undefined | Better HN

0 pointsx0x08y ago0 comments

I'd call it a legitimate interest (site development and debugging tools) and skip the consent. Simply say you must allow cookies and our debugging tool or don't use the site. Particularly with SPA or js framework heavy sites where more bugs occur only in the browser, this is simply a development tool. Now, if you were primarily a rails site that uses very little javascript, this would be a much more questionable call.

There's no possible way to keep an app that can reconstruct screen state anonymous. The app, by necessity, records all info the user enters.

I'd be more concerned about PCI.

0 comments

5 comments · 2 top-level

bryanrasmussen8y ago· 3 in thread

This would probably run into legal problems, you're essentially saying you must allow us to track everything or don't use the site, but GDPR is about granular permissions - if you assert that users must give blanket permissions I would argue that breaks GDPR right away. The legitimate interest is maybe arguable, but then people can argue hey you can develop and debug your site without these pervasive tracking tools. I think allowing this as a legitimate interest would be a big attack on the law.

x0x0OP8y ago

No one is discussing blanket permissions, ie using these cookies or information for advertising.

You cannot have a site with a login without a cookie. It's gdpr compliant to inform users you will use cookies for that purpose and not pretend there's some magic way to have a login gated site without a cookie or something functionally equivalent. A site development tool is very similar. Understanding if code is working and where it's breaking is a fundamental technical requirement to build and operate a production website.

Stoking paranoia by calling bug reporters "pervasive tracking tools" is misguided; this tool only sees information that the user was handing to the site. ie any personal data is obviously already disclosed to the site.

bryanrasmussen8y ago

I wasn't talking about the cookie.

As far as blanket permissions goes you said 'Simply say you must allow cookies and our debugging tool or don't use the site', saying if you use the site we gather all this data sort of implies a blanket permission is given by using the site. This is generally what one does with the cookie warnings - the ones that say if you continue to use the site you agree to us setting cookies. I suppose you meant that you would have a message like - in order that we can keep our site performing optimally and fix any errors that might arise in day to day operations we need to track your actions on this site. (only a better message than that) - maybe that works but - well I think it might run into problems.

Blanket permissions do not only mean we allow you to advertise to us.

The bug reporter, as I understand in this case, tracks everything the user does on the site and associates it with the user account. I suppose that something that tracks everything you do on a site can be considered pervasive.

You can argue you have a fundamental technical requirement to gather some particular data, but going from the technical requirement is to understand if code is working and where it's breaking to therefore we will need to gather every action users do on the site seems shortsightedly heading for a significant fine.

This is what I meant in my other comment that if data is saved for a reasonable amount of time - 3 weeks maybe - and especially if the customer gives permission to analyze the data when they make a bug report then you would free from any problems.

x0x0OP8y ago

The simple fact is the tracking tool knows nothing that the site doesn't already know. Because the user performed it on the site. If the user wasn't comfortable with the site knowing information X, and associating that information with that account, then the user shouldn't have done it on the site.

The sole additional information this tracking tool gathers is things like internal state of the application. There is zero additional personal information disclosure.

1 more reply

bryanrasmussen8y ago

actually I think about the legitimate interest defense.

If saving of data was time limited (less than a month), customer contacts says they had a bug and they get back an email allowing the retention of the data for fixing the bug.

Especially if you could limit recording to new features/worked on parts of the application.

These would be totally defensible.

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

bryanrasmussen8y ago· 3 in thread

x0x0OP8y ago

No one is discussing blanket permissions, ie using these cookies or information for advertising.

bryanrasmussen8y ago

I wasn't talking about the cookie.

Blanket permissions do not only mean we allow you to advertise to us.

x0x0OP8y ago

The sole additional information this tracking tool gathers is things like internal state of the application. There is zero additional personal information disclosure.

1 more reply

bryanrasmussen8y ago

actually I think about the legitimate interest defense.

If saving of data was time limited (less than a month), customer contacts says they had a bug and they get back an email allowing the retention of the data for fixing the bug.

Especially if you could limit recording to new features/worked on parts of the application.

These would be totally defensible.

j / k navigate · click thread line to collapse