My bucket list for stuff around GDPR.
Really good and structured overview is given by ICO
- Privayc by design (see smashingmagazine article)
- GDPR is all about consent (see Recital 32), giving choices to the user
- Controller vs Processor
- Personally Identifiable Information (PII)
- IP-Addresses are PII
- Transaction IDs, UUID, hashed IDS. If there is a DB relation linking to the user it is PII.
- There are requirements as part of GDPR to prove that consent has been given (audit trail)
- The second half ofGDPR is the revamp of the ePrivacy Directive of 2002 (cookie law). ePD is still in draft negotiations.
- There is senstive and regular personal data. Sensitive is health, sexual orientation, religion, etc. Sensitive personal data requires stricter protections.
- GDPR expands personal data to online identifiers (IP, MAC address, mobile IDs) and GPS
- There are loopholes
My thoughts only.
- The common Accept & Continue cookie banner should be still valid if you have only mandatory cookies necessary for the functioning of the website.
- Using a cookie to identify a user after a login is totally fine. You can get the consent during login. It's a mandatory cookie for the functioning of the site. No withdraw option for the user required.
- Cookies from Google Analytics are not mandatory for the function of the website. Give a choice to turn off and explain why you need it.
- Cookies from youtube/videom are functional cookies. Consent required as it's not functional. Really ?
- Cookies are not banned under GDPR. However, if you can’t prove consent on an individual basis you’re at risk of non-compliance.
- Cookies are mentioned only once in the GDPR document (Recital 30)
- Recital is "Erwägungsgrund" in German
- Different types: analytics, advertising and functional services
- cookiechoices.org is from google listing resources around cookie consent.
- (dmnews) Consent is not required for cookies that are used specifically for the collection of “non-sensitive personal data” – like a cookie that is used to track items in a user's shopping cart.
Google Analytics/Adobe Analytics
- Google & Adobe are processors, the website is the controller
- Don't leak PII by tracking queries containing E-Mail and names etc.
- Enable IP Anonymization feature not to leak IP addresses.
- User ID/Client ID data deletion will be supported by Google Analytics
- Interpreting that (Recital 32), you need to have tracking cookies disabled when someone lands on your website for the first time. Consent is the only legal basis for using these kinds of cookies under the GDPR right now.
- Popovers attached to input fields explaining the why
- Accordions with some privacy related questions that you can expand and answer (what happens with my data)
- Some examples how modals could look like.
Questions to answer in a easy language.
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
- https://www.brothers-brick.com/privacy/ A good example to allow cookies and this seems to comply to gdpr already.