
Show HN: Trackless - A GDPR-Friendly Google Analytics Opt-In Button - ascorbic
https://github.com/ascorbic/trackless
======
galadran
> Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other
> method of default consent.

[...]

> You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out
> boxes or other default settings.

Source:

[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/)

~~~
jdietrich
_The GDPR sets a high standard for consent. But you often won’t need consent.
If consent is difficult, look for a different lawful basis._ (ibid.)

Anonymous data is specifically excluded from GDPR. Google Analytics provides
an IP anonymization feature. If you're absolutely confident that your users
can't be personally identified based on the data being sent to Google
Analytics, then you don't need consent.

[https://gdpr-info.eu/recitals/no-26/](https://gdpr-info.eu/recitals/no-26/)

[https://support.google.com/analytics/answer/2763052?hl=en](https://support.google.com/analytics/answer/2763052?hl=en)

[https://support.google.com/analytics/answer/6366371?hl=en&re...](https://support.google.com/analytics/answer/6366371?hl=en&ref_topic=2919631)

~~~
Silhouette
There is a broader issue with web sites that incorporate external content that
I haven't yet seen addressed.

The moment you load a resource on your page from an external source, you lose
almost all control of what the operator of that external source does with any
personal data that your visitor's browser sends to them, any cookies it sends
with its reply, or what it does more generally in the case of executable
resources.

Given that modern web sites routinely incorporate external assets for a
multitude of reasons, has anyone ever found any official, authoritative
guidance on who is the data controller or data processor in such cases, how
they are expected to meet any obligations they have in terms of transparency
and obtaining consent, or the related question of who is responsible for
giving notifications or obtaining consent if required under the "cookie law"?

~~~
Kliment
The way I understand it, it's extremely simple. Say you have a site. You are
the contact point with the data subject, and therefore you are the controller.
Anyone you subcontract spying on your users to is a data processor acting on
your behalf, and therefore you are responsible for their behavior. You should
have agreements in place with all your external resource providers that touch
personal data. If any personal data leaks to them, you are responsible for
notifying users of this and obtaining their consent if required. In most cases
for external assets where no personal data is expected to flow to the asset
provider (say loading fonts from a CDN) it's sufficient for the asset provider
to give you their assurance that they don't collect or store data from
visitors you send their way. If you have an adverterrorist-operated spyware
embed like most ad networks on your site, then it's your responsibility to
ensure that the adverterrorists are handling the data in a compliant way, and
you need to notify your users of your relationship and obtain their consent to
pass their data to a third party. Just because you are using a third party to
do the spying does not remove your responsibility.

~~~
Silhouette
_Say you have a site. You are the contact point with the data subject, and
therefore you are the controller._

But that's not how the controller is defined in the regulations. To be
the controller, you must be "the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data". If you don't even have
any way to know what personal data a third party is collecting or how it's
being used, and you're linking to content that is freely available but over
which you have no control, you're not even close to fitting that definition.

_You should have agreements in place with all your external resource
providers that touch personal data._

But that fundamentally breaks most of the modern WWW, which is not a
reasonable thing to do. You can't even have a personal blog linking to a
jQuery CDN to expand or contract your sidebar or Google Fonts to make things
look pretty at that point.

_Just because you are using a third party to do the spying does not remove
your responsibility._

If they're spying at your request and on your behalf, that's one thing.

But it is inherent in the technologies of the web that third parties may be
doing all kinds of things without your knowledge, consent or control.
Moreover, even if you have somehow satisfied yourself that there is nothing
inappropriate going on when you first incorporate external content in your
page by reference, there is in general no technical mechanism to guarantee
that the situation will not change later. In some limited cases tools like
subresource integrity can help, but they only address specific parts of the
general issue.

------
weinzierl
Matomo (formerly Piwik) offers an iframe you can insert in your privacy policy
to handle the opt-out and opt-in.

