adrian17 2 hours ago

> The GDPR is almost trivial to comply with if you’re not harvesting data willy-nilly.

I buy a VPS. I apt install nginx. Is it okay that by default, opening http://IP/index.html logs the IP address to /etc/log/nginx/access.log? Maybe yes, maybe no, maybe yes but I need a privacy policy (for an empty index.html). Maybe I need to ask a lawyer (who usually errs on the side of caution) because people have been arguing about it for 10 years (and please don't answer here). And in the end, even if I didn't need to do anything, it sure is _some_ nonzero drain of my resources to have to think about it at all (completely ignoring whether it's justified or not).

esterna 29 minutes ago

This hinges on two misunderstandings:

- That data processing always requires consent. There are exactly six reasons for storing or processing data: consent, contract fulfillment, legal compliance, vital interests of a natural person, public interest/official authority, or legitimate interest. Collecting IP addresses can be a legitimate interest, but:

- The real interesting question is what you do with the IP addresses after they're stored in a file. Securing your server is a legitimate interest. Tracking your users is generally not. Having lawfully collected data is not a carte blanche to do anything you choose with it.

za_creature an hour ago

> Is it okay that by default [...] ?

Yes. IP addresses by themselves are not PII and may be logged indefinitely. It's only after you start correlating them with other shit that you're collecting that they become subject to GDPR.

Same for cookies really. If you *only* operate a shopping cart, you don't have to display a cookie notice for "only technically required cookies". The point of the cookie notice is to dark pattern users into granting more access or just to annoy them enough that they continue not caring about privacy.