[Tropical on Rails 2026] Privacy on Rails

Transcript

1. Privacy on Rails Pragmatically complying to data protection laws

2. Talysson Oliveira Software architect & Chief Learning Officer at Codeminer42

   @talyssonoc beacons.ai/talyssonoc

3. codeminer42.com ai.codeminer42.com @codeminer42

4. ⚠ I'm not a lawyer This is an engineering perspective

   talk

5. On calm and peaceful day…

6. None

7. Would you know what to do?

8. Or would you freak out thinking… - What tables store

   user private information? - Are we able to remove them from the logs too? - Oh no, what about ActiveJob payloads? - How much time do we have to respond to that email?! - Are we breaking any law? Are we going to be fined?

9. What are data protection laws?

10. Data protection laws - Exist to enforce data protection and

    user privacy - Present in more than 140 countries - Most don't apply only if you are based in the country, but also if you have users there - They are about consent, data minimization, access rights, breach notification, and purpose limitation

11. What private data are we talking about?

12. Name Email Phone Government ID Date of birth Race Religion

    Prescriptions Tax records IP address Browsing history Chat messages Salary Behavior profile AI generated predictions Gender identity Location history

13. Name Email Phone Government ID Date of birth Race Religion

    Prescriptions Tax records IP address Browsing history Chat messages Salary Behavior profile AI generated predictions Gender identity Location history AND MORE!

14. Thinking about it made you sweat? Then this talk's for

    you

15. Privacy used to be a competitive advantage Now, it's the

    baseline for a product

16. Why do companies fail to comply?

17. They treat privacy as just a legal concern They put

    innovation above user privacy

18. Privacy by design Privacy as an engineering quality attribute

19. Privacy by design - Don't implement privacy as an afterthought

    - Implement it as any other normal engineering constraint - Like we do for security, for performance, for responsiveness - Think about your user's privacy first - Don't gamble with user data to pay for innovation - Start with a set of principles

20. Privacy by design principles 1. Data minimization - Don't collect

    what you can't protect (or don't need) - Less data = less to concern about 2. Private by default - Every data exposure requires an explicit reason - Data must be protected with appropriate technical measures 3. Transparency - Users should know and control what you store from them

21. Privacy on Rails "I'm not a lawyer either, show me

    the code!"

22. Data minimization Less data = less to concern about

23. Minimize data that enters your app

24. Use strong parameters - Create an explicitly permitted list of

    parameters - Be intentional about what you permit - Filtering at the entry point covers the whole application

25. Anonymize user's IPs - Doing it at the entry point

    covers the whole application - If geocoding is important for your app, it'll still work - Use the ip_anonymizer gem

26. Minimize data that leaves your app

27. Explicit serialization - Create an explicitly permitted list of what

    data will be exposed

28. Safeguard error tracking strategies - Error tracking services capture full

    request context (PII, params, …) - Filter request params and use the logstop gem

29. Anonymize analytics data - Innovation should not be at the

    expense of your user's privacy - Use a privacy-first analytics service + consent-gated scripts - Anonymize any personal information sent do analytics - We'll see consent modeling and anonymization techniques soon

30. No personal data in emails - Data can leak in

    email logs and bounced email handling - Enforce minimal PII in emails and filter email logs - Use signed URLs with auto-expiry and authenticated downloads

31. Data retention and TTL policies

32. Implement data retention and TTL policies - Don't keep older

    unused data - Delete (or anonymize) inactive users - Delete inactive sessions - Clear SolidQueue completed job records - Make it automatic

33. Deleting/anonymizing inactive users

34. Private data by default Protected data without extra effort

35. Logs

36. Log with care - Logs are the #1 silent leak

    - Always check everything that is explicitly logged - Filter request params and use the logstop gem

37. Security

38. Encryption at rest for models Decrypt Search Use ✅ ✅

    ✅ ❌ ❌ ❌ (just verify) - Rails supports three levels of data protection - Choose based on the field's usage pattern

39. Protect cookies properly - Be intentional about cookies usage -

    Define proper same_site policy

40. Make your backups secure - Always encrypt the database backups

    - Adopt a retention policy for backups as well

41. Protect direct console access in production - Track who, why

    and how console was accessed in production - Use console1984 and audits1984 gems for that

42. Transparency and data rights Users should know and control their

    data

43. Consent

44. Creating a consent model - It's not just about using

    a cookie banner - Marketing, analytics tracking, 3rd party sharing, features, … - Each consent should be per-purpose, versioned and with proof - Consents should be explicit - No user consent = no action

45. Creating a consent model

46. None

47. Data subject access rights

48. Data subject access rights - Users have access, rectification and

    erasure rights over their data - LGPD requires a response in 15 days to respond - GDPR requires a response in 30 days (extendable until 90 days) - Make it as automatic as possible

49. Creating a data subject request model

50. Implementing access request (aka DSAR) handling

51. Implementing access request (aka DSAR) handling

52. Implementing erasure request handling

53. Implementing anonymization

54. Implementing anonymization

55. Ok, this is a lot of things to remember

56. And we are in the age of AI…

57. Automate it with agent skills!

58. Privacy by design Rails agent skills, by Codeminer42 - Bring

    privacy-by-design into your Rails workflow - Two modes: - Complete codebase assessment - Review your recent changes - Generates a thorough report + offer fixes - Fully open source and ship with Ruby scripts for easy auditing

59. Privacy by design Rails agent skills, by Codeminer42 or https://github.com/codeminer42/skills

60. Privacy by design Rails agent skills, by Codeminer42

61. Privacy by design Rails agent skills, by Codeminer42

62. Privacy by design Rails agent skills, by Codeminer42

63. Privacy by design Rails agent skills, by Codeminer42

64. Data privacy laws don't kill innovation Not complying is a

    skill issue Respect your users privacy Rails is privacy friendly

65. Thank you! @talyssonoc beacons.ai/talyssonoc codeminer42.com ai.codeminer42.com @codeminer42