Just two weeks after Austria, another EU country has deemed current Google Analytics implementation illegal in EU.
From the article:
> "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarily."
I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.
And, as usual, fellow EU citizens, support NOYB work, if you care about data protection: https://noyb.eu/en/support-us
The onus is on Google to suspend or anonymize Analytics. Individual Website managers can't be expected to discriminate based on geographical origin, as the document seems to imply.
If Google does not do so or fails to do so adequately, then the onus is on website owners to stop using a service which does not allow them to meet their data protection obligations. The data controller can't offload all responsibility to the data processor, in GDPR terms.
It's worth noting that GA4 does this already. GA3 (AKA Universal Analytics) requires owners to set the anonymize_ip flag though. I agree that Google should have retroactively changed this policy for GA3 accounts, even if it would cause some breakage.
The English post from CNIL makes it clear it's not just IP that's the issue:
>In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
If Google doesn't offer the ability then it is up to the customer to not use GA until Google complies. I hate this ruling, but implying it's just Google's job to do this and everyone else should just do nothing is crazy.
1. Legal: It's the site owners integrating GA and therefore taking on the liabilities just like they do with every other supplier. When a part in your car fails immediately after you bought it, it's the manufacturers job to fix it even if they acquired the parts from a third party (e.g. Bosch).
2. Practical: A website 100% located in France and catering to 100% french customers is much more likely to fix the problem than the international anonymous machine that is Google.
> When a part in your car fails immediately after you bought it, it's the manufacturers job to fix it even if they acquired the parts from a third party (e.g. Bosch).
And the manufacturer can go after Bosch, who is responsible in the end.
> than the international anonymous machine that is Google.
Except the law applies to Europe as a whole, and it's really not that much to ask one of the biggest technology companies in the world to use European servers and anonymize European traffic by default. They just don't want to or don't care. Which both should be reason enough to stronger regulate them.
I think we will see a two pronged approach to the Problem.
On the EU level, the commission and the states will engage Google directly while on a national level individual companies will be "encouraged" to find alternatives.
> the international anonymous machine that is Google.
Uber, Google etc really wants this to be true.
However, it is trivial for a nation state to shut down Google's commercial interest in the country.
Just have the police lock the door to their office and blacklist a bank account or two. If doing business with Google becomes illegal, they will lose almost all revenue except some indirect shell company ads.
Seems way less work to make Google compliant than to figure out which sites in French are actually French jurisdiction.
I both agree and disagree. I agree what Google has been doing for years is morally/legally wrong. I disagree that they should change it, because it would still be triggering 3rd party requests from your browser to Google which is wrong for so many reasons (first and foremost latency and privacy).
IMO we should break away Google entirely and trial their execs for crimes against humanity. They're cooperating with USA, China, Saudi Arabia... by helping murderous regimes deploy their techno-police, how many million people have they helped imprison/murder?
Haven't seen mentions of GA itself, but it was obvious from context, as GA is part of wider ad targeting system - and those were explicitly used both by secret services as well as random hackers for target acquisition and initial hacks through vulnerable browsers of social engineering.
I don't like Google but seriously this whole GDPR thing is getting out of hand.
Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.
Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
You need to drink water to survive. You browse web voluntarily, picking the website you want to visit voluntarily and with intention to go there. No one dies if they don't visit a website.
Surely that is to do with her knowledge and education around privacy and data collection. Ignorance to the issue doesn’t mean we should ignore people like this.
I am perfectly educated about privacy and data collection and I completely fail to see the actual harm being done. I am much more bothered by those incessant cookie dialogs.
Overall, yes. At the very least it's been incredibly enlightening. It's amazing how random websites have 50 "partners" all of which for some reason need to know what I'm doing.
So you think your "enlightenment" is worth the millions of work-hours people are putting in just to read and click a cookie banner they give absolutely not a single crap about?
They wouldn't have to do this if they didn't spew personal information indiscriminately to scumbag "partners". So yes, I do think that is worthwhile. The cost is born by the correct people.
And every single user outside the EU. I never voted for these crazy runaway regulations, but I can’t browse many sites on mobile at all with all the damn banners.
EU bureaucrats are effectively prescribing how the web should work for everyone. Ridiculous.
Not for nothing, as you can see in this post. Little by little we're stopping to send private data to the US. That's a good thing, even if it's painful at the start.
Says who?! I have zero problems sending my private data to the US. I did it for years and I still think is one of the better places to send my private data to. Definitely better than my own country.
Answering here because there's a thread depth limit.
> Free content and services. What do you lose in exchange?
Privacy. What I do shouldn't really be anybody else's business.
An ad-targeted web. IMO ads are a plague on useful content, because everything is about getting views and clicks. This makes actual content less useful and more annoying to consume. It incentivizes posting low effort, watered down content rather than smaller amounts of great content. It also means content creators are trying to please the advertiser, and not me.
Risk of manipulation. Lots of effort has gone into figuring out how to best manipulate people, and when you know who somebody is and how to best tailor any given message to them, you can get pretty far. I'm quite sure that I also have buttons that can be pushed if somebody knows how, and I don't particularly like the thought of that.
Never a shortage of people mad that they can't eat trans fats or inhale leaded gasoline exhaust anymore, either. Not great analogies, since giving up personal info to use free services is a reasonable choice for individuals... But in aggregate, it's like giving up a bit of sovereignty to be that transparent. Microtargetting has helped enable some serious societal harms, i.e. spreading lies to the gullible while evading scrutiny from others, and that pales to how intelligence agencies can use the hoards of personal data. I think France and the EU are moving in the right direction, given the CLOUD act exists, and given all the other bad societal effects enabled by a surveillance focused economy. US politics hasn't weathered the shift well, unless of course your fitness function for politics is how resilient the elected government is against voters, i.e. how little can it serve their interests without losing power.
Noone is dictating you how to live your life. The recent EU privacy laws are about giving people a choice how there data is used. You are free to accept the cookies. You are even free to automate that via browser extensions. You are free to build websites in ways that don't require tracking user data and thus don't require consent. You are free to vote for politicans that are against privacy right or even campaign yourself.
But a fundamental issue with freedom is that sometimes freedoms conflict with each other. Here the freedom to do whatever you want conflicts with the right to privacy of others and the EU has decided that in this instance the right to privace takes precedence.
I am not free to use add-supported US services when they stop being provided to EU citizens due the onerous requirements imposed on them by privacy laws.
I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.
The EU politicians unilaterally decided to steal these freedoms from all EU citizens.
The right to privacy is not a freedom. I am not sure it's even a real right. But it was easily accessible even before the current privacy laws, even if it needed a little technical competence. It wasn't the default though. And the current laws do not provide me the privacy I actually need: from EU government(s).
> I am not free to use add-supported US services when they stop being provided to EU citizens due the onerous requirements imposed on them by privacy laws.
Those companies are free to not to do business wit you but it is not the EU privacy laws making that decision. Those companies can provide their service in a privacy-respecting way and many will - the EU is not a small market to give up on. You can also use a VPN.
> I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.
And don't forget that hose consent popups are likely specifically designed to be annoying in order to get you mad at the privacy laws. Don't fall for it - the EU privacy laws do not required websites to be user-unfriendly.
> The EU politicians unilaterally decided to steal these freedoms from all EU citizens.
I am not going to pretend the EU is a perfect democracy, but ultimately, those decisions are made by those elected by the peole - directly or indirectly.
> The right to privacy is not a freedom. I am not sure it's even a real right.
It is a real right that has historically been enforced in many EU countries. The recent laws do nothing more than update that enforcement to the digital age.
> But it was easily accessible even before the current privacy laws, even if it needed a little technical competence.
No, it really wasn't. You can block cookies but you cannot stop companies from tracking you via the 10 million other ways they have available or to trade information about you with third parties. You cannot use technical means to find out what information companies have collected about you. You cannot use technical means to compel companies to delete information they have already collected. THAT is why we have new laws.
This is so funny. Under GDPR everything is illegal, the only legal website is no website.
Good for Europe, they are just going to law themselves out of the internet. Up to the point were your ISP doing hops to send your TCP packet will be illegal unless you approve them sharing that info with all the shops.
What about clicking or typing in a site? Is your webserver processing those? That means you’re gratuitously using user data to run your for-profit business! That should be illegal!
I feel for my European brothers and sisters these days. As an American, I hardly ever see these banners. Went to an EU country for work and... Holy cow. Y'all get these banners every site. How do you tolerate it?
That ruling declares that a centralized solution is no good.
The predictable outcome from that ruling is a decentralized solution: a few libraries attempting to build frameworks that are compliant, everyone implementing their own one-off versions of permission-granting and cookie consent using those frmeworks as a basis, and the Authority chasing mom-and-pop sites that are out of compliance until the sun goes cold.
In a sense, that may satisfy the goals: the data will be decentralized, stored widely, and harder to aggregate. On the other hand, what we learned from the virus era and the Windows OS monoculture is thousands of nodes running the same software (but not centrally maintained; maintained by people who have a job other than maintaining a website and are therefore slow to patch security holes) will be vulnerable to scripted attacks against frameworks.
My prediction is a net increase in stolen PII and, while individual site-runners will get screwed, the number of sites collecting the data won't go down. It's just too valuable, and the odds you will get hit by a hacker are too low.
And web server logs are fine for troubleshooting and detecting abuse, you don't even need to ask for consent!
Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.
I looked into this at back when the GDPR came into effect [0]. I am not a lawyer but in summary:
Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.
However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.
If you want to toss some static HTML into a host, go for it. If you want to record statistics on how many page hits you had, go for it. If you want to add JavaScript for interactions and making it look prettier, go for it.
But if you want to contribute to a privacy-violating network that tracks individual users, then that goes far beyond wanting "just to put up a website somewhere".
> so long as the data is located and processed in France.
... you also have to ask for permission first.
The main difference is that for a data processor in France it seems possible to get all the right contracts in place, while a US based data processor is incapable of doing that thanks to FISA and similar US initiatives.
> you can totally contribute to a privacy violating network … so long as the data is located and processed in France.
While that's not the issue being discussed here, you should by default only collect & process the minimum amount of data needed for the product/service to function. Analytics aren't part of that and would need to be opt-in.
I'd be interested to hear exactly what default configuration violates GDPR, as that wasn't something I'd heard before. However, even if that is the case, that would imply that the defaults should be changed.
Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.
There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.
It would appear public IP addresses are PII. Apache (and most web servers) log those by default.
A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).
I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.
Thank you, that was an aspect I hadn't considered. That said, I'm not sure how much I agree with the conclusion of this particular answer. My understanding is that IP addresses are only considered personal data if they either uniquely identify a person (e.g. a static IP address), or can be joined with additional available data to uniquely identify (e.g. a dynamic IP address logged by somebody who also has logs on the dynamic IP assignment).
In addition, that there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be be a more solid case [1].
This! GDPR is a big block towards technological improvement.
Do virtually any business that involves user registration at some point, and now you need to be sure that you're compliant with all those rules, spending limited resources on that to avoid ridiculous fines.
It benefits only the big players who has lawyers to know exactly what to do and not, and a nightmare for anyone who tries to grow a small business or have a small website.
It was already non-invasive. I, as a conscious human being browse a website, use their (potentially free) services. The website can of course put a cookie and track me. If I'm really paranoid I could block cookies etc but regardless, no one forces me to use their website.
If someone pointed a gun and forced me to go to a website, enter my personal data and give my data to trackers that would be something else (still not website's fault but anyway).
I have a collection of small, US-focused websites.
I'm investigating low-effort ways to geo-fence the EU. At some point it just becomes easier to ban Europeans, rather than keep up with whatever they'll come up with next. I saw in this thread that the Google fonts on my website are now a problem as well!? That's the first I heard of it.
This is the perfect example of why government oversight is needed. You run a bunch of websites and aren’t aware that you are inadvertently involved in violating the privacy of the people who visit your sites. How are non-technical people supposed to deal with this?
