Description
Currently, the website can't be kept online because it violates certain different laws in Germany, where I (as the domain/hosting owner) reside. Thus, the site needs to be in compliance with German and EU legislation, which requires a good amount of consideration.
Unless the following issues are fixed, I'll keep the website offline, returning a 403 error. The file responsible for this is owned by root, and can only be removed by me. Deployment should still work though, but the page isn't accessible. If someone needs access for testing, I can add IP-based temporary exceptions.
Currently, the site has the following issues:
- There is no imprint. Germany has very strict rules (link is German only!) for imprints.
- The privacy terms are missing. The EU GDPR policies apply.
- The video on the home page has an audio track, which is most probably not licensed for online use.
Imprint
The imprint has to list the following information:
- The name of the person or legal entity responsible for the website's contents.
- The postal address of the above person to which any mail (legal documents, requests etc.) can be sent.
- At least one "electronic" way of contacting the above entity, e.g. e-mail, phone or fax.
For commercial websites, additional information regarding tax office registration, court location etc. (doesn't apply in our case).
Privacy Statement
Important: This should not be confused with user consent - if there's anything which requires user consent, e.g. setting persistent cookies, this must be handled separately.
A valid privacy statement must include at least the following information:
- The name and contact data (postal and electronic) of the person responsible for data protection. If this person/company hosting the website is not an EU resident, a person or legal entity residing in the EU must be named instead.
- Which data is collected or asked for by the website, where and for how long it is stored, and whom it is transferred to. This includes:
  - Webserver log file data as well, if IP addresses are logged.
  - Cookies.
  - Any personal data collected in addition to the normal usage data.
- If any of the above data is sent to third parties for processing/storage, these must be named and a reason given why this is necessary.
- If the website loads content from other domains, e.g. Google fonts and other stuff, this must also be listed. Important: If these third-party sites set cookies or store/log access data, the user must be asked to consent to this before any request is made! Listing it in the privacy statement is not enough. This is specifically required for any Google services or social media embeds.
Depending on the website contents, additional information might be required. There are GDPR privacy statement generators available, which ask all the details and then generate a template privacy statement which can be used with some additional editing.
GDPR Best Practices
In general, the best way to reduce collected data and keep the privacy statement short is by following these rules:
- Only use local content, i.e. from the same server the website is running on (includes subdomains).
- Do not use cookies or other client-side storage if not absolutely necessary.
- If cookies are required, try to only use session cookies. Otherwise reduce the storage duration to a minimum (e.g. a month) and update the cookie if the user revisits the site within that period.
- Do not include scripts, fonts, images or other resources from external domains, e.g. Google fonts, JS etc. and don't call any third-party APIs from the browser unless strictly necessary for functionality.
- Do not use social media embeds (i.e. iframes or scripts). Links to social media sites are fine though, as the user can decide not to click on those.
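As an added illustration of these rules (example code, not part of the project), a small static check that lists every resource a page would load from a host other than the site's own host or its subdomains. The sample HTML and the hosts in it are constructed.

```python
"""List third-party resource loads in an HTML document (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that cause the browser to issue a request when rendering.
LOAD_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}

class ExternalResourceFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []  # (tag, attribute, url) for every foreign load

    def _is_local(self, url):
        # Relative URLs (and data: URLs) have no host and stay on the origin.
        host = urlsplit(url, scheme="https").hostname
        if host is None:
            return True
        host = host.lower()
        # Subdomains of the site host count as local, as stated in the rules.
        return host == self.site_host or host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOAD_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates.
            urls = [c.split()[0] for c in value.split(",")] if name == "srcset" else [value]
            self.external.extend((tag, name, u) for u in urls if not self._is_local(u))

def find_external_resources(html, site_host):
    finder = ExternalResourceFinder(site_host)
    finder.feed(html)
    return finder.external

def external_hosts(html, site_host):
    """Distinct foreign hosts, i.e. what would need consent and a privacy-statement entry."""
    return sorted({urlsplit(u, scheme="https").hostname for _, _, u in find_external_resources(html, site_host)})

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://cdn.example.com/vendor.js"></script>
<script src="//cdn.example.org/app.js"></script>
</head><body>
<img src="/img/logo.png">
<iframe src="https://social.example.net/embed/PLACEHOLDER"></iframe>
<video src="/media/demo.mp4" poster="/media/poster.jpg"></video>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_external_resources(SAMPLE_HTML, "example.com"):
        print(f"<{tag} {attr}> loads from third party: {url}")
```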
Demo Video
The current demo video contains a (potentially) copyright-protected audio track. This can lead to costly takedown notices, infringement/licensing fees etc. if the responsible copyright holder finds the content, e.g. via web crawling.
In addition to the copyright issue, Germany has yet another "institution" called "GEMA", which collects fees for publicly performing artistic work like music. This company can actually make a guess that the music in the video is probably part of their portfolio, and then require the website author to pay twice the usual licensing fee - if the website owner cannot prove that this audio track is actually not part of their portfolio, which is almost impossible except for musicians who explicitly provide IDs for their tracks which GEMA can then check against their database.
Thus, if the video should contain music, this has to be carefully selected with the following requirements:
- The music itself is not commercially licensed by a label or company, and the author explicitly allows the audio to be used royalty-free on websites. CC licenses except those with "-ND" are fine.
- The music must not be part of the GEMA catalog. This can be checked in advance, as GEMA is required to check this on request. This check should be done regularly, as sometimes musicians change their label, and the new label may automatically register the tracks with GEMA, at which point license fees would be due.
Ideally, the audio track has an associated ISRC number, which can be passed on to GEMA. Many tracks made by Kevin MacLeod are licensed under CC-BY and are not in the GEMA catalog.