HACKER Q&A
📣 aliswe

GDPR might mean we cannot request any 3rd party service in the US?


The rules and regulations of GDPR are sending shockwaves through the Data & Analytics community with rulings such as the Austrian news site vendor who was convicted for using Google Analytics without consent, and just now a German website was fined 100 EUR for using Google Fonts on a website without consent.

If the GDPR is in fact to be interpreted in this literal way, and assuming Google Analytics doesn't take any measures to become compliant, we will need to replace Google Analytics on our platform with a self-hosted, open source analytics tool like for example Matomo.

If this includes other tools like Google Tag Manager, those tools will need to be replaced as well.

Should we assume that Google is on top of this and will "publish a fix" in order to become compliant? It's not a small actor so it surprises me that we have so little official guidance and/or assurance that they are on top of this. Are they paralyzed?

What should we do here? What are you going to do?

Worst case for us, I guess, is to go back to 90's style web programming where everything is self-hosted, which is fine I guess, but quite far from how the world commonly works right now.

I don't even want to think about the fact that GDPR might even ban the usage of Azure and other cloud vendors, because of the simple fact that the CPs (and any hosting company) will definitely get the IP address of a web visitor regardless.


  👤 foxfluff Accepted Answer ✓
> Should we assume that Google is on top of this and will "publish a fix" in order to become compliant?

Powerful though they may be, I don't know if Google is powerful enough to fix the US laws. I think the problem here is that if US laws do not guarantee privacy protections for people abroad, then it doesn't matter what a US company does. They can't publish a fix.

The only surefire fix may very well be to stop using services run by companies in a hostile regime.

Yes, it's quite the shock. I'm not going to do anything because everything I run is already fully hosted in Europe by European companies.


👤 phillipseamore
Google Fonts is specifically created and maintained to collect more data points for Google. Just an IP and user-agent is enough to fully identify a user that is known to them - and then they use referrer/origin headers to monitor the usage of a site using Google Fonts.

Azure's primary business isn't to collect data about users, Google's is.

Hosting providers and CDNs are legally very different from third-parties that you insert into a website.

Having all resources under the same domain is a great boost to performance. Self-hosting fonts can speed up website loading anywhere from 250ms to 1s.


👤 XCSme
I think the future is indeed self-hosted. Nowadays, it is so easy to set up your own server running your own apps (e.g. your own blog instead of Medium, Nextcloud instead of Dropbox, etc.).

Not sure how big your company is, but if you don't serve millions of users monthly, you could check out the self-hosted analytics platform I'm building: https://www.uxwizz.com/


👤 marssaxman
Sounds like the law is working as intended. I'm glad to hear it.