Coyote Blog

I have been reading all the articles (and the storm of emails in my inbox) on European GDPR privacy rules implementation with some dispassion.  After all, it does not affect me, right?  I run a camping business all in the US.  But then I got to thinking about it and realized that I had three avenues of exposure  -- my blogs, my jobs mailing list, and my company web site.  I will preface this by saying that I am no expert and I am not really hugely at-risk, but perhaps this will be useful to someone.  More importantly, if you ARE an expert and see something I am screwing up please email me!

The blog exposure strikes me as pretty narrow, particularly since we do not serve up advertisements (except in the comments via Disqus) and do not have a mailing list.  I don't store or have access to any user data (though I wonder if server logs count?) so I assess my main liability as secondary if Disqus screws up something.  I have been reading Disqus's updates and I would evaluate them as working on it but not done.  I suppose if the EU wants to come after me for "up to 4%" of this site's revenue they are welcome to do so.  Sort of like when I was unemployed being told to spend 2 months salary on my wife's engagement ring  (which in fact I did exactly, since it was my mom's ring given to me as a gift for the purpose).

Similarly, I think my liability surrounding the mailing list we maintain for job openings is pretty limited.  First, it would shock me if more than 0.0001% of the people on that list are in Europe, since I can't really legally hire Europeans in most cases and it is unlikely they will drive their RV over here to work in a campground.  More importantly, all the names are there through what I would call extreme opt-in -- they have to click on a special link and go sign up on a dedicated page just to join the mailing list.  The email provider is Constant Contact so again my liability is likely limited to whether they screw anything up in their compliance, but this is probably unlikely in my case.  Again there is no advertising and all people on the list ever get are notifications of new job openings and links where to apply.

Which brings me to our business web site.  There is no log-in or user information entered or advertising on our web site, so we are mostly fine.  With one large exception -- we have our own reservations site that gathers and stores customer reservation information.  Eek!  That sounds like it could be a problem.  The most dangerous piece of data we could potentially have in our hands is a credit card number, which is why our system was set up so our company never has the credit card number in our possession.  Customers are passed over to Stripe (highly recommended company, by the way) who handle all that dangerous stuff on their servers, and just pass us back a confirmation.  But we do have customer name, address, email, and camping stay dates on our server.  Maybe we are compliant already -- we treat that stuff with a lot of care.  Maybe we are not.  But since we really don't get any reservations at all from Europe, it was easier just to go black there, so right now my software guy is working on blocking traffic from European IP addresses.

Postscript:  On some of my posts, people write me and ask, "Why did you even bother to publish that."  And my answer is that I often write to think, so it may be that it is only for my own benefit.  My software guy is a reader of this blog and was probably laughing as he read this post because I stopped a couple times in writing it to fire off new questions or requests to him.

Update:  Hah, what timing!   This just appeared on my blog when I scrolled down to the comments so I guess Disqus must indeed be working on this.