No, this is a perfect example of the exact opposite.
A bureaucrat on the other side of the planet comes to a conclusion and I, who never voted for this person or knew about their existence, am legally bound by their decision.
On pain of who knows what fines or penalties. I’m nearly overwhelmed by the amount of work on my core product, I can’t add “keep up with European legal opinion” to my todo list as well.
As I said, it’s simpler to just geofence everything.
The argument is not that Google shouldn't hand over data with a warrant if it resides in an appropriate jurisdiction. The argument is that Google shouldn't have the data in that jurisdiction to hand over in the first place unless an individual user has given consent for that.
Why should every US tech company be expected to duplicate its infrastructure in the EU? Google isn't special, this applies to EVERY US-based competitor to GA. This gives EU competitors an unfair advantage.... and that's the real point.
Because the US cannot implement reasonable privacy laws that give basic safeguards to personal information expected by EU citizens (or even UK citizens).
If anything, EU competitors to Google Analytics are at a _disadvantage_ because they can't apply the same lassaiz-faire techniques for US-based customers that US-based companies get away with.
"As regards the limits on intelligence activities, the referring court emphasises the fact that non-US persons are covered only by PPD‑28, which merely states that intelligence activities should be ‘as tailored as feasible’. On the basis of those findings, the referring court considers that the United States carries out mass processing of personal data without ensuring a level of protection essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter."
and
"As regards judicial protection, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to EU citizens."
So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.
> So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.
Nothing about this stops that. Like I said to the other person this is protectionism. Requiring every US-based tech company to duplicate its infrastructure in the EU, Which in turn gives EU competitors an unfair advantage.
Have you seen the list of companies that typically show up when you opt-out of data-sharing? It's frequently in the hundreds. I'm incredibly sick of them so frequently starting with "Your privacy is very important to us" immediately followed by "So we're going to share your data with these 100 anonymously named shell and reseller corporations."
It's not GDPR making life harder for companies, it's the shadowy practices of businesses that are finally being brought to light.
> Rest is just making life of web developers/admins/tech company owners harder.
there are hundreds of alternatives to Google Analytics, developers/admin/companies should just choose wisely. That's what the GDPR is about: end of free lunch for everybody at the expenses of people's privacy, choose your shit carefully.
I don't want to comment on GDPR, but you must be kidding with 'can just block'. Do you expect that average joe can do that ? It like saying, we don't need police you can simply defend your self.
Everything comes at a price. I don't expect every average Joe to be tech savvy to use extensions. Though when visiting a site (an action that a personal deliberately takes) if they really care about their privacy on web, cookies, GA tracking they aren't probably average Joe and can use a blocker.
You are conflating "technically savvy" and "doesn't want to be spied on". I understand that these probably correlate in your world, but a simple moment to think about why most people click "no" to the iOS tracking opt-in prompts explains that these are orthogonal issues.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
No, Germany is a big leader in the EU. They are very sensitive to issues around privacy, from the DDR era.
They don't want private corporations having DDR-like folders of information on citizens.
Government surveillance on citizens has a long history of horrifying consequences, especially in Germany. What is the worst corporations are doing with our data? Better ads?!
> working from home monitoring, or insurance companies profiling individuals
Comparing that with what governments can do with data gathered about me, I know which ones I want to be protected from. Unfortunately they are the ones writing privacy laws and they leave huge loopholes for themselves.
especially not in systems in which the goverment turns totalitarian. (see, fascism and while stalinism doens't have the concept of a company, many of its state owned enterprises where former companies).
Yup. Governments already can access any data they want anyway. Sure, with access to big data collected from corporations that would be easier, but even without that, government can do whatever they want (unfortunately).
This harms companies, website owners trying to use services, and users (someone using my free site, I need to monetize it, targeted ads was a nice way, now I can't).
I don't see that as a relevant distinction. Democratically elected governments can do really bad things, too, and they have a much bigger tool kit for it than corporations.
That's the funny thing: they are sensitive of data collection by corporations when the data collection during the DDR was done by the government, something that they surely dont care about.
I have somewhat of the opposite opinion. I use Google search and Gmail and think they are good products. When GPDR was first being rolled out I was convinced that it was going to destroy the web and ruin a lot of what I like about it. I was wrong and now I’d like to see the US provide similar protections for consumers.
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.
This requires a level of access and technical skill which most people don’t have. If you have ever tried doing this, think about how many sites break because they have code which assumes GA calls always succeed and then ask what percentage of the population would be able to identify and work around those problems.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
Yes, that's happening, and it's a good one. Privacy Shield was cancelled because of Schrems II. The US simply don't care (intentionally?) to protected any data of people not living in the US. With FISA (Foreign Intelligence Surveillance Act) or "Executive Order 12333" they can get every data they want, even silently. Disclosing that a company had to handover any data will get them prison time.
This is against the intention and protection the EU set for european people. So if a company is violating these terms, it's good to take action.
The CNIL was created in the 1970s. The main thing the GDPR has done is give it a lot more teeth. So in effect data privacy has been the law for over 40 years now. Ignorance of the law is not an excuse, not for such large corporations in particular.
When I was young adult, when visitor counter on a website was en vogue, I was building a system that would take note of where user came from, which pages they visited how long have stayed there, which page they exited through. What paths they took through a site.
It didn't go that far. But when I saw people plastering Facebook like button everywhere I knew exactly what that meant. That one random corp now can know everything about everybody's behaviour everywhere.
Then Google put out Google analytics and I just switched my sites to this thing. I didn't mind all that much because it was Google and do no evil was still a thing.
But GDPR is something that reminds me of how ridiculous things we accepted as if they were normal just because they were technically feasible.
The industry standard is to show utter contempt for the user. It's expected that every site will show you tacky and distracting ads and will dump 90 third party cookies on you. It's beyond belief.
Imagine going into a travel agent to inquire about a flight. The moment you step through the door 50 people attach themselves to you. Some start recording your every action in a notebook, others flash torches in your eyes, two of them start showing you a video at the same time. And the rest follow you around holding up large ads. And they carry on following you around even after you leave the store!
Imagine there is another travel agent not doing all that, but it costs money while the first is free. Wouldn’t you like to have the right to choose which one to visit, or do you prefer that choice to me made for you by politicians instead?
I would absolutely like the ability to pay for services which do not track or advertise to me. But they don't exist for the most part, and the existence of those services does nothing to diminish the requirement of the ones engaging in poor practice to make their service "free" to obtain _consent_ for what they are doing.
Then focus on the people that do want it - which by the count of the number of people who say no to Facebook tracking on iOS, is a very high number. Enough to be of material impact to Facebook's bottom line.
The law does not allow Facebook to refuse service to those saying no to tracking. If they were faced with that choice, I am sure most users would've made a very different selection.
> Rest is just making life of web developers/admins/tech company owners harder.
Seriously? People spend tons money and time to track users. If you want to be GDPR-compliant, simply don't save unnecessary userdata and if you still feel the urge to do so, give users the option to control it. It's that easy. Any problems you get from it are of your own making.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies
We created the GDPR, but then knee-capped it with safe harbor. Then Schrems sued and the courts dropped it, but the EU simply reinstated it under the name privacy shield. Then Shrems sued again and after having to have a legal battle again, it unsurprisingly turns out that it's still illegal. I can't see how you think of the EU as anything but overly lenient.
Many just want analytics and GA is the most convenient option. Though with GDPR now website owners (many offering free content and hosting a site where a user explicity browses into with their own will) need to learn law to make sure they are compliant, which obviously shouldn't be the case for such a simple task.
I'm not going into anyone's house and force them to give me their data, I'm collection anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
> Many just want analytics and GA is the most convenient option. Though with GDPR now website owners (many offering free content and hosting a site where a user explicity browses into with their own will) need to learn law to make sure they are compliant, which obviously shouldn't be the case for such a simple task.
The problem is that we made collecting user data the easy task while ignoring privacy protection. The fact that Google spend billions to make spying easy does not mean it should be legal. And it's really easy to be compliant - don't collect data. You don't need it to host your website, you really don't.
> I'm not going into anyone's house and force them to give me their data, I'm collection anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
And you're absolutely free to ask people for consent for collecting their data or to simply block visitors from the European union. You can also not collect data or do so in compliance with the GDPR, by the way. All ways are perfectly viable.
But just because I opened a link in my browser does not mean I consent to anything - by that logic, ransomware is perfectly fine, because you visited their website and downloaded their software. This is ridiculous.
GDPR is not merely a list of bad things not to do. You aren’t compliant unless you follow slow, expensive processes to continually demonstrate compliance.
I'd really love to see a quote on the section you're referring to. The GPDR has some processes for larger companies (i.e. DPOs), but they're neither expensive nor slow, and small companies have a lot more leeway.
The most egregious I know of is https://gdpr-info.eu/art-36-gdpr/, which calls for an 8–14 week delay that may or may not apply to any launch. I don’t even think the entire EU must agree on what the conditions will be.
Apart from “a natural person in the course of a purely personal or household activity” I don’t know of any size exemptions.
Well no one puts a gun on your head and forces you to visit a website. Anyone who cares can always block GA with extensions either. If you are entering my site, hosted by me, owned under my domain, I can put whatever tracking script I want, controlled and used by any company and no one should have a right to control it.
This is completely unrelated to GDPR. In France, Google Analytics was illegal since it was ever started. French privacy laws from 1978 are still to this day MUCH STRONGER than GPDR which is just salt on the wound and does not prevent malicious collection of data (though now you have to come up with a "legitimate interest" excuse for that).
Google knew they were making an illegal business and still went ahead. IMO they should be charged for being a criminal ring defrauding small businesses for SEO as part of a global scheme... if not for helping genocidal regimes surveil/censor/imprison/murder their population as they have been doing for years.
I don't like the meat industry, but seriously all these food safety laws are getting out of hand.
Anyone who's concerned about salmonella, hormone levels or animal welfare, can just not buy any products that could potentially contain animal products from countries with weak animal welfare or sanitary laws. The rest is just making life of farmers/shops/wholesalers harder.
Especially with these European intentions, I frankly believe that one single country's laws should be universal and no other country may implement or enforce laws that protect their consumers. The onus to protect themselves from harm must lie with the individuals and governments should not dare inconvenience anyone just to protect their citizens' interests.
And governments now outsource some of their functions to bigger corporations as a loophole around human rights- mass spying and censorship, for example.
Then let's fight the actual problems - the governments - and stop going after the decoys. Let's make it illegal for government to access and use business data. That will fight the actual problem while allowing businesses to keep serving us better.
> Rest is just making life of web developers/admins/tech company owners harder.
Well, of course, tech companies, especially Google, Facebook, Amazon (and this one doesn't even respect basic work and union regulations and rights) are getting out of hand, making their life harder (if not dismantling them) is the legislator's job.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies.
Again, yes, of course, so what ? The US (tech and government) has been prying on the rest of the world with its tech advance and has been using it to spy and gather data it could not get otherwise. France, the EU, are just defending their citizens' rights and their interests, especially economical, against another threat to civil liberties.
I wasn't referring to FAANG, I was referring to smaller devs/admins who try to keep up with analytics and don't have ridiculous amounts of money to work with lawyers to see what they are doing for analytics for the sake of improving their service might be landing them $1m fines for some new rule in some geographical locations.
Well, if they want to operate somewhere, they have to follow local rules.
I doubt American companies wouldn't comply with American law, European law is no less important than the American one and I don't see a reason why we should be accommodating towards foreign businesses, especially, again, those of a country which is a threat. Big companies shouldn't serve as a model to follow.
That's the problem: web should be global and open: a website shouldn't be bound to laws of somewhere. It's 2022 and forcing following local rules for a web based global service only does harm to users (and the service).
A basic example: government of my country requested all data and payments to/from PayPal to be controlled by them, PayPal naturally rejected it, and they got banned from my country.
Now who is affected? Us! The whole world can use PayPal to send/receive money pretty much everywhere, but we can't.
