Plausible Analytics is GDPR compliant, with one possible exception: the IP address, which, if they dropped the last 3 digits, would probably be enough.
The blog post conflates general data points with PII. The IP address is considered PII.
While other info can be used for fingerprinting, it’s ok to use in some capacity as long as you don’t.
For background, I’ve done GDPR implementation in the past, am a privacy advocate in that sense, and have spent more time with lawyers on this subject than I’d care to admit.
(Pardon brevity/typos, on phone with unreliable connection)
The IP address, on its own, should not be considered PII.
There was a ruling in Breyer vs. Germany that IP addresses can be considered PII – in certain circumstances.
The case was brought against an ISP, and the court ruled that the company had enough correlating data at its disposal to make an IP address de facto PII for any of its customers. The court limited its ruling, saying that with just an IP address alone, the protections associated with the directive wouldn’t apply.
GDPR simply classifies "personal data" as any piece of information that can be used to identify an individual. A static IP used by one person could therefore be considered personal data while a public IP shared between thousands of people behind carrier-grade NAT would not.
The problem is that you can't tell the two apart and decide when it's safe to handle the IP.
Indeed. My dynamically allocated public IPv4 address, given to me by my cable company, has been the same for as long as I've lived here, over four years now.
Ironically, my IPv6 prefix can change several times a day...
IP addresses are never PII. PII means information about a person who can be identified. In that context, IP addresses are an identifier, not the information itself.
If you store IP addresses in your customer database, the information is that a person with that IP is one of your customers. This information is considered PII if it's possible to use the IP to identify the person the information is about, e.g. using a government database of everyone's IP address. If the data never reaches someone with access to such a database, it's not PII.
(This is a somewhat pedantic distinction, but it matters legally. Data protection law doesn't care about which identifiers are being used, but about the data associated with them and whether it tells you something about a specific identifiable person.)
"Most web analytics tools do this by excluding certain IP addresses from being counted. However, we do not store the visitors’ IP addresses in our database for privacy reasons"
GDPR doesn't care about storage. Even if you just acquired personal information without processing it, you still had to be GDPR compliant.
In fact, the solution suggested above (only using a truncated IP address) would still require you to acquire and process the IP address and thus be subject to GDPR.
According to GDPR Recital 26, anonymized data does not fall within the GDPR at all because data is no longer considered “personal data” following anonymization:
> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
GDPR states “For data to be truly anonymised, the anonymisation must be irreversible”. So dropping 3 digits is clearly not enough to anonymize PII, it’s more pseudonymization.
Aren't the biggest corporations doing the same on orders of magnitude larger datasets? They get away very well with merging data from quite a few acquired companies.
If small companies are called upon compliance with such vehemence, the big ones who know so much of us should be brought up, at least 100x times more.
> Aren't the biggest corporations doing the same on orders of magnitude larger datasets? They get away very well with merging data from quite a few acquired companies.
Yes, and it's worth noting how few data points one needs to identify an individual.
> If small companies are called upon compliance with such vehemence, the big ones who know so much of us should be brought up, at least 100x times more.
I am curious, how are you going to unanonymise an IP to something that could have 255 combinations (and that's just if you drop that last part on an IPv4). Never mind that an IP alone is not PII. How can you reverse something that has many possibilities?
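The two comments above argue about the same operation from opposite sides: dropping the last octet is "clearly not enough to anonymize" because it is reversible in the pseudonymization sense, while the reply asks how a value that stands for hundreds of addresses could be reversed at all. The following Python, added here as an illustration and not code from Plausible or from anyone in the thread, makes the arithmetic concrete. It truncates IPv4 addresses to a /24 and IPv6 addresses to a /48 (both prefix lengths are assumed for the example), reports how many full addresses collapse into each stored value, and runs the truncation over a small set of constructed visitor records to show that the stored value is deterministic and stable (the same visitor always lands in the same bucket) even though it never recovers a single address.

```python
import ipaddress
from collections import Counter

# Prefix lengths retained after truncation. These are assumed values for the
# example: /24 drops the last IPv4 octet (the "last 3 digits" discussed in the
# thread); /48 drops the host and subnet bits of a typical IPv6 allocation.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def truncated_network(addr: str):
    """Return the network block that `addr` collapses into after truncation."""
    ip = ipaddress.ip_address(addr)
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    # strict=False lets ip_network zero out the host bits instead of rejecting them.
    return ipaddress.ip_network(f"{ip}/{keep}", strict=False)


def truncate_ip(addr: str) -> str:
    """The value an analytics pipeline would retain instead of the full address."""
    return str(truncated_network(addr).network_address)


def bucket_size(addr: str) -> int:
    """How many full addresses map onto the same stored value as `addr`.

    This is the 'reversal' question: a stored /24 can only be mapped back to
    256 candidate IPv4 addresses, never to one.
    """
    return truncated_network(addr).num_addresses


# Constructed sample visitor records (ip, path) using documentation ranges;
# not real traffic from any site.
SAMPLE_VISITS = [
    ("203.0.113.7", "/"),
    ("203.0.113.8", "/pricing"),
    ("203.0.113.250", "/"),
    ("198.51.100.42", "/"),
    ("2001:db8:abcd:1234::1", "/blog"),
    ("2001:db8:abcd:ffff::2", "/blog"),
]


def stored_ip_counts(visits):
    """Visits per truncated address, i.e. what the database would actually hold."""
    return Counter(truncate_ip(ip) for ip, _path in visits)


def distinct_raw_vs_stored(visits):
    """(distinct full addresses, distinct stored values) for a batch of visits.

    The gap between the two numbers is the information truncation throws away;
    the fact that the second number is still > 1 and stable across batches is
    why truncation is pseudonymization rather than anonymization.
    """
    raw = len({ip for ip, _path in visits})
    stored = len(stored_ip_counts(visits))
    return raw, stored


if __name__ == "__main__":
    for ip, _path in SAMPLE_VISITS:
        print(f"{ip:24} -> {truncate_ip(ip):18} ({bucket_size(ip)} candidates)")
    print(distinct_raw_vs_stored(SAMPLE_VISITS))
```

Running the module prints each sample address beside its stored form and candidate count; the six distinct raw addresses collapse to three stored values, and each IPv4 value stands for 256 possible addresses.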
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
“[I]f a business collects the IP addresses of visitors to its websites but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
True. I was thinking more about how it drops some location level information.
I can't presume what Plausible does (have not read their docs in a while), but they have commented here to provide more specific clarification that addresses IP usage (TLDR: what they do is fine and compliant).