Note: I'm not a law professional. Well, not even an amateur. And this article is not a legal advice. However, I believe these examples may be a good practical introduction to the large and complex topic of GDPR-compliance.
GDP... what?
It was a buzzword some time ago, and still is a discussed thing. Very briefly,
- GDPR is a EU law which applies to all websites and apps used in EU
- GDPR prohibits personal data collecting without explicit user consent. Personal data examples:
- Name
- IP address
- Cookie, local storage property, or any other tool to recognise a unique user
- GDPR also prohibits transferring user's personal data outside EU without their consent
Do you have ideas how your site can possibly violate these? Let's see!
1. Google Analytics
Google Analytics is a great tool... which sets cookies to tell apart unique users, and this is impossible to turn off. Which means, to use Google Analytics, you need to show a banner and ask user consent.
What should I do if I don't want to display any banners?
You can switch to a different analytics provider. I have tried several:
All of them are, or can be configured to be, GDPR-compliant. My choice is Telemetry Deck. It’s simple, convenient, lightweight in terms of user bandwidth, and offers the option to upgrade to a paid plan if your app takes off one day.
How can I identify unique users without cookies, local storage, but without showing an annoying banner?
You can't. If you need to recognize individual users for any reason, you must obtain their consent.
2. Google Fonts
What? Is it just a convenient fonts API? Yes, but this API collects user's IP address and may use it for analytics purpose. Some time ago the German court sentenced some site operator to a fine of 100 € for using Google Fonts.
What to do?
If you need several fonts, you may just host them. If you need many, and cannot host them, then you need user consent.
3. Hosting provider
This part is tricky. Much of US-based hosting providers (including e.g. CloudFlare, and GitHub Pages) record your IP-address in their logs. For this, you need a user consent.
However, this example is different from fonts and analytics because, according to providers' statements, this is required for their normal operation and troubleshooting. Unfortunately this topic is not actively discussed on internet, and there is no well-known judicial precedent so far.
What should I do?
- At a minimum, you should disclose the data collection practices of your hosting provider in your Privacy Notice.
- For GitHub Pages, it seems possible to achieve full GDPR compliance with a corporate account.
- Consider using EU-based hosting providers like Statichost.
- If your hobby app suddenly becomes popular and starts generating revenue, I recommend seeking legal advice. The more popular you become, the higher the chance of attracting attention from regulatory authorities.
Is this really a concern for my small site or pet projects?
The law is strict — it applies to any organization or individual running a site accessible in the EU. However, there is no well-known precedent where a hobby project owner has been fined. Overall, it seems the intention is to reduce the use of U.S.-based Big Tech products within the EU to protect residents from being tracked by foreign entities.
That said, complying with the law is always the safest choice. Moreover, protecting user privacy — something we often lack these days — is undoubtedly a worthwhile engineering effort.
Top comments (0)