Is devrant GDPR compliant? 😏

.

wouldn't mind hearing this awnser myself. But just by guessing it should be since deleting an account removes everything associated to it

@PerfectAsshole iirc you need to ask for cookies and tracking aka. google analytics too 🙃

.

@hungryBear @Floydian @IRonnyc @matsaki95

you guys warm my heart for using a dot instead of the emojis 😊

@JoshBent if cookies are used for tracking they must be opt in with an easy way to opt out. So yes google analytics isn't gdpr compliant, makes me happy as hell i never used that garbage on my sites and just relied on the number of active accounts

@PerfectAsshole depending on how you track how many active accounts there is, you would have to document it too 😂

edit: and offer to delete that data

Yeah, we’ve always been delete compliant since we don’t do soft-deletes or anything. When you delete your account or any data, it’s immediately deleted from the database.

@JoshBent as long as there's no personal information taken from the connection you're fine. For instance a last login row wouldn't fall under the gdpr. But yeah a delete account is required along with a human readable download of the data you have collected(if you have competitors) under the gdpr. I've been listening to webinars on it for awhile it has alot of holes in it but it should stop 90% of site to site tracking

@dfox what about cookies, google analytics etc? all those things are gdpr food too

@PerfectAsshole I am still trying to gather as much as I can to prevent myself and clients from accidental core meltdown, by some lawyer in his 80s

@JoshBent we use Google Analytics (website only) and I’m not too familiar with how they are setup or whatever, but we’ll look into that. People who are worried about Google Analytics should really block the origin domain IMO. I don’t see any personal or identifiable data that is collected in our Google Analytics.

@Floydian made me think of something, I should include firefox and chrome directlinks for tampermonkey and then a button that links directly to my script 😊

@dfox google analytics seems to be the worst offender usually, because they basically do everything, collect everything, process everything, are a third party that you basically hand over all those metrics etc so its definitely massive

@JoshBent but what personally identifiable info would be collected? Also, our privacy policy has always stated we use Google Analytics so no change needed there.

@dfox oh also app crash/usage metrics have to be mentioned, basically theres tons of shit that collects data in some way, so its gdpr hell

@dfox the generated policies about google analytics always seemingly mention some sort of identifiable data, I can't directly right now think of what all those things could collect, but analytics as said, usually is at the very top to be mentioned for cookies, tracking, personal data etc, its a mess

@JoshBent yeah, to be honest I’m more familiar with access/delete, but there’s a lot of stuff. I think some time is needed to see how much of it plays out. There will be changes to the law soon.

@dfox I feel it would be very valuable to all of us also, to see what changes you implement and what you yourself find out, since it's really a big mess right now, mostly filled with trash and cash grabbing trashbags.

@Floydian will probably update all my repos with it, once I finish the notifications filter, so I'll tag you there :)

@JoshBent definitely, I’ll keep you updated. I’ve been doing a lot of GDPR stuff for the company I work for and we will likely learn a lot more there in coming weeks/months. Obviously a shit-show everywhere like you pointed out haha.

@dfox ohh right, youre working for adobe or its branch iirc? they definitely have some steam to find what needs change, that makes you an even more valuable resource! 😊

@JoshBent yeah that's easily understandable. It has been said by the people that wrote the law that small websites don't have alot to worry about as long as they don't collect excesive information(don't collect more than you actively use), have a delete option, and report any data breaches in a timely manor. But personally i take that with a grain of salt and cover my ass.

@Bitwise I have "denied by client" because I block in the browser 😄

@Bitwise ah makes sense

This is a comment which purpose is that i can follow the conversation...

@Mizz141 .📌

.

📌

Random stranger point of view: I'm pretty sure devrant, like 99% of business (is devrant even a business though?) isn't 100% compliant, the law is just too deep to be 100% compliant. I'd bet a pointy-haired lawyer could find non-compliance in Mozilla foundation (though obviously no one is going to try that, there are way juicier targets).

For example, did you know your internal HR has to be GDPR-compliant too? Yeah, your employees personal data IS subject to the GDPR.

Also, got some personal infos on paper? Yeah, that needs to be compliant too (if you do, good luck, our lawyer advised us to never use consent on paper).

But it does seem like it's way ahead of most others, because it already had a privacy first approach :)

I don't know where Devrant is based, but if a service is based and HQ'd in the US, does GDPR even matter?

