
> This would allow you to avoid displaying the cookie banner.

That isn't actually true (or at least is only allowed in the "it's a small enough violation of the law that the enforcers have bigger fish to fry" sense).

Cookie banners are required to gather informed consent, which is relevant for two EU legislations: the ePD, which requires it to access or store _any_ data from terminal equipment, and the GDPR which requires it for personally identifiable data. Most people only consider the latter, but the former is a much bigger hurdle to pass.

Despite Plausible's claim of not requiring cookie banners, their processing still accesses data from the terminal equipment. That was made very explicitly clear in a 2023 guideline from the EDPB[1].

The one saving grace for Plausible is that the ePD is a Directive, so the actual implementation into law differs by Member country. The claim might be true for some EU countries, but certainly isn't for all.

I've written a longer analysis of this in the context of Plausible for anyone interested[2] (although it might be worth skipping the first section, to get to the meat of the issue).

[1] https://www.edpb.europa.eu/our-work-tools/our-documents/guid...

[2] https://jfagerberg.me/blog/2022-06-09-analytics-cookie-compl...




> Despite Plausible's claim of not requiring cookie banners, their processing still accesses data from the terminal equipment.

Since Plausible is selling a product that clearly claims this, who is on the hook in case a user of Plausible gets a fine?


The user can always sue Plausible for lying about their product to get their damages back. In the end, the user of these services is responsible for maintaining the privacy of their customers/visitors.


I'm not a lawyer, but the company using Plausible gets fined, but then they can sue Plausible, most likely.

But GDPR enforcement is more like 'you need to fix this, if you don't you get the fine' - if you are actually helpful and do your duty to improve the process the fine is usually reduced.


I would like to turn this comment into a gold plaque and point to it any time an HN commenter repeats the “EU privacy regs and GDPR are actually super simple!” narrative.

As someone living in Europe who watches the EU's best and brightest mostly go to work in consulting firms because the only growth industry in the EU is “companies spending money on regulatory compliance,” it pains my soul.


I think you're posting a strawman here. ePD is known to be bad (though for different reasons depending on who you ask), GDPR on the other hand _is_ easy to understand and follow.


Understanding the GDPR is quite easy, but following it can be quite hard if you're intending to violate people's privacy. If you read the GDPR because you want to enable the full Google Analytics suite without users even knowing, the GDPR will read like an absolute nightmare.


Except it isn't. I too thought this was the case. Please talk to a lawyer sometime for a more nuanced take (I begrudgingly have).

The funniest part about GDPR is that currently any organization that uses pretty much any US tech is in violation of the latest rulings, including much of the EU government itself running on Microsoft tech.

If you've just been consuming journalist or internet comment narratives on this topic you have no idea.


Oh, I know. And considering the CLOUD Act that's how it should be. Maybe I shouldn't have written "easy to follow" since stuff like backups can get tricky and DSARs can be a pain on the receiving side, but it is certainly easy to understand. I do hope that GDPR does add a wedge for getting less dependent on US companies that obviously do not care about privacy at all.

But please also share the more nuanced take on the GDPR of your lawyer. You can't go around making claims like that without substantiating them ;).



