GDPR (sigh) and theme compliance

(Jannis from inStacks Software) #41

Why shouldn’t my provider be allowed to store these logs with IP addresses? Only because it is personal data, I have a contract with him that he is allowed to do so.

The point is: I should not send my website users to a domain outside of EU, because the IP address will be transferred…

(Doobox Software) #42

I obviously am in the camp that does not believe that an IP address without further processing to match it to an individual constitutes personal data. But you have expressed that you do believe it is personal data. If it’s personal data you simply can not collect it without the user’s explicit consent, which is physically impossible to get in the case of server logs before you already have the data.

(Jannis from inStacks Software) #43

It doesn’t matter what I believe. I just try to prepare as good as possible.

(Doobox Software) #44

Just had to point out how ridiculous (impossible) it would be to try and not collect a users IP from any source without prior consent. The internet without server logs seems like a stretch.

(Jannis from inStacks Software) #45

Good that you brought it up again. Will double check with my provider.

(Simon) #46

True, it doesn’t matter what you believe, it matters what the law states. To date no one has supplied any legal evidence that IPs on their own are personal information. There has been plenty of evidence that in certain situations the could be personal information, but on their own they are not.

Your advice to code your site to stop the passing on of all IP addresses or obtain permission is completely unnecessary and creating more work for developers.

Why on earth would you as a developer want to do that to other developers?

(Rob Beattie) #47

Having started this thread and worried over GDPR for the last few weeks I’d also like to offer another perspective.

I emailed my active clients last week, attempting to explain my understanding of what GDPR means, how it could affect their site and how I could help them to move towards compliance.

Out of about 20, one has a strategy in place and are developing a new privacy policy along with a local small business group; a second has said they might be interested, depending on cost.

The rest is silence…


(Andrew Tavernor) #48

Today I have been in a meeting with the directors of a international technology company with offices (and websites) in most European countries and the US. Their head office and company registration is in Cologne and their board members are mostly German, including the director responsible for the company legal department who is himself a fully qualified and practicing German attorney / lawyer / solicitor / rechtsanwalt.

After the meeting over coffee I asked him the specific questions over his interpretation of the discussion on this forum page and their company plans for GDPR.

His first reply with a smile on his face was to never take legal advice from computer programmers.

He then went on to say, and I summarise, that he knows of no ruling that makes an IP address in isolation personal data (i.e. without being ABLE to be linked to an individual by THAT organisation).

He briefly read the links to the documents posted on this page and his reply was “see, it is what I say” as he smiled.

Following his initial advice, I am not personally going to evangelise on the law or what you should or should not do as I am not a lawyer. All that I could suggest is that RW users consult a qualified lawyer if they are worried.

Please do not shoot the messenger but I thought today’s opportunity was too good to miss in order to get an opinion.

(Jannis from inStacks Software) #49

I am not giving any advice. I am not telling you what you have to do. I am just discussing how most of the German forum members and myself are interpreting the law, and what I do with my own website.

(Greg Schneck) #50

As being in the US I’ve largely not worried about GDPR… This morning I received an email from MailChimp explaining what they are doing to become compliant and from everything I read if a website owner is in the US and they take something as simple as an email address from someone in the EU then they need be GDPR compliant.

This would indicate that I also have some website work to do to become compliant… (cookies, cart, etc)
Here’s the guide from MailChimp:

(David) #51

Interesting article in the New York Times today:

(Simon) #52

As it’s EU law, I’m not sure how they could enforce it on US citizens?

(michael m.) #53

No problem. They have a task force under weapons. They come at night

(Barrie McDermid) #54

If the cash prize is big enough, they will come.

Wonderful though Rapidweaver is, I would tentatively suggest that if you’re using it, you likely aren’t a worthwhile target.

I’m making an effort, and have read some articles (including on here).

Unless you’re Google/Facebook/Apple etc i wouldn’t lose too much sleep.


I’m going along with you on this one. Partly because I don’t have time to faff around with this nonsense but also because I don’t fully understand the ramifications of this for a small timer like me who does this kind of thing as a hobby/favour for friends. So it’s head in the sand time for me until further notice.

