With the strict requirements of the General Data Protection Regulation (GDPR) and the associated potential warnings from consumer protection and data protection authorities, financial and legal risks are growing for organisations.
An important part of the GDPR - and unfortunately the main source of potential trouble - is the consent requirement for sharing the personal data of website visitors. It covers far more than tracking cookies from Google Analytics. Under the GDPR, the IP address of the website visitor is personal data. However, this address must be transmitted in order to communicate with any other system at all. Specifically, this means:
Any access from within a website to a server other than its own web server requires consent.
Apart from the notorious tracking tools, this concerns, for example:
the integration of fonts from external servers
the integration of external maps (e.g. Google Maps)
embedding external videos (even without cookies!)
embedding social media posts (not to be confused with merely linking to them)
embedding external content via an iframe (weather, real estate listings, etc.)
lead tracking with Google Ads
the use of Content Delivery Networks (CDNs) to speed up websites
the integration of external CAPTCHA services as spam protection
Particularly awkward: by this definition, even the use of an external cookie banner tool requires prior consent, which looks like the cat biting its own tail.
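The list above is, in practice, a checklist of every element of a page that makes the visitor's browser open a connection to a foreign host. The following scanner is an added example written for this page (it is not part of the audit offer or of TYPO3) and walks a rendered HTML document, collecting every resource reference a browser would fetch (script, stylesheet, image, iframe, video, embedded font via CSS url(), inline style backgrounds, form targets) and reports the hosts that differ from the site's own. The sample HTML, the hostnames in it and the base URL are constructed for the demonstration.

```python
"""Third-party resource scanner: lists every external host a page would
contact when rendered. Added example, not the page's or TYPO3's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs through which a browser fetches a remote resource.
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),              # stylesheets, fonts, preconnect hints
    "img": ("src", "srcset"),
    "iframe": ("src",),             # maps, videos, weather widgets, etc.
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),            # e.g. external newsletter forms
}
# CSS references: url(...) for fonts/images and @import for further sheets.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.I)


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every fetchable reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # "a.jpg 1x, b.jpg 2x": the URL is the first token of each candidate
                for cand in value.split(","):
                    parts = cand.strip().split()
                    if parts:
                        self.refs.append((tag, urljoin(self.base_url, parts[0])))
            else:
                self.refs.append((tag, urljoin(self.base_url, value)))
        # inline style attribute, e.g. style="background-image:url(...)"
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.refs.append((tag, urljoin(self.base_url, url)))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data) + CSS_IMPORT.findall(data):
                self.refs.append(("style", urljoin(self.base_url, url)))


def external_hosts(html, base_url):
    """Return {host: [(tag, url), ...]} for every reference whose host is not
    the page's own host. data:, mailto: and javascript: URLs have no host and
    are ignored. A different subdomain counts as a different server."""
    own = urlsplit(base_url).hostname
    parser = ResourceCollector(base_url)
    parser.feed(html)
    found = {}
    for tag, url in parser.refs:
        host = urlsplit(url).hostname
        if host and host != own:
            found.setdefault(host, []).append((tag, url))
    return found


# Constructed sample page; all hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.example.org/css?family=Roboto">
<script src="/typo3temp/assets/main.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<style>@font-face { src: url(https://fonts.example.org/s/roboto.woff2); }</style>
</head><body>
<img src="/fileadmin/logo.png" alt="">
<iframe src="https://video.example.com/embed/VIDEO_ID"></iframe>
<div style="background-image:url('/fileadmin/bg.png')"></div>
</body></html>"""

if __name__ == "__main__":
    for host, refs in sorted(external_hosts(SAMPLE_HTML, "https://www.example.com/").items()):
        print(host)
        for tag, url in refs:
            print(f"  <{tag}> {url}")
```

Every host the scanner prints is a connection that transmits the visitor's IP address before any consent dialog can intervene, so each one needs either a consent gate (two-click embed), a self-hosted replacement (fonts, scripts, CAPTCHA), or a documented legal basis. Running this over the delivered HTML of every page template, rather than over the editor's view in the backend, is what catches the careless editorial embeds the audit text below refers to; resources injected later by JavaScript are not seen by a static pass and need a browser-based check.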
Note on masking IP addresses
The much-cited masking of IP addresses (e.g. by replacing the last two numbers in log files: 88.57.x.x) is, strictly speaking, a sham protection. The target server must know the complete address in order to respond at all. Masking or complete deletion only protects against later misuse by unauthorised persons. In any case, it is not sufficient for the operator of an external service to assure that IP addresses are masked.
The security audit for risk minimisation
For most website operators, it is very difficult to find out whether their website and the associated processes comply with data protection law.
We therefore recommend having regular audits carried out: regular, because even careless editorial changes can result in violations of the rules. The direct embedding of a YouTube video is one example.
With our offer "Security Audit for TYPO3 Websites", we would like to help you not only comply with the legal regulations, but also ensure that possible security gaps are closed as quickly as possible.