fuzzymind | 5 years ago

Cookies are not an issue for GDPR; it's all about respecting users' privacy. In fact you can freely store anonymous data to cookies, localStorage, and sessionStorage without issues. The problem comes when you are dealing with personally identifiable information such as permanent identifiers.

You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible. Any service that accesses the device information such as the URL needs permission from the user according to the ePrivacy directive.

We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:

https://volument.com/learn/data-privacy

AdriaanvRossum|5 years ago

Founder of Simple Analytics [1] here. There is a lot of information around cookie banners that is just not true. For example, cookies are not limited to the technology of cookies, it contains any piece of information that you can use to track a user. An IP address, localStorage, sessionStorage, ... You are allowed to add a functional cookie with a dark mode setting for example without a cookie banner. You can't use an analytics cookie without a cookie banner.

What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personally identifiable information. This includes, but is not limited to, an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information; this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.

You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.

Cookie banners are also a thing that is implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR. The e-Privacy was already in place before the GDPR and the GDPR is somewhat a clarification of it.

Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they are tracking your user and you might need a cookie banner.

[1] https://simpleanalytics.com

tipiirai|5 years ago

Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.

The ePrivacy is just a _directive_ and doesn't oblige to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service for opt-in or opt-out style banner. [2]

Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.

[1] https://volument.com

[2] https://volument.com/learn/data-privacy

ThePhysicist|5 years ago

The GDPR is not a clarification of the ePrivacy directive, on the contrary. The ePrivacy directive "particularises" certain aspects of the GDPR. National implementations of the ePrivacy directive (which, unlike the GDPR, needed to be put in laws within each EU country) that e.g. regulate certain aspects of electronic communication have priority over the GDPR as a "lex specialis". Wherever such provisions do not exist, the GDPR takes precedence as a "fallback legislation".

If you don't trust my word on this you might want to check out the official stance of the European Data Protection Board on this (from 2019): https://edpb.europa.eu/sites/edpb/files/files/file1/201905_e...

The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.

briandear|5 years ago

> You can't use an analytics cookie without a cookie banner.

In what country? There is certainly no US law, to my knowledge, that says that.