jQuery CDN + GDPR


#1

The Casper theme is using a jQuery script loaded from the jQuery CDN. Wouldn’t it be better to directly include it into the theme? Is the current way GDPR compliant or do I need to explicitly mention it in my privacy disclosure?


#2

@Kevin I created a pull request for Casper that should fix that.


#3

No. jQuery CDN does not collect user data.


#4

Could you post a source making it clear that loading jQuery from CDN does not collect data? I find it very hard to find any information about that. Would be very helpful to me!


#5

It’s understandable that the GDPR is important and that it must be complied with.

Nor is it easy to understand the means and obligations regarding this European conformity.

Yet it is not so complicated.

Rules are available here:

Using a third party to deliver a script (or service) is not “GDPR non-compliant”.

The GDPR does not require everything to be stored locally, fortunately.
In the simplest case, this third party must just be GDPR compliant.
In other cases, this is a little more complex to implement but often feasible.

The case that concerns us here is:

“The Casper theme is using a jQuery script loaded from the jQuery CDN”

Well, step by step:

The file “jquery-3.2.1.min.js” is hosted on https://code.jquery.com, powered by https://www.stackpath.com

So, the jQuery libraries are served through StackPath CDN.

StackPath CDN is GDPR compliant and that can be checked here:

The fact that the Casper theme uses a third-party service to host the jQuery script in order to guarantee the good functioning of the said theme can quite well conform to the GDPR; it is simply enough that users are informed (with a readme file or any other way) of the list of files using GDPR-compliant third-party services (or links to 3rd-party websites).

Hopefully this will help you better understand the GDPR, and there’s nothing to worry about with the Casper theme.


#6

This is an amazing summary :slight_smile: thanks for taking the time to detail everything for people here


#7

Thanks for your summary, but a few things to consider:

  • Hosting it locally would make this one paragraph just for the jQuery CDN unnecessary
  • Because the browser is submitting its IP to StackPath, you would need to sign a DPA

I solved it by setting up a proxy for Unsplash images, jQuery CDN and Gravatar. Now all of these resources are loaded from my server, which downloads them from the original sites.

In Germany people already got an “Abmahnung” (a legal “warning”) because they used Google Fonts.


#8

You are right on this point because, for the moment, it is not possible to use Google Fonts with the CDN of Google (like fonts.googleapis.com, fonts.gstatic.com …) and be GDPR compliant, because Google Fonts collects the IP address of the visitor and sends it to their own Google server; it is not allowed to collect private data from your website visitors without approval.

So if you want to use Google Fonts, at the present time, the easiest way is to keep them local.
For StackPath, it’s not the case because the IPs of your visitors are not tracked like with Google.

Another example: Google Analytics.
The usage of the standard script “analytics.js” is not GDPR compliant, but if you modify it a little, like:

ga('create', 'UA-XXXXXXX-Y', 'auto');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');
...

where ‘auto’ is the replacement for your domain name.
Then you could use GA and be GDPR compliant because you don’t communicate the IP addresses of your visitors to Google.

But well, this is beyond the scope of this post :wink:.

In any case, it is also true that it’s the owner of the website who is responsible for its compliance with the GDPR and, where appropriate, for informing its visitors of what is done with their data.

