Yeah, you're putting too much emphasis on consent. It's only one of six lawful bases for processing data, and in fact the one with the most stringent rules.
I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:
"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
There's a three part test:
1. Identify the legitimate interest: ensure the security and stability of my systems.
2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse
3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.
Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
> I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
Every business owner in Romania knows two things:
- the IRS equivalent will investigate them periodically, usually every few years
- they will ALWAYS find something to fine the company for
Sure, you will have to correct the something, but that doesn't mean you don't have to pay the fine anyway.
Also, incidentally, the company I was branch manager for has been once investigated by the police for credit card theft (they received a complaint). They couldn't find anything (because we didn't steal any credit cards - we just had a lot of computers because we were programmers, working for the main company in the US) but, in order not to have wasted the raid, they decided to prosecute us for copyright violations (they found a few pirated games).
So, at least in Romania, there is no such thing as "correcting mistakes before fines come into play".
If your business was in the UK, the ICO can and would be able to stop you processing data, and get a search warrant for your business address. This is because they report directly to the government.
I doubt you'd be able to fix any issues before they get involved.
I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:
"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
There's a three part test:
1. Identify the legitimate interest: ensure the security and stability of my systems.
2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse
3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.
Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...