Hello everybody,
After searching on the forum and docs, I still wonder about GDPR and EPD-R (ePrivacy).
To tackle each point, let’s break it down to technical questions (I just need to see clearly and I ask naïve questions, no sub-text here):
-
Cookies (of not logged-in visitor):
Must be allowed by the user.
On a basic app (the news with users tutorial, still 3.464MB) running on localhost, I get at least 3 cookies on Firefox: 2 local anvil + youtube! (iframe.api), and one more Anvil cookie, visible on Chromium.
Looks like youtube.com, checkout.stripe.com (despite not working yet on Anvil runtime), maps.googleapis.com, fonts.googleapis.com, fonts.gstatic.com, cdn.skypack.dev are de-facto in all apps?
From Anvil, there areanvil-test-cookieandring-session(a session cookie for a not logged-in visitor?).
→ Is there (or will we have) a way to deactivate these cookies by default?
Here’s a summary about cookies from Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu :- Receive users’ consent before you use any cookies except strictly necessary cookies.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from users.
- Allow users to access your service even if they refuse to allow the use of certain cookies
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
-
Personal information:
Storing (and deleting) user’s information, like email, could be in the scope of GDPR consent, but having their emails in the App logs means Anvil is also in the loop. I noticed that sessions are also written in the database on the Anvil runtime version (RuntimeSessions table). Is there a reason, since there are no logged-in in my test case, and it’s not hosted on Anvil servers?
→ how to prevent having user emails to reach App logs and sessions for not logged-in visitors, at least on runtime? -
Final question about telemetry. Is there any user and/or usage data coming from Anvil runtime server to Anvil? Same question with uplinks connecting to Anvil hosted apps (beyond the websocket of course).
If you’d like to know more, here’s a helpful checklist GDPR compliance checklist - GDPR.eu
Let’s discuss these 2 first, no need to overload the plate (maybe it’s already the case).
Thank you!
.
Note: You might have noticed that English is not my primary language, so I may reply by pointing you to pages written better (and maybe more obscurely) than I could ever do.
Also, I’m not a lawyer (but a digital marketing director), I try to boil down to technical solutions, not legalese, to offer honest service and walk with a clear sight.
EDIT: Here’s a quick and dirty fix for the youtube cookie.