
Plausible Analytics Isn't GDPR Compliant

54 points| ramboram | 5 years ago |blog.paranoidpenguin.net

75 comments


raverbashing|5 years ago

I think the article might be reading too much into it

Is Plausible actually tracking users? I mean actually allowing you to get a user's history (or IPaddr history) on your website across multiple days? (or a subset of this?)

If it does, then yes, it is not compliant without the user agreeing. If it doesn't, then no.

donohoe|5 years ago

Plausible Analytics is GDPR compliant - with one possible exception - the IP address which if they dropped the last 3 digits would probably be enough.

The blog post conflates general data points with PII. The IP address is considered PII.

While other info can be used for fingerprinting, it’s ok to use in some capacity as long as you don’t.

For background, I’ve done GDPR implementation in the past, am a privacy advocate in that sense, and have spent more time with lawyers on this subject than I’d care to admit.

(Pardon brevity/typos, on phone with unreliable connection)

nscmnto|5 years ago

The IP address, on its own, should not be considered PII.

There was a ruling in Breyer vs. Germany that IP addresses can be considered PII – in certain circumstances.

The case was brought against an ISP, and the court ruled that the company had enough correlating data at its disposal to make an IP address de facto PII for any of its customers. The court limited its ruling, saying that with just an IP address alone, the protections associated with the directive wouldn’t apply.

mikehall314|5 years ago

I was under the impression that they did not store IP addresses, though I could be incorrect.

Their docs suggest as much https://docs.plausible.io/excluding/

"Most web analytics tools do this by excluding certain IP addresses from being counted. However, we do not store the visitors’ IP addresses in our database for privacy reasons"

ukutaht|5 years ago

Thanks for clearing this up. The general data points and metrics we store are not personal data.

IP address is the only piece of data that we touch that is considered PII under some regulations including GDPR.

The IP address is fully anonymized by hashing it together with a daily changing salt. Old salts are deleted so as to prevent re-identification: https://github.com/plausible/analytics/blob/master/lib/plaus...

According to GDPR Recital 26, anonymized data does not fall within the GDPR at all because data is no longer considered “personal data” following anonymization:

> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
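
The rotating-salt scheme described above, as an added illustration (my own code, not Plausible's, whose source is at the link in the comment): one random salt per day, IDs derived as a hash over salt, IP, user agent and site, and salts purged after a retention window so that an old ID can no longer be recomputed. The hash inputs, the one-day retention window and the sample addresses are assumptions for the example.

```python
import hashlib
import secrets
from datetime import date, timedelta


class DailySaltStore:
    """Holds one random salt per calendar day and discards salts older than
    `retain_days` days, so an ID derived with a discarded salt can never be
    recomputed, not even by the operator. (Constructed for this example.)"""

    def __init__(self, retain_days=1):
        self.retain_days = retain_days
        self._salts = {}  # date -> 32 random bytes

    def salt_for(self, day):
        """Return the salt for `day`, generating it on first use, then purge old ones."""
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        self._purge(day)
        return self._salts[day]

    def _purge(self, today):
        cutoff = today - timedelta(days=self.retain_days)
        for old_day in [d for d in self._salts if d < cutoff]:
            del self._salts[old_day]

    def has_salt(self, day):
        return day in self._salts


def visitor_id(store, day, ip, user_agent, site):
    """Derive a daily visitor ID as SHA-256 over salt | IP | UA | site.
    The raw IP is only hash input here; nothing stores it."""
    salt = store.salt_for(day)
    material = b"|".join([salt, ip.encode(), user_agent.encode(), site.encode()])
    return hashlib.sha256(material).hexdigest()


def demo():
    """Exercise the properties discussed in the thread; returns a dict of facts."""
    store = DailySaltStore(retain_days=1)
    d0 = date(2020, 10, 20)            # constructed dates
    d1 = d0 + timedelta(days=1)
    d2 = d0 + timedelta(days=2)
    ip = "203.0.113.7"                 # constructed (TEST-NET-3) address
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    site = "example.com"

    id_day0_a = visitor_id(store, d0, ip, ua, site)
    id_day0_b = visitor_id(store, d0, ip, ua, site)
    id_day0_other = visitor_id(store, d0, "203.0.113.8", ua, site)
    id_day1 = visitor_id(store, d1, ip, ua, site)
    salt_d0_before = store.has_salt(d0)   # still inside the retention window

    visitor_id(store, d2, ip, ua, site)   # day-2 traffic triggers the purge of d0
    salt_d0_after = store.has_salt(d0)
    id_day0_recomputed = visitor_id(store, d0, ip, ua, site)  # fresh random salt now

    return {
        "same_day_stable": id_day0_a == id_day0_b,
        "distinct_visitors_differ": id_day0_a != id_day0_other,
        "cross_day_unlinkable": id_day0_a != id_day1,
        "salt_kept_within_window": salt_d0_before,
        "salt_purged_after_window": not salt_d0_after,
        "id_not_recomputable_after_purge": id_day0_recomputed != id_day0_a,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the rest of the thread argues over is visible in the last two checks: while the day's salt is still on disk the operator can recompute the IP-to-ID mapping, so the data is pseudonymous at best; the anonymization claim rests entirely on the salt being destroyed, and on the salt being random and secret, since the IPv4 space is small enough that an unsalted hash of an address would protect nothing.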

corentin88|5 years ago

GDPR states “For data to be truly anonymised, the anonymisation must be irreversible”. So dropping 3 digits is clearly not enough to anonymize PII, it’s more pseudonymization.

scoot_718|5 years ago

Actually with CGNAT IP (and arguably before then) IP addresses aren't personally identifiable information.

That said, the GDPR is deranged and might define things differently. Blocking the EU is safer.

Of course there are research exceptions that you could drive a truck through, and logging is still valid, so none of this matters.

ramboram|5 years ago

I've been looking into GDPR and when a cookie consent is needed. In fact, there's no thing called "cookie consent". If you track a user, you have to get his consent before doing it, whether you use cookie consent or not. Ever since I joined HN, there's a lot of marketing going on here from privacy-first Google Analytics alternative guys. I found this review showing Plausible and similar products using browser fingerprints and CNAME cloaking for user tracking, and they still promote those features.

I'd like to know your opinion on this. Do I still need to use a consent banner if I use these services?

Thanks.

franky47|5 years ago

> If you track a user, you have to get his consent before doing it

This would mean any server-side analytics (looking at access logs, which include IP address and user-agent) cannot be used for analytics or tracking, since there is no way for a user to give/deny consent to a page that already has logged information on them.

mrweasel|5 years ago

I don't have the answer, but the consent banners are interesting.

I have two browser plugins: "I don't care about cookies" and "Never Consent". I'm not sure what Never Consent does technically, but the other one just hides the DOM element with the cookie thingy.

That means that I never see the "consent" banners so I can't click the "Okay" buttons. I should test to see how many sites just assume OK to cookies because I didn't click "No".

On a positive note I do see more and more sites making it just as easy to say no to tracking as saying yes. Though sites are better at remembering a yes to tracking, compared to a no.

lucideer|5 years ago

I think a lot of the confusion around the consent banner stuff arises from the 2002 EU ePrivacy Directive (ePD)[0] which long predates GDPR.

ePD introduced the idea of the cookie consent banners we see today.

While it was enacted in 2002, ePD didn't really start to come into broad legal force in many member states until ~2010ish (EU Directives are not like federal laws; instead they're implemented & enforced by individual member states separately).

GDPR's focus on prior consent makes consent banners in their popular format largely useless, but when GDPR came along, the intent was that ePD should have been replaced by the accompanying EU ePrivacy Regulation (ePR)[1] to clarify this. ePR has been delayed, so we're in this ambiguous place.

[0] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

[1] https://en.wikipedia.org/wiki/EPrivacy_Regulation

donohoe|5 years ago

Not a lawyer, but you do not need a consent banner with their services.

This is as much about what information is available AND what you do with it. Browsers send information whether you ask/use it or not.

At a high-level (and not necessarily speaking about Plausible here cos I don't know the inner workings), it is ok for a service to use personal information (looking at the IP address here) if in a form that is not traceable back to a user, and not used for tracking individuals.

In this case the use of CNAME is fine, it's just to stop the blunt blocking of JS etc. that happens as a reaction. It's worth noting that GDPR does permit data collection for essential services and (there is some dispute/debate on this) basic site analytics can be considered essential services.

In regards to Plausible, they are commenting directly here and seem to be addressing all these concerns.

IMHO the blog post author sees a problem at the surface level but is not an expert - but for those of us more familiar with the legal framework behind this, the exceptions, and the distinctions of how information is used (and supporters of GDPR), what Plausible doing is good and compliant.

(To be clear; I'm not affiliated with them - am just supportive of GDPR friendly alternatives like this one)

M2Ys4U|5 years ago

Cookies aren't regulated by the GDPR[0] but instead by the ePrivacy Directive.[1]

Article 5(3) of that directive states that

"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

In other words, unless the cookies are strictly necessary to providing you with the service then you must provide users information about what the cookies are used for, and you must offer an opt-out.

(It's also worth pointing out the generality of this Directive, too: It doesn't only apply to cookies, but also to things like localStorage).

The ePrivacy Directive is, as its name suggests, a Directive which is addressed to member states of the European Union which have all written it in to domestic law.

In the UK, for example, it was implemented as PECR[2].

[0] The ePrivacy Directive does reference the old legislation that the GDPR replaces, so you should consider the reference in the ePD to Directive 95/46/EC as a reference to the GDPR. This means the standard of "consent" is the GDPR's standard now.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

[2] https://ico.org.uk/for-organisations/guide-to-pecr/what-are-...

KingOfCoders|5 years ago

Cookie consent is (mainly) a different EU directive and not part of GDPR. It will be newly regulated by the - long delayed - ePrivacy directive.

"Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. Despite their importance, the regulations governing cookies are split between the GDPR and the ePrivacy Directive." https://gdpr.eu/cookies/

sarnowski|5 years ago

The cookie banners come from the ePrivacy Regulation and are supposed to inform you that the website is storing data on your device and that you can opt out (not in) of it.

Consent is required by GDPR but not for the technical circumstance that you store a cookie but that you use it for profiling. Some lawyers argue that basic web performance is legitimate interest especially in e-commerce, others don’t risk it and ask for consent (which is strictly opt in).

bmcn2020|5 years ago

If you're tracking a user in the EU, you need consent. The GDPR doesn't cover the 'how' -- just that it needs to be done. So, if there's tracking of any kind, you'll need consent.

Applies off site as well -- pretty much every cold email tracking software, like Yesware, is in violation of GDPR, since you didn't get the recipient's consent to track their opens and clicks.

_the_special_|5 years ago

Doesn't the GDPR protect against storing "Personally identifiable information"? Plausible does use the IP address of the visitor to create a unique visitor ID, but it does not store it, so I am not sure how you can use that information to link it to an individual.

M2Ys4U|5 years ago

The GDPR regulates the use of "personal data", which is broader in scope than "personally identifiable information":

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

Nextgrid|5 years ago

If the algorithm for turning an IP address into a visitor ID is reversible then that ID is equivalent to the IP address as far as the GDPR is concerned.

lez|5 years ago

I have the feeling that GDPR and cookie consent laws themselves, ironically, make it harder for services to provide privacy.

cuu508|5 years ago

How so?

Storing a "user has opted out from tracking cookies" binary flag in a cookie is not the same as storing a unique identifier in a cookie.

nodex-alex|5 years ago

Most websites are not GDPR compliant, if you don't like it then lodge a complaint with the relevant regulator.

KingOfCoders|5 years ago

a.) The term "GDPR Compliant" does not exist. All software can be "GDPR Compliant" and still do fingerprinting if there is consent or necessity (hard to do). What they mean is that you do not need to get consent from your users to use Plausible.

b.) They don't store IP addresses. The information they gather is not stored in a way to build user profiles or do fingerprinting.

It doesn't look like the article's author took a look at the Plausible documentation or source code.

KingOfCoders|5 years ago

I was implementation lead for several GDPR implementations in Germany. Only on HN would a comment with facts that clarify a subject where a lot of misinformation exists get downvoted.

If you've downvoted that comment you have done the community a disservice.