It's great to challenge established norms, so thanks for this article. Item 21 made me chuckle.
There's a bit of an urban myth mixed up in items 6-8, which is that laws such as the EU General Data Protection Act (GDPR), or the California Consumer Privacy Act (CCPA) are about "cookies". They most definitely aren't. The laws cover the collection and processing of data, no matter what technology you are using (even pen and paper). Collecting analytics server-side is covered by these laws just as much as collecting it client-side - and the notification about this processing, and the collection of either consent or objections to legitimate interest are legal requirements.
However, as you say - it's not necessary to go-full-modal on people or be invasive with notices and options. In many cases, the notices and consent forms seem to be explicitly designed to prevent a user from making an informed decision. This is the polar opposite to the intention of the privacy laws.
To summarise!
GDPR/CCPA are not "cookie laws", they are "privacy laws"
The laws apply to data collection and processing, not a specific technology
It is a legal requirement to explain to data subjects how their information will be used and for them to be able to reject "other processing purposes" (either by objecting to legitimate interest, or refusing their consent - depends on the type of processing)
Hopefully that wasn't too dry... but although privacy isn't the most exciting area in tech, it's important that we get it right as we are seeing what happens when tech doesn't pay attention to these laws.
Thank you for your very informed response! You're absolutely right, for some reason in my mind server-side analytics were in a different category but from the law's perspective it shouldn't really make a difference how data is collected.