How Colloq Became GDPR Compliant

Anselm Hannemann
Published in Colloq
May 24, 2018

Since the beginning we have been dedicated to protecting our users’ privacy and security. Unfortunately this doesn’t necessarily mean that we were fully compliant with the new EU GDPR law. Here’s what we did and had to do to get compliant, including some of the challenges and limits we hit.

Alternative text: Composition of three screenshots showing the open source github diff of the privacy policy change as well as the current terms of service and privacy policy pages.

Privacy thinking

We like GDPR. We really do, because at minimum we believe it will fix the behaviour of some bad players. More importantly, it will force people to think about privacy. There are many good reasons for people to install ad blockers and privacy tools and to take other measures, such as using Firefox’s Facebook Container plugin, to protect themselves. Some people, like myself, even run their own DNS that blocks tracking resources and use strict firewalls at home. GDPR will improve the situation in which users feel completely out of control of their own private and personal data.

Implementing GDPR means developers need to research and change how they think about third-party services. Once you know the effort it takes to be able to use such a service, the cost may not be worth it. Until now, many of us followed the approach of implementing analytics scripts just to get some data. Many people don’t even look at their collected data, or at least that data wouldn’t require anything more than anonymous server logs.

At Colloq we don’t use any third-party service to track user behaviour. We only use the default nginx log format, which also stores private data such as the IP address or referrer information. Using defaults is usually a good idea to save time. But in the end, we stored IP addresses without a specific need. Faced with the new rules of GDPR, we realized that it is a much better idea not to store any details we don’t really need. We believe that a good product can be built by protecting your data rather than giving it away.
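As an added illustration (not Colloq's actual configuration), this is what moving from nginx's default access log format to one that stores no IP address or referrer can look like. The format name `privacy` and the log path are assumptions.

```nginx
# Added example, not taken from Colloq's servers.
# The format name "privacy" and the log path are assumptions.
http {
    # BEFORE: nginx's predefined "combined" format, reproduced for reference.
    # Every request line stores the client IP ($remote_addr), the
    # authenticated user name ($remote_user), the referring URL
    # ($http_referer) and the full user agent string.
    #
    # log_format combined '$remote_addr - $remote_user [$time_local] '
    #                     '"$request" $status $body_bytes_sent '
    #                     '"$http_referer" "$http_user_agent"';
    # access_log /var/log/nginx/access.log combined;

    # AFTER: keep only what is needed to operate and debug the service.
    # - no $remote_addr, $remote_user, $http_referer or $http_user_agent
    # - $uri instead of $request, so query strings (which can carry
    #   e-mail addresses or tokens) are not written to disk
    log_format privacy '[$time_local] "$request_method $uri $server_protocol" '
                       '$status $body_bytes_sent $request_time';

    access_log /var/log/nginx/access.log privacy;
}
```

The `error_log` has no configurable format and still records the client address for each logged error, so it needs its own retention handling.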

Legal compliance as a small company

Many of you may know this already, but Colloq is a completely independent company entirely funded by its founders, Holger, Tobias and myself. We don’t have a large budget, and while we had some legal advice in the past, we don’t want to pay for specialist lawyers. The interesting part is that they might not even be able to give us more clarity on what we can do, must do and cannot do.

That’s why we set ourselves the goal to comply with GDPR under the strictest interpretation of the law. As you can imagine, this is a difficult challenge and might have an impact on how to operate a service. It also saves us the worries about any substantial fines, since we are in the green zone here.

Natural language

One thing that the new law actually requires is that privacy documents are written in easily understandable language. This is interesting, because until now most services provided their legal texts in language that is often not easy to understand. For Colloq we wanted to have natural-language terms of service and a natural-language privacy policy from the beginning, and we put a lot of effort into creating and verifying them. It’s certainly easier to stick to Legalese, but in order to make users understand what the service does, we believe it’s important to make these things easy to read and as short as possible.
With GDPR making clear language a requirement, reading privacy policies will become much easier and more pleasant on a lot of compliant sites. Since we had already created our terms and policies with that in mind, we didn’t need to change much of the language for GDPR. Nevertheless, revising the documents after a few months made us realize that some parts could still be improved.

We hope the new privacy policy is easy to read and understand. If you think we could improve something, please let us know.

Third-party services

Colloq relies on very few selected third parties. According to the law, online services that collect ‘private information’ from users need to have GDPR compliant service providers and a signed Data Protection Agreement. Additionally, we need to have clear information and inform the user about where we store data, for which reason and for how long.

All our hosting companies have provided us with such agreements when we contacted them and we now have valid contracts in place. Our infrastructure is hosted on Digital Ocean, emails are sent via Amazon AWS and our payments are processed by and through Stripe.

Unfortunately, until now we haven’t received a positive reply to our requests for DPAs from Tito, Eventbrite and Gravatar (Automattic). Some of them told us that they’re working on this and will be able to provide something in May. In the end that leaves us the option to wait until shortly before GDPR becomes effective or to remove these services from our platform. We still hope to find a way to integrate at least some of these companies in order to build a better experience for our users.

Privacy policy updates

In order to comply with GDPR, we extended and rewrote some parts of our Privacy Policy. While we effectively did not change the scope of the policy, we clarified who receives which data, what we do and what we don’t do in order to comply.

Our privacy policy is written in clear language so everyone can understand what happens to their data. We voluntarily share more information than needed in order to make our users understand our company values. We want our users to trust us, so we assure them that we try to avoid collecting any data that we don’t really need.

From now on we will also publish a changelog for the privacy policy to give you a better idea on what exactly has changed.

Open Terms of Service & Privacy Policy Updates

With these changes, we also reworked how we integrate and show our terms of service and privacy policy. Since the beginning we wanted to make these legal documents public and their updates easy to read, but we hadn’t had the time so far. Now we offer you our legal documents as an open source project on GitHub. This way you can view their history and diffs in whatever way you prefer.

We’re happy to be fully transparent now and have a reliable, trackable way to publish updates to our terms and privacy policy.

Export & deleting your account data

We also made it much easier for you to export or delete your data. Until now you needed to contact us to get an export of your data or delete your account. From now on, you can do both on your own in your account dashboard. We’ll also write about both features in detail on our blog in the coming days.

Final words

We’ll share more about our privacy practices from now on and how we try to build a reliable, safe place for our users. This will include ethical concepts, technical implementation details or design examples.

If you like what we do for your privacy and security and want a service to manage your events, you can sign up for Colloq here. We’d love to have you on board!

Anselm Hannemann
Colloq

Founder of https://colloq.io. Frontend Developer and Photographer. Ethics matter. I do @colloq_io, @wdrlinfo, @nightlybuildio, former @workingdraft host.