  1. #11
    Quote Originally Posted by ddavison View Post
    GDPR and CCPA do not apply to SmiteWorks
    GDPR does apply to "A company not based in the EU offers (a) products or services to EU citizens and residents...". Is FG not available to EU citizens and residents?
    Last edited by bmos; October 24th, 2022 at 13:14.

  2. #12
    ddavison
    Quote Originally Posted by bmos View Post
    GDPR does apply to "A company not based in the EU offers (a) products or services to EU citizens and residents...". Is FG not available to EU citizens and residents?
    It is government overreach. There is no enforcement of GDPR on US based companies who don't also have a physical presence in EU countries under the GDPR. Large US companies such as Twitter, Google, Apple, etc. will have to interact with GDPR, but small US based companies can ignore it. This can always change in the future, but IP address refers to a device (at best) and not to a person, and often not even to a device. Anyone who is concerned with using the same IP address over and over can and should employ a VPN to mask this.

    I personally think it is a stupid law written by people who don't understand the Internet and how it works. For instance, our relay server records and uses the Host's IP address to facilitate easy connections between players and GMs without requiring the host to configure port forwarding on their router. That would not work without the IP address. The FG Classic system did something similar with the alias system. VPNs themselves need to record the IP address. Server logs are full of IP addresses. Our Privacy policy clearly states that we use IP addresses. Every single company that has an online presence should also declare this and therefore would make that part of the GDPR completely useless. Any company that doesn't declare that they are recording IP addresses is almost guaranteed to be violating the GDPR unknowingly.

    *Edit*
    I want to add that I think GDPR is not all bad. In general, companies should retain only the minimal amount of information in order to properly service the customer.
    Last edited by ddavison; October 24th, 2022 at 15:16.

  3. #13
    Yeah, there's one's opinion of GDPR and there's what is required regardless of opinion. What you are describing is not a fully accurate representation of GDPR in relation to the information being collected.

    It is about _my right as a consumer/user of services to request my personal information be deleted upon my request_. It's the service's responsibility to comply with the laws. You're right, everyone collects IPs in some form or another in order to deliver the services you are describing. If you need to keep doing that, great. The problem is that if I request my information be deleted, it doesn't seem like FG can comply with this request with the way software and service requests are handled, nor is it handling it correctly because this PII (again whether you agree with IPs being PII is irrelevant, or whether those who included it understand the internet, it has already been designated as PII) is potentially posted in a public forum.

    If we were posting logs with diagnostic information that didn't have PII this becomes a non-issue. So maybe that is something that can be clarified - if the current log process includes things that under the law are considered PII (again, regardless of opinion, this is the law), what processes are in place to ensure that if I wanted to stop using FG and requested my personal info be deleted, that this would be completed in full compliance with GDPR? Because now that this has surfaced there are potentially users who have, or may continue to, post their logs here without realizing there is information they may not want to share. Yes, there are narrow scopes around when a company does NOT need to comply with this but again this is a narrower definition; GDPR/CCPA/COPPA is intentionally broad.

    SmiteWorks is incorporated in Florida. I don't understand the reasoning behind why CCPA/GDPR would not apply to it. I work for a global organization with corporate headquarters in a US state and I have worked on numerous projects surrounding GDPR compliance.

    This isn't meant to be a debate or argument over whether GDPR/COPPA/CCPA are relevant or useful. This is about a discovery I made that sensitive information is included in logs and there doesn't seem to be any transparency around what is included in those logs so that users can decide whether to post them in a public forum. And GDPR/CCPA mandate this. I have "a right to be forgotten". That means users have to have a clear transparent understanding of what is logged when using the service and how that information is handled when I choose to make it available.

    Again thank you for your input and attention on this.

    Others may find this useful.
    https://gdpr.eu/right-to-be-forgotten/
    Last edited by TeamRodriguez; October 25th, 2022 at 15:51.

  4. #14
    I think what Doug is saying is that an EU individual can certainly go to whatever body enforces the GDPR and that body can make a ruling to punish SmiteWorks but since SmiteWorks has no physical presence in the EU it would be impossible for that body to enforce any ruling.

    Edit:
    I imagine you could take that ruling and attempt to have it certified by a US court but that seems unlikely.


    Jason
    Last edited by jharp; October 25th, 2022 at 16:01.

  5. #15
    ddavison
    We occasionally have users who request that their information be deleted from our system. We let them know that they cannot use the software without this information, but if they choose, we can delete them entirely from our system. This only really happens if someone is leaving the platform fully. It's rare, but it happens and we assist the user in their request. If someone posts a log file to the public forums, they can delete that attachment or ask us to delete it for them. Any request for account deletion can be sent to support.fantasygrounds.com.

