Hugo vs The General Data Protection regulations (GDPR) in EU (EEA)

I posted this on Twitter, but it’s a good read, and a sign that Hugo may be even more popular in the time to come:

The new General Data Protection Regulation (GDPR) in the EU (and the EEA, where my country is a member) is being enforced from the 15th of May. Not long.

Some say it is the new “year 2000” in IT. And most companies are extremely unprepared, and the fines are heavy.

I was reminded of this recently by a phone call from an IT company.

“Hey. We see that you are on our mailing list. With the new privacy laws we need you to log on and check a consent form, or we will have to delete your email address …”

A phone call!

So, the many WordPress installations around will be extremely hard to get GDPR compliant. For many going static will be the cheapest and simplest option. And if you read the regulations like the Devil reads the bible, I think Hugo with its static binary is the top choice.


Yes, of course Hugo is a top choice for privacy/GDPR compliant websites. I have been reading up on the regulation for a while and am preparing the sites I manage.

There is one thing though that I would like to draw your attention to, @bep. The default internal Hugo template for Google Analytics, as I gather, doesn’t look compliant with the GDPR in its current form. Everything should be opt-in and IPs anonymized. No page view should be sent to Google servers before a visitor agrees to Google Analytics cookies.

The same goes for the YouTube template; I think that one should use the new youtube-no-cookie version, and possibly modifications are needed in other internal templates.

But to be honest the onus is on Hugo site admins to make their sites GDPR compliant.


I can’t wait! Really looking forward to the time when all those un-asked for spam mails from companies and vendors that should know better are forced to dry up.

To be fair, there are plenty of articles and plugins for WordPress to help with GDPR, but there is no doubt that things are simpler with a statically generated site.

Can you create a GH issue for those two and I will put a priority on it – I can use it as a marketing gimmick …

If you could put some details in the “what” it would be even better.

Ok. I will need a few hours on this (I’m no lawyer but I’ll try to make it as comprehensive as I can).

I’ll file the GitHub issue later tonight with annotations.


Sure.

But the problem is, any sizeable WP site will have a myriad of plugins. You may supply tools to discover that those plugins are not compliant (not sure how that works, so some level of manual inspection would be involved), but then you need to find compliant alternatives …

That would be great!

@spf13 I assume Google is also touched by this on some level: Do you have any “check lists” that could be relevant for Hugo or could help us make Hugo “GDPR compliant”?

:wink:

Well, I am converting anyway.

It will be very interesting as I think that the EU DP’s office as well as each of the national offices are going to be absolutely swamped with complaints for months.

Nice to see that you have thought about it.

I am also not a lawyer though I do work in Information Security.

It looks as though serious consideration is being given to formally exclude basic analytics from GDPR:
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_15333_2017_INIT&from=EN

This looks like a sensible analysis of the situation: https://www.amazeemetrics.com/en/blog/google-analytics-gdpr-compliant


It might be worth adding a draft privacy policy page to the default minimal template?

Much of the processing will be outside your control since the cookies will be set via loaded scripts. But you could have some sensible defaults so that, if you include GA, YouTube, maybe Disqus, the privacy policy page is included and maybe linked into a standard footer.

What about:

  • disqus (the default implementation shows a comment count, even if the user did not agree on the visited site)
  • vimeo, tweet, instagram
  • the usage of Content Delivery Networks (CDN)? (for a site visitor, an external CDN node is unrelated to the site)
  • the usage of the Google Fonts API?

Question is: does a site need user approval to include external content? Since the external party gets the visitor’s IP address, and this may be considered “personal data” (?!??).
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

Not sure, but at least a clear declaration of all external sources (shown on the site the user is visiting) might be needed.

Articles 2, 4, 5 (Pages 4 - 6) Definitions, Data quality, Lawfulness of processing

42

For EU Institutions, data protection by default is particularly relevant for systems which directly interact with users, inside or outside the EU Institutions. Where appropriate, any processing operations shall be limited to what is absolutely necessary, as regards “the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility” for persons or organisations. This should also be applied to any tracking functions, e.g. in the context of web services or mobile apps.

It’s a nightmare I know. That’s why I said that other internal templates may be affected by the new regulation.

I still haven’t opened the GitHub issue. It’s already a lot of research about Google Analytics and I haven’t finished.

Feel free to post suggestions about the other templates you mentioned if you can.

I’ll try to have the issue opened in a couple of hours and then I’ll post a link to take the discussion there.

We need all the input we can get from Hugo users in the EU about GDPR compliance.


Only a lawyer familiar with the GDPR can do this. It’s out of scope.

The only thing we should do is to provide the least intrusive internal templates and then let Hugo admins take it from there.

Issue opened.

Feel free to add your comments. We need your help.


No, I disagree. A privacy policy is a mainstay of meeting the requirements. I am not suggesting that we should have standard wording, absolutely that is down to each site owner. However, it would be a helpful reminder to people less familiar with the requirements.

The use of external content is absolutely fine - as long as it doesn’t result in the capture of data that could lead back to the actual identity of the user. This is the thrust of the law.

It is absolutely clear that there is a significant grey area in the new law that is still being worked through. Take the ongoing discussion about the GA tracking number, for example: it seems clear that the authorities have thought about this and are leaning towards excluding such things, but no absolute decision has yet been made.

In honesty, it is very unlikely indeed that any site that has taken some steps to meet GDPR requirements and is only doing analytics and 3rd party discussions will ever be pursued unless they are a very large and important site. Even then, it will take months at least for the edge cases of this law to settle.

Again, the important thing will be to be able to demonstrate that you have thought about GDPR and tried to take steps to deal with it.

On the other hand, if you are running a high-profile site or are deliberately capturing identifiable user data - whether through commerce or for some other reason - then you do indeed need additional steps and really need subject matter experts to help you.

I was speaking with someone at the UK’s ICO on Thursday and they were clear that they want people to contact them earlier rather than later on GDPR matters - of course, I doubt their resourcing levels are sufficient to cope with the early influx of requests, issues and complaints.

Sorry, I should also have said that I agree that you should declare your external resources on your privacy policy. However, the important thing about the policy is declaring your intent for the use of the data you hold and the resources you are using.

If you are consulting legal experts, you also need to remember that GDPR requires you to use language that is comprehensible to the majority of your users. This excludes a lot of legal wording that incorporates legal terminology.

Is this true? I don’t doubt you know more about GDPR than me, but the article that Bep linked in the first post says:

With the note that:

So is it “no page view should be sent unless …” or “we can send page views to Google unless …”?

I’m not an expert in the GDPR. But as I posted on GitHub, even the Client ID is considered by some privacy experts as personally identifiable information.

The standard GA code does not anonymize a visitor’s IP and sets the Client ID cookie on a user’s device with a 2-year expiry date. Now that looks like something that needs user opt-in, in my humble opinion.

Also as the GDPR is strictly opt-in you need to disable GA until a user agrees to its use.

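A consent-gated analytics.js loader that illustrates the three points raised in the post above: no script and no page view until the visitor opts in, IP anonymized, and a shorter `_ga` cookie lifetime than the 2-year default. This is an added example, not Hugo’s internal template; the consent cookie name `ga_consent`, the 30-day lifetime and the tracking ID placeholder are assumptions made here.

```javascript
// Consent-gated Google Analytics loader (added example, not Hugo's internal template).
// Nothing is requested from or sent to Google until the visitor has opted in.
// Assumption: the opt-in decision is stored in a cookie named "ga_consent"
// (name chosen for this example) whose value is "yes".

function hasAnalyticsConsent(cookieHeader) {
  // Parse a document.cookie-style string; only an explicit "yes" counts as opt-in.
  return cookieHeader
    .split(';')
    .map((c) => c.trim().split('='))
    .some(([k, v]) => k === 'ga_consent' && v === 'yes');
}

// Returns the analytics.js commands that get queued, or an empty list when the
// visitor has not consented (then loadScript is never called, so no request,
// no page view and no cookie). loadScript is injected so the logic can be
// exercised outside a browser.
function initAnalytics(trackingId, cookieHeader, loadScript) {
  if (!hasAnalyticsConsent(cookieHeader)) {
    return [];
  }
  loadScript('https://www.google-analytics.com/analytics.js');
  return [
    // cookieExpires is in seconds; 30 days here instead of the 2-year default
    ['create', trackingId, { cookieExpires: 60 * 60 * 24 * 30 }],
    // truncate the visitor's IP before it is stored by Google
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser glue: install the usual ga() command queue and replay the commands.
function runInBrowser(trackingId) {
  window.ga = window.ga || function () {
    (window.ga.q = window.ga.q || []).push(arguments);
  };
  const loadScript = (src) => {
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };
  for (const cmd of initAnalytics(trackingId, document.cookie, loadScript)) {
    window.ga(...cmd);
  }
}
```

In a Hugo site this would replace the unconditional script tag of the internal template, with `runInBrowser('UA-XXXXXXXX-X')` (placeholder ID) called once the consent banner has been answered.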

I don’t think that’s enough. Your users would need to agree to the privacy policies and data collection of the third party resources you have included in your site.

But the best approach would be to ask a lawyer.

Personally I have already removed non essential third party resources from Hugo sites I manage, e.g. Google Fonts.

Not if they don’t collect personal information. AFAIK, but haven’t checked yet, for example, Disqus does not collect information unless you sign in. At which point you (as the user not the site owner) must deal with their terms and conditions and privacy. As a site owner in that case, you would only be expected to declare that Disqus is used and why.

As you say though, we are not legal experts.

Personally, I am not willing to over-react until things are rather clearer. I will certainly try to improve my privacy statement and policy and will ensure that GA is only doing the minimum but that’s about it for now. There is a lot of work still to be done on the law and its consequences.

I will continue to use Disqus and include my Twitter timeline. I will be needing a new set of sharing icons anyway as WordPress used to take care of that via a plugin so I’ll probably hold back on that for a while.

But then I don’t sell things or advertise on my sites right now. That only leaves my contact form and that is easily dealt with manually.

It will be much harder for sites that sell things and for high-profile, high-volume sites, that’s for sure.

For example, how is Discourse handling GDPR? Does their response to it cause any issues for the Hugo authors? Looks like they are probably OK: https://meta.discourse.org/t/gdpr-and-anonymizing-personal-data/72103/2 but you need to be ready to delete users and provide an export of all data on request.