Think Google Analytics is the only thing tracking IPs on your site? Hardly!!!
It goes way deeper than you can imagine, and has opened a huge can of worms for anyone doing business online.
Discover how the move to become completely GDPR compliant could tank your biz.
What’s at Issue
An IP address is considered to be personally identifiable information by the GDPR.
For you and me as site owners, it’s pretty hard to trace an IP address to an actual person who we can call by name.
But, if it can be coupled with a known account, tracking and IP back to a person is pretty easy.
GDPR Attacks Google and Facebook Immediately
LOTS of web surfers have both Google (mainly Gmail) and Facebook accounts.
If your site uses Google Analytics and/or Facebook Pixel Tracking, you are sharing the IP address of your site visitors with them.
Those big guns can easily trace IPs hitting your site to one of their account holders.
And that’s why the GDPR brought suit against Google and Facebook immediately.
Both of them use the IP info you share to target ads to that person based on their web surfing history.
You’re Being Tracked this Way Too!
Ever shop for something online and then jump onto Facebook and see an ad for the same thing?
Yep, the IP/account holder identification happens that fast!
Even your browser is in on the game, as it holds your site visit history and all associated cookies.
That’s supposed to be for your convenience with logging in and not showing you things that site owners selected to only display to first time visitors and such.
Can you imagine seeing a pop up you turned off every time you visit your favorite site? How annoying would that be? Aren’t you glad that site knows you are a frequent visitor and keeps it off?
But, the browser makers get something out of all this too.
Keep in mind that when you are given some tool to use for free, YOU are the product!
IP Rabbit Hole
IPs are being tracked on your site WAY more than you can imagine.
IP trackers also include:
- Server logs at your host (for security)
- CDN, like Cloudflare (for security and analytics of the bad bot filtering they do for you)
- Google Fonts (this one is a rumor and I haven’t verified it yet, but betting it is true)
- WordPress
Yep, there are certain cookies you can’t even disable or your whole WordPress site would croak.
You know, things like your login.
That cookie has to persist for you to stay logged into your site as you jump around different admin pages.
And your blog post commenters have a persistent cookie too. That’s especially true for those comments held in moderation.
In fact, that specific cookie is one I had to clarify in my site speed tests with regard to settings in caching plugins. (Here’s the one for WP Fastest Cache. I had to contact the dev of it and WP Rocket to clarify what constitutes a logged in user so I could properly advise how to configure that setting and ensure that leaving it off was correct.)
There are about 5 other essential cookies that WordPress sets too.
Bottom line – you can’t turn off ALL cookies.
And you can bet your bottom dollar that Google and others, including site security providers, will be arguing that their cookies are also essential under the super vague GDPR regulation of “legitimate interest” too.
So Now What?
With trillions of advertising dollars on the line, this part of the GDPR debate will never be over.
And it’s not likely that all sites everywhere will fall into an agreed upon set of what is acceptable compliance.
It is 100% likely that sites will continue to fall along a spectrum of compliance for the next several years.
The main thing is – GDPR is here to stay.
Data privacy is a real concern.
Some site surfers are getting more savvy about protecting their data and how it is used and taking control of it themselves at their browser level.
But the fact remains that there are 4 billion site surfers and the overwhelming majority of the them don’t give a rat’s patootie about any of this and will continue to remain careless with their online privacy and security.
We, as site owners, are the ones sweating all this GDPR stuff, not most of our site visitors.
And, there is only so much we can, or should do, to be GDPR compliant while so much debate is still raging.
Wow. Amazing and scary!!!
Wow! I am right this minute wrestling with the privacy page for my new site. It is all very weird for a non-geek like me. I think I need to get a cup of coffee and chill for a bit, and try and let this all sink in
.
What a headache it would be without your up-to-the-minute appraisal of the ongoing situation. I will keep watching the Blogaid news and tips and do my best to comply with the regulations. The one saving grace for me is that I am not a commercial site. It must be so hard and scary for those whose living is tied up with their online interests.
Not being a commercial site won’t matter. Folks think that same thing with regard to security too.
Yes, I understand what you are saying, MaAnna, and agree.
I simply mean that being a non-commercial site I do not have to worry about my livelihood going down the chute. I will still do all I can to comply with the regulations. But I am heart sore for business people, especially small businesses, for whom the fear of loss of revenue, or even a fine if they are not considered to be compliant, is a real stress.
IP blocking hit me personally this morning. I went to the site of our local newspaper (of which I am a paid subscriber) and was told that because I was in a country blocked under GDPR, access was not allowed. I was on my iPad. I switched to my iPhone and all was well. That proved to me that IP addresses can jump around. We are in for a wild ride.
I’ve had a similar thing happen when logging into my own Cloudflare account from my PC, which is hard wired to my router.
That triggers on IP addresses and obviously it had rotated recently.
Even with recording consent for everyone, you could have an IP for their hard-wired connection, for wifi off the same router, and then anywhere they are accessing via phone on 3G/LTE, etc.
Yep, this will be one wild ride for sure!!!!!!!!!!!!!
Good grief! Thanks for the continuous updates, MaAnna.
This one is the biggie in the whole GDPR hoohaa.
I read somewhere (don’t remember where) that we can make IP addresses anonymous in our Google analytics when not using them for ads. Do you know if that is true and how to do it if it is?
I believe that is the case too, Kelly, but you still have to report using that tracking. And you’ll want to find Google’s instructions for doing it. I haven’t tried it yet.