Ask HN: What do I need to do to make my blog GDPR compliant?
Hi HN,
Today I received an email asking if I would process a GDPR data request and what information I collect.
I run a simple static site on top of nginx. I don't set any cookies. The two things I collect are 1. I use Google Analytics and 2. server logs.
Do I really need to create a "privacy policy" and "terms of use" page and show every user a GDPR message? It feels overkill to me given that I collect nothing as far as I can tell. I don't even look at GA and could remove it if I need to.
16 comments
[ 4.0 ms ] story [ 52.4 ms ] threadTrying to avoid google analytics personally, but as you added them to your site you need a policy. You are the custodian and are sharing information to google through you. As you are the Data Controller: https://www.gdprsummary.com/gdpr-definitions/data-controller....
https://piwik.pro/blog/is-google-analytics-gdpr-compliant/#2...
Depending on the information logged by your nginx server, you may also need a policy. IP for instance is one thing you might need to cover.
I think you also have to provide a postal address on the website (I think that also applies without gdpr)
https://www.termsfeed.com/blog/privacy-policy-contact-inform...
At least when you have EU visitors.
There are free generators for policy’s. For personal use they are enough.
If you have readers in the EU and/or you are living in the EU, you are required to have a privacy policy.
This (https://www.iubenda.com/en/help/8385-gdpr-for-bloggers) article and this (https://adventurebagging.co.uk/2018/05/gdpr-guide-for-blogge...) is looking like a good read.
You could also be required to have data processing contracts.
Some local privacy protection offices have good information about GDPR for small blogs and sometimes you can even ask them directly.
no legal advice
If you are outside of the EU (e.g. US), I'd say the simplest is to ignore.
Frankly, even if you are in the EU I would probably ignore that email if it's from some random person.
If you have server logs and Google Analytics, you'd write that you need the logs for problem debugging and Google Analytics to improve your web site. Both are legitimate interests, and you don't need any kind of pop-up or so.
Removing GA is a good idea anyway, if you don't really use it (like most small private blogs who implement it, just because it's easy – I used to do that, too).
Use GA if you want to.
If you do not need GA why use it? It is a separate connection your visitors browser needs to open and it is a connection to a third party. If you want analytics, there are some privacy options, for example Umami. See also here: https://github.com/0xnr/awesome-analytics
You could also disable the Nginx logs from logging IP addresses and then you should be fine.
Maybe adding a simple site saying that you do not retain any IPs or other information, you can prevent these emails in the future.
Edit: Nice looking website.