Hacker News new | past | comments | ask | show | jobs | submit login

There's no definitive answer to this as it would take a court ruling (that hasn't happened), but my own I am not a lawyer but deal with GDPR/CCPA professionally understanding does not match the "You don't need to deal with GDPR" pitch of these services.

Say you run a SAAS and install this on your marketing site. You're still sending IP address and potentially identifiable information to a third party processor.

We (on HN) don't consider IP addresses as PII, but from a purely practical standpoint ad data brokers are selling/bidding on IP addresses all the time which makes them more than nothing.

You (as the controller) also need to validate that processors (services that you are using) are in fact doing what they're saying. You'd still need a Data Processing Agreement in place with GoatCounter because otherwise Goat could start collecting additional information without your knowledge, start generating more metadata (GeoIP/Company) from the IP, etc.

I'm just saying it's not only about not collecting data, but the processes that surround it and safeguarding users and their privacy.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact