"No need for cookie banners" might be incorrect

[birjj]

I am primarily posting this because I recently wrote a blog post on the topic, and felt it only fair that you got the opportunity to comment. I am not a lawyer, so this is based on my best understanding of the legislation; whether you want to react on it or not is up to you.

The landing page for Plausible advertises "No need for cookie banners or GDPR consent" in a heading. While I believe the latter part is correct, I would argue that cookie banners are still required, even when using a privacy-aware system like Plausible. The ePrivacy Directive simply doesn't have an exemption for anonymized data.

I dive deeper into this in the blog post linked above, but the short version is that not using cookies, anonymizing the collected data, and not storing any data on the user's device, simply isn't enough to be exempt from the ePrivacy Directive:

Not using cookies/not storing data

Although a common misconception, helped by the unofficial "cookie law" misnomer, this actually isn't a requirement. As put by Article 5(3) of the ePrivacy Directive:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

Any form of storing or gaining access to stored information requires informed consent. Even something as simple as reading the User-Agent is covered, as argued in the working group's opinion on fingerprinting:

Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party. Information that is stored by one party (including information stored by the user or device manufacturer) which is later accessed by another party is therefore within the scope of Article 5(3). [...] The consent requirement also applies when a read-only value is accessed (e.g. requesting the MAC address of a network interface via the OS API).

Anonymization

Unfortunately doesn't exempt from the ePrivacy Directive. As summarized by the working party's 2014 opinion on anonymization:

2.2.1. Lawfulness of the Anonymisation Process
First, anonymisation is a technique applied to personal data in order to achieve irreversible de-identification. Therefore, the starting assumption is that the personal data must have been collected and processed in compliance with the applicable legislation on the retention of data in an identifiable format.

In my opinion, this means that even users of privacy-aware analytics like Plausible and Fathom must present their users with a "cookie banner" in order to get informed consent.

Again, I am not a lawyer so I this might not apply legally, but I wanted to give you to opportunity to comment.

[cwbeck]

I've seen this argument before, but the following needs to be considered.

• No data about the user is stored or processed.
• Consent to anonymous data being collected is when you land on the page. It would be unreasonable to expect otherwise.
• The data collected is to used to understand, optimise and enhance experience of the website / service. Therefore regardless of 'your' consent I am going to collect the minimum. Why? Otherwise I'd struggle to predict traffic or general usage. I'd argue this is required for the site to function correctly for all users. That statement is not unreasonable.
• Data collected has absolutely no value to anyone else and could never be used to target that user.

There are plenty of projects operating on this assumption. This is badly written by the EU (no shock!) and needs to be challenged.

[birjj]

I think your points are largely addressed by the legislation:

No data about the user is stored or processed.

Data about the user is accessed and processed - specifically the algorithm creates a fingerprint from things like the Referer header, the User-Agent, the screen size and a GeoIP lookup of the IP address. The simple act of accessing these things is covered by the ePrivacy Directive as argued above, and anonymization is considered a step of post-processing (that's actually required by the Directive as soon as the data is no longer relevant, but that's another conversation)

Consent to anonymous data being collected is when you land on the page. It would be unreasonable to expect otherwise.

It is very explicit in the legislation that you must get informed, explicit consent. Arguing that a user should be aware that their information is used for analytics when they visit a site does not cover this. This is the primary reason we have all these frustrating cookie banners nowadays.

The data collected is to used to understand, optimise and enhance experience of the website / service. Therefore regardless of 'your' consent I am going to collect the minimum. Why? Otherwise I'd struggle to predict traffic or general usage. I'd argue this is required for the site to function correctly for all users. That statement is not unreasonable.

This exemption of "necessary for the service provider, therefore exempt" simply doesn't exist in the legislation. The topic was actually covered in a 2012 opinion on exemptions, which lists first-party analytics as one of the cases that aren't exempted:

4.3 First party analytics
[...]
While they are often considered as a “strictly necessary” tool for website operators, they are not strictly necessary to provide a functionality explicitly requested by the user (or subscriber). In fact, the user can access all the functionalities provided by the website when such cookies are disabled. As a consequence, these cookies do not fall under the exemption defined in CRITERION A or B.

Note that even the working group agrees that such uses aren't really what the legislation aims to block, and that if the legislation is revised later, an exemption might be included:

However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. [...]
In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. [...]

At the time of writing, I don't believe such an exemption has been added yet.

Data collected has absolutely no value to anyone else and could never be used to target that user.

Which I agree makes the use exempt from the GDPR, but unfortunately not from the ePrivacy Directive. As pointed out above, there simply isn't an exemption for anonymized data. It is the act of accessing the data in the first place, even if it is later anonymized, that requires informed consent.

While I agree with the sentiment that the data collected by Plausible should be allowed without explicit informed consent, that isn't how the legislation currently functions.

