Preparing for GDPR

Because the EU General Data Protection Regulation (GDPR) is coming into effect next month, I have been trying to make sure my website and game services are compliant. As neither the website nor the services require registration or login, there wasn't much personal data being collected to begin with. I have always been wary of storing any sensitive data so naturally my aim is to not collect any personal data that would require user consent according to GDPR.

Nearly all services running on the host log IP addresses and those will be considered personal data. I can't disable logging completely as that information is crucial for detecting and preventing network problems, hack attempts, service misuse, etc. Instead, I set up all logs containing IP addresses to be deleted after 12 weeks. Similarly, all IP addresses are purged from game service databases like high score tables. This limited IP address storage should fall within "legitimate interest".

The big problem was third party code running on the website. I was surprised by the number of cookies set by embedded videos and widgets. Here's what I did to improve the situation:

According to multiple online cookie checkers, no tracking cookies are created. Playing embedded videos will still access external resources and potentially allow third party servers to store data provided by the browser. I don't know how I could prevent this unless I self-host everything.

Edit 2018-05-22: It turned out that the no-cookie version of YouTube embeds may still track users even before the video is played, so I changed the code so that the actual YouTube embed is only loaded once the user clicks on the preview image to play the video. This also made pages load a bit faster.
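The click-to-load embed described in the edit above, as an added example written for this post (it is not the site's own code): the page ships only a self-hosted preview image, and the third-party iframe is created after the click. The placeholder markup (`div.yt-placeholder` with a `data-video-id` attribute) and the sample video id are assumptions.

```javascript
// Click-to-load YouTube embed: nothing contacts YouTube's servers until the
// visitor clicks the locally hosted preview image.

// YouTube video IDs are 11 characters from this alphabet; rejecting anything
// else keeps an untrusted data- attribute from becoming an arbitrary URL.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

function buildEmbedUrl(videoId) {
  if (!VIDEO_ID_RE.test(videoId)) {
    throw new Error(`invalid YouTube video id: ${videoId}`);
  }
  // youtube-nocookie.com is the "privacy-enhanced" embed host; autoplay=1
  // starts playback so the visitor does not have to click twice.
  return `https://www.youtube-nocookie.com/embed/${videoId}?autoplay=1`;
}

function embedAttributes(videoId) {
  // Minimal attribute set for the player iframe; the referrer policy keeps
  // the full page URL from being sent along with the embed request.
  return {
    src: buildEmbedUrl(videoId),
    allow: 'autoplay; encrypted-media; picture-in-picture',
    allowfullscreen: '',
    referrerpolicy: 'strict-origin-when-cross-origin',
  };
}

// Replace <div class="yt-placeholder" data-video-id="..."> (assumed markup,
// containing a self-hosted <img>) with the real player.
function activateEmbed(placeholder) {
  const iframe = document.createElement('iframe');
  const attrs = embedAttributes(placeholder.dataset.videoId);
  for (const [name, value] of Object.entries(attrs)) {
    iframe.setAttribute(name, value);
  }
  iframe.width = placeholder.dataset.width || '560';
  iframe.height = placeholder.dataset.height || '315';
  placeholder.replaceWith(iframe);
  return iframe;
}

// Wire every placeholder on the page; guarded so the module also loads
// outside a browser.
if (typeof document !== 'undefined') {
  document.querySelectorAll('.yt-placeholder').forEach((el) => {
    el.addEventListener('click', () => activateEmbed(el), { once: true });
  });
}
```

The preview image has to be served from your own host; pulling it from YouTube's thumbnail server would contact a third party before the click and defeat the purpose.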


Posted on 2018-04-23