Jump to content

Community

Legal requirement: Mass convert embed. obj. to static URL


Recommended Posts

I am currently struggling with the new privacy laws in Germany/European Union, which will come to life at the end of may. According to my lawyer (yes, they are that complex), I am not allowed to embed content from other platforms because of tracking cookies they will set (youtube does, vimeo does, probably other social media sites too ). 

I disabled the option already. But there is still a ton of embedded content on my site (also in the archive). 

I desperately need something to convert all embedded content to their static URLs. If not, I can be fined for breaking the new privacy rules. 

Link to post
Share on other sites

I doubt there as easy way to do this, since the full html embed code is part of the individual posts. You would have to write lots of MySQL queries to find all of the embeds and replace them. But people who speak MySQL fluently can do this of course. 

A better solution would probably be to keep all the embeds, but not load them unless consent is given. Example: 

https://edps.europa.eu/press-publications/press-news/videos/debating-ethics-dignity-and-respect-data-driven-life_en

(Also not a stock feature though. No idea how that can be implemented for several services.)

Link to post
Share on other sites

Yes, I agree. That would be a nice idea.

2 minutes ago, opentype said:

A better solution would probably be to keep all the embeds, but not load them unless consent is given.

Another idea would be, to leave the embeds in the database and filter to URLs during the output and display only the static URL. 

Link to post
Share on other sites

Additionally, according to my lawyer, it is illegal to embed Vimeo for example. They did not ensign in the EU-US Privacy  Shield. Even if a user gives his consent, I am not allowed to embed content from those sites. I am allowed to link, but I am not allowed to embed, since the EU laws count things like IP addresses as personal data.

Here the link to the list: https://www.privacyshield.gov/list

And here the link to the wikipedia: https://en.wikipedia.org/wiki/EU-US_Privacy_Shield

And since Invisionport is not listed there, I am not allowed to use the anti SPAM network. 

Link to post
Share on other sites
  • Management

If you get consent to set cookies then you don’t need to remove your embeds. 

GDPR is about transparency, not stripping everything back to not set cookies. 

4.2.8 has a cookie consent feature you can use. You can list the cookies that will be set if you continue using the site. 

It’s unlikely that Vimeo sets personal information such as an IP address in a cookie as it can get your IP address from your “hit” to the site (same as hotlinked images). You might get a tracking code or ID but this will not reveal who you are. 

Link to post
Share on other sites

Hi Matt,

not according to my lawyer. If I embed a video, the site will get the ip address of the visitor. According to the privacy rules, an IP Address is considered a personal data. And in addition, since Vimeo did not sign the EU-US Privacy shield, I am not allowed to embed anything from them. No matter if I have the user consent or not. I know that sounds weird... 

Edit:

An example for youtube: It would be legal to embed youtube, if this link would be used: https://www.youtube-nocookie.com/

Edited by hjmaier
Link to post
Share on other sites


 

Quote

U.S. President Donald Trump signed an Executive Order entitled "Enhancing Public Safety" which states that U.S. privacy protections will not be extended beyond US citizens or residents:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information

 

Link to post
Share on other sites
4 hours ago, hjmaier said:

According to the privacy rules, an IP Address is considered a personal data.

giphy.gif

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

Edited by Cyrem
Link to post
Share on other sites
47 minutes ago, Cyrem said:

My point exactly.... and you know, dynamic ip's.

Yeah, my router is set to always assign dynamics whenever a device starts. I mean yeah it still has to be within the range, but even so. Proxies can still change that too. Anyone who blindly trusts IP address information, or considers it "personally identifiable" has never really worked with them.

Link to post
Share on other sites
  • Management

As noted in your other topic, I know Germany has additional data protections than other EU members, but the Privacy Shield will do nothing to address those and again, being certified Privacy Shield does not mean you are GDPR compliant. Dynamic IPs are not universally considered personally identifiable data, but with the GDPR, IP addresses are considered PII data. 

I can't and won't tell you to not follow your own local legal advice, but there are going to be gray areas in the expansive legislation, just as there were with the numerous renditions of the "cookie law." I believe the GDPR is intended to keep the big boys at bay and hold folks like us to a higher standard in terms of data transmission, processing and storage. It's extremely unlikely EU authorities are going to descend upon you for embedding a vimeo video. ? Further, provided you are using GDPR compliant (Privacy Shield is insufficient) providers and you've obtained consent, you should be fine. 

We unfortunately cannot advise or accommodate every scenario, so as the controller of data, it is your ultimately responsibility to ensure compliance. With that said, we will of course evaluate as things move forward to determine what we can do to help our clients be most successful. On this specific issue, we believe it would be unnecessary to do as your attorney is purportedly suggesting. 

Being prepared and diligent is fantastic, but try not to get too stressed and overthink this. If Facebook can continue to allow you to embed YouTube and Vimeo videos, I'm pretty confident you'll be ok too. ?

Link to post
Share on other sites
3 hours ago, Cyrem said:

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

Just as food for thought this could be much more of a concern when IPv6 is rolled out although I have not dug into it too far.

One thing to consider would be if you remove a user account but keep the posts are their ip's still saved.

Personally I think they need to delay it by 6 months to a year for small organisations or everyone tbh. Right now there are a huge amount of problems knowing exactly how to be compliant and this is before we get to how it will apply to businesses outside the EU who do business with EU customers.

Edited by sudo
Link to post
Share on other sites
6 hours ago, Cyrem said:

giphy.gif

Today i'm what Bob was yesterday, tomorrow i'm Kathlene from last week. IP Addresses are as personal as dirt on a sidewalk. Don't worry, I'm laughing with you, not at you.

Laugh all you want, but just because you don’t see this way doesn’t mean that laws and courts don’t consider IPs as personal data and prosecution and fines can follow. And the latter is what I need to care about. What do I do when I get sued for this? Tell the judge that it’s laughable and this Cyrem person on the internet said so as well? That’s not helpful. I rather go by the facts, and look for example at actual cases such as the EU court ruling based on a guy successfully suing the country of Germany over it. 
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

Edited by opentype
Link to post
Share on other sites
10 hours ago, Matt said:

4.2.8 has a cookie consent feature you can use. You can list the cookies that will be set if you continue using the site. 

One problem that might come up with that is that the law seems to force granular user control and so blanket solutions (“accept all possible cookies listed here or go away”) wouldn’t work. A better solution (for sites who opt in to this) could be:

  1. approval through the good-old “two click solution” popular in Europe for years. No embeds from Twitter, Facebook and so on are loaded by default. No preview image, no external calls. Nothing. Just an overlay box over the item asking the user for consent to watch this YouTube/Twitter/whatever content. After the consent, the decision can be stored and embeds work normally from now on. BUT:
  2. the user now seems to need to be able to opt out of it again at any time. So a privacy section in his account would give access to various types of settings (e.g. session cookies, Google Analytics, marketing tracking) and “social media embeds” could be one of them. Here the user could opt out again and the embeds would be shown again as mentioned under 1)
Edited by opentype
Link to post
Share on other sites

If anyone wants to see a good GDPR compliant cookie solution, this is pretty solid. It allows for per-category cookie consent and doesn't drop cookies until you explicitly consent. 

https://onetrust.com/cookie-policy/

There's probably going to be a lot of confusion for a while with regards to what constitues Legitimate Interest (for example IPS cookies) and what requires consent (Facebook Pixel, Doubleclick, etc). 

Link to post
Share on other sites
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. See more about cookies and our Privacy Policy