[metmarkosaric]

hi @birjj! if you're unsure about our approach, it's best to consult with your legal team. we provide detailed information on how Plausible is built to help you comply with the different privacy regulations in documents such as the data policy and the DPA. by looking at this info, your lawyer can help you decide whether our service allows you to fulfill the legal requirements that apply to you. thanks!

[corneliusroemer]

@metmarkosaric it would be great if you could share your lawyers writing so that we don't need to take your word for it:

We don't really have any additional comments other than what's on our website already. That info was checked by our legal team and we're happy with the approach.

It's not really satisfactory to take your word that some lawyer looked over your docs and said they were fine. Surely customers should get better assurances from you. If you don't share such assurances there's a chance these assurances aren't that good, as if there were good assurances, surely nothing would stop you from sharing them. I realize this is a high stakes question for you: if plausible were to require consent banners, a large selling point would disappear and this might have catastrophic consequences for your business.

[joepagan]

Trying to sell a non-consent tracking service from £9pm where customers are told they need to speak to a specialist lawyer first to see if the service is legal before using it is insane.

[birjj]

@joepagan That's a fairly uncalled for comment. As Marko said, they've already ran the claim by their legal team. Since legalities are open for interpretation, and (afaik) this issue hasn't been tried at any EU courts yet, that doesn't mean that it's definitely legal (I would interpret the ePrivacy Directive differently than Plausible's legal team does) - but it does mean that your comment is completely uncalled for. The recommendation to reach out to your own lawyer has only been presented in the context of doubting Plausible's own legal analysis.

[joepagan]

It does not mean my comment is uncalled for. The fact that this discussion exists in the first place shows the uncertainty. There should be more concrete assurances given they are a bias source trying to sell their service. More transparency about law being down to interpretation should be visible on their website not hidden in a large GitHub discussion if that is what it's coming down to especially when they are claiming it's fine.

[corneliusroemer]

It would be very helpful if the Plausible team shared the legal advice they received to make it more plausible to users what the lawyers said, exactly - rather than getting it second hand.

What makes me uncomfortable is that I used to tell everyone that Plausible was great, convincing others to adopt it. Yet now when I have questions they remain unanswered.

[nu111]

Great and challenging discussion?

The CNIL (French data protection authority) is keeping a list of analytics softwares allowed to track without consent.

It would be great if Plausible.io submits a valuation request, to have the CNIL opinion about the issue!

[birjj]

If I understand that page correctly, it only talks about consent required by the GDPR. The issue discussed here is that the ePrivacy Directive requires consent to even read data from the end-user device, or to use traffic data for non-traffic purposes.
It is possible to be in compliance with GDPR (and be listed on that page), but not in compliance with the ePrivacy Directive (and therefore still require informed consent).

While the GDPR is too complicated for me to confidently argue about, I would assume that Plausible could be argued to be GDPR compliant. It just isn't (in my opinion) ePrivacy Directive-compliant.

Very interesting link though, thanks for sharing it!

[ihucos]

Hello, I stumbled on this issue when looking into this topic for my own web analytics solution. The blog post @birjj posted is actually a pretty easy read when you consider the complexity of the topic. And it sounds very reasonable and comprehensive to me. Quoting the corresponding legal texts is great. I do understand that fingerprinting still needs consent.

@metmarkosaric I want to ask if plausible actually wants to argue on the basis of the arguments birjj has given. That would be interesting. The answer given in my mind reads like "trust me". Which at least I find insufficient.

[jmbiltresse]

I also came across this issue when looking into this topic for Matomo Analytics solution. @birjj summarized it well, despite the various vendors' claims that one can run their solution without any cookie disclaimer, it's not true, at least not in all the EU member states. I know, for sure, that in Germany you can run Web Analytics (excl. GA) without cookie consent as long as you use passive fingerprinting (only collecting and hashing information from the user agent string). If you were to collect additional attributes like browser plug-in, screen size, you'd need to ask for consent. In France, you can use Web Analytics (excl. GA) without cookie consent if you use first-party cookie. In Italy you can run Web Analytics (excl. GA) without cookie as long as you do not set any cookies - irrespective of using active or passive fingerprinting. In Austria, Belgium and many other EU states, you have to ask for user consent, you have no choice. The only workaround, for those web analytics, would be to fingerprint without using any of the user/device attribute.

[birjj]

@jmbiltresse Thanks for the information (and nice words).

If you have any resources on the implementation of the law in each of the countries you mention, I'd be quite interested - in my blog post I only really analyze the directive, which doesn't necessarily translate directly into law. It'd be interesting to see how that applies throughout the union (or in as many countries as we can find resources for)

[jmbiltresse]

I will definitely share for the countries I know. I've introduced the Matomo solution in our organization and had to make a lots of researches. I've stopped counting all the conversations and back and forth with our internal privacy team on the topic. I will keeo you posted!

