Welcome to the the tenth door of the Drupal Advent Calendar. Today we hand over to Jürgan Haas to tell us about the Privacy track of the Starshot project.
Right after DrupalCon Portland, it was clear to us at LakeDrops that we would support the Starshot initiative wherever we could. And when the tracks had been announced, I applied for the privacy track, not only because it was still open but also because that topic is so close to my heart. In my view, the internet will only remain a benefit to us, the users, if it respects our privacy, a human right in more and more countries of the world. There is the danger that commercial interests outweigh this fundamental component of freedom, which would eventually turn the web into something most of us won’t want to participate in.
That was my motivation to get involved, in addition to helping Starshot become a reality. What I didn’t expect was the difficulty of building a global standard for Drupal sites out-of-the-box so that they can comply with legal requirements in that area.
In talking to many people, mainly Drupal experts in my network, something special happened: we suddenly established a group of almost 10 people who have been working together on this topic for already 6+ months. They are Nico Grienauer from Acolono, Laurens Van Damme and Valery Lourie from Dropsolid, Kai Gertz from Tojio, Richard Papp and myself from LakeDrops, Ralf Koller, Sven Berg Ryen and Martin Lund from Ramsalt, Jan Kellermann and Sascha Meissner from Werk21, plus some more in the issue queue and on Slack. All of them helped us with their experience and knowledge so that we were able to overcome all the challenges.
Privacy and Data Protection in Drupal CMS focus on the following aspects:
Enabled by default is the consent management and blocking of external content, so that PII (personally identifiable information) of website visitors will neither be processed nor shared with any third-party anywhere. Our objective was to provide this protection in a way which is non-invasive, so that the UX of any website won’t be affected in any negative way. There is no popup, there is no banner. The protection comes with legally correct defaults that won’t impact most websites in any way, yet the privacy of their visitors will remain respected. The privacy team has selected the Klaro! module for this part, and it works like a charm. More about that decision can be found in an ADR (Architecture Decision Record). By default, no cookies or other data will be stored in the visitor’s browser and external content like videos or maps will be blocked until the user requests them explicitly with a single click.
The second part of the privacy track is about protecting sensitive user data on the server side. This will be optional, and only required by websites that allow their visitors to sign up with a user account. Drupal CMS will then make sure that the data that is sensitive can be identified, and therefore protected. This will also enable the site owner to create reports about stored user data on their request. And should a user demand that their data is deleted, this will also be possible based on that configuration. This second part is not quite finished yet, but will follow soon.
With those two components, it becomes easy for a site owner to be compliant with various privacy and data protection legislation. Of course, the requirements are different in almost every country or region in the world. That’s why we’ve implemented this functionality towards the strongest requirements. There are multiple reasons for that:
- most commercial sites want to be covered globally as they provide their website to global audiences
- legal requirements are moving targets, and we found that globally, more and more countries are catching up with the strongest regulations like e.g. in the EU
- starting from the comprehensive standard, it’s much easier for site owners to roll back, should they not require the strong compliance, much simpler than building up from weak standards
Many interviews with Drupal agencies, Drupal experts, but also with non-technical decision makers on all continents have helped us to scope the requirements and make our decisions about what is now the standard configuration for Drupal CMS. With this setup, marketers and other (new) users of Drupal will have an easy start and get one of the best setups in the CMS marketspace to be prepared for solid compliance.
Being prepared for compliance doesn’t mean that they get everything out-of-the-box, and they are not responsible for checking the legalities. In fact, it’s an important disclaimer that all users of Drupal CMS, just like with any public facing website on any platform, the individual requirements still need to be checked with local experts. And e.g. documents like the publicly available privacy policy need to get created and published.
We’re working on documentation, that will support the site owner in getting this done. At the same time, all this should not be perceived as legal advice or consultancy. Drupal CMS provides reasonable default settings, but legal certainty cannot be provided.
Jürgen Haas (jurgenhaas) has been a Drupal enthusiast since 2006, and is founder of LakeDrops. He is passionate about automation and privacy, and is a maintainer for the popular ECA (Event - Condition - Action) module. He is pictured here with his dog, Bailey.
Comments