Not a lawyer myself, but as far as my understanding goes you are identifying your user already by determining his ip, and all the transformations you do to create an id is still reversible with the fixed seeds in your script - so you'll end up sending data to google that makes the user idenfiable nonetheless, so i HIGHLY doubt this is a legitimate way around gpdr.
correct me if I'm making wrong assumptions here, as staid - not a lawyer either, just having lots to do with the topic as a EU based webdeveloper.
This is how I understand GDPR as well. Just hashing the IP address along with other static values is too easy to reverse and not considered anonymization under GDPR.
For https://plausible.io we added a daily salt to the hash for this exact reason. By deleting the salt at the end of each day, the hash becomes impossible to reverse and visitor data can be considered anonymous.
We lose unique visitor tracking beyond one day, but for most sites this is a small price to pay to remove annoying consent banners.
Website owners are still sending visitors IP-addresses your way. They have to trust you to do the hashing and deleting the salt (and pepper?) and not delivering data to others (4th party).
Googles system of removing the last part of the IP address exists specifically so you can be compliant. If you use tricks to store the data anyway, obviously you’re non compliant once more.
This is probably little of a grey area. I don't think that the IP-address by itself is considered personal data since it usually doesn't single out a specific living person. Unless you pair it with other information, like date and time.
But if IP was considered personal data you would need an active consent from the user where you also inform them why you are doing this, which paragraph in GDPR gives you legal right to do this, how long the data is stored and you will need a data processing agreement with Cloudflare. You will also need to be able to prove that you made sufficient effort to make sure you are not handling data of someone under 16 years of age.
People often think that GDPR is made to forbid processing of personal data. Actually you can pretty much do anything with peoples information and still be GDPR compliant. It's more that it becomes such a hassle to do it and still be compliant that it's just not worth it to collect personal data "just because you can".
Seems like you could fix this issue by generating a random salt for the unique ID and placing it in local storage. Never send the salt value to the server, but incorporate it in the unique ID. This would keep the uniqueness property, but eliminate your ability to reverse the computation to retrieve PII.
Yes since GDPR states that personal data is any piece of information that uniquely identifies a living person, creating a unique identifier for each visitor by definition will make you a data processor.
But a unique identifier doesn't necessarily identify a living person, particularly in isolation. It's just that it's frequently associated with a load of additional information that could eventually be used to identify someone (think advertising cookies when associated with a load of browsing data). So you can't escape from scope by saying you're using a unique ID rather than a name.
IP addresses are slightly different because that address can be used to identify the subscriber in certain cases (who in turn may or may not be an individual).
I think there are two misconceptions in this post.
1. Cookies do not automatically require consent. If you use a session cookie to remember someone's login session, that does not require consent. It's when you use that session cookie for analytics, advertising, etc. that consent enters the picture.
2. The fact that you can uniquely identify the user on an ongoing basis, even if you're not tying it to any actual personal details or an IP address, is what makes that identifier personal information. Just because you obfuscate it does not change that. A hash hides the original data but it does not change the fact that it's a unique identifier, and therefore it's still personal information.
You have to anonymize the data in such a way that you couldn't pick out the specific individual from any stored data. A lossy anonymization step is one way to do it. A hash of a browser thumbprint is not, unless that hash also pools multiple users together and mixes the data up so that you can't pick them apart again.
The blog post is at best disinformation on this topic.
GDPR does not require cookie banner at all for this use case. GDPR is not about cookie banners at all. It is about consent of using personal or identifiable information. It is about safely processing data and not collection personal information that you were not permitted to have. This gets tricky as IP is recognized as private information in EU. This can be solved by telling GA to not collect it.
Google Analytics does not require you to post cookie banner, but you have to inform user on your privacy policy page that you are tracking their "anonymous" activity. How much it is anonymous knows only Google.
Source: https://marketingplatform.google.com/about/analytics/terms/u... section "7. Privacy"
What requires consent banner is Google Ads! Google is through you creating unique profile for each visitor that makes him identifiable. This is in direct conflict of GDPR that prohibits such behavior without explicit consent. So mere "We are storing cookies. > Accept <" is actually also in direct conflict with GDPR as you are lying or hiding this information from the user.
I am also not lawyer, but I was involved in implementation of this for e-commerce.
Let's say I write a site that doesn't set any cookies when you load it, but, it does have a login form on a few pages.
