Show Impress with address and collected data

[bmarwell]

For wt 2.0

Although available as plugin, this should go into the core functionality.

In Germany we are required to have an easy accessible impress (not via sub menu, but header or footer is okay).

In Germany it must include name, address, etc. Especially if ads are shown or data is collected (eg Google analytics).

Therefore, we also need to enhance the plugins for Google Analytics and Piwik/Matomo to add their opt out and data consent etc to the impress page. And that's why I think this should go into the core functionality (as a core plugin).

The cookie consent could go into a separate plugin.

[bmarwell]

I think there could be a new CustomImpressInterface or similar.

As there are plugins available for wt1.7.x, this could target wt 2.1.0.

[fisharebest]

I started this a long time ago.

See https://dev.webtrees.net/demo-dev/privacy-policy

But I don't know what else to include in this page.

[bmarwell]

Great!

As said, we do have some requirements in Germany. This upcoming section is for Germany, but other countries may have similar but slightly different requirements.

• [ ] Implement a link "Impress" (dt.: Impressum) which is accessible without scrolling and not hidden inside a submenu.
• [ ] Render all data necessary which identifies the owner of the page, according to where the owner lives or hosts the site.
  • [ ] For the German Telemediengesetz: Add a section

    The owner and operator of this website in accordance with Section 5 of the Telemediengesetz (German Telemedia Act) is:
    Publishers name
    Address
    Telephone number or Email
    Trade registry number
    VAT number (if applicable).

    It must be called “Impressum” – imprint, privacy, contact or even Webimpressum are not acceptable. It should be accessible from within 2 links from the homepage

• [ ] Add a new CustomImpressModule interface.
• [ ] For every data collecting plugin (Google Analytics, Piwik/Matomo), implement this interface returning an opt out section. Usually they provide iframe snippets.

[fisharebest]

I have created a new footer module PrivacyPolicy. It replaces the previous module CookeWarning.

• It's German name is "Impressum"
• It shows details of any tracking/analytics tools
• It displays a "cookie warning" if any analytics are enabled.
• It shows contact details of all site administrators.
• It is enabled by default.

What else is required on this page?

[ric2016]

If the goal is to make the respective webtrees site fully GDPR compliant, further steps have to be taken, see e.g. these links

https://www.hipaajournal.com/make-a-website-gdpr-compliant/ https://www.datenschutz.org/google-analytics-datenschutz/ https://makeawebsitehub.com/gdpr-for-wordpress/

Some things to consider in particular:

• Consent:

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

• Users must be able to opt out of analytics tools, a warning is apparently not enough.

The whole issue is rather complex, and additional requirements may differ from country to country. I'm not sure it's at all feasible to support all this via webtrees modules. Ultimately, site owners may have to handle this on their own:

With that in mind, because of how dynamic every website is, no single plugin, solution, or platform can provide 100% GDPR compliance.

(the quote refers to wordpress sites, but likely also applies here)

[fisharebest]

I don't want to create a "GDPR" module. This is probably impossible.

Instead, I wanted a general-purpose "privacy page" states the facts about the site.

This, I hope, will be "good enough" for the majority of users.

Anyone with specific requirements (e.g. running the site commercially?) will need to create their own page.

My understanding is that personal data that is collected for "genealogical research" does not require the consent of the individuals in the tree (although they still have the right to access it, have it corrected, etc.).

What else is needed to satisfy the German "impressum" requirements? We show the actual email address of the site admin(s) - not just a contact form. Is a postal address also required, or is an email address sufficient?

Users must be able to opt out of analytics tools, a warning is apparently not enough.

webtrees is one of the few sites that obeys the DNT headers, and so users can opt out by selecting this option in their browser.

[bmarwell]

Hi greg,

In Germany, an impress might be required even if you do not use it commercially. It depends… (as always).

webtrees is one of the few sites that obeys the DNT headers

Even if webtrees obeys the DNT headers, the iframes from the data privacy statements from the Matomo (Piwik) or Google Analytics plugins need to be shown on such a privacy page.

Is a postal address also required

Yes, this is required.

§ 5 TMG: https://www.gesetze-im-internet.de/tmg/__5.html for persons (only citing for non-organizations):

den Namen und die Anschrift (name and postal address)

Angaben, die eine schnelle elektronische Kontaktaufnahme und unmittelbare Kommunikation mit ihnen ermöglichen, einschließlich der Adresse der elektronischen Post, … including email address

Companies, organizations and registred clubs are required to provide more information.