top | item 40924176

(no title)

janosd | 1 year ago

AFAIK it's not enough to write it in your privacy policy. Art 21 of the GDPR makes this explicit:

> (4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

I am not a lawyer, but as far as I can tell, there is no legal way to collect PII (including IP address) or place tracking identifiers on the user's device without at least informing the user explicitly under the GDPR and the ePrivacy Directive.

discuss

number6|1 year ago

You are correct. In early days of the GDPR people thought about a page in front of the original page without any data collection presenting only the privacy information.

But soon there was an agreement that Art 13 lit. 4 could be interpreted that as long as you don't have any data collection beyond server logs this would be deemed as sufficient. Or in other words if you won't invoke the Art 21 lit. 1 of the GDPR.

But since everybody wants to track you on basis of their legitimate interest the web became full of cookie banners