These regulations and "needing to follow local rules" itself is alone a reason for a completely decentralized-countryless web to succeed.
>Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.
The GDPR is not limited to the internet. So say you go to make a blood test to check your health, GDPR will apply there too, you don't need to go with a fake ID and with a mark on your face, the law protects you from greedy companies so you and your family don't have to use weird workarounds to protect yourself.
> I don't like Google but seriously this whole GDPR thing is getting out of hand.
IMO it's the other way round: data collection and lack of respect for privacy got out of hand and has been like that for a long time now. It's finally coming under control, albeit slowly. This is not the end of it. And I'm super happy about GDPR.
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.
Why is it on the victims to protect themselves against illegal practices? We have courts and authorities for a reason.
If it stopped at Google, this would be easy. But GA is just tip of the iceburger.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
I don't believe that at all. But ultimately what I believe does not matter. I'm just happy that right to privacy online is finally becoming a thing.
Due to a misconfiguration by my local ISP which meant Google services were not accessible, I discovered that the UK government's 'parliamentlive.tv' has a dependency on JQuery loaded from Google's CDN.
You might say that it's up to the UK government to fix that, and I agree, but as an individual with no direct influence on the implementation of this service, it's also clearly not the case currently that:
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains
Or at least, they can, but they may be excluded from civic services they are entitled to avail themselves of, which their taxes go towards paying for.
Self hosted Matomo/piwik is pretty good. You probably want to make sure it's on servers in the EU owned by a EU company (Hetzner, OVH, Griscale, etc). Alternatively you can configure it in a way that avoids collecting PII [1] (which also removes the need for consent popup, privacy policy etc). You won't get much info about repeat visitors that way, but I imagine it's quite usable for many use cases.
I just started using Goatcounter for a noncommercial site (music history research blog) and I'm happy with it. All I wanted was a glorified hit counter.
It doesn't have the goal conversion metrics and other advanced features of GA, so obviously not a drop-in replacement for all use cases.
We host Matomo (formerly called Piwik) ourselves. And we also host the fonts we use ourselves. Since we are a healthcare based startup we prefer not to share any data outside of our controlled servers.
We even disabled the cookie based tracking inside Matomo at the cost of not linking different visit sessions. Same session visits are fully tracked though. Saves us a cookie warning.
This is the way! Glad you went that way, still struggling to get everything set up like this for our company. But marketing will come around the corner soon... ;-)
Funny thing... I went on their site (fr.matomo.org here in France) using Safari.
All images are not displayed (? on each images). Tried on Firefox, displays the images fine...
Checked what kind of images are these, all .webp ! :D
They have improvements to do if they want to be "google free" themselves...
What type of server specs (memory, CPU, disk size, etc.) do you use to self host it?
Based on an open issue[0], it's suggested to run a server with 32GB+ of memory to handle hosting Clickhouse but that would mean self hosting Plausible would end up being $160 / month on DigitalOcean which would make it 10x more expensive than hosting my custom app that I want to see analytics for.
I know you can use less memory but it sounds like using less can result in an unpredictable environment where everything can stop working at any given moment depending on what Clickhouse wants to do. This happened to someone who replied in that issue. Their production set up stopped working because it ran out of memory.
Someone else wrote about it using close to 8GB of disk space to track ~8k page views at https://cyberhost.uk/plausible-3-month-review/. That was only written back in March 2021 too. They said they are going to look for an alternative solution because the the storage costs are too high.
The Clickhouse instance run on a Render[0] "Standard" private service. So 1 CPU (no idea what that means), 2GB of RAM, and a 10 GB disk. So far I've been using 10% of the disk and it's not growing very much.
Clickhouse has got a lot better in limited memory environments. They now recommend 4GB minimum.
The production environment that crashed due to Clickhouse OOM was our hosted product a while ago :) After that, we haven't had any downtime on our Clickhouse DB for over a year.
The issue with disk space stems from a bad default configuration. Clickhouse used to have EXTREMELY noisy debug level logging enabled by default with no rotation. This has been fixed in our hosting repo[1] so you get sensible defaults.
If you don't want to worry about downtime, planning disk space or compute capacity, then that's exactly what we offer at https://plausible.io. We process and keep the visitor data on our Hetzner servers in Germany.
Plausible founder here. There's nothing automatic but you can track your campaigns with utm_campaigns manually.
Google has made sure that analytics for Google Ads works best within their own walled garden. Same with Facebook and Twitter with their Pixel products.
Instead of using the Referer header or utm parameters as intended, these large corps send obtuse random IDs (gclid, t.co/<id> links) which only they can correlate to an ad, search query or tweet using their internal database.
So until there is anti-trust action in this space towards more oppenness and competition, you're stuck with the ad provider if you want tight integration between ads and analytics.
Nobody is going to get in “legal hot water” on account of Google Fonts or Google Analytics unless they’re Google themselves or a top 10 ecommerce company some politician wants to make an example of. There’s millions of sites relying on those things.
Is the EU going to drag them all into court?
This is like saying you never jay walk because you want to avoid the legal hot water. The water isn’t even lukewarm!
GDPR mechanisms are directed at pushing you towards compliance, not getting big payouts. So in many cases you can even avoid any fine if you cooperate on first notice.
> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.
So, if you feel brave you can challenge some courts on this.
I would venture most of the internet is not hosted in the EU. You expect US, Chinese, and Japanese citizens to respect an EU fine for a law they have no say in? Sure they are doing "business" in the EU, but many of them are not doing business at all.
> You expect US, Chinese, and Japanese citizens to respect an EU fine for a law they have no say in?
No. What is the EU going to do, besides nothing? If you do business in the EU they will take your business away, and if you don't there's nothing they can do. I'm sure we all break some foreign countries laws every day and there's nothing they can do about it.
I do expect fines to be handed to EU companies and I expect them to pay them though.
> I would venture most of the internet is not hosted in the EU
Most content isn't made in the US, and the US somehow still forced its copyright system on the world.
Not the EU itself... but your competitors, who can not just complain at your respective data protection agency but also file for c&d letters, court injunction orders or penalties.
Self-hosting something is always going to be less complex, but you'll still need to determine what you're tracking and why, write that down in a form people can understand easily, and let people opt in explicitly (with a just-as-easy way to opt out later).
People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.
Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.
I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).
> I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?
Well... if you self-host Piwik or Matomo, you're relatively safe and you can avoid a lot of the bureaucracy bullshit that you'd have with external services.
However, check with a lawyer before setting it up, and definitely get user consent for detailed tracking. There are basically two camps of thought how much is allowed without explicit user consent: the more strict camp (which I belong to) believes that it is illegal to even use technically required data (like IP address, browser agent, date/time of visit, URL/query parameters) for analytics of any kind. The other camp is more relaxed and believes that it is OK to conduct basic analytics on that data (justified as "legitimate interest" of the site operator to provide a good experience to the user), but don't set anything like cookies or localStorage that could allow detailed tracking.
It is not yet clear by a supreme court decision which school of thought is going to win out - personally, I follow the requirement of data minimization per Art. 5 Nr. 1 lit c) EU-GDPR. Data that you do not have cannot be stolen, seized, abused or used as justification for fines, after all.
If the web-page's javascript ONLY stores and processes data stored in the client's localStorage to generate the local page, and sends nothing back to the server, so the web-site operator never sees that data, then is the web-site operator processing that data, or is it only the user-agent's operator ?
The web-site operator certainly wouldn't be a "data controller" since it isn't collecting or storing the data. And it's hard to see how the web-site operator would be a "data processor" in that circumstance.
Never thought about that scenario, I only mentioned localStorage or sessionStorage because it has been abused in the past to get around tracking blockers and to create "supercookies".
I've just asked the UK ICO for advice and got a confirmation it wouldn't be considered as a data controller or processor. I gave this example:
Me: "Effectively, in my case, the user is adding 'post-it' notes of their own devising that remain 'sticky' so the next time they visit the same page they'll see their own notes - but those notes are never sent to the server"
Me: "It's effectively the same circumstance as a classical computer program being downloaded by the user, and then used (locally) to create/save files on their local device. In that case you wouldn't consider the author of the computer program to be the data controller, surely?"
ICO (Flynn): "Flynn: Okay that sounds reasonable."
ICO (Flynn): "So if your product/service is not dependant on personal data and you are not processing it then you appear to not be captured by data protection legislation."
I'm the creator of Fugu (https://github.com/shafy/fugu), if you're looking for an event-based analytics solution that is open-source, free and self-hostable. Fugu doesn't track unique users, just anonymous events.
I also offer hosted version if you don't want to deal with hosting (currently using Digital Ocean with their Frankfurt data center, but will switch to an EU company soon).
It looks like self-hosting Posthog (https://posthog.com/) should work, and they look great.
They're a US company, so you can't use their cloud service, but it's designed to be self-hosted and they have a list of EU cloud providers so you can do 100% EU-based self-hosting if you want: https://posthog.com/docs/self-host/deploy/hosting-in-eu
It's only ok if you self-host on a server in the EU, right? It'll be interesting when different regions of the world start having mutually exclusive laws about where data has to be stored.
For those that missed it and are interested, there was a similar HN discussion around a German GDPR ruling last week. It already has quite a large debate and a lot of opinions on the matter:
So I can take follow someone in public, take picture of them in public places from some distance, follow them into stores, see what they are spending and what they are using, etc. Store owners can have cameras, track the behaviour of customers, etc
But if I use a service which anonymously tracks which pages they opened on a website they voluntarily visited and are exploring, then I'm in trouble?
You're also in trouble if you send the data you collect by other methods without consent, to servers based in the USA for NSA to snoop around on and correlate with all their other data points.
Unless your argument is "but how would they know about it", in which case that applies to any other crime.
You are not stalking, like doing it all the time. And you are not taking closeup in your face picture but from a distance. All that is not illegal in a lot of countries.
In most countries, you may take a photo including some person walking down public space. However, if you follow this person, aim your camera at this person specifically, or take several pictures of the same person it would be considered an infringement of their "right to image" if not criminal stalking.
What you're describing is very illegal in France, and you might have the police called on you or the person reacting aggressively if you're filming them like that. In fact there were a few incidents of that nature with Twitch streamers pointing their cameras at people and complaining online they were being mistreated by the locals.
There are plenty of privacy respecting analytics out there - Plausible, Matomo or Simple Analytics. Depending on what your actual needs are, you can also just use something like GoAccess, logwatch, Splunk or multitail to check your logs and use those for analytics information.
In one of my previous jobs the marketing department complained about Google Analytics not working on one of our pages. GA hadn't been working for about 10 months when they raised the incident. It was such a low priority that it took another 4 months for someone to fix it.
While I get that someone people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?
How many marketing teams/sales teams/etc actually use ALL the information provided by these tools. Aren't there other better ways to measure your campaign and product performance? Do you just want to see time on site/page? Abandon rate? I mean, most of these tools feel like they concentrate the Western mentality of "I need an SUV because I might have to put in more than 2 bags in my car".
> While I get that someone people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?
No, you download chrome. You agree to the analytics when you install/first open it.
This is different from going on the site of your local company and feeding data into Google analytics involuntarily.
The relevant legislation is about whether or not you agree to data being collected and shared, and the issue is that US companies are essentially data funnels for NSA & co.
I have just posted this link for everyone on the Slack of the french web agency - specialized in Google/Facebook/Instagram campaigns - I work for.
Not one reaction. I was left on seen.
I've found that most agencies love to preach that they are data driven, but in reality they only care about the perception of being data oriented. They won't care until clients start asking questions, then it will be a panic.
Each jurisdiction is going to be slightly different, depending on what the law regarding data protection is like in each place.
Russia hasn't been deemed adequate by the Commission under the GDPR, but it is a member of the Council of Europe (and is thus bound by the ECHR) and it has ratified Convention 108 (and has signed, but not ratified, the modernised Convention 108).
