EU GDPR compliant third-party services

[zsteinmetz]

The current live implementation of Open Specy uses Google Analytics. However, according to the EU General Data Protection Regulation (GDPR) users should be allowed to switch off any tracking particularly if their data is sent to any other service (like Google).

So we could implement some kind of a switch to toggle off analytics. As far as I know, GDPR does not allow for a simple opt-out. The user has to be prompted before any analytics has started. Alternatively, we could add some tracking ourselves as discussed, for example, here:

https://stackoverflow.com/questions/33620555/track-user-activity-in-shiny-app

There's also some code, we could use: https://gist.github.com/srvanderplas/6049567

I guess, Google Translate is not such a big issue because it only sends site data to Google, right?

[wincowgerDEV]

Yeah, definitely need to make this a priority before we publish. I like the idea of moving away from google and toward logging fingerprints for sessions which will then be shared to dropbox : https://gist.github.com/srvanderplas/6049567

That seems like a simple solution which is GDPR compliant. We can also add a button that allows people to turn off this functionality if they want, kind of like the data sharing button or even have it get turned off when the data sharing button gets turned off.

[zsteinmetz]

I also found this: https://github.com/DataScienceScotland/shiny_cookies

[wincowgerDEV]

Nice find!!! Yeah this has a lot of overlap with the other issue. Going to add the cookie control there for sure.

I guess in offline mode for now we will just completely disable the cookies and other advanced features which we can't control well and try to improve that later.

On Tue, Mar 30, 2021, 1:34 AM Zacharias Steinmetz @.***> wrote:

I also found this: https://github.com/DataScienceScotland/shiny_cookies

— You are receiving this because you were assigned. Reply to this email directly, view it on GitHub https://github.com/wincowgerDEV/OpenSpecy/issues/20#issuecomment-810030042, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGMUJUZTUN6VXZETFNYCDQ3TGGEKHANCNFSM4Y7X3G2A .

[wincowgerDEV]

@zsteinmetz

Of course the new youtube embed that we added has cookies!!! GAH! Trying to figure out how to remove them now.

[zsteinmetz]

We can use youtube-nocookie.com

[wincowgerDEV]

https://axbom.com/embed-youtube-videos-without-cookies/

This website says that even that creates some new "cookie like" data.

[zsteinmetz]

"cookie like" data

Maybe the closest we can get without investing too much time.

[wincowgerDEV]

Agreed, it is better than nothing. I am not European anyway :) lol

[wincowgerDEV]

I guess one thing we could do is just make the youtube video a button that redirects to youtube. That would remove the cookies and data from our site and make sure people only get tracked if they want to.

[zsteinmetz]

I just checked. We get some cookies from Google anyway. So I'd rather go for a decent privacy disclaimer instead. But this is nothing, we'll need to fix immediately—at the earliest when we host on our university servers.

[wincowgerDEV]

fixed with https://github.com/wincowgerDEV/OpenSpecy/pull/58#issue-611669999

[wincowgerDEV]

Agreed that it isn't a huge priority but it will be nice to not worry about it now that we are in compliance. As far as I know anyways lol. I am not a lawyer.

[wincowgerDEV]

Oh! The google translate thing might be creating cookies too. Eh, I think that one is worth the cookie. Too good of an accessibility feature to remove and too complicated to change ourselves right now.

[wincowgerDEV]

I just checked. We get some cookies from Google anyway. So I'd rather go for a decent privacy disclaimer instead. But this is nothing, we'll need to fix immediately—at the earliest when we host on our university servers.

Agreed on the good privacy statement. That will be for a later date.