Add information relating to GDPR

[schrej]

We should have a section in the documentation with GDPR related information for people hosting the panel.
The panel is using ReCAPTCHA by default for example, and that requires to be mentioned in the Privacy Policy. We can then also include information on what kind of information the panel collects (cookies, ips?, email) so people know what they have to mention in their Privacy Policy.

This should not be a full privacy policy, just information on what to include/mention in it.

• Cookies
• IP logging
• LocalStorage?
• ReCAPTCHA
• Gravatar (E-Mail Address!!)

[lancepioch]

I agree and think it's important to help our panel users support and follow EU's GDPR and related privacy laws. I have some questions hopefully that are helpful:

• If the cookies only contain the encrypted session data, then does it count as personally identifiable information (PII)? Same for the localstorage.
• Are we storing IP addresses? Can this be toggleable if so?
• Don't the ReCaptcha and Gravatar services have their own policies? Do we just have to link to them or do we also have to include a copy of them? Can we just make the services toggleable?

PII to be included (and deletable/removable):

• Names
• Emails
• IP Addresses

[schrej]

Good point regarding the services: ReCaptcha is toggleable already, Gravatar should be easy enough. And yes we should link to their Policies of course.
I had them on the list because it's easy to forget that they're there.

[DaneEveritt]

I'm thinking of removing the gravatar stuff as well as first last name anyways, but we should still document that since we're using it on prior versions.

@lancepioch I think the cookies being encrypted doesn't change anything. They're encrypted to the user, but still readable by the server. But they also don't contain any PII as far as I can remember.

[lancepioch]

Do we actually need to do anything extra besides updating the privacy policy @schrej ?

[schrej]

Hmm, not really sure about that. I'm not an expert on GDPR either.
Also, we certainly shouldn't write up a privacy policy for the panel. I was talking about providing information that helps to write a privacy policy: What data does the panel collect and for what reason.
Additionally we could consider the amount of data the panel is collecting and whether we can reduce it, but I guess it's pretty minimal as it is.
We should also maybe add a "This website uses cookies" banner, that can be enabled. The text should also be editable.

[iksan22-06-2011]

Wan

[iksan22-06-2011]

Forr