Page 1 of 1
General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sun Jul 16, 2023 7:01 pm
by Isaac
Krom, if you don't know the answer off the top of your head, just ignore this post or delete it. I will not complain.
Is the dbb exempt from the General Data Protection Regulation (GDPR) and the ePrivacy Directive where you have ask users to accept cookies on landing?
Consent:
https://gdpr-info.eu/issues/consent/
Fines and penalties:
https://gdpr-info.eu/issues/fines-penal ... 20in%20Art.
fine framework can be up to 20 million euros
I am asking for personal reasons as well. I know Chatgpt has a bad name around here, but I've been asking it about this and it thinks there's no exemption for consent. I don't think cookies are used until a users logs in or registers. Maybe the warning is only needed on those pages?
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Fri Aug 25, 2023 8:23 pm
by Jeff250
I don't know the answer to your question, but not all cookies require consent under GDPR. Specifically, "strictly necessary" cookies do not require consent.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Fri Aug 25, 2023 8:37 pm
by Isaac
I'd imagine ads running on a page would probably require you ask for consent. Maybe tracking cookies?
dbb privacy statement https://descentbb.net/ucp.php?mode=privacy
wrote:
...
We may also create cookies external to the phpBB software whilst browsing “DescentBB”, though these are outside the scope of this document which is intended to only cover the pages created by the phpBB software. The second way in which we collect your information is by what you submit to us. This can be, and is not limited to: posting as an anonymous user (hereinafter “anonymous posts”), registering on “DescentBB” (hereinafter “your account”) and posts submitted by you after registration and whilst logged in (hereinafter “your posts”)
...
I'm only asking because I think I need to do it for a site I'm working on, but it's unclear what the exceptions are. Like, why does CNN, TIME, and other big sites not ask me, even with a Tor browser making me appear as if i'm in germany? But I'm going to do comply only because I don't need to be fined. But I'm surprised how many sites don't prompt the question.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sat Aug 26, 2023 5:26 am
by Krom
Yeah, you can assume this is basically about ads and tracking cookies. Stuff like the cookie that the DBB uses is strictly for the functionality of the DBB itself. The only things the DBB cookies store on your computer are your user ID, session ID (which is randomly generated every login), and a password hash if you stay automatically logged in. The most important bit about the DBB cookies is they do not extend beyond the DBB domain, they don't track you elsewhere on the web like the cookies that CNN/TIME/etc will (because they are third party domain tracking cookies for ad networks).
Basically if you examine the cookies that CNN/TIME/etc are telling you about, you will notice they originate from some "adtrackingcompany.com" domain within the page, which is the same domain that shows up regardless of what site you are going to. So the ad tracking company knows what sites you went to and even what articles/pages you read on them. The DBB cookies don't do that, they straight up can't do that actually, and they only serve for local functionality of the DBB itself.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sat Aug 26, 2023 12:48 pm
by Isaac
Krom wrote: ↑Sat Aug 26, 2023 5:26 am
Yeah, you can assume this is basically about ads and tracking cookies. Stuff like the cookie that the DBB uses is strictly for the functionality of the DBB itself. The only things the DBB cookies store on your computer are your user ID, session ID (which is randomly generated every login), and a password hash if you stay automatically logged in. The most important bit about the DBB cookies is they do not extend beyond the DBB domain, they don't track you elsewhere on the web like the cookies that CNN/TIME/etc will (because they are third party domain tracking cookies for ad networks).
Basically if you examine the cookies that CNN/TIME/etc are telling you about, you will notice they originate from some "adtrackingcompany.com" domain within the page, which is the same domain that shows up regardless of what site you are going to. So the ad tracking company knows what sites you went to and even what articles/pages you read on them. The DBB cookies don't do that, they straight up can't do that actually, and they only serve for local functionality of the DBB itself.
Thank you. I couldn't ask for a more clear exception to the GDPR.
But then I see stuff like this and it shows that it's not cut and dry as I'd assume it should be:
It's scary because I used google fonts for django, wordpress, and regular html websites. This also implies any php plugins could theoretically could cause a site to violate the law, even if it's just to support a basic function, not provide ads.
