daattali / beautiful-jekyll

✨ Build a beautiful and simple website in literally minutes. Demo at https://beautifuljekyll.com
MIT License
5.39k stars 16.27k forks

[Umbrella Task] Verify beautiful-jekyll is GDPR compliant #356

Closed OCram85 closed 4 years ago

OCram85 commented 6 years ago

Meta

:question: About [Umbrella Tasks]

[Umbrella Tasks] are logical constructs to manage complex issues broken down into multiple small tasks. This should help with getting an overview, planning and delegating complex tasks.

:arrow_down_small: Blocked By (Sub Tasks)

:arrow_up_small: Blocks (Parent Tasks)

:package: Content

This would be awesome for EU based users 👍

I'm starting to work on this in the next days :D ... 25 May is coming 😸

:page_facing_up: Possible Tasks / Issues

Google Font Usage

To avoid a privacy policy section it may be better not to use the Google CDN. One possible way would be using something like this

jQuery

Using it from local and not loading it from CDN

FontAwesome

Using FontAwesome from local store to prevent privacy policy definition caused by third party cookie

Bootstrap

Privacy Policy

beautiful-jekyll could provide a simple template page explaining the internally used resources

Social Share / Github buttons

If the client's IP address will be transferred this needs to be addressed.

Google Analytics / Matomo

Disqus

Usage needs a privacy policy section as well

Any more ideas or recommendation?

OCram85 commented 6 years ago

@daattali: What do you think about external resources like jQuery, GoogleFonts... Do you want them as external or could it be possible to implement them into the beautiful-jekyll itself? It should be no difference for end users. But it would simplify the privacy policy creation. It's your design decision :smiley_cat:

OCram85 commented 6 years ago

FYI:

daattali commented 6 years ago

Thanks for the initiative and eagerness to move this forward fast! To be honest I don't know if simple static blog sites like the ones served with this template need to worry about GDPR to such a high degree.

As of right now I would prefer to stay away from all of this. But I want to keep the issue open and let others chime in because I'm not very informed about these laws and how others in similar situations handle them. I'm interested to know if/how other jekyll templates changed because of GDPR. If you get any more info from github, from your discussion thread, or from other places, please do update me. I really appreciate your contribution here

To answer to each of your points separately:

I may be in the wrong about all of this so I hope others will respond as well

johnmackintosh commented 6 years ago

You can anonymise IP addresses in GA (at the expense of less precise location analytics) by adding an extra snippet of code to the GA file. The cookie consent thing is probably the main issue; it's not enough to offer "Dismiss" and "OK" options. People need to be able to decline or opt in. The cookie consent / Insites code looks like it works but I can't figure out the javascript to make it work properly to decline cookies

daattali commented 6 years ago

I tried googling a little bit about jekyll+gdpr and didn't find too much, but I did see that someone brought up a similar issue on the MinimalMistakes theme, and the author there also had reservations because of the added complexity, and he's also wondering how others are handling it. Would be interesting to see how that issue, and other popular jekyll themes, evolve https://github.com/mmistakes/minimal-mistakes/issues/1662

johnmackintosh commented 6 years ago

I found this article which suggests that Google Tag Manager is key to managing the likes of Disqus and other 3rd party plug-ins:

https://brianclifton.com/blog/2018/04/16/google-analytics-gdpr-and-consent/

I found it quite straightforward to get a cookie consent warning (one with opt-in / opt-out) to appear. What I don't know is if the javascript callback hook (whatever THAT is) is actually doing what it's supposed to. When I add that code in, I don't get a warning. Without the code, I get the consent warning but presumably no action is taken despite what the user selects
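The gap described above (the banner shows, but nothing acts on the visitor's choice) is usually closed by loading the third-party embeds only after an explicit "allow". The following is an added example, not code from beautiful-jekyll or from anyone in this thread; it assumes the widget stores its status in a cookie named `cookieconsent_status` with the values `allow`, `deny` and `dismiss`, and the script URLs are placeholders.

```javascript
// Added example: deny-by-default loading of third-party scripts, gated on consent.
// Assumption: the consent widget keeps its status in a "cookieconsent_status" cookie
// with values "allow" | "deny" | "dismiss" (treat the name and values as an assumption).
const CONSENT_COOKIE = "cookieconsent_status";

// Resources that must not be fetched before the visitor opts in (placeholder URLs).
const GATED_SCRIPTS = [
  { id: "ga", src: "https://www.googletagmanager.com/gtag/js?id=GA_ID_PLACEHOLDER" },
  { id: "disqus", src: "https://EXAMPLE_SHORTNAME.disqus.com/embed.js" },
];

// Parse a document.cookie string ("a=1; b=2") into an object; malformed pairs are skipped.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Only an explicit "allow" counts. "dismiss" (banner closed without choosing), "deny",
// a missing cookie or an unexpected value all mean: load nothing.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "allow";
}

// Inject the gated <script> tags at most once each, and only with consent.
// `doc` is the DOM document, passed in so the logic can be tested outside a browser.
// Returns the ids injected on this call.
function loadThirdPartyScripts(doc, cookieString, scripts = GATED_SCRIPTS) {
  if (!hasConsent(cookieString)) return [];
  const loaded = [];
  for (const s of scripts) {
    const tagId = "consent-" + s.id;
    if (doc.getElementById(tagId)) continue; // already injected on an earlier call
    const el = doc.createElement("script");
    el.id = tagId;
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(s.id);
  }
  return loaded;
}

// In the page: run once at load, and call it again from the widget's status-change callback.
if (typeof document !== "undefined") loadThirdPartyScripts(document, document.cookie);
```

Because the decision is read from the cookie each time, calling `loadThirdPartyScripts` again after the visitor changes their choice is safe: it loads on "allow" and stays a no-op otherwise.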

OCram85 commented 6 years ago

@daattali: I just tried to sensibilize about the usage of beautiful-jekyll and the GDPR.

About external resources

You're right, beautiful-jekyll doesn't collect any data or use its own cookies. And all of the used external resources have their own privacy policy. But since we are using these, the browser's IP will be transparent to these CDNs. So I'm forced either to write a complex privacy policy which explains this. That's why I tried to remove the external sources.

Cookies

The fact that some of the used services like Disqus, FontAwesome... use cookies means the GDPR requires giving the users a possibility to deny them. That's why many started using services like Cookie Consent. Now the implementation totally depends on the individual country laws. Some need just the opt-in feature, some need an opt-out. But I'm not quite sure how to opt out of such third party cookies.

Github as hoster for jekyll (gh-pages)

There is one more fact which seems to be hard to evaluate. We all have an account and accept the privacy policy of github. But when we use the awesome gh pages, github acts as hoster for our site. So what's with the user data github collects? - For example: web logs and log retention times. Is this transparent to the gh pages visitor? - Do we have to react on this? Is there an ODP (order data processing)?

GDPR in general

On top of that it totally depends on whether the individual implementation is for private or business projects. So I didn't want to panic someone ^^

I'm really not a fan of the GDPR. The intention is great but the realization is really futile. :angry:

OCram85 commented 6 years ago

@johnmackintosh: I'm dealing with the same JavaScript problems and cookie consent. It totally depends on the used beautiful-jekyll features. Is it possible to use the liquid markups in a JavaScript file? Maybe this would help creating dynamic scripts for opt-out (like the Matomo cookie)

johnmackintosh commented 5 years ago

@Ocram85 : I honestly don't know anywhere near enough about JavaScript to answer that, sorry.

I have the consent pop-up working, and I also added a privacy page detailing exactly what information may be captured. I opted to make Google Analytics less precise, and disabled social media sharing options. I'm not sure what else to do with this?

OCram85 commented 5 years ago

@johnmackintosh : thanks for your feedback

I've also added the consent pop-up and privacy page. In addition I had to host the domain by myself.

But I'm not quite sure if we have to implement an opt-in for the cookies or something similar.

daattali commented 4 years ago

Closing as I don't think a simple static blogging website should invest so many resources into GDPR