There was a solution all along.
@scholzmx This is the (best) way.
@scholzmx caption:
A screenshot of a cookie/privacy policy notice, which says “This website complies with the GDPR by not collecting any personal information, and with the EU Cookie Directive by not using cookies.”
@scholzmx this remains my favourite privacy policy: http://deathroadtocanada.com/PRIVACY.txt

@robinwhittleton @scholzmx For anybody else who can't load that page because Firefox tries to force TLS 1.2 on a site that doesn't support it:

DEATH ROAD TO CANADA PRIVACY POLICY

We don't do anything with your private info. I don't even think we collect your info. If we do, it's accidental and I don't know anything about it. In that case, we're still not doing anything with your private info.

PRIVACY POLICY OVER

@scholzmx nice idea but that is not compliant. You are still at least processing private data in the form of IPs. No need to store them, by accepting connections you are still processing them.
@nd @scholzmx I don’t think IPs (in isolation) count. Of course, I’m not an expert and I wonder how much granularity you would need in your web server logs before your log becomes private data of your site’s visitors.
You’re also allowed to use cookies as needed for the functioning of the site. Session cookies for logged-in users and such.
@c0dec0dec0de @nd @scholzmx IPs are considered personal information, I won a complaint case over this. (health insurance was sharing IP with google)
@wmd @c0dec0dec0de @nd @scholzmx If you aren't making your website in a language spoken mainly in the EU, I doubt that processing IP addresses alone is enough to trigger the obligation to pay a fee to a representative pursuant to article 27.

@c0dec0dec0de @nd @scholzmx courts have interpreted this differently, but some have said that IP addresses are absolutely personal data.

As a result, if you do any kind of request logging, best to disclose it. (And to have processes in place to rotate those logs.)
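A defender-side illustration of the point above (request logs hold IP addresses, so truncate them and enforce a retention window), added here as an example that is not part of the thread. The log lines are constructed samples in the common "combined" access-log format; the prefix lengths (/24 for IPv4, /48 for IPv6) are assumptions, not anything the thread specifies.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.42 - - [12/Jun/2023:10:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:85a3:1234:5678:8a2e:370:7334 - - [12/Jun/2023:10:14:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [01/Jun/2023:08:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def anonymize_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Truncate an address to a network prefix so it no longer points at one host."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client-address field (first token of a combined-format line)."""
    client, sep, rest = line.partition(" ")
    try:
        return anonymize_ip(client) + sep + rest
    except ValueError:
        # Not an IP address (malformed line, or a hostname): leave the line untouched.
        return line


def anonymize_log(text: str) -> list[str]:
    """Anonymize every non-empty line of a log file's contents."""
    return [anonymize_log_line(line) for line in text.splitlines() if line.strip()]


def entry_time(line: str):
    """Parse the request timestamp of a combined-format line, or None if absent."""
    match = TS_RE.search(line)
    if match is None:
        return None
    return datetime.strptime(match.group(1), "%d/%b/%Y:%H:%M:%S %z")


def prune_expired(lines: list[str], now: datetime, retention_days: int = 7) -> list[str]:
    """Keep only entries inside the retention window; undated lines are dropped as well."""
    window = timedelta(days=retention_days)
    kept = []
    for line in lines:
        ts = entry_time(line)
        if ts is not None and now - ts <= window:
            kept.append(line)
    return kept
```

Running `anonymize_log` before the lines ever reach disk, and `prune_expired` on rotation, is what turns "we don't keep IPs" from a claim into a checkable process.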

@scholzmx @chucker @c0dec0dec0de @nd any data can be “personal data” in the GDPR sense, such as a colour, the letter B, or 11:36 on a Wednesday morning - but only if it is explicitly tied to an individual. Otherwise it’s just data.

@Synchro @scholzmx @c0dec0dec0de @nd you might find a lawyer who argues a color is personal info, but you may have a hard time finding a judge who takes that argument seriously. With IP addresses, the argument *has* successfully been made. For example:

https://ccdcoe.org/incyder-articles/cjeu-determines-dynamic-ip-addresses-can-be-personal-data-but-can-also-be-processed-for-operability-purposes/

“a dynamic IP address is personal data if it is legally and practically possible for the website operator to obtain additional data from the ISP to identify the visitor”

I presume your ISP doesn’t log colors.


@scholzmx @chucker @c0dec0dec0de @nd I’m familiar with that ruling, and also that GDPR requires due diligence with respect to security and prevention of abuse. These things are not exclusive. You’re also presenting a common misapprehension. A colour by itself is not personal data. A colour stored as a user’s favourite colour is. There is no such thing as “PII” in GDPR.
@nd @scholzmx technically, you need the IP to send a response, but that is something the server hosting the website needs, not the website itself.

The hosting server and website may belong to different people or companies, so the owner of the website may not have access at all to the IP of the people reaching the website. Also if your website is behind a reverse-proxy, you will not see the original IP if the proxy doesn’t send it to you, only the IP of the proxy.

So depending on how the website is hosted, it may not have access to any personal information by design.

@nd @scholzmx i’m pretty sure there are exceptions for that in the gdpr, like for purely functional data processing…

in practice, i don’t think anyone could get sued over that, because i believe most judges judge based on the intent of the law, rather than the specific details of what’s written in

@nd @scholzmx
1. The usual meaning of “collect” is “create and maintain a store”. If the site doesn’t *keep* the IPs, it isn’t *collecting* them.
2. The usual meaning of “processing” does not include “accepting”.

IPs are private data and need to be processed. I was thinking the same thing the moment I read the original statement.

Now, that processing itself is compliant by GDPR 6 (1) b, as it is needed to answer a request by the data subject. But not mentioning it is not compliant. (This is only my opinion, IANAL.)


@dj3ei @scholzmx yes and that results in the need to inform the user about their rights as well as which data you are processing on what legal basis (and some more stuff). Just writing "we do not store data" is not enough on its own.
@scholzmx The only data that my website collects (excluding the Calckey instance, and probably some other misc web apps running on subdomains I forgot about) is IP address, so data can be actually sent back.

No software I have created uses cookies. Ain't got the time to implement them properly, and I have no reason to use them.
@scholzmx That doesn't make the cookie banner any less stupid
@malwareminigun @scholzmx The cookie banner needs to be replaced by browser support which uses my settings and enforces them. All the clumsy banners are terrible.
@scholzmx "Not using cookies" means you cannot even have a session, so no login mechanism and not using any linked resources. If you just include jquery.js from any CDN, you're already using cookies. Only static sites with no real functionality can do this.
@http @scholzmx Well I mean you can store session tokens in local storage. Does that count as a cookie?
@scholzmx @farshidhakimy Technically not, I guess, but for the law? No idea. I haven't seen that being used yet though.
@http @scholzmx wow really?
I use fastapi as a backend for my webservices and the frontend is always a static html page with some css and javascript which you can use to log in. It makes a request to the API and stores the token in local storage.
@scholzmx @farshidhakimy @http GDPR doesn’t mention the term “cookie” at all. The law that covers that is the EPD from 2002, and it’s implementation-agnostic, as the law should be. You’d have thought that 21 years was enough to figure this out, but apparently not.
@http @scholzmx Session cookies are fine under the EU laws.
@derickr @scholzmx But if you say you are "not using cookies", then you're lying and I'm sure lying about this is also not ok, even if session cookies would not require consent.

To this blanket statement as it stands, I disagree.

EU allows you to set session cookies if you have a good reason. They are illegal if you don't and have not acquired consent either.

E.g., I'm on my way to the Hamradio Faire in Friedrichshafen. There are two web sites offering browsing the program: One from the faire company and one from #DARC. The DARC https://talks.darc.de/hamradio-2023/schedule/ serves the program without cookies. I'm not sure the faire company version is legal.


@http @scholzmx Another fact is that under GDPR you can even use cookies as long they are not used to collect or process personal information. Session management can fit into this.
@scholzmx @vonubelgarten Yes, but you can't lie and say "not using cookies" when you use session cookies, even if you don't violate GDPR.

You can host your scripts, including jquery.js, on your own server. No need to set a cookie to provide scripts to your users.

You can also do a lot of processing in the browser, and get specific info from the server as requested by the user, for a very "non-static" look, feel, and functionality - all without ever setting any cookie.

On the other hand, cookies are the way to go when personal identification is needed by the server. E.g.: Online banking, web mail, ... .


@dj3ei @scholzmx Yeah, I know how this works. But maybe you don't want to set up a globally diverse CDN and just use an existing cloud provider. Try limiting your browser from loading non-same-domain resources and pretty much everything is broken. But yes, theoretically you could. And yes, any data you need to persist over many pages (like login-status) you would put into a session and pass the id as cookie.

Yeah, I know how this works. But maybe you want to cater to EU citizens and stay legal.

I'm afraid there is a lot of infrastructure out there, including big existing content delivery networks, that are hard to use legally under GDPR.


@scholzmx
Policies
This website complies with the GDPR by not collecting any personal information, and with the EU cookie directive by not using cookies.

@scholzmx If taken to the letter: This is actually quite difficult to do in practice unless you have a static website with no user accounts, no comments and nothing to input at all. :D

In fact, under GDPR, even IP addresses count as personal information, and those get logged by default by most web servers. :D

@sindastra @scholzmx "Static website." "Difficult to do in practice."

Um.

@drwho @scholzmx Perhaps there was a misunderstanding. I didn't mean to say it's difficult to create a static website.

I think you missed the "unless" part. :D

@drwho @scholzmx Or, in other words, it's easy to not use any cookies if you run a static website and don't embed third-party scripts.

But if you're building an application which uses a login system, you need a cookie or some other way to store data in the browser.

I was taking the "no cookies" quite literally, hence the beginning of my toot "if taken to the letter".

Of course, mere login cookies are no problem under GDPR, but again, I was taking it literally. (:

@sindastra @scholzmx My bad. I'm sorry.
@drwho @scholzmx No need to apologize, those things happen. I just thought I was being unclear and wanted to elaborate. I hope I didn't come off the wrong way. 🙂
@sindastra @scholzmx I hope I didn't come off the wrong way!

@sindastra @scholzmx I kinda did. I didn't sleep last night.

Sorry.

@drwho @scholzmx No worries! I hope you'll get some good sleep tonight. 🙂
@sindastra @scholzmx I hope so, too. Not landing until 2200 hours UTC-4.
@drwho @scholzmx Oh, you're on a long flight? :D
@sindastra @scholzmx Yeah, had to get up way early to catch a flight.
@drwho @sindastra @scholzmx I run an online store, it's very hard to accept credit cards securely and prevent fraudulent/spammy orders without cookies and some level of tracking (IP/browser tracking, basically)

@scholzmx @networkexception yep. In the next week or so the video from OntoCommons should be up and I can show the demo PoC on IKEA.com we built that provides recommendations via our Knowledge Graph, without tracking or third-party data.

The next thing is to look at things like datapods for in-session data and the right to share or remove any data.

We've got some realtime and scale issues to fix but hope it'll be soon.

@scholzmx What site is this from?
Marginalia Search

search.marginalia.nu is a small independent do-it-yourself search engine for surprising but content-rich websites that never ask you to accept cookies or subscribe to newsletters. The goal is to bring you the sort of grass fed, free range HTML your grandma used to write.

Policies: This website complies with the GDPR by /not collecting any personal information/, and with the EU Cookie Directive by /not using cookies./
More information link.
@scholzmx I've been reading the replies - I love how EVEN THIS is a controversial stance.
@drwho @scholzmx it is, because courts have expressed different views on what constitutes personal data.