[eitland]

Not related to you, but from a description in the first link, in the description for Plausible:

> Because it does not use cookies their is no need to show cookie banner for this service.

This is IMO a rather fundamental misunderstanding of the current situation.

I'd be hesitant to using a product from someone who I think have misunderstood completely what the rules are about. (Again, IMO and also IANAL but I have followed GDPR more closely than most people.)

GDPR is about collection information, as far as I can see, the technical detailsbof how you do it doesn't matter. It could be pure magic and would still be illegal.

[birjolaxew]

I've actually had this discussion with Plausible directly back in 2022[1], and more recently with the lawyer they had write a blog post[2] on the topic. I wrote an article on it, that was recently discussed here on HN [3].

The response from Plausible is essentially "we've checked with legal council, and stand by the statement". The conversation with the lawyer started out well, but he stopped responding when I asked about the ePD, not GDPR.

There generally seems to be a lot of confusion, even in legal circles, about what ePD requires informed consent for. Many think that only PII requires consent, or think that anonymization bypasses it. That amount of confusion makes it very easy for a layman (e.g. Plausible) to find _someone_ willing to back up their viewpoint.

The EDPB released a guideline in 2023 that explicitly states that what Plausible et al. are doing is covered by the ePD's consent requirement, but that's a little too late: the implementations in member countries already differs massively on whether it's covered[4].

1: https://github.com/plausible/analytics/discussions/1963 2: https://plausible.io/blog/legal-assessment-gdpr-eprivacy 3: https://news.ycombinator.com/item?id=42792485 4: https://matomo.org/faq/general/eprivacy-directive-national-i...

[taw9838373]

> There generally seems to be a lot of confusion, even in legal circles, about what ePD requires informed consent for.

That seems to be true, going by this comment section and the other ones I've seen.

It's hard to get a non-hyperbolic answer to the question: if everyone is so confused, what's the real-world consequence of best-effort implementation?

Some would say it's the ultimate responsibility of the app owner to understand the law, but how much further can you go than hiring a lawyer?

If more diligence needed to be done than that none of us would get anything built, we'd all just be running around researching the laws around these dumb popups.

What are the real-world consequences of making a mistake here? What kind of boundary would you have to trip over to actually get the authorities to prosecute you for not having a consent popup or doing it badly?

[progmetaldev]

That is unfortunate, and seems to be similar to ADA compliance, as far as what is truly compliant and what is not. It seems like it is up to the courts to decide (speaking as an American, I know GDPR is a European law). I try to do as much as possible to keep up to date with ADA compliance and best practices, but when it comes to tooling around scanning for non-compliance, there seems to be differences. I believe that showing that you made an effort to comply is usually enough to avoid a lawsuit, but it would be nice if things like this were spelled out more clearly for those that need to implement these features.

I have recently gone through a conversation with a client that has been told in NY state (in the US) that something similar to GDPR is coming for those that deal with PII. Both the client and the agency I work for have added various scripts to the website for dynamic forms, tracking (Google Analytics), and newsletter functionality. It's at a point where everything that is 3rd party has to be discovered first, then seeing if there is the ability to anonymize everything (either by default, or with a user consent dialog). Even with current laws, it seems intentional to keep things vague.

[eszed]

Agreed. The company I work for has fought off two "ADA trolls" in the past ~3 years. I'm fully behind accessibility, and we design/develop our website specifically to conform with best-practice; I get, and generally accept, that civil remedies are (currently) the only way to enforce any kind of compliance. I nevertheless call the lawyers targeting us trolls, because their technical analysis was beyond incompetent, and their understanding of accessibility issues woefully out of date. It cost a few days of my + developer time, and I don't know how much lawyer-time, to make them go away.

We (I'm in the US) badly need clarifying regulation. Until then, compliance will mainly be about preventing yourself from being low-hanging fruit for opportunistic litigation - which, to be clear, can generate productive results, but is clearly inefficient.

[uallo]

It is not entirely clear who wrote these descriptions. Maybe it was not the vendor. At least their website https://plausible.io/ has a much better wording.

   > No need for cookie banners or GDPR consent
   > 
   > Plausible is privacy-friendly analytics. All the site measurement is carried out absolutely anonymously. Cookies are not used and no personal data is collected. There are no persistent identifiers. No cross-site or cross-device tracking either. Your site data is not used for any other purposes. All visitor data is exclusively processed with servers owned and operated by European companies and it never leaves the EU.

[marvinblum]

Correct, it's not so much about Cookies, but how data is collected and what is stored.

We have done a privacy risk analysis with an external lawyer and data protection officer, and concluded that Pirsch is in line with GDPR as we do not collect nor store personal identifiable information (PII). Processing stuff like IP addresses for example is legal as long as they are not stored and only cached for a reasonable amount of time (a few milliseconds in our case).

If you're interested, we have extensive documentation on this. You can reach out to support@pirsch.io to get it :)

If anyone is interested in doing something similar. This did cost us about 8,000 € in Germany.

