undefined | Better HN

0 pointsfauigerzigerk2y ago0 comments

>Again, folks say the cookie banners are not required, but even the EU web managers are unable to build a site without them.

They have a pretty interesting explanation of each cookie they use:

https://european-union.europa.eu/cookies_en

What I never quite understand is the analytics issue. We had server logs for analytics long before everyone started using cookies for that.

In my opinion the cookie part of GDPR is clearly bad regulation. It requires cookie banners for some things that are not privacy issues. And at the same time it doesn't institute a sensible consent mechanism that doesn't in practice amount to constant harassment.

0 comments

runako2y ago

> We had server logs for analytics long before everyone started using cookies for that.

IIRC a server log that retains IP addresses is covered under GDPR and may itself require disclosure via e.g. a popup. (IP addresses are part of the protected class of personal data.)

More to the point, server logs != modern Web analytics. Modern Web analytics require someone to ingest lots of data and run an app to allow users to analyze that data. Common practice outside of sensitive industries like healthcare and finance means offloading all of that ingestion/storage/management/analytics to a third party, hence 3P cookies.

fauigerzigerkOP2y ago

>IIRC a server log that retains IP addresses is covered under GDPR and may itself require disclosure via e.g. a popup. (IP addresses are part of the protected class of personal data.)

It is covered under GDPR but I think the general consensus is that server logs containing IP addresses do not require consent. You just need a legal basis for collecting the data and this has to be spelled out in the privacy policy.

>More to the point, server logs != modern Web analytics.

Being "modern" is not a sufficient explanation for why it is necessary. Using third party services does not generally require consent either.

runako2y ago

> Being "modern" is not a sufficient explanation for why it is necessary.

It's considered commercially necessary because reading through logs is not as effective as using a Web tool like Google Analytics for the task of understanding what users are doing on a website.

If you want to make the argument that there's no difference between using e.g. Unix tools on a log file and using a tool like Google Analytics, that's your prerogative. But the industry as a whole disagrees.

openplatypus2y ago

> It is covered under GDPR but I think the general consensus is that server logs containing IP addresses do not require consent.

It depends on the legal basis. If you store these IPs to render service or combat fraud, you might get away from explicit consent. However, if you use and store these IP addresses for analytics, then it is a very different conversation.

GDPR is not just about what and how you collect and use data.

1 more reply

j / k navigate · click thread line to collapse

0 comments

runako2y ago

> We had server logs for analytics long before everyone started using cookies for that.

IIRC a server log that retains IP addresses is covered under GDPR and may itself require disclosure via e.g. a popup. (IP addresses are part of the protected class of personal data.)

fauigerzigerkOP2y ago

>IIRC a server log that retains IP addresses is covered under GDPR and may itself require disclosure via e.g. a popup. (IP addresses are part of the protected class of personal data.)

>More to the point, server logs != modern Web analytics.

Being "modern" is not a sufficient explanation for why it is necessary. Using third party services does not generally require consent either.

runako2y ago

> Being "modern" is not a sufficient explanation for why it is necessary.

It's considered commercially necessary because reading through logs is not as effective as using a Web tool like Google Analytics for the task of understanding what users are doing on a website.

openplatypus2y ago

> It is covered under GDPR but I think the general consensus is that server logs containing IP addresses do not require consent.

GDPR is not just about what and how you collect and use data.

1 more reply

j / k navigate · click thread line to collapse