danten.io

How To Deal with GDPR the Easy Way

Note: I’m not a lawyer, and my comments and ramblings on the GDPR are by no means to be taken as legal advice. If you’re running an online business or an e-commerce site you should seek professional legal advice if possible.

25 May 2018 was a really scary date for many people. It was the date on which the EU’s new data protection regulation, the General Data Protection Regulation – GDPR – went into effect. Here’s a brief intro and definition from the Wikipedia entry:

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Like many others, I spent countless hours, weeks and sleepless nights trying to figure out how to deal with this new EU regulation, and how best to offset the limitations it seemingly brings to web developers, e-commerce owners and content publishers. The GDPR affects basically every website that serves visitors in the EU.

For larger corporations, content providers and especially e-commerce businesses the GDPR is a real headache. For smaller sites, such as blogs and content-only corporate websites, it’s a lot easier to deal with the new regulation.

There’s still a lot of confusion out in the digital realm about the implications of the GDPR:

Not only are several passages of the legal text unclear and leave gray zones, but the various translations into different European languages also seem to contain minor issues and inconsistencies.

Coming to Peace with the GDPR

But finally, I’ve come to peace with the GDPR.

I noticed a significant increase in well-being once I realized that the only way to deal with this and make an existing website “reasonably compliant” with the GDPR is to revert to the spirit of FOSS (Free and Open Source Software).

Meaning:

Let go of all 3rd party plugins, or at least those that transmit data to a 3rd party. Stop using social media integrations: no more Facebook Like buttons. No embedded Twitter feeds without the visitor’s explicit consent. No Google Maps, no reCAPTCHA. No Akismet anti-spam, no Gravatars in the comments. No Google Analytics. No…

You name it. The list is long.

Over the years, web developers have gotten used to embedding 3rd party content, as well as to the convenient features of many plugins and modules. Instead of sticking to basics, many sites are bloated with plugins and functionality.

Even Google Fonts transmit the visitor’s IP address when delivered via the Google CDN, because the browser requests the font files directly from Google’s servers. So you’ll need to download the font files and serve them from your own server to avoid transmitting any potentially personal data to 3rd party entities.
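The hard part of this clean-up is finding every remaining third-party embed: fonts, scripts, iframes, avatars and CSS backgrounds all make the visitor’s browser contact another host. The following scanner is an added example written in Python for this article (not tooling from danten.io or from any plugin mentioned here). It collects every URL a page asks the browser to fetch, including url() references inside style blocks, and reports those whose host is not your own. The sample page and the own_hosts set are constructed; the hostnames in it belong to the services discussed in this post.

```python
"""Scan a page for resources fetched from third-party hosts.

Added example, written in Python for this article; it is not tooling from
danten.io or any plugin named here. Run it against the HTML of your own pages
after the clean-up to find embeds you missed. SAMPLE_PAGE is constructed.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value makes the browser fetch something (or post form data).
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "form": ("action",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# url(...) inside <style> blocks and style="" attributes (@font-face, backgrounds).
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


class _ResourceCollector(HTMLParser):
    """Collects every URL the page asks the browser to load."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []
        self._in_style = False

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        attributes = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attributes.get(name)
            if not value:
                continue
            if name == "srcset":  # "url1 1x, url2 2x": keep only the URLs
                self.urls += [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                self.urls.append(value.strip())
        style = attributes.get("style")
        if style:
            self.urls += CSS_URL_RE.findall(style)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag: str) -> None:
        if tag == "style":
            self._in_style = False

    def handle_data(self, data: str) -> None:
        if self._in_style:
            self.urls += CSS_URL_RE.findall(data)


def find_third_party_hosts(page_html: str, own_hosts: set[str]) -> dict[str, list[str]]:
    """Return {host: [urls]} for every resource not served from own_hosts.

    Relative URLs and data: URIs never leave your server, so they are skipped.
    Protocol-relative URLs (//host/path) are treated like any other host.
    """
    collector = _ResourceCollector()
    collector.feed(page_html)
    own = {h.lower() for h in own_hosts}
    external: dict[str, list[str]] = {}
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "data":
            continue
        host = parts.hostname  # None for relative URLs
        if not host or host.lower() in own:
            continue
        external.setdefault(host.lower(), []).append(url)
    return external


# Constructed sample page: a typical "before clean-up" WordPress front page.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css">
<style>
@font-face { font-family: "Local"; src: url("/fonts/local.woff2") format("woff2"); }
.hero { background: url(https://maps.googleapis.com/maps/api/staticmap?center=Berlin) }
</style>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="https://secure.gravatar.com/avatar/0123abcd?s=64" alt="">
<img src="/wp-content/uploads/logo.png" alt="">
<iframe src="//platform.twitter.com/widgets/timeline.html"></iframe>
<form action="https://example.com/contact" method="post"></form>
<img src="data:image/gif;base64,R0lGOD" alt="">
</body></html>"""

if __name__ == "__main__":
    for host, urls in sorted(find_third_party_hosts(SAMPLE_PAGE, {"example.com", "www.example.com"}).items()):
        print(f"{host}: {len(urls)} resource(s)")
```

Note that this only inspects the HTML you feed it; scripts that load further resources at runtime (tag managers, embed loaders) are only visible in the browser’s network panel, so use the scanner as a first pass and confirm with a real page load.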

Revert to Self-Hosted Open Source Solutions

Instead, revert to self-hosted open source solutions and alternatives.

It’s time to clean up your site!

Especially for more basic corporate websites, this is a good option. Ask yourself: do you really need e.g. Google Analytics to gather simple visitor stats?

Yes, if you’re an e-commerce business and need to set up goals and remarketing while segmenting your users, then Google Analytics is a really powerful option that you probably don’t want to live without.

But for a smaller corporate website, or a WordPress site without any e-commerce functionality, a slightly more basic, self-hosted option like Matomo (formerly known as Piwik) may be just as good.

Improved Page Speed. The Collateral Benefit of GDPR.

There’s actually a pretty huge benefit to avoiding 3rd party plugins:

Page speed and site performance.

You’ll notice a significant increase in page speed once you’ve cleaned up your site and run only the bare essentials. You reduce HTTP requests, you avoid the extra DNS lookups and TLS handshakes to third-party hosts, you slim down data transfers and your site loads faster. Much faster, actually, without the overhead of all the clutter and plugins.

This leads to improved SEO and better search engine rankings. IMHO, and for most businesses, it’s worth asking whether this benefit isn’t more important than the gains you get from embedding a Facebook Like button or serving Google Fonts from their CDN instead of from your own server.

Open Source Alternatives to 3rd Party WordPress Plugins

So let’s take a brief look at the steps I’ve been taking to make a content-only WordPress site as GDPR-compliant as possible.

Here’s a list, still in progress, of the alternatives I used to retain basic functionality while avoiding data transmission to 3rd parties:

Akismet

Akismet is a spam filtering service that filters spam from comments, trackbacks and contact form messages. It is offered by Automattic, the company behind WordPress.com, which is also a major contributor to the WordPress project itself.

Because the Akismet plugin ships with every default WordPress install, it’s used by millions of sites worldwide. And it does a really good job at preventing spam.

The drawback, however, is that it transfers personal data to the Akismet servers located in the US:

When a comment is tested for spam the information that the commenter provided is transmitted to the Akismet servers. This includes the name, email address, site URL, and the comment itself.

This certainly creates a conflict with the GDPR, especially when personal data is transmitted to a server located outside the EU without the user’s explicit consent.

As far as I know, Akismet is still working on modifying its plugin and service to become GDPR compliant, and chances are it’s not going to be feasible for them to reach 100% compliance.

Running a site without any anti-spam measures is not a good option.

So what is the solution for this?

Well, switch to another free open source plugin. After testing several of the available options, I’ve decided to use Antispam Bee on many of my WordPress sites.

Here’s a quote from the Antispam Bee website:

Say Goodbye to comment spam on your WordPress blog or website. Antispam Bee blocks spam comments and trackbacks effectively, without captchas and without sending personal information to third party services. It is free of charge, ad-free and 100% GDPR compliant.

I’m really happy with it: so far no automated spam has reached any of my sites.

reCAPTCHA by Google

While we’re at it and talking about anti-spam measures, we ought to mention reCAPTCHA. It’s not easy to imagine the internet without it:

We’ve all gotten used to confirming that we’re not robots by clicking on images of cars, roads and mountains.

There’s been some criticism of Google for using reCAPTCHA to “unfairly use people around the world to help it transcribe books, addresses, and newspapers without any compensation”.

Also, reCAPTCHA has been labelled “a serious barrier to internet use” for people with sight problems and reading disabilities.

In regards to the GDPR, there’s a similar issue as with Akismet above:

Data is transmitted to 3rd party servers outside the European Union. Because the reCAPTCHA script is loaded on every page that contains it, whether or not the visitor actually wants to submit a form and use the service, it’s not easy to obtain explicit consent beforehand. And the data reCAPTCHA collects about the visitor can be personal data in the sense of the GDPR.

Vital interests, legitimate interests & Article 6(1)(d) and 6(1)(f)

Some people would argue that reCAPTCHA (and also Akismet) are covered by Article 6(1)(d) and 6(1)(f), as well as Recital 49. Article 6(1)(d) allows processing if:

processing is necessary in order to protect the vital interests of the data subject or of another natural person

and Article 6(1)(f) if:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Furthermore, the often quoted Recital 49 might apply:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

The argument would be that you as a business have a legitimate interest in reducing spam: spam takes up your time and your resources. (Note that Recital 46 reserves the vital interests basis of Article 6(1)(d) for interests essential to someone’s life, so in practice the argument rests on legitimate interests under Article 6(1)(f) and Recital 49.)

Therefore some people assume that reducing spam is a legitimate interest for a business, and thus that sending personal user information to a 3rd party server outside the Union is not in conflict with the GDPR.

Personally, I’m not convinced of this argument:

When it’s technically possible to protect your business interest – in this case fighting spam – in other ways than transmitting user data to a 3rd party, then I really don’t see how the GDPR could endorse this. Article 6(1)(f) only covers processing that is necessary for the legitimate interest, and if a self-hosted alternative achieves the same goal, the transfer is hard to call necessary.

Again, there are still many uncertainties and open questions regarding the GDPR. We will certainly gain more clarity over the next years, especially during 2019 when further legislation is due to be introduced.

To be on the safe side, and to make sure you comply with the “spirit of the GDPR”, I’d advise avoiding both Akismet and reCAPTCHA if possible.

The honeypot solution

If you need a basic anti-spam feature, e.g. for your contact forms, you can consider setting up a so-called honeypot. On this site, https://danten.io, I use Contact Form 7 and the Contact Form 7 Honeypot plugin. This is how it works:

This simple addition to the wonderful Contact Form 7 (CF7) plugin adds basic honeypot anti-spam functionality to thwart spambots without the need for an ugly captcha.

The principle of a honeypot is simple — bots are stupid. While some spam is hand-delivered, the vast majority is submitted by bots scripted in a specific (wide-scope) way to submit spam to the largest number of form types. In this way they somewhat blindly fill in fields, regardless of whether the field should be filled in or not. This is how a honeypot catches the bot — it introduces an additional field in the form that if filled out will cause the form not to validate.
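To make the principle concrete, here is the server-side half of a honeypot check as an added example in Python. It is not the Contact Form 7 Honeypot plugin’s code (that plugin is PHP); it only implements the rule described above: render an extra field a human never sees, and refuse the submission if it comes back filled in. The field name, the off-screen CSS, the timing threshold and the sample submissions are all assumptions constructed for this illustration, and the “field missing” and “submitted too fast” checks go one step beyond the basic honeypot.

```python
"""Server-side honeypot check for a contact form.

Added example in Python (the Contact Form 7 Honeypot plugin is PHP; this is not
its code, only the principle from the description above). The field name, the
off-screen CSS, the timing threshold and the sample submissions are all
assumptions constructed for this illustration.
"""
from __future__ import annotations

import html
import time

HONEYPOT_FIELD = "website_url"   # hypothetical name: bots love to fill anything that looks like a URL field
TIMESTAMP_FIELD = "form_issued_at"
REQUIRED_FIELDS = ("your-name", "your-email", "your-message")
MIN_FILL_SECONDS = 3.0           # hypothetical threshold; a human needs a few seconds to type a message


def render_honeypot(name: str = HONEYPOT_FIELD, issued_at: float | None = None) -> str:
    """Markup to drop into the form next to the real fields.

    The trap is hidden by moving it off-screen, not with type="hidden": many
    bots skip hidden inputs but happily fill text inputs they cannot see.
    tabindex, autocomplete and aria-hidden keep keyboard users, browser
    autofill and screen readers away from it, so real visitors leave it empty.
    """
    safe = html.escape(name, quote=True)
    issued = int(issued_at if issued_at is not None else time.time())
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{safe}">Leave this field empty</label>'
        f'<input type="text" id="{safe}" name="{safe}" tabindex="-1" autocomplete="off" value="">'
        '</div>'
        f'<input type="hidden" name="{TIMESTAMP_FIELD}" value="{issued}">'
    )


def validate_submission(form: dict[str, str], now: float | None = None,
                        honeypot: str = HONEYPOT_FIELD) -> tuple[bool, str]:
    """Return (accepted, reason) for a posted form.

    In production, reject silently: answer the bot with the normal "thank you"
    page and simply do not deliver the message, so it gets no feedback to adapt to.
    """
    now = time.time() if now is None else now
    # 1. Our form always renders the trap field; a submission without it did not
    #    come from the form we served (added check, beyond the basic honeypot).
    if honeypot not in form:
        return False, "honeypot field missing"
    # 2. The core honeypot rule from the description: anything in the trap field
    #    means the submitter filled in a field it could not see.
    if form[honeypot].strip():
        return False, "honeypot filled"
    # 3. Timing check (also an addition): bots post within milliseconds of
    #    fetching the form. The timestamp is client-supplied, so this only
    #    catches bots that do not bother to fake it; treat it as a weak signal.
    try:
        issued = float(form.get(TIMESTAMP_FIELD, ""))
    except ValueError:
        return False, "timestamp missing or malformed"
    if now - issued < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    # 4. Ordinary validation of the visible fields.
    for field in REQUIRED_FIELDS:
        if not form.get(field, "").strip():
            return False, f"missing required field: {field}"
    return True, "accepted"


# Constructed sample submissions (not real traffic).
ISSUED = 1_700_000_000.0
HUMAN = {
    "your-name": "Dana", "your-email": "dana@example.org",
    "your-message": "Hi, I have a question about your article.",
    HONEYPOT_FIELD: "", TIMESTAMP_FIELD: str(int(ISSUED)),
}
BOT_FILLED_TRAP = dict(HUMAN, **{HONEYPOT_FIELD: "http://spam.example/"})
BOT_FORGED_FORM = {k: v for k, v in HUMAN.items() if k != HONEYPOT_FIELD}


def classify_samples() -> dict[str, tuple[bool, str]]:
    """Run the checks: the human submits 40 s after page load, the bots within 0.2 s."""
    return {
        "human": validate_submission(HUMAN, now=ISSUED + 40),
        "bot_filled_trap": validate_submission(BOT_FILLED_TRAP, now=ISSUED + 0.2),
        "bot_forged_form": validate_submission(BOT_FORGED_FORM, now=ISSUED + 40),
        "bot_too_fast": validate_submission(HUMAN, now=ISSUED + 0.2),
    }


if __name__ == "__main__":
    for label, (accepted, reason) in classify_samples().items():
        print(f"{label:16} accepted={accepted} ({reason})")
```

The trap field is named like something worth filling (a URL), hidden with CSS rather than `type="hidden"`, and excluded from tab order, autofill and assistive technology; get any of those wrong and you either stop catching bots or start rejecting real visitors. None of this sends a single byte about the visitor to a third party, which is the whole point in the GDPR context.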

[ Work in progress – the following plugins yet to be covered ]

#GDPR