Preparing for GDPR
Because the EU General Data Protection Regulation (GDPR) is coming into effect next month, I have been trying to make sure my website and game services are compliant. As neither the website nor the services require registration or login, there wasn't much personal data being collected to begin with. I have always been wary of storing any sensitive data, so naturally my aim is to not collect any personal data that would require user consent according to GDPR.
Nearly all services running on the host log IP addresses and those will be considered personal data. I can't disable logging completely as that information is crucial for detecting and preventing network problems, hack attempts, service misuse, etc. Instead, I set up all logs containing IP addresses to be deleted after 12 weeks. Similarly, all IP addresses are purged from game service databases like high score tables. This limited IP address storage should fall within "legitimate interest".
The big problem was third-party code running on the website. I was surprised by the number of cookies set by embedded videos and widgets. Here's what I did to improve the situation:
- Google Analytics was completely removed as I haven't been using it that much anyway. I might reconsider this later if I can find a way to do that without collecting any personal data and thus not having to ask for user consent.
- The ShareThis social media sharing widget was replaced by direct share links to social media sites.
- The Gfycat video player widget was replaced by an HTML5 video player.
- YouTube embeds were set to use privacy-enhanced mode that should not store any cookies on load.
- The Itch.io widget was replaced by a link to downloads.
According to multiple online cookie checkers, no tracking cookies are created. Playing embedded videos will still access external resources and potentially allow third-party servers to store data provided by the browser. I don't know how I could prevent this unless I self-host everything.
Edit 2018-05-22: It turned out that the no-cookie version of YouTube embeds may still track users even before playing the video, so I changed the code so that the actual YouTube embed is only loaded once the user clicks on the preview image to play the video. This also made pages load a bit faster.
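The click-to-load approach from the edit above, written out as an added example (not the site's actual code). The `yt-lazy` class, the `data-video-id` attribute and the function names are assumptions, and the preview image is taken to be hosted on the site itself so that nothing is requested from YouTube before the click.

```javascript
// Added example: click-to-load YouTube embed.
// Assumed markup (hypothetical names):
//   <a class="yt-lazy" data-video-id="..."><img src="/img/preview.jpg"></a>

const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // shape of a YouTube video id

// Build the privacy-enhanced embed URL. Anything that is not a plain id is
// rejected so a malformed data attribute cannot turn into a different URL.
function embedUrl(videoId) {
  if (typeof videoId !== "string" || !VIDEO_ID.test(videoId)) {
    throw new Error("invalid video id");
  }
  return "https://www.youtube-nocookie.com/embed/" + videoId + "?autoplay=1";
}

// Replace the placeholder with the real iframe. This is the first point at
// which the browser contacts a third-party server.
function activate(placeholder, doc) {
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("src", embedUrl(placeholder.getAttribute("data-video-id")));
  iframe.setAttribute("allow", "autoplay; encrypted-media");
  iframe.setAttribute("allowfullscreen", "");
  // Send only the site origin as referrer, not the full page URL.
  iframe.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
  placeholder.parentNode.replaceChild(iframe, placeholder);
  return iframe;
}

// Attach a one-time click handler to every placeholder; returns how many
// placeholders were found.
function installLazyEmbeds(doc) {
  const nodes = doc.querySelectorAll(".yt-lazy[data-video-id]");
  nodes.forEach(function (node) {
    node.addEventListener("click", function (event) {
      event.preventDefault();
      activate(node, doc);
    }, { once: true });
  });
  return nodes.length;
}

// Browser entry point; skipped when no document exists (e.g. under Node).
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", function () {
    installLazyEmbeds(document);
  });
}
```

The browser's network tab should show no requests to YouTube domains until a preview image is clicked.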
Posted on 2018-04-23