[anonzzzies]

I guess because you store their fingerprint (for uniques) only 24 hours, it is ok?

[marvinblum]

This also factors in, yes. If we would store it indefinitely, there is the risk of profiling (estimating who someone is by their behaviour).

[michpoch]

> This did cost us about 8,000 € in Germany.

The apparently extensive legal assessment you just described costed just 8'000 euro?

I am sorry but that had to be some hasty review at best. Do you take the full legal risk in case any of your customers would be found in violation of privacy laws because of using your service?

For reference, with similar hourly rates as Germany, reviewing a standard apartment-purchase contract cost me ~3500 euro.

[marvinblum]

We had someone with a lot of experience in this field working for very large German corporations and got a discount/startup bonus. I wouldn't call it cheap.

Imagine starting a business in Germany. How are you suppose to pay 30-50k for legal questions before selling anything?

[michpoch]

> I wouldn't call it cheap

The moment someone sues your customers, or some European agency will gets onto them, that 8000 euro opinion is all you're basing your company's legal security on. In that context, yes, this is being very cheap.

[account42]

Analytics and other forms of tracking are not required to do do business. Don't try to skirt the law and you won't have as many legal questions to answer.

[XCSme]

So, if I run ads or a marketing campaign, I shouldn't be able to know if it brings a positive ROI or not?

Let's assume I pay $1000 for Google Search Ads, wouldn't it help the business to know that "from my sales, $800 came from Google Search Ads"?

People do this all the time, even in real life, with coupon codes fliers for example.

[wongarsu]

You need consent for (not functionally necessary) cookies because of the ePrivacy Directive (the "cookie law"). Additionally, you also need consent for processing, storing or sharing personally identifying information (PII) because of the GDPR. Usually you do both in the same consent popup.

Plausible doesn't store visitor's IPs or any other PII, and doesn't set any cookies. The reasoning given in the quoted paragraph is incomplete, but the result is correct. You only need to mention them in your privacy policy, they don't require any opt-in popups

[robin_reala]

PII isn’t a concept in GDPR. GDPR talks about personal data, which on its own might not be identifying, but which in combination with other personal data can successfully identify a person.

[youngtaff]

Regardless of whether they store it Plausible is exposed to the visitors IP address though isn't it?

[jgalt212]

At the end of the day it comes down to enforcement. If the rules make no sense, and they can't be enforced. They might as well not exist.

[velcrovan]

I'm curious: running a static website with no JS-based analytics whatsoever — only Apache logs in standard format (so including IP address and user agent string) — does GDPR require consent banners in this case? If so, doesn't essentially every website require consent banners due to the way websites work?

[xorcist]

GDPR does not require a consent banner. If you want to process the user's personal data outside what is strictly necessary, you need permission. One way to get that permission is for the user to specifically consent to it. It does not have to be a banner. (In fact, many banners out there are probably not enough for informed consent anyway, as they provide no information about what data is collected or any reasonable way to opt out.)

Personally identifiable information has nothing to do with javascript, or analytics. Do you have GET requests with parameters containing enough to identify a specific individual? Then your logs are sensitive and you must have a valid contract, informed consent, or provide some important service where this information is necessary.

There are gray areas which can make this difficult, but you the basic idea is enough information to identify an individual. A basic website where you log that IP address A viewed home.html is not enough. The knowledge that a 55 year old woman with particular name on a particular street address has an interest in photograhy and shoe size 9 probably is. The line is somewhere in between.

[input_sh]

GDPR is about collecting personally identifiable information, which is distinct from aggregate data that you can't trace back to the individua. Recital 26:

> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

So details definitely matter. Some self-hosted analytics do this by getting rid of the last octet of the IP address, though I doubt that's been tested in courts.

[anonzzzies]

If you can figure how many unique visitors your have, you have a problem. That must somehow fingerprint you.

[input_sh]

I posted a quotation straight from the recital of the GDPR that says anonymised data does not matter. I even gave a reference that you can look up. The recital even ends with this:

> This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

There is no ambiguity here, aggregate data is completely fine as long as I can't trace it back to you with a reasonable amount of effort.

[anonzzzies]

A DPO would disagree with you depending on the circumstance; if you know a user is unique then you have a fingerprint; if you keep that fingerprint forever, when the user comes back to the site, it's trivial to know it is that user.

[tonyhart7]

Anonim jwt guest literally did this same thing noo??? I mean if you just track anonim data

what I mean is you can track unique visitor of your app without privacy breach because you use anonim data

[tasuki]

If I install the Apache web server and accidentally expose the machine to the internet, am I violating GDPR by not having a cookie banner on the "Apache Default Page"?

[eitland]

Probably not.

But of you can still find a way to identify users from server logs, then probably yes.

[Reubensson]

Yeah, not using cookies is irrelevant if you use other means to track user. Also people like to think they need to show the "cookie banner" for all cookies regardless of how they are used.