I posted this on Twitter, but it’s a good read, and a sign that Hugo may be even more popular in the time to come:
The new The General Data Protection regulations (GDPR) in EU (and EEA where my country is a member) is being enforced from 15th of May. Not long.
Some say it is the new “year 2000” in IT. And most companies are extremely unprepared, and the fines are heavy.
I was reminded of this recently by a phone call from an IT company.
“Hey. We see that you are on our mailing list. With the new privacy laws we need you to log on and check a consent form, or we will have to delete your email address …”
A phone call!
So, the many WordPress installations around will be extremely hard to get GDPR compliant. For many going static will be the cheapest and simplest option. And if you read the regulations like the Devil reads the bible, I think Hugo with its static binary is the top choice.
Yes of course Hugo is a top choice for privacy GDPR compliant websites. I have been reading up on the regulation for a while and prepare the sites I manage.
There is one thing though that I would like to draw your attention to @bep . The default internal Hugo template for Google Analytics as I gather doesn’t look compliant with the GDPR in its current form. Everything should be opt-in and IPs anonymized. No page view should be sent to Google servers before a visitor agrees for Google Analytics cookies.
The same goes for the YouTube template I think that one should use the new youtube-no-cookie version and possibly modifications are needed in other internal templates.
But to be honest the onus is on Hugo site admins to make their sites GDPR compliant.
I can’t wait! Really looking forward to the time when all those un-asked for spam mails from companies and vendors that should know better are forced to dry up.
to be fair, there are plenty of articles and plugins for WordPress to help with GDPR but there is no doubt that things are simpler with a static generated site.
But the problem is, any sizeable WP site will have a myriad of plugins. You may supply tools to discover that those plugins are not compliant (not sure how that works, so some level of manual inspection would be involved), but then you need to find compliant alternatives …
@spf13 I assume Google is also touched by this on some level: Do you have any “check lists” that could be relevant for Hugo or could help us making Hugo “GDPR Compliant”?
It will be very interesting as I think that the EU DP’s office as well as each of the national offices are going to be absolutely swamped with complaints for months.
Nice to see that you have thought about it.
I am also not a lawyer though I do work in Information Security.
It might be worth adding a draft privacy policy page to the default minimal template?
Much of the processing will be outside your control since the cookies will be set via loaded scripts. But you could have some sensible defaults so that, if you include GA, YouTube, maybe Disqus, the privacy policy page is included and maybe linked into a standard footer.
Not sure, but at least a clear declaration of all external sources (shown on the site the user is visiting) might be needed.
Articles 2, 4, 5 (Pages 4 - 6) Definitions, Data quality, Lawfulness of processing
42
For EU Institutions, data protection by default is particularly
relevant for systems which directly interact with users, inside
or outside the EU Institutions. Where appropriate, any
processing operations shall be limited to what is the absolutely
necessary, as regards “the amount of personal data collected, the
extent of their processing, the period of their storage and their
accessibility" for persons or organisations. This should also be
applied to any tracking functions, e.g. in the context of web
services or mobile apps.
No, I disagree. A privacy policy is a mainstay of meeting the requirements. I am not suggesting that we should have standard wording, absolutely that is down to each site owner. However, it would be a helpful reminder to people less familiar with the requirements.
The use of external content is absolutely fine - as long as it doesn’t result in the capture of data that could lead back to the actual identity of the user. This is the thrust of the law.
It is absolutely clear that there is a significant grey area in the new law that is still being worked through. The ongoing discussion about the GA tracking number for example & it seems clear that the authorities have thought about this and are leaning towards excluding such things - but, no absolute decision has yet been made.
In honesty, it is very unlikely indeed that any site that has taken some steps to meet GDPR requirements and is only doing analytics and 3rd party discussions will ever be pursued unless they are a very large and important site. Even then, it will take months at least for the edge cases of this law to settle.
Again, the important thing will be to be able to demonstrate that you have thought about GDPR and tried to take steps to deal with it.
On the other hand, if you are running a high-profile site or are deliberately capturing identifiable user data - whether through commerce or for some other reason - then you do indeed need additional steps and really need subject matter experts to help you.
I was speaking with someone at the UK’s ICO on Thursday and they were clear that they want people to contact them earlier rather than later on GDPR matters - of course, I doubt their resourcing levels are sufficient to cope with the early influx of requests, issues and complaints.
Sorry, I should also have said that I agree that you should declare your external resources on your privacy policy. However, the important thing about the policy is declaring your intent for the use of the data you hold and the resources you are using.
If you are consulting legal experts, you also need to remember that GDPR requires you to use language that is comprehensible to the majority of your users. This excludes a lot of legal wording that incorporates legal terminology.
I’m not an expert in the GDPR. But as I posted on Github even the Client ID is considered by some privacy experts as personal identifiable information.
The standard GA code does not anonymize a visitor’s IP and sets the Client ID cookie in a users device with a 2 years expiry date. Now that looks like something that needs user opt-in in my humble opinion.
Also as the GDPR is strictly opt-in you need to disable GA until a user agrees to its use.
I don’t think that’s enough. Your users would need to agree to the privacy policies and data collection of the third party resources you have included in your site.
But the best approach would be to ask a lawyer.
Personally I have already removed non essential third party resources from Hugo sites I manage, e.g. Google Fonts.
Not if they don’t collect personal information. AFAIK, but haven’t checked yet, for example, Disqus does not collect information unless you sign in. At which point you (as the user not the site owner) must deal with their terms and conditions and privacy. As a site owner in that case, you would only be expected to declare that Disqus is used and why.
As you say though, we are not legal experts.
Personally, I am not willing to over-react until things are rather clearer. I will certainly try to improve my privacy statement and policy and will ensure that GA is only doing the minimum but that’s about it for now. There is a lot of work still to be done on the law and its consequences.
I will continue to use Disqus and include my Twitter timeline. I will be needing a new set of sharing icons anyway as WordPress used to take care of that via a plugin so I’ll probably hold back on that for a while.
But then I don’t sell things or advertise on my sites right now. That only leaves my contact form and that is easily dealt with manually.
It will be much harder for sites that sell things and high-profile, high-volume sites that’s for sure.
For example, how is Discourse handling GDPR? Does their response to it cause any issues for the Hugo authors? Looks like they are probably OK: https://meta.discourse.org/t/gdpr-and-anonymizing-personal-data/72103/2 but you need to be ready to delete users and provide an export of all data on request.
