top | item 29923634

(no title)

cdrx | 4 years ago

> As for the privacy laws regarding tracking IP addresses, it's not very clear whether it requires consent or not as the law is ambiguous. The IP itself alone can not be directly considered personally identifiable information (PII) as having an IP address only, can not define which real person is the data associated with.

"PII" has a specific meaning, in American law. Sites with references to it are likely not relevant to you, as you are based in Romania. The GDPR is crystal clear that IP addresses are personal data. There is no ambiguity. Depending on how you derive the hash of the IP and user agent, this could also be an "identifier" that may be personal data.

But! There are six different reasons you can legally process personal data. Consent is only one of them. It is quite likely that a website owner would have a valid legitimate interest basis for having analytics. This does not require consent from the user.

The only caveat to that; is that if the analytics needs a cookie (or local or session storage item) then you must seek consent for the cookie.

discuss

No comments yet.