If you fill in the form and click submit, a cookie is set by that site (not by some auth server, SSO system, adserver, etc) which keeps you logged in for future visits. It contains a unique token. You know, the usual way to do basic web form -> server checks via bcrypt or some other password hashing scheme -> generates a long unique token and saves it in a DB -> sends it to the client via a cookie -> that cookie is looked up in the DB for a period of time which will then authenticate the incoming request.
This does not require a cookie banner whatsoever. Right?
Correct. You only need a banner for invasive tracking.
Normal visitor counting, login handling, preference setting, etc. is all allowed by default. Only when you don't have a valid reason to process the user's data, then you need to ask them for consent, and that's the only time you need a cookie wall. Everything else is opt-out.
Would be a crazy world if I ask the pizza store to deliver my pizza but I need to consent to them using my address to deliver it. It's obviously essential. Many people see it as such, though, and they resort to including weird clauses like "by hitting submit I consent to the processing of the data in the contact form for the purpose of fulfilling my request". That is like the definition of one of the legal bases you can use (aside from consent) and definitely does not require consent.
Example, 6(1)(a) says: "in order to take steps at the request of the data subject", so you don't need to have any GDPR checkboxes or banners when you have a contact form.
I believe you are correct, but I believe you also need to have a cookie/privacy policy page, where you explain what data you are storing and processing. I forget off the top of my head if that's a requirement of GDPR or ePrivacy, but you need to comply with both.
Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
...
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
- Receive users’ consent before you use any cookies except strictly necessary cookies.
If the cookie is purely functional, and is not used for any other purposes, you are neither required to request consent nor inform, provided it is for a service the user explicitly requests.
For example, authentication, preference setting, form submission, etc. are all explicit requests.
If your cookies do not require consent, you are not required to explain them to the user (although personally I'd say it's a good practice).
EDIT: the above is not true, please check the comments below for further discussion.
Honestly, if you’re just a small personal website or blog then just don’t bother with those idiotic cookie consent banners. Use Google Analytics or whatever makes you happy and nobody will ever say anything to you unless you’re an extremely famous person and even then the chances of someone ever bothering you regarding a GA cookie is very unlikely. Especially if you’re a tech blog your readers know how cookies work and how to protect themselves from “tracking” so you’re not even doing anyone a favour. It’s pure annoyance with zero benefit. Obviously if you’re a big corp you’ll have to comply, but I’d even question then what the EU is really going to do. Just write a page of how you use data and be honest, transparent and ethical about it and spare yourself to bastardise your beautiful website with EU shenanigans. And I’m from the EU and even dislike it.
Honestly, please respect the laws (unless you are doing civil disobedience, I won't judge you) and people even if they are techies.
You don't want to show me a banner because it's painful? Right, I agree. Just don't opt me in into this crap and then you don't need to show me the banner.
You can use your server logs to measure your audience.
You want the warning banners simply because it's a law or do they actually help you with something?
Out of curiosity, do you ever break driving laws such as speed limits?
Do you really need Google Analytics if you just have a small personal website?
Now that we know the privacy cost, is it worth sending yet another node of a user’s browsing behavior from a presumably well intended personal website?
If you're just a small personal website and still need analytics, than just use a self-hosted solution, as it will be really cheap (or even free) to host and your data is never sent to 3rd parties.
For example, if you have a WordPress site, you could install https://www.usertrack.net as a WP plugin and all data will be stored locally.
honestly this is terrible advice. I know it's annoying to many people, but the EU isn't autonomously pursuing corps big or small - its legislation will kick into action if _anyone_ files a complaint after visiting your website, and you'll be subject to the same possible penalties as anyone.
Iirc, though, the law states that the fine will come only if you don’t comply with an initial warning, which will always have to be the first step. In that case, you can easily comply and not be fined.
This is vapid reactionary nonsense of the worst kind: The kind that gives you bad advice and appeals to you to accept it from a position of outrage. Anyone can and should make an informed choice not to follow rules they find problematic, that decision should not be based on how upset you feel.
You have misinterpreted that (which I understand if you're American, since the word personal have a different legal definition there).
