Prepping up for GPDR

As you have probably been made aware by the flurry of privacy policy updates in your mailbox, GPDR ^[1] is coming.

While I am not convinced GDPR will not turn into a perfect showcase for “the road to hell is paved with good intentions”, this is also a good opportunity to update BeginEnd.net ^[2] to use the 64bit version of DWScript and add a few missing features.

BeginEnd.net ^[2] has now been running for a few weeks with the 64bit DWScript sample/simple web server, without crashes so far 🙂

In the updated account page (click on your alias once logged in), you have access to

• The list of your votes
• The list of your “quieted” blog feeds
• The list of current active sessions, with a button to drop them
• A link to delete your account

In terms of cookies, BeginEnd.net ^[2] uses the following cookies:

• Session cookie, once you have logged in
• CloudFlare security cookie ^[3], not sure what will happen with that one, I do not see how CloudFlare could provide security convenience without it, but they may have some technological surprises.
• Google Analytics cookie, the data retention ^[4] has been set to 14 months and the ip anonymization ^[5] is active, but there are still cookies, so in theory explicit opt-in consent is required.
• The current/old cookie notice’s cookie.

Interestingly enough, GDPR Recital 42 requires a demonstration of consent ^[6] (aka proof) of both acceptance and rejection of cookie consent. While poorly defined, such a proof can only be a form of personally identifiable information… Meaning that even if you say “no” to cookies, the website has to keep a record of you saying “no”, as well as any subsequent change of heart. Orwell would be proud.

Direct consequence is that at the moment, the only way to fully comply with all GDPR recitals seems to either

• have a static website with no persistent user interaction, as you cannot really do without cookies for bot abuse.
• require users to register an account (or social login), ie. make consent and social tracking compulsory.

In particular, for websites financed through advertisement, this may to be the only option as “tracking walls” are not allowable under GDPR, and no advertiser will be willing to return to the days of click-abuse-by-robots era. The social login requirement nicely defeats AdBlockers and other browser-based privacy features.

If you use a social login on the other hand, then consent can be gathered only once for all (rather than once per site), user experience stays friendly, the social networks gather more data, and they do not need to share personal data to take advantage of it on its own ad network. Everything is fine from a GDPR point of view.

Thus my contrarian point of view is that the GDPR will turn out as a big boon for the Big Four:

1. social logins will become a requirement for merely browsing the web from the EU
2. people will be locked-in once they are using their social logins everywhere
3. regulatory barriers ensure no EU-based social login or advertisement alternative will emerge

So depending on how strictly the GDPR gets applied on May 25th, a social login may be required for EU users to access BeginEnd.net and DelphiTools.info, or I may block them entirely from EU users if fines start falling around.

But hopefully, sanity will prevail…