Of course Russia is a deeply authoritarian regime which has no problem violating human rights and international treaties at will so...
Sadly I don't see how this decision can be translated into practice, since I strongly doubt the CNIL will be able (or willing) to send formal notice, and fine after a grace period, all French companies that make use of Google Analytics on their website.
Why is the onus on the CNIL to notify companies on the law (which they actually did by issuing this press release) and not on companies to keep up-to-date with the law (which they could to by reading the news)?
This is just how it works. I'm not making the rules. The CNIL send "mise en demeure" to companies that do not complies with the GDPR and even before that with the "loi informatique et libertés" and if the companies ignore the "mise en demeure" after some time the CNIL can fine them.
It also happens that the CNIL is notoriously more and more lenient on a lot of things.
Note that Wikimedia has been not using Google Analytics since forever because they're concerned about precisely the same privacy problems as the regulators.
It would seem Wikimedia is still violating the law as they keep Analytics data/data of users[0], but haven't yet pulled the Microsoft move of creating a separate EU company that the US-based entity has no control of.
"The CJEU had highlighted the risk that American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated."
A lot of this seems to be coming due to US regulations that compel US registered companies to hand over data from subsidiaries in Europe markets if asked by US intelligence and law enforcement agencies.
With these various data locality regulations, i wonder if a standard operating approach could be to split tech companies into 3 legal entities, a technology licensing company, a US registered operations company and a Europe registered operations company and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.
I think a lot of the big tech companies are very reluctant to split their operations inside/outside europe.
They gain big benefits by having a single pool of datacenters able to serve users from anywhere in the world. If they needed to guarantee that an EU user would always be served with a machine in the EU, I can imagine it would add at least 20% to their operating costs.
They'd need more equipment both inside and outside the EU to handle failover, maintanance, etc. They'd also have more complexity slowing development down (they can no longer have small services 'mastered' in just one region). And there is substantial extra complexity in application design (what when a tweet from an EU user is retweeted by a US user, but then replied to by an EU user. Where will the text of the tweet be stored? How will deletion be handled?).
For example, will HN have to have seperate databases for "comments by EU users" and "comments by US users"? And will they need a process to migrate your account from one to the other?
It's not only "a machine in the EU" . It's a company in the EU totally separated from the main company in the US to be out of the reach of the US government and legal system. Maybe the EU company could license software and knowledge from the US one, to keep sending a steady flow of cash there. But it's going to have its own goals and it will want to go its way soon. A hard problem IMHO.
When I hear arguments like this I always think about what it would be if we were to replace 'user data' with 'financial data'.
"It would be so easy if companies could just pay their taxes in one country. Think of how much they could scale their finance department."
The same applies for start ups : "book keeping is such a hassle for start ups, why impose that on them? All these financial regulations are really anti business".
Hah, it's a myth that Switzerland is so privacy oriented. They have laws saying that the Swiss intelligence services can access all data, so it wouldn't help.
Why tho?
Do you think German citizens have more privacy in Germany than in the US, where the US legislature clearly states that non US citizens have zero privacy rights whatsoever?
I don't think it's delusion, I think it is literally correct.
You gonna have to be a bit more specific than that.
When I think "Swiss", "Germany" and "government intelligence agencies" then the things that come to my mind are Crypto AG [0], how the BND started out as a CIA OP [1] and how the very same BND seems to be more interested in pleasing American interests than protecting Germans [2].
Which is btw the same BND who cooperates with the NSA [3] to help them tap directly into one of the world's largest IXP De-CIX, completely legal in Germany [4].
The US made sure of that by pressuring the West German government into watering down the G-10 law [5] during the cold war.
So whatever "delusions" you are referring there to, you have to be a bit more concrete about them.
Right now, the data sits where it “loses” the least amount of money (I.e. where it is most efficiently spaced). If we start arbitrarily forcing companies to move their data elsewhere, then they’ll incur serious costs without any real benefit.
I’d almost rather just give a French company control over some section of the US warehouse if I’m Amazon.
The point is more nuanced: The problem is not the handing over (happens here too), but the fact EU citizens do not get informed this has happend and have no legal way to challenge this (especially concerning FISA/FISC). They have the opportunity to do so in the EU.
Yes, this is what will happen with a setup of 3 entities, b/c FANG will not want to miss EU revenue.
Right but the solution is for there to be a treaty between the US and the EU that allows for this. Putting the burden on every foreign company to duplicate their infrastructure is stupid work to solve a human problem.
Mark one for another American conundrum: having so much distrust for "the man" while at the same time being completely oblivious to the amount of personal data being skimmed off their daily activities. But it's all to guarantee Freedom™ so it must be ok?
Much of the Constitution in the US was written by people who wanted corporations to do whatever they wanted and no government can intervene. You see a lot of this philosophy still living today in rulings and precedent.
There is no different solution. The EU tried twice to build this kind of solution and EU courts have shot it down twice with the argument that in the face of no legal representation of EU citizens in the US it is not possible.
So the US needs to move here or it can not happen.
The only problem that I see is that it's hard(er) for US companies to collect data about EU customers. That's hardly a problem for the EU customers; they can just buy from EU importers (if there's no equivalent EU product) or rely on EU service providers.
Treaties are not necessarily worth much these days, when the next populist can just pull out unilaterally, or decide that following international law is for chumps.
We already had two (I don't remember the order, but they were called Privacy Shield and Safe Harbour) and somehow US and US companies "forgot" to upheld their part in any meaningiful way, so there's some mistrust on the whole idea at the moment...
Both were illegal because they did not address the core issue. The EU commission (representing EU country governments) is more business driven and wants it to work, so they created Safe Harbour etc. They also drove the standard clauses which are illegal too (or better: If as an EU company you sign them, it's your responsibility to make sure the US three letter agencies do not access the data of your customers, good luck with that).
The EU parliament have the people in mind, so they don't think it works and drove the GDPR. The EU courts look at the law and see it's not possible to create contracts, so shot down Safe Harbour and Privacy Shields. The EU courts say standard clauses could work in principle, but see above.
I'm not sure such split would require sub-companies to be public, they could likely be private, owned by a single publicly traded US company. Tech companies already have many subsidiaries in countries that they have offices in, for example employees in European countries are not employed by a US company, but a subsidiary which is not publicly traded.
They already have EU subsidiaries. The problem seems to be that US laws seem to be able to compel US based parent companies to hand over data from their overseas subsidiaries.
If you make it a EU based public company and give control to your own shareholders, it's no longer a subsidiary and your shareholders are holding shares in a European company.
The EU part cannot be owned by the US entity since the US government can compel the US mother company to have it's subsidiary hand over data.
In fact this is how most of the companies operate already to cheat on taxes.
The way microsoft did it for a while here in Norway was to license azure cloud stuff to a sub operator (EVRY) that is completely insulated except for the licensing agreement.
To fall out of scope of the CLOUD act, the subsidiary needs to be independent and prevent any data access by its holding company. The holding company can in no way have "possession, custody or control", which are not well defined so that doesn't make it easier to assess if a subsidiary is out of scope.
So is it likely the European Commission did this in an attempt to block US companies from offering internet services to the EU (or at least, internet services that handle user info)? It's pretty hard to make a profit or operate in the EU if you literally can't control that entity.
> So is it likely the European Commission did this in an attempt to block US companies from offering internet services to the EU
More like the European Commission did this in an attempt to protect European citizens from having their personal data exfiltrated against their will to the US on order of US law enforcement agencies.
Schrems II (and the Privacy Shield invalidation) has been in response to the aggressive data collection by the US government, and the extra-territorial nature of legislation used to achieve this. The US is able regain access to the EU market by repealing/changing CLOUD act and similar legislation, so I personally don't think this is (primarily) done to block US companies. However I am not the one implementing these rulings, so the best I can is speculate.
It seems pretty hard to think the US will drop the legislation every 3-letter-agency had wished for over the decades before it became law. The only thing I can imagine that actually gets the law changed is if the EU heavily invests in prosecuting these cases, to the point that tons of US companies worry they'll lose access to the EU market (with non-negligible fines to back up the law).
No, EU had an agreement with the US called Privacy shield that allowed US companies to process EU data. However this was struck down by US courts and that is what leaves us with this mess.
> However this was struck down by US courts and that is what leaves us with this mess.
According to Wikipedia, it was struck down by the CJEU, not by a US court:
"The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping."
> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have it's subsidiary hand over data.
As it stands, the US part can be owned by a EU company. Or, probably more realistically, both EU and US parts could be owned by a mail box in the Caimans.
> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have it's subsidiary hand over data.
Is this true for ownership by individuals too?
If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?
> Another way to be compliant is to not collect PII.
The GDPR extends far beyond the US notion of PII. As I understand it, it covers basically all user-submitted or user-related data if it's possible for that data to be hypothetically tied to an individual in the EU (even if that can be done without your service holding traditional PII).
> As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.
Yeah, a federal agent with a wrench can do anything they want to me (https://xkcd.com/538/), but I'm trying to figure out my options.
It includes IP address... the fundamental glue that makes routing to and from said servers possible. Good luck being able to resolve web requests without knowing where to send the response.
IP address is both personally-identifying information and also technically required to provide computational service.
Just like your name is personally-identifying information and (usually) required to provide medical service.
But being required for service doesn't automatically mean that it can be shared with third parties. You can't share names with third parties. Why would you share IP addresses?
A name is not a requirement to render medical service, so I don't see how that example is relevant. A practioner is capable of treating patients without knowing their name. Laws may compel them to keep track of that data, but it's not strictly necessary.
And the act of connecting to a server hosted in another jurisdiction (e.g. America) would require sharing your IP. This could be directly (the entire web service hosted in the USA), or indirectly (some of the web service's assets are hosted in the USA).
If you put a CDN in-front of your web service, then that CDN will most likely be sharing your IP with the host server too. Especially if the web service wants to do something non-cacheable that they can't offer from behind the CDN.
There are many (!) types of medical treatments. Some require multiple visits. A medical practitioner needs some way to ensure that progress is maintained across multiple visits.
The internet has multiple visits too. They're just called packets instead.
If someone is running a global web site and wants analytics, which of the 2 entities, or both, would he reference in HTML? Even if we're going to region-lock Europe to the European Analytics servers, analytics today often involves some computation done over the entire data set, including both US and the EU, done on the backend. Which backend would that be?
The privacy aspect has become something of a "think of the children" reason for a sort of "Internet xenophobia", as well as creating huge barriers to entry for small companies which cannot comply.
It's easy to do things online as a company of any size, post-GDPR: Don't scrape user data. Done - no compliance required, because the law is not about you in that case.
I've read most of the EU rulings and court cases on this topic. The CLOUD Act is basically the only US law that any of them mention or refer to.
And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.
The point of the CLOUD Act was to say that if you are a company in the US you can't ignore an order to turn over a copy of data you control just because you happen to have stored that data with a third party storage provider that is not in the US.
It doesn't matter that the third party storage provider is not under US jurisdiction because the US government isn't trying to compel the third party storage provider to do anything. They are trying to compel the US company to access its own documents that it stored with that third party, using the same mechanisms the US company normally uses when it wants to access its data.
From the third party storage provider point of view there is no difference between the US company retrieving the data because it wants to do something with it itself or the US company retrieving the data because they are being compelled to by law enforcement.
This is really just clarifying that the rules for electronic documents are not very different from the rules for physical documents. If I am in the US and own a document that a US court orders me to produce a copy of I'm not going to be able to get out of that by telling them that the document is in a filing cabinet in a storage unit I rent in Canada or Mexico. No, they are going to order me to either go get that document or have someone go get it for me and give it to the court.
If it didn't work this way every US company that has any documents they think might get them in trouble if they are ever investigated would rent some storage space outside the US, physical space if the documents are on paper and cloud storage space if they are electronic, and store everything there. Boeing for instance would have all its information about the 737 MAX outside of the US. Tesla would have everything related to full self-driving outside the US. Everyone would keep HR records outside the US to make it harder for plaintiffs if the company is ever sued over alleged discrimination.
