Cookies and GDPR
Jan Peterka
Posted on February 14, 2020
Recapitulation
In first article I defined some base information and plans.
In this article we will try to understand first part of legal requirements for publishing app - cookies and personal data.
I'm not a lawyer, this article is my own grasp of which is needed. If you find any factical (or other) mistakes, please let me know in comments.
Cookies
General rules (EU applicable)
You can find info on many sites (such as here or here), but in general, these are the rules:
For most cookies uses, you need your users to opt-in - meaning give their consent to using cookies. It might be a checkbox in register form, or pop-up window they need to accept.
You also have to list what kinds of cookies you use, and enable users to disable those not critical for using the app (necessary and functional cookies).
Also, users need to have the option to revoke their consent later, and it should be obvious to them how to do that.
My app
I use Flask-Sessions for session management, which is server-site. I only use cookies to save session and remember-token (as I checked in my browser). So, this cookie is by no means personal info.
My usage of cookies qualifies them as necessary cookies.
I don’t use any third-site services and cookies (such as Google Analytics).
That means the following:
My cookies are exemption from the consent requirement. I have to inform users about using cookies, but I don’t need their consent.
My solutions
As I only need a simple banner informing users about using cookies, I can make some myself, or use some generator. I used this one.
Personal data and GDPR
General definitions
General Data Protection Regulation (GDPR) is an EU-wide set of rules for managing personal data.
Here are some of the definitions we will need:
According to the Regulation of 679/2016n:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
App overview
What personal data do I collect?
I collect data which identify person, like:
- name (first and last)
- email address (which classifies as online identifier)
- Google ID (if logged in via Google OAuth)
However, the definition of personal data from above says that any information relating to an identifiable person is personal data. Which means that any data that is connected to persons info (through foreign key etc) is personal data. For my app, it means everything user creates (e.g. recipes) or I collect about them (e.g. last login time)
How do I process them?
I collect this data when users create them (account, recipes,..).
I collect some data about app usage (last login, login count, recipe page show count).
I don’t give the data to any other person or business.
General rules
So I will try to just pinpoint some main rules needed in my app:
I need users active, informed consent before collecting data
I will solve this by adding checkbox to registration form which confirms that the user is informed about what personal data I collect and how I process them, with a link to Privacy Policy (further describing what I do with data - more on that later).
Users have the right to access their data and to information about their data (article 15)
Well, as users can see all their data in the app at the moment, it shouldn’t be a problem. However there are some information I keep that isn't shown on the user profile. For example - last login date, number of logins, how many times a certain page was seen,.. Those are information I use for improving usage of my app (having info about the number of active users) and for features like suggested recipes (based on most looked at).
If user requests this information, I am able to get them from database manually (GDPR states I have a month to fulfill this request, so it’s entirely possible), but in the case of more request I would probably add some automated way for users to get their data.
As of informing about purposes of processing data, these will be added to Privacy Policy. I also need to include info about how they can get their data - in my case they can contact me via apps mail.
Users have the right to restrict my use of their data (article 18)
What does that mean?
According to article 18, I have to stop processing their data if they request it based on claim that:
- data is inaccurate || processing is unlawful || app doesn’t need the data
I don’t see that happening in my app, but still I need to give them info about how to request this.
Also according to how ‘processing restriction’ is defined, I need to be able to mark these data. I don’t do that now automatically, but if I receive such a request, I can implement this (by adding parameter or flag to user).
Right to change inaccurate or incomplete data (article 16)
Ok, so I allow my users to change their name and email. That’s a good idea anyway, and also already implemented in my app. I just need to let them know about this option in Privacy Policy as well.
Right to know who’s collecting their data and what for (recital 58)
Important thing here is that any information I give users or publicly about data collection and processing must be easily accessible and easy to understand. Therefore it should be in languages my app is available in - currently only Czech, possibly in English in the future. That would mean adding all law documents in English as well.
Right to be forgotten
Also important role - users can request deletion of their data if their personal data is no longer needed for the purpose for which it was originally collected.
In case of my app, it means mainly option to delete their account and all personal data associated with it.
One possible way is to implement this to user profile editing (as seen in many big apps). However, as my app is small and with little users, I am okay with just adding info that they can contact me with this request, as with the others.
Data security (article 32)
According to this article I must ensure integrity and availability of data processing system. This is a bit hard to understand, but we will look more into this in section about security. One important part of this rule is that I have a responsibility to test and evaluate security of my app. It might mean doing a security audit, but it’s probably okay to just do my best to secure data and built secure app.
Posted on February 14, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.