I recently gave Google Analytics 4 a shot. I actually had the thought that I had more access to information, and my analytics were better, in 1998. It's a disaster.
Nah, a lot of it is weird UI decisions. Like, to view what browser versions your users are using, in UA you just go to the browser page and click the browser and it lists the versions and number of users. In GA4... good fucking luck, you need to make some weird custom report where you need to select the right parts of your data and tell it whether they are "metrics" or "dimensions" or "rows" or "columns" or "values" or "filters" or "segment comparisons". It's a nightmare. And it's like that for basically everything other than the premade UIs, which feel like they are oversimplified and targeted more towards apps than websites. Generally it feels like I'm using a product made by people who hate the Internet and wish all their website users would go away, but hey, it's free...
Most GDPR experts will tell you that traditional log files aren't compliant. They contain personally identifiable information (IP address), and you didn't get consent from the user before collecting it, nor are they required to provide the service the user requested.
CNIL disagrees and says you may need them to secure your service. Legitimate interest (art. 6(1)(f)) is applicable (recital 49). You can also be required by law to keep them for some time, so legal requirement is applicable (art. 6(1)(c)). Other uses may require consent.
Exactly. It's not just about what you collect and store, but also about what you do with the information.
You can freely collect data as a legal requirement, or for "legitimate interest" purposes such as fraud prevention. But you can't use the data you just collected for analytics without proper consent.
Contractual basis, too, is often the easiest way to collect and store PII. E.g. if you have a contract with someone you can often store a lot of their data to fulfil the contract.
There is meant to be a sense of proportionality, but as with many things in privacy law it's subject to interpretation and intentionally left vague.
Storing the log files (or IP addresses in general) is not a problem IF you're using them only with a legitimate interest basis.
For instance, you can use this stored IP address to help identify whether your user's account has been breached, and prompt for extra verification before letting them log in. You can also do a full browser fingerprint for this purpose; this is all covered under a legitimate interest basis.
However, once you use any of this data to market to the user then you are in breach of the GDPR as you did not have a consent basis for it. The storage was never a problem, it's the use of it that becomes a problem.
Depends on the product. Payments products generally use fingerprinting and present extra prompts if you're using an unknown device. That is kind of one of the main problems of the GDPR, though: there are nuances and it's usually not black and white what can be done without specialised legal counsel (and sometimes, even then...)
Sounds like there could be an opportunity here for a GDPR-noncompliant analytics product. Personally, my customers are in the United States and I don't want ambiguity in my analytics because of lawyers who reside outside of my jurisdiction.
Technically correct, but arguable... There are lots of UK and EU-based companies that blatantly breach the GDPR and get away with it as the regulatory bodies don't have the resources to chase after every breach at home, let alone abroad.
Unless you are a huge company or have a significant amount of customers in the UK/EU it's probably okay to ignore the GDPR.