GDPR - general questions (penalty, rationale)


#1

Hi Friends,
With the email notification for the latest upgrade, I saw the link to this article: Piwik and GDPR assumptions: What do you need to know in order to have a Piwik GDPR compliant installation?. It’s about GDPR, apparently a new privacy law or regulation being proposed in Europe.

If this is the wrong place to post this, I apologize, and please move it. (I have to think you might want a whole board to handle all the questions this is likely to spawn.:roll_eyes:)

I only use Piwik as a security tool for my 2 very small sites - get a spammer’s IP address, for example. (Mostly I’m only interested in the Real-Time Visitors section and Visitor Log.) If we can’t see IP addresses, doesn’t that prevent us from securing our sites properly?

And second, a question about the penalty. If your site is not proprietary and earns no income, how can you be penalized? My sites and I originate in the US, by the way.

Does this only apply to proprietary sites? Or maybe only sites of a certain size?

Do I understand correctly that we could use Piwik’s Log Analytics to continue to see what GDPR considers personal data?

Thank you very much!


GDPR, DoNotTrack by default
(Lukas Winkler) #2

Hi,

I am definitely for general discussions about topics that affect Piwik and Web Analytics in general. (Maybe we’ll create a new category for it if more people are interested)

I can’t say much about the implications of the GDPR, but non-anonymized IP addresses will definitely be considered personal data (and already are here in Austria).


(Ronan Chardonneau) #3

Hi,
Nice question.
First of all, Piwik is less likely to be affected than most information systems. For example, a contact form with a database is already more affected than Piwik.
Concerning the IP address part, you are affected if it is considered a European one, because GDPR concerns only European citizens.
About the penalty, yes, you are affected; the same rules apply to you as to a company, since a European citizen needs to have the same level of protection.
To be honest, you do not risk anything, as there are so many cats out there that the authority will not be able to apply it to small companies.
Regarding log analytics, as long as you anonymize the data, it is OK.

To make it simple: you should not collect any personal information about EU citizens without their consent. If you do so, then you need to respect some rules (edit, delete, export).


(Lukas Winkler) #4

Hi,

Just one note, so there is no misunderstanding: while GDPR is a new law, its content isn’t. Quite a few European countries (at least Germany and Austria) already have data protection laws with more or less the same implications. So the only things changing next March (at least for me, living in Austria) are the level of the penalties and the amount of effort spent in enforcing those laws.


#5

Thanks for your comments.

I’m not a company. And as I said, my sites don’t generate income. It’s the opposite – I pay for the webspace without recompense. My sites provide user support for an open source graphics program. All provided freely. But it is an international community. So I have many European visitors (although I don’t necessarily know who lives where).

I don’t know what you mean by “contact form with a database”.

For my question about log analytics, it comes from this:

Yes, you read it well: by default, unless the internet user unchecks this option, Piwik respecting DoNotTrack would not be able to track any user. If one needed to collect data anyway, Piwik Log Analytics and server-side tracking can be considered.

Does that mean I can still connect an IP address to a particular user (using log analytics)?

Well yes, now that I think of it, how can they ever enforce it? I mean, doesn’t Google alone provide all the snooping capabilities that a snooper needs (and often for free, right)? This is so pervasive, the ability to know the IP address of the visitor. It seems like people who are so concerned about that already have the ability to mask their identity, like with proxies or other ways.

I’m certainly not very knowledgeable about IT, but couldn’t ISPs offer a way to mask identity? For all I know, maybe they already do.