GDPR TIPS

Social media

People use social media in various ways in combination with their websites.

Share website via Social Media

On your website you can use a "social share" functionality where your visitors can easily share the page with their followers.

  • Some social share extensions load scripts from external sources. Those external servers see every visitor's IP address (and, via the Referer header, the page that was visited), whether or not the visitor ever clicks the share button.
  • Some scripts display "X of your Facebook friends liked this page" or "X of your friends shared this page on Twitter".
    Those social media platforms log every visit of your visitors who are logged in to the platform, even if the visitor does not "like" or "share" the page. A logged-in visitor is identified by the platform's own cookie, so the log entry is tied to a person, not just to an IP address.

Share Social Media via your website

Some platforms make it possible to embed their public content elsewhere, for example a Twitter feed with the latest tweets on your own website.

  • The embed code loads scripts from the platform's servers, which can therefore register the IP addresses of your visitors.
  • The Facebook pixel is such a tracker. Ever wondered why you suddenly see ads on Facebook that match the websites you have visited?

External resources (Fonts, JavaScript, CSS)

If your website uses resources from external sites (read: something that is loaded from the cloud), your visitor's browser retrieves those resources directly from the external servers.

Those external services can therefore collect the IP addresses of your visitors, together with the page they were on (sent in the Referer header).
Think about:

  • JavaScript libraries like jQuery
  • CSS libraries like Bootstrap
  • Web fonts like Google Fonts
  • JavaScript applications like a chat service, currency converters, the weather, etc.

Measure: download the external resources, add them to your own website and change all HTML/PHP templates in your website to load the local copies instead. Afterwards, check the "Network" tab of your browser's developer tools: no request should go to a domain other than your own.

Analytic tools

For marketing purposes and for optimizing websites, good insight into your visitors is essential.

However, you will collect (and store) a lot of personal information about your visitors. Therefore:

  • make a data processing contract with the provider
  • use IP anonymization
  • provide an opt-out
  • provide cookie information and a privacy statement

Google Analytics

With the classic analytics.js snippet, add the following line after ga('create', ...) and before the first ga('send', ...) to anonymize the IP address before it is stored (Google drops the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses):

ga('set', 'anonymizeIp', true);

With the newer gtag.js snippet, pass the option in the config call:

gtag('config', 'GA_TRACKING_ID', { 'anonymize_ip': true });

In Google Tag Manager, turn on IP anonymization in the settings of the Google Analytics tag. A step-by-step description: https://smarter-ecommerce.com/blog/en/analytics/implement-gdpr-compliant-ip-anonymization-google-analytics/

A description (in German) of how to use Google Analytics in a GDPR-compliant way: https://www.datenschutzbeauftragter-info.de/fachbeitraege/google-analytics-datenschutzkonform-einsetzen/
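
The opt-out and consent handling from the list above, as an added example (this is not code from the page or from Google). It gates the loading of a third-party script on consent, queues the anonymize_ip setting before the library loads, and honours a stored opt-out. The cookie name is an assumption; the 'ga-disable-<ID>' property is Google's documented opt-out switch. The browser objects are passed in, so the same logic also runs under Node.js for testing. The same gate works for social share scripts or a Facebook pixel.

```javascript
// Added example, not code from the page or from Google: a consent gate for a
// third-party script (Google Analytics here; the same gate applies to social
// share buttons or a Facebook pixel), combined with IP anonymization and a
// persistent opt-out. Browser globals are passed in as `win` so the logic can
// be exercised under Node.js. The cookie name is an assumption; the
// 'ga-disable-<ID>' property is Google's documented opt-out switch.

const OPT_OUT_COOKIE = 'ga_opt_out'; // assumed name, pick your own

// True when the visitor has previously clicked the opt-out link.
function hasOptOutCookie(cookieString) {
  return cookieString
    .split(';')
    .some((c) => c.trim().split('=')[0] === OPT_OUT_COOKIE);
}

// Decide whether to load the tracker; returns the decision so it can be logged.
function initAnalytics(win, trackingId, consentGiven) {
  // 1. A stored opt-out wins over everything: Google's flag stops the library
  //    from sending hits even if it is already loaded.
  if (hasOptOutCookie(win.document.cookie)) {
    win['ga-disable-' + trackingId] = true;
    return { loaded: false, reason: 'opt-out' };
  }
  // 2. Without consent, do not even insert the <script>: no request, and
  //    therefore no visitor IP address, reaches the third party.
  if (!consentGiven) return { loaded: false, reason: 'no-consent' };

  // 3. With consent, queue the config (with anonymize_ip) in the dataLayer
  //    before the library loads, so the very first hit is already anonymized.
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', trackingId, { anonymize_ip: true });

  const script = win.document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(trackingId);
  win.document.head.appendChild(script);
  return { loaded: true, reason: 'consent' };
}

// Handler for an "opt out of analytics" link: persist the choice for a year
// and switch tracking off immediately for the current page.
function optOut(win, trackingId) {
  win.document.cookie = OPT_OUT_COOKIE + '=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure';
  win['ga-disable-' + trackingId] = true;
}

// Minimal stand-in for window/document so the gate can run outside a browser.
function fakeWindow(cookie = '') {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { document: { cookie, head, createElement: (tag) => ({ tag }) } };
}
```

On a real page, call initAnalytics(window, 'GA_TRACKING_ID', consent) from the "accept" handler of your cookie banner and optOut(window, 'GA_TRACKING_ID') from the opt-out link in your privacy statement. Sites that still use analytics.js queue ga('set', 'anonymizeIp', true) at step 3 instead of the gtag config.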

Passwords

A Sidenote

"Security is not meant to be convenient, it's meant to protect."!!

A technical measure to protect information is to use passwords.

Passwords strategy

  • Do not use the same password on multiple websites. Use a unique random password for each site.
  • Do not write them down (for example on a Post-it stuck to your monitor).
  • Do not share them with colleagues.
  • Use a strong password. A strong password is one that is not easy to guess, so "qwerty" or "1234" are not strong passwords.
    However, as the webcomic xkcd explains, a password like "Tr0ub4dor&3" is hard for people to remember and still easy for computers to guess. A passphrase of several random words ("correct horse battery staple") is both easier to remember and harder to guess, because its strength comes from the number of randomly chosen words, not from substituting digits for letters.

Password manager

  • Do you use the feature of your browser to store all the passwords of the sites you visit? Have you protected access to it if you are not around?
    Have you encrypted the hard drive of your computer? Do you use a screen saver with password that will automatically be activated when your computer is inactive for some time?
  • A better idea to keep track of all your passwords is using a password manager. Often it can also generate random passwords.
  • Password managers (or vaults) such as 1Password, KeePass or LastPass are definitely worth a look. Some of them synchronize seamlessly between computers, phones and tablets, and you only have to remember one password: the one for the vault.

Two Factor Authentication (2FA)

  • Also known as 2-Step Verification. 2FA makes an authentication process safer:
    besides a password ("something you know"), a second factor is required that is "something you have".
    For instance a mobile phone app that generates a one-time code on the fly, or a USB device such as a YubiKey that produces a second security token. Codes sent by SMS also count as a second factor, but are weaker: they can be intercepted or redirected by taking over the phone number.

Public-key cryptography

  • Another authentication method is a public/private key pair. Generate such a pair, keep the private key on your own computer and put the public key on the computer or service you want to access. You can secure it further by protecting the private key with a passphrase, so that a copied key file is useless on its own. Sites like github.com or bitbucket.com support it, and Linux servers that you access with ssh often use it.

Computers

Computers can store a lot of personal data locally. And more and more people use laptops (or the smaller versions called notebooks) for working with information. How do you safeguard the information on such devices?

Hard disk encryption

  • Have you encrypted the hard disk, so that the computer only boots and the information on the laptop only becomes accessible after entering a long, strong passphrase?
    The operating system Debian Linux offers "LVM with encryption" as one of the options during installation.
  • If your laptop with encrypted hard disk gets lost or stolen, the information (personal data) on it stays protected, provided the laptop was switched off or hibernated: a running or merely suspended laptop still has the encryption key in memory.
    Do not forget to report it to the police and get an official report (which also states that you have taken the technical measure of protecting the data with hard disk encryption). You will need it for an insurance claim. Record it in your internal incident list, assess the possible consequences of the data loss and, if needed, inform the data protection authority.

Password protection

  • Does your operating system ask you for a username and password when booting? It should, because it is an extra protection of the information on your hard disk.
  • On its own, the password protection of an operating system is easy to beat: start the computer from a USB stick or CD-ROM with another operating system and you can read all the data on the hard disk. Only disk encryption (see above) prevents this.
  • Do you have a "clean desk policy" in your company? Yes, it's nice to work on a clean desk, but here it means that you do not leave behind any documents that can cause security issues (for example personal data). Also protect your computer with a password-protected screen saver that locks the computer automatically after a period of inactivity.

Technical problems

  • Do you have a technical problem with your computer? Does it need a repair? Do you send your computer, packed with personal data, to a repair company? Do they safeguard that data? Do you have a written contract about that? Can you avoid sending them the hard disk with the data, for example by removing the disk first?
  • What do you do with your broken computer? Have you wiped your hard disk? Formatting is not enough: it only removes the file system's index and the data itself can usually be recovered. Overwriting tools work for conventional hard disks but are unreliable on SSDs because of wear levelling; use the drive's own secure-erase function or, if the drive was encrypted from the start, simply destroy the key. Some governmental bodies and companies that are very serious about their data physically destroy a hard disk by drilling holes in it, or use a special hard disk shredder.

Note: where this article says hard disk, read hard drive or SSD (solid state drive) as well.

What every browser knows about you

A browser reveals more information about you than you probably know: location, software versions, services you are currently logged in to, ...

You will be astonished how much information this is.

Browsers like Firefox, Chrome, Safari and Brave have add-ons for blocking trackers and controlling cookies; these may help you.

  • Open the same link with a browser in private mode (in Firefox: Ctrl+Shift+P) and you will see the difference. However, private mode only discards cookies and history; your IP address (and therefore your approximate location) is still transmitted.
  • Even if you have installed privacy protection add-ons in your browser, the combination of your operating system + browser + configuration settings is probably unique. Therefore you are still identifiable; this is called browser fingerprinting.
  • Panopticlick (from the Electronic Frontier Foundation) shows you how unique you are: https://panopticlick.eff.org/
  • http://webkay.robinlinus.com/
  • Another website does something similar: https://amiunique.org/fp

You can protect your browser by installing a plugin:

  • Firefox: NoScript
  • Chrome: ScriptSafe

Removing data in Joomla

When removing data from your Joomla website, you have to think about a couple of possible issues.

Articles

  • When you remove an article, it is moved to the "trash". The article is still in the database and can be restored: only the state column of the article (in the #__content table) has been changed to -2 (trashed).
    To remove it permanently, go to Content > Articles > Search Tools (button), set the "Select Status" filter to "Trashed", select the articles to be removed permanently and choose [Empty trash].

Versioning

  • Some extensions use "versioning", meaning that when you save an existing item, the old version is kept so that you can roll back. If you remove information from an existing article while versioning is switched on, the removed information is still in the database (in the #__ucm_history table) and can be accessed via "Versions". Delete the old versions there too, or switch versioning off in the article options.

User Manager

  • When you remove a user, the user is removed immediately and not stored in the "trash" like articles.
  • When you remove a user who has written articles, those articles no longer have an associated user and administrators will see a warning.
    Alternatively you can edit the user, remove or change the name + email address, and block the account.

Smart Search

  • Smart Search is a search method that completes your search keywords while you type them in the search box. In order to suggest words, it indexes all your articles. When you remove an article, its words may still be in the database tables of the Smart Search component (the tables whose names start with #__finder_). After removing articles, re-run the indexer (Components > Smart Search > Index) or clear the index so that the removed content disappears from it.

Other

  • Akeeba Backup might keep backups on the server
  • RSForm Pro might store user input from forms in the database

Third party extensions for Joomla 

PixGDPR (paid)

  • Create a "Forget me" functionality in Joomla. Registered users can wipe their profile with one click.
  • Users can download a sheet, generated on the fly, with all their user-related data.
  • 3rd party extension developers can create plugins to extend this to their extensions as well
  • More information: https://pixpro.net/labs/extensions/pixgdpr

RCP User (paid)

RSForm Clean Up (free)

  • CLI script to automatically remove RSForm form input after a certain time
  • The script must be placed in the /cli/ folder of Joomla.
  • In the script you can adjust how long the form input should be saved
  • Using a crontab on the server, the script can be started automatically at specified times.
  • More information: https://gist.github.com/pe7er/47bf1020b12ef29df8603fa80d1fdccd

Privacy Shield

The European Union (EU) and the United States of America (USA) have set up a mechanism to comply with data protection requirements when transferring personal data from the EU to the USA.

Under the GDPR, the EU does not allow the transfer of personal data of its citizens to a country outside the EU unless that country has an adequate level of data protection (the European Commission decides which countries qualify). When you use companies like Google, Dropbox, Amazon Web Services, etc., you might store privacy-related data in the cloud, which could easily be outside the EU. As "adequate" is not something you can judge yourself, organizations should check whether their US provider is certified under the EU-US Privacy Shield.

What’s the deal? Is HTTPS important or not?

The idea of HTTPS has always been a good one, and most leading businesses implemented it a long time ago.

However, somewhat recently, Google announced that HTTPS is a ranking factor.

Obviously, that got SEOs talking about and debating the subject. At the time, it was a very small ranking factor, affecting less than 1% of global searches.

However, security is something that Google takes very seriously, and it’s likely to become more important in the future.

Under the GDPR, HTTPS is the preferred way: it encrypts everything between the visitor's browser and your server, so form input, login credentials and session cookies cannot be read or altered on the way. Once the whole site is on HTTPS, redirect http:// requests to https:// and mark session cookies as Secure.

Google Font - provide your own

If you use Google Fonts, they are probably loaded every time somebody opens your website in a browser. The font file is hosted by Google and, as an external resource, it is downloaded from Google's servers on every page load, so Google sees the visitor's IP address. We will tell you how to provide web fonts from your own server.

In your browser, for example Chrome, press F12 to open the developer tools. Click on the "Network" tab and reload the page (F5). Then filter on "Fonts" in the filter field. You will probably see some new lines now. If you move your mouse pointer over the name of the font, you will see the URL. Google Fonts are loaded from a domain called "fonts.gstatic.com" (the stylesheet that references them comes from "fonts.googleapis.com"). If you use another web font provider, its URL will be shown here too. If the URL starts with your own domain, the font file is already hosted on your own web host.

In this example the font is called "sintony", as you can see in the URL. Now look up your font on https://fonts.google.com and, after selecting it, download the font files as a .zip. Put the files on your own server, add @font-face rules to your CSS that point to the local files, and remove the fonts.googleapis.com link from your template. Then reload the page with the Network tab open to confirm that no request goes to Google anymore.


Here is a link for WordPress sites: https://www.news47ell.com/how-to/host-google-fonts-locally-wordpress/

Encryption

One main recommendation to ensure data security under the GDPR is encryption of data at rest and data in transit. There are many different ways and tools.

For all these encryption tools: be careful. If you lose your password, key file or other authentication method, you will not be able to regain access to your data, so keep a recovery key in a safe place.

  • If you are on a Windows computer and you use Windows 10 Pro, you can activate BitLocker for free. It encrypts your whole Windows installation.
  • On some Linux distributions like Debian Linux, you can choose during installation to format your hard disk as an encrypted LVM volume.
  • For partial encryption of your drive you can consider VeraCrypt. It is an open source utility to encrypt your data: https://en.wikipedia.org/wiki/VeraCrypt
  • If you use cloud storage you can consider Boxcryptor, an end-to-end encryption tool for e.g. Dropbox, Google Drive, OneDrive, ...: https://www.boxcryptor.com/en/
  • For single files, you can consider encrypting a zip archive with 7-Zip and a strong password (choose the 7z format with AES-256 and enable "Encrypt file names", otherwise the file names stay readable): https://www.7-zip.org/7z.html
  • For transmitting data to other people, you can use something like PrivateBin, which you can host yourself: https://privatebin.info/ (source code on GitHub). Send the password or link through a different channel than the data itself.

We will add more tips in the next weeks.

Contact form GDPR-compliance

Why do I need the field in the contact form?

If you collect personal data on your website, e.g. through a contact form or a newsletter subscription, you must inform the people concerned whether you pass on the data to someone else, where and for how long you store it, how it is transmitted to you, ...

You can add an extra field to have the visitor confirm the privacy policy.

Paper documents

The paperless office is a nice concept but might still be science fiction. People often forget that paper can contain personal data and that GDPR applies there too.

Printing documents

  • Modern copy machines and large office printers often have an internal hard disk that stores all the documents you print or copy. Wipe or remove that disk before the device is returned, sold or disposed of.
  • What do you do with misprints or faulty copies? Do you throw them in the dustbin? Please see the item about destroying documents.

Storing documents

  • You might have taken technical measures regarding access to electronic documents. What measures do you take to protect the documents that are printed and stored in a binder in your office?
  • How long do you keep your printed documents?

Destroying documents

  • Recycling old paper documents so that they can be used to make new paper is a good idea from an environmental point of view.
    Do you use a shredder to destroy all documents that contain personal information?

WordPress GDPR compliance

The WordPress core development team is working on making WordPress GDPR compliant.

WordPress GDPR compliance

At the moment there's a beta version available for testing: WordPress 4.9.6 Beta 1.
That Beta release is focused on adding privacy enhancements to the WordPress core.

WordPress 4.9.6 Beta 1 is available here: https://make.wordpress.org/core/2018/05/03/wordpress-4-9-6-beta/

Some new features in WordPress regarding GDPR

  • Privacy Policy Page
    Adds functionality to create a Privacy Policy page with some prefilled information that has to be adapted for your own site,
    or to link to an existing privacy policy page
  • Export Personal Data
    Adds the possibility for users to export their personal data from a WordPress website
  • Remove Personal Data
    Adds a function for its users to remove their personal data entirely from a WordPress website
  • Commenter Opt-in for Cookies
    When a visitor leaves a comment on a WordPress website, a cookie will be saved so that the authors name + email + website can be used for the next comment. To comply with the GDPR the next WordPress version will get an Opt-in "Save my name, email and website in this browser for the next time I comment" that is unchecked by default.

More information about the effort to make WordPress GDPR compliant: https://make.wordpress.org/core/tag/gdpr-compliance/

Joomla GDPR compliance

The Joomla Project is working on a GDPR-oriented Joomla release including tools to help you with the privacy of your websites.

Joomla GDPR compliance

The next version of Joomla CMS, Joomla 3.9, will get a Privacy Tool Suite that makes it easier for site owners to comply with the GDPR, and for developers to get their extensions GDPR compliant.

Joomla 3.9

The project is working to get the following privacy tools into Joomla 3.9 in order to make Joomla GDPR compliant:

  • Consent Project Board:
    • get consent of registered users (form plugin)
    • track consent of registered users 
    • log their activities
    • take care about the consent retention time
  • Information Requests Project Board 
    Facilitate your workflow related to your user requests:
    • make it easier to the users to submit information requests
    • track the status of the users requests
    • let the user access and download their data.
  • Core API Project Board
    Provide an API for extension developers so they can report the data they collect and this info can be displayed in the new com_privacy extension  

Joomla needs your help!

The Joomla project invites anyone to help and work on Joomla GDPR compliance.
Join the dedicated repository to help in making this release a success for the project.
They are looking for coders to write code, testers to provide quality assurance for the release, and copywriters to write the feature documentation.

For more information, see the Privacy Framework repository: https://github.com/joomla-projects/privacy-framework

AcyMailing

A popular newsletter extension for Joomla is Acymailing. A digital newsletter is a nice way to keep in touch with your customers and people who are interested in your website or service. However, the GDPR requires you to take care of things like opt-in, data storage and unsubscribing.

Acymailing

Acymailing is a newsletter extension for Joomla which consists of a component, some modules and some plugins. You install it on your own Joomla site. It stores names, email addresses and IP addresses (for spam protection). In the administrator back-end you can see the names and email addresses, but the current version does not show the IP addresses; they can only be seen in the database tables of this extension.

Documentation and downloads are available at: https://www.acyba.com/ 

Acymailing and GDPR

At the moment the developer is implementing some new features to make it easier for its users to comply with the GDPR. 
Update May 16, 2018: a new GDPR-related version is out: https://www.acyba.com/acymailing/change-log.html

And information about how to configure Acymailing to be compliant with the GDPR: 
https://www.acyba.com/acymailing/541-how-to-configure-acymailing-to-be-compliant-with-the-gdpr.html

Some general tips 

  • Check that your form is submitted over https (TLS) so that the input travels over an encrypted connection
  • Use double opt-in if available
  • Inform (future) subscribers that their IP address will be stored in the database, for how long and for what purpose
  • Inform subscribers how they can unsubscribe again
  • Take care when importing or sending to recipient lists: a list of names and email addresses is personal data

Mailchimp

A popular Software as a Service for sending newsletters is Mailchimp. Newsletters are a nice way to keep in touch with your customers and interested people. Regarding the GDPR you will have to take care of a couple of things regarding opt-in, data storage and unsubscribing.

Mailchimp

It is an external service. The service encrypts the transport from the browser to its servers using TLS/SSL.
The service is available at: https://mailchimp.com/ 

Mailchimp and GDPR

Some questions:

  • Where do they store your subscribers' email addresses (inside or outside the EU)?
  • Do they store IP addresses? For what purpose? For how long?
  • Do you have a processor contract with them?

A knowledge base article from Mailchimp about GDPR: https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation 
Mailchimp has some GDPR tools for their service: https://blog.mailchimp.com/gdpr-tools-from-mailchimp/ 

Some general tips  

  • Use double opt-in if available
  • Inform people how they can unsubscribe again
  • Take care when importing or sending to recipient lists: a list of names and email addresses is personal data

VirtueMart

A popular webshop extension for Joomla is VirtueMart. With a webshop you need to store personal information like name and address for legal obligations (invoices) and to fulfil your contract (the order).

VirtueMart

This component has been available since 2005. It is a highly configurable and customizable multi-language shopping cart solution for Joomla 2.5 and Joomla 3.

Website: https://virtuemart.net/ 

Virtuemart and GDPR

Interesting discussion about what to consider / change in Virtuemart: 
http://forum.virtuemart.net/index.php?topic=140063.0

Safety measure

For security reasons (to protect possible personal data on invoices), it is advised to put the invoices folder outside the web root of the website. You can configure the folder ("Safe path") that VirtueMart uses for storing invoices and downloadable files in the VirtueMart configuration:

VM Configuration > Templates > Media File Settings

Check: a file in the safe path must not be reachable with a URL. If you can open an invoice by typing its path in the browser's address bar, the folder is still inside the web root.

Visit the Virtuemart documentation for more information. 

General tips for webshops 

  • use https (TLS) for your website so that all communication travels over an encrypted connection
  • inform your visitors and customers about cookies
  • only collect necessary data
  • check your payment providers: they are processors and you need processor contracts with them
  • inform what data is stored and for how long
  • if you store IP addresses, inform people
  • are you using a currency converter? Is it an external JavaScript that sends your visitors' IP addresses to a third party?

J2Store

J2Store is a popular webshop for Joomla. Webshops need to store personal information (like name and address) for legal obligations (invoices) and to fulfil their contract (the order) with the customer.

J2Store

J2Store is a native Joomla shopping cart and e-commerce extension. It works in a unique way: it lets webshop owners use Joomla articles as products by adding product details to the articles.

Website:  https://www.j2store.org/ 

J2Store and GDPR

Recently, J2Store released a free GDPR Compliance Tool for J2Store with the following functionality:

  • a GDPR consent and privacy policy link at the checkout (like the terms and conditions).
    You can use this to ask an EU customer for consent to store his or her personal data (like the address)
  • Delete address button, so the customer can choose to delete the address stored on the site.
  • Adds a Delete All Addresses button.
    One-click deletion of all addresses of the customer (only for registered users).
    NOTE: the address associated with an order is not deleted.
  • A request form that the customer can use to request that all his or her personal data associated with orders be deleted.
  • Editing / deleting activities can be logged and/or notified to both the customers and/or administrators.
  • email notifications about activities in the app settings can be turned on/off
  • the activity log can be turned on/off 
  • More information about this extension: https://www.j2store.org/extensions/apps/gdpr-compliance.html

Furthermore the developer offers some information about how to make your webshop GDPR compliant: 
https://www.j2store.org/blog/gdpr-how-is-it-important-for-small-and-medium-businesses.html 

General tips for webshops 

  • use https (TLS) for your website so that all communication travels over an encrypted connection
  • inform your visitors and customers about cookies
  • only collect necessary data
  • check your payment providers: they are processors and you need processor contracts with them
  • inform what data is stored and for how long
  • if you store IP addresses, inform people
  • are you using a currency converter? Is it an external JavaScript that sends your visitors' IP addresses to a third party?

RSForm Pro

RSForm Pro is a well known form generator component for Joomla. When you use a form you could collect personal data. If so, you have to inform people how the data is saved and transmitted, how long you store it and if you transmit it to other recipients.

RSForm Pro

RSForm Pro is an advanced form component to create your own forms in Joomla. It supports multiple languages, conditional fields, responsive layouts, captcha protection and custom PHP code.

Website: https://www.rsjoomla.com/joomla-extensions/joomla-form.html  

RSForm Pro and GDPR

  • RSForm Pro can be configured to send an email notification to the visitor and the site admin. Even if your site uses https://, the email is sent separately by your mail server and may travel unencrypted: SMTP only uses TLS when both mail servers support it, and the message is stored in plain text in the mailboxes at both ends.
  • By default RSForm Pro stores the submitted form data in the database. In case of email problems it is nice to have a backup of the submissions in your database. However, if you do not remove old submissions manually, they remain in your database forever.
    RSForm Pro has an option to not store any submission information in the database: it is a configuration option in each form; in the Form Info tab set the "Save data to database" option to No.
  • The recent version of RSForm Pro has an option to automatically delete submissions after a period of time. The duration before the submissions are deleted can be configured separately per form.
  • You can also use a CLI script to remove all data older than 1 month: https://gist.github.com/pe7er/47bf1020b12ef29df8603fa80d1fdccd
    (Technical info: this script can run automatically if it is added as a cron job on your server)
  • Information from the developer RSJoomla about creating GDPR Compliant forms with RSForm Pro: 
    https://www.rsjoomla.com/blog/view/433-create-gdpr-compliant-forms-in-joomla-with-rsformpro.html 
  • The recent version of RSForm Pro has an option to let users view and delete their submissions via the "Submissions directory" menu item,
    and a delete function to remove their own submissions through an encrypted link available in the component emails.
    More information: https://www.rsjoomla.com/blog/view/442-rsjoomlas-approach-to-gdpr-compliance.html

General tips for forms 

What you have to consider when using forms on your website:

  • Only collect necessary data. On a normal contact form you don't need a date of birth or an address.
  • Use https on your website to protect the data that is communicated through the form.
  • Email notifications will probably be sent in plain text from your server to the visitor and/or administrator.

Breezing Forms

Breezing Forms is a form generator component for Joomla.  With forms you could collect personal data. If you collect personal data then you have to inform people how that data is saved and transmitted, how long you store it and if you transmit it to other recipients.

Breezing Forms

Breezing Forms is a free Joomla form generator extension. It enables you to create any kind of feedback form in a very short time.
Website: https://crosstec.org/en/downloads/breezingforms-for-joomla.html 

Breezing Forms and GDPR

General tips for forms 

What you have to consider when using forms on your website:

  • Only collect necessary data. On a normal contact form you don't need a date of birth or an address.
  • Use https on your website to protect the data that is communicated through the form.
  • Email notifications will probably be sent in plain text from your server to the visitor and/or administrator.

Hikashop

Hikashop is a popular webshop extension for Joomla. Webshops need to store personal information like name and address for legal obligations (invoices) and to fulfil a contract (the order).

Hikashop

HikaShop is a native E-Commerce extension for all versions of Joomla. It is built for simplicity and flexibility. It offers a wide range of marketing tools, and statistics to help the admins manage their store.

Website:  https://www.hikashop.com/ 

Hikashop and GDPR

In HikaShop, if a visitor who is not logged in adds a product to the cart, HikaShop stores the visitor's IP address. In the HikaShop configuration you can add a "terms and conditions" view to your "checkout workflow" to get a checkbox during checkout. You can customize the text using a language override.

General tips for webshops

  • use https (TLS) for your website so that all communication travels over an encrypted connection
  • inform your visitors and customers about cookies
  • only collect necessary data
  • check your payment providers: they are processors and you need processor contracts with them
  • inform what data is stored and for how long
  • if you store IP addresses, inform people
  • are you using a currency converter? Is it an external JavaScript that sends your visitors' IP addresses to a third party?

WooCommerce

WooCommerce is the most popular eCommerce platform for WordPress. 

WooCommerce

The e-commerce platform for WordPress was created by WooThemes in September 2011. Automattic, the company behind WordPress.com and a major contributor to WordPress, acquired WooThemes in May 2015.

WooCommerce is free to download as a plugin from the WordPress.org plugin directory. You can easily set up a simple webshop for free. For more advanced webshops or for some payment plugins, you have to purchase premium themes and plugins.

https://woocommerce.com/

WooCommerce and GDPR

https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/ 

General tips for webshops 

  • use https (TLS) for your website so that all communication travels over an encrypted connection
  • inform your visitors and customers about cookies
  • only collect necessary data
  • check your payment providers: they are processors and you need processor contracts with them
  • inform what data is stored and for how long
  • if you store IP addresses, inform people
  • are you using a currency converter? Is it an external JavaScript that sends your visitors' IP addresses to a third party?

GDPR Infographic

The European union has an infographic available about the different components of the GDPR.

According to the EU, the GDPR brings better rules for small businesses. From 25 May 2018 citizens have more control over their data, and businesses have to comply with just one set of rules across the EU (in the past each EU country had its own privacy regulations).

More information for Small and medium-sized enterprises (SMEs): https://ec.europa.eu/justice/smedataprotect/index_en.htm

Cookies

A cookie is a small piece of data that a website sends to your browser; the browser stores it locally and sends it back with every later request to that website. Websites use it to recognize a visitor across requests.

Cookies

There are three different types of cookies:

  • Session cookies: these cookies are only used during your visit (a session) and are automatically removed when you close your browser.
    Example: the shopping cart of an online shop that keeps track of all the items you add to your basket
  • Persistent cookies: these cookies are used for future visits and stay on your computer after you close your browser.
    Example: a cookie that contains a token representing your login session (it should never contain the password itself) so that you do not have to log in every time you visit the site
  • Third-party cookies: these cookies are set by a domain other than the website you are visiting and are used for collecting information about visitors across sites.
    Example: cookies from an advertising network or from an embedded social media button. (Google Analytics cookies are set on your own domain by Google's script; they carry a random client ID so that different visitors sharing one IP address, for example an office behind one internet gateway, can be told apart.)

Cookies and GDPR

For consent purposes (the GDPR itself does not define cookie types; that comes from the ePrivacy rules and national guidance), cookies are usually grouped into three types:

  • Functional cookies: these cookies are needed for a properly functioning website and need no consent.
    Example: a shopping cart, or remembering that you are logged in
  • Analytical cookies: these cookies are used to generate statistics about visitors.
    Example: Google Analytics cookies
  • Tracking cookies: these cookies are used to follow visitors across websites and mailings for marketing purposes, and require consent.

Cookie Tool

To see all the cookies that you get from a website, you can use the developer tools of a browser like Google Chrome:

  • Right-click on a web page
  • Choose "Inspect"
  • Click on the [Application] tab
  • Under "Cookies" you should see the site that you are visiting; other domains listed there are the sources of third-party cookies
  • Right-click on it and choose "Clear" to remove all cookies
  • If you refresh the page, you will see which cookies are created again, and the Expires / Max-Age column shows whether a cookie is a session cookie or a persistent one

You could also use some online tools to check the cookies that are set,
for example: http://www.cookie-checker.com/
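
The classification from the three sections above (session vs persistent, first- vs third-party, and the security attributes to look for), applied to raw Set-Cookie headers as an added example (not code from the page or from any of the tools linked). The four headers are constructed sample data; the registrable-domain check is approximated by the last two labels, so "co.uk"-style suffixes would need a public-suffix list.

```javascript
// Added example, not code from the page: classify the cookies a page sets from
// their raw Set-Cookie headers, the way the DevTools "Application" tab shows
// them: session vs persistent, first- vs third-party, and whether the security
// attributes are present. The headers below are constructed sample data.
// Node.js only.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false, httpOnly: false, sameSite: null, domain: null, expires: null, maxAge: null,
  };
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split('=');
    const v = rest.join('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'expires': cookie.expires = new Date(v); break;
      case 'max-age': cookie.maxAge = parseInt(v, 10); break;
      default: break;
    }
  }
  return cookie;
}

// Registrable domain, approximated by the last two labels (no public-suffix
// list here; "co.uk"-style suffixes would need one).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// A cookie is persistent when it carries Max-Age or Expires; Max-Age <= 0 deletes it.
function lifetime(cookie) {
  if (cookie.maxAge !== null) return cookie.maxAge <= 0 ? 'deleted' : 'persistent';
  if (cookie.expires) return 'persistent';
  return 'session';
}

// Classify a cookie set by `responseHost` while the visitor is on `pageHost`.
function classify(header, responseHost, pageHost) {
  const c = parseSetCookie(header);
  const setter = c.domain || responseHost;
  const party = siteOf(setter) === siteOf(pageHost) ? 'first-party' : 'third-party';
  const warnings = [];
  if (!c.secure) warnings.push('missing Secure');
  if (!c.httpOnly) warnings.push('missing HttpOnly (readable by page scripts)');
  if (!c.sameSite) warnings.push('missing SameSite');
  return { name: c.name, party, lifetime: lifetime(c), warnings };
}

// Constructed sample: what a shop page on www.example.org might receive. Note
// that _ga is set by Google's script but on your own domain, so by the browser's
// definition it is first-party; the data it carries still goes to Google.
const SAMPLE_COOKIES = [
  { host: 'www.example.org', header: 'sessionid=a3f9c1; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example.org', header: 'remember_me=t0k3n; Max-Age=2592000; Path=/; Secure; HttpOnly' },
  { host: 'www.example.org', header: '_ga=GA1.2.123.456; Domain=.example.org; Expires=Thu, 01 Jan 2020 00:00:00 GMT; Path=/' },
  { host: 'www.facebook.com', header: 'fr=abc; Domain=.facebook.com; Max-Age=7776000; Path=/; Secure; SameSite=None' },
];

// One report line per cookie for the page the visitor is on.
function report(samples, pageHost) {
  return samples.map((s) => classify(s.header, s.host, pageHost));
}
```

The warnings are the checks worth adding to your own cookies: a session cookie without Secure travels over plain http if anything on the page is still loaded that way, without HttpOnly any injected script can read it, and without SameSite it is sent along with cross-site requests.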

Newsletter

Newsletters are a nice way to keep in touch with your customers and people who are interested in your website. However, you will have to take care of a couple of things regarding opt-in, data storage and unsubscribing.

  • Check that your subscription form is submitted over https (TLS) so that the input travels over an encrypted connection
  • Use double opt-in if available
  • If you store IP addresses (e.g. AcyMailing does), inform people
  • Check in your database what is actually stored: some extensions store more (such as IP addresses) than they show in the back-end
  • Inform people how they can unsubscribe again
  • Take care when importing or sending to recipient lists: a list of names and email addresses is personal data
  • Have an unsubscribe link near the subscribe link
  • Use encryption when you exchange recipient lists (a password-protected zip archive, or a service like PrivateBin)

Newsletter solutions

Some popular electronic newsletter solutions are: