DragonPrime - LoGD Resource Community
Author Topic: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd  (Read 6932 times)

TGTarheel
« Reply #45 on: May 31, 2018, 04:51:23 PM »

@tgtarheel :what is your page again ?

The live site can be found at www.kalisiin.com

I am currently developing a new site, which runs the 1.1.2 server, that one will be called Rise of the Kujitai, and is set some 600 years in the future of the current realm...and it is a time of civil war...a civil war of not two, but THREE different factions.  The other site is nearly ready for live BETA testing.

pharis
« Reply #46 on: June 01, 2018, 04:49:01 AM »

As far as I can see, you have two cookies set:

   -   PHPSESSION   -> obvious reasons
   -   lgi       -> don't know what this one does (maybe someone can help here)

You should declare the use of those two cookies (what they do and why they are needed for the game to work).
Basically the one for the PHPSESSION is needed for state (so that the user keeps his information when he switches pages),
and the other called "lgi" is unknown to me, not sure what that one does... you should check this out, if it is needed at all.

Add a bottom bar (or top) where you warn anyone that the page uses those two specific cookies (there are plugins for that and they are free). This is annoying, but should be present at least on the front page.

Create a page in the SAME domain that states what you do with the entered data from your users in general (basically a PRIVACY POLICY).

When the user LOGS in, you should have a notice (a small one) that states that by logging in he/she agrees to the PRIVACY POLICY, and you should add a link to that page too. Try to do this in a non-intrusive but clearly noticeable way. Do not use popups as they are often blocked, maybe in MOTD or above it.

When a user SIGNS UP, add 2 check boxes that MUST be checked before the account can be created. One stating that the user accepts the terms of service and the other, more important, that he accepts the PRIVACY POLICY. Add a link to the privacy policy on the same page.

When a user is created, add a DB field to the user account with a timestamp so that you can provide the registration time when asked for it (in case you should have to do it).

Avoid putting extra conditions and terms on single pages; it's better to have it on a dedicated page where the user is redirected to if he wishes so, and this helps keep things organized.
Remember to somehow keep a button or a link at the bottom with direct access to that page at all times.


Doing so should put you on the safe side.

As far as the contents of the privacy policy go, besides having the usual stuff that you can get from anywhere on the web, you should at least put in what you do with inactive accounts, the time you take to delete data if a user wishes to resign and the consequences of doing so (i.e. the user account will be unrecoverable if the user really wishes to delete it).


You see... even for a page that is very conservative and with almost no connections to data collection services like yours, it still is a pain in the ass (literally) to make it something like compliant with GDPR. But hey, once you have it, it's done.



« Last Edit: June 01, 2018, 04:51:16 AM by pharis »
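
The sign-up step described in the post above (both boxes required, consent time stored with the account), as an added example that is not part of the original post or of LoGD. The table, column and form-field names and the `POLICY_VERSION` label are assumptions, and the demo runs against an in-memory SQLite database through PDO.

```php
<?php
// Constructed demo: table, column and form-field names are assumptions.
const POLICY_VERSION = '2018-05-25'; // hypothetical label for the policy text shown

// Return a list of problems; an empty list means the account may be created.
function signup_errors(array $post): array {
    $errors = [];
    // An unchecked checkbox is absent from the POST body, so require the
    // expected value server-side instead of trusting the form markup.
    // The checkboxes are assumed to be sent with value="1".
    $required = ['accept_tos' => 'terms of service',
                 'accept_privacy' => 'privacy policy'];
    foreach ($required as $field => $label) {
        if (($post[$field] ?? '') !== '1') {
            $errors[] = "You must accept the $label to create an account.";
        }
    }
    $login = is_string($post['login'] ?? null) ? trim($post['login']) : '';
    if ($login === '') {
        $errors[] = 'A login name is required.';
    }
    return $errors;
}

function create_account(PDO $db, array $post): array {
    $errors = signup_errors($post);
    if ($errors) {
        return ['ok' => false, 'errors' => $errors]; // nothing is written
    }
    $now = gmdate('Y-m-d H:i:s'); // UTC, stored once for both columns
    $stmt = $db->prepare(
        'INSERT INTO accounts (login, regdate, consent_at, policy_version)
         VALUES (:login, :regdate, :consent_at, :version)');
    $stmt->execute([':login' => trim($post['login']), ':regdate' => $now,
                    ':consent_at' => $now, ':version' => POLICY_VERSION]);
    return ['ok' => true, 'acctid' => (int)$db->lastInsertId()];
}

// Demo on an in-memory database with constructed form submissions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (acctid INTEGER PRIMARY KEY, login TEXT,
    regdate TEXT, consent_at TEXT, policy_version TEXT)');

// Privacy box left unchecked: rejected, no row written.
print_r(create_account($db, ['login' => 'alice', 'accept_tos' => '1']));
// Both boxes checked: account row stored with its consent timestamp.
print_r(create_account($db, ['login' => 'alice', 'accept_tos' => '1',
                             'accept_privacy' => '1']));
print_r($db->query('SELECT * FROM accounts')->fetchAll(PDO::FETCH_ASSOC));
```
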
TGTarheel
« Reply #47 on: June 01, 2018, 09:48:09 AM »

Appreciate the guidance.  Now...can I get that in a checklist format so I can check off each thing as I do it...and of course I then have to figure out how.

Should not be terribly hard to create the privacy policy since we really do use a minimum of cookies and, as far as I know, only for legitimate game purposes, the game literally would not be playable without them.

I think the hardest thing is the two check boxes...how to make it not create an account if the boxes are not checked...I make them, currently, agree to the policy at character creation, and that creates a timestamp of its own

pharis
« Reply #48 on: June 01, 2018, 10:26:51 AM »

You can treat every paragraph as a checklist point :)

TGTarheel
« Reply #49 on: June 01, 2018, 12:35:11 PM »

Anyone know what that cookie pharis mentioned is or what it does or if it is needed?

This stuff is seriously stupid...I mean, what we have to go thru for a GAME that most of us who run them, end up running them at a cost out of our pocket, not making a profit or even covering our costs.

But the law is the law.

You know that the law is intended for the big offenders, but you ALSO know they will find someone little to make an example of.  So best to have your ash titanium-plated.

TBH, they wrote this law horribly.  First, I do not see why I, as an American, should be subject to EU law, anyway.
Second, I work all day with what we call PHI in my biz.  This is Protected Health Information.  And I can tell you the laws in that area...are less strict than this is.  And all I have to do is show that I am making a reasonable effort.  What you have to go through with THIS law is beyond reason...for people operating at OUR level.

Almost easier to just not accept players from the EU, huh?  Except that the pool of players on this game is so limited, you can't afford to not take anyone who wants to play, so long as they follow the rules.
« Last Edit: June 01, 2018, 12:41:25 PM by TGTarheel »

Aeolus
« Reply #50 on: June 01, 2018, 06:50:03 PM »

Here isn't the place to complain about something we at DP can't change. Take it elsewhere.

TGTarheel
« Reply #51 on: June 01, 2018, 08:43:58 PM »

I know, LOL.

But do appreciate the guidance been getting here.  Do you have any idea what that cookie pharis mentioned is and what it does and if it is needed...and if not, how to remove it?

Nightborn
« Reply #52 on: June 03, 2018, 01:46:05 PM »

Just a few things in the posts I picked up and wanted to give my 2 cents:

 -> the cookie in lotgd (the lgi) stores i.e. the unique cookie ID which identifies PCs (last accessed) --> that *needs* to be in your data privacy statement, it is a tracker
     it also has the template, i.e. the user selected, stored, but that's rather uninteresting (no personal data)
 -> as soon as you store personal data, you need either a deletion date or a consent for the being-stored. If somebody deletes himself and can choose what he wants (also a statement how he can later request deletion) that is fine. But what about expired chars? There is no consent really... which is the major problem that forced me to hash the emails.
  -> The "creationaddon" is a really nice thing to put up. You should use it. (maybe expand to make all users agree as I did)

From what I have seen currently, not much is enforced - so it's a bit of a breather.

@the argument "I'm outside the EU, why should it apply" --> "do you deny EU citizens your service? if not, you have to protect their data according to GDPR"
it's that simple. A EU citizen could go to court if you don't. "could" being the word.

pharis
« Reply #53 on: June 04, 2018, 07:23:34 AM »

I agree. Most likely, nothing will happen. But that "could" scenario can just be someone being a stupid person making your life difficult. As with most laws of this kind, it will serve ppl who are in the suing business and want to hinder rivals. Or just maybe a random dude that just does not like you. And that is the tragic part of this. And it already started between businesses over here, mostly rivals. Probably the whole thing will settle down, but it's hot waters right now.

TGTarheel
« Reply #54 on: June 04, 2018, 09:31:43 PM »

What is the "creationaddon"??  Where can I get it?

I just want to comply with this the best I can with as little extra effort and BS as possible.

TGTarheel
« Reply #55 on: June 04, 2018, 10:03:41 PM »

As an aside....
If we can have a module that is a character restorer...could we not have one that was a total character destroyer?  That it would literally remove any line from the database attached to the specific acctid or something??

I am just curious.

Like I said, looking for a way to deal with this with as little extra NBS as possible...because as you all correctly point out above, this law will never be used to protect anyone...just for some people to try to hurt other people.

pharis
« Reply #56 on: June 05, 2018, 11:03:11 AM »

In a broad sense it will help all users to better control their data, but that will take some time. For now, I guess no one really knows what is going on.

TGTarheel
« Reply #57 on: June 05, 2018, 08:44:49 PM »

Just throwing ideas out there.  I know you can remove lines of data from a table with php coding within a module of LOTGD...even if you just zero out the data, right?

So why not something like that?

I propose to start from something I have on my server, attached to Circulum Vitae, called Dwellings Destroyer...and it destroys all the dwellings of one going thru Circulum.  Why could that not be expanded upon to destroy all data from a player who so wishes to have their data destroyed??  That is what I am saying.

If anyone wants to see the file, let me know, I do not know that one is available here on DP.

Just checked.  That file is not here on DP...at least not in the downloads section.  There's a coffers emptier...but mine is a dwellings destroyer that destroys the dwellings entirely.

Seems to me that function could be expanded on and serve as a complete character deleter.

Here is the basic meat of that code
Code:
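// Empty, then delete, every dwelling owned by the current account.
$dw = db_prefix("dwellings");
// Cast to int so only a number can ever reach the SQL string.
$acctid = (int)$session['user']['acctid'];
$sql = "UPDATE $dw SET gold = 0, gems = 0 WHERE ownerid = $acctid";
db_query($sql);
$sql = "DELETE FROM $dw WHERE ownerid = $acctid";
db_query($sql);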

Of course, you would need to do this code string over and over again for every table you have in your database....right??

This one just wipes out the character's dwellings...of course along with any gold, gems or commentary that was there.

You'd need to know each table...and you'd need to know which column to focus on, so it would take a little work, but would this not do the trick for GDPR compliance?

Just as an example, in the commentary table, you'd key on the column "author" matching the $session['user']['acctid']

« Last Edit: June 05, 2018, 08:57:36 PM by TGTarheel »

Nightborn
« Reply #58 on: June 06, 2018, 11:15:18 AM »

CreationAddon: http://www.orpgs.com/downloads
But it seems that's offline =/
I added my copy, but it's modified, I commented some stuff out I didn't need.

@removal of data / deletion
you *only* need to delete personal data. any items, achievements... no worries.
but email, name, cookie id, ip ... that's personal and can be requested to be deleted.

You can keep dwellings etc too...
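
One way to erase only the personal fields named in the post above while keeping dwellings and other game data, as an added example that is not part of the original post or of LoGD. The schema is constructed for the demo and its table and column names are assumptions; it uses PDO prepared statements on an in-memory SQLite database instead of LoGD's `db_query()`.

```php
<?php
// Constructed demo schema: these table and column names are assumptions,
// not the real LoGD schema. Map them to your own tables before use.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE accounts (acctid INTEGER PRIMARY KEY, login TEXT,
        name TEXT, emailaddress TEXT, lastip TEXT, uniqueid TEXT, gold INTEGER)");
    $db->exec("CREATE TABLE commentary (commentid INTEGER PRIMARY KEY,
        author INTEGER, comment TEXT)");
    $db->exec("CREATE TABLE dwellings (dwid INTEGER PRIMARY KEY,
        ownerid INTEGER, gold INTEGER)");
    // Constructed sample rows for one account.
    $db->exec("INSERT INTO accounts VALUES (7, 'alice', 'Alice the Bold',
        'alice@example.test', '203.0.113.9', 'c00k1e', 500)");
    $db->exec("INSERT INTO commentary VALUES (1, 7, 'hello village')");
    $db->exec("INSERT INTO dwellings VALUES (1, 7, 120)");
    return $db;
}

// Personal fields to blank in the account row; gameplay columns stay as-is.
const PERSONAL_COLUMNS = ['name', 'emailaddress', 'lastip', 'uniqueid'];

function erase_personal_data(PDO $db, int $acctid): bool {
    $db->beginTransaction();
    try {
        // Column names come from the fixed list above, never from user
        // input; the account id is the only bound parameter from outside.
        $set = implode(', ', array_map(fn($c) => "$c = ''", PERSONAL_COLUMNS));
        $stmt = $db->prepare(
            "UPDATE accounts SET $set, login = :placeholder WHERE acctid = :id");
        $stmt->execute([':placeholder' => "deleted-$acctid", ':id' => $acctid]);
        if ($stmt->rowCount() !== 1) { // unknown account: change nothing
            $db->rollBack();
            return false;
        }
        // Assumption: the operator also removes the account's commentary
        // rows, keyed on "author" as suggested earlier in the thread.
        $db->prepare("DELETE FROM commentary WHERE author = :id")
           ->execute([':id' => $acctid]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack(); // all-or-nothing: no half-erased account
        throw $e;
    }
}

$db = demo_db();
var_dump(erase_personal_data($db, 7));  // constructed account: erased
var_dump(erase_personal_data($db, 99)); // no such account: nothing changed
print_r($db->query("SELECT * FROM accounts")->fetchAll(PDO::FETCH_ASSOC));
print_r($db->query("SELECT COUNT(*) AS kept FROM dwellings")->fetch(PDO::FETCH_ASSOC));
```
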
TGTarheel
« Reply #59 on: June 06, 2018, 11:17:31 AM »

Thanks, let me check this out.

OK, skimmed it.  I see where you must put in your own privacy statement and so on...it would seem to take care of the front end of the GDPR.  Now how about the back end...as far as data deletion on request?

Would a mod of my Dwellings Destroyer do the trick here??  Just delete what must be deleted...from the database, on request??

By the way, nice work, Nightborn!  Many thanks.
« Last Edit: June 06, 2018, 11:22:46 AM by TGTarheel »