ActivityPub in WordPress is great. But, as usual, using it blindly can get you into legal trouble, especially with the GDPR, if it applies to you. The reason is that, by its nature, it loads data from remote servers. That's fixable, so let's fix it.

Reactions block

First of all, the reactions shown below a post after activating ActivityPub are nice, but the block loads every user's avatar directly from that user's Fediverse instance. That means you're embedding content from many different sources on your website. Usually this would, at the very least, force you to declare it in your privacy policy: when a visitor's browser loads these avatars, the visitor's IP address is sent to each instance they are loaded from, and an IP address is personal data under the GDPR. There is a feature request for caching the avatars server-side, but it's not yet implemented. Adding such a declaration to the privacy policy is de facto impossible, since you never know in advance which instances the users reacting to your content will come from, unless you approve every reaction manually, which nobody will do.

Webmention with Avatar Privacy

As an alternative, install and activate the Webmention plugin together with Avatar Privacy. This way, reactions are displayed below the post by the Webmention plugin, and their avatars are handled automatically by Avatar Privacy, which caches them locally and serves them from your own server. Visitors therefore no longer connect to the remote instances, and the reactions are GDPR and data protection compliant.
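Whether a page still makes visitors connect to remote instances is easy to verify: save the rendered HTML of a post with reactions and list the hosts its images are loaded from. The script below does that. It is an added example, not code from the original post or from the ActivityPub, Webmention or Avatar Privacy plugins; the site URL `https://blog.example/` and the sample markup are constructed assumptions, and the cache path is only a placeholder, not the plugin's real directory layout.

```python
"""Report which hosts a rendered WordPress page loads <img> resources from.

Added example, not from the original post. Every image fetched from a host
other than your own sends the visitor's IP address to that host, so a
reaction avatar served from a remote Fediverse instance shows up here as an
external host, while a locally cached one does not.

Assumptions (not stated on the page): the site is served from
https://blog.example/ (hypothetical host) and the HTML below is constructed
sample markup, not the output of any real plugin.
"""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SITE_URL = "https://blog.example/"  # hypothetical site URL

# Constructed sample markup: two avatars loaded from remote instances (the
# situation described above), one locally cached avatar (placeholder path),
# and an image with a srcset that pulls a variant from a CDN.
SAMPLE_HTML = """
<article>
  <p>Post body</p>
  <ul class="reactions">
    <li><img src="https://mastodon.example/system/accounts/avatars/1/a.png" alt="alice"></li>
    <li><img src="https://pixelfed.example/storage/avatars/b.jpg" alt="bob"></li>
    <li><img src="/wp-content/uploads/avatar-cache/c.png" alt="carol"></li>
    <li><img srcset="https://blog.example/x.png 1x, https://cdn.example/x@2x.png 2x" src="https://blog.example/x.png"></li>
  </ul>
</article>
"""


class ImageSourceCollector(HTMLParser):
    """Collect every image URL a browser would fetch: src, srcset and the
    data-src/data-srcset variants used by lazy-loading scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "source"):
            return
        for name, value in attrs:
            if not value:  # boolean attributes come through as None
                continue
            if name in ("src", "data-src"):
                self.urls.append(value.strip())
            elif name in ("srcset", "data-srcset"):
                # srcset is "url descriptor, url descriptor, ..."; keep the URLs only
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.urls.append(parts[0])


def image_hosts(html, site_url=SITE_URL):
    """Return {host: [absolute urls]} for every image the page loads.
    Relative URLs are resolved against site_url, as the browser would."""
    parser = ImageSourceCollector()
    parser.feed(html)
    by_host = {}
    for url in parser.urls:
        absolute = urljoin(site_url, url)
        host = urlsplit(absolute).hostname or ""
        by_host.setdefault(host, []).append(absolute)
    return by_host


def external_image_hosts(html, site_url=SITE_URL):
    """Hosts other than the site's own that visitors are made to connect to.
    An empty list means no image on the page leaks the visitor's IP address."""
    own = urlsplit(site_url).hostname
    return sorted(host for host in image_hosts(html, site_url) if host and host != own)


if __name__ == "__main__":
    for host, urls in sorted(image_hosts(SAMPLE_HTML).items()):
        print(f"{host}: {len(urls)} image(s)")
    print("third-party image hosts:", external_image_hosts(SAMPLE_HTML))
```

To check a live post, fetch its HTML (for example with `curl -s URL`) and pass the result to `external_image_hosts` together with your own site URL; after switching to Webmention plus Avatar Privacy the list should no longer contain any Fediverse instance. The parser deliberately also reads `srcset` and lazy-loading attributes, because those are the places where a remote host hides when a plain look at `src` shows nothing.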

Privacy policy

Since ActivityPub by its nature shares data, which means your likes, boosts and comments are displayed publicly, your server processes all of this data coming from users in the Fediverse. You therefore need to declare in your privacy policy that, and which, data you process when someone from the Fediverse interacts with your content.

If you have installed Webmention as described above, it already ships with a predefined text, which you can view under Settings > Privacy > Policy Guide > Webmention. You can copy this text into your privacy policy.

Alternatively, a while ago we added a section for ActivityPub/Webmention to Impressum Plus, which also checks directly whether Avatar Privacy is installed and adjusts the text accordingly.

Conclusion

It's not complex to use ActivityPub in a GDPR and data protection compliant way. However, you have to make sure you take all the necessary steps to set it up like this. At least Impressum Plus can help you with its automatically generated privacy policy.
