[miragecraft]

A couple of days ago I was researching website analytics and GDPR/cookie law, and it seems clear that you need user consent even if IP addresses are only processed or temporarily stored before being discarded.

Arguing otherwise is like claiming it’s legal to steal from a store as long as you return the goods the next day - it’s legal fantasy.

I don’t think the EU is eager to go after these “ethical” analytics companies or their users, since they have bigger fish to fry. But if you think you’re legally in the clear using these solutions without user consent, you’re fooling yourself.

[XCSme]

The law will change soon as far as I know, but still, the best way to respect data privacy laws is to not send your data to other companies AND to avoid tracking personal and sensitive data as much as possible. If you self-host and don't share the tracked data, you are already doing better than 99% of the companies

[dns_snek]

> it seems clear that

Can you elaborate?

[miragecraft]

The logic is simple, as soon as you collected and/or processed IP addresses, you need user consent as it is personal data.

You don’t get to “undo” this requirement by discarding the IP address afterwards, the law doesn’t care.

Others have come to the same conclusion: https://github.com/plausible/analytics/discussions/1963

[dns_snek]

I see, I was confused because you mentioned GDPR but it has everything to do with ePD and I wasn't aware of this issue, thanks for sharing!

> Arguing otherwise is like claiming it’s legal to steal from a store as long as you return the goods the next day - it’s legal fantasy.

That said, this strongly implies that these privacy-focused analytics platforms are unquestionably breaking the GDPR and behaving in an unethical way, but that seems like a huge overstatement.

I've read the linked blog post and it seems like the analysis hinges on the precise wording of the ePD rather than GDPR. By their own admission, these analytics solutions seem to be in line with both the letter and the spirit of GDPR. The author even agrees that the wording of the ePD should be addressed and notes:

> Unfortunately I came to the rather demotivating conclusion that there simply isn’t any way to implement web analytics without running afoul of the ePrivacy Directive.

> This was a surprising conclusion at the time. Morally we can go very far: we can put a lot of smart stuff together and create a system that can’t be used to track individual users. But legally, that doesn’t particularly matter. The ePrivacy Directive is written as it is.

> Even the EU Data Protection Working Party decries this. In their 2012 opinion they write:

> the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. […] In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes.

So it's not that these companies are doing anything inherently immoral or unethical as far as their handling of personal data goes, but they might be behaving unethically by making claims that run afoul of other legislation (ePD) that clashes with the GDPR.