After receiving tons of, uhhh... "feedback," I've updated the recent article on GDPR to present a more nuanced viewpoint and conclusion. Specifically, I have provided further elaboration on legitimate interests.

Show this thread

pilcrow

@pilcrowonpaper

May 10

Uh... ok so it hit the front page of HackerNews and r/webdev. I'm kinda anxious with how much attention it's getting I have never felt so relieved reading a comment tho:

Quote Tweet

pilcrow

@pilcrowonpaper

May 10

I wrote my first blog! It's about GDPR and analytics, but it should be a good general introduction to EU privacy laws as well. pilcrow.vercel.app/blog/gdpr-anal

pilcrow

@pilcrowonpaper

May 10

I wrote my first blog! It's about GDPR and analytics, but it should be a good general introduction to EU privacy laws as well.

pilcrow.vercel.app

Your "GDPR compliant" analytics is probably violating GDPR

Let's clear up some misconceptions surrounding EU privacy laws and look at why your privacy-friendly analytics is probably violating them.

pilcrow

@pilcrowonpaper

May 8

And yes, a full article on everything GDPR and analytics is coming soon

🌶️

Quote Tweet

pilcrow

@pilcrowonpaper

May 8

It's possible that most analytics provider, including @PlausibleHQ , @vercel , and @googleanalytics are violating GDPR and the laws surrounding it, strictly speaking. Of course, I'm not a lawyer and this is my own opinion.

Show this thread

pilcrow

@pilcrowonpaper

May 8

There is hope though. The EU is considering updating the existing ePrivacy Directive to allow non-privacy intrusive cookies without the user's consent.

It's important to remember that each EU member may interpret laws differently. Notably, France's CNIL has allowed for non-essentials cookies to be used without consent under some conditions. However, this should only be applied to French users and it is not a EU wide decision.

Germany's highest court has also ruled that this directive should not be interpreted differently even if the data is not personal data. This means you cannot check for first time users using cookies. curia.europa.eu/juris/document

Next, the ePrivacy Directive (2022/58/EC) prohibits data from being stored to the device without the user's consent. This includes local storage in addition to cookies. The only exception is data strictly required to provide the requested service/content. eur-lex.europa.eu/legal-content/

This means automatically generating and storing an id, regardless of the method used (such as fingerprinting and hashing/encryption), is a violation. Vercel and Plausible claims GDPR compliancy by hashing the IP address and user agent.

commission.europa.eu

What is personal data?

Data covered by the EU’s data protection rules, including name, email, IP address and health information.

Names and home addresses are obvious, but online identifiers, such as email addresses, IP addresses, and session ids, are included. Any data that is linked to a single user (or approximately so), whether it reveals any personal info or not, is considered personal data.

GDPR prohibits the processing (incl. storage) of personal data without a legal basis (e.g. consent). Personal data is a broad term that describes data that relates to an identified or identifiable user. The combination of non-personal data may be personal data as well.

EU laws make it remarkably difficult to count unique visitors, even in a privacy friendly way. To count visitors, you need to either: 1. Assign ids to users 2. Store data to the client Both options will likely result in a violation of GDPR and/or the ePrivacy Directive (EU+UK).

It's possible that most analytics provider, including

@PlausibleHQ

@vercel

, and

@googleanalytics

are violating GDPR and the laws surrounding it, strictly speaking. Of course, I'm not a lawyer and this is my own opinion.

I do not feel comfortable advertising my analytics library as "GDPR compliant" when it's really "maybe GDPR compliant" I'm giving up on counting unique visitors from EU A 🧵 (last one on EU laws!)

I think I found an ingenious way to count daily unique visitors. GDPR compliant (likely - can't say for certain), no cookies, no localstorage, no fingerprinting, no IP addresses, no user agents.

pilcrow

@pilcrowonpaper

May 7

I should really just write an article about GDPR

pilcrow

@pilcrowonpaper

May 7

Keep in mind that data may not be considered anonymized if it's stored alongside data that, in combination, could be used to identify the user. For example, storing the masked IP address with the user id (which connects to an account that stores IPs)

Cookieless analytics (like Plausible) counts unique visitors by creating a hash of the IP + user agent with a daily rotating salt. Even if the salt is deleted in 24 hours, I'm still not sure if that counts as anonymization.

As for hashing, it might still be considered pseudonymization. For IPv4, there's only 4 billion combinations, which means hashes can be brute-forced in a few seconds. Brute-forcing IPv6 is near impossible so hashing it might be fine but ehhhh.....

Personal data where attributes that identify a user is removed is anonymized. Gender, country, and initials fit into this category.

What's the difference? Pseudonymization is the process of making data "no longer be attributed to a specific data subject without the use of additional information." Encryption is one example as you can decrypt it if you have a key.

Correction - pseudonymised data are still considered personal data and require consent to be processed. I meant to say anonymized data, which does not have that requirement. IP masking (which I gave as an example) are considered anonymization, though it's still a grey area.

Quote Tweet

pilcrow

@pilcrowonpaper

May 6

I spent the entire day researching GDPR and the ePrivacy Directive uuuhhgggg Anyway, here's what I found (NOT LEGAL ADVICE!)

Show this thread

pilcrow

@pilcrowonpaper

May 7

Made a mistake. Personal email address are 100% personal data, my bad. Company emails are not.

As for how I'm going to track unique users, EU users will use the IP without the last 4 digit + user agent, while non-EU users will use regular cookies.

A lot of things are still in the gray zone but your website should have a privacy policy if you handle personal data. Make sure you mention where the data is being processed as well.

As a side note, using cookies and data collected on the basis of protecting users seems like the most common way websites handle first party analytics.

Anything related to analytics and ads is not considered "strictly necessary." There isn't an EU wide consensus yet on exceptions but not using cookies at all for analytics is the safest bet.

You may skip getting a consent if it's reasonable from the user's perspective. For cookies, this means you can only store those that are deemed "strictly necessary" for the website to run, including auth and storing user preferences.

Consent must be a positive opt-in. Visiting your website does not count as consent, nor does scrolling or navigation.

The most commonly known one being consent, but it also includes "legitimate basis," legal obligation, and vital interests of the user. Security related things (like IP logging) may fall under the last basis.

Any data that can be used to identify a user (actual person) is considered personal data. This includes names and IP addresses, but not email addresses. Alongside setting cookies, processing (includes storing) such data is prohibited unless you have a legitimate legal basis.

I spent the entire day researching GDPR and the ePrivacy Directive uuuhhgggg Anyway, here's what I found (NOT LEGAL ADVICE!)

Just found out that UK's ICO explicitly mentions that counting unique visitors using cookies does not fall under neither of the cookie consent exemption

ico.org.uk

What are the rules on cookies and similar technologies?

I thought about using IP addresses for counting unique visitors, but those are personal identifiable data, which is subject to much stricter rules. Hashing or encrypting it may not make it GDPR compliant as well.

Huh, you can use cookies for analytics (at least in FR) if they meet certain conditions: - 1st party cookie - mentioned in the privacy policy - not connected to user data - not shared with 3rd party - short lived cnil.fr/fr/cookies-et-

It will only track common metrics and customizability will be limited. Like I said, it's intended for side projects and smaller stuff like that :D

I'm not sure if I should be using divs for charts ...and yes, my next open source thing is for handling analytics!

0:08

635 views

Show this thread