by rosmax_1337 1837 days ago
I've done some basic reading on GDPR but can't honestly say I have it completely figured out. Can someone help me out with a use case that I come across frequently? Selling tracking data to third parties is the kind of thing no one wants to actually opt in to, and what I imagine GDPR partially tries to combat. (among other things)

What about site statistics keeping? If say a newspaper collects statistics about visitors to their articles, and does browser/user tracking by implementing cookies, for __internal__ use, rather than selling data to third parties. Is a cookie banner still necessary for that kind of consent?

Personally, I don't care if my IP appears on any website log that I have visited, or if a unique cookie ID becomes present on the site until I clear my cookies. If I cared about my IP being tracked, or cookie IDs like that, I would browse using a VPN and "Private mode" in browser. What I do care about is the complex browser fingerprinting that keeps track of (essentially) my entire browser history, externally, with everything from my Google searches, YouTube videos, online purchases and website visits being visible in some kind of giant aggregate form.

Basically compare it to being videotaped when entering a store. Yeah sure, I might be a bit irked by the camera but I don't care too much. Compare that to putting a camera on every street corner, and using facial recognition to generate a day by day pattern of all my visits to all stores the last 30 years, and I'm not a happy camper any more.

I would even go as far as to say that cookie banners for the above tracking scenario, where you are tracked completely, should be illegal. That kind of "consent" can't even be gained by just clicking a <button> on a website, it would require a valid ID and signature at least.

And on the other hand, the "internal store videocamera" taping customers as they enter, perhaps even applying face recognition software to count unique visitors per year to the store, is hardly worth the hassle of clicking a cookie banner personally. I'm certainly not averse to a position of not wanting to be tracked when entering a store or a webpage though, and if someone has a personal need to not be tracked like that, they should be able to apply basic non-consent-based tools to avoid being tracked. Like wearing sunglasses and a cap when entering the store, or browsing using a VPN.

4 comments

Tracking visits to articles can be done entirely server side, no need for consent there as long as you just increment the counter by one. If you store PII to do it (IP address) you will need consent.

You don't need consent to store the IP in your server logs because that serves an undeniable legitimate interest for detecting abuse and diagnosing issues. However, you cannot use that information to generate statistics without consent.

As others said, gather as little as possible, for as short as possible, with a simple explanation and you should be golden. Lazy implementations (slapping Matomo on a server and calling it a day) do not comply with "as little as possible", and limitations in your tech stack ("we use cloudflare so we HAVE to use a cloudflare cookie") don't count either; it has to be as little as possible for the functionality to work, not for your developers to be comfortable.

Consult a professional for legal advice, but most websites don't strictly need consent popups. The advertisers do, and the marketeers want as much info as possible as well, but on a technical level, there's no need for most reasonable use cases to have a consent form. It all comes down to the bad decisions the website owners make.

I think it's disgusting that tracking has become the standard and opting out needs to be something special only some people can choose to do. Your comparison works for self-hosted monitoring (though I doubt a business that loudly proclaims, in text and audio so blind people can enter as well, that it tracks your every move will get much business). However, most websites use third party trackers, so the comparison becomes closer to your own personal entourage of men in trenchcoats, following you around and occasionally writing something about you down.

Gather as little as you need, share it as little as you need, and keep it as long as you need to fulfil your customer's request. For anything else, get consent.

Any kind of private information you store or share needs consent.

This is why plausible.io doesn't require consent, but Google Analytics does.

I'm not an expert but I have read the text. You should talk to an expert.

Having said that my understanding is you don't need consent if the information processed is not personally identifying. The GDPR text is also quite clear that consent is just one of a number of legal bases for processing PII and there are a whole bunch of provisos for relying on it (which are still ignored on most sites).

For your stats use case I think the best option would be to store and log anonymized stats that wouldn't be considered personally identifiable information. And then you shouldn't need a consent form.

The most important concept of GDPR is "Personally Identifiable Information", or PII: https://en.wikipedia.org/wiki/Personal_data

You can collect statistics all you want if you anonymize data such as IP addresses. But you can't collect and store PII (or even aggregate data that can be used to identify a certain user, aka fingerprinting) without consent, or without having a legitimate reason.

By legitimate reason I mean that you can freely collect information that is strictly necessary for performing tasks expected by customers. For example, you don't need explicit consent to collect a customer's address for delivering a package via post. You can also have a cookie for login without requiring a "cookie banner". However, you can't repurpose data you collected legitimately for other purposes, such as sending spam.

(Please notice that legitimate reasons don't include anything marketing-related, spam, selling to third parties. "Legitimate interest" in GDPR means the legitimate interest of the customer, not of the business)

About fingerprinting, if it can be used to identify single users, it becomes PII. This means fingerprinting also falls into GDPR.
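Several commenters above suggest the same technical route for the newspaper's stats use case: count server side, anonymize IP addresses before storing anything, and avoid any token that could be used as a fingerprint. The example below is added by the editor and is not code from any commenter or from the tools mentioned in the thread (plausible.io, Matomo, Google Analytics). It shows two techniques self-hosted analytics commonly use: truncating the IP before it is written anywhere, and counting unique visitors per day with a keyed hash under a random salt that rotates daily and is never persisted, so tokens cannot be reversed into an IP or linked across days. All function and class names, and the sample hits, are constructed for the example; whether a given deployment still needs a banner is the legal question the thread discusses, not something this code decides.

```python
"""Constructed example: server-side page-view statistics that keep no raw PII.

  1. IP truncation: zero the host part of the address before anything is stored
     (last octet of IPv4, everything past the /48 of IPv6).
  2. Daily-rotating salted hash: unique visitors are counted via an HMAC of
     (client IP, user agent) keyed with a random salt regenerated each day and
     never written to disk, so tokens are unlinkable across days and not
     reversible into an address.
"""
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict
from datetime import date


def anonymize_ip(raw_ip: str) -> str:
    """Drop the host part of an address so only the network is retained."""
    ip = ipaddress.ip_address(raw_ip)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


class DailySalt:
    """A random key that rotates every calendar day and is only ever held in memory.

    Hits must be recorded in chronological order: when the day changes, the
    previous key is discarded, which is what makes old tokens unlinkable.
    """

    def __init__(self) -> None:
        self._day = None
        self._key = b""

    def key_for(self, day: date) -> bytes:
        if day != self._day:
            self._day, self._key = day, secrets.token_bytes(32)
        return self._key


def visitor_token(ip: str, user_agent: str, key: bytes) -> str:
    """Keyed hash of (IP, UA): stable within one day, meaningless without the key."""
    msg = f"{ip}|{user_agent}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class PageViewCounter:
    """Aggregate counters only; no raw IP or user agent is ever stored."""

    def __init__(self, salt: DailySalt) -> None:
        self.salt = salt
        self.views = defaultdict(int)        # path -> total page views
        self.uniques = defaultdict(set)      # (day, path) -> visitor tokens for that day
        self.networks = defaultdict(int)     # truncated IP -> hits (abuse/diagnostics)

    def record(self, day: date, path: str, raw_ip: str, user_agent: str) -> None:
        token = visitor_token(raw_ip, user_agent, self.salt.key_for(day))
        self.views[path] += 1
        self.uniques[(day, path)].add(token)
        self.networks[anonymize_ip(raw_ip)] += 1
        # raw_ip and user_agent are dropped here; nothing identifying remains

    def unique_visitors(self, day: date, path: str) -> int:
        return len(self.uniques[(day, path)])


# Constructed sample input: (day, path, client IP, user agent)
SAMPLE_HITS = [
    ("2023-05-01", "/article/1", "203.0.113.77", "Mozilla/5.0 (X11; Linux)"),
    ("2023-05-01", "/article/1", "203.0.113.77", "Mozilla/5.0 (X11; Linux)"),  # reload
    ("2023-05-01", "/article/1", "203.0.113.78", "Mozilla/5.0 (X11; Linux)"),  # same /24
    ("2023-05-01", "/article/2", "2001:db8:abcd:1234:5678::1", "curl/8.0"),
    ("2023-05-02", "/article/1", "203.0.113.77", "Mozilla/5.0 (X11; Linux)"),  # new salt
]


def build_stats(hits=SAMPLE_HITS) -> PageViewCounter:
    """Replay constructed hits in order and return the aggregate counters."""
    counter = PageViewCounter(DailySalt())
    for day, path, ip, ua in hits:
        counter.record(date.fromisoformat(day), path, ip, ua)
    return counter


if __name__ == "__main__":
    stats = build_stats()
    print("views:", dict(stats.views))
    print("uniques 2023-05-01 /article/1:", stats.unique_visitors(date(2023, 5, 1), "/article/1"))
    print("networks:", dict(stats.networks))
```

The per-network counter keeps only the /24 or /48, which is still useful for spotting abusive bursts, while the unique-visitor set holds tokens that nobody can map back to an address once the day's key is gone. A reverse-chronological replay would regenerate the key on every day change and over-count uniques, so feed hits in order.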