Preparing for General Data Protection Regulation (GDPR) Compliance
Picture taken in Sansar at the Conference Stage Experience
What is GDPR?
GDPR stands for General Data Protection Regulation and it is a new data protection law in the European Union (EU), which comes into force on May 25th 2018. The aim of GDPR is to give citizens of the EU control over their personal data, and change the approach of organizations across the world towards data privacy. This includes both identifying data like names and addresses as well as anonymous data like computer IP addresses. The GDPR applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means virtually all businesses that want to sell products or services to the European market.
How does this affect you, as a Second Life or Sansar Resident?
I have spoken to the Information Security Director at Linden Lab, Maya Linden, and she has related to me that the Lab is currently preparing for GDPR compliance and will have an announcement about that very soon.
She has also unofficially shared the following information with me, but has requested to wait for the official blog for further information:
Behind the scene, we are preparing for GDPR compliance by adjusting our security and privacy practices accordingly. Here are some high level actions that are direct result of our commitment to residents’ privacy and security:
- Align policies to GDPR and other regulations and demonstrate our commitment to our customers and users.
- Train each of Linden Lab employees and contractors on all privacy and security expectations with changing laws and policies.
- Embed privacy by design in all our systems and processes.
- Manage third-party risks – more guidance on this in our official blog.
Once the Lab makes their official announcement, I will link to it from this post.
UPDATE: Linden Lab has released a statement about GDPR, read it here: General Data Protection Regulation (GDPR) and Linden Lab
How does this affect you, as a visitor of my blog?
I wanted to assure you that I have also been working on preparing my blog for GDPR compliance. I have updated my Privacy Policy for this blog and now writing this post to be completely transparent about how I run this blog and which plugins I use for analytics and more.
Hosting and Platform:
This blog is a self-hosted wordpress blog, which is hosted on GoDaddy‘s servers. To my knowledge, both WordPress and GoDaddy themselves don’t collect any information about my blog’s visitors, however, I still wanted to share their Privacy Policies:
- GoDaddy’s Privacy Policy (preparing for GDPR compliance)
- WordPress.org’s Privacy Policy
Plugins
A Wordpress Plugin is a piece of software containing a group of functions that can be added to a self-hosted WordPress website, to extend functionality or add new features. I use a number of Plugins on my site to monitor site statistics and also use forms or polls that may collect personal data from my visitors. Here is a list of the Plugins I use on this site that may collect data from visitors, and also a link to their Privacy Policies.
- Jetpack -This is the main plugin on my site that collects the most data. Jetpack is owned by Automattic and they are preparing for GDPR compliance. Jetpack is the plugin that collects log files for analytics, which consists of geographic location, browser type, date/time stamp, referring/exit pages, number of clicks and other info like that, which is not personally identifiable. The personally identifiable information it collects are names, email addresses and IP addresses if you fill out the contact form on my website, leave a comment on any of my posts, or subscribe to my blog via email . You can read Jetpack’s Privacy Information page at this link.
- Akismet – Akismet is a comment spam filtering plugin. It collects IP addresses from those that leave comments on this blog. It is also owned by Automattic and they are preparing for GDPR compliance.
- Polldaddy – The polls I run on this blog are all through Polldaddy. Polldaddy collects IP addresses from those that answer the polls so they are not able to vote more than once. It is also owned by Automattic and they are preparing for GDPR compliance.
- Google Analytics – I’ve removed the plugin that I had for Google Analytics, but I still have the script in my home page. Google analytics collects similar log files like Jetpack does, again, this is not information that is personally identifiable. They have also implemented Data Retention controls which give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from their servers. I have selected the smallest time option available. For more information, read Google Analytics Data privacy and security page as well as Google’s Privacy Policy.
- Wordfence – Wordfence is a security plugin which tightens the security on your site and prevents it from being hacked. They collect the IP addresses of my readers and other non-personally identifiable information. Wordfence is owned by Defiant and they are preparing for GDPR compliance. Keep an eye on both the Wordfence Privacy Policy and the Defiant Privacy Policy for updates.
