Hey, just went through a few different checklists, and discovered that Lemmy does not meet GDPR requirements for notifying users of how servers handle their data. I’ve brought up this request on github, and I hope to get it fixed soon, but in the meantime I’ve compiled a list of EU address blocks and intend to add them to my firewall. Just thought you all should know.

  • MrWiggles@prime8s.xyz (OP) · 4 points · 1 year ago

    I was told by the owner of Beehaw that login cookies are excluded from the cookie dialog requirement, and Lemmy doesn’t use tracking cookies which are subject to the requirement.

    • b3nsn0w · 1 point · 1 year ago

      yup, this

      IANAL, but user consent is actually only one of the six legal bases of data processing under the GDPR. it is the most “universal” one, and the only one that enables most of the tracking and advertising bs that a lot of web services love to do, but it is possible to collect and process data without ever having to rely on user consent. if you provide a service without abusing your users’ data you likely won’t need a cookie consent dialog at all.

      of course, there are a lot of companies that do love abusing their users’ data, so they benefit a lot from normalizing those dialogs. but that’s not actually the piece of the gdpr that might bite lemmy – it’s federation, or more specifically, sending personally identifiable data to non-gdpr-compliant federated instances. the eu is actually aware of the fediverse and is discussing it, so we’ll likely see something on that front in the future.

      there actually is a second, older style of cookie dialog, which i’m not yet sure is still a requirement, that merely needs to inform the user of the presence of cookies if there are any on the site. of course this is entirely useless because everything with a login uses cookies by necessity – which is why the gdpr refocused on the collection and processing of user data instead. (which is another common misconception btw: it’s okay to have user data that you could use for nefarious purposes if you have another, non-nefarious purpose you need it for, such as providing a service, but using the data for said nefarious purpose would be a violation of the gdpr. it’s less about what you collect and more about what you do with it, although if you have nothing legal to do with it you shouldn’t have it either.)