Skip to content

GDPR compliance #582

Description

@simonjnesta

Recently we've been tightening up how we use the gem to make us fully GDPR compliant, and I was wondering if you'd be interested in having any of the following as upstream PRs as additional options for ahoy/ahoy.js to make it more compliant:

Removal of IP and User Agent from database

A user's IP and User Agent together, even when masked, can be used to identify users, so is considered PII under GDPR. To fix, we've just dropped them from the database.

Daily resets of anonymity sets to eliminate/limit PII

Currently, ahoy will take the hash of the user's IP and User Agent to track them across visits. Unfortunately, because this can still be used to identify individual users, it's still considered PII under GDPR.

To fix, we've added a pepper to the anonymity set hash that gets reset daily. This is how a number of other privacy-focused analytics tools do it.

def visitor_anonymity_set
  @visitor_anonymity_set ||= Digest::UUID.uuid_v5(UUID_NAMESPACE, [
    "visitor",
    Ahoy.mask_ip(request.remote_ip),
    request.user_agent,
    anonymity_set_pepper,
  ].join("/"))
end

private def anonymity_set_pepper
  Rails.cache.fetch("ahoy_anonymity_pepper", expires_in: 1.day) do
    SecureRandom.hex(32)
  end
end

Anonymity set opt-out

Using the above method to limit the anonymity sets to a day, we still need to provide a mechanism for the user to opt-out. We are using the statistical purposes exception as defined by the UK's ICO to allow us to store anonymity set hash (which is PII until the pepper expires) so other countries may be different. They state:

As part of relying on this exception, you must provide the user or subscriber with clear and comprehensive information about the purpose, and a ‘simple and free’ means to object.

As such, we've added some functionality to disable the anonymity sets via a ahoy_dnt cookie that will conditionally remove anonymity sets.

Cookie opt-in

Given that anonymity sets only track users across a single day, it would be useful to have the option to use cookies when a user has consented so we can track across multiple days. This isn't something we've done as it's a bit more complex to monkey-patch, but it would exist in an ideal solution.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions