Note: I'm not a law professional. Well, not even an amateur. And this article is not legal advice. However, I believe these examples may be a good practical introduction to the large and complex topic of GDPR compliance.
GDP... what?
It was a buzzword some time ago, and it is still a discussed topic. Very briefly,
- GDPR is an EU regulation that applies to any website or app processing personal data of people in the EU, regardless of where the operator is established
- GDPR requires a lawful basis for collecting personal data; for the tracking use cases below that basis is, in practice, the user's explicit consent. Examples of personal data:
  - Name
  - IP address
  - Cookie, local storage property, or any other tool used to recognise a unique user
- GDPR also restricts transferring a user's personal data outside the EU (for example to a US-based service) unless a legal safeguard or the user's consent covers the transfer
Can you think of ways your site might violate these? Let's see!
1. Google Analytics
Google Analytics is a great tool... which sets cookies to tell unique users apart, and this cannot be turned off. That means that to use Google Analytics you need to show a banner and obtain the user's consent before the tracking script runs.
What if I don't want to show any banners?
You can switch to a different analytics provider. I tried two:
- Piwik
- Posthog
Both can be configured to comply with GDPR, but for me the key difference was that Piwik allows up to 10 projects on a free plan, while Posthog allows only one.
How can I tell unique users apart without cookies or local storage, and also without this annoying banner?
You can't. If for some reason you need to recognise individual users, you need their consent.
2. Google Fonts
What? Isn't it just a convenient fonts API? Yes, but loading fonts from Google's servers sends the visitor's IP address to Google, which may use it for analytics purposes. In 2022 a German court (the Munich Regional Court) ordered a site operator to pay a visitor €100 in damages for embedding Google Fonts dynamically instead of hosting them.
What to do?
If you need one or two fonts, just host them yourself: download the font files, serve them from your own origin, and declare them with @font-face. If you need many and cannot host them, you need user consent.
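Sections 1 and 2 share one practical question: which third-party hosts does a page contact on load, and therefore who receives the visitor's IP address? The script below is an added example, not code from the original article. It parses a page's HTML for resources the browser fetches automatically (src attributes, link href, CSS url() and @import) and reports hosts from a constructed list of known analytics and font providers; the two sample pages, the host list and the placeholder tag ID G-EXAMPLE are constructed for illustration. The "before" page embeds Google Fonts dynamically and loads Google Analytics; the "after" page serves the font file and the analytics script from its own origin, so nothing is flagged.

```python
"""Audit a page's HTML for third-party hosts that receive the visitor's IP.

Added example for this article; the host list and sample pages below are
constructed, not taken from any real site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of well-known third-party hosts to the categories used
# in the article. Matching is by host suffix so subdomains are caught too.
THIRD_PARTY_HOSTS = {
    "google-analytics.com": "analytics",
    "googletagmanager.com": "analytics",
    "fonts.googleapis.com": "fonts",
    "fonts.gstatic.com": "fonts",
}

# url(...) and @import "..." in CSS: the browser fetches both on page load.
CSS_URL_RE = re.compile(r"""url\(\s*["']?([^"')\s]+)|@import\s+["']([^"']+)["']""")


class ExternalResourceParser(HTMLParser):
    """Collect every URL the browser requests automatically while rendering."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            # src is fetched on any tag; href is auto-fetched only on <link>
            # (an <a href> is navigation, not a request made on load).
            if name == "src" or (name == "href" and tag == "link"):
                self.urls.append(value)
            elif name == "style":  # inline style="background:url(...)"
                self.urls.extend(self._css_urls(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            self.urls.extend(self._css_urls(data))

    @staticmethod
    def _css_urls(css):
        return [a or b for a, b in CSS_URL_RE.findall(css)]


def classify_host(host):
    """Return the category of a known third-party host, or None."""
    for known, category in THIRD_PARTY_HOSTS.items():
        if host == known or host.endswith("." + known):
            return category
    return None


def audit_page(html):
    """Return (flagged, unreviewed) for the external hosts a page contacts.

    flagged: sorted (host, category) pairs matching THIRD_PARTY_HOSTS.
    unreviewed: other external hosts you still have to account for in a
    privacy notice (CDNs, embeds, the hosting provider itself).
    Relative URLs are served by your own origin and are ignored.
    """
    parser = ExternalResourceParser()
    parser.feed(html)
    flagged, unreviewed = {}, set()
    for url in parser.urls:
        host = urlparse(url).netloc.lower()
        if not host:
            continue
        category = classify_host(host)
        if category:
            flagged[host] = category
        else:
            unreviewed.add(host)
    return sorted(flagged.items()), sorted(unreviewed)


# Constructed "before" page: dynamic Google Fonts plus Google Analytics.
TRACKING_PAGE = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<style>@import url("https://fonts.googleapis.com/css2?family=Roboto");</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p style="background:url(https://fonts.gstatic.com/x.png)">hi</p></body></html>"""

# Constructed "after" page: font file and analytics script served from the
# site's own origin, so no third party sees the visitor's IP address.
SELF_HOSTED_PAGE = """<!doctype html><html><head>
<style>
@font-face { font-family: "Inter"; src: url("/fonts/inter-regular.woff2") format("woff2"); font-display: swap; }
</style>
<script defer src="/js/analytics.js"></script>
</head><body><p>hi</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("tracking", TRACKING_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        flagged, unreviewed = audit_page(page)
        print(f"{name}: flagged={flagged} unreviewed={unreviewed}")
```

The check only sees static markup: a script on the page can load further resources at runtime, so confirm the result against the browser's network panel as well. Hosts that land in the unreviewed list (a CDN, an embed, your hosting provider) are not automatically fine; they are the ones you still have to describe in your privacy notice.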
3. Hosting provider
This part is tricky. Many US-based hosting providers and CDNs (including e.g. Cloudflare and GitHub Pages) record your visitors' IP addresses in their logs, and since they do so on your site's behalf, that processing is something you need a legal basis for.
However, this case is different from fonts and analytics: according to the providers' statements, these logs are required for normal operation, security and troubleshooting, which points to legitimate interest rather than consent as the basis. Unfortunately this topic is not actively discussed online, and there is no well-known court decision on it so far.
What to do?
At the very least, disclose in your privacy notice that your hosting provider collects this data (which provider, what is logged and for how long, if they publish it). If possible, use EU-based hosting such as Statichost. For complex cases you need legal advice.
Well, is it really a thing for my small site? What about pet projects?
The law is strict: it applies to any organisation or person running a site available in the EU. However, there is no well-known case where a court has fined a hobby-project owner. The intention seems to be to reduce the use of US-based Big Tech products from within the EU, in order to protect EU residents from being tracked by foreign entities.
Anyway, abiding by the law is always the safest option. And protecting users' privacy, something we really miss these days, is definitely worth our engineering effort.