by daoist_shaman 1362 days ago
I’ve been concerned about this.

My tech stack is built on various products, including no-code site building tools, and I believe these tools employ JavaScript/cookies at layers which are inaccessible to me. Some of these may cavort with GA.

How liable am I?

3 comments

Under GDPR, if you use third-party tools, and those tools process user data (including just being loaded onto the page from a third-party server, because that requires processing the IP address), then your arrangement with that third party must describe the processing that they are going to perform. The description of processing is often a separate document from other contract stuff, called the Data Processing Agreement (DPA), but that's a convention and not a requirement.

Your responsibility is making sure that data processed under the terms of that agreement conforms to GDPR. Your primary responsibilities are the articles in Chapter 3 "Rights of the Data Subject" under GDPR, and making sure you can do that for data sent to the third party.

Their responsibility is making sure that data is only processed how they describe it in the DPA. If they surreptitiously add Google Analytics, that's their violation.

If the contract is too vague to tell what processing is going on, then that is your violation for choosing to engage with them as a processor. In practice this might be your biggest risk.

IANAL

Under GDPR you are the data controller if you decide what data is collected and for what purposes.

I would expect this to cover you as the operator of the website (or other service). Your agreements with your tool providers probably specify that they are data processors for you.

If data was being collected and accessed without lawful basis (by eg GA embedded somewhere in your stack), this would count as a data breach. You would have to inform your data regulator (eg ICO in the UK) within 72 hours of becoming aware of it, and tell them among other things what remedial action you are taking. You could also be fined for failing to do due diligence.

Under GDPR, you have to ensure you gather consent properly. If your tools are not equipped to deal with that, that's your problem, not the tool's author's.

You seem to imply that consent is required. Consent is not required if you are not gathering data that needs to be consented to.

If my tools are gathering data behind my back and not telling me, that is troubling. I should not be liable for this, as it is an abuse of trust that would result in me no longer using the tool had I known prior.

> I should not be liable for this

If you can't ensure the tools you use are not fucking your customers over, you shouldn't be using those tools.

Sure if you did the due diligence, and they actually hid that they use cookies[0], both in their documentation and technically while you were developing, then enabled them in production, where you missed them, sure. But most don't hide they use cookies, not in documentation and not while developing.

[0] By cookies I mean anything that would require consent

Yes, using 3rd party tools that you don't fully understand should not be a plausible deniability shield. Otherwise, everyone with intent would be hiding behind it.

> If my tools are gathering data behind my back and not telling me, that is troubling. I should not be liable for this, as it is an abuse of trust that would result in me no longer using the tool had I known prior.

Well, you can sue tool makers if they lied to you.

But the ability to just say "but I didn't know" would be catastrophic to any accountability, as nobody would even read a manual, to be able to plausibly claim that they didn't know.

In a similar way, you can't go shoplifting and then claim you didn't know that was a crime.