True, they are not. The opt-out analytics is not allowed and they are sending the data to 3rd party (google) without user consent. I could also argue about some minor things, but allowing google to track users without consent is a major breach (but they can also simply fix it by using for instance piwik).

https://techblog.bozho.net/tracking-cookies-gdpr/



There are expensive lawyers that disagree on that, and think that the EU DPAs would consider basic website analytics a legitimate interest (one of the alternative justifications to consent for processing), and the current draft of the upcoming ePrivacy regulation explicitly excludes the use of first- and third-party cookies for those analytics from the requirement to obtain express consent. You can review the privacy policies of some very large companies with huge legal teams that have already made their updates for GDPR (like LinkedIn/Microsoft for example) that use Google Analytics and many other third party cookies on their site without asking for consent...but describe the legitimate interest reasons for doing so.


Legitimate interest is one of the hardest parts to actually go for (I wouldn't use it for anything that is not seen with the naked eye from the Moon) and you can argue that analytics improves the "user experience" while on the other side the user will argue that it is not necessary for the site functionality to work. And it isn't. And this is the fundamental condition for legitimate interest. So the "expensive" lawyers are wrong but I think they are just trying to push the limits to see how far they will be able to go.

Something about legitimate interest: https://youtu.be/-stjktAu-7k?t=4563

Let me just point to one sentence: "Processing conducted due to a "faulty" balance test (your interest vs. the person's fundamental human rights) may expose the controller (you) to the highest level of fines". I wouldn't gamble here and would go for local analytics (again, piwik is simple to install and use) or require consent from the user.

ePrivacy is not here yet, GDPR is and I doubt the analytics will be excluded as it is tracking in its purest form and you can set up your own software, no need for 3rd party processor here. It would literally destroy the GDPR principles which I doubt ICOs will allow.

From my (user) perspective: I don't have problems giving consent to a particular site if they don't give the data to any 3rd party processor, from google, fb, amazon to various ad networks. Bottom line, the problem is not various sites having my PII, but I have a huge problem with aggregating that data by a single entity and I will never give consent for that (read as: google analytics).


What makes you think the compliance burden is any different for self-hosted analytics vs third-party analytics? You're the data controller in both cases; your obligations for consent/interest, disclosure, access requests, etc. are all the same. Google Analytics has a DPA where they guarantee they meet their GDPR obligations relating to your data, and Google is a member of the US-EU Privacy Shield, which takes care of your obligations with respect to transferring data outside of the EU. If anything, hosting your own Piwik instance greatly increases your compliance burden and risk of a costly breach, as you'll be collecting and storing much more personal data than Google does, in a less secure environment -- Google Analytics is mostly aggregate/sampled data, and supports IP anonymization at the edge before any processing/storage is done.


Just for the sake of not relying on google to do their work and not having to rely on someone who has a huge conflict of interest with anything regarding user privacy. But regardless of that I would offer a consent pop up; for this site it is trivial, you are surprisingly clean :) Excuse me, I will refrain from further commenting about GDPR, I am sick of downvoting and quite frankly, people will figure it out on their own.


My understanding for Google Analytics is that as long as you're not using the User ID feature (I can't imagine Hacker News would be), and you enable anonymisation of IP addresses, you don't need to get user consent as users' privacy is sufficiently protected.
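As an added example (not code from any commenter), here is the pattern the last few comments describe, in browser JavaScript: the Google Analytics gtag.js script is only fetched after the visitor opts in, and is then configured with `anonymize_ip` and without any `user_id`. The measurement ID is a placeholder, and `win`/`doc`/`storage` are passed in rather than taken from globals so the logic can be exercised outside a browser.

```javascript
// Added example: consent-gated Google Analytics (gtag.js) loader.
// No request to Google is made until the visitor explicitly opts in; the
// tracker is then configured with anonymize_ip and no user_id, so the
// per-visitor identifiers discussed above are never set.
// The measurement ID below is a placeholder, not a real property.
const GA_MEASUREMENT_ID = "UA-XXXXXXXX-1";
const CONSENT_KEY = "analytics-consent";

// The privacy-reduced gtag config. Pure function so it can be checked alone.
function buildGaConfig() {
  return {
    anonymize_ip: true,          // truncate the IP before storage/processing
    allow_google_signals: false, // no advertising / remarketing features
    send_page_view: true,
  };
}

// Stored consent decision: true, false, or null when the visitor was never asked.
function readConsent(storage) {
  const v = storage.getItem(CONSENT_KEY);
  if (v === "granted") return true;
  if (v === "denied") return false;
  return null;
}

// Inject gtag.js and configure it. Returns the config used, or null when
// consent is absent, so callers (and tests) can verify nothing was loaded.
function loadAnalytics(win, doc, storage) {
  if (readConsent(storage) !== true) return null;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  const script = doc.createElement("script");
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_MEASUREMENT_ID;
  doc.head.appendChild(script);
  const cfg = buildGaConfig();
  win.gtag("js", new Date());
  win.gtag("config", GA_MEASUREMENT_ID, cfg);
  return cfg;
}

// Record the visitor's choice (e.g. from a consent banner) and load on "yes".
function recordConsent(granted, win, doc, storage) {
  storage.setItem(CONSENT_KEY, granted ? "granted" : "denied");
  return loadAnalytics(win, doc, storage);
}

// In a page: loadAnalytics(window, document, localStorage) on load, and
// recordConsent(true/false, window, document, localStorage) from the banner.
```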



