Legal requirement: Mass convert embed. obj. to static URL

[hjmaier]

I am currently struggling with the new privacy laws in Germany/European Union, which will come to life at the end of may. According to my lawyer (yes, they are that complex), I am not allowed to embed content from other platforms because of tracking cookies they will set (youtube does, vimeo does, probably other social media sites too ). 

I disabled the option already. But there is still a ton of embedded content on my site (also in the archive). 

I desperately need something to convert all embedded content to their static URLs. If not, I can be fined for breaking the new privacy rules. 

[opentype]

I doubt there as easy way to do this, since the full html embed code is part of the individual posts. You would have to write lots of MySQL queries to find all of the embeds and replace them. But people who speak MySQL fluently can do this of course. 

A better solution would probably be to keep all the embeds, but not load them unless consent is given. Example: 

https://edps.europa.eu/press-publications/press-news/videos/debating-ethics-dignity-and-respect-data-driven-life_en

(Also not a stock feature though. No idea how that can be implemented for several services.)

[hjmaier]

Yes, I agree. That would be a nice idea.

2 minutes ago, opentype said:

A better solution would probably be to keep all the embeds, but not load them unless consent is given.

Another idea would be, to leave the embeds in the database and filter to URLs during the output and display only the static URL. 

[hjmaier]

Additionally, according to my lawyer, it is illegal to embed Vimeo for example. They did not ensign in the EU-US Privacy  Shield. Even if a user gives his consent, I am not allowed to embed content from those sites. I am allowed to link, but I am not allowed to embed, since the EU laws count things like IP addresses as personal data.

Here the link to the list: https://www.privacyshield.gov/list

And here the link to the wikipedia: https://en.wikipedia.org/wiki/EU-US_Privacy_Shield

And since Invisionport is not listed there, I am not allowed to use the anti SPAM network. 

[Matt]

If you get consent to set cookies then you don’t need to remove your embeds. 

GDPR is about transparency, not stripping everything back to not set cookies. 

4.2.8 has a cookie consent feature you can use. You can list the cookies that will be set if you continue using the site. 

It’s unlikely that Vimeo sets personal information such as an IP address in a cookie as it can get your IP address from your “hit” to the site (same as hotlinked images). You might get a tracking code or ID but this will not reveal who you are. 

[hjmaier]

Hi Matt,

not according to my lawyer. If I embed a video, the site will get the ip address of the visitor. According to the privacy rules, an IP Address is considered a personal data. And in addition, since Vimeo did not sign the EU-US Privacy shield, I am not allowed to embed anything from them. No matter if I have the user consent or not. I know that sounds weird... 

Edit:

An example for youtube: It would be legal to embed youtube, if this link would be used: https://www.youtube-nocookie.com/

[DesignzShop]

 

Quote

U.S. President Donald Trump signed an Executive Order entitled "Enhancing Public Safety" which states that U.S. privacy protections will not be extended beyond US citizens or residents:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information

 

[sudo]

2 hours ago, DesignzShop said:

 

 

https://www.infosecurity-magazine.com/news/trump-order-sparks-privacy-shield/

 

[Cyrem]

4 hours ago, hjmaier said:

According to the privacy rules, an IP Address is considered a personal data.

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

[AlexWright]

22 minutes ago, Cyrem said:

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

*grabs a proxy* You were saying?

[Cyrem]

Just now, AlexWright said:

*grabs a proxy* You were saying?

My point exactly.... and you know, dynamic ip's.

[AlexWright]

47 minutes ago, Cyrem said:

My point exactly.... and you know, dynamic ip's.

Yeah, my router is set to always assign dynamics whenever a device starts. I mean yeah it still has to be within the range, but even so. Proxies can still change that too. Anyone who blindly trusts IP address information, or considers it "personally identifiable" has never really worked with them.

[Lindy]

As noted in your other topic, I know Germany has additional data protections than other EU members, but the Privacy Shield will do nothing to address those and again, being certified Privacy Shield does not mean you are GDPR compliant. Dynamic IPs are not universally considered personally identifiable data, but with the GDPR, IP addresses are considered PII data. 

I can't and won't tell you to not follow your own local legal advice, but there are going to be gray areas in the expansive legislation, just as there were with the numerous renditions of the "cookie law." I believe the GDPR is intended to keep the big boys at bay and hold folks like us to a higher standard in terms of data transmission, processing and storage. It's extremely unlikely EU authorities are going to descend upon you for embedding a vimeo video. ? Further, provided you are using GDPR compliant (Privacy Shield is insufficient) providers and you've obtained consent, you should be fine. 

We unfortunately cannot advise or accommodate every scenario, so as the controller of data, it is your ultimately responsibility to ensure compliance. With that said, we will of course evaluate as things move forward to determine what we can do to help our clients be most successful. On this specific issue, we believe it would be unnecessary to do as your attorney is purportedly suggesting. 

Being prepared and diligent is fantastic, but try not to get too stressed and overthink this. If Facebook can continue to allow you to embed YouTube and Vimeo videos, I'm pretty confident you'll be ok too. ?

[sudo]

3 hours ago, Cyrem said:

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

Just as food for thought this could be much more of a concern when IPv6 is rolled out although I have not dug into it too far.

One thing to consider would be if you remove a user account but keep the posts are their ip's still saved.

Personally I think they need to delay it by 6 months to a year for small organisations or everyone tbh. Right now there are a huge amount of problems knowing exactly how to be compliant and this is before we get to how it will apply to businesses outside the EU who do business with EU customers.

[opentype]

6 hours ago, Cyrem said:

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

Laugh all you want, but just because you don’t see this way doesn’t mean that laws and courts don’t consider IPs as personal data and prosecution and fines can follow. And the latter is what I need to care about. What do I do when I get sued for this? Tell the judge that it’s laughable and this Cyrem person on the internet said so as well? That’s not helpful. I rather go by the facts, and look for example at actual cases such as the EU court ruling based on a guy successfully suing the country of Germany over it. 
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

[opentype]

10 hours ago, Matt said:

4.2.8 has a cookie consent feature you can use. You can list the cookies that will be set if you continue using the site. 

One problem that might come up with that is that the law seems to force granular user control and so blanket solutions (“accept all possible cookies listed here or go away”) wouldn’t work. A better solution (for sites who opt in to this) could be:

1. approval through the good-old “two click solution” popular in Europe for years. No embeds from Twitter, Facebook and so on are loaded by default. No preview image, no external calls. Nothing. Just an overlay box over the item asking the user for consent to watch this YouTube/Twitter/whatever content. After the consent, the decision can be stored and embeds work normally from now on. BUT:
2. the user now seems to need to be able to opt out of it again at any time. So a privacy section in his account would give access to various types of settings (e.g. session cookies, Google Analytics, marketing tracking) and “social media embeds” could be one of them. Here the user could opt out again and the embeds would be shown again as mentioned under 1)

[Jacques Corby-Tuech]

If anyone wants to see a good GDPR compliant cookie solution, this is pretty solid. It allows for per-category cookie consent and doesn't drop cookies until you explicitly consent. 

https://onetrust.com/cookie-policy/

There's probably going to be a lot of confusion for a while with regards to what constitues Legitimate Interest (for example IPS cookies) and what requires consent (Facebook Pixel, Doubleclick, etc).