ThingLink GDPR Compliance

Posted by Andrew Beelitz on May 25, 2018 1:44:27 PM

As we are sure you are aware, the EU General Data Protection Regulation (GDPR) is now in full effect as of May 25th, 2018. We have clarified our Privacy Policy and Terms of Service to let you know about your new rights under this new regulation. Please read and familiarize yourself with them, as you will need to accept them before you continue to use ThingLink.

We won’t be sending you an email asking you to stay on our mailing lists, because we already asked about that when you first signed up. If you chose to opt-out at that point, we’re not going to bother you unless it’s about invoices or technical problems. Remember that you can always change your preferences in your account settings. Our monthly newsletter is a good source of information and inspiration, as we highlight great content from our users.

The biggest visible change that GDPR brings is important: images and videos that contain third-party embedded content will now show a popup listing all the domains that the viewer's information may be sent to, so that the viewer can give informed consent. This lets you continue embedding ThingLink content with confidence that your own customers' privacy is protected.

Pro and Premium users: If you have your own GDPR consent scheme in place on your own site, you can turn off the ThingLink GDPR notification in your account settings under Advanced Media Settings.

Implementing GDPR is quite an ordeal for a small company. Luckily, because ThingLink is proudly a Finnish company and has therefore already been subject to EU legislation for quite some time, the changes we had to make were mostly a matter of going through our practices and legal agreements and writing everything up.

Among the things that we have done are:

1. We internalized all of the JavaScript and CSS that we were previously loading from third-party CDNs (jsDelivr, Google, MaxCDN, etc.) and now serve all of it from our own infrastructure. This means that your IP address isn't being leaked to those providers as you browse ThingLink images.

2. We reviewed all the data we were sending to different analytics services, deleted anything that we didn't absolutely need, and pseudonymized the rest. Pseudonymization is also done on a per-service basis, so even if two services combined their data, they would not be able to work out who is who.

3. We looked at our internal data gathering and dropped some data collection points that simply weren't used anymore.

4. We checked all external services for GDPR compliance and removed the ones that we weren’t actively using anymore or could be replaced with GDPR-compliant ones.

5. We went through our codebase and added tests to check that when you delete an account, we really do delete your data from external services as well (where applicable). The good thing is that GDPR compliance means that companies offering such services have to provide an API for this too, so it is now actually possible to do.

6. We reviewed our security practices and added checks and processes with improved documentation.

7. We brought our password and signup handling into compliance with the NIST 800-63-3 Authenticator Assurance Level (AAL) 1 standard. This means, for example, that the minimum password length is now 8 characters and we check for people trying to use “12345678” as their password.

8. We rewrote our Privacy Policy and our Terms of Service to be GDPR-compliant. They now address the terms for underage users much better than before.

9. We added a new Privacy Architecture section to our Terms of Service page to describe more precisely what kind of data we collect and where, and how we store and handle your data.

10. The topic of third-party embeds on images was the most interesting: the main issue with embedding content in a ThingLinked image is that upon viewing the image, your data is shared with the embedded site – if you embed a YouTube video, YouTube sees when the video opens, without you getting a say in the matter. So after looking at different options, we decided to add a new consent screen on images and videos: if the act of viewing and exploring the image would cause data to be shared with another site, we let you know before you proceed. We store the consent for some time, so you don't have to keep clicking “Accept” every time you view the image.

11. Finally, we trained the sales, support and developer staff about GDPR.
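As an added illustration of item 2 above (example code written for this page, not ThingLink's own implementation, which the post does not publish), here is one way to pseudonymize a user identifier separately for each analytics service so that two services cannot join their records on it; the service names and keys are constructed for the example.

```python
import hashlib
import hmac

# Constructed per-service keys for this example only. A real deployment would
# load one independently generated secret per analytics service from a secret
# store and never reuse a key across services.
SERVICE_KEYS = {
    "analytics-a": bytes.fromhex("0f" * 32),
    "analytics-b": bytes.fromhex("a1" * 32),
}


def pseudonymize(user_id: str, service: str) -> str:
    """Pseudonym to send to `service` for an internal user id.

    HMAC-SHA256 keyed per service: stable within one service (so that
    service's own metrics still work), but a different value for every
    service, so two services pooling their data cannot match records
    that belong to the same person.
    """
    key = SERVICE_KEYS[service]
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def naive_pseudonymize(user_id: str, service: str) -> str:
    """The weak variant, shown for contrast: an unkeyed hash ignores the
    service, so the same value goes everywhere and becomes a join key."""
    return hashlib.sha256(user_id.encode("utf-8")).hexdigest()


def linkable_across_services(user_id: str, fn) -> bool:
    """True if `fn` hands both services the same pseudonym for this user."""
    return fn(user_id, "analytics-a") == fn(user_id, "analytics-b")


if __name__ == "__main__":
    uid = "user-1234"  # constructed internal identifier
    for name, fn in (("unkeyed", naive_pseudonymize), ("per-service", pseudonymize)):
        print(name, "linkable:", linkable_across_services(uid, fn))
```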

If you have any questions, please reach out to support@thinglink.com!

Topics: Policy, TOS