Both the free and the paid versions of our plugin are GDPR compliant. Compliance is achieved by displaying a security message on the login screen; this message can be turned on and off from the plugin's Settings page.
Doesn’t GDPR require an explicit consent of the subject for collection or storage of personal data (including IP addresses that are considered personal data by GDPR)?
No, it doesn't. GDPR does not make consent a mandatory requirement for all processing of personal data. Consent (Article 6(1)(a)) is indeed one of the conditions that can be used to satisfy the GDPR requirement that processing must be lawful, but it is not the only condition available to the controller. The list of conditions is introduced with the words "at least one of the following", so any one of the alternatives is sufficient.
All the conditions for lawfulness of processing are spelled out in Article 6 of the GDPR. One of the alternatives is Article 6(1)(f), which says that it is lawful to process personal data if:
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Logging IP addresses for security purposes is an extremely widespread practice: web servers record the client IP address in their access logs by default, and practically every web site does this. Following standard security practice is a legitimate interest within the meaning of Article 6(1)(f).
That is, it is lawful to do this without consent.
Do you save any IPs of people who try to access my customers’ sites or install any cookies? Do you transfer it to some server?
Yes. The free version saves IPs locally, and the paid version sends them to our cloud. We don't set any cookies, except for two in the dashboard, "llar_enable_notify_notice_shown" and "llar_review_notice_shown". They work around AJAX-related issues for some customers with misconfigured sites and do not track anything.
You just need to turn on the GDPR message; that should be enough. If it is not, you can copy the explanation above and paste it directly into your privacy policy. Here's the link to our GDPR policy.
If I use the free plugins the IP data will only reside in the site’s database?
You used to have IP obfuscation, why did you remove it?
Because the message is enough to be GDPR compliant. The obfuscation feature took a lot of maintenance time and was incompatible with our cloud service, so we removed that redundant piece of code and replaced it with a simpler solution that works.