There's a critical nuance that you're ignoring, which is whose data is being stored. In the incident in question, it wasn't Microsoft's data. It was the data of a customer of Microsoft. You're treating several different scenarios as "data controlled by Microsoft," but there are sharp distinctions between Microsoft's own HR records, vs an email belonging to one of Microsoft's customers.
US law doesn't distinguish these scenarios very much because of the Third Party Doctrine, where data given to a third party has no expectation of privacy. But this is a view rather particular to the US not shared by much of the rest of the world, and certainly not by GDPR (or its predecessors). One way or another, the CLOUD Act is still basically saying that US legal doctrine applies to data stored in other jurisdictions. And GDPR is stating, correctly, that this doctrine is not compatible with EU data privacy obligations. EU policy is very much the opposite of the Third Party Doctrine (and the winds are slowly turning against it in the US as well), and third-party data controllers have positive obligations to safeguard the privacy of data given to them.
Given this scenario, I don't see the nightmare scenario you're posing actually manifesting. EU data protection laws do nothing to curtail Microsoft handing over Microsoft's data. There's just data that Microsoft physically stores which they is not legally theirs.
Is the CNIL actually starting to do its job? Since the early 2000's they were doing literally nothing against the many crimes against users committed by big tech. In the past few years though they started to distribute fines when the law was obviously and willingly broken (eg. Google)... did they suddenly start to care for users? or do they care that they can fill the pockets of the government (who doesn't dare to tax those evil multinationals) while making it look like they care for users?
I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. For their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.
Not sure why you're being downvoted. People from such non-profits were key to european institutions developing a proper understanding of the problem space, which directly led to GDPR legislation.
If you're rich enough, be sure to donate some money to LQDN/EFF and others to protect human rights in the digital realm.
> I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data
> Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity
Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...
In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.
⁽⁰⁾ French data retention laws are illegal by european standards.
Google Analytics is the best analytics tool out there.
By getting their companies off GA, European governments are weakening their industry.
This probably holds true for many SAAS products. Many of the best are from the USA. Forbidding European companies to use them is a desaster for the European internet industry.
Google Analytics is hugely overrated. Most people don't use it properly, many browsers block it entirely, and you can usually do a better job just by looking at server logs.
Saying so just tells me that you never been analyzing and optimizing websites with millions of users. Websites on which a whole company depends on. It would be a crazy approach to try and do it via server logs.
Actually, there are some nice tools (e.g. GoAccess) that produce pretty graphs. The vast majority of people just want pretty graphs; the more fancy data Google Analytics produces is nowhere near as accurate as the number of trailing non-zero digits would have you believe.
Depending on your userbase, the regular traffic data can be off by significant proportions. I've seen pages where the number of logged-in interactions are higher than the number of Google Analytics hits.
> and you can usually do a better job just by looking at server logs
Yes, if you only want to count visits and don't have a problem having all bot traffic included. For everything a bit more advanced you need a proper analytics tool.
Filtering out bot traffic is easy enough with server logs. A self-hosted JavaScript analytics tool gives you more data, but Google Analytics filters out Firefox users too; contrary to ReCAPTCHA's apparent beliefs, Firefox users are mostly not bots.
There are many niche systems that fit specific purposes. Sure GA can benefit from scale and existing profiles with user data gatherer in other context, which a self-hosted solution would not have acces to. But does it address every need better than specific systems? And is the added benefit worth sacrificing your users' data to google?
I think the main thing is not to send your customers' data to third-parties without their consent. It's usually fine if you use internally analytics for the purpose of running the company, it's not fine if you send those data to other companies that use it for marketing purposes.
Isn't it? Isn't the problem that the data is sent to a third-party service outside EU (in the US) that doesn't offer the same data-protection rules as EU?
I don't get your point, are you saying that the solution as webmaster is NOT to use a self-hosted solution, but to just sit and blame the EU/US legislation?
Shameless plug: I have been building a self-hosted-only analytics platform for a long time: https://www.uxwizz.com. It looks like a good time to switch to self-hosted analytics.
Is it really such a rare occurrence for people to want to see statistics for a specific page or compare pages/articles? Because almost all new-wave analytics tools either do not support it, or it’s hidden and not easily discoverable.
Are you referring to stats such as time-spent on a specific page?
From my experience, there are several thousands of people/companies using UXWizz and so far no one has requested this feature yet.
But now that you mentioned, it seems like a pretty useful feature, especially if you can see top performing pages/articles.
I think one reason why people don't care about the specific analytics for a page is that they usually write pages/articles for SEO purposes. To see how well a page is performing SEO-wise, you usually go to Google Search Console (or Bing Webmasters) and see search terms/click-through-rates for that page.
Also, time spent on a specific page is not that useful, typically you want to see: if people are buying stuff, where do people that buy stuff come from and what page do they land on.
General information. How many views/visitors over time, referrers, etc.
I did try to click on the top page lists, but those weren’t links. I found "Add segment" eventually, but at least on the demo page it’s not working (for the pages I tried, eventually I found a page with stats), and the interface is atrocious [0] for finding anything and breaks the site [1].
Our website is not posting articles to get people to buy other stuff, but the actual main part of the website (articles, and free or paid product tests; money is made both by selling tests and ads, with the ads not just being generic but specifically bought by companies with often contextual targeting). So my boss usually wants to know what articles do well (and not just from SE’s, we have a lot of repeat visitors), how soon interest drops, etc.
I will add the per-page stats to the Roadmap, as I think it's a useful feature.
I agree, the UI can be greatly improved, and it is something that I will be working on soon, especially making sure all the edge-cases are covered.
Regarding the screenshots, the long page-name indeed breaks the UI, but normally you wouldn't search for a specific page including all the query parameters, you would add something like "/pricing*" (so it matches all visitors that visited the pricing page, regardless of the query parameters). I am still not sure whether I should separate query parameters from URL path, I did consider it but many pages use query parameters to display a different page/content (e.g. /article?id=5, where changing the id of the article leads to a completely different page, maybe I could by default exclude all query parameters and then have the option to keep custom an allow-list).
Could you list a few of the per-page stats that you would want to see? I can only think of time-spent, which I think I could simply display in the top pages list.
You can already see sessions count for a specific page using the current segment feature, just add that page name to a new segment, and you can see the count of sessions that saw that page and the referrer (for that specific visitor though, not necessarily that specific page).
To talk about UXWizz specifically, I try to implement only core stats (to not bloat the platform). But because you have access to the MySQL database directly, you can always create your own graphs on top of it or run a query to find the time spent on a specific page.
To give a concrete example, a such query would be, which would show all pages and the average time-on-page, ordered descending by time:
SELECT MIN(page), AVG(TIME_TO_SEC(timediff(last_activity, date))) as avg_time
FROM ust_clientpage
GROUP by page_hash
ORDER BY avg_time DESC;
I contacted them approximately 4 years ago to denounce the developers of TrackMania that don't hash passwords [1]. I have not received an answer since, and I bet they do not even care. I'm sure they are a bunch of hypocrites and now that they've realized they can make a lot of money randomly fining Big Tech, this is just what they're going to do.
[1]: If you clicked on "Password forgotten" on the log in page, they'd just send you your password unencrypted by email.
I've contacted them twice pre-GDRP era, about unsubscribe links not having any effect on some spam emails from French companies, and both time they took actions against the company and reported back to me.
It took some times but they acted on every cases, no matter the company size, I was actually impressed.
That would count clicks, not conversions such as downloads or signups that can require going on another page or doing some other action. Not everything can be put on one page.
Also, Google Adwords counts conversions for visits for 30 days. Which means on the 1st visit from the ad campaign, there can be no immediate conversion (and that's OK). But if the same person returns to the website (not from the ad) and downloads/signs up that would be counted as conversion attributed to the ad.
AFAIK, this could be pretty disastrous for French businesses that funnel conversion data to Google Analytics, which is then used to optimize their Google Search ads.
Switching to another solution for analytics might be ok, but losing the ability to automatically optimize ads based on conversion data is a big pain.
Well, in regards to what the OP said, this whole "we need to track our users" stuff is bullshit. I see those "highly optimized" campaigns too, when something goes wrong and the SEA people start to cry because somebody stepped in their sand castle.
Because FB is a company on the edge of collapsing.
They aren't innovative, the market is saturated, new users in developing countries are not worth as much as those from "first world countries".
As the users in first world countries are getting more and more aware of all the privacy issues, how FB fails to keep their platforms clean (either from spam or fake news) and other companies starting to like the taste of being valued as "privacy-friendly", the business model of FB is starting to crumble.
They have long only made (more) money because they found more ways to put together all the bits and pieces and breadcrumbs and build profiles they could sell to advertisers.
That age seems to be over (soon), so they are done, too.
That's a super interesting question. I suspect it is because Facebook dominates the market for advertising-that-tracks. They're just not as good as other players at advertising-that-doesn't-track.
So when they lost inventory (e.g. for retargetting), that is a direct loss of revenue for them. The question is, what did the company with the budget previously spent on those targetted adverts do instead? Did they buy less well targetted adverts elsewhere? Or up spend on offline marketing? The economic question is, how effective was that - more or less effective?
Obviously losing 10b dollars is bad for Facebook. It isn't clear that it is worse overall for ad spend, or economically.
This just reads like "local commenter says trillion dollar industry is a sham".
Targeted ads pay loads more than untargeted, and you're essentially saying all those companies paying more are in the wrong. Some campaigns even manage 10-25% click through conversions, when well enough targeted.
1,134 comments
[ 0.93 ms ] story [ 387 ms ] threadFrom the article: > "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarily."
I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.
And, as usual, fellow EU citizens, support NOYB work, if you care about data protection: https://noyb.eu/en/support-us
It's their responsibility to include or not google analytics, though.
https://support.google.com/analytics/answer/2763052?hl=en
>In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
Google are the ones spying. The aggregate put on GA dashboard are a minute of the personal info they collect.
1. Legal: It's the site owners integrating GA and therefore taking on the liabilities just like they do with every other supplier. When a part in your car fails immediately after you bought it, it's the manufacturers job to fix it even if they acquired the parts from a third party (e.g. Bosch).
2. Practical: A website 100% located in France and catering to 100% french customers is much more likely to fix the problem than the international anonymous machine that is Google.
And the manufacturer can go after Bosch, who is responsible in the end.
> than the international anonymous machine that is Google.
Except the law applies to Europe as a whole, and it's really not that much to ask one of the biggest technology companies in the world to use European servers and anonymize European traffic by default. They just don't want to or don't care. Which both should be reason enough to stronger regulate them.
I think we will see a two pronged approach to the Problem.
On the EU level, the commission and the states will engage Google directly while on a national level individual companies will be "encouraged" to find alternatives.
Uber, Google etc really wants this to be true.
However, it is trivial for a nation state to shut down Google's commercial interest in the country.
Just have the police lock the door to their office and blacklist a bank account or two. If doing business with Google becomes illegal, they will lose almost all revenue except some indirect shell company ads.
Seems way less work to make Google compliant than to figure out which sites in French are actually French jurisdiction.
IMO we should break away Google entirely and trial their execs for crimes against humanity. They're cooperating with USA, China, Saudi Arabia... by helping murderous regimes deploy their techno-police, how many million people have they helped imprison/murder?
Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.
Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
What percentage of the general population do you estimate a) will know enough to want to do this and b) will know how to do it?
My kids cannot opt out of Microsoft Teams - it’s a school requirement. People applying for jobs are gonna have to apply online these days.
Got a grandmother?
If Google can't protect user's tracking data (and they can't - the US law won't let them) then they shouldn't be allowed to hold it.
Also by the EU users losing access to ad-supported free services.
EU bureaucrats are effectively prescribing how the web should work for everyone. Ridiculous.
Says who?! I have zero problems sending my private data to the US. I did it for years and I still think is one of the better places to send my private data to. Definitely better than my own country.
