Using Mod_maxminddb to Become GDPR/CCPA Complient
How I am using MaxMinds GeoIP databases to become GDPR/CCPA compliant.
By. Jacob
Edited: 2022-02-24 00:15
In the process of making Beamtic sites GDPR complaint, I have decided to make some changes to the way I collect consent from users. Some website owners decide to simply show the consent dialog to all their users, and thereby avoid having to deal with GEO location. I used to take that approach, but I realize this was a mistake.
Without getting into too many details, I think it was a mistake because I disagree with the requirement to show these consent dialogs. They are quite simply toxic for UX (users) and both unfair and unreasonable for website owners (that is us). The problem lawmakers seeks to address with these privacy laws should likely be solved in the browser – and certainly not by individual site owners.
Because of the GDPR/CCPA, I have decided to install a module for my web-server (Apache), which enables me to perform easy GEO location lookups. This allows me to only show the consent dialog to users within the EEA (European Economic Area) and California.
The module I am using is called mod_maxminddb and can be easily installed on an Apache server.
Note that this only covers the technical aspect of installing the module, not how to create the consent dialog mechanism, or how to fulfill the requirements of GDPR or CCPA. But, it lays the foundation of what is needed to comply with country and region specific laws.
Knowing if the user is in the EEA
There should be no need to maintain a secondary list of countries in Europe to compare against. Instead, using the city database, we add the following to Apaches configuration:
MaxMindDBEnv CONTINENT_CODE CITY_DB/continent/code
This gives us access to the "CONTINENT_CODE" variable. In PHP this may be accessed via the $_SERVER global:
echo $_SERVER['CONTINENT_CODE'];
This is better than manually comparing the COUNTRY_CODE variable with a list of EU countries, since you do not have to account for unexpected values in the COUNTRY_CODE, such as A1 for proxy servers. All we really care about is the client IP address, regardless if they are using a proxy.
If you want to tell if someone is a EU citizen, rather than relying on GEO location, it is probably best to have a login system, and have them give you this information when they sign up. It does not matter that they might give you inaccurate information, since it will be their own responsibility to keep the information accurate.
Links
- MaxMind DB Apache Module – github.com
- C library for the MaxMind DB file format – github.com
- GeoLite2 Free Downloadable Databases – maxmind.com
Tell us what you think: