Comment by littlestymaar

1 day ago

> were great but millions of man hours a year are burned navigating cookie banners on every website

Cookie banners are not, in fact, an obligation under GDPR. All you need to do to be GDPR compliant is “not collect and sell data to partners” and call it a day. Cookie banners are a loophole that the EC conceded to an ad industry that is addicted to tracking everyone all the time.

> All you need to do to be GDPR compliant is “not collect and sell data to partners”

Are you asserting that I can log IP addresses in my Apache logs? Seems like no one can give me a straight answer there.

  • Of course you can. And you don't need any consent from the user for doing so.

    The only thing you need to do is to have some document where you list all the personal information you process and store, for how long and what you do with the said data.

    What you cannot do is store data that you don't have a legitimate interest in storing. And this is why you have to document what you do with the data, because if you're not doing anything with it (“I want to store 10 years' worth of IP address logs just in case”) then you aren't allowed to (by contrast, “I want to store IP addresses for a month for DDoS protection purposes” is allowed).

  • That’s not how the law is structured. You CAN do that no problem but it’s then WHAT you do WITH that which is where the law comes into play. If it’s just for security purposes then there’s no problem I believe.