
> Almost all websites make money through ads,

Doesn't require tracking of individuals.

> or at least keep logs of user activity to help them optimize their website

Doesn't require tracking of individuals.



> Doesn't require tracking of individuals.

Only if you maintain your own ad inventory, instead of using Google/Facebook ads like 90% of online advertisers do. And neither of those platforms work without installing their scripts on your site.


Sure, lots of people want to sell my data. That's a choice. You don't need to do that for advertising - it's a pretty recent invention having fully personalised adverts.


And they did it that way because they could. It could be done a different way.


It would be like opening an independent video store when the entire market has moved to streaming. Yeah you could try it, but there are good reasons not to.


The only change needed is to let people default to no.

After all, Google and Facebook still show ads if a user doesn't consent, right?

I bet they'd add that option in a heartbeat if people would leave them otherwise.

The scale of this kind of thing is ridiculous. Opening a basic news site and I'm asked to consent to my data being taken and used by 750 companies.


> Doesn't require tracking of individuals.

Building a house doesn't require powertools, but if your company tries to do it with handtools we'll see who goes bankrupt first.


Building a house doesn't require using cheaper but more dangerous materials either but people try to, that's why we have regulations.

Analogies can be pithy but are rarely useful as an argument. Talk about reality.


Analogies are even less useful when you make it to a widely regulated sector and seek anti-regulation analogies.

I am sure the construction sector is overflowing with grumpy people who feel like asbestos is the best form for isolation.


Correct me if I'm wrong, but aren't IP addresses considered to be "personal information" and therefore collecting them is "tracking" under the GDPR?


Yes but it depends what you're doing with them as to whether you need consent. If you're keeping a record of my IP address and what I do on your site to sell me stuff then yes you're tracking me and need my consent for that. If you've got my IP address in your logs because you keep security logs for reasonable timeframes then you don't need my consent - though you do need to handle them appropriately because it's my personal data.


My guess is that they are because ISPs may keep records of them—I think they are required to in some jurisdictions. But you don't have to store IPs in your server logs.


You're also allowed to store IP addresses in your logs, you just have to take care with the data and the reason you're storing them needs to be justified - either because you have a legitimate interest in doing so (e.g. security) or because you have my explicit consent.

If I order something from an online shop, they don't need to have a banner in order to take my name and address to post the item to me - that's fully expected and reasonable. They do need my consent if they want to use that to post adverts to me though.


What else would you need my IP address for?


Uh...DDoS and spam protection?


Then store it for that purpose, don't use it for anything else, and delete it when it's not useful anymore (realistically, for these purposes, after a few minutes to an hour?).


Ok so now a criminal just needs to avoid being detected for an hour and the logs are self wiping. Sounds like a feature they’ll love!


I thought this was about DDOS and spam protection. If you want to move the goalposts, state that explicitly.


How is that misaligned with your DDOS? It’s not moving the goal posts at all, you just didn’t think of that possibility and now are upset.


How can you DDOS if you can only connect once per hour?


Keep them as long as is reasonable, then delete them.


Reasonable means different things in different countries and industries. Some require 14 years of retention.


Absolutely, and GDPR doesn't get in the way of those legal obligations. The point is that you can do what is necessary or expected to provide the service without consent, and you can do much more with consent.



