[donohoe]

Plausible Analytics is GDPR compliant - with one possible exception - the IP address which if they dropped the last 3 digits would probably be enough.

The blog post conflates general data points with PII. The IP address is considered PII.

While other info can be used for fingerprinting, it’s ok to use in some capacity as long as you don’t.

For background, I’ve done GDPR implantation a in the past, an a privacy advocate in that sense, and spent more time with lawyers in this subject then I’d care to admit.

(Pardon brevity/typos, on phone with unreliable connection)

[nscmnto]

The IP address, on its own, should not considered PII.

There was a ruling in Breyer vs. Germany that IP addresses can be considered PII – in certain circumstances.

The case was brought against an ISP, and the court ruled that the company had enough correlating data at its disposal to make an IP address de facto PII for any of its customers. The court limited its ruling, saying that with just an IP address alone, the protections associated with the directive wouldn’t apply.

[fogihujy]

GDPR simply classifies "personal data" as any piece of information that can be used to identify an individual. A static IP used by one person could therefore be considered personal data while a public IP shared between thousands of people behind carrier-grade NAT would not.

The problem is that you can't tell the two apart and decide when it's safe handle the IP.

[magicalhippo]

Indeed. My dynamically allocated public IPv4 address, given to me by my cable company, has been the same for as long as I've lived here, over four years now.

Ironically, my IPv6 prefix can change several times a day...

[yorwba]

IP addresses IP addresses are never PII. PII means information about a person who can be identified. In that context, IP adresses are an identifier, not the information itself.

If you store IP adresses in your customer database, the information is that a person with that IP is one of your customers. This information is considered PII if it's possible to use the IP to identify the person the information is about, e.g. using a government database of everyone's IP address. If the data never reaches someone with access to such a database, it's not PII.

(This is a somewhat pendantic distinction, but it matters legally. Data protection law doesn't care about which identifiers are being used, but about the data associated with it and whether it tells you something about a specific identifiable person.)

[mikehall314]

I was under the impression that they did not store IP addresses, though I could be incorrect.

Their docs suggest as much https://docs.plausible.io/excluding/

"Most web analytics tools do this by excluding certain IP addresses from being counted. However, we do not store the visitors’ IP addresses in our database for privacy reasons"

[markosaric]

We never store IP addresses in our database or logs. See the full details of our data policy: https://plausible.io/data-policy

[frollo]

GDPR doesn't care about storage. Even if you just acquired personal information without processing it, you still had to be GDPR compliant.

In fact, the solution suggested above (only using a truncated IP address) would still require you to acquire and process the IP address and thus be subject to GDPR.

[ukutaht]

Thanks for clearing this up. The general data points and metrics we store are not personal data.

IP address is the only piece of data that we touch that is considered PII under some regulations including GDPR.

The IP address is fully anonymized by hashing it together with a daily changing salt. Old salts are deleted to as to prevent re-identification: https://github.com/plausible/analytics/blob/master/lib/plaus...

According to GDPR Recital 26, anonymized data does not fall within the GDPR at all because data is no longer considered “personal data” following anonymization:

> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

[corentin88]

GDPR states “For data to be truly anonymised, the anonymisation must be irreversible”. So dropping 3 digits is clearly not enough to anonymize PII, it’s more pseudonymization.

[dbbk]

How can an IP address without the last 3 digits possibly ever identify someone? That surface area is just way too large.

[M2Ys4U]

By using other information to narrow the pool of possible people.

[lez]

Aren't the biggest corporations doing the same on orders of magnitude larger datasets? They get away very well with merging data from quite a few acquired companies.

If small companies are called upon compliance with such vehemence, the big ones who know so much of us should be brought up, at least 100x times more.

[M2Ys4U]

> Aren't the biggest corporations doing the same on orders of magnitude larger datasets? They get away very well with merging data from quite a few acquired companies.

Yes, and it's worth noting how few data points one needs to identify an individual.

>If small companies are called upon compliance with such vehemence, the big ones who know so much of us should be brought up, at least 100x times more.

Absolutely, no argument from me here.

[that_guy_iain]

I am curious, how are you going to unanonymise an IP to something that could have 255 combinations (and that's just if you drop that last part on an IPv4). Nevermind that an IP alone is not PII. How can you reverse something that has many possibilties?

[donohoe]

>> IP alone is not PII

It is in Europe, despite some regional rulings (Germany?). It is not considered PII in the USA.

[fmajid]

IP addresses are also explicitly considered PII by California’s CCPA.

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following: (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

[donohoe]

That was true once. Longer answer "it depends":

“[I]f a business collects the IP addresses of visitors to its websites but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.”

Source: https://iapp.org/news/a/are-ip-addresses-personal-informatio...

[fmajid]

You missed the paragraph:

"However, when the attorney general revised its draft regulations for a second time March 11, the guidance was struck without explanation."

[that_guy_iain]

Just to be that guy. There is a slight difference between Personal Identifying Information and Personal Information.

[that_guy_iain]

GDPR is EU law. So the regional rulings are extremely important for deciding what you think you can and can't do.

And I think we're missing the main point. How can it be reversed if there are hundreds of possibilites.

[donohoe]

True. I was thinking more about how it drops some location level information.

I can't presume what Plausible does (have not read their docs in awhile) but they have commented here to provide more specific clarification that address IP usage (TLDR: what they do is fine and compliant)

[scoot_718]

Actually with CGNAT IP (and arguably before then) IP addresses aren't personally identifiable information.

That said, the GDPR is deranged and might define things differently. Blocking the EU is safer.

Of course there are research exceptions that you could drive a truck through, and logging is still valid, so none of this matters.