Efficient logging is crucial for business users.
So, as a discussion about philosophy / foundational principles:
At what point does logging become excessive?
How do we know if a plugin follows best practices with regard to logging?
What are the resource needs that have to be considered?
What sort of logs do you keep on your sites?
Certainly GDPR is a concern here.
Yes, it is.
However, I am thinking more along the lines of there being an existing contractual business relationship or an employee relationship on an access restricted / members only domain.
(I.e. you’re not collecting their information to market to them.)
In those cases, you would be entitled to log activity.
Not so sure… GDPR is not only about marketing.
Let’s say you are tracking the time spent on the site to address usability. You must tell that to your users and pseudo-anonymize statistics. You must not care if it is Mario or Simone spending so much time on it.
Everything about logging must have a lot of options to deal with the different actuations of GDPR in each country and in each policy.
As an example, I run a little business - dog training - where I want to keep everything easy, so I don’t collect any sort of data other than:
- anonymized web access statistics
Do you have a store where other people can register accounts? Or do you initiate your invoice process and just keep it online for convenience?
Do you offer an online support channel? E.g. a contact form?
Are you the only user with any sort of back-end access?
Not legal advice, etc. etc. Want to figure out what the perception is about this legislation:
Do you believe that GDPR prohibits you from logging system changes (e.g. changes to plugins), core version updates, creation of new users, changes to user profiles, etc?
(And who initiated them from where, of course?)
Do you believe that you are not allowed to log any attempt at access of a prohibited / restricted page (clearly marked as such)?
Do you think you are allowed to log malicious login attempts, including by bots?
Do you think it is possible for a site with multiple admins to be GDPR compliant without logging?
Tagging @timkaye too if he has an opinion.
My website is just like a brochure. And my second work is much like a hobby. So I’ve preferred to keep administrative/legal tasks as simple as possible.
So every choice is made in this direction.
I’m the only user, and the system administrator of the server where the site is hosted is me (working in my first job).
My system admin takes care of logging any malicious activities and root logins are kept in a signed and timestamped file.
I know that I could (and must) do a lot of things with collected data, even remarketing, but I just don’t want to have the same (huge) GDPR setup as the one I have in my first job!
Another problem is the country I live in. GDPR was “bundled” with our privacy law, resulting in something very complicated and not so clear even for lawyers. We are all waiting for legal sentences that will explain some points of the law!
Edited to fix typo.
In my opinion there needs to be a distinction between collecting data from anonymous users when they access publicly available information on your site, vs anonymous users when they attempt to access restricted information on your site, vs users with whom you have an explicit contractual relationship, like a customer (i.e. where you are using your website to deliver services to the customer, i.e. the service itself is digital) or a contractor / employee (who is consenting to online monitoring on YOUR service in their contract).
@ElisabettaCarrara Simone’s post may be something good to read for the third marketing persona?
Oh. The GDPR nightmare.
Well… Marketing personas and logged data.
First of all IMHO no user is really anonymous on the net.
One can argue data can (and may) be anonymized by hashing but… Your site logs IPs in the first place.
So, this is the first and most important data you log. Your site connects all the rest to this.
GDPR states you have to ask explicit consent for every data you collect.
But let’s make distinctions:
- “random” visitor. Arrives on your pages for the first time (you may or may not know the process bringing him there). AT LEAST if he just scrolls homepage you log his IP.
- “user with a purpose”. He arrives there because he has specifically searched you. May not be first visit. May perform actions on your site besides just scrolling. Here we have to understand that you collect not just IP and that if your site has a “roles management system” in place you are going to collect/retain/use different sets of data according to his role.
The interesting thing happens when you do one of the following:
- you offer a third party service on your site (for example the “click to tweet WordPress plugin”) where you transfer their data to this third party, and they need to be aware and agree to that
- you “sell” their data (or better the value of the data) by showing ads and/or directly selling them to advertising companies.
How much can you log?
For GDPR as long as you have consent you can log EVERYTHING.
Is it easy to list every single detail you log? No.
My policy? Collect as little info as needed to get the job done, not more.
And be upfront about that.
The real point is not how much you collect, but being fair about it.
Let’s suppose I run a role based membership restaurant site, I am obliged to profile the eating habits of my visitors, this can go to the extent of installing specific software to track where they go after visiting my site. One may think it’s not permissible according to gdpr, or that it may be unfair. As long as I explain what I collect and why it is useful and give the option not to be tracked, it’s fair and ok.
That’s why GDPR is a nightmare. That’s why it is scary.
Not so fair site owners may trick people into giving consent.
