IP processing and GDPR framing #1820
Replies: 5 comments 1 reply
-
thanks for reaching out @fjsousa! if you're unsure about our approach, it's best to consult with your legal team. we provide detailed information on how Plausible is built to help you comply with the different privacy regulations in documents such as the data policy and the DPA. by looking at this info, your lawyer can help you decide whether our service allows you to fulfill the legal requirements that apply to you about legal verification more in general: we work with an international law firm to consult us about the privacy regulations, help us draft the legal documents etc. recently, an external legal team that we have no connection with audited Plausible and gave us top scores: https://www.privacyboard.co/software/plausible. hope this helps but again if unsure, best to consult your legal team. |
Beta Was this translation helpful? Give feedback.
-
Hi @metmarkosaric. After a closer look, I'm not sure https://www.privacyboard.co/software/plausible is a valid legal report. There's no one signing the document with legal accreditation, or any legal background at all, as far as I'm aware, it's just someone else's opinion. You make bold claims about not needing cookie consent, but when pressed about it, you reply that "it's best to consult with your legal team". You mentioned that you were working with an international law firm looking at your stuff, could you share any documentation stating that indeed, collecting IPs for analytics in this case does not require user consent. The fact that I'm sending personal identifiable information from my users to your servers for analytics should require consent. The care you put into the hashing algorithm are reasons for users to accept consent, not to assume implicit consent. If you have a professional statement about it, please share, otherwise statements like these will mislead people: This is important because I was about to tell clients that run small businesses that "it's fine, you don't need to run those pesky consent banners if you use analytics like plausible". Now I fell I can't make that claim any more. I'm not trying to attack your tech. I do think that your approach to privacy is sound, and your business model is laudable. But technically, with the way GDPR is stated, unfortunately, it seems that you can't make the claim that you don't need to ask user consent before running your script. |
Beta Was this translation helpful? Give feedback.
-
For reference, I found this document from the French data protection authority(in French) - it lists a set of analytics solution, and it's correct configuration to fall within the scope of legitimate interest. Based on that, Matomo published this caveat stating an exception from cookie/tracer banner in France only. |
Beta Was this translation helpful? Give feedback.
-
@fjsousa Thank you for this thread. I have done some research on this topic as well - and have not arrived at a definitive answer either. Have you found any more insight on this? The more I read, the less I trust claims like "no need for consent". |
Beta Was this translation helpful? Give feedback.
-
@Fruup this topic seems to generate a lot of discussion online. I wrote my thoughts on my blog, which got some clarifying comments on reddit. Here's another interesting issue opened shortly after mine. It seems that under a strict interpretation of the "cookie law" you need consent because you're processing user/device information. On the other hand, because Plausible and other privacy-friendly technologies are not tracking users across the internet, some people are saying that you don't need consent. I wish the latter to be true, but so far I haven't seen anyone with authority signing off on this, and @metmarkosaric refuses to address their user's concerns. |
Beta Was this translation helpful? Give feedback.
-
I've been a customer for a few years, and I'm now considering using Plausible for a commercial project of mine, which shares the same privacy-focused values. I do have some questions about the legal framework in the EU, namely, if I have to ask for user consent given that IP are considered PII.
I'm by no means knowledgable on GDPR and from what I've read there's a lot of room for manoeuvre regarding for instance the notion of legitimate interest.
First, it seems to me that the cookie consent banners are more of an industry standard than an explicit GDPR requirement. GDPR frames user consent in terms of processing of PII and touches only briefly on cookies. From https://gdpr.eu/cookies/:
According to Article 6, all processed PII needs, among other options, consent from the user or to be a case of legitimate interest - Lawfulness of processing.
What I take from this is that even if you don't set cookies, you might have to ask for consent if you're handling PII in a way that isn't of legitimate interest (or falling under any of the other justifications in Article 6.)
Given that IP is PII (according to Recital 30) and that Plausible processes IP to dedup page views (although it doesn't store it), is this processing falling under legitimate interest? Has there been some sort of legal verification?
Again, I'm by no means an expert in GDPR, so feel free to correct me in any of the points above.
Beta Was this translation helpful? Give feedback.
All reactions