1. zerost+(OP)[view] [source] 2018-05-18 09:51:13
I think it gets "hate" from people who don't have much data but they still have to implement all the requirements, which go beyond their own data storage. Ad-supported websites are probably the most common case here, even if the sites don't store any data themselves.
replies(3): >>sdoeri+b2 >>mstolp+K2 >>rmc+Xa
2. sdoeri+b2[view] [source] 2018-05-18 10:16:29
>>zerost+(OP)
And that is a good thing. This >23 different trackers and adservers just to read crappy news content BS is so nice to be shaken.

I really love the GDPR for just making life for such business models way harder.

Implementing data, analytics, tracking and stuff in a way that is compliant with GDPR (or its local equivalents) is doable and from an architectural point of view even interesting imho.

I love building GDPR conforming data architectures with my clients right now.

replies(2): >>zerost+p2 >>hartat+Tt
3. zerost+p2[view] [source] [discussion] 2018-05-18 10:21:57
>>sdoeri+b2
I suggest you remove the 3 trackers from your blog, or at least let me see it without them. I'm not trying to be snarky, just pointing out that removing everything is often very hard.
replies(2): >>def_tr+q5 >>sdoeri+Z5
4. mstolp+K2[view] [source] 2018-05-18 10:26:15
>>zerost+(OP)
Or perhaps these people/businesses have much more data about you and don't want to share how they monetize their "free" services by selling/renting/aggregating/analyzing your data?

Think of all the free apps: I was in a conference with startup founders bragging about the business they make selling the location data of app users by incorporating some third party libraries in their apps without the users knowing. Of course, everything is anonymized, is it?

Ad-supported websites on the other hand have only to document what is going on and get the consent of the user. That's a simple notification bar with a button, like the cookie notice, plus a page detailing the privacy policy. The GDPR even mentions legitimate reasons for collecting, storing and transmitting personally identifiable data like technical or business needs. And in addition, almost all ad networks are going to anonymize IP addresses by stripping some bits and have opt-out features for being profiled.

replies(1): >>zerost+h3
5. zerost+h3[view] [source] [discussion] 2018-05-18 10:32:28
>>mstolp+K2
I'd wager for the vast amount of websites (>90%) it's just the ads, IPs and email addresses. Most websites have no monetizable use of your private info other than ads.
6. def_tr+q5[view] [source] [discussion] 2018-05-18 11:00:33
>>zerost+p2
The site linked in their profile works just fine with all JS disabled.
replies(2): >>sdoeri+16 >>zerost+g6
7. sdoeri+Z5[view] [source] [discussion] 2018-05-18 11:11:16
>>zerost+p2
Well. I know that I have GTM, GA with DC integration (currently) still active on my blog. DC integration will be dropped and the privacy page will be updated to describe what I am tracking and how long data is being stored. As needed to comply with GDPR/DSGVO.

As I am still having 7 days to go and that is just a personal blog, I plan on using my free time to do that (would just take 3 - 5 minutes to disable everything if I wanted to by removing GTM and redeploying).

So removing everything is quite easy. It is way more difficult to selectively remove singular features - in this case the DoubleClick integration. As I am not doing that exact step all day (even being a data analyst with a focus on web data), I would have to look where to configure that exactly. That would take longer.

So be snarky - I don't care, as I am already preparing for GDPR compliance and will have my house in order come May 25th.

[Edit] Took 12 minutes in the end. Will take some time until caching catches up. Using an incognito instance all good to go regarding the trackers. "Only" the update for the privacy page remains for the weekend to do.

replies(1): >>leeree+DS1
8. sdoeri+16[view] [source] [discussion] 2018-05-18 11:12:14
>>def_tr+q5
Thanks. I tried to achieve that. As I am surfing with a lot of JS being blocked/disabled, I wanted my own site to be usable for myself.
9. zerost+g6[view] [source] [discussion] 2018-05-18 11:16:18
>>def_tr+q5
I did not mean that the site doesn't work without tracking, but according to the law I should have the option to access the site without being tracked.
replies(1): >>sdoeri+K7
10. sdoeri+K7[view] [source] [discussion] 2018-05-18 11:34:30
>>zerost+g6
No. That is just plainly wrong. GDPR allows for tracking without opt in. It just needs to enable you to opt out of being tracked with, for example, a link to opt out in the privacy policy page. Something I still plan to make more visible (in the footer or something like that), but is already there [0].

