Támogatás

Tudásbázis

Statcounter and the GDPR

Statcounter is an anonymous web tracking service. We don't attempt to identify an individual person . Our focus is on what visitors to your website do, not who that visitor is. Therefore most members who use Statcounter won't need to adapt their behaviour of Statcounter to comply with GDPR. However we have identified two areas where there will be a need to modify behaviour.



IP Labels and Custom Tags



We will no longer allow any personal data to be stored in our IP labels or custom tags.



GDPR and IP addresses



The GDPR makes it clear that an ip address and other cookie identifiers may be considered personal data.



(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.



https://www.privacy-regulation.eu/en/r30.htm



However, for an IP address and other identifiers to be considered personal information, a user must be able to identify the person behind the IP address. As a regular user of Statcounter is not able to do that, an IP address should not be treated as personal data. There is legal precedent for this in the Irish High Court. They made the eminently sensible ruling that in the hands of an ISP (who controls that ip address range) that should be considered personal data, however in the hands of a record company who can't identify the individual behind the ip address it should not be considered personal data.



Irish High Court Ruling in EMI Records & Ors -v- Eircom Ltd



If an IP address were to be treated as personally identifiable information for all users it would have a number of bad effects.



a) The internet cannot work under GDPR if an ip address is always considered personal data. Under GDPR you can only store personal data with the permission of the user. You can't connect to a website without giving your IP address to the web server. If the web server can't store the IP address without first getting permission, then the initial connection to the website cannot happen.



b) If ip addresses were treated as personal data it would make defending your website and advertising budget from bot networks and click fraud rings extremely difficult. The IP address is the crucial piece of information required to detect, investigate and defend against many kinds of attacks, and a bot network is not going to give you permission to store its IP address.



We would strongly support the argument that in the hands of an ISP who control that ip address range, that is personal data but in the hands of anybody else who cannot relate that IP address back to a person it should not.



We would strongly support the argument that in the hands of an ISP who control that ip address range, that is personal data but in the hands of anybody else who cannot relate that IP address back to a person it should not.



If for your organisation, an IP address does constitute personal data, then you can turn on the "mask ip address" setting available in project settings. This will remove the last octet of the ip address. e.g. 203.102.102.98 would become 203.102.102.*

Answers to the majority of questions we receive can be found here in the knowledge base.