Here are details of the changes and checks we've been implementing during the past weeks at Labdoo in order to ensure GDPR compliance. Some of you need to update your Impressums, so I hope this is useful. It is also for our future reference.
In the next hours all Labdoo users will receive a notification email informing them about the new Terms and Conditions that need to be re-accepted.
- Enabled “Anonymize visitors IP address”: Tells Google Analytics to anonymize the information sent by the tracker objects by removing the last octet of the IP address prior to its storage. This will slightly reduce the accuracy of geographic reporting by Google Analytics but will keep the user’s IP address anonymous.
- Universal web tracking opt-out: If enabled and your server receives the Do-Not-Track header from the client browser, the Google Analytics module will not embed any tracking code into your site. Compliance with Do Not Track could be purely voluntary, enforced by industry self-regulation, or mandated by state or federal law. Please accept your visitors privacy. If they have opt-out from tracking and advertising, you should accept their personal decision. This feature is currently limited to logged in users and disabled page caching.
- Internal URL: https://www.labdoo.org/admin/config/system/googleanalytics
- We were not using this feature, so we just disabled it.
- Disabled: Allow session storage
- Disabled: Store reverse-geocoded addresses with their corresponding latitude/longitude on the database
The IP geolocation database currently contains information for 0 visited IP addresses.
The system access log currently contains entries from 0 IP addresses.
- Internal URL: https://www.labdoo.org/admin/config/system/ip_geoloc
- We were not using this feature, so we just disabled it. This was a Drupal module that was recording world-wide access to the Labdoo site by users, and as part of that, it was recording the IP address in a log called accesslog.
- accesslog was fully disabled
- accesslog was fully purged:

      mysql> SELECT COUNT(DISTINCT hostname) FROM accesslog;
      | COUNT(DISTINCT hostname) |
      | 0 |
      1 row in set (0.00 sec)

- Internal URL: https://www.labdoo.org/admin/config/system/statistics
- Labdoo only uses the minimum required cookies to ensure a minimally valid user experience (e.g., log in/log out, mobile versus desktop view)
- Implemented a new EU compliant cookie banner to ensure users’ consent on cookies
- Internal URL: https://www.labdoo.org/admin/config/system/eu-cookie-compliance
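
The IP-related changes above (last-octet anonymization and the purge of accesslog) can be audited in any retained log export with a check like the following. This is an added example, not Labdoo's own code: the function names and the sample log lines are constructed for illustration, and the IPv6 handling (zeroing the last 80 bits, as Google Analytics does) goes beyond the IPv4 case described above.

```python
import ipaddress
import re

# Tokens that look like IPv4 or IPv6 addresses; ipaddress does the real validation,
# so timestamps such as 2018:10:00:00 are matched here but rejected below.
_CANDIDATE = re.compile(
    r"(?<![\w.:])(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)(?![\w.:])"
)

def anonymize_ip(text):
    """Zero the last octet (IPv4) or the last 80 bits (IPv6); ValueError if not an IP."""
    ip = ipaddress.ip_address(text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def scrub_line(line):
    """Return the log line with every valid IP address anonymized."""
    def repl(match):
        try:
            return anonymize_ip(match.group(0))
        except ValueError:
            return match.group(0)  # not an IP (e.g. a timestamp): leave untouched
    return _CANDIDATE.sub(repl, line)

def find_full_ips(lines):
    """Audit: list (line_number, ip) for every address that is still stored in full."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in _CANDIDATE.finditer(line):
            token = match.group(0)
            try:
                if anonymize_ip(token) != str(ipaddress.ip_address(token)):
                    hits.append((number, token))
            except ValueError:
                continue
    return hits

# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE = [
    '203.0.113.77 - - [25/May/2018:10:00:00 +0000] "GET /content/x HTTP/1.1" 200',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:05 +0000] "GET / HTTP/1.1" 200',
    '198.51.100.0 - - [25/May/2018:10:00:09 +0000] "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(find_full_ips(SAMPLE))
    print(find_full_ips([scrub_line(line) for line in SAMPLE]))
```

An empty result from `find_full_ips` plays the same role for a log file as the `COUNT(DISTINCT hostname)` query returning 0 does for the accesslog table.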
Impressum / Terms and Conditions
- Implemented a new TC that is GDPR compliant: https://www.labdoo.org/content/labdoos-terms-conditions-and-data-protection
- Labdoo Germany also implemented a GDPR compliant TC: https://www.labdoo.org/de/content/impressum
- Require every user to log in again and accept the new TC in order to be able to use the Labdoo site (this will be enabled on May 25)
- Removed all users from the newsletter subscription. We believe there is probably no need to do this since all Labdoo users already freely accepted being in the newsletter by consent, but we decided to take this action to ensure it’s clear that newsletters will only be sent out to users who’ve shown consent starting on May 25 2018.
- Sent out an email to all Labdoo users providing a link and instructions on how to register again for the Labdoo newsletter (this will be carried out on May 25)
Social media share links were removed
- These were social network share links (for Facebook, Google, etc.) shown at the top of each Labdoo page (below the language menu) that allowed users to share that page on their social network accounts.
- These 3rd-party plugins collect data from users in order to establish the communication between Labdoo and these 3rd-party social networks.
- To ensure we preserve our policy of only requiring minimal personal information on the Labdoo website, we decided to remove all these links.
YouTube no cookies
We have enabled a new YouTube encoder that allows posting videos on Labdoo pages (e.g., wikis, conversations) without using users' cookies. See https://www.labdoo.org/content/gdpr-compliance-youtube-videos
Right to erasure
- Ensured that any user can delete any content he/she created
- Made user's city information optional. This allows users to not specify the city they are from or to remove the city from their profile if they had provided such information in the past. Country is still mandatory, but a user could simply remove his/her account if he/she did not want to provide the country they are from.
- Developed a workflow that allows users to request removal of all their data. When a user deletes their account, all his/her objects (e.g., dootronics, dootrips) are assigned to an anonymous account. All activity on those objects is registered and reported via email to an internal Labdoo account. Such log emails can be searched using that user account’s email address, which makes it possible to identify the objects (even after the user’s account has been deleted) and remove them upon request.
- Internal URLs: https://www.labdoo.org/admin/config/people/accounts and https://www.labdoo.org/admin/people/permissions#module-user