Hey, just went through a few different checklists, and discovered that Lemmy does not meet GDPR requirements for notifying users of how servers handle their data. I’ve brought up this request on github, and I hope to get it fixed soon, but in the meantime I’ve compiled a list of EU address blocks and intend to add them to my firewall. Just thought you all should know.
I have had this concern for a few days and adapted the Mastodon privacy policy (adapted from the Discourse policy) and published it https://github.com/BanzooIO/federated_policies_and_tos/blob/main/lemmy-privacy-policy.md
Discussion on this has been started: https://lemmy.ml/post/1431759 and https://lemmy.ml/post/1431930. Open to any recommendations
There is also not a “cookie accept” when you first visit the site that is now standard convention.
That’s because Lemmy does not use tracking cookies! Lemmy only uses one authentication cookie, and cookies such as these do not require user consent (at least under the GDPR). More info: https://gdpr.eu/cookies/
Cool, thank you.
I was told by the owner of Beehaw that login cookies are excluded from the cookie dialog requirement, and Lemmy doesn’t use tracking cookies which are subject to the requirement.
yup, this
IANAL, but user consent is actually only one of the six legal bases of data processing under the GDPR. it is the most “universal” one, and the only one that enables most of the tracking and advertising bs that a lot of web services love to do, but it is possible to collect and process data without ever having to rely on user consent. if you provide a service without abusing your users’ data you likely won’t need a cookie consent dialog at all.
of course, there are a lot of companies that do love abusing their users’ data, so they benefit a lot from normalizing those dialogs. but that’s not actually the piece of the gdpr that might bite lemmy – it’s federation, or more specifically, sending personally identifiable data to non-gdpr-compliant federated instances. the eu is actually aware of the fediverse and is discussing it, so we’ll likely see something on that front in the future.
there actually is a second, older style of cookie dialog which i’m not yet sure is still a requirement, which merely needs to inform the user of the presence of cookies if there are any on the site. of course this is entirely useless because everything with a login uses cookies by necessity – which is why the gdpr refocused on the collection and processing of user data instead. (which is another common misconception btw: it’s okay to have user data that you could use for nefarious purposes if you have another non-nefarious purpose you need it for, such as providing a service, but using the data for said nefarious purpose would be a violation of the gdpr. it’s less about what you collect and more about what you do with it, although if you have nothing legal to do with it you shouldn’t have it either.)