GDPR (sigh) and theme compliance


(Rob Beattie) #1

I’ve seen @willwood mention that he’s working to make his themes GDPR-compliant and this made me wonder about a couple of things.

  1. What’s the issue here? What actually needs to change?
  2. Are other devs planning to do the same?

And if a theme isn’t GDPR-compliant, where does the responsibility lie? With the dev, with the person who uses the theme to build the site, or - if there is one - the client?

Any thoughts appreciated.

Rob


(Jannis from inStacks Software) #2

Most probably references to CDNs for fonts, icon libraries, jQuery.

With the client, or domain / website owner. Nevertheless you as web designer should make your client aware of it.

The developer isn’t responsible, but it would be nice if he updated his themes. If not, people might stop using specific themes.


(Rob Beattie) #3

Thanks Jannis,

I don’t suppose you know what user information is passed on when you access these CDN services?

Thanks

Rob


(Jannis from inStacks Software) #4

Most probably “only” the IP address of the website user.


(Rob Beattie) #5

Thanks very much.

So if the theme hasn’t been modified to use local versions of services that are typically served up by CDNs, is there anything I can do to fix that?

Alternatively, I wonder if it’s enough to include a line or two in your privacy policy explaining that this happens and what it means?

Rob


(Jannis from inStacks Software) #6

You could create a local copy of the theme via RW theme inspector, and afterwards adjust the theme to your needs (-> most probably inside the index.html of the theme content).

Referencing local copies of the libraries isn’t difficult.

You can ask 10 people and get 20 different opinions about that. Especially if you ask guys from the UK or Germany.

  • Mostly UK people say: You do not have to ask.
  • German people say: Oh no! Get away with all that remote calls.
  • People from the “borders of Europe”: What’s GDPR all about? Who are these guys in Brussels? - forgetting that these regulations are covered by local government laws.

IMHO, you would have to “ask” the website user “first” before making “a single” CDN request. But that’s my opinion, not being a lawyer (coming from Germany, and knowing there are a lot of lawyers just awaiting 25 May).


(Rob Beattie) #7

Many thanks for your candour and the speedy reply, Jannis.

Like many people I don’t feel comfortable messing around with the ‘insides’ of a theme in case I break it.

I’ll need to think further on this.

What a PITA. :sunglasses:

Rob


(Joe Workman) #8

Just want to say for anyone passing by this thread… Foundation is good to go! The only thing that could be non-compliant is if you are using a Google Font. The theme has the power to use other fonts though. (Even though I think that this entire CDN debacle is absurd)


(Tomas Jakobs) #9

Just bought and released a website with Nick’s Depth theme and contacted him because of Google Fonts (the usual suspect) and Social Icons (from an unknown S3 server). The last was especially annoying because I didn’t use any of these “so called social” icons. I’ve now managed to load Google Fonts from my own server and my website is now GDPR compliant: https://ul-fluglehrer.de

If a theme Author doesn’t take GDPR into account, I won’t buy any themes. It’s that simple.
@joeworkman: Ja, I am using Foundation with basic Arial font settings (https://jakobssystems.net) and would like to use Google Fonts, but because you’re dynamically linking them with JS vars I have no chance to search and replace something. As a feature request: give us a switch or setting for offline Google Fonts please.

UPDATE: just received a mail from Nick: he will add a “no-load” font option and will address this in the next theme update!

UPDATE 2: And Joe, I forgot this discussion about CSP last year. You promised to add better CSP support in future Foundation releases, please do not forget us.

UPDATE 3: As an urgent feature request for RW, enable hashing for inline scripts and styles please!


(Rob Beattie) #10

My understanding though is that an IP address can’t be used on its own to identify an individual. It can identify a machine that’s making the connection and the general geographic area, but without other info, I don’t see how it can identify that I was using it, rather than someone else in my house or office.

Therefore it seems to me that it doesn’t come under the umbrella of ‘personal data’.


(Tomas Jakobs) #11

In Europe IPs belong to personal data like your name or address. And of course they can easily be put into context when other data from trackers or ads is available. Over time you receive the whole life with all desires and longings and secrets. Google Fonts as an example: the server logs of fonts.google.com are priceless.


(Rob Beattie) #12

That’s interesting.

Do you mean that if Google Fonts knows your IP address but nothing else, and Facebook has your IP address and all sorts of other info about you, then someone can put the two together and identify you by name, address etc.?


(Jannis from inStacks Software) #13

Sure. And don’t forget: It is not only Google Fonts. It’s Google itself.

The IP address might not say anything to you, but for the global web companies, that’s sufficient to get a trace of you.


(Jason Bostick) #14

I’m sure something similar will be coming for us in North America at some point but I hope they’ve ‘worked out the kinks’ by then. I feel for you poor b*stards and the headache this seems to be causing.


(Tomas Jakobs) #15

This is nothing new…

if you want to dig deeper: https://media.ccc.de/v/33c3-8034-build_your_own_nsa
(choose the English translation)

Brexit, Trump, Google, Facebook, Cambridge Analytica… What else has to happen?


(Will Woodgate) #16
  1. Basically a process of making themes more ‘self-contained’ and removing links / calls to external resources. Mostly it affects jQuery, Font Awesome icons, Bootstrap, UIKit, Flickr galleries, Google Web Fonts and a couple of other open-source libraries. I am making these changes as part of my ‘nothing external’ policy. As well as ensuring you don’t have anything to worry about with regards to GDPR, it also safeguards you against external libraries vanishing due to sudden API changes, political tensions (e.g. China blocking Google), technical issues or other unknowns etc. Keeping everything inside the theme simplifies things, which in turn means we can promise a stronger and more reliable theme that will give you many, many years of flawless service. The original reasoning behind using CDNs is less relevant nowadays, hence this change in policy.

  2. From what I’ve seen, most are taking a proactive approach. But a few have worryingly said they intend to do nothing and GDPR is not their problem! I think time will tell who is on the ball and who isn’t. Stack developers probably have the least amount to do. Some theme developers may have rather more to do. It depends really on where individual developers have been calling scripts / libraries in the past and if they are considering making changes going forward.

Yes, it is a lot of hard work and very time consuming to update these themes. So far the free designs are all done and the others are in the latter stages of completion. I’m mostly publishing updates on an ‘as requested’ (ask and you shall get) basis, because there are too many to release all in one session. Many of the themes are older designs from other developers, hence the need for rather more work to be done on them.

Of course, the protracted update process does also throw open other questions; like whether it is worth maintaining hundreds of demo sites or simply giving out free demo versions and project files for people to download and play with. So the updates do form the basis for a wider business strategy / rethink. :slightly_smiling_face:
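The two practical steps the thread keeps returning to are Jannis’s “adjust the index.html of the theme” and Will’s “nothing external” audit, plus Tomas’s request for hashed inline scripts. As an added example (not code from any RapidWeaver theme, the posters, or Realmac), here is a small Python audit that lists the third-party hosts a theme page would make a visitor’s browser contact and computes the CSP `sha256-` tokens for its inline scripts; SAMPLE_HTML and its hostnames are constructed, and example.org is assumed to be the site’s own host.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a theme's index.html; not taken from any real theme.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="css/theme.css">
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script>document.body.className += ' js';</script>
</head><body><img src="//cdn.example.net/icons/twitter.svg"></body></html>"""

class ThemeAuditor(HTMLParser):
    """Collects third-party hosts behind src/href and inline <script> bodies."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.remote_hosts = set()
        self.inline_scripts = []
        self._script = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or (a.get("href") if tag == "link" else None)
        if url:
            host = urlparse(url).netloc  # "" for relative paths, set for // URLs
            if host and host != self.own_host:
                self.remote_hosts.add(host)
        if tag == "script" and not a.get("src"):
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.inline_scripts.append("".join(self._script))
            self._script = None

def csp_hash(source):
    """CSP 'sha256-...' token for an inline script, hashed exactly as served."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def audit(html, own_host="example.org"):
    p = ThemeAuditor(own_host)
    p.feed(html)
    return sorted(p.remote_hosts), [csp_hash(s) for s in p.inline_scripts]
```

An empty host list means every stylesheet, script and image is served from the site itself; any token in the second list can go straight into a `script-src` directive instead of `'unsafe-inline'`.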


(Joe Workman) #17

Not sure what you are trying to search and replace for. If you want more control over your own hosted fonts, have a look at Font Pro.

As I said on that thread, I will take CSP into account with the next version of Foundation. I have done a lot of work around this for Total CMS v2 already.


(Rob Beattie) #18

@Elixir has just started pushing out GDPR-friendly updates of his themes, so that’s good news as well. I’ve asked @weaver if they’re planning to do the same. Fingers crossed.

Rob


(Adam Shiver) #19

Yep, I sent out Abstract this morning. Going to take it slowly so as not to overwhelm the inbox of both users and myself, as well as to ensure things go smoothly in case I hit any bumps in the road while sending out updates. Once I’ve sent out updates for all of the currently available themes in the Elixir store I will make a blog post outlining the updates, as well as let people know how to manually retrieve updates in case they do not get an email for some reason.

This will be a long process though, so please everyone, hang in there with me as I send out updates, since you will get a separate email for each theme you’ve purchased in the past.


(Simon) #20

No, they do not. Certainly not in the UK and not according to GDPR.

The only thing you have to be concerned about with your website is personal and sensitive data. Personal data is data that can identify a specific living individual. I have had extensive conversations with the Information Commissioner’s Office (ICO), which regulates the GDPR in the UK. They stated that if an individual is not specifically identifiable from the data it is not personal data. The example the ICO cited was a photo: they stated a photo is not personal data because you cannot identify the individual without other data. An IP cannot identify a specific living individual without other data. If you are only supplying the IP then you are not processing personal data in the UK.

I do know that EU member states can add to the base GDPR legislation, so you would need to check with the regulators of GDPR in the EU country in which you are hosting the website, but in the UK, sending IPs to Google or elsewhere with no other data that makes identifying an individual possible places your data outside the GDPR.