These so called cookie layers are not necessary for tracking. They are not even necessary for first party on site advertising. For that you also do not need consent if you read the GDPR/DSGVO (German version).

In the DSGVO it is §6.1f [1] you would want to read about. There is even an elaborate explanation from the German legislation [2] what "Berechtigtes Interesse" (legitimate interest) exactly means.

So to make this short: direct marketing as well as tracking is totally fine even without consent. Give an option to opt out, explain why you need the data, what you do with it and how long you store it as well as a point of contact (for people wishing for their data to be deleted) and you are fine.

As long as you do not do profiling or stuff like that. A personal blog/website is then totally fine with GDPR. Btw. you would need to add all of this to your privacy page even if you had no web tracking installed, as your webserver probably would have logging activated. Having an IP address in there makes this data fall under the GDPR (at least in Germany). So you would need to explain all that stuff because of the log files nonetheless.

[0]: https://schriftrolle.de/datenschutz
[1]: https://dsgvo-gesetz.de/art-6-dsgvo/
[2]: https://dsgvo-gesetz.de/erwaegungsgruende/nr-47/

[Edit:] Ordered the footnotes

replies(1): >>zerost+Ae
11. rmc+Xa[view] [source] 2018-05-18 12:13:13
>>zerost+(OP)
> Ad-supported websites are probably the most common case here, even if the sites don't store any data themselves.

Internet advertising is a viper pit of privacy invasion. They didn't get their house in order, and let it turn into the horrible mess it is today, so they shouldn't be surprised that the regulators stepped in.

12. zerost+Ae[view] [source] [discussion] 2018-05-18 12:47:43
>>sdoeri+K7
First of all, I did not mean to make you change your blog site - I was just pointing out that the law applies to everything no matter how small.

Second, are you sure about this? My understanding is that if you use third-party tags such as analytics you need to get consent from users and not to use them if they don't consent.

One other thing that is not clear to me is if we need cookie prompts, and how can we implement cookie opt-ins/outs without being able to set cookies.

replies(2): >>spiral+lf >>sdoeri+WD6
13. spiral+lf[view] [source] [discussion] 2018-05-18 12:54:41
>>zerost+Ae
IIRC, the cookie law applies only to third party cookies. So you can freely set a first party cookie to store their opt-in/out.
14. hartat+Tt[view] [source] [discussion] 2018-05-18 14:53:12
>>sdoeri+b2
Don’t go to this kind of website then. There is nothing warranting you to kill them though.
15. leeree+DS1[view] [source] [discussion] 2018-05-19 10:33:22
>>sdoeri+Z5
> the privacy page will be updated to describe what I am tracking and how long data is being stored. As needed to comply with GDPR/DSGVO.

I thought the GDPR required users to opt-in to tracking (if consent is used as the lawful basis for processing), and if they choose not to opt-in, you must disable the tracking while still providing the service. Are you sure just updating your privacy page is enough?

Then there are the requirements to allow users to download or delete their data.

16. sdoeri+WD6[view] [source] [discussion] 2018-05-22 13:08:29
>>zerost+Ae
I am sure. At least in Germany the respective privacy protection agencies (federal system so multiple agencies have their say) already stated that "pure" analytics and "pure" advertising is ok without opt-in, only an opt-out needs to be provided.

If you do linking of such stuff (like Google Analytics with DoubleClick) you need an opt-in. Only then the opt-in cookie banner is really necessary.

Please excuse the late answer - was on holiday.
