<h1>GDPR and CPRA: rethinking analytics</h1>

<p>Published 2020-07-05, last modified 2024-01-13.</p>

<p>The screenshot is from my laptop with macOS Big Sur using Safari.</p>

<p>It’s time to be a little hard on the bullshit about analytics and trackers.
Do you need all your trackers?
Do you want to ask your user to consent to a very long list?</p>

<p><strong>We are living with GDPR and CPRA so… Let’s start rethinking analytics!</strong></p>

<p>The California Privacy Rights Act (CPRA) includes all parts of the California Consumer Privacy Act (CCPA) and reinforces it.</p>

<p>At this time (July 5th, 2020), GDPR and CCPA are effective. So each part that I mark as from/included in CCPA is effective right now.</p>

<p>You have no banner or selector about cookies or consent because I don’t use trackers. You can’t imagine what your browser can tell about you without using JavaScript; it’s incredible.</p>

<p>For business reasons, I won’t give you all the information about how I get and analyze metrics, but these are the broad lines:</p>

<p>I don’t need Google Analytics to know your screen size because I know which image is loaded; thank you, HTML5 and CSS3.</p>

<p>You need to limit the information that you ask for or collect to what you need; thank GDPR for the reminder. It’s just an example, but please stop accumulating 5/10/20 trackers just to learn what you can already learn by correctly reading the information from the user’s browser and your reverse proxy/web server.</p>

<h2>Laws</h2>

<figure><table>
<thead>
<tr><th></th><th>GDPR</th><th>CPRA</th></tr>
</thead>
<tbody>
<tr><td>effective date</td><td>May 25th, 2018</td><td>January 1st, 2023</td></tr>
<tr><td>who is regulated</td><td>Controllers</td><td>Businesses (CCPA)</td></tr>
<tr><td>who is protected</td><td>Data Subjects</td><td>Consumers (CCPA)</td></tr>
<tr><td>children get special protection</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>covers employees</td><td>✅</td><td>right to erasure/right to be forgotten</td></tr>
<tr><td>what information is protected</td><td>Personal data</td><td>Personal info (CCPA)</td></tr>
<tr><td>additional restrictions on sensitive data</td><td>✅</td><td>✅</td></tr>
<tr><td>exemptions</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>lawful bases to process personal data</td><td>✅</td><td>❌ (CCPA)</td></tr>
<tr><td>law is protected from watering down</td><td>❌</td><td>✅</td></tr>
<tr><td>right to know / right to be notified</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>right to access</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>right to correct / right to rectification</td><td>✅</td><td>✅</td></tr>
<tr><td>right to limit the use of sensitive personal information (including precise geolocation)</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>right to restrict processing</td><td>✅</td><td>✅</td></tr>
<tr><td>right to data portability</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>right to “Opt-Out” / right to say no</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>right to reject automated decision-making and profiling</td><td>✅</td><td>✅ (provide )</td></tr>
<tr><td>right to reject automated decision making and profiling</td><td>✅</td><td>✅</td></tr>
<tr><td>right to no retaliation/right to not be discriminated against</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>privacy policy disclosure</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>data protection by design and default</td><td>✅</td><td>✅</td></tr>
<tr><td>written contracts with processors, service providers, contractors, third parties</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>maintain records of processing activities</td><td>✅</td><td>✅</td></tr>
<tr><td>respond to rights requests</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>new homepage links required (ex. limit use of sensitive personal information)</td><td>❌</td><td>✅ (CCPA)</td></tr>
<tr><td>implement appropriate security measures</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>security breach notification</td><td>✅</td><td>✅ (CCPA)</td></tr>
<tr><td>data protection impact analysis</td><td>✅</td><td>✅</td></tr>
<tr><td>data protection officers</td><td>✅</td><td>❌ (CCPA)</td></tr>
<tr><td>adhere to the rules of cross-border data</td><td>✅</td><td>❌</td></tr>
<tr><td>dedicated supervisory authority</td><td>✅</td><td>✅</td></tr>
<tr><td>penalties (civil fines)</td><td>✅</td><td>✅</td></tr>
<tr><td>penalties (private rights of action)</td><td>✅</td><td>✅</td></tr>
</tbody>
</table></figure>

<h2>No tracker on my blog?</h2>

<p>I replaced trackers like Google Analytics and Matomo (formerly Piwik) with a customized web server and reverse proxy.</p>

<h2>My stack</h2>

<h2>Analytics = just what you need</h2>

<p>Let’s think about which metrics you need…</p>