• Resolved Matthias Kittsteiner

    (@kittmedia)


    Hi there!

    By default, the user avatar is loaded from the servers of Google and there is no option to disable it entirely. It is highly problematic in the EU to load data from non-EU servers without explicit consent of the user.

    Best regards,
    Matthias

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Daniel K.

    (@richplugins)

    Hi @kittmedia,

    Sorry, I don’t quite understand why Google avatars are highly problematic in the EU; please explain what you mean.

    The plugin is not collecting/sharing any new data from the user here and it’s simply showing existing public data (user photos) from Google.

    This has nothing to do with the GDPR because the user has already accepted Google consent when they leave a review and they don’t mind showing their photo and profile name as public data.

    Thanks!

    Thread Starter Matthias Kittsteiner

    (@kittmedia)

    Any external source receives at least the IP address of the visitor, which is personal data according to the GDPR. Thus, you need the explicit consent to load the data beforehand and furthermore need to update your privacy policy to match this data transfer.

    Since these avatars are far beyond necessary, it just doesn’t make sense to take this effort by implementing additional parts to the privacy policy as well as getting the explicit consent of the user.

    So it’s not targeting the user that left a review but all visitors of your website. I hope this made it more clear.

    Thread Starter Matthias Kittsteiner

    (@kittmedia)

    Any news on this?

    Plugin Author Daniel K.

    (@richplugins)

    Hi @kittmedia,

    At the moment we don’t have any solutions here, but I’m not quite sure that it’s needed at all.

    I doubt that the IP address, which is passed with every request to your website and any other third-party site (from your website page), for instance, a photo of the author of a Google review, is personal information, since the IP address is impersonal without reference to a specific user (name), and this is exactly how (as impersonal) it is passed to Google when loading a photo.

    I find confirmation of my words immediately when I try to find the answer to this question in Google with the search request “GDPR is ip address personal data”:

    https://news.ycombinator.com/item?id=22241363

    > GDPR treats an IP address as personal data.
    No it doesn't. GDPR only treats IP address as personal data if it is associated with actual identifying information (like name or address).

    https://cms.law/en/bgr/publication/does-the-ip-address-represent-personal-data

    The IP address should be considered as personal data only when it could identify a particular person in each specific case.

    Please let me know if you have any thoughts on this.

    Thanks!

    Thread Starter Matthias Kittsteiner

    (@kittmedia)

    Did you also read the answer below your quote in the first link?

    > An IP address is itself personal data, it does not have to be associated with other personal data.

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

    ^- This is also the most valid source since it comes directly from the official website of the European Union.

    Plugin Author Daniel K.

    (@richplugins)

    Hi @kittmedia,

    The transfer of only IP addresses for requesting images from third-party websites (like Google) can also be interpreted as a need for the provision of services for the correct operation of the site, and in this case this is also not personal data. You can see it in the same second answer:

    See my comment about consent not being required when the data is needed to provide a service. Logging is reasonably required to provide a service.

    Thanks!

    Thread Starter Matthias Kittsteiner

    (@kittmedia)

    It simply is not required since you can always serve images locally. If there is a better alternative in a privacy-related way, it has to be used. This is “privacy by design”, which is also part of the GDPR.

    There already are identical disputes about Google Fonts, see here for more information:
    https://wptavern.com/german-court-fines-website-owner-for-violating-the-gdpr-by-using-google-hosted-fonts


The topic ‘Default image is loaded from Google’ is closed to new replies.