Not a lawyer myself, but as far as my understanding goes you are identifying your user already by determining his IP, and all the transformations you do to create an id are still reversible with the fixed seeds in your script - so you'll end up sending data to Google that makes the user identifiable nonetheless, so I HIGHLY doubt this is a legitimate way around GDPR.
Correct me if I'm making wrong assumptions here, as said - not a lawyer either, just having lots to do with the topic as an EU-based web developer.
This is how I understand GDPR as well. Just hashing the IP address along with other static values is too easy to reverse and not considered anonymization under GDPR.
For https://plausible.io we added a daily salt to the hash for this exact reason. By deleting the salt at the end of each day, the hash becomes impossible to reverse and visitor data can be considered anonymous.
We lose unique visitor tracking beyond one day, but for most sites this is a small price to pay to remove annoying consent banners.
Website owners are still sending visitors' IP addresses your way. They have to trust you to do the hashing and deleting the salt (and pepper?) and not delivering data to others (4th party).
I thought that "CNAME cloaking" was already addressed by uBlock and most similar tools last year? I don't think it's a very effective method to bypass them.
In goatcounter the whole CNAME thing was just intended as a cute "shortcut" so you can have "stats.example.com"; I assumed that all adblockers would deal with that correctly, and it was never intended as a way to bypass them (and certainly never advertised as such).
As for "selling IP address", how do you know "blog.example.com" isn't just collecting and selling that? Or HN for that matter?
Google's system of removing the last part of the IP address exists specifically so you can be compliant. If you use tricks to store the data anyway, obviously you're non-compliant once more.
This is probably a bit of a grey area. I don't think that the IP address by itself is considered personal data since it usually doesn't single out a specific living person. Unless you pair it with other information, like date and time.
But if IP was considered personal data you would need an active consent from the user where you also inform them why you are doing this, which paragraph in GDPR gives you legal right to do this, how long the data is stored and you will need a data processing agreement with Cloudflare. You will also need to be able to prove that you made sufficient effort to make sure you are not handling data of someone under 16 years of age.
People often think that GDPR is made to forbid processing of personal data. Actually you can pretty much do anything with people's information and still be GDPR compliant. It's more that it becomes such a hassle to do it and still be compliant that it's just not worth it to collect personal data "just because you can".
Seems like you could fix this issue by generating a random salt for the unique ID and placing it in local storage. Never send the salt value to the server, but incorporate it in the unique ID. This would keep the uniqueness property, but eliminate your ability to reverse the computation to retrieve PII.
Yes since GDPR states that personal data is any piece of information that uniquely identifies a living person, creating a unique identifier for each visitor by definition will make you a data processor.
But a unique identifier doesn't necessarily identify a living person, particularly in isolation. It's just that it's frequently associated with a load of additional information that could eventually be used to identify someone (think advertising cookies when associated with a load of browsing data). So you can't escape from scope by saying you're using a unique ID rather than a name.
IP addresses are slightly different because that address can be used to identify the subscriber in certain cases (who in turn may or may not be an individual).
Suppose the government wants to know what a particular user was reading on your site. They can calculate the hashed ID for that user and then serve a warrant requesting the data for that ID.
You can, but you need to explicitly state in your data policy that this is what the data is used for and you can never use this data for any other purpose.
IANAL:
If you were allowed to use GDPR under an exemption, perhaps abuse protection, is that the only purpose the data will be used for by yourself and GA?
If you or a data processor you use, uses the data for secondary purposes not covered by any exemption to opt-in consent, I believe you would have to get opt-in consent for those secondary purposes beforehand.
Note: the cookie law is the ePrivacy directive (and national interpretations like PECR) and it goes beyond GDPR in some ways, as the ICO states "Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies." ( https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a... )
I think there are two misconceptions in this post.
1. Cookies do not automatically require consent. If you use a session cookie to remember someone's login session, that does not require consent. It's when you use that session cookie for analytics, advertising, etc. that consent enters the picture.
2. The fact that you can uniquely identify the user on an ongoing basis, even if you're not tying it to any actual personal details or an IP address, is what makes that identifier personal information. Just because you obfuscate it does not change that. A hash hides the original data but it does not change the fact that it's a unique identifier, and therefore it's still personal information.
You have to anonymize the data in such a way that you couldn't pick out the specific individual from any stored data. A lossy anonymization step is one way to do it. A hash of a browser thumbprint is not, unless that hash also pools multiple users together and mixes the data up so that you can't pick them apart again.
The blog post is at best disinformation on this topic.
GDPR does not require a cookie banner at all for this use case. GDPR is not about cookie banners at all. It is about consent for using personal or identifiable information. It is about safely processing data and not collecting personal information that you were not permitted to have. This gets tricky as IP is recognized as private information in the EU. This can be solved by telling GA to not collect it.
Google Analytics does not require you to post a cookie banner, but you have to inform the user on your privacy policy page that you are tracking their "anonymous" activity. How anonymous it is, only Google knows.
Source: https://marketingplatform.google.com/about/analytics/terms/u... section "7. Privacy"
What requires a consent banner is Google Ads! Google is, through you, creating a unique profile for each visitor that makes him identifiable. This is in direct conflict with GDPR, which prohibits such behavior without explicit consent. So a mere "We are storing cookies. > Accept <" is actually also in direct conflict with GDPR as you are lying or hiding this information from the user.
I am also not a lawyer, but I was involved in the implementation of this for e-commerce.
Let's say I write a site that doesn't set any cookies when you load it, but, it does have a login form on a few pages.
If you fill in the form and click submit, a cookie is set by that site (not by some auth server, SSO system, adserver, etc) which keeps you logged in for future visits. It contains a unique token. You know, the usual way to do basic web form -> server checks via bcrypt or some other password hashing scheme -> generates a long unique token and saves it in a DB -> sends it to the client via a cookie -> that cookie is looked up in the DB for a period of time which will then authenticate the incoming request.
This does not require a cookie banner whatsoever. Right?
Correct. You only need a banner for invasive tracking.
Normal visitor counting, login handling, preference setting, etc. is all allowed by default. Only when you don't have a valid reason to process the user's data, then you need to ask them for consent, and that's the only time you need a cookie wall. Everything else is opt-out.
Would be a crazy world if I ask the pizza store to deliver my pizza but I need to consent to them using my address to deliver it. It's obviously essential. Many people see it as such, though, and they resort to including weird clauses like "by hitting submit I consent to the processing of the data in the contact form for the purpose of fulfilling my request". That is like the definition of one of the legal bases you can use (aside from consent) and definitely does not require consent.
For example, 6(1)(a) says: "in order to take steps at the request of the data subject", so you don't need to have any GDPR checkboxes or banners when you have a contact form.
Trying to track "return visits" often requires installing identifying tokens (cookies, localStorage, etc.). Even if no human ever looks at an individual person's data, you are processing it, so GDPR applies.
But that's where the last legal basis comes in:
> processing is necessary [for] the legitimate interests pursued by the [website], except where such interests are overridden by the interests [of] the data subject
So:
(1) on the one hand, the site owner has a legitimate interest in making the website better. This really can even solely benefit the user, e.g. if you're a non-profit like Wikipedia, but it might also just benefit you and that's okay.
(2) on the other, everyone has the right to privacy. Is privacy violated if you analyse this in an automated fashion? Is there any potential negative consequence for "private and family life, his home and his correspondence"[1]?
If the answer to (2) is a very clear "no" then here's your legal basis for data processing. Since it is not consent-based, you can do it without consent and without 'cookie wall'.
I'm no lawyer, I don't know if this is a clear "no" or if it's a "maybe somehow" or how a judge would rule that or what judges previously ruled on that. I don't have all the answers, but it should be clear not all tracking has to be consent-based, especially when you have the user's privacy at heart. Hence my phrasing of 'invasive tracking' earlier in the thread.
Also, if you're a small company or startup that really tries to do good but misinterpreted the law, the data protection agency is not going to give you a large fine. If there is neither an intention of violating privacy (in an ethical way, not a letter-of-the-law way) nor clear negligence, then the DPA will probably send you a warning. It's also a fundamental right to get a reasonable punishment, so they can't give you a fine that creates major issues if you didn't do anything majorly wrong (people often look at GDPR's vague clauses and €20 million fines and think "how could your mom and pop store ever pay that for small violations" while in practice that's not how this works).
I believe you are correct, but I believe you also need to have a cookie/privacy policy page, where you explain what data you are storing and processing. I forget off the top of my head if that's a requirement of GDPR or ePrivacy, but you need to comply with both.
Correct, you need a page but not a wall/banner unless you need to seek consent for something.
Again, the law is not all lawyerspeak and it's fairly easy to find if you click my link to the law above. Article 14(3):
> The [website] shall provide the information referred to in paragraphs 1 and 2:
> (a) within a reasonable period after obtaining the personal data [...]
> (b) [...] at the time of the first communication to [the user] [...]
Where "the information referred to in paragraphs 1 and 2" is the basics: who you are, what you collect, for what purpose (marketing or so), retention period, what the user's rights are, and other things that may apply from the lists in those paragraphs.
The easiest way to fulfill this is, of course, a nice little link at the bottom with this info laid out for everyone.
This is also perfect if you're Google and your products, taken together, process basically every piece of data about a human going about their daily life. Then you basically say "we collect basically every piece of data that you supply or that we can otherwise get our hands on" and the user is not only none the wiser when they use only reCAPTCHA, but they now also agreed to the rest because that's all in one policy.
By and large I'm still happy that it has improvements over the previous law (most notably enforcement and uniformity between member states) even if there are things to be improved, but I digress. Point is: policy available to read when desired: yes; annoying pop-up banner: NEIN :)
Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
...
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
- Receive users’ consent before you use any cookies except strictly necessary cookies.
If the cookie is purely functional, and is not used for any other purposes, you are neither required to request consent nor inform, provided it is for a service the user explicitly requests.
For example, authentication, preference setting, form submission, etc. are all explicit requests.
If your cookies do not require consent, you are not required to explain them to the user (although personally I'd say it's a good practice).
EDIT: the above is not true, please check the comments below for further discussion.
> you are not required to explain them to the user (although personally I'd say it's a good practice).
Nitpick: you are actually required to explain it, but not by shoving a banner in their face. You can explain it in the privacy policy, to be retrieved on demand by the user themselves.
See also GordonS' comment elsewhere in this thread, who is correct about the need for a privacy policy (and I posted a more elaborate comment with more info below it): https://news.ycombinator.com/item?id=25305722
Honestly, if you're just a small personal website or blog then just don't bother with those idiotic cookie consent banners. Use Google Analytics or whatever makes you happy and nobody will ever say anything to you unless you're an extremely famous person, and even then the chance of someone ever bothering you regarding a GA cookie is very unlikely. Especially if you're a tech blog, your readers know how cookies work and how to protect themselves from "tracking", so you're not even doing anyone a favour. It's pure annoyance with zero benefit. Obviously if you're a big corp you'll have to comply, but I'd even question then what the EU is really going to do. Just write a page about how you use data and be honest, transparent and ethical about it, and spare yourself bastardising your beautiful website with EU shenanigans. And I'm from the EU and even dislike it.
Honestly, please respect the laws (unless you are doing civil disobedience, I won't judge you) and people even if they are techies.
You don't want to show me a banner because it's painful? Right, I agree. Just don't opt me in into this crap and then you don't need to show me the banner.
You can use your server logs to measure your audience.
You want the warning banners simply because it's a law or do they actually help you with something?
Out of curiosity, do you ever break driving laws such as speed limits?
"The banner" is nowhere stated in the law. It's a way people have chosen to comply with the law, and most of the implementations currently out there are still in violation of what the law states. The law simply mandates you get informed, "written" consent from any visitor before tracking them or collecting PII in any form or function.
"The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example 'opt-out boxes')."
This in my mind pretty much invalidates most of the existing cookie banners out there, not to mention the multi layered messes some sites do (oath comes to mind).
Yep, that's exactly what I mean by "informed & written" - quite literally it must be active by definition of "informed", but furthermore in a way that is clear to the user of WHAT he actively consented to, and written meaning "provable".
It's difficult to quote what does not exist, but yes, GDPR only requires asking explicit consent (which can be implemented in different ways, cookie banners being one).
And this is not for cookies required for technical reasons (session cookies and cookies to save preferences) - you don't need consent for them. Only for marketing / statistical cookies. See [1], it does a good job of explaining this.
Supposing that I break laws such as speed limits, it's still something I should not do, voluntarily anyway.
Look, I'm not that much into respecting laws for the sake of respecting laws. I actually don't really like rules all that much. And there are shitty laws. GDPR and speed limits aren't in my opinion though. I find them sensible. If you think they are not, I got you covered with my civic disobedience parenthesis.
That said, breaking the law has risks, you cannot lightly advise people breaking it as they feel like it.
Where did you read that I want cookie banners? They ask me whether I want to be tracked. They are nonsense, often bad UX, and often riddled with dark patterns. The GDPR never forced anyone to implement them. It requires explicit consent for tracking in essence, which cookie banners often do a very bad job of.
If you think that as a visitor I am not going to opt in, don't ask me, and definitely don't force me into it with dark patterns. If you think your cookie banner is going to annoy me, well don't design your website this way, or you are not being coherent. Or, more accurately, you are solving a problem that is yours, not mine, and yet putting the burden on me.
Maybe you don't want them but someone else who visits your website does. You can't assume everyone dislikes the same laws as you and since it's a law people kind of have a right to it.
I think it is helpful to point out that some laws are poorly written, are pointless, too aggressive, or impossible to comply with properly. When someone realizes that there are laws they themselves break, hopefully they tone down their conviction that they're law abiding and others are not. This then helps to process the actual problems with individual laws.
Do you really need Google Analytics if you just have a small personal website?
Now that we know the privacy cost, is it worth sending yet another node of a user’s browsing behavior from a presumably well intended personal website?
If you're just a small personal website and still need analytics, then just use a self-hosted solution, as it will be really cheap (or even free) to host and your data is never sent to 3rd parties.
For example, if you have a WordPress site, you could install https://www.usertrack.net as a WP plugin and all data will be stored locally.
Honestly, this is terrible advice. I know it's annoying to many people, but the EU isn't autonomously pursuing corps big or small - its legislation will kick into action if _anyone_ files a complaint after visiting your website, and you'll be subject to the same possible penalties as anyone.
Iirc, though, the law states that the fine will come only if you don’t comply with an initial warning, which will always have to be the first step. In that case, you can easily comply and not be fined.
This is vapid reactionary nonsense of the worst kind: The kind that gives you bad advice and appeals to you to accept it from a position of outrage. Anyone can and should make an informed choice not to follow rules they find problematic, that decision should not be based on how upset you feel.
You have misinterpreted that (which I understand if you're American, since the word "personal" has a different legal definition there).
Purely personal activities are not really interpreted in the "I have a personal blog" sense, but in the "I need to call my friends" sense. If you are indiscriminately processing data of possibly hundreds of people (note that at least in cases in Austria, it can be as low as 50 individuals), it is no longer purely personal and is now partially commercial, and unless you have other reasons to collect the data (research or you have actively obtained consent), you cannot simply do this.
I completely agree, if you're acting outside of personal bounds this does not exclude you. E.g. generating profit by selling ads, which gets taxed as income.
Probably shouldn't have tacked on the company bit.
A personal blog would likely qualify for that, however, many personal websites would not pass the test of "no connection to a professional or commercial activity" (from https://gdpr-info.eu/recitals/no-18/) - if you sell something on that site, or have ad revenue, or use it as advertisement for your professional consultations, then it's not purely household activity.
If you have a bootstrapped web startup project that you want to launch (e.g. collecting "pre-sales" signups from a minimum viable product), then it's definitely not purely personal or household activity even before you have registered a company.
This is one of those laws on the books to punish people who the EU (or relevant national government) think need to be punished. Its end result is just endless fucking annoyance to use any website, and from every one of these threads I read, all the annoying cookie permission and opt-in popups are probably illegal under the GDPR anyway. If I'm going to slap Google Analytics on a personal site, I'm going to do it and not worry.
For all I know doing that might be forbidden under the GDPR or it might not, I don't care to find out.
Google recently introduced "Consent Mode" which basically disables cookie-based tracking and collects anonymous data only. I still find it problematic as Google probably doesn't need a cookie to identify you but it's at least something that is officially backed by Google, instead of a hack like this.
BTW if you use client information to derive an identifier that is unique within a session and you send that identifier to a third party (e.g. Google), this approach gives you zero benefits. In fact ePrivacy & GDPR don't mention cookies anywhere and don't care what technology you use to derive identifiers; if they can robustly identify an individual or device and you actually send them to another service (for purposes that are not strictly necessary for the performance of your service) you're obliged to ask for consent.
They are using a 53-bit hash cyrb53 [1] of the string "IP address + website domain + user agent + language + validity days". It looks feasible that many of the generated IDs could be retroactively brute-force mapped back to an IPv4 address with high confidence (small chance of error due to hash collisions).
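As an added illustration of the two points made in this thread (the daily-salt approach described for plausible.io above, and the reversibility of a fixed-seed hash over "IP + static fields" noted in the comment just above), here is a constructed Python example; it is not code from plausible.io, the discussed script, or any commenter. It assumes sha256 as a stand-in for cyrb53 and made-up values for the static fields, since the point is the small input space, not the hash function.

```python
# Added example (not from plausible.io, the discussed script, or any commenter):
# shows why a hash over "IP + static fields" with a fixed seed is reversible by
# enumeration, and why a random per-day salt that is later discarded is not.
import hashlib
import ipaddress
import secrets
from typing import Dict, Optional

# Constructed stand-ins for the static fields the discussed script feeds into its hash.
SITE = "stats.example.com"
USER_AGENT = "Mozilla/5.0 (constructed UA)"
LANGUAGE = "en-GB"


def visitor_id(ip: str, salt: bytes = b"") -> str:
    """Pseudonymous ID from the IP plus static fields.

    sha256 stands in for cyrb53; the argument is about the input space, not the hash.
    With salt == b"" (or any fixed, known seed) the only unknown input is the IP.
    """
    material = salt + f"{ip}|{SITE}|{USER_AGENT}|{LANGUAGE}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def build_reverse_table(network: str, salt: bytes = b"") -> Dict[str, str]:
    """Precompute id -> ip for every address in a range.

    Anyone who knows the static fields and the fixed seed can do this: a /24 is
    256 hashes here, and all of IPv4 is only 2**32, which is cheap to enumerate.
    That is what keeps the "anonymised" ID personal data.
    """
    return {visitor_id(str(addr), salt): str(addr)
            for addr in ipaddress.ip_network(network)}


def recover_ip(vid: str, table: Dict[str, str]) -> Optional[str]:
    """Invert an ID against a precomputed table; None means it is not in the table."""
    return table.get(vid)


class DailySaltedIds:
    """IDs salted with a random secret that is thrown away at rotation.

    Within one period the same visitor maps to the same ID, so unique counting
    works; after rotate() the old salt is gone, so old IDs cannot be re-derived
    or inverted even by the operator. Modelled on the daily salt described above.
    """

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(32)

    def id_for(self, ip: str) -> str:
        return visitor_id(ip, self._salt)

    def rotate(self) -> None:
        # Overwrite, never persist: reversal needs the salt, and it no longer exists.
        self._salt = secrets.token_bytes(32)


def demo() -> bool:
    """Return True if the fixed-seed ID was reversed and the salted one was not."""
    ip = "203.0.113.77"  # documentation range, constructed sample visitor
    table = build_reverse_table("203.0.113.0/24")
    reversed_ok = recover_ip(visitor_id(ip), table) == ip
    salted = DailySaltedIds()
    not_reversed = recover_ip(salted.id_for(ip), table) is None
    return reversed_ok and not_reversed


if __name__ == "__main__":
    print("fixed-seed ID reversed, salted ID not:", demo())
```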
I wouldn't trust any article that purports to be about GDPR that uses the term 'PII' a term which itself isn't anywhere to be seen in the regulation!
In reality an IP address is generally not PII, but it may be personal data - the case is Breyer which was decided on pre-GDPR law but still relevant. If you could use reasonable means to identify someone from the IP address then it will be personal data. I don't really agree with the outcome of the case because it implied it was easy to contact an ISP to get them to disclose details of the subscriber information associated with the IP address. In the UK at least it would require cause, and a court order.
So sending a request to Cloudflare to get your users' IP makes this GDPR compliant? This is not how any of this works. Be careful when using this script.
In any case, the cloudflare dependency needs to be listed in your Data Protection page.
Love the contrast between the title and the text. This isn't even about GDPR, it's about a completely different piece of legislation, the E-Privacy Directive. This is completely agnostic on personal data and so the post is largely flawed.
Even if you're not dealing with any personal data, if you're placing a cookie (or doing anything analogous, device fingerprinting etc.) you are in scope of the Directive and need consent, irrespective of GDPR.
The new E-Privacy Regulation is looking to implement an exception to consent for analytics but that would have providers like Google Analytics out of scope. Anyway, it's stuck in the mud at present...
How does something like Truecaller work with GDPR? I mean you are given some sort of one-way access to names of contacts from their database and in return you pay them real money, you are shown ads based on your IP address, who you call, how long and other parameters, and the most problematic part is the fact that your phone contacts are taken as a payment.
I came across this app back in 2011 and noped the fuck away. Never installed Truecaller once and my details may be there but I don't want it.
My question: can Truecaller take your contacts not to serve you in particular but to build a worldwide database? And they don't say that in clear terms, from what I have asked its users. They DON'T know the software is doing that.
Peripherally related question. Is it GDPR compliant to hash a user's IP address to just a wide region and store only that? e.g. "Finland", "California", "Chennai". Just to get an idea of from where visitors come?
I'd like to add only usage tracking to my sites to see how they are used, but I have zero interest in selling or using user data for any other purpose. I could add a pop-up banner, but that's for consent on using personally identifiable information (and I associate it with sleaze, to be honest).
By "hash" I just meant its broader meaning of "converting": "IP address" to "broad geographical region". There would be no way to convert, say, "Monaco" back to an IP address.
You don't need consent to share personally identifiable data like IP addresses with Google. For GDPR purposes you need a legal basis and "your legitimate interest" is one. You need to honestly assess - ideally write down - your determination of how your need to analyse website performance is balanced against the user's right to privacy. One thing you might consider here is the impact on the user. Then you need to fulfil your duties as a data controller with respect to accuracy, security and so on.
What you do need is consent for cookies (or local storage or similar). That is required by the ePrivacy Directive (aka cookie law). If you want to persist an identifier on a user's device you need to get consent before you put it there.
GDPR and ePrivacy are related but not the same. You can use GA without cookies (or with only "strictly necessary" cookies which are an exception to the consent rule) and therefore not fall foul of ePrivacy.
> For GDPR purposes you need a legal basis and "your legitimate interest" is one. You need to honestly assess - ideally write down - your determination of how your need to analyse website performance is balanced against the user's right to privacy
Come on, analytics, especially 3rd-party analytics, is never considered a "legitimate interest". As if it was needed, this is spelled out explicitly in the ePrivacy directive and official EU opinion documents.
Legitimate interest is a GDPR thing and you can indeed choose to share personal information under legitimate interest and you can do so for analytics. There are countless examples of privacy policies all over the web doing exactly that.
The ePrivacy directive is much more proscriptive about consent but applies only very narrowly - to cookies and similar technology.
Conflating GDPR and ePrivacy leads to much confusion; they are to all intents and purposes separate.
For anyone looking for a GDPR-compliant solution without Google, take a look at Plausible. Not at all as mighty as GA, but it delivers the most important data IMHO.
This is great info on how to substitute the IP address or turn off user tracking. I do think the replacement is dubious (especially forwarding to CF) and not GDPR compliant, so I would use something else like user agent, timezone and languages to form a hash. It doesn't need to be precise and in some ways it's good if it's a bit rough. I only want general trends on a website.
In fact it can't and shouldn't be precise, as this would still make the user clearly identifiable. You have to discern between GDPR (which governs tracking purposes as well) and E-Privacy laws (which concern PII) here.
The GDPR is quite strict in that it states in no uncertain terms when one needs to ask for consent. The notions "personal data" and "anonymized data" are quite clearly defined. [1][2]
> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Especially that last part is important. If the output of the algorithm can be reversed in a way that it can be tied to a person, you're violating the GDPR. The responsibility of choosing a good algorithm is very much yours. And so, that algorithm is a liability on your part.
Implementing a proper consent banner and adding a page with the correct GDPR information poses less of a liability when it comes to becoming GDPR compliant. There's plenty of information out there on how to do that properly. The EC even has a handy checklist just to get started: [3]
The notion "personal data" should also be interpreted in the broadest terms possible. Barring a few exceptions, the definition of "personal data" is really a limited set of principles that you are required to apply to a dataset rather than "these types and groups of data are protected, these aren't". The GDPR acts akin to a "right of way" principle which you are required to apply regardless of the context.
The nuclear way of becoming GDPR compliant without consent banners or GDPR notice pages is to not collect anything at all. Or even closer to home: not share anything with third party services.
I've done that exercise for myself, and that's something to take extremely literally when you start to think hard about it.
No Google Fonts. No analytics whatsoever. No using CDNs. No hotlinking. No embeds - No YouTube, Instagram, Google Maps, Vimeo,... - No collecting e-mail addresses for newsletters. No Avatars - no Gravatar - No comments - Not locally, not via Disqus. No keeping server-side logs with IP addresses or any identifiable names.
It's not mentioned all too often, but the GDPR isn't about restricting what you can and can't do. It tries to enforce website owners to make conscious choices over the technologies and the platforms they use and the content strategy they would like to apply.
Looking at the author's site. Google Fonts is used, CloudFlare sets a cookie and the bottom of the page has a "subscribe to my newsletter" with a third party service. All of which are GDPR concerns.
What is forbidden by GDPR isn't specifically cookies or IP, but any tracking mechanism which allows one to identify an individual uniquely with some amount of certainty, and without prior consent.
Log files have a different original purpose. But yes, if you repurpose your log files to track individual users granularly, that processing would be illegal without gathering informed consent first.
Unless it's necessary. The legitimate interests basis of the GDPR allows you to make a balanced decision of your business requirements against user privacy expectations.
Yes, and you have to lay out how the processing is necessary for providing the service; there has to be no less intrusive method of achieving the desired result, and be ready to prove it.
Hint: user-level analytics rarely is. And in this specific example, repurposing logs kept for one purpose (e.g. security/auditing) to user analytics is definitely not something you can just do.
The main conceptual issue is that it's about the purpose of use rather than the technical implementation. Access log files used for debugging purposes only is one thing; but if the exact same access log gets forwarded to a data mart that later gets used for mining marketing analytics, that's a completely different issue.
If they contain IPs, and are stored for >30 days, they're automatically illegal, yes.
Below 30 days it's a grey area as long as you only store as much information as is technically necessary (so e.g. for 14 days IP addresses could be okay, ask your lawyer about specifics), but you definitely need to inform your users about this.
Processing PII doesn't need consent if it's necessary to provide the service. Keeping logs fits in this category: to run a website, you need the ability to debug problems, analyze fraud and attacks. Moreover, you have the responsibility to protect your users, hence be able to analyze attacks and block malicious IP addresses. And lots of countries have laws that make it mandatory to keep these logs in case the police need them (e.g. France, 1 year mandatory retention).
To make this processing legal, then GDPR demands that you inform your users, minimize the amount of PII, anonymize as soon as possible, and most of all not use this PII for other purposes.
Remember the time when every serious homepage had a visitor counter? I don't recall any issues with privacy laws in those days. I think "tracking" back then was decentralized?
I keep saying this: centralization is the core issue of privacy. If every website would keep their own visitors' data to themselves, no one would care and businesses would thrive. This is why I think the future is self-hosted, where every site is a complete platform that locally contains all the services it needs (e.g. analytics, chat, etc.).
Many of those also were incredibly simple, just counting requests, or at max setting a non-unique cookie to indicate "counted already", which has little privacy implications. And of course yes, privacy legislation and people's awareness of these things has evolved over time.
Tracking users is unethical. The law is there not so that you can wiggle your way around it, but to make a statement about this behavior. Laws are not scripts and they are not interpreted by computers. You are going to get fined for doing this, and it'll be well deserved.
Do not spy on people.
It's that simple.
Don't use google analytics. Don't use any of the dozens of alternatives which are selling you "pro-privacy" analytics, which is a contradiction of terms. Just don't spy on people.