Hacker News new | ask | show | jobs
by cupofjoakim 1806 days ago
This is a great point actually - but it probably depends on if the data is regarded as "personal data" or not. IP-addresses is considered sensitive which would mean that if they're saving that it is probably not ok. I'm not a lawyer though :)
1 comments
Anunayj 1806 days ago
Storing IPs by themselves are not against the GDPR, and you do not really require consent for storing them for legitimate reasons, (Think nginx access logs, or rate limits on API endpoints/ banning IPs abusing your service). [1] Pairing IP addresses with other potentially identifying information can also be a little bit of a legal gray area (Look at Fingerprint.js) if done for legitimate reasons (Like fraud detection).

Though honestly most users do not really care about the check box that says "I agree to give you access to all my personal information and sell it to everyone" when they click install, and it's such a sad situation. GDPR had a great potential, it's sad it was unable to do it's best.

[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...

link
gnud 1806 days ago
If you save IPs to use for fraud detection, then under the GDPR you can't use them for _ANYTHING_ else, and you need a sensible rule for how long you keep them.

Most of those checkboxes are not worth anything under GDPR, because people don't give a clear, informed consent when they have no chance of understanding what is being asked.

The law is not the problem. Lack of enforcement is.

link
eivarv 1806 days ago
In the cases you list, you have other legal basis for processing than consent – i.e. legitimate interest – but that doesn't mean it's not personal data.

Indeed, IP-addresses are considered [0] personal data in some cases – which only really means that you need to follow the GDPR: have a legal basis for processing, do not process the data for reasons other than that for which you have a legal basis, delete it as soon as you no longer need it, implement protective measures, etc.

[0]: https://www.whitecase.com/publications/alert/court-confirms-...

link
mschuster91 1806 days ago
> GDPR had a great potential, it's sad it was unable to do it's best.

Given the massive backlash against the GDPR and "cookie walls" by newspaper publishers, it's doing a pretty good job. Can you imagine a company like Apple whipping app vendors into shape regarding data collection without GDPR pressure?

link
Anunayj 1806 days ago
I agree GDPR did make a lot of good change. I don't mean to say GDPR was a waste. It was awesome. What i mean is, Some things (like Cookie banners) kinda defeat half it's purpose, and at times made browsing more annoying.

I'd love too see them do something about it. Amd i hope they do.

link