Purely personal activities is not really interpreted as "I have a personal blog" sense, but in "I need to call my friends" sense. If you are indiscriminately processing data of possibly hundreds of people (note that at least on cases in Austria, it can be as low as 50 individuals), it is no longer purely personal and is now partially commercial, and unless you have other reasons to collect the data (research or you have actively obtained consent), you cannot simply do this.
A personal blog would likely qualify for that, however, many personal websites would not pass the test of "no connection to a professional or commercial activity" (from https://gdpr-info.eu/recitals/no-18/) - if you sell something on that site, or have ad revenue, or use it as advertisement for your professional consultations, then it's not purely household activity.
If you have a bootstrapped web startup project that you want to launch (e.g. collecting "pre-sales" signups from a minimum viable product), then it's definitely not purely personal or household activity even before you have registered a company.
This is one of those laws on the books to punish people who the EU (or relevant national government) think needs to be punished. It's end result is just endless fucking annoyance to use any website and from every one of these threads I read all the annoying cookie permission and opt in popups ar e probably illegal under the GDPR anyway. If I'm going to slap google analytics on a personal site, I'm going to do it and not worry.
For all I know doing that might be forbidden under the GDPR or it might not, I don't care to find out.
Google recently introduced "Consent Mode" which basically disables cookie-based tracking and collects anonymous data only. I still find it problematic as Google probably doesn't need a cookie to identify you but it's at least something that is officially backed by Google, instead of a hack like this.
BTW if you use client information to derive an identifier that is unique within a session and you send that identifier to a third-party (e.g. Google) this approach gives you zero benefits. In fact ePrivacy & GDPR don't mention cookies anywhere and don't care what technology you use to derive identifiers, if they can robustly identify an individual or device and you actually send them to another service (for purposes that are not strictly necessary for the performance of your service) you're obliged to asked for consent.
Readit News
correct me if I'm making wrong assumptions here, as staid - not a lawyer either, just having lots to do with the topic as a EU based webdeveloper.
However, IANAL.
So A user visited me on the 12th. That user visited me again on the 15th. Is that PII?
For https://plausible.io we added a daily salt to the hash for this exact reason. By deleting the salt at the end of each day, the hash becomes impossible to reverse and visitor data can be considered anonymous.
We lose unique visitor tracking beyond one day, but for most sites this is a small price to pay to remove annoying consent banners.
Website owners are still sending visitors IP-addresses your way. They have to trust you to do the hashing and deleting the salt (and pepper?) and not delivering data to others (4th party).
Another problem you - and others like goatcounter have - is described here https://blog.paranoidpenguin.net/2020/07/plausible-analytics....
But if IP was considered personal data you would need an active consent from the user where you also inform them why you are doing this, which paragraph in GDPR gives you legal right to do this, how long the data is stored and you will need a data processing agreement with Cloudflare. You will also need to be able to prove that you made sufficient effort to make sure you are not handling data of someone under 16 years of age.
People often think that GDPR is made to forbid processing of personal data. Actually you can pretty much do anything with peoples information and still be GDPR compliant. It's more that it becomes such a hassle to do it and still be compliant that it's just not worth it to collect personal data "just because you can".
IP addresses are slightly different because that address can be used to identify the subscriber in certain cases (who in turn may or may not be an individual).
Dead Comment
1. Cookies do not automatically require consent. If you use a session cookie to remember someone's login session, that does not require consent. It's when you use that session cookie for analytics, advertising, etc. that consent enters the picture.
2. The fact that you can uniquely identify the user on an ongoing basis, even if you're not tying it to any actual personal details or an IP address, is what makes that identifier personal information. Just because you obfuscate it does not change that. A hash hides the original data but it does not change the fact that it's a unique identifier, and therefore it's still personal information.
You have to anonymize the data in such a way that you couldn't pick out the specific individual from any stored data. A lossy anonymization step is one way to do it. A hash of a browser thumbprint is not, unless that hash also pools multiple users together and mixes the data up so that you can't pick them apart again.
GDPR does not require cookie banner at all for this use case. GDPR is not about cookie banners at all. It is about consent of using personal or identifiable information. It is about safely processing data and not collection personal information that you were not permitted to have. This gets tricky as IP is recognized as private information in EU. This can be solved by telling GA to not collect it.