And why the heck would I want to give my data to a bunch of random companies? What's the benefit in it for me, anyway?
Free content and services. What do you lose in exchange?
> Free content and services. What do you lose in exchange?
Privacy. What I do shouldn't really be anybody else's business.
An ad-targeted web. IMO ads are a plague on useful content, because everything is about getting views and clicks. This makes actual content less useful and more annoying to consume. It incentivizes posting low effort, watered down content rather than smaller amounts of great content. It also means content creators are trying to please the advertiser, and not me.
Risk of manipulation. Lots of effort has gone into figuring out how to best manipulate people, and when you know who somebody is and how to best tailor any given message to them, you can get pretty far. I'm quite sure that I also have buttons that can be pushed if somebody knows how, and I don't particularly like the thought of that.
But a fundamental issue with freedom is that sometimes freedoms conflict with each other. Here the freedom to do whatever you want conflicts with the right to privacy of others and the EU has decided that in this instance the right to privace takes precedence.
I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.
The EU politicians unilaterally decided to steal these freedoms from all EU citizens.
The right to privacy is not a freedom. I am not sure it's even a real right. But it was easily accessible even before the current privacy laws, even if it needed a little technical competence. It wasn't the default though. And the current laws do not provide me the privacy I actually need: from EU government(s).
Those companies are free to not to do business wit you but it is not the EU privacy laws making that decision. Those companies can provide their service in a privacy-respecting way and many will - the EU is not a small market to give up on. You can also use a VPN.
> I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.
You think users should need to be technically competent to block cookies but don't want to be technically competent to install an extension like https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...
And don't forget that hose consent popups are likely specifically designed to be annoying in order to get you mad at the privacy laws. Don't fall for it - the EU privacy laws do not required websites to be user-unfriendly.
> The EU politicians unilaterally decided to steal these freedoms from all EU citizens.
I am not going to pretend the EU is a perfect democracy, but ultimately, those decisions are made by those elected by the peole - directly or indirectly.
> The right to privacy is not a freedom. I am not sure it's even a real right.
It is a real right that has historically been enforced in many EU countries. The recent laws do nothing more than update that enforcement to the digital age.
> But it was easily accessible even before the current privacy laws, even if it needed a little technical competence.
No, it really wasn't. You can block cookies but you cannot stop companies from tracking you via the 10 million other ways they have available or to trade information about you with third parties. You cannot use technical means to find out what information companies have collected about you. You cannot use technical means to compel companies to delete information they have already collected. THAT is why we have new laws.
Good for Europe, they are just going to law themselves out of the internet. Up to the point were your ISP doing hops to send your TCP packet will be illegal unless you approve them sharing that info with all the shops.
/s
I feel for my European brothers and sisters these days. As an American, I hardly ever see these banners. Went to an EU country for work and... Holy cow. Y'all get these banners every site. How do you tolerate it?
Thanks to GDPR, we have a much more private web. /s
Yes, I think we're in a vastly better place, where there is a cost to doing bad things.
(Also, the GDPR is not responsible for cookie banners)
The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.
And now the regulators are responding to it.[0]
[0] https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europe...
The predictable outcome from that ruling is a decentralized solution: a few libraries attempting to build frameworks that are compliant, everyone implementing their own one-off versions of permission-granting and cookie consent using those frmeworks as a basis, and the Authority chasing mom-and-pop sites that are out of compliance until the sun goes cold.
In a sense, that may satisfy the goals: the data will be decentralized, stored widely, and harder to aggregate. On the other hand, what we learned from the virus era and the Windows OS monoculture is thousands of nodes running the same software (but not centrally maintained; maintained by people who have a job other than maintaining a website and are therefore slow to patch security holes) will be vulnerable to scripted attacks against frameworks.
My prediction is a net increase in stolen PII and, while individual site-runners will get screwed, the number of sites collecting the data won't go down. It's just too valuable, and the odds you will get hit by a hacker are too low.
In any case, it'll be a hell of a ride.
Collect people's data (and that's what a user analytics system does) and then you're responsible for it, and you have to follow the rules.
Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.
192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"
Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.
However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.
[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...
I, for one, would not like to argue this in court. I heard many lawyers advising against storing IP addresses.
And yes, long-term analytics are a no-no. So good luck comparing your website performance year to year or even detecting seasonality.
But if you want to contribute to a privacy-violating network that tracks individual users, then that goes far beyond wanting "just to put up a website somewhere".
They are only tryin to keep their monopoly on government oversight which is reasonable for a governing body (our citizens = our control).
... you also have to ask for permission first.
The main difference is that for a data processor in France it seems possible to get all the right contracts in place, while a US based data processor is incapable of doing that thanks to FISA and similar US initiatives.
While that's not the issue being discussed here, you should by default only collect & process the minimum amount of data needed for the product/service to function. Analytics aren't part of that and would need to be opt-in.
Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.
There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.
https://law.stackexchange.com/questions/42438/do-default-apa...
It would appear public IP addresses are PII. Apache (and most web servers) log those by default.
A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).
I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.
In addition, that there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be be a more solid case [1].
[0] https://www.whitecase.com/publications/alert/court-confirms-...
[1] https://law.stackexchange.com/questions/28603/how-to-satisfy...
Do virtually any business that involves user registration at some point, and now you need to be sure that you're compliant with all those rules, spending limited resources on that to avoid ridiculous fines.
It benefits only the big players who has lawyers to know exactly what to do and not, and a nightmare for anyone who tries to grow a small business or have a small website.
It's exactly the opposite.
It forces technology to be developed in a way that protects human rights (specifically the right to privacy).
Innovation is not automatically good if you're innovating in the wrong direction. Think of it as a vector, not a scalar.
"Hey Google and Facebook is doing so well let's make harder for everyone using their services."
I neither have sympathy for those companies and never been to US, but adter all these GDPR regulations I actually started to sympathize.
If someone pointed a gun and forced me to go to a website, enter my personal data and give my data to trackers that would be something else (still not website's fault but anyway).
I have a collection of small, US-focused websites.
I'm investigating low-effort ways to geo-fence the EU. At some point it just becomes easier to ban Europeans, rather than keep up with whatever they'll come up with next. I saw in this thread that the Google fonts on my website are now a problem as well!? That's the first I heard of it.
This is the perfect example of why government oversight is needed. You run a bunch of websites and aren’t aware that you are inadvertently involved in violating the privacy of the people who visit your sites. How are non-technical people supposed to deal with this?
A bureaucrat on the other side of the planet comes to a conclusion and I, who never voted for this person or knew about their existence, am legally bound by their decision.
On pain of who knows what fines or penalties. I’m nearly overwhelmed by the amount of work on my core product, I can’t add “keep up with European legal opinion” to my todo list as well.
As I said, it’s simpler to just geofence everything.
If anything, EU competitors to Google Analytics are at a _disadvantage_ because they can't apply the same lassaiz-faire techniques for US-based customers that US-based companies get away with.
I live in America.
> It's protectionism because your tech industry sucks.
I work for a FAANG, in America. "My" tech industry is doing fine, thank you very much. Nice try though.
The decision is here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62...
And it's all about warrantless surveillance.
"As regards the limits on intelligence activities, the referring court emphasises the fact that non-US persons are covered only by PPD‑28, which merely states that intelligence activities should be ‘as tailored as feasible’. On the basis of those findings, the referring court considers that the United States carries out mass processing of personal data without ensuring a level of protection essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter."
and
"As regards judicial protection, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to EU citizens."
So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.
Nothing about this stops that. Like I said to the other person this is protectionism. Requiring every US-based tech company to duplicate its infrastructure in the EU, Which in turn gives EU competitors an unfair advantage.
It's not GDPR making life harder for companies, it's the shadowy practices of businesses that are finally being brought to light.
Source: US Citizen, living in EU.
there are hundreds of alternatives to Google Analytics, developers/admin/companies should just choose wisely. That's what the GDPR is about: end of free lunch for everybody at the expenses of people's privacy, choose your shit carefully.
No, Germany is a big leader in the EU. They are very sensitive to issues around privacy, from the DDR era.
They don't want private corporations having DDR-like folders of information on citizens.
There is often no clear dividing line between government and corporations. You give one freedom to abuse privacy and it will be used by the other.
They regularly try to do this, as with working from home monitoring, or insurance companies profiling individuals.
Governments can also be governments in name only, see corporatocracism.
Comparing that with what governments can do with data gathered about me, I know which ones I want to be protected from. Unfortunately they are the ones writing privacy laws and they leave huge loopholes for themselves.
This harms companies, website owners trying to use services, and users (someone using my free site, I need to monetize it, targeted ads was a nice way, now I can't).
I see no upsides of actually protecting privacy.
This requires a level of access and technical skill which most people don’t have. If you have ever tried doing this, think about how many sites break because they have code which assumes GA calls always succeed and then ask what percentage of the population would be able to identify and work around those problems.
Yes, that's happening, and it's a good one. Privacy Shield was cancelled because of Schrems II. The US simply don't care (intentionally?) to protected any data of people not living in the US. With FISA (Foreign Intelligence Surveillance Act) or "Executive Order 12333" they can get every data they want, even silently. Disclosing that a company had to handover any data will get them prison time.
This is against the intention and protection the EU set for european people. So if a company is violating these terms, it's good to take action.
It didn't go that far. But when I saw people plastering Facebook like button everywhere I knew exactly what that meant. That one random corp now can know everything about everybody's behaviour everywhere.
Then Google put out Google analytics and I just switched my sites to this thing. I didn't mind all that much because it was Google and do no evil was still a thing.
But GDPR is something that reminds me of how ridiculous things we accepted as if they were normal just because they were technically feasible.
Imagine going into a travel agent to inquire about a flight. The moment you step through the door 50 people attach themselves to you. Some start recording your every action in a notebook, others flash torches in your eyes, two of them start showing you a video at the same time. And the rest follow you around holding up large ads. And they carry on following you around even after you leave the store!
And the current privacy laws in EU make the free services illegal. How is that any better than the scenario where paid services did not exist?
Free services may exist perfectly well:
- They must not invade privacy without obtaining consent
- They must not transfer personal information to jurisdictions with privacy controls which are too lax.
If a business relies on doing either of those two things, it deserves all the problems it has.
So much evil was done in the name of pretending to know what people want better than people themselves.
Seriously? People spend tons money and time to track users. If you want to be GDPR-compliant, simply don't save unnecessary userdata and if you still feel the urge to do so, give users the option to control it. It's that easy. Any problems you get from it are of your own making.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies
We created the GDPR, but then knee-capped it with safe harbor. Then Schrems sued and the courts dropped it, but the EU simply reinstated it under the name privacy shield. Then Shrems sued again and after having to have a legal battle again, it unsurprisingly turns out that it's still illegal. I can't see how you think of the EU as anything but overly lenient.
I'm not going into anyone's house and force them to give me their data, I'm collection anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
The problem is that we made collecting user data the easy task while ignoring privacy protection. The fact that Google spend billions to make spying easy does not mean it should be legal. And it's really easy to be compliant - don't collect data. You don't need it to host your website, you really don't.
> I'm not going into anyone's house and force them to give me their data, I'm collection anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
And you're absolutely free to ask people for consent for collecting their data or to simply block visitors from the European union. You can also not collect data or do so in compliance with the GDPR, by the way. All ways are perfectly viable.
But just because I opened a link in my browser does not mean I consent to anything - by that logic, ransomware is perfectly fine, because you visited their website and downloaded their software. This is ridiculous.
Apart from “a natural person in the course of a purely personal or household activity” I don’t know of any size exemptions.
Yes, you can always avoid the bad behavior of corporations by living in a tent in the wilderness. No, that doesn't mean we shouldn't regulate them.
So what ? The right to privacy is more important than a select few having an easier time doing business, end of story.
