In May 2018 the General Data Protection Regulation (GDPR) was implemented, and it applies to all websites that collect data of EU residents. Part of being compliant is being aware of every network request performed on your website that transfers Personally Identifiable Information (PII) to third parties, and making sure those requests are triggered only after a visitor has given their consent.
You browse the web and click on the Ryte Product Insights page to open this article. As easy as that sounds, in that moment you performed a network request and sent Personally Identifiable Information (PII) to the Ryte servers. Well, not you, but your browser.
But let’s take a closer look at what exactly happened.
When you access a website, the browser performs a network request and, in doing so, transmits your IP address to the website’s server. The server responds with the website’s content (also known as HTML) and typically instructs your browser to load additional resources such as JavaScript files, images, videos, fonts or third-party widgets (like a badge displaying reviews). If these resources are loaded from third parties (servers other than your own), you might run into potential GDPR issues:
Since a ruling of the European Court of Justice (19.10.2016, AZ: C-582/14), an IP address has been considered Personally Identifiable Information (PII), which according to GDPR legislation may only be processed, and transferred to third parties, with the explicit consent of the user.
Network requests still sound very theoretical. Let’s look at an explicit example:
In January 2022 a regional court in Germany indicted a website owner for breaching GDPR regulations. The website owner used Google Fonts on their website and was sued for transferring users' personal data (IP addresses) to Google servers without the users' consent. As a result, the court ordered injunctive relief and damages in the amount of €100 (Source: GDPRhub.eu).
Sounds scary? You might now wonder how you can improve your compliance.
Review at a glance the network requests from all pages of your website (including subdomains) that transfer Personally Identifiable Information (PII) to third parties without users' consent.
Since our crawler never gives consent to any form of PII processing, every network request it detects that points to a server other than your own server(s) is a potential(!) violation of Art. 6 GDPR, unless the request is covered by the ‘legitimate interest’ of the processor, for example because it is technically necessary to provide the services of the website as such.
However, our crawler can’t detect whether a network request is technically necessary or not. By displaying all detected network requests in one comprehensive report, we make it easier to screen them for legitimate interest: once those requests are filtered out, the semi-manual screening by legal experts can be done more easily and more efficiently.
Network requests happen all the time when we browse the web. With the new Ryte Network Requests report you become aware of potential GDPR violations before they cost you money, and you provide your website visitors with a safe experience.
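The screening described above, sketched as an added example (not Ryte's crawler or report code): given requests captured in a session that never gave consent, it groups every request leaving your own domains by third-party host and marks hosts a reviewer has already accepted as technically necessary. The domains, URLs and function names are constructed assumptions.

```javascript
// Constructed sample: {page, url} pairs recorded by a consent-less crawl.
const SAMPLE_REQUESTS = [
  { page: "https://www.example.com/", url: "https://www.example.com/css/site.css" },
  { page: "https://www.example.com/", url: "https://fonts.googleapis.com/css?family=Roboto" },
  { page: "https://www.example.com/", url: "https://cdn.example.com/js/app.js" },
  { page: "https://www.example.com/", url: "https://otherexample.com/pixel.gif" },
  { page: "https://shop.example.com/cart", url: "https://fonts.googleapis.com/css?family=Roboto" },
  { page: "https://shop.example.com/cart", url: "https://fonts.gstatic.com/s/roboto/a.woff2" },
  { page: "https://shop.example.com/cart", url: "https://pay.example.net/widget.js" },
  { page: "https://shop.example.com/cart", url: "data:image/png;base64,AAAA" },
];

// True when host is one of your domains or a subdomain of it.
// The "." prefix matters: "otherexample.com" must not match "example.com".
function isOwnHost(host, ownDomains) {
  return ownDomains.some((d) => host === d || host.endsWith("." + d));
}

// Returns one entry per third-party host, sorted by host name.
// reviewedNecessary: hosts a legal review already classed as technically necessary.
function thirdPartyReport(requests, ownDomains, reviewedNecessary = []) {
  const byHost = new Map();
  for (const { page, url } of requests) {
    let parsed;
    try { parsed = new URL(url); } catch { continue; } // skip unparsable entries
    // data:, blob: and similar URLs never leave the browser, so no IP is sent.
    if (!/^(https?|wss?):$/.test(parsed.protocol)) continue;
    const host = parsed.hostname;
    if (isOwnHost(host, ownDomains)) continue;
    const entry = byHost.get(host) || { requests: 0, pages: new Set() };
    entry.requests += 1;
    entry.pages.add(page);
    byHost.set(host, entry);
  }
  return [...byHost.entries()]
    .map(([host, e]) => ({
      host,
      requests: e.requests,
      pages: [...e.pages].sort(),
      needsReview: !reviewedNecessary.includes(host), // candidate, not a verdict
    }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

console.log(thirdPartyReport(SAMPLE_REQUESTS, ["example.com"], ["pay.example.net"]));
```

Whether a flagged host is an actual violation remains a legal judgement; the output only narrows down what has to be reviewed.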
Published on Nov 2, 2022 by Stefanie Kirschner