14

A couple of months ago I've read that hosting google fonts on your own server is a better but maybe slower solution as loading content from google servers is already something that the users must be informed about due to submitting your IP to google.

Now I am realizing that basically the same thing is true for consent services that host the entire experience on their servers and give users only the service, am I right? They all claim they are safe to use, but I fail to understand how so.

I was testing a consent service that requires me to basically load their cloud hosted javascript code:

<script type="text/javascript" charset="UTF-8" src="https://cdn.cookie-consent-provider.com/<SOME-ID>.js"></script>

Now I can't get my head around whether this is already some sort of non-compliant GDPR behaviour because even if this provider would do everything to protect the data and be compliant, etc, I still would have to establish a connection to their servers first, in order to be able to inform the users because in some cases self-hosting this service is not possible due to a paywall or not-available at all.

So basically

  1. loading my website
  2. script loads cookie consent from remote server
  3. cookie consent is displayed

would be invalid because the user could not decide, nor decline step 2? He or she would send their IP to the remote address without consent.

The fun part is: What if the consent banner has no way of declining step 2.? I mean, this is weird because you would decline consent to access the consent servers.

§6 https://gdpr-info.eu/art-6-gdpr/ states that consent is required and if this is true, then no consent service unless self-hosting would actually be compliant?

Where am I wrong?

Samuel
  • 243
  • 1
  • 5
  • Is an IP address considered PII for GDPR? Seems unlikely when home IP addresses are generally ephemeral and can't easily be traced back to individuals without sub-poenaing their ISP. – ScottishTapWater Feb 13 '23 at 23:00
  • IP addresses are present in all IPV4 and IPV6 packets. And they are sent, received, and stored by all clients and servers that use IPV4 and IPV6 packets. For someone to even see a webpage their browser must establish an HTTP connection to a server hosting the page, and that involves the server storing the recipient's IP address for as long as the connection remains open. So, you can never even get to the point of consenting until your address is already stored on the server. Storing an IP is justified because it's necessary for the technology to operate. – user4574 Feb 14 '23 at 06:44
  • 2
    @ScottishTapWater Article 4 (https://gdpr-info.eu/art-4-gdpr/) states that it might be. Google Fonts was an issue, because with additional information obtained by google the IP might be "true" PII, or something. – Samuel Feb 14 '23 at 09:24
  • @user4574 I agree, but I don't know whether the GDPR agrees :/ . As stated in Article 4 https://gdpr-info.eu/art-4-gdpr/ it may become a personally identifiable information. And declaring it a basic element of the internet does not prevent laws of making things more complicated :D – Samuel Feb 14 '23 at 09:26
  • 1
    @ScottishTapWater "My" lawyers think it is - or at least it is not obviously not PII. GDPR does not really care who has the information necessary to make the connection. If a connection can be made - even an imperfect one - it is PII. That said "it's PII" doesn't automatically mean "you can't do anything with it". – Jacob Raihle Feb 14 '23 at 09:27
  • @JacobRaihle - I think you need a new lawyer. An IP address fundamentally does not identify a person so it's not "information relating to an identified or identifiable natural person" – ScottishTapWater Feb 14 '23 at 10:00
  • 3
    It’s worth correcting “PII”. That’s a USism not mentioned in GDPR where the atomic level of PII can identify an individual. GDPR talks about “personal data”, which is information that in aggregate with other personal data can identify an individual. – Robin Whittleton Feb 14 '23 at 10:18
  • @ScottishTapWater Virtually everything about the GDPR is absolutely insane; why should it surprise you that they consider IP addresses to be PII? – Mason Wheeler Feb 14 '23 at 16:57
  • 2
    @MasonWheeler - GDPR isn't insane, it's a useful piece of legislation to try and wheel back some of the ridiculous shit that tech giants have been doing with our data for years. It would surprise me that IP addresses were covered under GDPR because I've been writing software in a GDPR compliant way for years for various companies, and we've never had any issues with IP addresses being considered PII. I've been through several audits of our GDPR compliance too. – ScottishTapWater Feb 14 '23 at 17:08
  • @RobinWhittleton - An IP address can't be used to identify a person with any level of confidence, even in aggregate with other data, unless you're the ISP of that person. IP addresses are dynamic, they're reassigned regularly, it's impossible to disambiguate between the devices on a network, let alone the multiple users that a device has – ScottishTapWater Feb 14 '23 at 17:10
  • @ScottishTapWater IP addresses in a lot of contexts probably fall under (b) or (f) but not if you just send them to a third-party for no real reason. Note that it is trivial to just put a font file on your own server instead of Google's! – user253751 Feb 14 '23 at 20:00

1 Answers1

23

The critical part is the nature of the relationship between you, the website provider, and the provider of the material you embed.

If the embed-provider acts as your data processor, then things are generally fine. The GDPR does not really distinguish between personal data processing activities that you perform yourself versus activities that you've outsourced to third parties. However, you would remain responsible for compliance. This also means that per Art 28 GDPR, you will need a contract with that embed-provider (sometimes called a “Data Processing Agreement”, DPA). This contract stipulates that the processor will only use the personal data as instructed by you, but not for their own purposes.

With the Google Fonts case, it must be highlighted that Google does not act as a processor for this service. Google does not offer a DPA that covers the Fonts CDN. While Google promises that it doesn't use the personal data collected in this context in any nefarious way, there are zero contractual guarantees for website providers.

So we have to consider the scenario when the embed-provider is an independent data controller. We as the website provider have no control over what the embed-provider does with the collected data, our control only extends to whether or not we cause the website to disclose data to that third party. But this is still processing as personal data (see also the CJEU Fashion ID case), and we need a legal basis for this data sharing.

In the Google Fonts case, the court in Munich found that there was no legal basis for using Google's CDN. There was no consent, no contractual necessity, and no necessity for a legitimate interest. After all, these fonts could all be self-hosted.

(Technical remark: and given how modern browsers enforce cache isolation and provide HTTP/2, serving fonts from your main domain is probably faster anyway).

Consent management services will typically act as your data processor. You don't need a legal basis for “sharing” data with them, because the processing remains under your control. As far as the GDPR is concerned, loading a script from your processor's servers is equivalent to loading a script from your own servers (which you're probably hosting via a another data processor anyway). Sometimes, the necessary data processing agreement is already part of the standard terms of service, sometimes it's a separate document that has to be signed. Figuring this out is your responsibility as the data controller, before deploying the service.

Art 6 GDPR doesn't say that you always need consent. It says that you need a legal basis, for which paragraph 1 enumerates six choices. For a lot of use cases, a “legitimate interest” will be appropriate, though it requires a balancing test. Sometimes, other laws mandate that you use a particular legal basis. For example, the ePrivacy Directive says that you must get GDPR-consent when accessing or storing information on the user's device (such as cookies), unless that access/storage is strictly necessary to provide a service explicitly requested by the user.

amon
  • 23,930
  • 3
  • 44
  • 76