According to this precedent it seems that any 3rd party hosted content is a violation. The dbb is fine, but what happens when I put a youtube link or imgur link in a thread? It's hosted content, so that's a gray area, if not a clear violation.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sat Aug 26, 2023 1:32 pm
by Krom
That seems like a bit of overreach or straight up bad ruling or maybe even a default judgement if the website representative didn't show up at the court. I don't think it would really hold up on appeal just given how the technology works. If they really didn't want their IP address reaching google they should have blocked their computer from pinging it in the first place because it all happens client side.
Even if you post a youtube or twitter embed on a page, loading said embedded element is the responsibility of the client. And if youtube or twitter include cookies in embedded elements they still have to obtain consent for it from the user. Just be keep in mind giving consent on the youtube or twitter home page probably counts towards embedded posts in other sites as well, once you give it they can use it anywhere including here.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sat Aug 26, 2023 2:18 pm
by Isaac
Krom wrote: ↑Sat Aug 26, 2023 1:32 pm
If they really didn't want their IP address reaching google they should have blocked their computer from pinging it in the first place because it all happens client side.
You're rational about how GDPR should work, but I don't see where on the official GDPR site gives the user any responsibility or blame.
Krom wrote: ↑Sat Aug 26, 2023 1:32 pm
Even if you post a youtube or twitter embed on a page, loading said embedded element is the responsibility of the client. And if youtube or twitter include cookies in embedded elements they still have to obtain consent for it from the user. Just be keep in mind giving consent on the youtube or twitter home page probably counts towards embedded posts in other sites as well, once you give it they can use it anywhere including here.
If the user is anonymous and views a youtube element on the dbb, does youtube prompt the question through its iframe? I've never seen any embedded element do that and I browse via tor all the time, which is normally putting me in Europe. I think the GDPR is a stupid and dangerous law that the US should not enforce, but here we are.
edit:
maybe user generated content has its exceptions, but I don't see it.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sat Aug 26, 2023 2:41 pm
by Krom
Yeah, those parts of it are stupid and dangerous, and will likely at some point bump up against the reality of the technology where the courts will eventually sort it out correctly. This particular ruling will likely not stand in the long run because it is fundamentally not how the network functions, just whoever got hit by it probably didn't want to spend any more contesting it and nobody bigger took up the case to fully litigate it to completion. Like at some point someone may attempt the same thing by complaining how a google news story had a twitter embed so twitter figured out they were looking at whatever, and both google and twitter will both send lawyers in who will gut this ruling and the judge that passed it down like a fish.
If I had to bake up some tortured analogy, it would be like suing walmart because you used an ATM card for a purchase which lead to the bank knowing you shop at wallmart when you could have just used cash.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sat Aug 26, 2023 6:30 pm
by Isaac
It began in 2018 and Google has had to pay a fine already:
https://en.wikipedia.org/wiki/General_D ... dvertising.
I think for my sites, I'm just going to start adding the pop-up. I'm not sure if I have to record the consent to its own database table. I really hate all of this, because I think users can frivolously sue for a quick 100 euros. Forget the fine. The court fees are going to be $500 at least...
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sun Aug 27, 2023 2:57 pm
by Jeff250
Isaac wrote: ↑Sat Aug 26, 2023 12:48 pmIt's scary because I used google fonts for django, wordpress, and regular html websites. This also implies any php plugins could theoretically could cause a site to violate the law, even if it's just to support a basic function, not provide ads.
Even if GDPR doesn't mind, your visitors might, since you'd still be giving Google information about who visits your website in exchange for saving a little of your server's bandwidth per visitor.
edit: I realize that the behavior of linking to resources hosted on third party CDNs is near ubiquitous, so don't interpret the above as me calling you out or anything. But I think that sometimes we are quick to get angry at GDPR when some of our "best practices" have been surprisingly problematic this entire time.
Re: General Data Protection Regulation (GDPR) and the ePrivacy Directive
Posted: Sun Aug 27, 2023 3:51 pm
by Isaac
No offence taken. I made this post to learn about something I new little about. I've been doing it for years with jquery as well. But yes, people should be prompted, even if we think it should be obvious almost all sites do this at some level.