
The screenshot is from my laptop with macOS Big Sur using Safari.
It’s time to be a little hard on the bullshit about analytics and trackers.
Do you need all your trackers?
Do you want to ask your users for consent with a very long list?
We are living with GDPR and CPRA, so… let’s start rethinking analytics!
Laws
The California Privacy Rights Act (CPRA) includes all parts of the California Consumer Privacy Act (CCPA) and reinforces it.
At this time (July 5th 2020), GDPR and CCPA are effective. So each part where I indicate that it’s from/included in CCPA is effective right now.
| | GDPR | CPRA |
|---|---|---|
| effective date | May 25th 2018 | January 1st 2023 |
| who is regulated | Controllers | Businesses (CCPA) |
| who is protected | Data Subjects | Consumers (CCPA) |
| children get special protection | ✅ | ✅ (CCPA) |
| covers employees | ✅ | ✅ (not until January 1st 2021: CCPA; January 1st 2023: CPRA) |
| what information is protected | Personal data | Personal info (CCPA) |
| additional restrictions on sensitive data | ✅ | ✅ |
| exemptions | ✅ | ✅ (CCPA) |
| lawful bases to process personal data | ✅ | ❌ (CCPA) |
| law is protected from watering down | ❌ | ✅ |
| right to know / right to be notified | ✅ | ✅ (CCPA) |
| right to access | ✅ | ✅ (CCPA) |
| right to correct / right to rectification | ✅ | ✅ |
| right to erasure / right to be forgotten | ✅ | ✅ (CCPA) |
| right to restrict processing | ✅ | ✅ |
| right to data portability | ✅ | ✅ (CCPA) |
| right to “opt out” / right to say no | ✅ | ✅ (CCPA) |
| right to limit use of sensitive personal information (including precise geolocation) | ✅ | ✅ (provide ) |
| right to reject automated decision making and profiling | ✅ | ✅ |
| right to no retaliation / right to not be discriminated against | ✅ | ✅ (CCPA) |
| privacy policy disclosure | ✅ | ✅ (CCPA) |
| data protection by design and by default | ✅ | ✅ |
| written contracts with processors, service providers, contractors, third parties | ✅ | ✅ (CCPA) |
| maintain records of processing activities | ✅ | ✅ |
| respond to rights requests | ✅ | ✅ (CCPA) |
| new homepage links required (e.g. limit use of sensitive personal information) | ❌ | ✅ (CCPA) |
| implement appropriate security measures | ✅ | ✅ (CCPA) |
| security breach notification | ✅ | ✅ (CCPA) |
| data protection impact analysis | ✅ | ✅ |
| data protection officers | ✅ | ❌ (CCPA) |
| adhere to the rules on cross-border data | ✅ | ❌ |
| dedicated supervisory authority | ✅ | ✅ |
| penalties (civil fines) | ✅ | ✅ |
| penalties (private rights of action) | ✅ | ✅ |
No tracker on my blog?
You see no banner or selector about cookies or consent because I don’t use trackers.
I replaced trackers like Google Analytics and Matomo (ex Piwik) with a customized web server and reverse proxy.
You can’t imagine what your browser can tell about you without any JavaScript; it’s incredible.
My stack
For business reasons, I won’t give you all the information about how I get and analyze metrics, but these are the broad lines:
- database with homemade functions
- homemade module for reverse-proxy and web server
- message broker
- workers to parse each message and send it to the database
- dashboard to analyze and get alert if needed
I don’t need Google Analytics to know your screen size, because I know it from which images are loaded (responsive images served through CSS media queries or `srcset` mean each viewport bucket fetches a different file). Thank you, HTML5 and CSS3.
Analytics = just what you need
You need to limit the information you ask for/collect to what you really need; thank you, GDPR, for reminding us of it.
Let’s think about which metrics you actually need…
- URL
- number of views
- number of errors, like attempts to reach a restricted page or to brute-force a login
- user’s country (easy with their IP), but I don’t need to save that IP, just the country: so easy and a lot more privacy friendly
- screen size
- languages accepted by the browser
It’s just an example, but please, stop accumulating 5/10/20 trackers just to learn what you can already know by correctly reading the information in the user’s browser requests and in your reverse proxy/web server logs.
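As an added example (not code from this blog or its stack), here is a small worker that derives exactly the metrics listed above from web server access logs, without any client-side script: page views per URL, error counts, country (the IP is used for the lookup and then dropped), screen-size bucket inferred from which responsive image variant the browser fetched, and the browser's preferred language. The log lines are constructed; the log format (combined format plus the `Accept-Language` header as a last quoted field), the `hero-*.webp` naming and the `COUNTRY_BY_PREFIX` table standing in for a GeoIP database are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample access log (documentation IP ranges, not real visitors).
# Assumed log format: combined format plus the Accept-Language header as a
# final quoted field (e.g. nginx: '... "$http_user_agent" "$http_accept_language"').
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2020:10:00:01 +0000] "GET /posts/analytics HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "fr-FR,fr;q=0.9,en;q=0.8"
203.0.113.10 - - [05/Jul/2020:10:00:01 +0000] "GET /img/hero-1920.webp HTTP/1.1" 200 80000 "-" "Mozilla/5.0" "fr-FR,fr;q=0.9,en;q=0.8"
198.51.100.7 - - [05/Jul/2020:10:00:05 +0000] "GET /posts/analytics HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "en-US,en;q=0.9"
198.51.100.7 - - [05/Jul/2020:10:00:05 +0000] "GET /img/hero-480.webp HTTP/1.1" 200 12000 "-" "Mozilla/5.0" "en-US,en;q=0.9"
198.51.100.7 - - [05/Jul/2020:10:00:09 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0" "en-US,en;q=0.9"
192.0.2.44 - - [05/Jul/2020:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/7.68" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)

# Assumed page markup: the hero image is declared once per viewport bucket, e.g.
#   <picture>
#     <source media="(max-width: 480px)"  srcset="/img/hero-480.webp">
#     <source media="(max-width: 1024px)" srcset="/img/hero-1024.webp">
#     <img src="/img/hero-1920.webp" alt="">
#   </picture>
# so the variant a browser fetches reveals its viewport bucket, no JavaScript needed.
IMAGE_BUCKETS = {
    "hero-480.webp": "<=480px",
    "hero-1024.webp": "481-1024px",
    "hero-1920.webp": ">1024px",
}

# Hypothetical stand-in for a GeoIP database: address prefix -> ISO country code.
COUNTRY_BY_PREFIX = {"203.0.113.": "FR", "198.51.100.": "US"}


def country_of(ip: str) -> str:
    """Map an address to a country; only the country is stored, never the address."""
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "ZZ"  # unknown


def primary_language(accept_language: str) -> str:
    """First language tag of Accept-Language, without its q-value."""
    first = accept_language.split(",", 1)[0].split(";", 1)[0].strip()
    return first if first and first != "-" else "unknown"


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class Metrics:
    views: Counter = field(default_factory=Counter)      # page path -> count
    errors: Counter = field(default_factory=Counter)     # (status, path) -> count
    countries: Counter = field(default_factory=Counter)  # country code -> page views
    screens: Counter = field(default_factory=Counter)    # viewport bucket -> count
    languages: Counter = field(default_factory=Counter)  # language tag -> page views


def aggregate(log_text: str) -> Metrics:
    """Turn raw log lines into the handful of metrics the post lists."""
    metrics = Metrics()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        path = urlsplit(rec["path"]).path
        if status >= 400:
            # 403 on a restricted page, 404 on probes like wp-login.php
            metrics.errors[(status, path)] += 1
            continue
        name = path.rsplit("/", 1)[-1]
        if name in IMAGE_BUCKETS:
            metrics.screens[IMAGE_BUCKETS[name]] += 1
            continue
        if path.startswith("/img/"):
            continue  # other static assets are not page views
        metrics.views[path] += 1
        metrics.countries[country_of(rec["ip"])] += 1
        metrics.languages[primary_language(rec["lang"])] += 1
    return metrics


if __name__ == "__main__":
    for label, counter in vars(aggregate(SAMPLE_LOG)).items():
        print(label, dict(counter))
```

The worker never writes the IP anywhere: it is read, turned into a country code and discarded, which is the data-minimisation the post asks for. Error counting stays on status and path only, which is enough to spot brute-force attempts on restricted pages without keeping per-visitor identifiers.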