SmugMug and the new European GDPR
I don't know how many of you are aware of it, but on May 25, 2018, a new European Law is going to be established. From that day onward all European users (this translates to all users who use a website from an EU/EEA country, so a US tourist in Norway would be affected too, even a Chinese website targeting European customers, though located in China would have to obey this new law) of a website have the right to download all information that a website has stored about them. This includes all personal data that somehow can be connected to a specific person including addresses, birthdates, emails ... and they have the right to be forgotten, which means that website will have to be able to delete all that data of a specific person. The storage of such information is then restricted to what is absolutely necessary for said website to know. So for example: if someone would buy a photo from one of our websites, we would have to know the address of where to ship it to, but we would not have to know that person's license plate number.
It also targets things like people having to login using their emails/fb accounts to comment on something, as long as that login information is stored somewhere.
There is probably quite a bit more to it than I am able to explain.
The fee if sued and found guilty of breaching the law: 20M € or 4% of net income, whichever of those two is the higher amount (not super certain about the amounts, but it was way more than I will ever own.)
I am just wondering as to how far a) SmugMug is covered by it and b) if there is anything we as website owners would have to do to be covered.
Lille Ulven
Comments
Good question, Lille.
Thanks, @Richard
I had a brief conversation with the SuperHeroes about one of the rules of GDPR yesterday. They assured me that SmugMug is working hard on reaching GDPR compliance and will be compliant within the deadline. So that's at least some good news.
The rule I was questioning about is Google Analytics. As you probably all know, in Account Settings => Stats we have the possibility to connect our SmugMug website to Google Analytics. As a consequence of GDPR, only the anonymous data collection by Google Analytics will be allowed and this restricted to those visitors who allow data collection in the first place. So there will have to be some sort of button/pop-up which will allow our site-visitors to choose if they allow the anonymous data collection by Google Analytics. If they choose to not allow this, they will still have to get the same access to our websites as those visitors that allow the data-collection.
I believe what is installed now is the anonymous version of Google Analytics because I could not find any report in my Analytics setup that would have allowed me to see full IP addresses. But that is a belief and not a certainty. @leftquark it would really help if you could confirm this and possibly get us some sort of overview if there is anything we need to do.
As you probably know too, you can also connect your SmugMug page to Statcounter. Though I haven't yet heard anything if Statcounter would be allowed to collect full IPs even after GDPR or not, I found that in the project settings on your Statcounter-project-page the anonymous collection (masking of the last three digits of the IP) can be enabled rather easily. Just cross off a checkbox and you are good to go (it seems). I have enabled that right away.
If there is anything more for us to do - I'd love to hear, I really don't want to be the first person sued over this one...
@Lille Ulven: thanks for reaching out. We have a team working on GDPR compliance but I don’t have any specifics at this time. Stay tuned!
Former SmugMug Product Team
aaron AT aaronmphotography DOT com
Website: http://www.aaronmphotography.com
My SmugMug CSS Customizations website: http://www.aaronmphotography.com/Customizations
@leftquark thanks - I shall stay tuned
We are aware of GDPR requirements and our team is working hard on addressing them. We are working with outside counsel on developing and implementing policies and procedures to comply with the GDPR and to ensure that our subscribers can meet their GDPR obligations as to their customers in the near future. When we have more details to share, we'll let you know!
Any update? The GDPR takes effect tomorrow.
We’re hard at work getting ready. Stay tuned for an email with more information.
Hi, it's the 25th May and the new laws come into power today. Any news on what is happening with GDPR?
I don't think SmugMug customers have much to worry about with regard to our visitors, though we might have to review how purchase and contact form data are handled and retained. If you are using Statcounter, you may notice some changes, in particular, personal information will no longer be accepted in IP address tags. If you're using Google Analytics, you've already heard from them (at great length). IP addresses themselves are not considered personal information for businesses that cannot tie them to a specific person: so they would be personal for an ISP but not for a SmugMug customer's site. SmugMug itself may have issues to address with regard to how it stores our information, but I expect we'll hear from them soon.
What about client names and addresses that are stored when purchasing products?
Arrgh. I live in the EU so I've been inundated by notices all day about GDPR compliance, including an email from SmugMug, which I haven't looked at yet.
As a public service, here's the xkcd summary of all of them:
@smugmug:
Looks like you have not understood what the GDPR is about.
You still use elev.io and intercom.io in the image pages.
So if I use SmugMug to display images to EU users I would have to explicitly disclose their tracking.
In the profile pages under privacy, I see neither elev.io nor intercom.io mentioned, so for an average SmugMug customer it might not even be possible to find out.
You are basically making it impossible to conform to the GDPR for your users.
Your statement about the usage of external parties does not mention them explicitly, so you do run into a GDPR violation yourself.
It is not rocket science to perform the needed statistics gathering for yourself, so why use opaque external entities and that without even disclosing them?
Lastly, your update on the 25th of May leaves all your customers who do have to conform to the GDPR scrambling to handle the situation you created because you took until the last minute to update your privacy policy. It is 2 years since the GDPR was made public.
cheers
afx
Our focus will always remain on building amazing experiences and solving customer problems for their photography related needs. When there are areas that we can take advantage of 3rd party tools that help us build a great experience and aren't necessarily photo related, we'll often integrate those tools. These 2 are perfect examples.
Elev.io is used to power the "Support" panel, when you're looking to get help.
Intercom is used so we can push relevant messages to you, for example when we launch new features or iterate on something you've used and we want to let you know that it's been improved.
I'm not a lawyer, nor a GDPR expert, so I won't be able to conduct a discussion on GDPR, other than to say that our team has been working with our counsel regarding GDPR compliance and has updated our Terms of Service and Privacy Policies with their input. If you have additional concerns you can reach out to the Support Heroes.