New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
There is already geoblocking regulation (EU) 2018/302.
if i understand it correctly:
unless it’s for functionality.. then no consent required. For example, if you had a streaming service that served content in different languages to users in different countries automatically* — you can pull their geoip without consent, as long as they are aware of what your service offered. It doesn’t even need to be stated what’s being done or how it’s being done.
You should however, somewhere in your service say: We use your approximate location to provide … at the very least
I'm not sure this would be enough. You always have multiple things to think of at the same time like geoblocking regulation, gdpr and so on.
For example; if you have a spanish and german version of the website and now a german visitor visits the spanish website you can't redirect him to the german version without consent. Even if he consents he can withdraw the consent at any time and you would have to make it easy for him to switch back.
For language preferences this falls under UI customization "cookies"(even if cookies are not used). For example; you can have a flag the user clicks to select a language and this is ok just for short term session cookies(or whatever you use instead of cookies). But to persist the setting for longer time there should be some kind of opt-in where the user is informed that the setting will persist.
agreed -- persistence changes the law. You can use data for functionality without consent, but once you make it user-specific or remember it beyond the current session, it becomes personalization. But it’s fine if the user explicitly checks “make default,” because that act itself gives consent.
in the same concept, business analytics are completely normal and valid too -- you can track how your site or product is used, as long as that data isn’t tied to an identifiable user.
for example, you could log a random window or session hash (that isn’t linked to any user ID or login) to understand general behavior — like “this session viewed the homepage and the about page.” Once aggregated, this becomes non-personal data, yet useful analytics that requires no consent under any law.
what matters is that the analytics are anonymous or aggregated and not used to profile folks. that's just normal operational insight, not tracking.
selling that information to a third party is a different story.
EDIT: also, this wasn't in response to Umami btw, Umami, if you're logging IPs & full UAs as one post mentioned -- would require consent. In self-hosted, cookie-less mode & anonymized (you can still log region/country but not IPs etc), it does not.
Not exactly. In the previous example when a user clicks a flag that is considered a "functionality explicitly requested by the user" so it is exempt from consent. But you still can't assume the user intended for it to be persistent. Doesn't mean you can use data for functionality that the user didn't request or if the data is not necessary for the functionality.
That will not do. Like it says in my first post ePD applies even to data that is not PII (tied to an identifiable user). It applies to any kind of "information"; so anything that originates from the users terminal equipment or anything you or someone else stored there.
That would be fingerprinting or using a unique identifier and also you would use data originating from the terminal equipment of the user. ePD still applies.
Also it's not necessary to be tied to any user ID or login. As long as you can single out someone from a group of users (even if that someone is anonymous), or even if you can just group users from a larger group into smaller groups, or if you have other data that you can somehow link to somone and so on... This is all tracking and triggers privacy laws like ePD and GDPR.
First-party analytics is one of the things that is explicitly mentioned in EDPB guidelines as not exempt from consent. It doesn't matter how you do it, store it in a cookie, memory, hash it or whatever, consent is required.
I think it's CPU hungry; it's used for several active sites.
I don't see these numbers in netadata dashboard. What's are you using to get these charts so I can confirm?
HetrixTools
I don't have HT setup with data, but I don't see any difference since 28th Sep.