Generally speaking using any public CDN is not GDPR compliant. If you _could_ self host the files, then you can not meet the necessity test required for any of the relevant legal basis in GDPR art 6(1).
Google Fonts and FA are worse, because the personal data is shipped off wholesale to the USA. Neither FA or Google (for fonts) offers a data processing agreement that would make it legal to use.
> This ruling, should Google comply in the end, will not change anything. Google will store the data in the EU and that's it.
The US CLOUD Act allows US law enforcement to force Google to hand over data; even if that data is stored outside the USA.
It is highly likely that processing and storing analytics data only in the EU is not enough to "fix" Google's issue here, because the USA still has juristiction.
By its very nature, an analytics product must process personal data.
Personal data is "any information relating to an identifiable individual" (see GDPR art 4(1).
Your IP address, browser and OS (via user agent), the website you visited, the pages you visited, time of visit, the site you came from (via referrer) are all personal data.
If Plausible have put a US owned cloud provider in-front of their Hetzner infrastructure, even if for a legitimate purpose (CDN, DDoS prevention) then that is likely an unlawful transfer of personal data to the USA.
>> Your IP address, browser and OS (via user agent), the website you visited, the pages you visited, time of visit, the site you came from (via referrer) are all personal data.
No. These are all not considered PII. Only the IP address in this list definitely is.
All other information with a wholly anonymized user would be considered by most interpretations to be ok. Often it depends on the context and presence of other meta-data on whether something is PII or not.
“PII” is not a term the EU or UK GDPR recognises. It may have a specific meaning in American law; but the GDPR definition of personal data is significantly broader.
It certainly includes the items I listed; particularly when linked to an identifier like an IP address.
> As for the privacy laws regarding tracking IP addresses, it's not very clear whether it requires consent or not as the law is ambiguous. The IP itself alone can not be directly considered personally identifiable information (PII) as having an IP address only, can not define which real person is the data associated with.
"PII" has a specific meaning, in American law. Sites with references to it are likely not relevant to you, as you are based in Romania. The GDPR is crystal clear that IP addresses are personal data. There is no ambiguity. Depending on how you derive the hash of the IP and user agent, this could also be an "identifier" that may be personal data.
But! There are six different reasons you can legally process personal data. Consent is only one of them. It is quite likely that a website owner would have a valid legitimate interest basis for having analytics. This does not require consent from the user.
The only caveat to that; is that if the analytics needs a cookie (or local or session storage item) then you must seek consent for the cookie.
I wish it was this explicit, but it isn't. EU member states have all interpreted the regulation differently.
Making it harder to opt out than in is explicitly prohibited in the UK and Germany. It is perfectly legal in Italy. In Spain, it is legal to bury the opt out buttons at the end of a 50 page cookie policy.
Full compliance, across the whole of the EU, is exceptionally difficult.
To be legal you need to get the user's consent, upfront, for that tracking. Technical challenges are not a defence.
GDPR is not the only regulation at play here. The PECR also applies. You need consent for the session cookie in the public areas of your site. It doesn't become essential until the user logs in, registers, adds an item to the cart, etc.
Honestly, considering the state of play at the moment the law is pretty much unenforcable. They literally can't fine everyone who is breaching it, they don't have the manpower.
And considering the ICO, the UK org that enforces these laws and where you have to go to find out the UK laws on it, literally just tell you that they use cookies to make their website work and don't ask for consent makes me think this is so much more complicate than any of us truly understand.
If they're setting cookies without consent with a user tracking id, I am going to guess that my session cookie falls under the same thing theirs does.
> To be legal you need to get the user's consent, upfront, for that tracking.
No, that's just one basis for processing data. Another basis for server-side tracking like this could be legitimate interest. The site will need to provide evidence that they've weighed up the user's interest in this and be able to demonstrate a convincing case in favour of the site.
For example, it could be a legitimate interest to track A/B testing in order to increase shopping cart checkout rates - the legitimate interest is arguably that the site wants to increase its revenues and if it can demonstrate a convincing case for this, it will be allowed by the regulator.
Storing a cookie which is not strictly necessary to provide the service, requires explicit consent. This is a PECR requirement, not a GDPR one. Tracking the source and campaign of a user between pages is not required to deliver the page.
So you may rely on legitimate interest to process the data, but you need the consent to store the session cookie to collect the data in the first place.
If you have A/B testing in place it is strictly necessary to have a session cookie. Otherwise a user could end up in a case where they where in the A group on their first request but their second has them in the B group but the page they visited isn't enabled or displays different content than what they expected to see.
If you have special offers based on the URl they came from then it is strictly necessary to be able to remember where they came from so they get the special offer and don't fall victim to false adverstising.
Strictly necessary means if the website will break in anyway without it.
Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.
You could a/b test based on even or odd numbered IP address and not require consent to store a cookie. You can pass the referrer around via query string and not require consent to store a cookie.
However, as you said, there is no enforcement of the regulation so the risk of non-compliance is basically zero :)
>Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.
No if a user clicks a button to see the prices at 10 euros but see the prices at 20 euros then that is an issue. That is a rather serious issue, if I show you a price and then when it goes the payment processor on the second request that is illegal.
There are many ways of doing things but considering the ICO's list of strictly necessary this falls into it.
Also, I use the session id in my logs so I can debug issues such as the user saw x on page then did y so z happened. This is falls under it as well due to it being required for the operation of the website.
The fact there are other ways of doing things doesn't remove the fact for my way the cookie is strictly necessary. The system will fail. And yes, the tech stack and the way I built it does affect this. Look at the laws and you'll see a number of times where they say something along the lines of "if feasible". The recommendation from ICO is that you don't need to ask for permission for everything and they kinda make a point of saying that as it's annoying as hell for everyone.
> No if a user clicks a button to see the prices at 10 euros but see the prices at 20 euros then that is an issue.
I agree with you, that is a serious issue. But that issue is caused by your use of a/b testing, and if you solve that issue with a cookie then you need consent.
The ICO PECR guidance explicitly states that you can not rely on the strictly necessary exemption for analytics cookies.
A/b testing is not analytics. Analytics is how many people are using the site not market testing. And it says you can‘t use it for soley analytics, soley being a keyword. The analytics from market research which results in a legal requirement of having to charge the price advertised is not the same as Web Site analytics of how a user used the site. Just which version of the site they used and what legal requirements/contracts are in place.
Using FA as a CDN is not GDPR compliant, either.
Generally speaking using any public CDN is not GDPR compliant. If you _could_ self host the files, then you can not meet the necessity test required for any of the relevant legal basis in GDPR art 6(1).
Google Fonts and FA are worse, because the personal data is shipped off wholesale to the USA. Neither FA or Google (for fonts) offers a data processing agreement that would make it legal to use.