Advertising Partners
Some of the advertising partners on this site may use cookies and web beacons, those advertising partners include:
- Google – Google’s use of the DART cookie enables it to serve ads to users based on their internet history. DART uses “non personally identifiable information” and does NOT track personal information about you. For more information about this or to opt out of the use of the DART cookie, visit Google Advertising Privacy & Terms.
- Amazon – Amazon also uses cookies. Check Amazon’s Privacy Policy for more information.
More information about this on my Privacy Policy page.
Future Updates to my Privacy Policy
Any changes to my plugins, advertisers, or any other privacy info, will be made directly on my Privacy Policy page so please keep an eye on that page for all future updates. The Privacy Policy page link can be found in both the header and footer of my blog.
I have done my best to try and understand GDPR and how it affects my blog and my readers. Hopefully I have covered everything. If you feel I have missed anything, please feel free to leave it in the comments of this post and I will update my Privacy Policy if needed. Thank you.
Security should be improved. It should be strong and invisible.
I really don’t agree with it, as it will affect not just SL, but other sites that collect data. How is YouTube content creators, whose primary audience is European, gonna know what their audience likes, where they watch their content from, and even be able to figure out age range? Its gonna make it much harder, for businesses who primarily rely off of Analytics to even thrive.
How does GDPR affect me? Well it’s put me out of business, that’s how.
I live in the US, and my SL business – which makes mainly adult furniture but also a few popular utility HUDs – earns me a staggering US$90 a month most months. More around Christmas, less around Summer. Of that about US$70 per month never leaves Linden Lab as I use it for land tier and Lindex exchange fees. That leaves me a few thousand L$ each month for a new fat pack from Blueberry or tips for DJs.
I don’t have a legal team at my disposal. I lack the education to properly assess the impact of the new laws from a foreign country that suddenly apply to me. I don’t have the time to spend researching them and the energy necessary to comply with them, so the only way I can ensure that the made up name of a cloud of pixels belonging to someone living in Luxembourg is properly protected is to never have access to it. And from what I can see the only way I can do that is to simply stop doing business with anyone in the EU.
Unfortunately I have no way of knowing who’s in the EU and who’s not, and since I could be liable for fines of up to 20,000,000 Euros or 4% of my total sales, whicever is GREATER, I’m out.
On the 24th of May I’ll delete my vendors, purge all sales records, and delete the long history of sales notification emails. I’ll disable my MP shop and use whatever tools LL makes available to delete all records from there as well.
Since the regulations will also apply to my freebie items which are available via MP, those will be going away as well.
Records collected by some of my products which utilized an external web host will be deleted naturally.
Soon after that I’ll sell off most of if not all of my land, and without that or a SL income I’ll cancel my premium membership when it next comes round.
Am I getting carried away? You’re damn right I am. I’m sure with sufficient effort on my part – or expenditure of enough money at any of I’m sure a thousand GDRP Compliance Consultants who I’m certain don’t have an annual lobbing budget or a relative in the EU bureaucracy – I could get compliant, but for US$20 a month? Yeah, no.
In the grand scheme of things it means nothing. I’ll be sad because I’ve enjoyed my little business these past five years. It’s paid for a nicer SL than I’d have if I were paying for it out of my own pocket.
I flatter myself to think that my customers will be sad for a few minutes but I’m not the only person making kinky furniture in SL. The 15,000 or so people using my free My Eye View HUD will still be able to us it, but no one else will and that makes me a little sad.
But it’s for the greater good, right? We need a broad, poorly thought out, draconian law which has wide reaching negative impact on people well outside the reasonable reach of the governing body which is imposing it to insure that no one ever knows the name of an avatar in Second Life.
I’d hold a going out of business sale, but then I’d have additional records to delete and this is already more work than it’s worth.
EU can take their NWO and shove it up their ass.