[kuschku]

That’s all fine and nice, but how did Mozilla Legal approve this in the first place?

It’s obvious this violates both the so-called "Cookie Law" and the Google Analytics ToS, as both require any page with tracking to specifically tell the user that they will track the user. And the so-called "Cookie Law" goes even further, and requires it to be directly done in a modal.

How did Mozilla, a company saying they fight for privacy, approve something that does not even meet the absolute minimum bar for privacy, the actual privacy laws?

[eli]

It's not "obvious" that it violates either of those.

The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites. And that's assuming a standard GA snippet, not the smaller subset of data Mozilla is collecting here.

And the GA ToS require you to have a privacy policy and to make users aware of it. It doesn't require a link on every page. You already agreed to the Mozilla privacy policy as part of the Firefox install process, right?

[gcp]

The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites

Do you have a good reference for this? Especially the "don't follow you across sites" seems weird as Google will end up collecting hits from the same IP/browser/etc combo across sites, which trivially allows following.

[amichal]

Found a source for this opinion. Here [1] are instructions from the Dutch Government's "Personal Data Authority" on setting up GA in compliance with their laws in a way that does (did?) not require an explicit notice. See [2] for an explanation in english

[1] https://autoriteitpersoonsgegevens.nl/sites/default/files/at... [2] https://www.iabeurope.eu/eucookielaws/nl/

TLDR: If you use the following code. You are fine to use GA without a notice under Dutch law.

ga('set', 'forceSSL', true); ga('set', 'anonymizeIp', true);

[gcp]

Thank you! This is really useful.

[kuschku]

Be aware, this changes in 316 days, when the EU GDPR comes into force, and makes even for those cases opt-in required.

[amichal]

Opt-in via published policy or some silly explicit checkbox?

[amichal]

I don't know what firefox addon pages does (and i see they have a special arrangement) and am not taking sides but for IP at least there is an option partially scrub it before it gets to disk at Google.

https://support.google.com/analytics/answer/2763052?hl=en

Edit: what do we think?

[lucideer]

> The general consensus is that normal GA tracking alone does not meet the standards to trigger either the EU or the stricter Dutch cookie notification requirements since they are using first-party cookies not tied to PII and don't follow you across sites

I don't know about following you across sites, but "PII" is a US legal term, so I highly doubt it's a determiner in applying EU law. GA may not collect PII under US law, but it does fall into EU data protection compliance.

The problem in the EU is the system of enforcement. EU directives require member states to legislate individually, and to enforce their own legislation individually. If that enforcement is deficient, the case can be taken to the ECJ on an individual basis (at possibly significant cost). This doesn't work. Which has motivated the creation of GDPR[0], but unfortunately this doesn't come into play until 2018

[0] https://en.wikipedia.org/wiki/GDPR

[lucideer]

I'm not sure what the "Mozilla Legal" process is, but this thread[0] from 2012 seems to be a recurring source of authority on decision-making around this, from my reading of Bugzilla.

This is what tofumatt was referring to when closing this Github thread.

[0] https://groups.google.com/forum/#!msg/mozilla.governance/9IQ...