I’ve been digging into the details behind various countries’ and states’ privacy laws, trying to figure out how to comply with them all, and wowee is it complicated.
Fortunately I’ve been fairly privacy focused with Shmeppy from the get-go, so I don’t have too complicated of a situation. For example: I don’t have Google Analytics or federated login, and the only third parties with access to any user data are Mailgun (the service Shmeppy uses to send emails), Digital Ocean (the service that provides the computers that Shmeppy runs on), and Backblaze (an archival service that stores Shmeppy’s backups).
But even with my relatively simple situation, it’s taken me all day to figure out whether it’s even feasible for me to comply with them all. But I think I can do it.
I wanted to share some of these changes I’m planning on making with ya’ll cause it seems interesting:
- Any data necessary for generating statistics (like number of users hosting games over time) will be stored in a completely anonymized form (I may even make this information public for ya’ll).
- Logs and any other personal information will only ever be used for debugging, maintenance, health monitoring… Activities necessary for keeping Shmeppy up and running for ya’ll. Though I think I’ll generate the anonymous data mentioned above from info in the logs where possible, to avoid duplicating collection efforts (I’m not totally sure this is OK to do, and might muddy the “necessary for site function” basis of my logs in general, but I think it’s likely OK).
- All logs and database backups will be irrecoverably deleted once they’re 3 months old.
- Users’ accounts without activity for a long time (probably 6 months? 12?) will trigger an automatic deletion process (users will be warned via email and have a month to stop the process).
If anyone’s an expert on international privacy laws… please feel free to weigh in.
This’ll take me a while to complete (god, it took me a while just to plan out) and is the least important item on the Updated long-term roadmap. So I’m not quite sure exactly how I’ll schedule time for this, but stay tuned for some privacy-centric Shmeppy updates.