[birjj]

@jmbiltresse Just checking in - are you still planning on sharing the information? I'd still be very interested 😄

[jmbiltresse]

Here you go:

Austria: Matomo cookie-less solutions (active or passive fingerprinting) would likely require prior consent of visitors. Austrian DPA considers fingerprinting techniques subject to the cookie rules.

Belgium: Matomo cookie-less solutions (active or passive fingerprinting) would likely require prior consent of visitors. GBA
requires consent for audience measuring cookies and fingerprinting techniques.

France: Matomo cookie-less solutions (active or passive fingerprinting) would likely not require prior consent of visitors.

Germany: Matomo cookie-less solutions (passive fingerprinting) would likely not require prior consent of visitors.

Italy: Matomo cookie-less solutions (passive fingerprinting only) would likely not require prior consent of visitors, as long as the last three digits of the IP address are masked.

UK: Matomo cookie-less solutions (active or passive fingerprinting) would likely require prior consent of visitors. Under PECR any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user.

[huksley]

I think "fingerprinting" in a broad sense as a server function of analyzing traffic & perforamce and adjusting used resources accordingly (creating new threads, allocating more memory per website or per a section of a website) is a part of every web server. Should EVERY webpage require consent?

I think it is ridiculous. We need to challenge it on a legislation level.

The 21 century called and the same analysis are done at the product level. We are doing it manually by looking at the plausible stats to understand, which part of our website needs improvement. Should we thwart this effort, by prohibiting aggregated analytics?

Following this logic, Cloudflare should have cookie consent on all websites because it fingerprints based on origin, website url and adjust its resources / points you to the different CDN server based on that.

[birjj]

As mentioned in Article 5(3) of the ePrivacy Directive:

[The consent requirement] shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

As long as the processing is done strictly for the purpose of providing the service your website offers, there is no need for consent (at least when it comes to the ePrivacy Directive - I am not knowledgeable enough on GDPR to comment on that).

As has been repeatedly noted by the EU in various opinions, analytics are not strictly necessary functionality - regardless of whether they're anonymized or not, first-party or third-party, etc.

Your fear-mongering comes from a place of not understanding the legislation you're fear-mongering about. It is perfectly possible to create a website that doesn't require cookie consent. You just need to stick to only processing the data that is needed to offer your product.

[huksley]

Thank you @birjj! I understand the ePrivacy directive, and it is quite straightforward!

I think we need to discuss what "strictly necessary" really means in 21 century - so many websites and online content are disappearing all the time, and maybe having a way to understand in an aggregated way how popular your online service would serve the benefit of encouraging the authors to keep it running?

[birjj]

@huksley Again, the meaning of "strictly necessary" has been explored at length by the EU in various opinions. For example, see the 2012 opinion on exemptions from cookie consent. The conclusion is that the legislation serves the purpose of requiring consent for any data processing that isn't a technical requirement.
If your argument is "we need to process your data to [earn more money|keep our motivation high|know who our audience is|get a dopamine rush from seeing how used our service is]" then that is not exempt. You can still do it, you just need to ask your users whether they're ok with it first.

[logemann]

Late on the topic but my lawyer has checked a competitor with the same value proposition (Fathom) with regards to the cookie banner in the german market a year ago and he came to the same conclusion as @birjj . He said there can't be any analytics software in the world that doesnt require a cookie banner under current legislation.

[corneliusroemer]

You make an interesting argument. There clearly is a need to get some more legal opinions on this. The current state is unsatisfactory: various people saying their lawyers disagree without anyone showing proof that their lawyers actually said so.

I noticed that the Scottish government (https://www.mygov.scot/privacy) uses plausible even if you select "only strictly necessary cookies". Why don't we ask the appropriate UK regulator to look at this case? Surely the government website should be compliant - so I assume the regulator would take it quite seriously.

[birjj]

That would certainly be an interesting analysis, if you could convince them to have a look at it.

Note that (as far as I can google) the ePrivacy Directive/"cookie law" is implemented in the UK as the PECR, which still applies after Brexit.

Under the PECR the argument would be:

1. Under Article 6(1) of the PECR, similar requirements for accessing information exists as under Article 5(3) of the ePrivacy Directive:

   (1) [Except if necessary for technical reasons, or strictly necessary for the service the user requested], a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless [the user has been given comprehensive information and the ability to refuse]

   This disallows accessing any on-device data without cookie banners/the ability to opt out.

2. Under Article 7(3) and 7(4) of the PECR, similar requirements exists for traffic data:

   (3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if

   • (a) such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and
   • (b) the subscriber or user to whom the traffic data relate has given his consent to such processing or storage; and
   • (c) such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).

   (4) Where a user or subscriber has given his consent in accordance with paragraph (3), he shall be able to withdraw it at any time.

   This disallows using traffic data without cookie banners/the ability to opt out.

