How does Real User Metrics affect user privacy and GDPR compliance

I’m interested in knowing if Netlify uses its RUM script tag to track users and store personal information or IP addresses?

It’s a pretty simple question, but there doesn’t seem to be any information on how the tracking affects the privacy of our site’s visitors.

Many Thanks

Netlify already collects IP addresses and probably some PII as mentioned in our privacy policy: Privacy Policy, so the script or not won’t make much difference with that.

Hi @hrishikesh, thanks for your response.

Are you saying that Netlify collects PII on every visitor to my websites?

Or that Netlify collects PII on users of Netlify, e.g. customers of the netlify platform?

If it’s the former, I think that would be a major problem. If it is the latter, then I’d still like to have some information on how Netlify RUM tags affect user privacy.

Many Thanks

IP is listed as PII in GDPR, I suppose. So yes, Netlify collects IP of all requests made to Netlify. Most, if not all the servers around the world do that, there’s no surprise about it.

What other PII are you worried about?

You can also read:

Thanks again for the reply — I think it may be down to whether or not Netlify is collecting and processing the data for reasons other than serving a webpage.

If everyone who visits my website has their IP address stored, and then saved along with every other website they visit or that data is sold to data brokers — that would be an issue.

The privacy policy and privacy commitment seem to be related to customers of Netlify, not people who visit a site hosted by Netlify.

I think it would be handy to have another document outlining what Netlify does with the data from site visitors — or just extending the privacy policy so it’s made clear that it isn’t just for Netlify account holders.

Thanks again

Netlify cannot define a privacy policy for the sites served by Netlify. We don’t know the nature of the site, what data they collect and what they do with it. We saying “all sites hosted on Netlify will have their data securely stored” would be incorrect as someone can easily deploy a site that collects user data and sells it somewhere.

We can only talk about Netlify - not the sites hosted on Netlify.

I think that’s the heart of the issue, but the other way round. I can’t tell my users that their data is secure, because there’s no clear guarantee that Netlify is not collecting or selling their data through my site.

I think Netlify just needs to make it clear that the Privacy Policy doesn’t just refer to customers of Netlify — e.g. people who have a Netlify account — but to visitors of sites on Netlify. I don’t think that means Netlify needs to guarantee every site is not collecting data, just that Netlify is not collecting data from visitors to the site.

The nature of data collected by Netlify from users’ sites is listed on the first link I shared. Towards the bottom of the page there’s a Netlify DPA that says all that.

Thank you, that’s very helpful.