GDPR on information only websites

JasonM · 27 Aug 2018 at 15:36

Hope this is the best section for this.

I have an information only website, and looking for advice on GDPR law. The website stores no personal data other then the IIS server that can store client data (IP's, browser details) in event logs. The only other information that's stored is the site connects to google analytics.

I have searched for advice, but main advice on GDPR is related to web-sites that collect data.

Could anyone offer any advice, or link to other information only websites that have covered this.

touch · 27 Aug 2018 at 16:02

You'll need to give visitors an opt-in for tracking cookies used by google analytics.

IIS logs should be ok because they are strictly necessary to the security of the website. IP addresses are considered to be personal data though.

edit: here's a link which better explains why IIS logs dont need permission - https://terabyteit.co.uk/the-gdpr-and-personal-data-in-web-server-logs/

Hyburnate · 27 Aug 2018 at 16:45

touch said:
You'll need to give visitors an opt-in for tracking cookies used by google analytics.

IIS logs should be ok because they are strictly necessary to the security of the website. IP addresses are considered to be personal data though.

edit: here's a link which better explains why IIS logs dont need permission - https://terabyteit.co.uk/the-gdpr-and-personal-data-in-web-server-logs/

This is bang on, and a privacy policy.

JasonM · 28 Aug 2018 at 15:36

Thanks for the information, especially the link the ISS logs.

For time being I'm considering removing the google analytics, they were not really used anyway as it's such a basic website.

I presume I will still require some form of privacy policy.

ChroniC · 29 Aug 2018 at 19:07

Hyburnate said:
This is bang on, and a privacy policy.

It's not bang on. You don't have to give an opt out for analytics. It's only advertising cookies that require it.
You'll notice on a lot of opt outs that you cannot opt out of the tmfirst option.
You do however have to have a pop-up or fixed position CTA showing your cookie policy outlining your intended use of analytics information.
If you have a contact form or any form of subscription you must link to your privacy policy outlining your usage of their information and how long you intend to keep it. How long you keep it for varies based on your line of work. I. E if you have 10yr warranties etc you can prove you need to keep it for that long, etc etc.

Rroff · 29 Aug 2018 at 19:35

I pulled down a couple of long abandoned information sites (but using WordPress) as I just CBA with getting my head around GDPR stuff :s it seems more of a pain in the rear than actually achieving anything.

Hyburnate · 29 Aug 2018 at 21:36

ChroniC said:
It's not bang on. You don't have to give an opt out for analytics. It's only advertising cookies that require it.
You'll notice on a lot of opt outs that you cannot opt out of the tmfirst option.
You do however have to have a pop-up or fixed position CTA showing your cookie policy outlining your intended use of analytics information.
If you have a contact form or any form of subscription you must link to your privacy policy outlining your usage of their information and how long you intend to keep it. How long you keep it for varies based on your line of work. I. E if you have 10yr warranties etc you can prove you need to keep it for that long, etc etc.

You're right, I completely misread it to be honest. The privacy policy I wrote for the company I work for entirely contridcts what I quoted.

Admitadly I went a little overboard however you can see an example here @JasonM https://nenedata.com/privacy-policy/

JasonM · 30 Aug 2018 at 00:17

Hyburnate, thanks for your link. I have actually used a website called RocketLawer to create a free GDPR complaint privacy policy. I have just had a quick scan of yours on nenedata.com and it's very similar to the RocketLawer generated one.

Hyburnate · 30 Aug 2018 at 21:47

JasonM said:
Hyburnate, thanks for your link. I have actually used a website called RocketLawer to create a free GDPR complaint privacy policy. I have just had a quick scan of yours on nenedata.com and it's very similar to the RocketLawer generated one.

Haha, maybe I shouldn’t pursue a career in law.

Admittedly it went ridiculously into detail, but the way I saw it is I don’t want any come back and if the ICO see best efforts they’ll be more lineant.

antijoke · 4 Sep 2018 at 21:26

ChroniC said:
It's not bang on. You don't have to give an opt out for analytics. It's only advertising cookies that require it.
You'll notice on a lot of opt outs that you cannot opt out of the tmfirst option.
You do however have to have a pop-up or fixed position CTA showing your cookie policy outlining your intended use of analytics information.
If you have a contact form or any form of subscription you must link to your privacy policy outlining your usage of their information and how long you intend to keep it. How long you keep it for varies based on your line of work. I. E if you have 10yr warranties etc you can prove you need to keep it for that long, etc etc.

Are you sure about the opt out thing for analytics?

I thought they had to be not set to start and only allowed to be set by specifically opting in.

This is from the civic cookie control website we use for managing cookies

https://www.civicuk.com/cookie-control

edscdk · 4 Sep 2018 at 21:54

antijoke said:
Are you sure about the opt out thing for analytics?

I thought they had to be not set to start and only allowed to be set by specifically opting in.

I hate those stipud opt in / out cookie questions,

Option 1 get 50 million web sites updated and waste billions of man hours over the next 50 years clicking on deny or accept

Option 2 get 10 or 15 bits of software (browsers) updated to ask the question once .

Option 3 don't do anything cos anyone that's going to abuse they system is hardly likley to take any notice of what you selected

ChroniC · 5 Sep 2018 at 00:09

antijoke said:
Are you sure about the opt out thing for analytics?

I thought they had to be not set to start and only allowed to be set by specifically opting in.

This is from the civic cookie control website we use for managing cookies

https://www.civicuk.com/cookie-control

Yep analytics alone doesn't record or take any personal identifying information from you. There are options in it to link it to Adwords which would invalidate this but with the basic settings it uses random identifiers. It can be covered by a basic use of cookies policy.

antijoke · 5 Sep 2018 at 07:26

ChroniC said:
Yep analytics alone doesn't record or take any personal identifying information from you. There are options in it to link it to Adwords which would invalidate this but with the basic settings it uses random identifiers. It can be covered by a basic use of cookies policy.

Ok, thanks. Got any articles on it?

I’m sure I had read all analytics needed it, this makes my job a little easier.

ChroniC · 5 Sep 2018 at 07:40

https://www.peakdemand.co.uk/blog/the-impact-of-gdpr-on-google-analytics/

This has a little snnipet is about as quick as I can show with trawling the actual regulation.

The so called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”

antijoke · 5 Sep 2018 at 09:00

Excellent, thanks.