Or would a US-based service who doesn't want to give a flying fuck about GDPR need to make it a policy to forbid EU-based users from using the service?

I'm about sick of it myself as I work for a game that operates out of the EU, but I'm in the US and can personally not give any less fucks about it.

@xorith if you choose not to do business in the EU and pro-actively prevent EU users from using your services, yeah you can probably ignore the GDPR, legally speaking (but don't take my word for it).

Well, at least until other countries decide to follow suite and implement their own privacy law.

It's just not a good prospective for a lot of international business to cut off access to the EU.

Also, it's a matter of signaling, saying you are in compliance with the GDPR means you care about privacy and consumer rights. For some markets, it's important.

I'd be sad if Devrant was not accessible from the EU anymore though.

@Fradow To me, the GDPR is signaling government overreach, not consumer protection.

But that's just my opinion. It's punishing those who already "do good", meanwhile those who would "do evil" will simply pay a lawyer to find the loopholes that likely exist in the law.

I've already found a few of those loopholes myself. You can make it a royal pain for a user to make requests by demanding proof of identity, for one.

@Fradow And I'm also thinking that a company that is HQ'd in the US would be hard to hold accountable to the GDPR anyway.

@xorith I can understand your point, it's in phase with US culture to consider the GDPR as government overreach. That's why different places have different laws.

As an European, with French culture, I don't consider the GDPR as government overreach, I consider it as strong re-affirmement of your ethical obligations.

You might wonder why I say "strong re-affirmement" and not "overdue law": that's because French law already had very similar requirements (that were not enforced, not well-known, and not implemented by most actors).

Those who "do evil" will bear the cost of defending against lawsuits and the bad rep. Those who "do good" pay the price of being compliant (or at least enough compliance to not get lawsuit).

Loopholes exist in every law. That's why they are revised, and that's why they are enforced by humans and not robots. Let's just say judges frown upon business which apply the letter of the law while going against the spirit of the law (at least in French culture).

@xorith I don't think consumer protection is overreach. Most people don't even know about stuff like that unless they see it in TV.
However I don't like how GDPR is executed. But I guess it's a first attempt.
I would just create a law saying "don't be evil" 😂

@xorith there are bi-lateral commercial agreements between US and some/most/all EU countries. If you knowingly do business with EU customers while knowingly breaking EU law, I think there is a way to be hold accountable (but don't quote me on that). The risk of course the increase with the size of the business, and is practically non-existent if you are small.

Most big business (which actually have some risk) already have at least one EU branch (which is a EU business, and can totally be held accountable), so the point is moot.

Basically, risk management, in most case, is going to be simple enough: are you big enough to have EU branch? If yes, pay attention to EU law. If you don't, accept the risk and move on. Obviously, consult a real lawyer about this.

That's basically how I do it in reverse: I don't have US branch, they are an insignificant percent of my revenues, therefore I don't pay attention to any US law, unless forced to.

@Fradow That risk management bit.

Years ago we had a "Do Not Call List" implemented at the federal level. It was done in such a way that companies weren't prepared and couldn't prove that they didn't call someone. So lawyers would have fun making claims with a settlement offer and companies would simply pay up to avoid governmental fines.

I can see something similar happening with GDPR. From my understanding, all you'd have to do as a user is show some proof that you provided your email address to a company. Then make a demand for personal information. If the company doesn't have it anymore, what happens?

Maybe I misunderstand the law, but it seems like it's ripe for abuse, which will punish the good actors. Already I've had to spend hours upon hours for a small-time shop to prepare for this, and we're not even 100% sure we can't be screwed over by a client who wants to make a point.

📌

I know the pain of GDPR.

I don't know when indian companies do these level things. 😭

@xorith that's how it works in the US, but, at least in my country, that's not how the legal part is going to play out, especially since it concerns individuals, not companies.

What's going to happen to trigger an investigation is that a governmental body (the CNIL in France) is going to take cases, either because they want to (for example, because they think Facebook needs investigation), or because consumers complains to them (consumers don't launch costly lawsuits against companies directly).

This governmental body has limited manpower, and is going to go after big cases first. Which means, if you are small, you are probably safe for a while (but don't use it as an excuse to avoid doing anything, just don't rush an half-baked solution).

I'm unaware of cases of lawyers making claims with a settlement offer using a wide-net in my country as is done in the US.

You have to keep in mind legal system is widely different.