Google knew they were making an illegal business and still went ahead. IMO they should be charged for being a criminal ring defrauding small businesses for SEO as part of a global scheme... if not for helping genocidal regimes surveil/censor/imprison/murder their population as they have been doing for years.
Anyone who's concerned about salmonella, hormone levels or animal welfare, can just not buy any products that could potentially contain animal products from countries with weak animal welfare or sanitary laws. The rest is just making life of farmers/shops/wholesalers harder.
Especially with these European intentions, I frankly believe that one single country's laws should be universal and no other country may implement or enforce laws that protect their consumers. The onus to protect themselves from harm must lie with the individuals and governments should not dare inconvenience anyone just to protect their citizens' interests.
Well, of course, tech companies, especially Google, Facebook, Amazon (and this one doesn't even respect basic work and union regulations and rights) are getting out of hand, making their life harder (if not dismantling them) is the legislator's job.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies.
Again, yes, of course, so what ? The US (tech and government) has been prying on the rest of the world with its tech advance and has been using it to spy and gather data it could not get otherwise. France, the EU, are just defending their citizens' rights and their interests, especially economical, against another threat to civil liberties.
I doubt American companies wouldn't comply with American law, European law is no less important than the American one and I don't see a reason why we should be accommodating towards foreign businesses, especially, again, those of a country which is a threat. Big companies shouldn't serve as a model to follow.
A basic example: government of my country requested all data and payments to/from PayPal to be controlled by them, PayPal naturally rejected it, and they got banned from my country.
Now who is affected? Us! The whole world can use PayPal to send/receive money pretty much everywhere, but we can't.
These regulations and "needing to follow local rules" itself is alone a reason for a completely decentralized-countryless web to succeed.
The GDPR is not limited to the internet. So say you go to make a blood test to check your health, GDPR will apply there too, you don't need to go with a fake ID and with a mark on your face, the law protects you from greedy companies so you and your family don't have to use weird workarounds to protect yourself.
IMO it's the other way round: data collection and lack of respect for privacy got out of hand and has been like that for a long time now. It's finally coming under control, albeit slowly. This is not the end of it. And I'm super happy about GDPR.
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.
Why is it on the victims to protect themselves against illegal practices? We have courts and authorities for a reason.
If it stopped at Google, this would be easy. But GA is just tip of the iceburger.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
I don't believe that at all. But ultimately what I believe does not matter. I'm just happy that right to privacy online is finally becoming a thing.
You might say that it's up to the UK government to fix that, and I agree, but as an individual with no direct influence on the implementation of this service, it's also clearly not the case currently that:
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains
Or at least, they can, but they may be excluded from civic services they are entitled to avail themselves of, which their taxes go towards paying for.
I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?
1: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-anal...
It doesn't have the goal conversion metrics and other advanced features of GA, so obviously not a drop-in replacement for all use cases.
https://www.goatcounter.com/
We even disabled the cookie based tracking inside Matomo at the cost of not linking different visit sessions. Same session visits are fully tracked though. Saves us a cookie warning.
Based on an open issue[0], it's suggested to run a server with 32GB+ of memory to handle hosting Clickhouse but that would mean self hosting Plausible would end up being $160 / month on DigitalOcean which would make it 10x more expensive than hosting my custom app that I want to see analytics for.
I know you can use less memory but it sounds like using less can result in an unpredictable environment where everything can stop working at any given moment depending on what Clickhouse wants to do. This happened to someone who replied in that issue. Their production set up stopped working because it ran out of memory.
Someone else wrote about it using close to 8GB of disk space to track ~8k page views at https://cyberhost.uk/plausible-3-month-review/. That was only written back in March 2021 too. They said they are going to look for an alternative solution because the the storage costs are too high.
[0]: https://github.com/plausible/docs/issues/67
[0]: https://render.com
The production environment that crashed due to Clickhouse OOM was our hosted product a while ago :) After that, we haven't had any downtime on our Clickhouse DB for over a year.
The issue with disk space stems from a bad default configuration. Clickhouse used to have EXTREMELY noisy debug level logging enabled by default with no rotation. This has been fixed in our hosting repo[1] so you get sensible defaults.
If you don't want to worry about downtime, planning disk space or compute capacity, then that's exactly what we offer at https://plausible.io. We process and keep the visitor data on our Hetzner servers in Germany.
1. https://github.com/plausible/hosting
Google has made sure that analytics for Google Ads works best within their own walled garden. Same with Facebook and Twitter with their Pixel products.
Instead of using the Referer header or utm parameters as intended, these large corps send obtuse random IDs (gclid, t.co/<id> links) which only they can correlate to an ad, search query or tweet using their internal database.
So until there is anti-trust action in this space towards more oppenness and competition, you're stuck with the ad provider if you want tight integration between ads and analytics.
Is the EU going to drag them all into court?
This is like saying you never jay walk because you want to avoid the legal hot water. The water isn’t even lukewarm!
> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.
So, if you feel brave you can challenge some courts on this.
Why would they need to? Just hand out fines, like you do with traffic tickets, no courts required.
No. What is the EU going to do, besides nothing? If you do business in the EU they will take your business away, and if you don't there's nothing they can do. I'm sure we all break some foreign countries laws every day and there's nothing they can do about it.
I do expect fines to be handed to EU companies and I expect them to pay them though.
> I would venture most of the internet is not hosted in the EU
Most content isn't made in the US, and the US somehow still forced its copyright system on the world.
Not the EU itself... but your competitors, who can not just complain at your respective data protection agency but also file for c&d letters, court injunction orders or penalties.
I'm now wondering if I can scale this for profit.
People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.
Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.
I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).
> I don't have enough info to identify a unique user
If it is not user identifying information, then it should not be an issue.
No privacy issues to worry about using trackers.
[0]: https://stackdiary.com/open-source-analytics/
It is not really a replacement for GA though, it collects much less data. We've decided it is enough for us.
[0] - https://umami.is/
Well... if you self-host Piwik or Matomo, you're relatively safe and you can avoid a lot of the bureaucracy bullshit that you'd have with external services.
However, check with a lawyer before setting it up, and definitely get user consent for detailed tracking. There are basically two camps of thought how much is allowed without explicit user consent: the more strict camp (which I belong to) believes that it is illegal to even use technically required data (like IP address, browser agent, date/time of visit, URL/query parameters) for analytics of any kind. The other camp is more relaxed and believes that it is OK to conduct basic analytics on that data (justified as "legitimate interest" of the site operator to provide a good experience to the user), but don't set anything like cookies or localStorage that could allow detailed tracking.
It is not yet clear by a supreme court decision which school of thought is going to win out - personally, I follow the requirement of data minimization per Art. 5 Nr. 1 lit c) EU-GDPR. Data that you do not have cannot be stolen, seized, abused or used as justification for fines, after all.
If the web-page's javascript ONLY stores and processes data stored in the client's localStorage to generate the local page, and sends nothing back to the server, so the web-site operator never sees that data, then is the web-site operator processing that data, or is it only the user-agent's operator ?
The web-site operator certainly wouldn't be a "data controller" since it isn't collecting or storing the data. And it's hard to see how the web-site operator would be a "data processor" in that circumstance.
Me: "Effectively, in my case, the user is adding 'post-it' notes of their own devising that remain 'sticky' so the next time they visit the same page they'll see their own notes - but those notes are never sent to the server"
Me: "It's effectively the same circumstance as a classical computer program being downloaded by the user, and then used (locally) to create/save files on their local device. In that case you wouldn't consider the author of the computer program to be the data controller, surely?"
ICO (Flynn): "Flynn: Okay that sounds reasonable." ICO (Flynn): "So if your product/service is not dependant on personal data and you are not processing it then you appear to not be captured by data protection legislation."
They're a US company, so you can't use their cloud service, but it's designed to be self-hosted and they have a list of EU cloud providers so you can do 100% EU-based self-hosting if you want: https://posthog.com/docs/self-host/deploy/hosting-in-eu
(I wonder why they need to collect analytics information for this page at all.)
In the EU/EEA or in a jurisdiction that has adequate level of data protection.
https://news.ycombinator.com/item?id=30135264
Unless your argument is "but how would they know about it", in which case that applies to any other crime.
This is a link I often check before traveling abroad regarding photography, and what is described is indeed illegal in France.
Wrong. Google Analytics (at least v3 by default) tracks IP addresses, which are considered personal information. [1]
[1] https://www.cookielawinfo.com/anonymize-ip-in-google-analyti...
In one of my previous jobs the marketing department complained about Google Analytics not working on one of our pages. GA hadn't been working for about 10 months when they raised the incident. It was such a low priority that it took another 4 months for someone to fix it.
While I get that someone people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?
How many marketing teams/sales teams/etc actually use ALL the information provided by these tools. Aren't there other better ways to measure your campaign and product performance? Do you just want to see time on site/page? Abandon rate? I mean, most of these tools feel like they concentrate the Western mentality of "I need an SUV because I might have to put in more than 2 bags in my car".
/endRant
Who are these people foaming about GDPR?
This is different from going on the site of your local company and feeding data into Google analytics involuntarily.
The relevant legislation is about whether or not you agree to data being collected and shared, and the issue is that US companies are essentially data funnels for NSA & co.
They are the same.
But if there's one thing we've learned from the GDPR, what matters is consumer perception, not the underlying tech. A web site isn't a browser.
My way of disagreeing is GA domains in the HOSTS file.
[0] https://metrica.yandex.com
Each jurisdiction is going to be slightly different, depending on what the law regarding data protection is like in each place.
Russia hasn't been deemed adequate by the Commission under the GDPR, but it is a member of the Council of Europe (and is thus bound by the ECHR) and it has ratified Convention 108 (and has signed, but not ratified, the modernised Convention 108).
Of course Russia is a deeply authoritarian regime which has no problem violating human rights and international treaties at will so...
It also happens that the CNIL is notoriously more and more lenient on a lot of things.
Yes I'm a bit pessimistic about this. Let's all hope I'm wrong.
[1] https://news.google.com/search?q=Cnil&hl=fr&gl=FR&ceid=FR%3A...
This other post has more comments: https://news.ycombinator.com/item?id=30284820
I love that the plaintiff in this case is the "NOYB Association", as in None Of Your Fucking Business, Google.
The organisation has been involved in nearly all of the last privacy related rulings in the EU and is a real blessing for consumer rights.
0: https://meta.wikimedia.org/wiki/Data_retention_guidelines
As an EU citizen: Thank you Mr. Snowden, sir! <3
With these various data locality regulations, i wonder if a standard operating approach could be to split tech companies into 3 legal entities, a technology licensing company, a US registered operations company and a Europe registered operations company and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.
They gain big benefits by having a single pool of datacenters able to serve users from anywhere in the world. If they needed to guarantee that an EU user would always be served with a machine in the EU, I can imagine it would add at least 20% to their operating costs.
They'd need more equipment both inside and outside the EU to handle failover, maintanance, etc. They'd also have more complexity slowing development down (they can no longer have small services 'mastered' in just one region). And there is substantial extra complexity in application design (what when a tweet from an EU user is retweeted by a US user, but then replied to by an EU user. Where will the text of the tweet be stored? How will deletion be handled?).
For example, will HN have to have seperate databases for "comments by EU users" and "comments by US users"? And will they need a process to migrate your account from one to the other?
Yes but they are even more reluctant to lose all EU revenue.
"It would be so easy if companies could just pay their taxes in one country. Think of how much they could scale their finance department."
The same applies for start ups : "book keeping is such a hassle for start ups, why impose that on them? All these financial regulations are really anti business".
Why is everybody working on the assumption that all this data has to sit in the US?
Keep it in a country with the strict-est possible privacy laws, say Switzerland, and noone would complain.
And Switzerland is not part of the EU.
I don't think it's delusion, I think it is literally correct.
When I think "Swiss", "Germany" and "government intelligence agencies" then the things that come to my mind are Crypto AG [0], how the BND started out as a CIA OP [1] and how the very same BND seems to be more interested in pleasing American interests than protecting Germans [2].