Google Analytics does not require you to post cookie banner, but you have to inform user on your privacy policy page that you are tracking their "anonymous" activity. How much it is anonymous knows only Google. Source: https://marketingplatform.google.com/about/analytics/terms/u... section "7. Privacy"
What requires consent banner is Google Ads! Google is through you creating unique profile for each visitor that makes him identifiable. This is in direct conflict of GDPR that prohibits such behavior without explicit consent. So mere "We are storing cookies. > Accept <" is actually also in direct conflict with GDPR as you are lying or hiding this information from the user.
I am also not lawyer, but I was involved in implementation of this for e-commerce.
Let's say I write a site that doesn't set any cookies when you load it, but, it does have a login form on a few pages.
If you fill in the form and click submit, a cookie is set by that site (not by some auth server, SSO system, adserver, etc) which keeps you logged in for future visits. It contains a unique token. You know, the usual way to do basic web form -> server checks via bcrypt or some other password hashing scheme -> generates a long unique token and saves it in a DB -> sends it to the client via a cookie -> that cookie is looked up in the DB for a period of time which will then authenticate the incoming request.
This does not require a cookie banner whatsoever. Right?
Normal visitor counting, login handling, preference setting, etc. is all allowed by default. Only when you don't have a valid reason to process the user's data, then you need to ask them for consent, and that's the only time you need a cookie wall. Everything else is opt-out.
Would be a crazy world if I ask the pizza store to deliver my pizza but I need to consent to them using my address to deliver it. It's obviously essential. Many people see it as such, though, and they resort to including weird clauses like "by hitting submit I consent to the processing of the data in the contact form for the purpose of fulfilling my request". That is like the definition of one of the legal bases you can use (aside from consent) and definitely does not require consent.
The law is quite readable and not overly elaborate, see Article 6(1) of the GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
Example, 6(1)(a) says: "in order to take steps at the request of the data subject", so you don't need to have any GDPR checkboxes or banners when you have a contact form.
To my knowledge that might need consent, depending on what do you mean / how it's performed.
You should still have a notice somewhere that explains this though.
Consent is mainly required for cookies that are not technical requirements for providing the service.
Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
...
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
- Receive users’ consent before you use any cookies except strictly necessary cookies.
If the cookie is purely functional, and is not used for any other purposes, you are neither required to request consent nor inform, provided it is for a service the user explicitly requests.
For example, authentication, preference setting, form submission, etc. are all explicit requests.
If your cookies do not require consent, you are not required to explain them to the user (although personally I'd say it's a good practice).
EDIT: the above is not true, please check the comments below for further discussion.
You don't want to show me a banner because it's painful? Right, I agree. Just don't opt me in into this crap and then you don't need to show me the banner.
You can use your server logs to measure your audience.
Now that we know the privacy cost, is it worth sending yet another node of a user’s browsing behavior from a presumably well intended personal website?
For example, if you have a WordPress site, you could install https://www.usertrack.net as a WP plugin and all data will be stored locally.
edit: here's a source: https://gdpr-info.eu/art-2-gdpr/
This Regulation does not apply to the processing of personal data:
(c) - by a natural person in the course of a purely personal or household activity;
Purely personal activities is not really interpreted as "I have a personal blog" sense, but in "I need to call my friends" sense. If you are indiscriminately processing data of possibly hundreds of people (note that at least on cases in Austria, it can be as low as 50 individuals), it is no longer purely personal and is now partially commercial, and unless you have other reasons to collect the data (research or you have actively obtained consent), you cannot simply do this.
If you have a bootstrapped web startup project that you want to launch (e.g. collecting "pre-sales" signups from a minimum viable product), then it's definitely not purely personal or household activity even before you have registered a company.
This is one of those laws on the books to punish people who the EU (or relevant national government) think needs to be punished. It's end result is just endless fucking annoyance to use any website and from every one of these threads I read all the annoying cookie permission and opt in popups ar e probably illegal under the GDPR anyway. If I'm going to slap google analytics on a personal site, I'm going to do it and not worry.
For all I know doing that might be forbidden under the GDPR or it might not, I don't care to find out.
BTW if you use client information to derive an identifier that is unique within a session and you send that identifier to a third-party (e.g. Google) this approach gives you zero benefits. In fact ePrivacy & GDPR don't mention cookies anywhere and don't care what technology you use to derive identifiers, if they can robustly identify an individual or device and you actually send them to another service (for purposes that are not strictly necessary for the performance of your service) you're obliged to asked for consent.