I found a handy site for taking notes, but everything it says about the privacy of this one:

“Anonymous by default, no adverts. We offer a high level of privacy for both writers and readers. You don’t need to create an account to post something. There are no adverts on the entire page and we don’t use any social media scripts. You can rest assured that information about your activity on the site will not be used by advertising companies or social media.”

This is in the “About” section.

There is no information about what information the site collects about the user.

  • @[email protected]
    link
    fedilink
    3211 months ago

    Legally, it should mean no personally identifiable information is collected, since they are not accurately described. In practice, I’d expect at least IPs to be logged, but not used meaningfully. This is of course if the site services the EU.

    • 𝘋𝘪𝘳𝘬
      link
      fedilink
      311 months ago

      If the site services the EU and does not have a privacy policy it’s downright illegal according to the GDPR.

      Art. 14 GDPR, “Information to be provided where personal data have not been obtained from the data subject”:

      Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information […] the identity and the contact details of the controller […] the purposes of the processing for which the personal data are intended […] where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation …

      https://gdpr-info.eu/art-14-gdpr/

      • @[email protected]
        link
        fedilink
        1411 months ago

        Is it just me or does this not make sense? It says you must declare the purposes of the processing for which personal data are intended, but this is under the section for when no personal data is collected. How does that work?

        • @sudneo
          link
          311 months ago

          personal data have not been obtained from the data subject

          Reads to me like data that I (data subject) did not provide myself, but that the processor collects. I guess an example could be IP address.

          • Max-P
            link
            fedilink
            411 months ago

            That’s what we’ve been taught at work, and also my general understanding of it.

            You don’t need a policy or a banner if you don’t need to inform and gather consent from the user. It’s just that nearly everyone does, so nearly everyone needs one. And big companies can’t even begin to imagine one would not collect any data at all. So Google and Apple both require a policy to publish an app, even if it just says “we don’t collect anything”.

            It may reassure users however to be explicit that you don’t collect anything, since now people assume the worst about everyone, especially when there’s some form of company involved.

            But if your site is just static HTML, there’s no user accounts and you don’t collect any statistics and have server logs turned off, you’re not collecting or processing any personal data. So you’re good. You can’t be sued for processing data you don’t have.

            Companies also tend to prefer to side with caution: you’re better off doing more than is strictly required than risk a lawsuit. The GDPR is pretty vague, so you might as well have one to cover your ass.

            • 𝘋𝘪𝘳𝘬
              link
              fedilink
              211 months ago

              IP addresses are seen as personal data. So if you’re a sane person who does logging and analyzes the result, you need a privacy policy.

              If you embed external fonts/scripts/images/etc. you also need one.

              • @[email protected]
                link
                fedilink
                English
                111 months ago

                Are they? I would have thought that the IP address of someone accessing a site is public information.

                • 𝘋𝘪𝘳𝘬
                  link
                  fedilink
                  2
                  edit-2
                  11 months ago

                  IP addresses are considered personal data.

                  The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier […]. Since the definition includes “any information,” one must assume that the term “personal data” should be as broadly interpreted as possible. This is also suggested in case law of the European Court of Justice, which also considers less explicit information, [such as] IP addresses.

                  https://gdpr-info.eu/issues/personal-data/

                  The whole article is a great read, btw.

                  “Personal data” (and thus the protection of it and how organizations servicing EU citizens have to handle them) is much, much, much, more than just your name.

          • @[email protected]
            link
            fedilink
            111 months ago

            More generally any personal data obtained from a third party. E.g. if you’re generating a credit score you might contact someone else with a record of financial transactions.

            • @sudneo
              link
              211 months ago

              Yeah, that sounds even better.

          • @[email protected]
            link
            fedilink
            511 months ago

            Found someone salty that their site didn’t comply and is big angy about having to clean it up and stop being shady 😏

                • @[email protected]
                  link
                  fedilink
                  English
                  111 months ago

                  To be fair, depending on your interpretation of “shady” I’m pretty sure you can find a lot of laws most people wouldn’t describe someone ignoring to be doing anything shady. ( I think that sentence should make sense)

      • @[email protected]
        link
        fedilink
        511 months ago

        That section is only applicable if personal data has been obtained by some means other than from the data subject. If a site doesn’t collect or process any personal information, period, then that section (and the rest of the GDPR) isn’t applicable.

  • @nnullzz
    link
    1011 months ago

    Sounds like either they’re just being lazy and trying to avoid generating a privacy policy, or they’re up to no good and trying to be vague on purpose. I lean towards the former.

    If they don’t have ads, that means there would be no cookie tracking which is what I think they’re trying to explain. But if they have login available, they might still use cookies to remember who you are.

    Privacy policies can be generated in a few minutes online. And nowadays with GDPR, you would think it’s a no brainer to properly let your users know what you’re collecting.

  • Big P
    link
    fedilink
    English
    1011 months ago

    It’s probably made by one person or a small group of people in an unofficial capacity meaning they’re not doing eveything they should. So it could mean anything really.

  • @[email protected]
    link
    fedilink
    English
    111 months ago

    I believe the GDPR doesn’t require quite a few of the things in that law unless the company is above a certain size. May have something to do with that.