knowing why – it could easily just break again in the future.
This is where you consider you have to get consent to track ads or do remarketing.
Or maybe you have “legitimate interests…” it’s essential for your business?
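An added example, not code from this post or from Facebook: a small consent gate around the fbq calls above. It stores the visitor's choice together with the button text as a consent record, and it only calls revoke when no stored consent exists, so a returning visitor never gets a revoke followed straight away by a grant. The storage key, record fields and function names are assumptions.

```javascript
// Added example: `fbq` and `store` are injected so this runs outside a browser.
// In a page, fbq is the global from the pixel snippet and store can be
// window.localStorage. CONSENT_KEY and the record fields are made-up names.
const CONSENT_KEY = 'adConsent';

function createConsentGate(fbq, store, pixelId) {
  // Unreadable or corrupt stored data is treated as "no consent".
  function saved() {
    try { return JSON.parse(store.getItem(CONSENT_KEY)); } catch (e) { return null; }
  }
  const hasConsent = () => { const r = saved(); return !!(r && r.granted === true); };

  // No stored consent: revoke first, so init and PageView are held back.
  // Stored consent: skip the revoke, so no grant has to follow it immediately.
  if (!hasConsent()) fbq('consent', 'revoke');
  fbq('init', pixelId);
  fbq('track', 'PageView');

  function save(record) {
    store.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }
  return {
    status: hasConsent,
    // Wire to the banner's accept button; buttonText records what was clicked.
    accept(buttonText, now = new Date()) {
      const record = save({ granted: true, buttonText, at: now.toISOString() });
      fbq('consent', 'grant');
      return record;
    },
    // Wire to a "withdraw consent" link; later events are held again.
    withdraw(now = new Date()) {
      const record = save({ granted: false, at: now.toISOString() });
      fbq('consent', 'revoke');
      return record;
    },
  };
}
```

The record returned by accept() is what would be copied to a field at the autoresponder if the button text needs to be kept as evidence of consent.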
Google Analytics:
Just added:
ga('set', 'anonymizeIp', true);
on all sites (I think – watch out for subdomains, subdirectory installs of WordPress, etc).
I’ve just prototyped a “cookie bar” plugin. (used one of my single file plugins). Don’t really like it. People don’t even really know what a cookie is and what it’s doing. To “clearly explain” takes acres in the privacy policy. That no one is going to read.