undefined | Better HN

0 pointsmartijnvds4y ago0 comments

Self-hosting something is always going to be less complex, but you'll still need to determine what you're tracking and why, write that down in a form people can understand easily, and let people opt in explicitly (with a just-as-easy way to opt out later).

People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.

Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.

0 comments

shadowgovt4y ago

What's the rule for aggregated data?

I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).

_notathrowaway4y ago

I am not a legal advisor, but I believe the matter is settled by what you said:

> I don't have enough info to identify a unique user

If it is not user identifying information, then it should not be an issue.

j / k navigate · click thread line to collapse