(Tomas Jakobs) #56

Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information…

(Will Woodgate) #57

An interesting post from Paddle today (of note, Realmac Software and several addon developers here use Paddle) about IP addresses being treated as personal data:

To be honest, I would definitely sit up and listen to these guys. Paddle were one of the first payment vendors to negotiate the minefield that was VAT MOSS (the law requiring all international sellers of digital downloads to EU citizens to collect VAT). So Paddle certainly know all the legalities of doing business with EU customers and I consider their opinion on these matters to be pretty much indisputable. Clearly they have information to-hand that IP addresses are personal data, given that they are having to go to some complex lengths (at their own cost) to re-engineer their payment systems not to share IP addresses for successful transactions.

I do not agree with everything that has been discussed in this thread that IP addresses are not personal data. Certainly if the website user is transmitting their IP address solely to your server, then there is no harm in that. After all, that is the fundamentals of how the internet is wired-up to work! But if that IP address is being shared with a third party and logged elsewhere, this starts to get problematic. Even if you don’t know the name of the person behind an IP address, you can start to build quite a comprehensive profile about that particular datum - times of day it is most active, pages it likes etc. When IP addresses start going into a centralised database, then you can start looking for the same IP address over multiple websites. This might form the basis for targeted advertising - identifying an IP address and manipulating what it sees.

I would also ‘+1’ the post by @NeilUK regarding Matomo. I have done more research on this one and signed up to an online course about it. This analytics package seems to be on-top of how IP addresses should be managed in the context of measuring site traffic. Again I rather suspect Matomo know a lot more about the legalities of data protection, because it is one of their founding principles.

Call it scaremongering if you wish, but I think this is quite serious legislation. Doing nothing, I don’t think is an option, if you want to be perceived as owning and operating a legitimate website.

I’m sure Google and Facebook et al. are going to get sued to the moon and back by the EU; considering much of their business model is built entirely around data collection and resale. Granted, the EU probably hasn’t got the resources to go-after the small site owner just yet, but I reckon these new laws do mark the start of a systematic shift in how online data is managed.

As I have been telling others, I think that a positive, proactive approach towards GDPR could also benefit how customers view your company. If you are seen to be protecting customer privacy (putting the customer first), it seems logical that customers will be happier. And happy customers are more loyal and lucrative customers!

I agree 100% that the way the EU has pushed out GDPR (and equivalents) is a total shambles. It is utter chaos. Better privacy protection is needed. But this legislation seems to have been written 10 years late to chase-after the likes of Google and Facebook - and has inadvertently stung everyone else. Much like Sunday trading laws, I am of the opinion this legislation should only have been applicable to bigger companies - based on number of employees or amount of data they are collecting. The rest of us should have been allowed to continue following existing data protection laws; with only minor amendments to make things more relevant for the digital era. But it is what it is. Time to accept, adopt and move forward. :slightly_smiling_face:

(Andy Pink) #58

Sorry but it is an option. I mean that literally. I have a website and I am doing nothing about it. When the first court cases begin in 10 years time I’ll look at it again. In the meantime…zzzz
Though I do agree about this GDPR should be stinging the big companies and not small devs. But isn’t that because we are just ‘gold plating’ here …(Gold-plating is pejorative term to characterise the process where an EU directive is given additional powers when being transposed into the national laws of member states…wiki) We absolutely gold plated health and safety in the UK and in the process wrecked our culture in my opinion.

Why not …wait? Wait and see what the lay of the land is before jumping to conclusions.

(Jannis from inStacks Software) #59

Thanks @willwood for sharing this. I was in contact with Paddle about this exact topic, good that they introduced that change.

(Andrew Tavernor) #60

I think this is far too general statement given the complex and specific nature of the question at hand.

The discussion here has been about isolated IP’s and their nature, not the situation where data controllers are concerned.

Paddle are in a very different situation as they hold email addresses, names and addresses to go with the IP of the customer.

Undoubtedly, in their situation, IP addresses come under the auspices of personal data but as @svsmailus stated above, no one can provide a legal precedent that confirms that an isolated IP should fall under GDPR. Time will tell as case law develops,