wpsight / wpcasa

WPCasa WordPress Real Estate
https://wpcasa.com
GNU General Public License v2.0

GDPR compliance #85

Open florianrusch opened 6 years ago

florianrusch commented 6 years ago

Hi everyone,

actually there is just one big topic everywhere - GDPR (in German: DSGVO). We wonder if there is anything to consider at wpCasa, especially with regard to the processing/disclosure of personal data.

The plugin WPCasa Listings Map occurs to me spontaneously, which uses Google Maps, which means that Google gets at least access to the IP address of the user. (Who knows what else they're picking up 😄)

Will this issue be addressed? And what are the starting points for making wpCasa compliant with the GDPR? Will this be considered directly in the new version?

And if you need help, how can we help to make wpCasa GDPR compliant?

Regards, Flo

JoeHana commented 6 years ago

Yes, Google Maps is indeed an issue. Unfortunately we couldn't find anything directly related to the GDPR in terms of the Maps. The whole world is warning about Google Analytics but no one really talks about how to handle Google Maps properly. That's why we're thinking of including an alternative Maps Provider. Not sure if this will make it into the next release since this would be subject of WPCasa, WPCasa Listings Map and WPCasa Admin Map UI.

Other than that we're not seeing much of an issue since WPCasa doesn't actually process any user-related data. It only stores a cookie for the favorites and for the search options but this should be properly described anyway in each site's privacy policy. Perhaps we need to fix a few of our themes which use Google Fonts and will put them local instead.

On the other hand: Do you have any specific suggestions?

JoeHana commented 6 years ago

PS: Is there any way to get directly in touch with you?

Jimmi08 commented 6 years ago

About Google Fonts: They should not be problematic, it's just panic... yes, there are discussions that this is not enough, but there are big theme companies solving this and they can't go to local fonts (too big for all Google Fonts) etc. For now it's enough to state in the Privacy Policy that you are using Google Fonts.

What does using the Google Fonts API mean for the privacy of my users? The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com, so that your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.

Source: https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

Other opinion:

Google Fonts is actually not a problem from a GDPR perspective as long as the EU-US 'Privacy Shield' is in force. All in all, Google's data privacy compliance is outstanding in comparison with most other US companies, only Amazon and Microsoft are probably on the same level.

Jimmi08 commented 6 years ago

About Google Maps

Only available solution I was able to find for now:

Latest changes (not confirmed): Google Maps Platform - new name for Google Maps. It's part of Google Cloud, which is already GDPR compatible: https://services.google.com/fh/files/misc/google_cloud_and_the_gdpr_english.pdf

The question is who will use this if the first information they want is your billing info.

florianrusch commented 6 years ago

@JoeHana Interesting - I've never noticed that wpCasa used a cookie. 😄 The only problem actually on our wpCasa websites is Google Maps.

@Jimmi08 you are right. Google Maps Platform is now a part of the Google Cloud. Google says on its website (https://cloud.google.com/security/gdpr/#what-you-can-do):

Google is a data processor and processes personal data on behalf of the data controller when the controller is using G Suite or Google Cloud Platform.

If I'm right, that means that we as the data controller have to "sign" a contract (data processing agreement) with Google, the data processor, so that they can use the data. But I'm not really sure if and how we have to inform the user about that.

I'm not really sure what's the best way to handle that.

PS @JoeHana I haven't used the Contact Form 7 plugin yet. But I think it won't be a problem to extend the widgets with a checkbox. Or? By the way: you can contact me at this email address: -removed-


Edit: delete email address