Viewing 5 replies - 1 through 5 (of 5 total)
  • MA

    (@gasparnemes)

    Hi there,

    Thanks for your suggestion, I’ll look into it and probably will be implemented in a future release.

    This is something I’ve been considered. Unfortunately use of a 3rd Party API (e.g. Maxmind – I assume others are the same) as in the (pre GDPR) example link would make GDPR Cookie Compliance er NON COMPLIANT!

    Maxmind sets a uniquely identifying cookie (__cfduid) for the individual/device that makes the request. Maxmind’s privacy policy is vague; but it might also be recording data from such requests in its own database (requiring consent under GDPR). Elsewhere on its site Maxmind points out it is up to a site to obtain consent when providing Maxmind API services.

    i.e. to comply with GDPR you could only check the visitor’s location via a 3rd party API AFTER they accept cookies (when it is pointless).

    • This reply was modified 6 years, 5 months ago by wrigs1.
    Thread Starter net

    (@krstarica)

    How about freegeoip.net or ipinfodb.com?

    I was looking at adding a client side option to a (GDPR compliant) server side geolocation plugin; but did not follow up with the 2 you mentioned because I would have had to register to use/test the API; and their privacy policies gave me the impression data that might be considered PII was gathered.

    Note: on my visit neither site (despite identifying my EU location) displayed a cookie bar of any kind; let alone asked me to accept cookies.

    Ipstack (freegeoip): “Data processed when using the Services is processed by us only as a processor, not as a controller.” I assume this means your site is responsible for obtaining consent if required – which makes sense as the user is unaware they are being connected to the API site.

    Under terms for API it says it “collects information, including standard information of the type normally exchanged when accessing any web site or web service” and refers back to Privacy Policy (presumably para 2.1, which includes IP, date time, site from, browser + version, operating system, and language).

    To me the information collected is similar to Google Analytics (and the majority view appears to be that GA requires consent).

    IPInfoDB privacy policy is even more opaque: “information may be kept in its identifiable form, or in an aggregated form (so that individuals cannot be identified)“; and a right to pass aggregated data to 3rd parties for business purposes.

    Under “cookies” the policy mentions “user ID” and “tracking”. I assume this refers to the API service as well as website, as later it refers to turning off cookies in your browser and “you may not be able to take full advantage of IPInfoDB Website & Web Service“.

    Based on these policies I decided to assume consent would be required and not to spend more time checking.

    My impression may be wrong, a plugin developer considering these APIs should contact the API provider for a definitive answer. Apologies for my original comment which was too categorical, and its mention of CF cookie a red herring (more important is what information the 3rd Party is gathering on its own servers (GDPR relates to collection of PII data on other media, not just cookies).

    • This reply was modified 6 years, 5 months ago by wrigs1.
    Thread Starter net

    (@krstarica)

    Have you seen this interesting thing at:
    https://developers.google.com/admob/android/eu-consent

    “The Consent SDK has different behaviors depending on the value of ConsentInformation.getInstance(context).isRequestLocationInEeaOrUnknown(). For example, the consent form fails to load if the user is not located in the EEA.”

    It uses: https://adservice.google.com/getconfig/pubvendors (check out JSON returned)

    • This reply was modified 6 years, 5 months ago by net.
Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘EU countries only?’ is closed to new replies.