Which is btw the same BND who cooperates with the NSA [3] to help them tap directly into one of the world's largest IXP De-CIX, completely legal in Germany [4].
The US made sure of that by pressuring the West German government into watering down the G-10 law [5] during the cold war.
So whatever "delusions" you are referring there to, you have to be a bit more concrete about them.
[0] https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-ci...
[1] https://en.wikipedia.org/wiki/Gehlen_Organization
[2] https://en.wikipedia.org/wiki/ECHELON#Examples_of_industrial...
[3] https://en.wikipedia.org/wiki/Operation_Eikonal
[4] https://www.spiegel.de/netzwelt/netzpolitik/de-cix-betreiber...
[5] https://www.europarl.europa.eu/document/activities/cont/2014...
I’d almost rather just give a French company control over some section of the US warehouse if I’m Amazon.
Yes, this is what will happen with a setup of 3 entities, b/c FANG will not want to miss EU revenue.
So the US needs to move here or it can not happen.
The only problem that I see is that it's hard(er) for US companies to collect data about EU customers. That's hardly a problem for the EU customers; they can just buy from EU importers (if there's no equivalent EU product) or rely on EU service providers.
I don't really see a problem.
Incompatible laws problem
Basically the US can’t be trusted to keep its word, so why make it easy for US companies to operate in Europe?
The EU parliament have the people in mind, so they don't think it works and drove the GDPR. The EU courts look at the law and see it's not possible to create contracts, so shot down Safe Harbour and Privacy Shields. The EU courts say standard clauses could work in principle, but see above.
If you make it a EU based public company and give control to your own shareholders, it's no longer a subsidiary and your shareholders are holding shares in a European company.
In fact this is how most of the companies operate already to cheat on taxes.
The way microsoft did it for a while here in Norway was to license azure cloud stuff to a sub operator (EVRY) that is completely insulated except for the licensing agreement.
E.g. Amazon already bills me through some Norwegian entity of some kind, to get VAT done right etc.
If they had servers in Norway, I suppose it would have been possible to proxy everything - not just billing - in AWS Norway through this sub operator?
https://jnslp.com/wp-content/uploads/2020/05/Defining-the-Sc...
More like the European Commission did this in an attempt to protect European citizens from having their personal data exfiltrated against their will to the US on order of US law enforcement agencies.
According to Wikipedia, it was struck down by the CJEU, not by a US court:
"The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping."
https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield#L...
[1]: https://nextcloud.com/blog/microsoft-and-telekom-no-longer-o...
As it stands, the US part can be owned by a EU company. Or, probably more realistically, both EU and US parts could be owned by a mail box in the Caimans.
Is this true for ownership by individuals too?
If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?
As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.
Another way to be compliant is to not collect PII.
The GDPR extends far beyond the US notion of PII. As I understand it, it covers basically all user-submitted or user-related data if it's possible for that data to be hypothetically tied to an individual in the EU (even if that can be done without your service holding traditional PII).
> As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.
Yeah, a federal agent with a wrench can do anything they want to me (https://xkcd.com/538/), but I'm trying to figure out my options.
That's a good thing. The US notion of PII is ridiculously naive.
Just like your name is personally-identifying information and (usually) required to provide medical service.
But being required for service doesn't automatically mean that it can be shared with third parties. You can't share names with third parties. Why would you share IP addresses?
And the act of connecting to a server hosted in another jurisdiction (e.g. America) would require sharing your IP. This could be directly (the entire web service hosted in the USA), or indirectly (some of the web service's assets are hosted in the USA).
If you put a CDN in-front of your web service, then that CDN will most likely be sharing your IP with the host server too. Especially if the web service wants to do something non-cacheable that they can't offer from behind the CDN.
The internet has multiple visits too. They're just called packets instead.
If someone is running a global web site and wants analytics, which of the 2 entities, or both, would he reference in HTML? Even if we're going to region-lock Europe to the European Analytics servers, analytics today often involves some computation done over the entire data set, including both US and the EU, done on the backend. Which backend would that be?
The privacy aspect has become something of a "think of the children" reason for a sort of "Internet xenophobia", as well as creating huge barriers to entry for small companies which cannot comply.
It's easy to do things online as a company of any size, post-GDPR: Don't scrape user data. Done - no compliance required, because the law is not about you in that case.
And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.
It doesn't matter that the third party storage provider is not under US jurisdiction because the US government isn't trying to compel the third party storage provider to do anything. They are trying to compel the US company to access its own documents that it stored with that third party, using the same mechanisms the US company normally uses when it wants to access its data.
From the third party storage provider point of view there is no difference between the US company retrieving the data because it wants to do something with it itself or the US company retrieving the data because they are being compelled to by law enforcement.
This is really just clarifying that the rules for electronic documents are not very different from the rules for physical documents. If I am in the US and own a document that a US court orders me to produce a copy of I'm not going to be able to get out of that by telling them that the document is in a filing cabinet in a storage unit I rent in Canada or Mexico. No, they are going to order me to either go get that document or have someone go get it for me and give it to the court.
If it didn't work this way every US company that has any documents they think might get them in trouble if they are ever investigated would rent some storage space outside the US, physical space if the documents are on paper and cloud storage space if they are electronic, and store everything there. Boeing for instance would have all its information about the 737 MAX outside of the US. Tesla would have everything related to full self-driving outside the US. Everyone would keep HR records outside the US to make it harder for plaintiffs if the company is ever sued over alleged discrimination.
US law doesn't distinguish these scenarios very much because of the Third Party Doctrine, where data given to a third party has no expectation of privacy. But this is a view rather particular to the US not shared by much of the rest of the world, and certainly not by GDPR (or its predecessors). One way or another, the CLOUD Act is still basically saying that US legal doctrine applies to data stored in other jurisdictions. And GDPR is stating, correctly, that this doctrine is not compatible with EU data privacy obligations. EU policy is very much the opposite of the Third Party Doctrine (and the winds are slowly turning against it in the US as well), and third-party data controllers have positive obligations to safeguard the privacy of data given to them.
Given this scenario, I don't see the nightmare scenario you're posing actually manifesting. EU data protection laws do nothing to curtail Microsoft handing over Microsoft's data. There's just data that Microsoft physically stores which they is not legally theirs.
I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. For their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.
IIRC, They got massive funding with GDPR
Quite the contrary, those associations have to survive on 'donations', and probably not very high salaries for their staff.
If you're rich enough, be sure to donate some money to LQDN/EFF and others to protect human rights in the digital realm.
We have a very different view of the CNIL.
Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity, eg: https://www.vie-publique.fr/en-bref/278140-drones-de-surveil...
They don't have political power in itself, but they do use what power they have enthusiastically.
Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...
In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.
⁽⁰⁾ French data retention laws are illegal by european standards.
By getting their companies off GA, European governments are weakening their industry.
This probably holds true for many SAAS products. Many of the best are from the USA. Forbidding European companies to use them is a desaster for the European internet industry.
Depending on your userbase, the regular traffic data can be off by significant proportions. I've seen pages where the number of logged-in interactions are higher than the number of Google Analytics hits.
We use server-side stats and for last month I get 30.1% Chrome, 28.8% FF. Now when I compare that to GA: 40% Chrome, 16% FF…
Yes, if you only want to count visits and don't have a problem having all bot traffic included. For everything a bit more advanced you need a proper analytics tool.
Isn’t it the other way around? FF by default blocks GA.
There are many niche systems that fit specific purposes. Sure GA can benefit from scale and existing profiles with user data gatherer in other context, which a self-hosted solution would not have acces to. But does it address every need better than specific systems? And is the added benefit worth sacrificing your users' data to google?
From my experience, there are several thousands of people/companies using UXWizz and so far no one has requested this feature yet.
But now that you mentioned, it seems like a pretty useful feature, especially if you can see top performing pages/articles.
I think one reason why people don't care about the specific analytics for a page is that they usually write pages/articles for SEO purposes. To see how well a page is performing SEO-wise, you usually go to Google Search Console (or Bing Webmasters) and see search terms/click-through-rates for that page.
Also, time spent on a specific page is not that useful, typically you want to see: if people are buying stuff, where do people that buy stuff come from and what page do they land on.
I did try to click on the top page lists, but those weren’t links. I found "Add segment" eventually, but at least on the demo page it’s not working (for the pages I tried, eventually I found a page with stats), and the interface is atrocious [0] for finding anything and breaks the site [1].
Our website is not posting articles to get people to buy other stuff, but the actual main part of the website (articles, and free or paid product tests; money is made both by selling tests and ads, with the ads not just being generic but specifically bought by companies with often contextual targeting). So my boss usually wants to know what articles do well (and not just from SE’s, we have a lot of repeat visitors), how soon interest drops, etc.
[0]: https://i.imgur.com/Buf0Vgd.png
[1]: https://i.imgur.com/wIO0d2B.png
I will add the per-page stats to the Roadmap, as I think it's a useful feature.
I agree, the UI can be greatly improved, and it is something that I will be working on soon, especially making sure all the edge-cases are covered.
Regarding the screenshots, the long page-name indeed breaks the UI, but normally you wouldn't search for a specific page including all the query parameters, you would add something like "/pricing*" (so it matches all visitors that visited the pricing page, regardless of the query parameters). I am still not sure whether I should separate query parameters from URL path, I did consider it but many pages use query parameters to display a different page/content (e.g. /article?id=5, where changing the id of the article leads to a completely different page, maybe I could by default exclude all query parameters and then have the option to keep custom an allow-list).
You can already see sessions count for a specific page using the current segment feature, just add that page name to a new segment, and you can see the count of sessions that saw that page and the referrer (for that specific visitor though, not necessarily that specific page).
To give a concrete example, a such query would be, which would show all pages and the average time-on-page, ordered descending by time:
[1]: If you clicked on "Password forgotten" on the log in page, they'd just send you your password unencrypted by email.
I guess it's a matter of luck.
Send you ad traffic to a unique form per campaign so you know what campaign is generating leads.
This isn't rocket science.
Also, Google Adwords counts conversions for visits for 30 days. Which means on the 1st visit from the ad campaign, there can be no immediate conversion (and that's OK). But if the same person returns to the website (not from the ad) and downloads/signs up that would be counted as conversion attributed to the ad.
Track hits on a post-download URL
> signups
Count signups in your DB with a source from a hidden field on the form
> Also, Google Adwords counts conversions for visits for 30 days
This stuff is mostly meaningless.
It will be mixed with downloads that come from organic search.
>This stuff is mostly meaningless.
I disagree.
Use a different page/form to track the two separately.
Switching to another solution for analytics might be ok, but losing the ability to automatically optimize ads based on conversion data is a big pain.
You mean what the SEA people tell you? Yeah, we'll all probably be out of business tomorrow, if we don't run the whole Google stack.
You don't need any of that.
They aren't innovative, the market is saturated, new users in developing countries are not worth as much as those from "first world countries".
As the users in first world countries are getting more and more aware of all the privacy issues, how FB fails to keep their platforms clean (either from spam or fake news) and other companies starting to like the taste of being valued as "privacy-friendly", the business model of FB is starting to crumble.
They have long only made (more) money because they found more ways to put together all the bits and pieces and breadcrumbs and build profiles they could sell to advertisers.
That age seems to be over (soon), so they are done, too.
So when they lost inventory (e.g. for retargetting), that is a direct loss of revenue for them. The question is, what did the company with the budget previously spent on those targetted adverts do instead? Did they buy less well targetted adverts elsewhere? Or up spend on offline marketing? The economic question is, how effective was that - more or less effective?
Obviously losing 10b dollars is bad for Facebook. It isn't clear that it is worse overall for ad spend, or economically.
https://www.linkedin.com/pulse/advertising-does-create-deman...
Targeted ads pay loads more than untargeted, and you're essentially saying all those companies paying more are in the wrong. Some campaigns even manage 10-25% click through conversions, when well enough targeted.