GDPR: Don't Panic

>>grabeh+(OP)
The GDPR gets so much hate because it hits so many businesses where it hurts: data. GDPR "simply" gives you guidelines on how you can handle data from people within the EU. And that that data cannot be handled so liberally as it has been before. Of course that's annoying from a business perspective, but from an individuals privacy perspective, it's fantastic.

>>mrleit+s2
I think it gets "hate" from people who don't have much data but they still have to implement all the requirements, which go beyond than their own data storage. Ad-supported websites are probably the most common case here, even if the sites don't store any data themselves.

>>zerost+B9
And that is a good thing. This >23 different trackers and adservers just to read crappy news content BS is so nice to be shaken.

I really love the GDPR for just making the life for such business models way harder.

Implementing data, analytics, tracking and stuff in a way that is compliant with GDPR (or its local equivalents) is doable and from an architectural point of view even interesting imho.

I love building GDPR conforming data architectures with my clients right now.

>>sdoeri+Mb
i suggest you remove the 3 trackers from your blog, or at least let me see it without them. I m not trying to be snarky, just pointing out that removing everything is often very hard.

>>zerost+0c
The site linked in their profile works just fine with all JS disabled.

>>def_tr+1f
i did not mean that the site doesnt work without tracking, but according to the law i should have the option to access the site without being tracked.

>>zerost+Rf
No. That is just plainly wrong. GDPR allows for tracking without opt in. It just needs to enable you to opt out of being tracked with for example a link to opt out in the privacy policy page. Something I still plan to make more visible (in the footer or something like that), but is already there [0].

These so called cookie layers are not necessary for tracking. They are not even necessary for first party on site advertising. For that you also do not need consent if you read the GDPR/DSGVO (German version).

In the DSGVO it is §6.1f [1] you would want to read about. There is even an elaborate explanation from the German legistlation [2] what "Berechtiges Interesse" ( legitimate interest) exactly means.

So to make this short: direct marketing as well as tracking is totally fine even without consent. Give an option to opt out, explain why you need the data, what you do with it and how long you store it as well as a point of contact (for people wishing for their data to be deleted) and you are fine.

As long as you do not do profiling or stuff like that. A personal blog/website is then totally fine with GDPR. Btw. you would need to add all of this to your privacy page even if you had no web tracking installed, as your webserver probably would have logging activated. Having an IP address in there make this data fall under the GDPR (at least in Germany). So you would need to explain all that stuff because of the log files non the less.

[0]: https://schriftrolle.de/datenschutz [1]: https://dsgvo-gesetz.de/art-6-dsgvo/ [2]: https://dsgvo-gesetz.de/erwaegungsgruende/nr-47/

[Edit:] Ordered the footnotes

>>sdoeri+lh
First of all i did not mean to make you change your blog site - I was just pointing out that the law applies to everything no matter how small.

Second, are you sure about this? My understanding is that if you use third-party tags such as analytics you need to get consent from users and not to use them if they don't consent.

One other thing that is not clear to me is if we need cookie prompts, and how can we implement cookie opt-ins/outs without being able to set cookies.

>>zerost+bo
IIRC, the cookie law applies only to third party cookies. So you can freely set a first party cookie to store their opt-in/out.

zlacker