How Colloq Became GDPR Compliant
Since the beginning we have been dedicated to protecting our users’ privacy and security. Unfortunately this doesn’t necessarily mean that we were fully compliant with the new EU GDPR law. Here’s what we did and had to do to get compliant, including some of the challenges and limits we hit.
We like GDPR. We really do, because at minimum we believe it will fix the behaviour of some bad players. More importantly, it will force people to think about privacy. There are many good reasons for people to install ad blockers and privacy tools, and to take other measures such as using Firefox’s Facebook Container plugin to protect themselves. Some people, like myself, even run their own DNS that blocks tracking resources and use strict firewalls at home. GDPR will improve the situation of users feeling completely out of control of their own private and personal data.
Implementing GDPR means developers need to research third-party services and change how they think about them. Once you know the effort it takes to be able to use such a service, the cost may not be worth it. Until now, many of us followed the approach of implementing analytics scripts just to get some data. Many people don’t even look at their collected data, or at least that data wouldn’t require anything other than anonymous server logs.
At Colloq we don’t use any third-party service to track user behaviour. We only use the default nginx log format, which also stores private data such as the IP address or referrer information. Using defaults is usually a good idea to save time. But in the end, we stored IP addresses without a specific need. Being faced with the new rules of GDPR, we realized that it would be a much better idea to not store any details we don’t really need. We believe that building a good product can be done without giving away your data and by protecting your data.
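To make the logging point concrete, here is nginx's predefined `combined` format next to a reduced one. This is an added example, not Colloq's actual configuration; the format name `privacy` and the log path are assumptions chosen for illustration.

```nginx
# Added example, not Colloq's configuration. Goes in the http {} context.
#
# For reference, nginx's built-in "combined" format (cannot be redefined):
#
#   log_format combined '$remote_addr - $remote_user [$time_local] '
#                       '"$request" $status $body_bytes_sent '
#                       '"$http_referer" "$http_user_agent"';
#
# Personal data in it: client IP ($remote_addr), HTTP basic-auth user
# ($remote_user), the referrer, and the query string inside $request.

# Reduced format ("privacy" is a hypothetical name):
#  - no $remote_addr, $remote_user or $http_referer; literal "-" keeps the
#    column layout so tools expecting the combined format still parse it
#  - $request is replaced by method + $uri + protocol; $uri is the
#    normalized path without arguments, so query strings are not stored
log_format privacy '- - - [$time_local] '
                   '"$request_method $uri $server_protocol" '
                   '$status $body_bytes_sent "-" "$http_user_agent"';

server {
    listen 80;
    server_name example.org;              # placeholder host

    # Assumed path; use the privacy format instead of the default.
    access_log /var/log/nginx/access.log privacy;

    # Caveat: error_log lines always include "client: <ip>" and have no
    # configurable format. Raising the level reduces how often they occur.
    error_log /var/log/nginx/error.log error;
}
```

Log files written before the switch still contain full addresses, so rotation and retention of the old files need to be handled separately.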
Legal compliance as a small company
Many of you may know this already, but Colloq is a completely independent company entirely funded by its founders, Holger, Tobias and myself. We don’t have a large budget and while we had some legal advice in the past, we don’t want to pay for specialist lawyers for legal advice. The interesting part is that they might not even be able to give us more clarity on what we can do, must do and cannot do.
That’s why we set ourselves the goal to comply with GDPR under the strictest interpretation of the law. As you can imagine, this is a difficult challenge and might have an impact on how we operate a service. It also saves us the worries about any substantial fines, since we are in the green zone here.
With GDPR making clear language a requirement, reading privacy policies will become much easier and more pleasant on a lot of compliant sites. Since we had already created our terms and policies with that in mind, we didn’t need to change much of the language for GDPR. Nevertheless, revising the documents after a few months made us realize that some parts could still be improved.
Colloq relies on very few selected third parties. According to the law, online services that collect ‘private information’ from users need to have GDPR-compliant service providers and a signed Data Protection Agreement. Additionally, we need to have clear information and inform the user about where we store data, for which reason and for how long.
All our hosting companies have provided us with such agreements when we contacted them and we now have valid contracts in place. Our infrastructure is hosted on DigitalOcean, emails are sent via Amazon AWS and our payments are processed by and through Stripe.
Unfortunately, until now we haven’t received a positive reply to our requests for DPAs from Tito, Eventbrite and Gravatar (Automattic). Some of them told us that they’re working on this and will be able to provide something in May. In the end that leaves us the option to wait until shortly before GDPR becomes effective or to remove these services from our platform. We still hope to find a way to integrate at least some of these companies in order to build a better experience for our users.
Exporting & deleting your account data
We also made it much easier for you to export or delete your data. Until now you needed to contact us to get an export of your data or delete your account. From now on, you can do both on your own in your account dashboard. We’ll also write about both features in detail on our blog in the coming days.
From now on, we’ll share more about our privacy practices and how we try to build a reliable, safe place for our users. This will include ethical concepts, technical implementation details and design examples.
If you like what we do for your privacy and security and want a service to manage your events, you can sign up for Colloq here. We’d love to have you on board!