32 Comments

GDPR in 2022: What do I really need to know as a solo founder?

Hello to everyone in the Indie Hackers community,

It looks like things have been getting worse on the GDPR front, from what I can tell.

I am getting messages from users telling me that they can't use my service because things like Google Fonts and Google Analytics have been essentially made illegal in certain European countries like France, Austria and Germany, due to recent court rulings.

A user told me they know of people who got fined because of this.

Is this true? I can only find a few references here and there, but there seems to be truth to it.

My main question is, what did you do in your case to make your product GDPR compliant?

Any links to services that you used would be very helpful.

Here is what I did so far for compliance.

I generated the legal documents like terms and conditions, privacy policy etc. using Termly, and I added a PDF with a GDPR Data Processing Agreement (DPA) listing the platforms that I use (Firebase, etc).

I've set the region of my production databases to Europe.

To give more context if needed, I own a bootstrapped company and I'm now setting up the legal paperwork for being compliant with GDPR; the company is Belgium-based.

The company is an online course platform that allows customers to create their own website, on their own custom domain.

So the customers could have privacy policies on their websites that are different from mine.

What did you do in terms of documentation and third-party services to help you make your company GDPR compliant?

Any services that you recommend?

Thank you for any insight on this matter,
Vasco

  1. 7

    GDPR is honestly a nightmare for small businesses. My strategy has been to collect as little personal data as possible and to not use third-party services if I can avoid them. Staying away from cookies as well. And I trust Iubenda to generate sensible policies.

    I've read enough about the GDPR to understand what its intentions are, but you have to be a lawyer to understand all of it - actually not even that is enough, court rulings are changing the way the laws are interpreted.

  2. 3

    I've been researching GDPR compliance for my own business recently and here are the general principles I've learned.

    Disclaimer: I'm not a lawyer, so please do your own due diligence!

    1) Practice data minimalism. You should store as little data as possible about customers, and only what's required to provide your service to them. You should store this data securely and encrypt it where possible, and avoid storing it any longer than is needed. When collecting non-essential data (for example, data that allows you to provide a better service but isn't strictly essential), you need to give users the ability to opt-out.

    2) Get explicit consent. Get consent for any data collection/storage/cookies via a checkbox that explains how you'll use the data, and links to your Privacy policy which goes into more detail.

    3) Lean on your Privacy Policy. Your privacy policy should list all the data you collect and your legal basis for collecting that data. Explain how long data will be stored. Explain individuals’ rights over their data and how to go about exercising their rights. (And of course, make sure you actually have a publicly available Privacy Policy).

    4) Give users power over their data. Your users must at any time be able to:

    • Review the data you've stored about them
    • Fix errors or make updates to the data
    • Erase the data unless this right is superseded by your need to retain certain data for legal reasons (this is rarely the case)
    • Download their data

    (None of these processes are required to be automated - it's totally fine to list these rights in your privacy policy and instruct users to reach out to you for assistance with any of these, then fulfil requests manually.)

    5) Check GDPR compliance of the services you use to store and process user data. When it comes to GDPR, every service/tool you use is seen as an extension of your business. At the moment, this is the most challenging aspect of GDPR compliance, because some companies like Google and AWS exist in a grey area. They argue that they are GDPR compliant, even when hosting and processing data in non-EU data centers, under something called the Standard Contractual Clauses (SCCs):

    "The SCCs are a pre-approved data transfer mechanism under GDPR, applicable in all EU Member States, which enable the lawful transfer of personal data to countries outside of the European Economic Area that have not received an adequacy decision from the European Commission (third countries)." (Taken from the AWS GDPR Center)

    However, some commentators argue that US-hosted data falls outside the SCCs because the US has weak privacy laws. In addition, Austria, Italy, France and Denmark have each ruled that the SCCs don't cover transfer of data to the US (although there hasn't been an EU-wide ruling as yet).

    As far as I'm aware, this hasn't been tested in a high-profile case yet, so if you are highly risk averse, you should host your data in the EU (at least for EU-based users).

    You may also choose to use GDPR/privacy focused tools and services to minimise your risk.

    6) If your user data is leaked or breached, communicate about it immediately. If worst comes to worst and data is leaked, you need to let your users know as quickly as possible (usually within just a few days) and provide information about which data was accessed and how to mitigate risk as a result of the leak.

    Hope that's helpful - please let me know if there's anything I missed or if you disagree with my interpretation of the rules.

    1. 1

      Very helpful, thank you @tashicorp! I am looking into this.

    2. 1

      Thank you for the summary, this is more or less what I thought as well.

      So American cloud providers are not (yet) considered illegal via GDPR I'm guessing, or is that a grey area that has been going on for years?

      My whole platform is based on Firebase which I've set to Europe region, and AWS, for which I did the same.

      But apparently, that might not be enough, according to the latest rulings?

      I was surprised to learn that Google Analytics is now basically illegal in Europe, is this true? Or can we keep using it?

      What types of disclaimers or popups did you put on your site to protect your business?

      Thank you for any insights on this.

      1. 1

        Storing EU data in US regions is generally thought to be against the spirit of GDPR. Using US cloud providers to store data in European regions is more of a grey area. If you want to be super safe, the only way to be guaranteed compliant is to store data with an EU-owned cloud provider in the EU.

        I think most bootstrappers are willing to operate in this grey area because AWS/Firebase are too powerful and convenient not to use. (Although if anyone can recommend an EU cloud provider with a similar developer experience I'd appreciate that!)

        Google Analytics has essentially been found not to be GDPR compliant for the above reason - user data is transferred to the US. If you're trying to be GDPR compliant then I'd recommend against using GA.

        I'm actually not collecting any data on my site yet. I'm trying to avoid cookies altogether. When I collect data I'll add a simple consent checkbox and an explanation of how the data will be used.

  3. 2

    Shameless plug, but you could have a look at Simple Analytics.

    Also, we've written in-depth about what's going on, and it seems we do need a political agreement between the EU & US on how to handle personal data in order to move on. Here

    President Biden signed an executive order on the matter last week, although the EU is likely not really satisfied. My guess is that it will take some time until this gets figured out. Until then, Austria, Italy, France & Denmark ruled the use of US cloud-based services to be unlawful. You could say this holds for every EU member country as these rulings are based on a coordinated effort on an EU level.

    1. 3

      "Austria, Italy, France & Denmark ruled the use of US cloud-based services to be illegal" - Wow, this is huge!

      This means that any companies that use Amazon Web Services and Firebase in those countries are now outlawed?

      That is just insane, are you 100% sure of this? It just sounds so unbelievable.

      And what is the path forward for companies that use these services? I just can't replace Firebase or AWS, all my code uses their SDKs.

      1. 1

        Well. They specifically mention Google Analytics, but the grounds on which they find Google Analytics unlawful in its current setup are identical to others. Here is the Italian press release

        However, ruling something unlawful and governing it are two different things...

        1. 2

          I hear people are getting fined for it. I get it that a US company might always be forced to share the data with the US government given a court order (the 9/11 laws I believe).

          But that argument would render all American cloud platforms unlawful, which is insane. I bet most cloud companies in Europe use cloud providers like Amazon and Google Cloud.

          Are they all suddenly illegal and subject to a random 4% annual revenue fine?

          Is there something like a newsletter that I can follow to keep informed of this? Thank you for any insights, I liked the article a lot.

          1. 1

            We try to keep up with the news in our monthly newsletter: Theprivacynewsletter.com

  4. 2

    You could look into Umami Analytics: https://umami.is/ self hosting or cloud version. Based on their website they are privacy focused and not using cookies.

    1. 1

      Thank you, and what is your experience with Umami, I think there is no cloud version yet, right? Where did you self-host it?

      Thank you in advance for any insight on your experience in using Umami.

      1. 1

        Whoops, I forgot the cloud product was in development. But yes, you can self-host on Digital Ocean or another vendor for about $6/mo and it's fairly straightforward. I'm assuming you are technical?

        Here are some of the resources I followed. The docs from Umami are actually quite good:

        If you need some help, I can send you runbook / logging I did while setting it up!

  5. 1

    For me Plausible.io is a pretty neat privacy-friendly analytics tool.

    We developed a privacy-friendly and dynamic integration of Google Fonts. Let me know if somebody is interested ;)

  6. 1

    Look for EU hosting: for example you can replace Heroku/Render etc. by scalingo.com. Hetzner can replace Linode/DigitalOcean. Use S3 from OVH or Scaleway .... These providers fall under GDPR.

  7. 1

    Very good questions, just removed all my Google fonts a couple of days ago, I am based in Finland but...you never know.

    Thankful that I have been using Umami.is for around two years now...

    1. 1

      I'm thinking of replacing Google Analytics with something else, what is your experience with Umami? I see it's self-hosted, no cloud provider yet. Where did you self-host it, is it based on Node?

      Thank you for any insight you can share on your experience with Umami.

      1. 1

        I have self-hosted it on Hetzner, not even 4 euros a month.

        It's fine, but it gets blocked because it's not server-side analytics...

  8. 1

    Besides analytics, a user can ask to delete his personal data. Upon request you'll have to ask for a proof of identity in a secure way (https, sftp, anything secure) (don't use emails, I usually use a field + file upload from my users table), and if it matches, delete the data.

    I usually use a user/state column/table gdpr_deletion_status (requested, awaiting_document, confirmed) and don't forget to add a noindex tag to any public, nominative profile page of this user.

    Cheers 🙏
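The deletion workflow the comment above describes (a per-user gdpr_deletion_status column, a proof-of-identity upload instead of e-mail, and noindex on the public profile while the request is open), as an added example that is not the commenter's own code. The state names come from the comment; the extra "deleted" terminal state, the illegal-transition check, the audit trail, the 30-day overdue flag (my reading of the one-month response time in GDPR Art. 12(3)) and the name-matching rule for the uploaded document are assumptions of this sketch, and the User dataclass stands in for the users table.

```python
"""Sketch of a GDPR deletion-request state machine.

States and the noindex idea follow the forum comment; everything else
(terminal "deleted" state, transition table, 30-day overdue check,
name comparison on the uploaded document) is an assumption of this
example and should be adapted to your own users table.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import unicodedata

# Allowed moves of gdpr_deletion_status. None means "no request open".
# "awaiting_document" -> "requested" models a rejected document (ask again).
TRANSITIONS = {
    None: {"requested"},
    "requested": {"awaiting_document"},
    "awaiting_document": {"confirmed", "requested"},
    "confirmed": {"deleted"},
    "deleted": set(),
}

# Assumption: answer a request within one month (GDPR Art. 12(3)).
RESPONSE_DEADLINE = timedelta(days=30)


@dataclass
class User:
    """Stand-in for a row of the users table (constructed for the example)."""
    user_id: int
    email: str
    display_name: str
    gdpr_deletion_status: Optional[str] = None
    gdpr_requested_at: Optional[datetime] = None
    gdpr_document: Optional[bytes] = None   # uploaded over HTTPS, never e-mailed
    audit: list = field(default_factory=list)


def _now(now):
    return now if now is not None else datetime.now(timezone.utc)


def transition(user, new_status, now=None):
    """Move the user to new_status, refusing anything not in TRANSITIONS."""
    allowed = TRANSITIONS[user.gdpr_deletion_status]
    if new_status not in allowed:
        raise ValueError(
            f"illegal transition {user.gdpr_deletion_status!r} -> {new_status!r}")
    now = _now(now)
    user.audit.append((now.isoformat(), user.gdpr_deletion_status, new_status))
    if new_status == "requested" and user.gdpr_requested_at is None:
        user.gdpr_requested_at = now      # the clock starts at the first request
    user.gdpr_deletion_status = new_status
    return user


def normalize_name(name):
    """Unicode-normalise, casefold and collapse whitespace before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def receive_document(user, file_bytes, name_on_document, now=None):
    """Store the uploaded proof of identity; confirm if the name matches the
    account name, otherwise drop the file and go back to 'requested'.
    (A real check is a manual review; the string match is only a first filter.)"""
    if user.gdpr_deletion_status != "awaiting_document":
        raise ValueError("no document expected in this state")
    user.gdpr_document = file_bytes
    if normalize_name(name_on_document) == normalize_name(user.display_name):
        transition(user, "confirmed", now)
        return True
    user.gdpr_document = None
    transition(user, "requested", now)
    return False


def purge(user, now=None):
    """Final step: wipe personal fields and the identity document itself."""
    transition(user, "deleted", now)
    user.email = ""
    user.display_name = ""
    user.gdpr_document = None
    return user


def profile_head_tags(user):
    """Extra <head> markup for the public profile page while a request is open."""
    if user.gdpr_deletion_status in ("requested", "awaiting_document", "confirmed"):
        return '<meta name="robots" content="noindex">'
    return ""


def is_overdue(user, now=None):
    """True when an open request has passed RESPONSE_DEADLINE."""
    if user.gdpr_deletion_status in (None, "deleted") or user.gdpr_requested_at is None:
        return False
    return _now(now) - user.gdpr_requested_at > RESPONSE_DEADLINE


def demo():
    """Walk one constructed user through the whole flow."""
    t0 = datetime(2022, 10, 1, tzinfo=timezone.utc)
    u = User(42, "jane@example.com", "Jane  Doe")          # constructed sample row
    transition(u, "requested", t0)
    transition(u, "awaiting_document", t0)
    ok = receive_document(u, b"%PDF-constructed-sample", "jane doe", t0)
    tags = profile_head_tags(u)                             # noindex while confirmed
    overdue = is_overdue(u, t0 + timedelta(days=31))        # would be late by day 31
    purge(u, t0 + timedelta(days=2))
    return ok, tags, overdue, u.gdpr_deletion_status, len(u.audit)


if __name__ == "__main__":
    print(demo())
```

The transition table is the point: the column is only useful if the application refuses to jump straight to "confirmed" without a document, and if the document itself is removed again once the account is purged, since it is personal data too.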

  9. 1

    That's where onduis.com comes in to help (regarding analytics) :D

  10. 1

    There are a lot of nuances, but I think the legal documents are the most important. Unfortunately for a bootstrapped company this can be very expensive. We already set aside about 5k for the launch for legal documents.

  11. 1

    May have to use alternatives like Plausible.io which are privacy focused.

    1. 2

      Did you try Plausible? Is it good? What is your experience with it?

      1. 1

        I haven't used it myself, but on the recent Indie Hackers podcast they talked about it and GDPR briefly.

  12. 1

    I've been asking myself the same questions too. Would love to hear what we should be doing to ensure compliance at the super early stages.

    1. 1

      Yes, I'm at a very early stage too. And what did you do in terms of legal documents so far, and in terms of GDPR?

      I used to think that adding consent boxes, popups and a delete account option would be enough, but it doesn't seem to be the case.

      If you have done something in that sense, please share your experience.

  13. 1

    Good question.. Even I am interested to know from others..

    1. 1

      Yes, this is a good one, I think it could be the subject of a whole podcast.

      And did you do something specific to GDPR in your product so far?

  14. 0

    There is Alexiane Wyns in Belgium, a lawyer who wrote a book on GDPR. If you need more you can consult her, but as a starting point there are a lot of documents online. Most marketing techniques used in the US require information and consent, such as retargeting or even segmentation.

    1. 1

      Thank you for the reference, I didn't know about her.

  15. 0

    I recently bought usermaven for this

    1. 1

      How good is Usermaven? Are you happy with it? I'm thinking of replacing Google Analytics.