Furthermore, if the ePrivacy Regulation (ePR)[2], which was supposed to enter
into force alongside the GDPR in May 2018 but was delayed, should be adopted
in its current form, first-party analytics like Matomo will not require
consent. See [3]:

> The proposal also clarifies that no consent is needed for non-privacy
> intrusive cookies improving internet experience (e.g. to remember shopping
> cart history) or cookies used by a website to count the number of visitors.

[1]
[https://matomo.org/faq/general/faq_20000/](https://matomo.org/faq/general/faq_20000/)

[2]
[https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_...](https://en.wikipedia.org/wiki/EPrivacy_Regulation_\(European_Union\))

[3] [https://ec.europa.eu/digital-single-market/en/proposal-epriv...](https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation)

------
neetso
Don’t think you need this if you’re just using Google Analytics and have set
it to only log anonymous IPs. You do need to have a cookie policy on your
website such as this one on the ECB’s website:
[https://www.ecb.europa.eu/home/data-protection/html/index.en...](https://www.ecb.europa.eu/home/data-protection/html/index.en.html)

------
StavrosK
This is a good idea (even though it's actually not GDPR compliant by default),
but I think it would be much more useful if it were a "click here to install
AdBlock Origin" button.

Also, who in their right mind would click "enable Google analytics" in opt-in
mode?

~~~
ascorbic
I'm planning on adding it to one of my sites in opt-in mode. I can write a post
on what that does to the analytics after it's been up for a month or so.

~~~
StavrosK
I would be extremely interested to read the results.

------
lazyjones
DNT is already opt-out functionality. Why force users to press extra buttons
and provide localStorage? Does this even work in private browsing mode?

~~~
weinzierl
This is actually what the (hopefully) upcoming ePrivacy Regulation (not to be
confused with the existing ePrivacy Directive) suggests [1]:

> Simpler rules on cookies: the cookie provision, which has resulted in an
> overload of consent requests for internet users, will be streamlined. The
> new rule will be more user-friendly as browser settings will provide for an
> easy way to accept or refuse tracking cookies and other identifiers.

[1] [https://ec.europa.eu/digital-single-market/en/proposal-epriv...](https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation)

~~~
kodablah
Ugh, legislation requesting/suggesting browser features now? Or am I
misreading? I wish they'd just leave people alone.

------
dtx1
> GDPR-Friendly

> Opt-Out

I don't think that's how it works

~~~
merinowool
It is also missing "Delete my data" and "Download my data" options.

~~~
shabble
A good point!

How do you access data that's held about you by/in Google Analytics, anyway?

~~~
butz
Not sure about accessing collected data, but you can delete user data from
Google Analytics using the User Deletion API
([https://developers.google.com/analytics/devguides/config/use...](https://developers.google.com/analytics/devguides/config/userdeletion/v3/))

------
czardoz
Great, another button I've to click (apart from the annoying cookie notices)
before getting to the website content. If this becomes popular, I'd think
about creating a browser extension that automatically opts out of this.

------
Sir_Cmpwn
Instead, consider simply removing Google Analytics from your website entirely.

~~~
nicbou
There are legitimate reasons to need to know how your website is being used.

~~~
Sir_Cmpwn
You can find them out without Google Analytics. Careful study of your HTTP
logs or tools like Piwik are also suitable.

------
FabianBeiner
Why not just use what Google already provides?
[https://developers.google.com/analytics/devguides/collection...](https://developers.google.com/analytics/devguides/collection/gajs/?hl=de#disable)

------
polote
Why would you want to opt out from Google Analytics, seriously?

They just record on what you click, and have no (and will never have) idea of
who you are.

~~~
yoz-y
Google Analytics provides only aggregate data to the site owners. But I think
that Google themselves use it to improve their ad targeting algorithms,
because why wouldn’t they?

~~~
ascorbic
Yes, exactly this. Even if a site has enabled IP anonymity, Google still has the
tracking cookies.

~~~
dbbk
Yeah, IPs are only used for determining location I believe.

