by argon81 2172 days ago
Wait. You tracked users after they opted out of tracking? How else did you get this data?

Counters are not PII.
It's not personal data, so it's not under the scope of GDPR.
Yeah, no. This is about the ePrivacy directive, if you don't have proper consent, you can't read/write tracers regardless of whether this is personal data or not, except for tracers needed to establish the communication or demanded by the user (carts, login, etc.).

EDIT: Thought about it, and if you only record the button click and do not identify the user, it works, and I am wrong! In general ePrivacy is very restrictive, only about access to terminal and not about personal data (and btw PII is not a GDPR thing, we say personal data), but here it's ok! So yeah, no to me!

There’s no tracer. Just a counter of how many said yes vs how many said no. There’s no personally identifiable information there.
The downside of this method is that it is impossible to discard duplicated negative answers.
Functional cookies (e.g. has displayed banner to this user) are fine, you don't need consent.
GDPR defines what is PII and then regulates when companies may use PII. A page visit counter collects anonymous data. Anonymous data is not PII. You cannot tell I was their 345th visitor.

>> Yeah, no.

Exactly.

GDPR doesn't actually require consent to process personal data. It requires that the processing be lawful. Consent is one basis for lawfulness, but it is not the only one. There are 5 others.

One of these is that the processing is necessary for the performance of a task carried out in the public interest.

You could probably make a colorable argument that research for publication into the effectiveness of GDPR implementation approaches is in the public interest.

Not if you're a private company or an individual.
That basis of lawfulness, from Article 6 section 1(e), is "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".

On the face of it there doesn't appear to be any restriction on who can use that basis.

The only recital I've found that mentions this is Recital 45. It says:

> It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

That seems potentially pretty expansive.

You can track things anonymously in a way which complies with the GDPR without requiring consent.