DEV Community

Discussion on: Clarifying GDPR

Jan van Brügge

The most important thing that I always see in the wild is consent messages that have the trackers enabled by default, so pressing OK or consent will track you. This is explicitly not allowed. As this post says, you do not need consent for cookies necessary to function, but all tracking has to be opt-in. And the law explicitly says that having all checkboxes filled in by default does not count as consent!

George Nance

So wait, does this mean that having Google Analytics on your page is against the GDPR if they didn't agree to it?

Jan van Brügge

The question is if your analytics collect personally identifiable information, such as IP addresses.

Dominik Weber

If you have anonymizeIP enabled, then no, they don't have to agree. GA took precautions, they trim the IP on EU servers. Also they assure you (I think in their ToS) that they don't store the original IP address.
This means they don't have any personally identifiable information, and it doesn't fall under the GDPR.
What they can't ensure though, is that users store personally identifiable information in their events. So if you do that, you have to take your own precautions. Basically you should just stop doing that. Since afaik, GA doesn't allow selective deleting of data, so as soon as a GDPR delete request comes in, you'd have to delete all of your GA data.