
Hi all,

It seems that the world wide web contains millions of articles by know-it-alls who talk about GDPR but I'm really struggling to find any kind of privacy policy that basically says:

'I don't collect personal details from you. If you email me, I'll email you back and that's about it'.

Has anyone come across anything that freelancers can use on their sites?


I'm facing the same issue, I'm not worrying about it too much and instead keeping it simple (as GDPR says it must be clear).

40 minutes ago, NOCK said:

'I don't collect personal details from you. If you email me, I'll email you back and that's about it'.

... pretty much what I'm saying too with a few extra bits like "I don't have a mailing list", "I use Google Analytics to improve my site" with a link to their policy, "I use session cookies simply to hide this banner when you have clicked ok" etc.

I'm trying not to overcomplicate it.

39 minutes ago, BrowserBugs said:

I'm facing the same issue, I'm not worrying about it too much and instead keeping it simple (as GDPR says it must be clear).

... pretty much what I'm saying too with a few extra bits like "I don't have a mailing list", "I use Google Analytics to improve my site" with a link to their policy, "I use session cookies simply to hide this banner when you have clicked ok" etc.

I'm trying not to overcomplicate it.

The whole thing is nuts.. I've erred on the side of caution big-time and removed Google Analytics, Hotjar, and Google Maps... I just can't be bothered with the aggro considering I can't take on any more work and can't remember the last time I looked at GA or HJ. Any thoughts on what I've written so far? Very much a WIP.... https://www.james-nock.co.uk/privacy/


I know caution mate, might be a bit overkill. I've been looking at different companies' approaches, take a look at TSO Cookies as it names the cookies and what each does, covers GA and Hotjar (even though their tables are screwed, will need to inspect).

Edit: Google has announced a new privacy policy, I'll be linking to it when live to save repeating myself.

Edited by BrowserBugs
Forgot summit


It's not really about cookies, it's more about how to secure personal identifiers.

For example, if you keep client data in a spreadsheet your privacy policy needs to document how it is secured. You need to detail how you manage emails (eg: deleting emails from past clients or enquiries that don't result in work). You don't need to get cookie consent either as it doesn't have personal identifiers.

@NOCK, that's a pretty good policy.

Edited by fisicx

26 minutes ago, fisicx said:

You don't need to get cookie consent either as it doesn't have personal identifiers.

OMG I'm a dumb ass, "The Directive gave individuals rights to refuse the use of cookies that reduce their online privacy." source. Session cookies don't use personal information 😵

On 5/12/2018 at 5:05 PM, BrowserBugs said:

Session cookies don't use personal information 😵

Maybe not personal information but if you store UserAgent / IP Address etc. in session cookies you could use them to build a profile on a user and that's also a 'no-no'. I also had a problem recently where PrivacyBadger/Ghostery etc. were blocking session cookies and so killing a piece of SaaS... so I'm also trying to reduce dependence on them going forwards as privacy tools like that are getting more and more popular these days.

I've just updated my WIP (would REALLY like some constructive feedback)... and on further reading it looks like all freelancers that collect/process data (so all of them!) will need to register with the ICO, for £35 per year! https://ico.org.uk/for-organisations/register/self-assessment/

I'm surprised this thread hasn't gotten more attention given that we're now less than a fortnight away from this really mattering.

Edited by NOCK


Your policy looks ok. I'm personally reading through my clients' when they ask me to update so I can see each approach and hopefully confirm my own. It's interesting to see each take on it, last one I updated included about sharing limited information with their accountant (third party), another about right of removal not able to be done in the case of invoices already paid obviously due to tax reasons, they're all so different :s

3 hours ago, NOCK said:

Maybe not personal information but if you store UserAgent / IP Address etc. in session cookies you could use them to build a profile on a user and that's also a 'no-no'. I also had a problem recently where PrivacyBadger/Ghostery etc. were blocking session cookies and so killing a piece of SaaS... so I'm also trying to reduce dependence on them going forwards as privacy tools like that are getting more and more popular these days.

I think it's more aimed at organisations who have been using underhanded tactics to generate data ... I'm getting a lot of emails about "please don't leave us" to mailing lists I never signed up to so it's having some effect. Storing IP in a session cookie is fine IMO as it's not persistent, it's the saving anything to the server after the session ends, so in the case of session cookies you're not storing their data, it's only the user data you hold once logged in. All my clients' sites with logins, if the user blocks session cookies the login forms change to a notice saying they cannot log in without them on. We can't make the world cookie free.

