GDPR (General Data Protection Regulation) & ePrivacy Compliance Report
Overview
This report evaluates the current tracking, analytics, and marketing campaign features of the platform against the requirements of the GDPR and ePrivacy Directive.
With the recent additions of detailed analytics, session tracking, and individual email tracking, the platform collects, processes, and stores Personally Identifiable Information (PII), which the GDPR treats as personal data.
1. Analytics & Web Tracking (Cookies & PII)
Current State:
- The `analyticsMiddleware` generates and assigns a `SESSION_COOKIE` (`pm_sid`) to track website visitors across sessions.
- IP addresses are anonymized before being written to `analytics.jsonl`: the last octet is zeroed for IPv4 (e.g. `203.0.113.47` → `203.0.113.0`) and the last 5 groups are zeroed for IPv6. Full IPs are still used transiently for geo-resolution (BigDataCloud API) and cached in `cache/geoip.json` for operational purposes. Note that this cache persists full IP addresses on disk, so it should be covered by the same retention rules as the analytics log.
- `userEmail` and `userName` are not logged. Only `userId` is persisted for correlation.
- User Agents, Referers, Language, and inferred Geographic locations are logged.
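The anonymization rule above (last IPv4 octet zeroed, last five IPv6 groups zeroed) is easy to get subtly wrong for compressed IPv6 notation and for the `::ffff:a.b.c.d` form that Node reports for IPv4 clients on dual-stack sockets. The following is an added, stand-alone TypeScript example of that rule; it is not the project's `analyticsMiddleware`, and the function names are illustrative. Unparsable input returns `null` so that a caller logs nothing rather than a raw address.

```typescript
// Added example (not the project's analyticsMiddleware): the anonymisation
// rule as a stand-alone, testable function.
// IPv4: zero the last octet (203.0.113.47 -> 203.0.113.0).
// IPv6: zero the last 5 of 8 groups, leaving the /48 prefix.
// IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as IPv4 so the geo lookup and
// the log see the same form. Anything unparsable returns null.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const IPV4_MAPPED_RE = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i;
const HEXTET_RE = /^[0-9a-f]{1,4}$/i;

function anonymizeIPv4(ip: string): string | null {
  const m = IPV4_RE.exec(ip);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  if (octets.some((o) => o > 255)) return null;   // 999.1.1.1 is not an address
  octets[3] = 0;
  return octets.join(".");
}

// Expand "::" shorthand into exactly eight hextets (lower-case, no leading zeros).
function expandIPv6(ip: string): string[] | null {
  const halves = ip.split("::");
  if (halves.length > 2) return null;                       // more than one "::" is invalid
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const tail = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 && missing !== 0) return null;    // uncompressed form needs 8 groups
  if (halves.length === 2 && missing < 1) return null;      // "::" must stand for >= 1 group
  const zeros = halves.length === 2 ? Array<string>(missing).fill("0") : [];
  const groups = [...head, ...zeros, ...tail];
  if (!groups.every((g) => HEXTET_RE.test(g))) return null;
  return groups.map((g) => g.toLowerCase().replace(/^0+(?=.)/, ""));
}

function anonymizeIP(ip: string): string | null {
  const mapped = IPV4_MAPPED_RE.exec(ip);
  if (mapped) return anonymizeIPv4(mapped[1]);
  if (ip.includes(":")) {
    const groups = expandIPv6(ip);
    if (!groups) return null;
    for (let i = 3; i < 8; i++) groups[i] = "0";           // keep the /48, zero the rest
    return groups.join(":");
  }
  return anonymizeIPv4(ip);
}
```

Call `anonymizeIP(req.socket.remoteAddress)` (or the trusted `X-Forwarded-For` value behind a proxy) and write only the result to the log; the full address should live no longer than the geo lookup that needs it.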
Remaining Deficiency:
- Cookie Consent: The ePrivacy Directive requires explicit, opt-in consent before setting any non-essential cookies (including analytics and session tracking IDs). Currently, the `pm_sid` cookie is placed automatically on all routes not in the ignore list.
Recommendation:
- Consent Banner: Implement a Cookie Consent UI. Only set the `SESSION_COOKIE` and execute the tracking portion of the middleware if the user has explicitly accepted. The visitor's choice itself may be stored in a cookie without consent, since a cookie that only records the consent decision is strictly necessary; a `pm_sid` already present on a browser that has not accepted should be expired rather than reused.
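The gate described in the recommendation, as an added TypeScript example that is not the project's middleware. It assumes (illustratively) that the banner stores the visitor's choice in a cookie named `pm_consent` with value `accepted` or `rejected`, and that the ignore list is a set of path prefixes; the decision is separated from the Express request/response objects so it can be unit-tested, and the session-ID generator is injected for the same reason.

```typescript
// Added example, not the project's middleware: consent gate for the pm_sid
// session cookie. Assumed (illustrative) consent cookie: `pm_consent`, written
// by the banner with value "accepted" or "rejected". Only the literal
// "accepted" counts; a missing, "rejected" or tampered value means no tracking.

const SESSION_COOKIE = "pm_sid";
const CONSENT_COOKIE = "pm_consent";
const IGNORED_PREFIXES = ["/health", "/static/", "/unsubscribe"]; // illustrative ignore list

interface TrackingRequest {
  path: string;
  headers: { cookie?: string };
}

interface TrackingDecision {
  track: boolean;              // run the analytics part of the middleware?
  setSessionCookie: boolean;   // emit Set-Cookie: pm_sid=...?
  clearSessionCookie: boolean; // expire a pm_sid that exists without consent
  sessionId?: string;
  reason: string;
}

// Minimal Cookie-header parser: the first "=" splits name from value and the
// first occurrence of a name wins (browsers send the most specific cookie first).
function parseCookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (name === "" || out.has(name)) continue;
    try { out.set(name, decodeURIComponent(raw)); } catch { out.set(name, raw); }
  }
  return out;
}

function decideTracking(req: TrackingRequest, newSessionId: () => string): TrackingDecision {
  const none = (reason: string, clear = false): TrackingDecision =>
    ({ track: false, setSessionCookie: false, clearSessionCookie: clear, reason });

  if (IGNORED_PREFIXES.some((p) => req.path.startsWith(p))) return none("ignored route");

  const cookies = parseCookies(req.headers.cookie);
  const existing = cookies.get(SESSION_COOKIE);
  if (cookies.get(CONSENT_COOKIE) !== "accepted") {
    // No opt-in: never set pm_sid, and expire one left over from before the banner.
    return none("no consent", existing !== undefined);
  }
  if (existing) {
    return { track: true, setSessionCookie: false, clearSessionCookie: false,
             sessionId: existing, reason: "consented, existing session" };
  }
  // In real middleware generate the id with crypto.randomBytes or randomUUID;
  // it is injected here so the decision logic stays deterministic in tests.
  return { track: true, setSessionCookie: true, clearSessionCookie: false,
           sessionId: newSessionId(), reason: "consented, new session" };
}
```

In the Express handler, `clearSessionCookie` maps to `res.clearCookie(SESSION_COOKIE)` and `setSessionCookie` to `res.cookie(SESSION_COOKIE, id, { httpOnly: true, secure: true, sameSite: "lax" })`; the analytics write happens only when `track` is true.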
Google Analytics (GA4)
Status: ✅ Removed
- The GA4 script (`G-QZ02JX0J0L`) has been removed from `index.html`. No third-party analytics cookies are set, and no data is transmitted to Google.
Security Middleware (unaffected by anonymization)
The `rateLimiter` and `autoBan` middleware continue to use full, un-anonymized IPs at request time. These IPs are never written to the JSONL analytics log; they exist only in in-memory `Map` structures and in the operational `config/ban.json` blocklist. Processing them for security and abuse prevention is permissible under the GDPR's "legitimate interest" basis (Article 6(1)(f)). Entries in `config/ban.json` are nonetheless personal data persisted on disk, so they should carry an expiry rather than accumulate indefinitely.
2. Marketing Campaigns & Email Tracking
Status: ✅ Per-contact tracking disabled
- The 1x1 tracking pixel (`pixel.gif`) injection is commented out: no individual open tracking.
- Per-contact `c_id` URL parameters are commented out: no individual click tracking.
- The `pixel.gif` route is disabled in the `CampaignsProduct` route registration.
- The campaign-level `tracking` param is preserved on links (non-PII, used for aggregate campaign attribution only).
- Unsubscribe links continue to function via `unsubscribe_token`.
3. Data Retention and Erasure (Right to be Forgotten)
Current State:
- `analytics.jsonl` continuously appends telemetry data without a predefined rotation or deletion policy.
- Campaign interactions and `marketing_emails` records preserve history.
Deficiencies:
- Right to Erasure (Article 17): If a user requested their data be deleted, the system would need to scan and purge their `userId` from the raw `analytics.jsonl` file; there is currently no workflow for this.
- Storage Limitation (Article 5(1)(e)): PII should only be kept as long as necessary for the purpose it was collected for.
Recommendations:
- Structured Log Rotation: Implement a background job that aggregates or rotates the `analytics.jsonl` file (e.g., deleting logs older than 90 days).
- Deletion Workflows: When a user invokes their right to be forgotten (or deletes their profile), ensure that cascading deletes cover the `contacts`, `contact_group_members`, and `marketing_emails` tables.
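Both recommendations above (a 90-day TTL and purging a `userId` on erasure) are one pass over the same JSONL file, so the following added TypeScript example does them together. It is not the project's code; it assumes, illustratively, that each line is a JSON object with an ISO-8601 `ts` field and an optional `userId`, and it works on the file's text as a pure function so the sample log below (constructed, not real data) can be run offline. A torn last line, which an append-only log acquires after a crash mid-write, is counted and dropped rather than aborting the job.

```typescript
// Added example, not the project's code: retention (90-day TTL) and erasure for
// a JSONL analytics log as one pure pass over the file's text.
// Assumed record shape (illustrative): one JSON object per line with an
// ISO-8601 `ts` and an optional `userId`; other fields are passed through.

interface AnalyticsRecord { ts: string; userId?: string; [key: string]: unknown }

interface RetentionResult {
  output: string;     // new file contents
  kept: number;
  expired: number;    // older than the TTL, or without a parsable timestamp
  erased: number;     // dropped because they belonged to the erased userId
  malformed: number;  // lines that were not valid JSON objects (e.g. a torn last line)
}

const DAY_MS = 86_400_000;

function parseLine(line: string): AnalyticsRecord | null {
  try {
    const v = JSON.parse(line);
    const isRecord = v !== null && typeof v === "object" && !Array.isArray(v) && typeof v.ts === "string";
    return isRecord ? (v as AnalyticsRecord) : null;
  } catch {
    return null;
  }
}

function processAnalyticsLog(
  text: string,
  opts: { now: Date; ttlDays?: number; eraseUserId?: string },
): RetentionResult {
  const cutoff = opts.now.getTime() - (opts.ttlDays ?? 90) * DAY_MS;
  const res: RetentionResult = { output: "", kept: 0, expired: 0, erased: 0, malformed: 0 };
  const keep: string[] = [];
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;                 // blank line / trailing newline
    const rec = parseLine(line);
    if (!rec) { res.malformed++; continue; }
    const t = Date.parse(rec.ts);
    // A record whose age cannot be established cannot be shown to be within
    // the retention period, so it is treated as expired rather than kept.
    if (Number.isNaN(t) || t < cutoff) { res.expired++; continue; }
    // Erasure drops the whole record: the remaining fields (UA, referer,
    // anonymized IP) are still linked to the person through that line.
    if (opts.eraseUserId !== undefined && rec.userId === opts.eraseUserId) { res.erased++; continue; }
    keep.push(JSON.stringify(rec));
    res.kept++;
  }
  res.output = keep.length ? keep.join("\n") + "\n" : "";
  return res;
}

// Constructed sample log (not real data): one record past the TTL, two for
// user u1, one anonymous, and a torn last line from a crash mid-write.
const SAMPLE_LOG = [
  '{"ts":"2024-01-02T10:00:00Z","userId":"u1","path":"/","ip":"203.0.113.0"}',
  '{"ts":"2024-04-01T10:00:00Z","userId":"u2","path":"/pricing","ip":"198.51.100.0"}',
  '{"ts":"2024-04-20T10:00:00Z","userId":"u1","path":"/docs","ip":"203.0.113.0"}',
  '{"ts":"2024-04-25T10:00:00Z","path":"/","ip":"192.0.2.0"}',
  '{"ts":"2024-04-26T1',
].join("\n");

// Rotate with the default 90-day TTL as of 2024-05-01 and erase user u1.
function demo(): RetentionResult {
  return processAnalyticsLog(SAMPLE_LOG, { now: new Date("2024-05-01T00:00:00Z"), eraseUserId: "u1" });
}
```

In a real job, read the file, write `output` to a temporary file in the same directory and `rename` it over `analytics.jsonl`, and make sure the appender is paused or writing to a freshly rotated file during the rewrite, otherwise events appended in between are lost. The erasure path should also be applied to the other places full or pseudonymous identifiers persist, such as `cache/geoip.json`.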
Summary
Completed mitigations:
- ✅ IP anonymization: last IPv4 octet (last five IPv6 groups) zeroed in persisted logs; geo data preserved via pre-anonymization lookup.
- ✅ PII minimization: `userEmail` and `userName` removed from JSONL logs; only `userId` retained.
- ✅ Google Analytics removed: `gtag.js` stripped from `index.html`. No third-party cookies.
- ✅ Per-contact email tracking disabled: `c_id` and `pixel.gif` commented out in `campaigns/index.ts`.
Remaining housekeeping (non-blocking):
- Automatically rotate/expire old unstructured analytics logs (recommend 90-day TTL).
- Implement deletion workflows to purge `userId` from JSONL on erasure requests.