Using Mod_maxminddb to Become GDPR/CCPA Compliant

How I am using MaxMind's GeoIP databases to become GDPR/CCPA compliant.


By Jacob

Edited: 2022-02-24 00:15

GDPR, GEO Location, and Apache

In the process of making Beamtic sites GDPR compliant, I have decided to make some changes to the way I collect consent from users. Some website owners decide to simply show the consent dialog to all their users, and thereby avoid having to deal with GEO location. I used to take that approach, but I realize this was a mistake.

Without getting into too many details, I think it was a mistake because I disagree with the requirement to show these consent dialogs. They are quite simply toxic for UX (users) and both unfair and unreasonable for website owners (that is us). The problem lawmakers seek to address with these privacy laws should likely be solved in the browser – and certainly not by individual site owners.

Because of the GDPR/CCPA, I have decided to install a module for my web-server (Apache), which enables me to perform easy GEO location lookups. This allows me to only show the consent dialog to users within the EEA (European Economic Area) and California.

The module I am using is called mod_maxminddb and can be easily installed on an Apache server.

Note that this only covers the technical aspect of installing the module, not how to create the consent dialog mechanism, or how to fulfill the requirements of GDPR or CCPA. But it lays the foundation for what is needed to comply with country- and region-specific laws.

Knowing if the user is in the EEA

There should be no need to maintain a secondary list of countries in Europe to compare against. Instead, using the city database, we add the following to Apache's configuration:

MaxMindDBEnv CONTINENT_CODE CITY_DB/continent/code

This gives us access to the "CONTINENT_CODE" variable. In PHP this may be accessed via the $_SERVER global:

echo $_SERVER['CONTINENT_CODE'];

This is better than manually comparing the COUNTRY_CODE variable with a list of EU countries, since you do not have to account for unexpected values in the COUNTRY_CODE, such as A1 for proxy servers. All we really care about is the client IP address, regardless of whether they are using a proxy.
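
The check described above can be wrapped in one PHP function that also covers California and the case where the lookup returns nothing. This is an added example, not code from the original post or from mod_maxminddb; it assumes two extra MaxMindDBEnv lines exporting COUNTRY_CODE and REGION_CODE, and REGION_CODE and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Assumes two directives next to the page's CONTINENT_CODE line:
//   MaxMindDBEnv COUNTRY_CODE CITY_DB/country/iso_code
//   MaxMindDBEnv REGION_CODE  CITY_DB/subdivisions/0/iso_code  (assumed name)

/** Return the value only if it looks like an ISO-style code, else '' (unknown). */
function geoCode(array $server, string $key): string
{
    $value = strtoupper(trim((string)($server[$key] ?? '')));
    return preg_match('/^[A-Z0-9]{2,3}$/', $value) === 1 ? $value : '';
}

/** Decide whether the consent dialog must be shown for this request. */
function needsConsentDialog(array $server): bool
{
    $continent = geoCode($server, 'CONTINENT_CODE');
    $country   = geoCode($server, 'COUNTRY_CODE');
    $region    = geoCode($server, 'REGION_CODE');

    // A missing continent or country means the lookup failed or was incomplete
    // (private address, IP not in the database, module disabled).
    // Fail closed: show the dialog instead of silently skipping consent.
    if ($continent === '' || $country === '') {
        return true;
    }
    // "EU" is the database's continent code for Europe, not an EEA member list.
    if ($continent === 'EU') {
        return true;
    }
    // California: a US visitor whose region is unknown is also shown the dialog.
    if ($country === 'US') {
        return $region === '' || $region === 'CA';
    }
    return false;
}

// Constructed sample environments standing in for $_SERVER.
$samples = [
    'Europe'        => ['CONTINENT_CODE' => 'EU', 'COUNTRY_CODE' => 'DK'],
    'California'    => ['CONTINENT_CODE' => 'NA', 'COUNTRY_CODE' => 'US', 'REGION_CODE' => 'CA'],
    'Texas'         => ['CONTINENT_CODE' => 'NA', 'COUNTRY_CODE' => 'US', 'REGION_CODE' => 'TX'],
    'US, no region' => ['CONTINENT_CODE' => 'NA', 'COUNTRY_CODE' => 'US'],
    'Lookup failed' => [],
];
foreach ($samples as $label => $server) {
    printf("%-14s %s\n", $label, needsConsentDialog($server) ? 'show dialog' : 'no dialog');
}
```

In a page handler the call is needsConsentDialog($_SERVER); treating an absent variable as "show the dialog" keeps a broken database path or a disabled module from turning consent collection off unnoticed.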

If you want to tell if someone is an EU citizen, rather than relying on GEO location, it is probably best to have a login system, and have them give you this information when they sign up. It does not matter that they might give you inaccurate information, since it will be their own responsibility to keep the information accurate.
