
GDPR and Google Analytics - philnash
https://adactio.com/journal/13364
======
cromwellian
Let’s all have a moment of silence for John Perry Barlow’s Declaration of
Cyberspace Independence back when it was envisioned the internet would be a
place where any entities could communicate or associate free of government
control or censorship.

Loads of people in here who support the concept of net neutrality which helps
enable permissionless innovation by not imposing huge costs on those who
publish or allowing others to impose costs on them, now cheerlead for the
right to impose extraterritorial regulation without representation.

There was a time you could just set up a site on the net and not have to worry
about much, apparently now you have to worry about the Union of all possible
foreign laws in case anyone from outside geographic regions visits your site.
It could be a race to the lowest common denominator of freedom, or
conversely yield balkanization of the internet as more Geo-IP blocks go up or
more great firewalls.

How many of you love “this video or music isn’t available for playback in your
region”?

That could be much more common in the future and contrary to commentary far
more likely to hurt smaller and medium sized players than the real targets of
the laws.

~~~
iddqd
You can still set up a site and not have to worry about much, as long as
you're not processing other people's personally identifiable information
without their explicit consent.

~~~
smhg
But then you don't consider the IP address personally identifiable
information? The GDPR does.

~~~
iddqd
You can serve web content without storing the IP address of the user. If you
need to use it for anonymous correlation of requests, you can hash it first.

~~~
smu
In addition, you can store the IP address if you want to use it for infosec
(such as, finding out who to block in case of a ddos attack). See
[https://gdpr-info.eu/recitals/no-49/](https://gdpr-info.eu/recitals/no-49/)

The recital also mentions "accidental events that compromise availability,
integrity, authenticity,..." That seems to cover debugging for me. No need to
ask for consent.

To do certain analytics like page count, you don't need the IP, so that seems
ok for me. To track individual customers however, that's something else.

PS: according to GDPR, a hashed IP will be "pseudonymisation", not
anonymisation because you can have a key to go back to the original value.
True anonymisation removes all info (the IP in this case).

~~~
cromwellian
Most small web sites don’t have the resources for this. Many don’t even know
if they will have analytics in the beginning, or info sec.

People tend to set up sites and just stash web logs in the beginning. They
then learn later what their business needs are and may decide to post process
their logs.

You're suggesting a new site pay all of these costs up front to comply with
these regulations; you can't time-shift concerns by collecting data and
deciding whether you need it later.

Granted, you could argue that this is bad practice anyway, but many startups
work exactly like this, maximum logging early, dropping retention later after
beta.

If you are not physically hosting in the EU, how many people want to even read
the GDPR? A lot of sites don’t even know where their users are coming from
until they run analytics.

~~~
smu
Actually, I was trying to point out ways to not have to remove/prune your
logs...

~~~
cromwellian
Right but these days, if you rent a cloud hosted docker container with say,
nginx or httpd, you'll get HTTP logs via fluentd with full IP address
information, and a lot of people will push these into storage like S3 or GCP
buckets for analysis later.

If you, say, use a point-and-click installation of Wordpress on AWS/GCP/Azure,
you're going to get IP logs being held. I'm just pointing out that the
regulations impose a lot of costs and expose people to huge risks.

I mean, can I be held liable if I use an open source downstream dependency
from npm or Maven, and it just so happens to have debug logs that are storing
info, and I didn't know about this logging because I didn't audit every line of
code from a downstream dependency?

For large companies, this isn't going to be a problem, but the entire open
source ecosystem operates on a system that for the most part, you aren't
exposed to legal liability by them, except in cases like patent violations or
copyright infringement, but now there's a huge cognitive burden being levied
on top by a massively complicated new regulatory framework.

------
x0x0
My problem with the GDPR is the EU can't even be bothered to tell us what it
is before the effective date. And the GDPR itself is quite vague; lots of
balancing tests and blah blah with very little guidelines on what those mean
in practice. So where do the guidelines come from? Funny you should ask.

Consider the ICO -- the UK privacy commission -- has been promising final GDPR
guidance for perhaps half a year now, and instead are sitting around with
their thumbs up their asses waiting on the Article 29 Working Party final
guidance. The Article 29 Working Group held comments open until 23 January
2018. Some unknown amount of time later, that working group will finalize, and
_then_ some unknown amount of time later, the ICO will issue their guidance.

But don't you worry, the ICO plans to offer no grace period to us!

How the hell organizations are supposed to be ready by 25 May when they _may_
receive final guidance in late February is a hell of a question.
Realistically, considering the ICO's adherence to deadlines so far, they're
gonna deliver their final guidance promptly for May 2019.

I'm essentially assuming users will be hit with a blizzard of opt-in
dialogues.

One of the few things in the GDPR that will have impact is if you use consent
as a legal basis for processing, everything has to be default opt-out.

~~~
BinaryIdiot
While I largely agree with you, for the most part enough guidance has been
available that many companies have been preparing to handle GDPR. They should
have done a far, far better job with this but it's not entirely a "We won't
know anything until late Feb" kind of thing.

~~~
x0x0
That's true, however, there's no fixed limit to the possible distance between
draft and final guidance.

Say you have a large marketing database and you're trying to figure out the
nuances of consent. Or you are a large bank and run on a fidgety mix of
consent and legitimate interests. Three months is nowhere near enough time to
get everything finished.

------
sb8244
It might be an unpopular opinion here, but I'm not entirely sure that the GDPR
is going to be a good thing. It seems strange to me to have this enforcement
of policies from countries that are not my own just because my website is
accessible from those countries.

On top of that, developing business software becomes incredibly complex when
navigating all of the potential ramifications of these policies. I thought it
was strange that the SAP SDK at a hackathon essentially required the app to
get OAuth permission from the user to access / write an encrypted payload that
the app couldn't read / access / delete / update without user consent.

~~~
danieldk
_It might be an unpopular opinion here, but I 'm not entirely sure that the
GDPR is going to be a good thing. It seems strange to me to have this
enforcement of policies from countries that are not my own just because my
website is accessible from those countries._

I see your point, but a large majority of web sites are extremely misbehaving,
since they allow Google (and typically a bunch of other analytics firms) to
track users around the web without any consent (through Google Analytics). I
find this terribly frustrating. I decided to opt out of the Google ecosystem
completely, but data about me is still vacuumed through Google analytics and
Google-hosted JavaScript/CSS. I use uMatrix, but blocking Google-hosted assets
is out of reach for most non-technical users.

We would not be here in the first place if companies and website owners
treated the user's privacy with respect. I don't feel pity for them that they
jump through hoops now.

If you host a small personal site, just consider axing Google analytics. You
can get reasonably good statistics by just using a local log analyzer that
does not upload your visitors' data to an analytics/ad company. Respect your
users' privacy.

~~~
jshen
Maybe I’m misunderstanding GDPR, but can you explain how tracking your users
through logs is OK within the GDPR, but Google Analytics isn't?

~~~
beberlei
Logfiles are necessary to operate a service securely and guarantee quality of
service. This is one form of implicit consent that users are giving you
without you having to ask them for it.

But storing IP addresses for each access indefinitely (> some days) is the
problem.

If you rotate the files into a version where IP addresses are without the last
part after a few days, then this is considered pseudonymous data and GDPR has
no problem with you keeping this for a long time anymore.
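
The log handling sketched by smu above (a hashed IP is pseudonymisation, because whoever holds the key can go back to the address, while real anonymisation drops the information) and by beberlei here (keep full addresses for a few days, then rotate to a version without the last part) as one worked example in Python. This is added by the editor, not code from the thread or from any of its posters; it assumes nginx/Apache "combined" log lines, and the sample records, the fixed "now" and the HMAC key are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in nginx/Apache "combined" format (not from the thread).
# The first four are dated 10 Feb, the last one 19 Feb, so the retention window shows.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Feb/2018:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Feb/2018:10:15:33 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.org/" "curl/7.58"
203.0.113.42 - - [10/Feb/2018:10:15:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not-an-ip - - [10/Feb/2018:10:15:41 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
198.51.100.7 - - [19/Feb/2018:08:00:05 +0000] "GET /status HTTP/1.1" 200 12 "-" "monitor/1.0"
"""

# Demo-only values: a fixed "now" for the retention check and a throwaway HMAC key.
# A real key comes from a secrets store and must never be kept next to the logs.
NOW = datetime(2018, 2, 20, tzinfo=timezone.utc)
DEMO_KEY = b"demo-key-do-not-use-in-production"

CLIENT_FIELD = re.compile(r"^(\S+)(\s.*)$")  # client address is the first field
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def truncate_ip(raw, v4_bits=24, v6_bits=48):
    """Drop host bits: 203.0.113.42 -> 203.0.113.0, IPv6 -> its /48 prefix.
    This is the "without the last part" rotation: nothing recovers the original
    and many clients map to one value, so it goes further than a keyed hash."""
    addr = ipaddress.ip_address(raw)  # raises ValueError on junk
    bits = v4_bits if addr.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def pseudonymise_ip(raw, key):
    """Keyed HMAC-SHA256 of the packed address. Equal clients give equal tokens,
    so requests still correlate, but the key holder can recompute any address's
    token: pseudonymisation, not anonymisation. An unkeyed hash would be worse,
    since all 2**32 IPv4 values can be hashed and matched in minutes."""
    addr = ipaddress.ip_address(raw)  # normalise first (IPv6 zero groups etc.)
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]


def rewrite_line(line, transform):
    """Apply `transform` to the client field. Unparseable fields become "-"
    instead of passing through, so junk can't carry an address past the filter."""
    m = CLIENT_FIELD.match(line)
    if m is None:
        return None
    client, rest = m.groups()
    try:
        client = transform(client)
    except ValueError:
        client = "-"
    return client + rest


def rewrite_log(text, transform):
    """Rewrite every line; lines that don't look like log records are dropped."""
    return [r for r in (rewrite_line(l, transform) for l in text.splitlines()) if r is not None]


def age_out(text, now, keep_full_days, transform=truncate_ip):
    """Rotation policy from the thread: full addresses survive only for
    `keep_full_days` (abuse blocking, debugging); older records are stripped.
    Records without a parseable timestamp are dropped rather than kept whole."""
    cutoff = now - timedelta(days=keep_full_days)
    out = []
    for line in text.splitlines():
        m = TIMESTAMP.search(line)
        if m is None:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if when < cutoff:
            line = rewrite_line(line, transform)
        if line is not None:
            out.append(line)
    return out


if __name__ == "__main__":
    for rec in age_out(SAMPLE_LOG, NOW, keep_full_days=7):
        print(rec)
    for rec in rewrite_log(SAMPLE_LOG, lambda ip: pseudonymise_ip(ip, DEMO_KEY)):
        print(rec)
```

Run it and the first listing shows the four 10 Feb records with truncated addresses (the junk field replaced by "-") while the 19 Feb record keeps its full address; the second listing shows the same client collapsing to the same HMAC token on its two requests. Wire `age_out` into the rotation step (logrotate postrotate, or a daily cron) and pass `pseudonymise_ip` only when you genuinely need to correlate requests across the retention window, remembering that the key then has to be protected and erased as carefully as the raw addresses.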

~~~
jshen
Local log files are not automatically compliant by my reading of the GDPR, but
IANAL. My understanding is that PII is a huge risk, regardless of it being
local or with a vendor, and you aren't allowed to track things that you aren't
actively using for some business process. Many default log formats have data
that people don't actively use, which seems to be a violation of GDPR even for
local files.

Again, IANAL.

------
ocdtrekkie
Can the US please just pass this too? The EU's current stance on privacy and
individual rights makes me want to pack up my life and move there. I'd much
rather the law just come here though.

~~~
ysv2
A lot of the GDPR's provisions are admirable, and fundamentally good for
citizens. I'd like (some) similar rules in my country.

I just wish they'd drop the absurd pretense that the EU is somehow capable of
imposing their provincial laws on foreign companies with no physical presence
in the EU.

~~~
thisacctforreal
I think it makes sense when your activities infringe on the rights of citizens
inside their borders.

It's not like the EU is saying "These activities must be abolished from the
planet!"; the EU is saying "You can't do these things to our citizens without
their explicit consent, and we will punish you if you do, regardless of where
you host your website."

~~~
JoshTriplett
To which the entirely reasonable response from anyone without a legal nexus in
the EU (or physical products to ship) is "we don't care and you have no legal
right or ability to enforce that". And the entirely reasonable response from
anyone _thinking_ of creating a legal nexus in the EU without an extremely
business-critical reason is "let's stay in our own country where it's safer
and we only have one jurisdiction to care about".

For the record, when I build services, I personally don't intend to ever keep
any records that aren't absolutely necessary to provide the service. That's a
personal decision, a voluntary one, and also one that can be marketed to
certain customers, though that isn't the reason. I also believe that if you
send data to a website then it becomes subject to whatever terms they want to
apply to it, and if you don't like how they use your data then don't send it
to them, and block them.

~~~
kuschku
That'll get you an interesting interaction with your bank, which does want to
have a branch in the EU, so they'll simply comply and freeze your accounts if
the EU requests it.

The US has forced its laws on other countries in this way for decades, always
to protect profits, it's great that now another actor enforces its laws the
same way, for the public.

------
andybak
I hope everyone is nice and busy setting up encryption, access control and
timely erasure for all their server and application logs:
[https://www.ctrl.blog/entry/gdpr-web-server-logs](https://www.ctrl.blog/entry/gdpr-web-server-logs)

~~~
chmars
The article is full of misunderstandings. The following sentence for example
is just wrong:

'You can’t collect and store any personal data without having obtained, and
being able to document that you obtained, consent from the persons you’re
collecting data from.'

Consent is just one option. You can do logging without personal data. You
might have a legal obligation to do (full) logging. You might have a
legitimate interest. And so on …

It is wrong to summarise the GDPR as 'consent is always necessary'.

~~~
lucideer
Your comment does clarify the issue by pointing out the alternative, and the
article could have mentioned that, but the quoted sentence is completely
correct as quoted. It fails to mention the alternative, but there's nothing
actually wrong in the statement.

I'll give you that the article is not very comprehensive, but the GDPR is
large and complex and the author doesn't set out to cover it in every detail.
What misunderstandings did you see?

------
yummybear
Why don't the main browsers implement some mechanism to help with the
notification and consent of cookies?

Some standards based description about the cookies/etc. that could be
consented. Non-consent means the cookie isn't accepted by the browser.

~~~
martin-adams
Certainly with the cookie law, I feel the EU should have legislated the top
browser makers to make this a spec and implement it in the browser, rather than
rely on each and every website.

~~~
chmars
The 'cookie law', the new ePrivacy Regulation, is still work in progress. And
yep, opt-in via browser configuration (instead of opt-out or no option at all)
might become a thing through the upcoming ePrivacy Regulation.

------
bryanrasmussen
There's a UX problem here, because Google needs to be able to determine if it
can save the data and the company using google analytics might also have a
requirement to notify the user they are saving other types of data.

Too many notices, requests for confirmation will be a problem. So I expect the
company should be able to instantiate analytics with a parameter saying that
they asked for confirmation and what the response was.

Aside from that I think there might end up being a performance benefit from
the GDPR. The difficulty of keeping permissions to track across different
adtech providers becomes onerous, and big media companies start throwing out a
bunch of them.

------
RutZap
Speaking of GDPR, I, like many others, am a little bit confused. I've read
parts of the legislation but not all of it, so perhaps somebody here can help
me out.

Moving towards slightly more delicate issues (compared to tracking someones
browsing habits), in relation to the right to be forgotten, if I make a
request to Equifax and Experian to remove all personally identifiable
information they hold about me, will this actually be possible?

Will my bank then contact me for consent to pass my data back over to them?
Will I be able to open a new bank account in the future if Experian and
Equifax delete my data?

How would this whole legislation deal with something like this?

~~~
kazagistar
(This response is quite late, but hopefully it helps at least a bit.)

1. All third parties that a site might pass information to must be listed.

2. The site is responsible for ensuring all the third parties it passes
information to support a way to delete that information. So if you ask them to
delete something, they have to forward that request to third parties, who then
have to delete what was provided by that site. The site is liable, so they
have to make sure they have contracts covering this with any third parties
they would pass the information to.

3. The deleted information by the third party only has to be the information
from that site, not every site.

4. There are a number of exceptions specifically involving things like
banking, especially if you have a legal, signed contract that obviously cannot
be erased with the click of a button. So specifically in the case of Equifax
and Experian, it's unclear.

5. I am not a lawyer, disregard everything I said lololol.

------
rapnie
well.. yes. super useful those google analytics. but maybe it is making things
too easy for you :)

if you come to think of it, it is also a privacy nightmare.. therefore google
analytics is blocked by my Privacy Badger!

------
gandutraveler
I got a speeding ticket in Germany last year. I want them to delete my record.
I own the data, they just tracked me over-speeding.

~~~
xxs
Data retention policies in GDPR specifically address the case: if there is a
legal reason to keep the data it should take precedence. That is, you can't
say that you wish your 10k euro bank credit to be forgotten.

Accounting logs might need to be kept up to seven (in some cases 10) years, so
the data related to them should be kept. The data is sort of field based and
some might need to be able to be forgotten earlier.

~~~
woolvalley
So if another country says it's not legal to comply with the GDPR in their
country, they get off scot free? :P

~~~
xxs
totally, but then again you won't be able to transact with the EU, besides all
the diplomatic aftermath.

------
ysv2
> This regulation is not limited to companies based in the EU—it applies to
> any service anywhere in the world that can be used by citizens of the EU.

That's fundamentally incorrect. As a non-EU citizen, I reject the notion that
a foreign government has the right to impose their own laws on me, be it the
EU or China or anyone else. If the EU thinks it's a problem that I'm offering
a service to EU citizens that doesn't comply with laws I have no vote on,
frankly they can sod off.

~~~
zuppy
Yes, it's your right to block the EU users. But, if you want their money (and
that's up to you to decide), you have to obey their law, nothing new here.

~~~
TomasEkeli
It's not their money, it's if you store or process personal data about
individuals in the European Economic Area (slightly larger than the EU).

If you're running a Chinese site aimed at Chinese you're good.

If you're running an Indonesian site aimed at Germans you need to honour the
GDPR.

~~~
xxs
You don't need any personal data to conduct most of the business.

I work in a place that would be beyond heavily affected by GDPR and I find the
legislation a good change as companies should not hoard data they don't need -
just in case... or just to sell.

~~~
Shoothe
Wouldn't you need personal data to accept payments? Or maybe a broker (like
Stripe) would store these and the end business just a reference to payment.

~~~
xxs
You can get an external ref to payment providers. Depending on the business you
might need KYC and anti laundering procedures and then it's harder.

However if you have some direct business and do accept payments - by all means
make it secure and transparent to your customers.

------
spektom
GDPR is coming really soon, but it's still unclear how "Big Data companies"
prepare for it from a technical perspective. In addition to the "getting consent"
requirement there are "the right to be forgotten" and "the right of access",
and it's not obvious how implementing these two is feasible or, at least,
cost effective.

------
neya
Edit: I want to make my distinction clearer - I don't SPECIFICALLY target/show
my site to EU citizens, I show it to everyone, unbiased, the same way. But, if
EU citizens SPECIFICALLY visiting my site have a problem with the way it works
(cookies, tracking, etc.), then they should simply stop visiting it instead of
their government trying to bully us webmasters.

What bothers me the most is, as a non-European citizen of a country that has
nothing to do with Europe, I'm expected to modify the source code of my
website to adhere to _their_ laws, which aren't from my country. The important
part: WWW is a global platform to showcase your service/work globally. I have
a problem because one entity thinks the global service needs to be customised
specifically for them. How about "don't like it, don't visit it?"

Simply put, I don't want to get into an argument whether this GDPR is
bad/good, but, I know that I didn't vote for or against this and it's not in
my jurisdiction. I don't belong to Europe either, so what are you going to do?

This is what I'm going to do: I'm going to block access to my services to
anyone based in Europe. It WILL affect our cash flow in the long run, but, I'm
tired of governments that I don't care about expecting me to follow some nonsense
I have no part of under the guise of compliance on a global platform that is
WWW ("WORLD WIDE Web"). I think, if enough webmasters fight back, then they'll
realise. And the only way is to block your services to EU.

As a cherry on top, I'll even put up a redirect notice stating:

    "Sorry, you belong to the EU and we're not going to follow
    your laws. Please fight back with your GOV if you wish to
    have access to our services. This has nothing to do with
    us."

So, what are you going to do?

edit: clarity

~~~
bonesss
> I'm going to block access to my services to anyone based in Europe... I'm
> tired of governments that I don't care about expect me to follow some
> nonsense I have no part of under the guise of compliance.

Ever been on a plane? ... Used a cellphone outside your own borders? ... Eaten
a beautifully ripened imported cheese along with a stunning imported wine?

Put your money where your mouth is: boycott all benefits of transnational
cooperation and international legislation. NGOs are how a lot of the
capitalism on this planet gets done. 'Compliance' is how we protect our
businesses and consumers against fraud and mislabeled products.

Functionally "compliance" is a judicial equivalent of an API... All I'm
reading is "Why do I gotta use Google's APIs? I wanna make my _own_ APIs! No
more API use, no matter the costs to my customers, because I'm sick of giant
oligarchies demanding I comply to _their_ demands! What are you gonna do?"

They'll stop doing business with you, that's what. And shrug about it. Your
website will be replaced with one from Romania, and you'll probably develop a
deep sense of irony if you feel they've infringed on your IP in any way and
want to sue them... because all that stuff is based on 'compliance' too.

~~~
neya
Sorry, wrong example.

When I take a plane to some country I will follow their rules, protocols, yes.

But imagine, I had a museum that can be accessed world wide, instantly and
some guy from a specific country/region had a problem with one of my showcases
in the museum, do you expect me to alter my museum for this guy and his
groupies so they'll be happy?

~~~
bonesss
Sorry, incorrect rebuttal.

Whenever you or anything you ship touches a commercial airliner you enter a
globally coordinated network of non-governmental compliance and
multi-government regulation spanning every aspect of every device and every
protocol. The only reason you CAN take planes to other countries is this
international "compliance". Where "you" had to do exactly what "we" have said,
because if "you" don't then "you" get to be excluded from global trade.

I have already addressed your hypothetical in my comment... There is no
"expect", only business reality. The same solution as above, and the same
irony, applies.

