When I started Learn Code The Hard Way about eight years ago, I made a conscious choice to run my business ethically. I decided to never collect information unless I really needed it, to not track people as they went through my site, and to not sell anyone’s information to someone else. I felt this was the right move because education is a sensitive topic, and I didn’t really think it was appropriate for me to sell people’s behavior on an educational resource. I also would rather make my money by building good products rather than selling my customers like they are products.
For the last eight years I have only stored enough information to let you get back to your purchase. For example, I do not remember where you are in the book because if I store that information then I am tracking everything you’ve read, and that kind of violates your privacy. Some people have asked me to implement a feature for keeping track of what you have read, but I feel that that’s too risky of a feature to implement. I also didn’t include any passwords in my system. I simplified it down to the bare minimum necessary for you to access the content from your email. In fact, I store people’s names but I don’t even enforce that they give me a real name.
I do collect people’s IP addresses, but that happened after almost a year of constant fraud and a barrage of continuous SSH attacks. I have to keep the IP address information for fraud prevention and security purposes, but I only keep your most recent IP address on your account and it gets wiped whenever your IP address changes. I also only keep logs for about a year, mostly because I’m too lazy to reconfigure the log rotation to do it faster.
I am also a very hated individual on the Internet. Because of this I have had to make sure that I have the best security I can get, but I also assume that no security is totally foolproof so I do my best to keep data off my service that I don’t really need. The data I do have is either minimal or I encrypt it with GPG and my private keys never touch the servers. Obviously none of this is totally secure in the face of a very determined attacker, but because I don’t really store much information about people and a lot of it is encrypted, the potential damage is very low.
Finally, I gladly delete people’s accounts if they email me, but I warn them that once they delete it all then our relationship is over and they would have to buy the product again to download it again. That seems reasonable to me because you can’t say, “Hey, forget everything about me,” and then come back a month later and say “Hey do you remember me?” No, because you told me to delete you.
I believe the only things I do are that I have Google Analytics on my site, and a Zendesk help chat system that nobody uses. I’ll just remove the Zendesk chat, and if you want Google to forget about you then contact them. You can still email me at email@example.com when you need help or you can use the forum at https://forum.learncodethehardway.org/ but that little chat thing is totally useless.
I actually believe that without a treaty between the United States and the EU, the EU would be violating international laws by enforcing the GDPR. But complying with it doesn’t seem to be too difficult for my business, and if I comply with it I can go to Europe in the future and study art at the Louvre.
I’m not kidding. I really want to copy paintings at the Louvre. I can’t do that if I owe 20 million euros to France!
With that in mind I am going to be slowly rolling out some features to make my business compliant with the GDPR and it will be for everyone around the world:
- You will have a delete button for your account, but you will need access to your email to prove that you actually are who you say you are, and once you delete you have to buy the product again to get it back. As I said it’s not fair for you to want to maintain a data relationship with me but then also delete your data.
- You’ll be able to get a JSON dump of the data I have on you. You are probably going to laugh because it’s literally like two database rows.
- I will follow the GDPR mandate to clear web traffic logs after three months, but I will keep all security-related logs for two years because now the EU has declared IP addresses identifying information, so I can start submitting your IP address from hack attempts against services to law enforcement in the EU.
- I will keep your purchase information and my payment processor because my country’s tax system demands that I keep that information for at least seven years and maybe longer.
- I will be the data officer, until I can afford enough money to hire someone official in the EU, or I have a real reason to do it.
Hopefully that’s enough to show a good faith attempt to follow the law, and my track record of basically already complying with the law should be good enough to avoid the €20 million fine that they are going to give me. I’ve been told by several Europeans that as long as I’m following the law as best I can that, “Totally nobody’s ever going to go after. The EU is a nice guy eh? Buddy pal you can trust us? <big grin>.” We shall see.
I like the spirit of the law, and it matches what I do already, but I will be honest and say I worry it will be abused by bigger corporations to stifle speech and stop bad press. I also feel the GDPR will mean nothing to large corporations and that the EU government will only enforce it on small companies that can’t defend themselves. Time will tell, but in the meantime, I’m going to keep my European customers happy and bring this out to everyone at the same time.