-
05-18-2018, 09:07 AM #1 Junior Guru Wannabe (Join Date: May 2017 | Posts: 75)
What should I need to change following the GDPR?
I am using AdSense and Google Analytics.
What steps must I take to comply with the conditions of the GDPR?
I read the emails they sent (AdSense and Analytics) about the changes, but what should I actually do on my website?
I have to warn EU visitors of something specific; the truth is that I've got into a big confusion.
I would be happy to learn what steps you have taken following the GDPR.
*Thanks, and sorry about my English
-
05-18-2018, 09:18 AM #2 WHT Addict (Join Date: Mar 2018 | Posts: 122)
http://securit.pages.services/are-yo...pr-its-coming/
All the information you need.
Sent from my SM-G920F using Tapatalk
-
05-18-2018, 09:46 AM #3
Well, no one knows 100% yet. It will be ongoing for many years after no doubt. But you can work on what we have available for now.
HostXNow - Shared Web Hosting | Semi Dedicated Hosting | Enterprise Reseller Hosting | VPS Hosting
-
05-20-2018, 09:44 AM #4 Web Host Reviewer (Join Date: Feb 2006 | Location: Kepler 62f | Posts: 16,699)
Depending on your location, maybe nothing at all.
|| Need a good host?
|| See my Suggested Hosts List || Editorial: EIG/Site5/Arvixe/Hostgator Alternatives
||
-
05-20-2018, 01:51 PM #5 Junior Guru Wannabe (Join Date: May 2017 | Posts: 75)
-
05-20-2018, 02:52 PM #6
It's not a matter of what you should change; it's a matter of how much time you have to commit to legislation containing over 88 pages in a single PDF document, and keeping up with the manuscript as it evolves and amendments are added.
http://eur-lex.europa.eu/legal-conte...LEX:32016R0679
Nowadays, I just use the documentation to learn new words. "envisages" is my word of the day!
On a more serious note, and from what I gather,
1. As long as you're open and honest about the data you collect.
2. You remove non-essential private information about your customers.
3. You remove all information upon request for non-customers (e.g. they cancelled, and you keep only what's required by your local laws).
4. You don't market to anyone who hasn't opted in.
You "SHOULD" be fine.
This is not legal advice, and I would make a horrible lawyer.
★ GlowHost ★ → Affordable Managed Web Hosting Since 2002.
Cloud Servers - Hot Failover + Clustered Storage
Managed Dedicated Servers - Semi-Dedicated Servers
Shared & Reseller packages - 20 Min Ticket Response - 24/7/365 Phone & Live Chat
-
05-20-2018, 02:56 PM #7 WHT Addict (Join Date: Mar 2018 | Posts: 122)
You don't have to comply with EU law if your business is run from Israel.
But I do advise you to respect it.
Simply add the option for people to have their details removed on request without you or your staff asking questions.
Also only store essential information.
And keep your site and client area secure.
Don't host your database on the same server as your site and client area.
Make sure you do everything to avoid hacks and/or leaks.
-
05-20-2018, 06:34 PM #8 Web Host Reviewer (Join Date: Feb 2006 | Location: Kepler 62f | Posts: 16,699)
-
05-20-2018, 06:44 PM #9 WHT Addict (Join Date: Mar 2018 | Posts: 122)
True, but if he does business with European clients it's not a bad idea to keep that in mind and be prepared.
We run our business from the USA but still honour EU regulations to accommodate those clients.
In the past this has proven to be very effective.
-
05-20-2018, 06:56 PM #10 Web Host Reviewer (Join Date: Feb 2006 | Location: Kepler 62f | Posts: 16,699)
The GDPR has aspects that run contrary to U.S. law, and as a U.S. citizen and located business, you need to follow U.S. law. You don't get to pick and choose what jurisdictional laws/rules/regulations you follow anymore than the EU does. What they do applies to them, and only them.
I'm all for the spirit of the GDPR (privacy, security, anti-spam), but the regulation itself is horsepuckey.
-
05-21-2018, 01:59 AM #11 Junior Guru Wannabe (Join Date: May 2018 | Posts: 84)
Hasn't WHMCS or cPanel come up with a new version or plugin to help adhere to GDPR instructions? It would have been easier that way, since most hosting providers use them in their setup.
-
05-21-2018, 06:51 AM #12 Web Hosting Master (Join Date: Oct 2003 | Location: UK | Posts: 3,590)
Hi
Can you explain what you mean by a plugin by cPanel or WHMCS?
GDPR is about PERSONAL data and not computer data, i.e. their name/address/phone number.
WHMCS has already made changes so order forms offer "opt in, opt out" of newsletters. By default it must be set to opt-out for GDPR.
You will also need tools to export client information in JSON format, again something WHMCS introduced in WHMCS 7.5.
Other changes like GDPR-WHOIS will be handled by your registrar.
If you sell to EU customers then you will need to have a GDPR policy including who you share details with and links to their privacy policies. For example, let's say you are a UK host but your marketing list is on Mailchimp; then you'll need something stating that personal details such as name and email address will be shared with Mailchimp, and here is a link to their privacy policy.
█ The Hosting Heroes Ltd - over 20 years in the UK hosting industry.
█ Website Hosting | Reseller Hosting | Cloud VPS Servers | Dedicated Servers | VPS Reseller for WHMCS
www.thehostingheroes.com
-
05-21-2018, 07:19 AM #13 Junior Guru Wannabe (Join Date: May 2018 | Posts: 84)
-
05-21-2018, 10:31 AM #14 Junior Guru (Join Date: Jan 2003 | Location: Budapest, Hungary | Posts: 231)
Yeah, but computer data might contain personal data, and you are responsible for each and every possible way personal data gets to you and out of you. IP addresses and email addresses are also personal data. That means almost all types of communication are covered by the law.
The WHMCS consent function is alright. However, there is an issue with companies having no internal documentation on personal data handling procedures, which is another can of worms.
You can export it in any format; the format is not in the law. Just portability, import/export of data. So data must be easily portable (so no, no PDF-only exports).
Yeah, but did you sign the registrar's DPA? Did you list possible interventions/changes and modifications in your procedures in your privacy policy because of the DPA of your registrar?
That is not enough: you need a DPA with Mailchimp, you need full internal documentation of the API exchange of data and proof of adherence to the Privacy Shield treaty. You need to ensure their security is on par with your requirements under GDPR. And you must modify your privacy policy to include any needed changes like: in case you sign up to our newsletter or sweepstakes we will send the following data: [list of data] to a foreign entity, Mailchimp, etc., located outside the European Union and working under Privacy Shield. And that's another can of worms!
https://www.privacyshield.gov/articl...Privacy-Shield
██ ServerAstra.com website / e-mail: info @ serverastra.com
██ HU/EU Co-Location / Managed and Unmanaged Cloud & Dedicated servers in Hungary with unmetered connections
-
05-25-2018, 06:28 PM #15 Newbie (Join Date: May 2018 | Posts: 11)
I have just made sure my privacy policy is up to date.
-
06-07-2018, 05:46 AM #16 Newbie (Join Date: Jun 2018 | Posts: 7)
GDPR
GDPR is very confusing. The more I read, the more confused I get.
From what I have researched, you should make your clients understand the concept of GDPR in a simple way and should give them an easy method to comply with GDPR.
-
06-07-2018, 07:41 AM #17 Web Hosting Master (Join Date: Nov 2015 | Posts: 645)
GDPR is not "being developed" - it's already in effect. Sure, parts of it can be changed in the future, just like any law, but we don't know which parts and how.
█ ResellersPanel.com - 16 years of experience in reseller hosting
█ Reseller Hosting | Web Hosting | VPS | Semi-dedicated | Dedicated | Domains | SSLs
█ Custom-built Hosting Platform & Control Panel | 24x7 Support | SSDs
█ Contact us @ +1-855-211-0932
-
06-07-2018, 05:08 PM #18 Aspiring Evangelist (Join Date: Apr 2012 | Location: Canberra | Posts: 399)
Pfft, two things that MVPS had helpfully blocked for me for 15 years.
But lately I am seeing a concerning rising number of "anti-adblocker" alerts. These companies have no regard for privacy whatsoever. The fact I've already taken proactive steps to opt out of something should be respected. Also, the amount of crap that websites try to load that is simply not required for them to function is unbelievable.
I've also had to add rules in uBlock Origin to block those annoying Cookie Popups as well, even WHT has one now (blocked, thank goodness), due to the EU's completely ham-fisted rules. Cookies don't necessarily track people, and there are a LOT of ways to track people - you can even do it using HSTS fingerprinting as described several years ago by Sam Greenhalgh. Basically, instead of setting a cookie you just use a bunch of subdomains to encode a user ID. For example, you have your website at example.com load resources from s01.example.com s02.example.com ... s20.example.com. Then you use a JavaScript function in the page to see what resources were loaded over HTTPS - if nothing was loaded over HTTPS (first visit) then you request a unique "fingerprint" of resources over HTTPS with the server sending the HSTS header, i.e. https://s02.example.com/something.gif https://s06.example.com/somethingelse.gif ...
Anyway, I can tell you 100% that at least 95% of websites that display the "Cookie Banner" are doing so frivolously. Like WHT - it came up even when I was logged in, meaning that cookies were already set! The EU legislation says you need to get consent before you set any cookies. Hardly any websites actually do this; at least 95% simply display the banner and already start setting cookies - and of course allow their 3rd-party malware servers (advertisers) to set them as well. The law is supposed to allow you, or I, to refuse cookies. In reality it doesn't - you get a banner that says "Like most websites we set cookies, click accept". And that's it. The website will set cookies anyway, and the banner displays despite cookies already being set. And they don't give you a decline button on the intentionally obtuse and ugly cookie banner.
Until EU websites start complying with the Cookie Law I don't hold out much hope that anyone will be complying with GDPR any time soon.
I don't believe you. Show me your website that doesn't set cookies until consent is given. Here in Australia, and in the US and Canada consent can be implied - in the EU it is not implied. Like I said above at least 95% of websites that display the cookie banner - including Google, and here at WHT, do so after already setting cookies, and that's not compliant with the EU law.
I'll cite the relevant part of the law, found in the Directive on privacy and electronic communications (ePrivacy Directive), Article 5(3):
"3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
The GDPR expands the legislation by specifically requiring affirmative consent and not implied consent; here is the relevant part:
"(32)Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
The conditions of consent are set out in GDPR Article 7:
"Article 7
"Conditions for consent
"1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
"2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
"3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
"4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
To summarise: (a) cookies that are essential for the website to function are exempt. (b) Users must give informed consent. (c) They must also be given the option to withdraw their consent at any time. (d) Users must be given the right to refuse cookies, and it has to be as easy as giving consent! (e) It applies to 3rd-party cookies. This means you cannot embed content that sets 3rd-party cookies like analytics and AdSense until after consent is given.
To give you an example, WHT's banner looks like this:
We use cookies to enhance your experience. By continuing to visit this site you agree to our use of cookies. Learn more X
This isn't compliant with EU legislation - it's not even close to compliant. (1.) There's no affirmative consent. Clicking the "X" sets a cookie called "cookiebanner-accepted" with the value "1". As above, the GDPR specifically states that isn't good enough. The statement "By continuing to visit this site you agree to our use of cookies" is not compliant. (2.) There's no option to refuse. Advice to adjust browser settings in the cookie policy isn't good enough. (3.) It pops up after 5 cookies are already set, including one to track the user. (4.) The page already tries to embed third-party tracking content including Google Analytics and AdSense. Under the EU legislation you are not allowed to do this; you can only embed such content AFTER consent is given. (5.) The cookie policy at the "Learn More" link lies - it reads as follows:
"You always have a choice over whether or not to accept Cookies. When you first visit the Website and we notify you about our use of Cookies, you can choose not to consent to such use. If you continue to use the Website, you are consenting to our use of Cookies for the time being."
Really? How exactly do you choose not to consent? Furthermore, as I mentioned above, under EU legislation you cannot imply consent, so the second sentence shows that the policy is not EU compliant. What actually happens, as I mentioned, is that the site already sets cookies and the banner doesn't do anything except set its own cookie, which makes no functional difference to what cookies are or are not set.
The Penton privacy policy lies - it reads "For more information, please visit the Cookie Policy for the site you are using, which can be found in the website footer." But there is no Cookie Policy link in the WHT footer - it's only found in the Cookie Banner, and once that's gone there's no link.
Also the banner itself lies. The bb cookies are essential, obviously, if you want to log in. But other than that, the cookies are not used to enhance the user experience, they're used to track and advertise as it says in the Cookie Policy:
"‘Targeting’ or ‘Advertising’ Cookies enable a website to show you relevant advertising or facilitate your use of third party services. We may use these Cookies to provide information about your Website visit to advertisers, so that they can show you adverts more relevant to your interests, limit the number of times you see the same advert and measure the effectiveness of their advertising. We may also use such Cookies to make it easier for you to ‘like’ or ‘share’ Website content through your social network(s). The social networking websites may subsequently use information about your visit to target advertising to you on those websites. Please see their website terms and policies for further information on such use."
That is the antithesis of enhancing the user experience. And obviously that's not EU compliant either, you can't tell your users you're setting cookies to enhance their experience if you're using them to track and advertise.
Note what the EU Law's website banner looks like:
This site uses cookies to improve your browsing experience. Would you like to keep them? [✓] [X]
Even their own implementation probably isn't strictly compliant, as GDPR Article 7(3) states "It shall be as easy to withdraw as to give consent". One could well argue that the cookie banner has to stay permanently in place for the purpose of removing consent, yet once you consent or decline using the cookie banner it disappears.
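The HSTS trick described in post #18, written out as an added example; this is not code from the original post and not Sam Greenhalgh's own demo. It assumes a domain example.com with twenty subdomains s01 to s20, and a server that serves /p.gif only over HTTPS (sending a Strict-Transport-Security header the first time) and answers 404 over plain HTTP. All of those names and that server behaviour are assumptions for the example.

```javascript
// HSTS "supercookie": encode a visitor ID into the set of subdomains for
// which the browser has pinned an HSTS policy, then read it back on later
// visits with no cookie at all. Added example, not the original post's code.
// Bit i of the ID maps to one hostname s<i+1>.example.com (assumed names).

const BITS = 20;                // 20 subdomains -> 2^20 - 1 distinct IDs
const BASE = 'example.com';     // assumption: a domain the tracker controls

function hostForBit(i) {
  return 's' + String(i + 1).padStart(2, '0') + '.' + BASE;
}

// Hosts the server must "prime": serve them once over HTTPS with an HSTS
// header so the browser remembers to upgrade future http:// requests.
// ID 0 is reserved: an all-zero probe is indistinguishable from a new browser.
function hostsToPrime(id) {
  if (!Number.isInteger(id) || id < 1 || id >= 2 ** BITS) {
    throw new RangeError('id must be in 1 .. 2^BITS - 1');
  }
  const hosts = [];
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1) hosts.push(hostForBit(i));
  }
  return hosts;
}

// Decode the ID from per-bit probe results: true means the plain-http
// request to that host was silently upgraded to https (HSTS is pinned).
function idFromProbes(upgraded) {
  let id = 0;
  for (let i = 0; i < BITS; i++) if (upgraded[i]) id |= (1 << i);
  return id;
}

// Browser-side probe (assumed server: https://host/p.gif -> 200 image,
// http://host/p.gif -> 404). A loaded <img> therefore proves the browser
// rewrote http to https on its own, i.e. it carries HSTS state for that host.
function probeBit(i) {
  return new Promise(resolve => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = 'http://' + hostForBit(i) + '/p.gif?' + Date.now(); // cache-bust
  });
}

async function readFingerprint(probe = probeBit) {
  const flags = await Promise.all(Array.from({ length: BITS }, (_, i) => probe(i)));
  return idFromProbes(flags);
}

// Server-side decision on each page view: an all-false probe is a fresh
// browser, so allocate an ID and return the hosts to prime; otherwise the
// visitor is recognised and nothing needs priming.
function recogniseOrAssign(flags, allocate) {
  const id = idFromProbes(flags);
  if (id === 0) {
    const fresh = allocate();
    return { id: fresh, prime: hostsToPrime(fresh) };
  }
  return { id, prime: [] };
}

// Offline simulation of a returning visitor: the "browser" remembers only the
// primed hosts, so a probe succeeds exactly for those. Round-trips the ID.
function simulateReturnVisit(id) {
  const pinned = new Set(hostsToPrime(id));
  const flags = Array.from({ length: BITS }, (_, i) => pinned.has(hostForBit(i)));
  return idFromProbes(flags);
}

if (typeof document !== 'undefined') {
  readFingerprint().then(id => console.log('fingerprint id', id));
}
```

The pure functions and simulateReturnVisit let you check the encoding offline; only probeBit needs a page. The defender's point is that clearing cookies does not clear this ID: only clearing HSTS state, or the browser refusing to honour HSTS for third-party subresource loads (which Safari started doing in 2018), breaks it, so a consent banner that talks only about cookies says nothing about whether a site tracks you.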
-
06-08-2018, 01:48 AM #19 Web Hosting Master (Join Date: Nov 2012 | Location: WWW | Posts: 751)
You need to insert a warning message on your website that your website/external widgets collect cookies and the user should accept this. On WHT you can see this message at the bottom.
ADELINAhost (Established 2012)
Shared Hosting - VPS - Dedicated Servers in more than 10 locations
https://www.adelinahost.com
-
06-08-2018, 02:20 AM #20 Aspiring Evangelist (Join Date: Apr 2012 | Location: Canberra | Posts: 399)
And as I just mentioned above, WHT's cookie message isn't remotely close to being compliant with EU law.
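One way to honour the consent conditions quoted in post #18 on a site like the OP's, as an added example; this is not WHT's code and not taken from any consent-management product. Third-party tags load only after an explicit grant, each grant and withdrawal is recorded so consent can be demonstrated, and withdrawing is one call just like granting. The purposes and the script URLs are placeholders chosen for the example.

```javascript
// Consent-gated loading of third-party tags (analytics, ads). Added example,
// not code from the original thread. Assumption: the site's own session
// cookie is "strictly necessary" and needs no consent; everything else waits.

const PURPOSES = ['analytics', 'advertising'];   // assumed purpose names

class ConsentStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.records = [];      // Art. 7(1): the controller must be able to show consent
  }

  // Consent is only an explicit act. "Continuing to browse", closing the
  // banner or a pre-ticked box never reach this method.
  grant(purposes) {
    const valid = purposes.filter(p => PURPOSES.includes(p));
    if (valid.length === 0) throw new Error('no recognised purpose');
    this.records.push({ at: this.now(), granted: valid, withdrawn: [] });
    return this.state();
  }

  // Withdrawal is one call, the same effort as granting (Art. 7(3)).
  withdraw(purposes = PURPOSES) {
    this.records.push({ at: this.now(), granted: [], withdrawn: purposes });
    return this.state();
  }

  // Current state is derived by replaying the records in order.
  state() {
    const allowed = new Set();
    for (const r of this.records) {
      r.granted.forEach(p => allowed.add(p));
      r.withdrawn.forEach(p => allowed.delete(p));
    }
    return Object.fromEntries(PURPOSES.map(p => [p, allowed.has(p)]));
  }

  allows(purpose) { return this.state()[purpose] === true; }
}

// Tags keyed by the purpose they need. Each tag is injected at most once,
// and only while its purpose is currently allowed.
function makeTagLoader(store, inject) {
  const loaded = new Set();
  const tags = {
    analytics:   'https://analytics.example/tag.js',   // placeholder URL
    advertising: 'https://ads.example/tag.js',         // placeholder URL
  };
  return function loadPermitted() {
    const ran = [];
    for (const [purpose, url] of Object.entries(tags)) {
      if (store.allows(purpose) && !loaded.has(purpose)) {
        inject(url);
        loaded.add(purpose);
        ran.push(purpose);
      }
    }
    return ran;
  };
}

// Browser injector: appends <script src=...>. Never called before consent.
function injectScript(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof document !== 'undefined') {
  const store = new ConsentStore();
  const load = makeTagLoader(store, injectScript);
  // Assumed banner markup: an accept and a reject button with these ids.
  // Nothing is injected until "accept" is actually clicked.
  document.getElementById('consent-accept')?.addEventListener('click', () => {
    store.grant(PURPOSES);
    load();
  });
  document.getElementById('consent-reject')?.addEventListener('click', () => {
    store.withdraw();
  });
}
```

Withdrawal cannot pull an already-running tag out of the page; the loader only guarantees nothing new is injected, so a real implementation also has to stop sending events and delete the third-party cookies it can reach. The reject path deliberately records nothing that looks like acceptance: a "cookiebanner-accepted=1" cookie set by closing the banner is exactly what post #18 criticises.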
-
06-14-2018, 02:55 AM #21 Web Hosting Evangelist (Join Date: Nov 2006 | Posts: 451)
You can say GDPR is an updated version of the Data Protection Act and applies to anyone who processes data belonging to EU residents; btw, that doesn't mean it's a sigh of relief for people living outside the EU. As a matter of fact, if you were an American company doing business in Europe your company could still be fined.
bodHOST.com: Fully Managed Hosting Solutions
+ Auto-Scalable Cloud Hosting Services...
-
06-14-2018, 04:17 AM #22 Web Hosting Master (Join Date: Oct 2006 | Location: US/EU/UK | Posts: 4,886)
@ariel1238a you aren't in the EU, therefore your website and the business behind it are governed by a different jurisdiction. I think that all the talk here might be useful, but it will not help a bit and will not make your website or service compliant with the U.S. or European laws (and it probably shouldn't). I would suggest using a legal advisor and asking one what the specific steps to take are (one of them would be to make sure that your website users are familiar with your jurisdiction and how it deals with Personal Data).
HostColor.com ★★ Edge Infrastructure - US Dedicated Servers & Europe Dedicated Hosting ★ since 2000
In 50 U.S. Edge Data Centers & 80 POPs worldwide
24/7 Support ★★ Support Tickets - LiveChat - Phone
-
06-14-2018, 05:53 AM #23 Aspiring Evangelist (Join Date: Jun 2014 | Posts: 384)
Just wondering, there is some law for coffee shops in Europe. A European walks into a coffee shop in Singapore, orders a cup of coffee, finishes it and asks for the bill. How come laws in Europe apply there?
As long as you are physically hosted outside Europe and have a corporate office outside Europe, why should we bother?