Edited by BrowserBugs

8 minutes ago, BrowserBugs said:

Your policy looks ok. I'm personally reading through my clients' when they ask me to update so I can see each approach and hopefully confirm my own. It's interesting to see each take on it, last one I updated included about sharing limited information with their accountant (third party), another about right of removal not able to be done in the case of invoices already paid obviously due to tax reasons, they're all so different :s

I think it's more aimed at organisations who have been using underhanded tactics to generate data ... I'm getting a lot of emails about "please don't leave us" to mailing lists I never signed up to so it's having some effect. Storing IP in a session cookie is fine IMO as it's not persistent, it's the saving anything to the server after the session ends, so in the case of session cookies you're not storing their data, it's only the user data you hold once logged in. All my clients' sites with logins, if the user blocks session cookies the login forms change to a notice saying they cannot log in without them on. We can't make the world cookie free.

Cheers, your point about the accountant is great and something that a lot of companies will probably miss!

You shouldn't need to store IP in a session cookie, as you have it in the SERVER superglobal anyway don't you (assuming php).

3 minutes ago, NOCK said:

Cheers, your point about the accountant is great and something that a lot of companies will probably miss!

You shouldn't need to store IP in a session cookie, as you have it in the SERVER superglobal anyway don't you (assuming php).

I never do, was more an example of "you could for some reason" because it'll trash on session end. :)


Do any of you know how businesses are supposed to be informed about GDPR? Maybe you've had campaigns in the UK, but it seems like we've actively had to go out to every client to let them know, which is a nightmare when you're a small team.

50 minutes ago, Jack said:

Do any of you know how businesses are supposed to be informed about GDPR? Maybe you've had campaigns in the UK, but it seems like we've actively had to go out to every client to let them know, which is a nightmare when you're a small team.

Technically, it shouldn't be your responsibility to inform businesses about GDPR but it's always a good thing to do. 

Send them a mass email perhaps using something like Mailchimp?

On a different note, here is a tool I have been using to generate a list of cookies which can be embedded into a privacy policy page, and a consent banner. It also gives the user the option to enable/disable particular groups of cookies.

https://onetrust.com/pricing/ (Scroll down to Cookie Consent & Website Scanning).

38 minutes ago, teodora said:

Technically, it shouldn't be your responsibility to inform businesses about GDPR but it's always a good thing to do. 

Send them a mass email perhaps using something like Mailchimp?

Most clients should know by now, we've already been doing a tonne of work getting people compliant. The biggest problem is that I haven't seen any campaigns over here. Some businesses are just finding out now through word of mouth, some that will require work doing haven't replied to us, it's a mess.


The major one I have is storing customer details for billing + accounting purposes, and all of that falls under "legitimate interest", i.e. to use name and email to send out invoices, or postal address if they want paper receipts.

2 hours ago, BlueDreamer said:

The major one I have is storing customer details for billing + accounting purposes, and all of that falls under "legitimate interest", i.e. to use name and email to send out invoices, or postal address if they want paper receipts.

I think "legitimate interest" sums up most things legit, profiling in the background for marketing gains is the dark area :)


Absolutely, it's the mass surveillance & data collection that's the big target. Roll on the 25th May, we'll see what happens to the marketing/adtech world, hopefully it will rein them in a bit and start getting consent from the few people that will let them.


The pop up warning "this site uses cookies" - this is required now as part of GDPR for US Based companies just in case someone in the EU visits the website? Or does an updated privacy policy suffice to pass the test? 

Edited by RobertS

1 hour ago, RobertS said:

The pop up warning "this site uses cookies" - this is required now as part of GDPR for US Based companies just in case someone in the EU visits the website? Or does an updated privacy policy suffice to pass the test? 

If you have EU users I would think so, judging by the companies I have seen implement it. It's not reliable to do a Geo IP lookup either, so I'd imagine they have to, plus it's easier to just roll out to everyone.


Slightly off topic, but I found this useful: http://www.bbc.co.uk/news/av/43921814/gdpr-your-data-protection-questions-answered

Contrary to what seems to be the popular belief in many companies, the UK authorities are saying it's fine to email those you already have a relationship with. No extra consent needed.

Don't expect any 'please opt-in' emails from WDF! 
