[number6]

> Plausible also only processes it for uniqueness and doesnt save it as is

That's exactly the point. Processing of personal data to identify a unique person.

Regarding firewalls and logs: It's argued that this is legitimate interest as it is stated in Recital 49 of the GDPR. So they got a free pass, for the better or worth.

> I think you might be permanently spreading fear

Don't get me wrong, I like the approach. But it's not a get out of GDPR free card.

[omnimus]

> That's exactly the point. Processing of personal data to identify a unique person.

Not sure thats what i said. They cannot identify unique person. They identify unique legitimate visits per one day.

If logs and firewalls mean legitimate interest because you have to give server your ip address for everything to work then using same thing can be said about plausible especially since the ip address is immediately thrown away unlike with firewalls where the main point is to keep record of bad actors.

It is very different to google analytics where whole point is to pinpoint repeating visitors, their behaviour etc. You simply can't do that with service like plausible. What you can do is know how many legitimate visits you had and what was visited. For most websites that is enough at same time i would be surprised if not knowing how many people visited your site would not be legitimate requirement for service to function.

[janosdebugs]

Legitimate interest still requires the data subject to be informed under Art 13. Not sure how that would be accomplished without at least an info banner. (This goes for server logs too.)

[number6]

If you have a website you have to write this in your Privacy Policy and most do.

Firewalls are a curious case. It is argued that the data is not collected but transmitted to the controller. Almost as if you get a letter with personal data and now have to deal with it.

Yes, it's a stretch. Not happy with it but I don't see any practical solution either...

[janosd]

AFAIK it's not enough to write it in your privacy policy. Art 21 of the GDPR makes this explicit:

> (4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

I am not a lawyer, but as far as I can tell, there is no legal way to collect PII (including IP address) or place tracking identifiers on the user's device without at least informing the user explicitly under the GDPR and the ePrivacy Directive.

[number6]

You are correct. In early days of the GDPR people thought about a page in front of the original page without any data collection presenting only the privacy information.

But soon there was an agreement that Art 13 lit. 4 could be interpreted that as long as you don't have any data collection beyond server logs this would be deemed as sufficient. Or in other words if you won't invoke the Art 21 lit. 1 of the GDPR.

But since everybody wants to track you on basis of their legitimate interest the web became full of cookie banners