Hugo offers GDPR friendly settings. Although I really appreciate the effort, I think they may be insufficient.
The GDPR friendly settings will instruct the platforms to NOT TRACK, through the DNT directive (Do Not Track). However, GDPR is not about tracking, but about leaking Personally Identifiable Information (PII) to third parties. Even an IP address is considered to be PII. Your data (IP address and metadata) may end up in the logs of other hosting providers or in the US government's database through systems like the PRISM project.
A German court recently fined a website owner for loading Google Fonts. AFAIK you are only allowed to create LINKS TO other webpages, given that you clearly mark what website you are linking to. The website visitor is considered to give explicit consent by clicking the link. Any other form of third-party content is prohibited, unless you have explicit consent (through a cookie banner, for example).
Should we change this page in the Docs? Should we leave out the ‘GDPR’ claim and change the title of the page to ‘Privacy settings’? This would prevent the Hugo docs from giving (potentially) wrong legal advice.
I agree that it would be best to at most mention GDPR in a footnote on that page. Mentioning GDPR in the title can easily give people the wrong impression. If one reads the “Note that:” part, all is explained, but it is better to be clear from the start.
It would be better to avoid misinformation about the GDPR, where the Hugo official website should contain technical information only without falling into possible legal mistakes.
Indeed, the title of the GDPR is “the protection of natural persons concerning the processing of personal data and on the free movement of such data”. Thus, the protection is related to natural persons and not data.
The common mistake is to consider that it falls under the GDPR for data protection. Instead, the protection is related to natural persons and their personal information, avoiding the unlawful processing of their personal data.
No doubt regarding the IP address being personal information, like other technical ones.
Anything that hits a third-party server without prior disclosure and opt-out ability, AFAIK.
Hence the recently raised issue of using Google Fonts: if you don’t provide a user the ability to opt out of your fonts, you are exposing that visitor’s IP address to Google without their consent.
So I think this is the list that hits a third party server.
Those services are no problem/actually quite useful in non-European countries. They are also allowed in the EU when you have explicit consent. I do not think that these services/shortcodes are the point/problem.
However, providing privacy settings that claim GDPR compliance seems like legal advice to me. You could make a footnote, as proposed. This could somehow link these privacy settings vaguely to the GDPR, saying something like “These privacy settings enhance the privacy of the visitor and can be useful in the process of making a website GDPR compliant.” I would refrain from any other claim or further mention of the GDPR.
True… but not the point IMO. Every developer in the EU knows (or should know) what is allowed. It is not the task of Hugo to produce GDPR compliant websites. You can build ANY website with Hugo: a GDPR compliant one and a wildly non-compliant one. The only thing Hugo should REFRAIN from is advising you on how to achieve that. That is not the task of Hugo; it is country-specific and most likely incorrect… thus risky.
A good point. It should be made clear what the potential effects of using certain inbuilt templates might be, not everyone is a professional web dev and/or lawyer.
I have to disagree here. I don’t see any inherent risks in a privacy-first, secure-by-default architecture. No one will ever be prosecuted for not giving away PII to third parties without consent.
Should it? I think we cannot and won’t fix that for them. Wix, WordPress and Squarespace aren’t solving that for their customers either (just to name a few website builders). GDPR is very complex. Hugo should draw the line at privacy settings and SHOULD leave the rest to professionals and lawyers.
I meant that the current privacy-friendly options on the current ‘Hugo and GDPR’ page might not be GDPR compliant, and are thus risky. I agree that privacy by design is a good approach, but it is far from mainstream and only relevant in the EU (and California?)… Therefore, removing all third-party requests might be a bridge too far for now.
Some of these are things that are broken, and some are improvements. Making them someone else’s problem is attractive, but again, I am not advocating their removal.