[islanderfun]

> that means is you just can't blindly collect them

Genuinely curious, what about all of the web servers that log every request which usually by default includes the client IP? Not doing anything special with the IP, they are just there in log files and archives.

[jesdjkeujjuju]

Personally, I'll activate anonymization of ip addresses in my logs coming next week. There are various solutions for that available.

I think you can also log the ip, you just have to get your user's explicit consent.

I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.

It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.

So much as I dislike the new privacy laws, at least the made me reconsider my AdSense settings.

[binarnosp]

Google analytics has an option to anonymize the IP and remove unique user id from the data collection.

[jesdjkeujjuju]

Sure, not saying you can't use Google Analytics, just that my choice is to remove it.

[scaryclam]

It's fine to collect this information in your logs as it's part of the normal operation. I log them for security reasons and the logs do not persist for more than a week or two, which is less than the month I'd have to comply within. Provided you're not logging IP addresses for non-legitimate reasons and you're not keeping the data for longer than you reasonably need to, you have nothing to worry about.

[jtl999]

`tail /var/log/nginx/access.log` Oops.

Also the section of the GDPR that talks about pseudonymization using a token how should my user DB table be GDPR compliant? Contains ID (primary key), username, password hash, email, etc and the ID is also in other DB tables for obvious reasons (such as user posts/actions).

[jesdjkeujjuju]

I think it can simply be GDPR compliant if you inform your users that you are saving that data in your database, and they give you the explicit OK to do to. Explicit consent meaning they tick a checkbox saying "I understand that page x is saving the data y in a database and I am OK with it".

If you have a site where users can make posts, I'd say they pretty much give you consent by signing up. IANAL, though.

[scaryclam]

The consent has to be explicit. Of course, you can always just require consent in order to sign up. Just as long as it's clear what's going on and you can remove/anonymise the data if the user decides to revoke their consent and leave the service.

[jesdjkeujjuju]

OK, but explicit in what sense? Does it have to refer to the GDPR, as in "I agree my dta will be stored according to GDPR"? I must admit I have trouble understanding it - how could anybody sign up anywhere without data being stored?