GDPR violation

  • Resolved Benedikt Ledl

    (@benniledl)


    1 month, 2 weeks ago

    Hello ??

    The plugin embeds an external .js script in the frontend of the website.

    The script is loaded from browser-update.org and is behind a Cloudflare proxy (USA).

    Loading resources from a company in the USA generally violates the european GDPR.

    I recommend that the plugin fetches the script once a month with wp-cron and caches it.

Viewing 1 replies (of 1 total)
  • Plugin Author MacSteini

    (@macsteini)

    I get the concern about loading an external JavaScript file, especially since it’s coming through Cloudflare’s US-based proxy. But from a GDPR standpoint, there’s really no issue here.

    Since summer 2023, the EU and US agreed on a new data transfer framework. Any US company that signs up to the Data Privacy Framework is considered to provide an adequate level of protection, making data transfers legal without extra red tape. Cloudflare is part of this and is also certified under the EU Cloud Code of Conduct, following Standard Contractual Clauses (SCCs) and a Data Processing Addendum (DPA). In other words, they’ve already got the necessary safeguards in place to handle data properly under EU regulations.

    As for the browser-update.org script, it’s purely functional – it just nudges users with outdated browsers to update for better security and performance. There’s no tracking or personal data collection going on, so embedding it directly doesn’t violate GDPR.

    Bottom line: the current setup is fine under GDPR, but I’m happy to tweak things if there’s a real compliance issue I’ve missed.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.