# GDPR and CPRA: rethinking analytics

Published 2020-07-05 (last modified 2024-01-13)

The screenshot is from my laptop with macOS Big Sur using Safari.

It’s time to be a little hard with the bullshit about analytics and trackers.
Do you need all your trackers?
Do you want to ask your user to consent to a very long list?

We are living with GDPR and CPRA so… **Let’s start rethinking analytics!**

## Laws

The California Privacy Rights Act (CPRA) includes all parts of the California Consumer Privacy Act (CCPA) and reinforces it.

At this time (July 5th, 2020), GDPR and CCPA are in effect. So every row below where I indicate that an item comes from or is included in CCPA is effective right now.

| | GDPR | CPRA |
|---|---|---|
| Effective date | May 25th, 2018 | January 1st, 2023 |
| Who is regulated | Controllers | Businesses (CCPA) |
| Who is protected | Data subjects | Consumers (CCPA) |
| Children get special protection | ✅ | ✅ (CCPA) |
| Covers employees | ✅ | right to erasure / right to be forgotten |
| What information is protected | Personal data | Personal info (CCPA) |
| Additional restrictions on sensitive data | ✅ | ✅ |
| Exemptions | ✅ | ✅ (CCPA) |
| Lawful bases to process personal data | ✅ | ❌ (CCPA) |
| Law is protected from watering down | ❌ | ✅ |
| Right to know / right to be notified | ✅ | ✅ (CCPA) |
| Right to access | ✅ | ✅ (CCPA) |
| Right to correct / right to rectification | ✅ | ✅ |
| Right to limit the use of sensitive personal information (including precise geolocation) | ✅ | ✅ (CCPA) |
| Right to restrict processing | ✅ | ✅ |
| Right to data portability | ✅ | ✅ (CCPA) |
| Right to “Opt-Out” / right to say no | ✅ | ✅ (CCPA) |
| Right to reject automated decision-making and profiling | ✅ | ✅ (provide ) |
| Right to reject automated decision making and profiling | ✅ | ✅ |
| Right to no retaliation / right to not be discriminated against | ✅ | ✅ (CCPA) |
| Privacy policy disclosure | ✅ | ✅ (CCPA) |
| Data protection by design and default | ✅ | ✅ |
| Written contracts with processors, service providers, contractors, third parties | ✅ | ✅ (CCPA) |
| Maintain records of processing activities | ✅ | ✅ |
| Respond to rights requests | ✅ | ✅ (CCPA) |
| New homepage links required (ex. limit use of sensitive personal information) | ❌ | ✅ (CCPA) |
| Implement appropriate security measures | ✅ | ✅ (CCPA) |
| Security breach notification | ✅ | ✅ (CCPA) |
| Data protection impact analysis | ✅ | ✅ |
| Data protection officers | ✅ | ❌ (CCPA) |
| Adhere to the rules of cross-border data | ✅ | ❌ |
| Dedicated supervisory authority | ✅ | ✅ |
| Penalties (civil fines) | ✅ | ✅ |
| Penalties (private rights of action) | ✅ | ✅ |

## No tracker on my blog?

You see no banner or selector about cookies or consent because I don’t use trackers.
I replaced trackers like Google Analytics and Matomo (ex Piwik) with a customized web server and reverse proxy.

You can’t imagine what your browser reveals about you without any JavaScript at all; it’s incredible.

## My stack

For business reasons, I won’t give you every detail of how I collect and analyze metrics, but these are the broad strokes:

  • database with homemade functions
  • homemade module for the reverse proxy and web server
  • message broker
  • workers that parse each message and send it to the database
  • dashboard to analyze the data and raise alerts if needed

I don’t need Google Analytics to know your screen size, because I can tell from which image variant your browser loads (responsive images: the server sees which size-specific asset was requested); thank you HTML5 and CSS3.

## Analytics = just what you need

You need to limit the information you ask for or collect to what you actually need; thank GDPR for the reminder (data minimisation).
Let’s think about which metrics you really need…

    • URL
    • number of views
    • number of errors, such as attempts to reach a restricted page or brute-force attempts
    • user’s country (easy to derive from the IP address), but I don’t need to store the IP, just the country; it’s easy and a lot more privacy-friendly
    • screen size
    • the language accepted by the browser (the Accept-Language header)

This is just an example, but please stop accumulating 5, 10 or 20 trackers to learn what you can already learn by correctly reading the information the user’s browser sends and what your reverse proxy/web server logs.