3. The above two points combined disallows even privacy-aware analytics without cookie banners/the ability to opt out.

(at least from a quick reading)

[corneliusroemer]

You should drop the "cookie", as it's clearly not about cookies here. The argument is that there needs to be opt-in and a banner nonetheless. I hope your argument is wrong by the way, just trying to figure out how to get us all to agree that it doesn't apply how you suggest it does.

[birjj]

@corneliusroemer I definitely hope that my analysis is wrong too. In my opinion (and apparently the opinion of the EU working group too) the law should have permitted first-party privacy-aware analytics - but didn't.

As for using the term "cookie", I've tried to be careful to only use it in the term "cookie banner" (as in the colloquial term for the pop-up that satisfies the informed consent requirement of the GDPR and ePrivacy Directive - "cookie banner" is just shorter to say) and "cookie law" (in quotes, as in the colloquial term for the ePrivacy Directive).

My comment was mostly to help relate my analysis of the ePrivacy Directive to the UK-specific implementation of it (which is the law you'd reference when writing to the Scottish government).

[ihucos]

@metmarkosaric is there any official comment from plausble at all on this? From my perspective the title of this issue seems to describe a real issue.

[olljanat]

@fjsousa I had long discussions about these with ChatGPT. Even when cannot expect it to be 100% correct, the 4o version looks to be very well up to date about topic and it definitely much cheaper than discuss with laywer.

First of all it confirmed my expectation that ePrivacy laws differs between countries because EU has given just Directive. Most strict laws based on it are in: Germany, France, Netherlands, United Kingdom and Italy.

My conclusions from those discussion is that purpose of analyzing logs definitely matters. Here is some direct quotes:

1. "If you are analyzing server logs for purposes such as security, troubleshooting, or ensuring the proper functioning of your website, you can typically rely on "legitimate interest" as your legal basis under GDPR."
2. "IP addresses are considered personal data under GDPR if they can be used to identify an individual, either directly or indirectly."

Usage of Plausible can be argued to be under first case which why user consent (cookie banner) is not needed. However, GDPR still apply so they need to make sure that those logs are processed in EU and their customers need explain in privacy policy that they use Plausible service for this purpose.

As side note, based on my analysis, most of the web pages which has implemented cookie banner are doing it incorrectly.
If web page uses analysis technologies which requires user consent, those must be disabled by default and only activated after user actively opt-in to tracking by clicking button (like it is done in https://europa.eu ).

[birjj]

@olljanat Note that the response from ChatGPT relates to GDPR, not the ePD. The ePD doesn't really have a concept of "legitimate interest" -- it only has a concept of "necessary usage for a service explicitly requested by the user" (which they have repeatedly affirmed doesn't cover "but we need this to earn money, otherwise there would be no service").

LLMs are unfortunately fairly useless unless you verify their claims.

You are entirely correct that the ePD is a Directive, and the exact implementation therefore depends largely on how it has been implemented in the different member countries. That is a big weakness in my analysis -- it would be amazing to analyse the implementations. See the related comment from jmbiltresse above.

@fjsousa I don't believe the mention of "advertising solutions" affects the analysis. Since the ePD doesn't really discern different types of usage (other than things that are required for a service requested by the user), it should apply equally to advertising and analytics.

The important part is that they consider the outgoing IP address to (potentially) originate from a terminal equipment, and therefore be covered by Article 5(3). As I read their guidelines, that's very explicitly saying that processing the end-user IP requires consent (which is the first time they've been so explicit about it! It was definitely one of the weaker points of my article, so it's great to finally have their explicit opinion on it).

[olljanat]

@birjj Sure LLMs needs fact check like use humans. You asked about analysis about implementations. I checked Finland law and it talks only about storing data to client and using that. Official version is only available in Finnish but for mapping purposes to Directive they have made this document available. Section 205 is most interesting for this topic.

When it comes to that EDPB guideline, responsible authority from Finland has responded with this. Most interesting is this part:

Section 3.3 (Tracking based on IP only, paragraphs 54-55): Referring to the discussion above, it might be argued that the scope of Art. 5(3) ePD does not cover the collection of IP addresses when they are data that a device actively transmits about itself as part of the normal functioning of the internet, such as in connection with requests for web content.

So perhaps we need to wait that updated version of EDPB guideline is available which covers all the feedback they got.

[fjsousa]

it might be argued that the scope of Art. 5(3) ePD does not cover the collection of IP addresses when they are data that a device actively transmits about itself as part of the normal functioning of the internet

While this is true about any HTTP connection, 3rd party service providers introduce an important distinction. After all, what we're arguing is if you can run the analytics script and establish that connection in the first place, without user consent.

[corneliusroemer]

I just posted this to hackernews in the hope that there's some people there with some extra insights: https://news.ycombinator.com/item?id=41298241