There are no limits to the data one can collect, hence marketing personas and profiling are brought to a level allowing fine prediction of behaviour.
That’s the hidden trick. The law basically says you can profile as long as you have consent. But people are unaware of what profiling really is and how effective it may be.
GDPR was issued to protect big names like fb and google.
It seems not at first…
I love the way that the distinctions are “random visitor” and “user with a purpose”.
I also love the way that you distinguish between “fair” and “unfair use”.
I wasn’t specifically pointing out Simone’s post because of GDPR though. (It was a pleasant bonus!)
I meant that the description of what she does with her site (using it like a brochure) fits in well with the third marketing persona of a casual/blog user (the other preliminary two being developer and “semi-corporate” early-adopter users).
Actually, just been teaching a class on GDPR! It applies to the collection and storage of any personal data unless that’s for purely household purposes.
Other reply addressing instead the other side.
What if I have a site where I need people to log in as let’s say admins or employees and perform actions?
What if I manage an online translating platform like babelcube?
Here it goes: as far as GDPR is concerned (at least in Italy) I can profile those people too.
I have to clearly inform them that in their position they are allowed to perform such and such and as a result of this I am going to store their logs history.
And as long as they consent…
And I may also use those data.
The aforementioned babelcube logs translators and their habits to propose them authors to translate, or to introduce them to authors. And also to sell them cat tools (assistive translation software) or proofreading services.
However one may think as a translator I have been informed while signing in? Not quite. This info was hidden in a paragraph stating some crap along the lines of “translators are profiled because we need such data to make their experience better”. For real? Oh, BTW… That line is totally legal. As long as the sheep accept it with no questioning whatsoever.
So yes, basically if you have consent you may even log the color of my eyes using the camera of my device.
Like if you have a drunken girl not able to refuse you may take advantage of her. (Sorry for this bitter line, it happens in Italy… And summarizes pretty well what GDPR is all about).
What constitutes household purposes for you though?
Does that include error logging to make sure that the user has a smooth experience?
Does it include security? So, if someone tries to access a restricted part of the site?
I would say household purposes for me means anything I need to do internally with the information other than marketing to someone, or selling their info (which I don’t do anyway).
@anon71742606, Household purposes means literally that: things like managing the family photos. So that exception is not applicable to the sort of sites you’re discussing.
Now, let’s say a “catalogue” is more of what a “user” makes of CP against a dev or early adopter.
Can be true, or not.
A dev may be a user of CP when he builds a software catalogue.
The distinction IMHO is among:
- I pay someone to build the site with CP. Hence I am a mere user of a software.
- I do my site on my own. Here I am a dev.
It’s not the use I make of CP. It is my involvement level.
And this links to GDPR.
The owner or who coded the site?
That is why the two topics on GDPR.
It’s not what you log, nor if you have consent.
It’s “are you the one responsible? Are you aware you are? What are you doing about it? Are you protecting yourself, the data AND the visitors?”
The GDPR says that responsibility is on the data controller. The data controller is the one who decides what data to collect and how. The controller is not necessarily the same as the processor.
Yes @timkaye. Right.
Here in Italy however site owners are not so aware of this.
I declined two jobs when I discovered the site owners were thinking I as a dev was responsible for their data collection. First I explained they were responsible. But when they were stubborn in telling me the law clearly indicated me as such I backed away…
@ElisabettaCarrara I don’t think many people are aware of what GDPR says, irrespective of which country they are in.
For example, I keep seeing people say that GDPR always requires a user’s consent. That’s not true. GDPR specifies several types of case where consent is not required.
Yes. That is exactly my point.
It all boils down to user understanding of a law that is written to be foggy to say the best compliment…
Some components of the GDPR are also incorporated in our local privacy legislation.
Plus, I have always believed in informed consent, so I would disclose the sort of information collected and what it is used for even if I didn’t need to.
I don’t allow any third party ads on sites and I don’t sell any information to anyone else.
Now, just using myself as an example, but there is a large user-base that this applies to.
But if you are running an access-controlled site for any reason (whether it is a membership site or serves as a sort of intranet), logging comes with the territory and we need to accept the privacy implications that come with that as an inherent part of doing business. It is unavoidable to a large segment of users.
All that is true. But you still have to inform your users of what you will be logging about them. That’s the principle of transparency.
After that, the question is whether what you are logging is necessary for the legitimate interests of your business. If it is – and necessary means no more than is necessary, so don’t store that data for too long, for example – then you don’t need users’ consent.
If you go beyond what is necessary, you do need their consent.
But, either way, you must still tell them what you are logging about them.