top | item 40911055

(no title)

„ In comparison, in the context of the European GDPR, the Article 29 Working Party[6] considered hashing to be a technique for pseudonymization that “reduces the linkability of a dataset with the original identity of a data subject” and thus “is a useful security measure,” but is “not a method of anonymisation.”[7] In other words, from the perspective of the Article 29 Working Party, while hashing might be a useful security technique, it is not sufficient to convert personal data into deidentified data.“

https://www.gtlaw-dataprivacydish.com/2021/03/what-is-hashin...

discuss

number6|1 year ago

I am a DPO. The claims Plausible makes won't hold up to scrutiny.

It's a simple trick: declaring all data collected to technical data, when in fact it is linkable to a data subject.

Thus collection of the data requires consent, because a subject is identified at least for the session.

If you can identify unique visitors you are clearly identifying individuals.

makach|1 year ago

Indeed you are correct. Plausible it is not. They should put their cookie consent back up, and need to inform their users how they are indeed processing the data collected from personal users.

Symbiote|1 year ago

  hash(daily_salt + website_domain + ip_address + user_agent)

That's what they do. Within 24 hours the daily salt is gone, and the data is anonymous.

https://plausible.io/data-policy#how-we-count-unique-users-w...

newusertoday|1 year ago

what are your thought on aggregated data? you can still identify unique visitors but its aggregated data so you can't link it back to the individual.

I have doubts that just identifying unique visitors would also identify individuals. Their current approach of creating random id which is unique for 24 hours should not violate GDPR? or it would?