The GDPR is quite strict in that it states in no uncertain terms when one needs to ask for consent. The notions "personal data" and "anonymized data" are quite clearly defined. [1][2]

> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...

[2] https://gdpr.eu/eu-gdpr-personal-data/

Especially that last part is important. If the output of the algorithm can be reversed in a way that it can be tied to a person, you're violating the GDPR. The responsibility of choosing a good algorithm is very much yours. And so, that algorithm is a liability on your part.

Implementing a proper consent banner and adding a page with the correct GDPR information poses less of a liability when it comes to becoming GDPR compliant. There's plenty of information out there on how to do that properly. The EC even has a handy checklist just to get started: [3]

[3] https://gdpr.eu/checklist/

The notion "personal data" should also be interpreted in the broadest terms possible. Barring a few exceptions, the definition of "personal data" is really a limited set of principles that you are required to apply to a dataset rather than "these types and groups of data are protected, these aren't". The GDPR acts akin to a "right of way" principle which you are required to apply regardless of the context.

The nuclear way of becoming GDPR compliant without consent banners or GDPR notice pages is to not collect anything at all. Or even closer to home: not share anything with third-party services.

I've done that exercise for myself, and that's something to take extremely literally when you start to think hard about it. No Google Fonts. No analytics whatsoever. No using CDNs. No hotlinking. No embeds - No YouTube, Instagram, Google Maps, Vimeo,... - No collecting e-mail addresses for newsletters. No Avatars - no Gravatar - No comments - Not locally, not via Disqus. No keeping server-side logs with IP addresses or any identifiable names.

It's not mentioned all too often, but the GDPR isn't about restricting what you can and can't do. It tries to force website owners to make conscious choices over the technologies and the platforms they use and the content strategy they would like to apply.

Looking at the author's site: Google Fonts is used, CloudFlare sets a cookie and the bottom of the page has a "subscribe to my newsletter" with a third-party service. All of which are GDPR concerns.

That checklist is not bad, but it's not legal advice, and it doesn't come from the EC (directly, anyway).