    GDPR cannot impose any requirements on our business based in Florida. We did not vote for anyone who wrote those laws, and they have no power whatsoever to enforce it upon us. The GDPR is silent upon any sort of enforcement for foreign businesses that do not have a presence in the EU. This is because they know they can't enforce it. This goes back to the very founding of the United States and it is not something that the GDPR will ever be able to accomplish unless they convince the US federal government to also adopt it. We follow any and all federal and state laws that we are required to, but we would join the lobby against such laws if they were proposed. It would have to be voted into US law and we would have a say on whether or not the law passed. Then, win or lose, we would be obligated to follow whatever was passed.

    COPPA is handled differently and any COPPA users have to submit a COPPA form before they are allowed to access our forums. They are kept in a different group called COPPA users as well.

  6. #16
    Quote Originally Posted by jharp View Post
    I think what Doug is saying is that an EU individual can certainly go to whatever body enforces the GDPR and that body can make a ruling to punish SmiteWorks but since SmiteWorks has no physical presence in the EU it would be impossible for that body to enforce any ruling.

    Edit:
    I imagine you could take that ruling and attempt to have it certified by a US court but that seems unlikely.


    Jason
    Thanks, I follow what you're saying.

  7. #17
    Quote Originally Posted by ddavison View Post
    We occasionally have users who request that their information be deleted from our system. We let them know that they cannot use the software without this information, but if they choose, we can delete them entirely from our system. This only really happens if someone is leaving the platform fully. It's rare, but it happens and we assist the user in their request. If someone posts a log file to the public forums, they can delete that attachment or ask us to delete it for them. Any request for account deletion can be sent to support.fantasygrounds.com.

    GDPR cannot impose any requirements on our business based in Florida. We did not vote for anyone who wrote those laws, and they have no power whatsoever to enforce it upon us. The GDPR is silent upon any sort of enforcement for foreign businesses that do not have a presence in the EU. This is because they know they can't enforce it. This goes back to the very founding of the United States and it is not something that the GDPR will ever be able to accomplish unless they convince the US federal government to also adopt it. We follow any and all federal and state laws that we are required to, but we would join the lobby against such laws if they were proposed. It would have to be voted into US law and we would have a say on whether or not the law passed. Then, win or lose, we would be obligated to follow whatever was passed.

    COPPA is handled differently and any COPPA users have to submit a COPPA form before they are allowed to access our forums. They are kept in a different group called COPPA users as well.
    Thank you for describing this process. Sounds like there is no formal FG presence in EU.
    Last edited by TeamRodriguez; October 25th, 2022 at 16:10.

  8. #18
    LordEntrails
    Quote Originally Posted by TeamRodriguez View Post
    Thank you for describing this process. Sounds like there is no formal FG presence in EU.
    This is the key part. Any company that does not have a presence in the EU cannot be held accountable to EU laws. It is the simple definition of sovereignty. Even "International Law" is only recognized by those countries that sign up to be held accountable to those various laws (like human rights, navigation of the seas, etc.) and in those cases are generally handled by the UN or other agency as agreed to by all parties who opt-in to be subject to the law. (Note, there are often such laws that are imposed by a majority upon small nations that do not agree to such, but that is a whole other issue of international politics and influence.)

    Think of it this way, if any nation could pass a law and hold entities (businesses or people) who reside outside that nation to those laws, then North Korea could pass a tax on EU citizens, or a small country could outlaw equal rights, or any other such preposterous idea.

    International companies (like yours and mine) often comply with various national laws (like GDPR) because either they want to do direct business with companies that do fall under those laws, or have a presence themselves in those countries and therefore are subject to penalties if they do not comply.

    Note, I am not a SmiteWorks employee or representative, I'm just a user like you.

  9. #19
    Quote Originally Posted by ddavison View Post
    GDPR cannot impose any requirements on our business based in Florida. We did not vote for anyone who wrote those laws, and they have no power whatsoever to enforce it upon us.
    Those laws are for protecting consumers and those consumers live and shop in the jurisdiction of the EU.
    If you want to do business with EU customers you should follow the consumer protection laws they have opted to enact. You don't have to do business abroad if you don't feel like complying.

    /s

  10. #20
    ddavison
    Quote Originally Posted by bmos View Post
    Those laws are for protecting consumers and those consumers live and shop in the jurisdiction of the EU.
    If you want to do business with EU customers you should follow the consumer protection laws they have opted to enact. You don't have to do business abroad if you don't feel like complying.

    /s
    That is not how that works. Again, our Privacy Policy is clearly stated and publicly available. Customers can read this and determine whether or not that works for them. I'm locking the thread though because the original post has been addressed.
