Comment by y42

3 years ago

> Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?

You need consent for every kind of storage usage on the client side if you create profiles to analyze them for marketing goals. If not, and no PII is being processed, no consent is required. E.g., you could easily aggregate your server logs without consent.

You generally don't need consent for gathering data that is required to run the site.

But if you use the data for analytics purposes, you do need the users' consent for that, even if it's the same data that you use for operational purposes.

But that means you shouldn't have IP or user-agent or any unique identifier in the path.

Just to be clear: PII is not the same as personal data as defined by the GDPR. The latter is generally much stricter as it also includes indirect data. Data which would be anonymous by itself but in a collection uniquely links to a single person would still be considered personal data under the GDPR.

> if you create profiles to analyze them for marketing goals.

That's not correct; if you collect PII, even if you don't use it, you need consent. Actually, if you don't have a legitimate use for the data, you are prohibited from collecting it at all.

GDPR isn't an assault on online marketing; it's about privacy.