Data Privacy, DSGVO, and Cookies

Often the web­site oper­a­tor is told, that Data pro­tec­tion is com­plex and has to be orga­nized by experts. But what if she does­n’t have the mon­ey for that? If it seems some­how non­sen­si­cal to shoot at a spar­row blog with the can­non of a paid team of experts? Then — maybe and with the help of Google — she installs some pop­u­lar Word­Press plu­g­ins for data pri­va­cy and DSGVO and/or cook­ies — in the hope that all goes well. Or she inves­ti­gates it in more detail. And in the end, she per­haps gath­ers rules of thumb, from which at least one well-work­able way results. Here are my 3.7 rules of thumb, applied to my own data pri­va­cy file:

Solution

• I. Use only the per­son­al data that you real­ly need for the func­tion­ing of your sys­tem.
• II. If you col­lect per­son­al data, tell the own­ers,
  • that you are going to do so,
  • for what pur­pose you use the data,
  • what legal basis autho­rizes you to do so,
  • with whom you share the data,
  • how long you will store it,
  • how they can ask you which data you have stored over time
  • how they can have the data delet­ed again.
• III. If you store data on the com­put­er of your users, which they did not request direct­ly or indi­rect­ly, ask them before­hand for per­mis­sion.

Background

If I pro­ceed accord­ing to this — so I make myself believe again and again — I will design my sites in a way that I avoid the rough­est traps¹ and errors². Because I always have one thing in mind: with a mere cook­ie ban­ner it is not done:

1. The first thing I con­sid­er is where my blog as a sys­tem col­lects per­son­al data. The ones that I explic­it­ly request in and with forms are the eas­i­est for me to notice and remem­ber. Here I know — qua office — what I do with them and to whom I pass them etc.
2. Fur­ther­more, I am aware that IP address­es are also con­sid­ered per­son­al data — although the inter­net would not func­tion with­out them.
3. Addi­tion­al­ly, Word­Press can col­lect, note, and send data to third par­ties — as well as the plu­g­ins I’ve acti­vat­ed, the JavaScript libraries I’ve installed, the Google fonts I’ve inte­grat­ed, etc., etc.
4. Even­tu­al­ly, my com­menters are usu­al­ly made rec­og­niz­able via the com­mon Gra­vatar sys­tem.

I have to sort out this mish­mash:

• Rule (I) tells me that less is more: the few­er data I ask for and the few­er plug-ins I use, the lean­er my data pro­tec­tion con­cept can be. So I clean out here, e.g. by treat­ing pro­duc­tive and devel­op­ing sys­tems dif­fer­ent­ly.
• Rule (II) tells me that I must actu­al­ly describe the remain­ing data sets in the data pro­tec­tion con­cept. So I also deter­mine what data my plu­g­ins, font requests, and oth­er tech­ni­cal com­po­nents col­lect, how they store it, and where they pass it on.
• Rule (III) tells me that I have to get per­mis­sion to write files, i.e. cook­ies, to my user’s com­put­er — either by law, as in the case of tech­ni­cal­ly nec­es­sary cook­ies, or by con­sent of my user. And to get this con­sent, it is help­ful to spec­i­fy the pur­pose and effect.

My next posts describe how I have imple­ment­ed this in my bootScore-based site con­crete­ly.

---

And how does this …

… sup­port our migra­tion to bootScore? Well, besides her nor­mal design work, the web-design­er must deal with some legal require­ments, as — for exam­ple — those of the DSGVO pri­va­cy, of hav­ing a cook­ie con­sent dia­log and the respec­tive seman­tic, of hav­ing a data pri­va­cy page, an imprint, an image ref­er­ence page, and a FOSS com­pli­ance page. This post shall sup­port you to man­age your legal issues.

---

1. cf. https://www.e‑recht24.de/artikel/datenschutz/8451-hinweispflicht-fuer-cookies.html [↩]
2. cf. https://www.ihk.de/halle/recht/datenschutz/sonstige-rechtsinformationen/cookie-banner-fuenf-fehler-die-sie-vermeiden-sollten–4854218 [↩]