Is Umami stil privacy focussed and GDPR compliant (Aug 2024)

[artfulrobot]

GDPR & CCPA

Umami never collects any personal information from your visitors so it is fully compliant with GDPR and CCPA.

Data anonymization

All visitor data is anonymized to protect your visitors' privacy.

Source: https://umami.is/features

and

1. Is Umami GDPR compliant?

Yes, Umami does not collect any personally identifiable information and anonymizes all data collected. Users cannot be identified and are never tracked across websites.

Source: https://umami.is/docs

This has bothered me for a while, but when I came across the latest release announcement #2896 I felt I had to poke around about this claim.

So it looks like Umami provides means for identifying people personally and the data is not, as it would seem, anonymised.

I deployed Umami on the basis that it didn't require cookie consent and that it respected privacy and was suitable for us in a country under the EU/UK's GDPR: are these still tenets of the project? I don't get the divide between the "privacy respecting/focussed" and the docs that are like "hey, here's how you collect someone's email" (via identify() in the new release but also in the event docs). It's left me unclear as to which bits of it are and are not privacy respecting. Clarification would be great as privacy is important!

[seedy]

I permit myself to answer, if it may reassure you, until someone from the umami team gives a more official answer, if need be.
As long as you don't store personal data, umami complies by default to GDPR.

They document collecting someone's email, because in the end, if you wish to collect that data it's your decision, they are not liable on that.
This example feels a bit clumsy, but there are cases where you might want to track custom data worth your use-case, which would still not identity someone specifically.

[artfulrobot]

@seedy thanks for replying.

I feel this leaves the product as not privacy-focussed, but privacy capable, if you don't use some of its built in features, or you use them carefully (as in not following the examples on the website).

I'm not opposed to using it to collect personal information; sure there could be valid, even privacy-respecting use cases.

But I think that while Umami markets itself as privacy-first/privacy-focussed, GDPR + CPPA compliant, its docs need to match. So if you have docs saying Look you can store the customer's PII (personally identifiable informstion) this way then they need to be accompanied by a reminder that this may make your use case non compliant.

e.g. what about something like this in the docs whenever an example/feature exposes PII?

    Warning: Privacy/Compliance risk.
 
    Using Umami to record page views is privacy-respecting, GDPR and CPPA compliant.
    This may not hold true if sending personally identifiable information (e.g. through event data).

[uiii]

I am interested in this topic as well.

I recently found an old discussion on HN (https://news.ycombinator.com/item?id=24201595) where @mikecao wrote he is removing the GDPR compliance claim from the website.

But if I look now, there is a mention about compliance on the website
.

So how is it? Is it compliant or not? Has anything changed in the umami tracking techniques since the HN discussion?

[mindplay-dk]

A lot of people seem to think that being "GDPR compliant" implies you don't need to ask for consent.

When analytics solutions like Matomo, Plausible, or Umami claim to be "GDPR compliant" and operate without cookies, this does not automatically mean you can skip asking users for consent. The need for consent under GDPR depends on what data is collected and how it is processed, not just whether cookies are used.

https://www.perplexity.ai/search/when-cookieless-tracking-solut-QLMVr7uJQFumNm.5Vl1IUA#0

Umami’s server-side tracking is not inherently GDPR-compliant solely due to its technical design. Compliance hinges on:

• Whether the UUID constitutes personal data (likely yes under GDPR Article 4 3).
• Adherence to consent, data minimization, and user rights requirements: While Umami’s anonymization efforts align with GDPR goals, the pseudonymous nature of its UUID and lack of built-in consent mechanisms may necessitate additional safeguards for full compliance

https://www.perplexity.ai/search/umami-claims-to-be-gdpr-and-pe-gRnu0X6HQ6a8SwLjFdIO3A#0

I worked on a cookie consent solution for a few years, and to the best of my knowledge, under GDPR, you always need to inform users about data collection practices.

It's not about cookies or client vs server side tracking - GDPR doesn't regulate the use of cookies, it regulates tracking.

It's interesting to note that none of these services explicitly say in their marketing that cookieless means you don't need consent.

To my understanding, it is easier to be GDPR compliant with tracking solutions like Matomo, Plausible, or Umami - but they are tracking and data collection solutions, and they are not exempt from GDPR compliance just because they create the user/session ID on the server.

If you're a lawyer with GDPR expertise, please feel free to challenge my assertions. 🙂

[mindplay-dk]

The ePrivacy directive is not mapped 1:1 to GDPR, so you need to look at both individually.

This is part of the confusion, and likely part of the reason why the ePR is going away.

The conclusion is that even a cookieless and GDPR-compliant web statistics probably will need user consent.

That was my conclusion, so which part is "misguided"?

Fathom's advertising? Plausible's? Umami's? 😅

They all seem to strongly imply or even directly state that you can "ditch" cookie banners...

[fuzzy76]

What I see as misguided is the hard focus on wehther or not something is GDPR-compliant as a determinator for whether or not you need consent.

[mindplay-dk]

follow the law is misguided? I'm afraid I don't follow.

[fuzzy76]

If the question is "do I need to ask for consent", GDPR-compliance is not the largest hurdle to pass, ePrivacy directive compliance is. Being GDPR compliant is not enough to tell whether you need to ask for consent.

[mindplay-dk]

Well, the ePD section 5.3 is pretty simple.

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

You have to ask for consent.

This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network,

Not applicable.

or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

They did not explicitly ask you to collect statistics, so, not applicable.

That's the whole text.

There are no other exemptions.