Smugmug and the new European GDPR

Lille Ulven, Scandinavia. Posts: 493. Registered Users, Major grins

I don't know how many of you are aware of it, but on May 25, 2018, a new European law comes into force. From that day onward, all European users of a website (this means all users who use a website from an EU/EEA country, so a US tourist in Norway would be affected too, and even a Chinese website targeting European customers, though located in China, would have to obey this new law) have the right to download all information that the website has stored about them. This includes all personal data that can somehow be connected to a specific person, including addresses, birthdates, emails ... and they have the right to be forgotten, which means the website will have to be able to delete all data about a specific person. The storage of such information is then restricted to what is absolutely necessary for the website to know. So, for example: if someone bought a photo from one of our websites, we would have to know the address to ship it to, but we would not have to know that person's license plate number.
It also targets things like people having to login using their emails/fb accounts to comment on something, as long as that login information is stored somewhere.
There is probably quite a bit more to it than I am able to explain.
The fine if sued and found guilty of breaching the law: 20M € or 4% of net income, whichever of the two is the higher amount (not super certain about the amounts, but it was way more than I will ever own).

I am just wondering as to how far a) Smugmug is covered by it and b) if there is anything we as website owners would have to do to be covered.

Lille Ulven

http://www.lilleulven.com - The Photos of my travels
http://blog.lilleulven.com - The Stories of my travels

Comments

  • Richard (Mildly bemused), Madrid, Spain. Posts: 18,417. Administrators, Vanilla Admin, moderator

    Good question, Lille.

  • Lille Ulven, Scandinavia. Posts: 493. Registered Users, Major grins

    Thanks, @Richard
    I had a brief conversation with the SuperHeroes about one of the rules of GDPR yesterday. They assured me that Smugmug is working hard on reaching GDPR compliance and will be compliant within the deadline. So that's at least some good news.

    The rule I was asking about is Google Analytics. As you probably all know, in Account Settings => Stats we have the possibility to connect our SmugMug website to Google Analytics. As a consequence of GDPR, only the anonymous data collection by Google Analytics will be allowed, and this is restricted to those visitors who allow data collection in the first place. So there will have to be some sort of button/pop-up which will allow our site visitors to choose whether they allow the anonymous data collection by Google Analytics. If they choose not to allow this, they will still have to get the same access to our websites as those visitors who allow the data collection.

    I believe what is installed now is the anonymous version of Google Analytics because I could not find any report in my Analytics setup that would have allowed me to see full IP addresses. But that is a belief and not a certainty. @leftquark it would really help if you could confirm this and possibly get us some sort of overview if there is anything we need to do.

    As you probably know too, you can also connect your Smugmug page to Statcounter. Though I haven't yet heard anything about whether Statcounter would be allowed to collect full IPs even after GDPR or not, I found that in the project settings on your Statcounter project page the anonymous collection (masking of the last three digits of the IP) can be enabled rather easily. Just tick a checkbox and you are good to go (it seems). I have enabled that right away.
    If there is anything more for us to do, I'd love to hear it; I really don't want to be the first person sued over this one...

    http://www.lilleulven.com - The Photos of my travels
    http://blog.lilleulven.com - The Stories of my travels
  • leftquark, SmugMug Product Team. Posts: 3,143. Administrators, Vanilla Admin, SmugMug Product Team, SmugMug Employee

    @Lille Ulven: thanks for reaching out. We have a team working on GDPR compliance but I don’t have any specifics at this time. Stay tuned!

    SmugMug Director of Product / dGrin Afficionado
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • Lille Ulven, Scandinavia. Posts: 493. Registered Users, Major grins

    @leftquark thanks - I shall stay tuned :smile:

    http://www.lilleulven.com - The Photos of my travels
    http://blog.lilleulven.com - The Stories of my travels
  • leftquark, SmugMug Product Team. Posts: 3,143. Administrators, Vanilla Admin, SmugMug Product Team, SmugMug Employee

    We are aware of GDPR requirements and our team is working hard on addressing them. We are working with outside counsel on developing and implementing policies and procedures to comply with the GDPR and to ensure that our subscribers can meet their GDPR obligations as to their customers in the near future. When we have more details to share, we'll let you know!

    SmugMug Director of Product / dGrin Afficionado
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • AlastairM, UK. Posts: 1. Registered Users, Beginner grinner
    edited April 30, 2018
    Thanks @Lille Ulven for raising this. Looking forward to hearing more about this from @leftquark and the team soon...
  • Richard (Mildly bemused), Madrid, Spain. Posts: 18,417. Administrators, Vanilla Admin, moderator

    @leftquark said:
    We are aware of GDPR requirements and our team is working hard on addressing them. We are working with outside counsel on developing and implementing policies and procedures to comply with the GDPR and to ensure that our subscribers can meet their GDPR obligations as to their customers in the near future. When we have more details to share, we'll let you know!

    Any update? The GDPR takes effect tomorrow.

  • leftquark, SmugMug Product Team. Posts: 3,143. Administrators, Vanilla Admin, SmugMug Product Team, SmugMug Employee

    We’re hard at work getting ready. Stay tuned for an email with more information.

    SmugMug Director of Product / dGrin Afficionado
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • mikeelbon, Beginner grinner. Posts: 9. Registered Users, Big grins

    Hi, it's the 25th of May and the new laws come into power today. Any news on what is happening with GDPR?

  • wallace2110, Germany. Posts: 1. Registered Users, Beginner grinner
    Please give us some information. We have the 25th May!!!!!
  • Richard (Mildly bemused), Madrid, Spain. Posts: 18,417. Administrators, Vanilla Admin, moderator
    edited May 25, 2018

    I don't think SmugMug customers have much to worry about with regard to our visitors, though we might have to review how purchase and contact form data are handled and retained. If you are using Statcounter, you may notice some changes, in particular, personal information will no longer be accepted in IP address tags. If you're using Google Analytics, you've already heard from them (at great length). IP addresses themselves are not considered personal information for businesses that cannot tie them to a specific person: so they would be personal for an ISP but not for a SmugMug customer's site. SmugMug itself may have issues to address with regard to how it stores our information, but I expect we'll hear from them soon.

  • mikeelbon, Beginner grinner. Posts: 9. Registered Users, Big grins

    What about client names and addresses that are stored when purchasing products?

  • Richard (Mildly bemused), Madrid, Spain. Posts: 18,417. Administrators, Vanilla Admin, moderator
    edited May 25, 2018

    Arrgh. I live in the EU so I've been inundated by notices all day about GDPR compliance, including an email from SmugMug, which I haven't looked at yet.

    As a public service, here's the xkcd summary of all of them:

  • afx, Major grins. Posts: 102. Registered Users, Major grins

    @smugmug:

    Looks like you have not understood what the GDPR is about.
    You still use elev.io and intercom.io in the image pages.
    So if I use SmugMug to display images to EU users I would have to explicitly disclose their tracking.
    In the profile pages under privacy, I see neither elev.io nor intercom.io mentioned, so for an average Smugmug customer it might not even be possible to find out.
    You are basically making it impossible to conform to the GDPR for your users.
    Your statement about the usage of external parties does not mention them explicitly, so you do run into a GDPR violation yourself.

    It is not rocket science to perform the needed statistics gathering for yourself, so why use opaque external entities and that without even disclosing them?

    Lastly, your update on the 25th of May leaves all your customers who do have to conform to the GDPR scrambling to handle the situation you created, because you took until the last minute to update your privacy policy. It is 2 years since the GDPR was made public.

    cheers
    afx
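    afx's point that a site owner "might not even be possible to find out" which third parties a hosted page loads is something the owner can check for themselves, at least for what is present in the served HTML. The following is an added example, not code from the thread or from SmugMug: it parses a page and lists every host, other than the site's own, that the browser would fetch a script, image, iframe or linked resource from. The page fragment and all hostnames (`.example` placeholders) are constructed for the example and do not stand for any real service.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page fragment standing in for a gallery page. Every host is a
# .example placeholder; none of them is a real service.
SAMPLE_HTML = """
<html><head>
<script src="https://www.my-gallery.example/js/app.js"></script>
<script src="/js/local.js"></script>
<script src="https://support-widget.example/loader.js"></script>
<script async src="//messaging-widget.example/widget.js"></script>
<link rel="stylesheet" href="https://fonts.cdn.example/font.css">
<img src="https://stats-collector.example/pixel.gif?site=123">
<iframe src="https://maps.example/embed"></iframe>
</head><body><p>gallery</p></body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for elements that make the browser fetch a URL."""

    # Element -> attribute that carries the fetched URL.
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value))


def third_party_hosts(html: str, first_party_host: str) -> dict:
    """Map each foreign host to the sorted element types that load from it.

    Relative URLs (no host) and URLs on first_party_host are skipped.
    Scheme-relative URLs ("//host/path") are handled by urlsplit.
    """
    parser = ResourceCollector()
    parser.feed(html)
    found = {}
    for tag, url in parser.urls:
        host = urlsplit(url).netloc.lower()  # "" for relative URLs
        if not host or host == first_party_host.lower():
            continue
        found.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}


if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, "www.my-gallery.example").items():
        print(f"{host}: {', '.join(tags)}")
```

    This only sees what is in the static HTML. Scripts that are injected at runtime by another script (a tag manager loading further tags, for instance) do not appear, so the fuller inventory is the browser's network panel or a saved HAR file for a page load; the static list is still a quick first check against what a privacy policy discloses.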

  • leftquark, SmugMug Product Team. Posts: 3,143. Administrators, Vanilla Admin, SmugMug Product Team, SmugMug Employee
    edited May 29, 2018

    @afx said:
    It is not rocket science to perform the needed statistics gathering for yourself, so why use opaque external entities and that without even disclosing them?

    Our focus will always remain on building amazing experiences and solving customer problems for their photography-related needs. When there are areas where we can take advantage of 3rd-party tools that help us build a great experience and aren't necessarily photo related, we'll often integrate those tools. These 2 are perfect examples.

    Elev.io is used to power the "Support" panel, when you're looking to get help.
    Intercom is used so we can push relevant messages to you, for example when we launch new features or iterate on something you've used and we want to let you know that it's been improved.

    SmugMug Director of Product / dGrin Afficionado
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
  • leftquark, SmugMug Product Team. Posts: 3,143. Administrators, Vanilla Admin, SmugMug Product Team, SmugMug Employee
    edited May 30, 2018

    I'm not a lawyer, nor a GDPR expert, so I won't be able to conduct a discussion on GDPR, other than to say that our team has been working with our counsel regarding GDPR compliance and have updated our Terms of Service and Privacy Policies with their input. If you have additional concerns you can reach out to the Support Heroes.

    SmugMug Director of Product / dGrin Afficionado
    aaron AT aaronmphotography DOT com
    Website: http://www.aaronmphotography.com
    My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations