
What are the legal implications you're concerned about? Are there some laws explicitly outlawing or regulating speech or communication?



What do I have to do to comply with the GDPR? Even if I have e.g. no user accounts, access logs probably count as "user data", do I have to preserve them in any way? Do I have to secure them? What can/can't I do with them? Do I need to present a "cookie warning", how should that cookie warning be worded, what requirement does it need to fulfill, what cookies can I set under these circumstances? How does this change if I do not use cookies?

What personal information do I need to include, are real name+address+email enough? How do they need to be included? Do I have a legal requirement to respond to communications over that address, in what time frame?

Surely there are more things to consider here. Do I need to register this website, do I need to register it under a business? I really do not know. But to be honest the obligation to dox myself is pretty much enough for me not to give it a try.

This is before putting anything on the website. The concerns about speech restrictions are a completely different topic.


You are speculating quite a bit here from a position of ignorance. Googling can answer most of your questions in 5 minutes or so.

These are all questions that are VERY easy to answer. You do not need consent to place strictly necessary cookies (think a session id that identifies a shopping cart). Other cookies you do need consent for.

Access logs don't 'probably count'; they only count if they include information that could be used to identify a person, like an email address or IP address. Pretty easy to not log that info.

Do you need to 'register' a website as a business with your local authorities? Likely not, but I don't know where you live.


Easiest way is to not place any cookies and not keep any logs. You don't have to show a cookie warning if you don't place any cookies and you're not processing any user data if you don't keep logs.


> Easiest way is to not place any cookies and not keep any logs. You don't have to show a cookie warning if you don't place any cookies and you're not processing any user data if you don't keep logs.

That was very much in my mind when making LokiList.

https://lokilist.com/about.php

Since I made LokiList after FOSTA killed Craigslist personals, I also made sure that all user interactions occur offsite on a decentralized, end-to-end encrypted network to minimize reliance on Section 230 protections.

https://www.craigslist.org/about/FOSTA


Is it legal to not keep logs?


Why wouldn't it be?


At least some organizations are legally required to archive certain information. I could imagine that there are certain obligations towards law enforcement to keep certain data and make it accessible upon court order.


You might be thinking of "Know Your Customer" laws, which only apply to some industries and definitely not private persons for a blog. It applies to industries like financial, identification and certain types of commerce (eg: regulated products). Even then, only in some countries.

I don't know where you live but maybe just knowing of the concepts should be helpful. I think you should be totally fine to start a non-commercial website without consequence, but of course this isn't legal advice.


If you get a court order you have to hand over everything you have. But in most jurisdictions if "everything you have" is nothing there is nothing they can do about it.


Personal activities are explicitly exempted from the GDPR. You have to be engaged in "economic activity" for these requirements to apply to you.

https://gdpr.eu/Recital-18-Not-applicable-to-personal-or-hou...


> However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

But hosting a website means processing personal data. This very much reads to me like the user is exempt. But the moment I am hosting a blog, I am providing a service which processes personal data.

I fail to see how I would be exempt. And even if, at what point am I not? If I am taking donations? If I have a comment section? If I have accounts?


All of these things are defined in the GDPR, even the on-the-face-of-it term "economic activity," which is what differentiates "enterprise" from "household and personal." You just have to keep reading. You can process all the personal data you want as long as you're not a business entity selling goods or services. The thresholds involved are also defined.


Why not go after, e.g., wiki.freifunk.net, www.fefe.de, https://weimarnetz.de/freifunk/vpn/ or a million other noncommercial websites with some of these questions. See how far that goes. This comment is pure nonsense. "Tech" companies, i.e., websites set up to collect personal data for commercial purposes, usually advertising, is a relatively new phenomenon on the internet.


> example.com

Is this hosted in Germany?


Personal information about yourself which you have to include on your website, and how to register it, depends on the laws of the country you reside in (e.g. Germany has strict requirements on this), so I can't say anything about that in general, but I believe most countries have pretty lax rules here, which should make it totally fine to run a personal website.

I can say something more sensible wrt your GDPR and "cookie" questions:

The GDPR has one overarching principle: "data minimisation".

There are no requirements to preserve things like access logs, but rather the opposite: you should only retain personal information for as long as you _need_ it - and then once you no longer need it, you should remove it. And while you have the information, you should take meaningful steps to secure it, where the definition of that changes based on best practices over time.

The important thing here is that you think about what information you need, for what purpose (so something specific like "prevent abuse" rather than "it could come in handy at some point"), and then consider the tradeoff between privacy of your users and your own need for the information (and document this thinking in some way, so that you can later prove that you've done so).

So for those access logs, write down that you log e.g. ip address, timestamp, UA string, referer, visited page (possibly including querystring with search terms), that you retain this information for 2 weeks, maybe that you then aggregate it in some ways, and that you'll delete the information after this time. Your purposes for doing this are probably insight into usage patterns and detecting and fighting abuse. You're explicitly not connecting these logs to other data sources to identify specific visitors, nor sharing this information with any third party, so you believe the privacy impact for your visitors is minimal.

On your website, have a page (accessible from anywhere, so e.g. linked in the footer) that says the same. Specific wording effectively doesn't matter, but what does matter is that it's understandable by your average visitor.

As for cookies: "Functional cookies" (shopping cart, "remember me" function etc.) you can set without any permission. "Tracking cookies" (advertising, analytics, etc.), you can only set based on explicit and voluntary permission (visitors need to be able to say "no" as easily as "yes", without negative consequences, and if they give permission, they need to be able to withdraw it just as easily at a later date, so one click in the footer or some such - they also need complete and understandable information about what they give permission for, so put that in the question, and link to a similar page as above for the GDPR).
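The retention scheme sketched above (log IP, timestamp, UA, referer and visited page; keep two weeks; aggregate; delete) as a small worked example. This is added code, not from any commenter, and it goes one step further than the comment by truncating IP addresses to /24 (IPv4) or /48 (IPv6) at ingest; the log lines and the "today" date are constructed for the example.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [01/Mar/2024:10:15:32 +0000] "GET /posts/hello HTTP/1.1" 200 5123 "https://example.net/" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2024:11:02:07 +0000] "GET /search?q=gdpr HTTP/1.1" 200 812 "-" "Mozilla/5.0"
2001:db8:abcd:1234::1 - - [14/Mar/2024:09:00:00 +0000] "GET /posts/hello HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.7 - - [15/Mar/2024:08:30:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)  # constructed "today"
RETENTION = timedelta(days=14)                     # the two-week window from the comment

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def anonymize_ip(ip):
    """Keep only the /24 (IPv4) or /48 (IPv6) prefix so one visitor is not singled out."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)

def parse_line(line):
    """Parse one combined-format line into the fields the policy says we keep."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ip"] = anonymize_ip(rec["ip"])
    return rec

def process_logs(text, now):
    """Return (records still inside the retention window, aggregate hits per path)."""
    kept, hits = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec["path"]] += 1            # aggregate counts survive after raw lines expire
        if now - rec["ts"] <= RETENTION:  # older raw records are dropped, not kept
            kept.append(rec)
    return kept, hits

def run_example():
    return process_logs(SAMPLE_LOG, NOW)

if __name__ == "__main__":
    kept, hits = run_example()
    print(len(kept), "records retained;", dict(hits))
```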


I am in Germany, so the requirements definitely apply to me.

I appreciate the effort. Clearly there is quite a bit of effort involved to comply with just EU law. To me the legal aspect is the largest hurdle, it turns a fun weekend project into wading through unbearable legal requirements and in the end I still will not know if I am actually in compliance.



