[wp-meta] [Making WordPress.org] #7736: Google Tag Manager is called without consent

Making WordPress.org noreply at wordpress.org
Fri Aug 9 01:53:54 UTC 2024


#7736: Google Tag Manager is called without consent
--------------------------------+---------------------
 Reporter:  psmits1567          |       Owner:  (none)
     Type:  defect (bug)        |      Status:  new
 Priority:  high                |   Milestone:
Component:  WordPress.org Site  |  Resolution:
 Keywords:                      |
--------------------------------+---------------------

Comment (by vikingtechguy):

 **GDPR and Legitimate Interest**
 Under the GDPR, "legitimate interest" (Article 6(1)(f)) can indeed serve
 as a legal basis for processing personal data without obtaining explicit
 consent. However, this is conditional upon the processing being necessary
 for the legitimate interests of the data controller or a third party,
 provided these interests are not overridden by the fundamental rights and
 freedoms of the data subject, especially when the data subject is a child.

 Importantly, the GDPR requires a balancing test to ensure that the
 interests of the data controller do not override the rights and freedoms
 of individuals. This balancing test must consider factors such as the
 nature of the data being processed, the potential impact on the data
 subjects, and the reasonable expectations of individuals regarding the
 processing of their data.

 **ePrivacy Directive Requirements**
 The ePrivacy Directive (2002/58/EC), particularly Article 5(3),
 specifically addresses the use of cookies and similar tracking
 technologies. This provision requires that consent be obtained before any
 data is stored or accessed on a user’s device, unless the storage or
 access is strictly necessary for the provision of a service explicitly
 requested by the user. The European Data Protection Board (EDPB) has
 clarified in its Guidelines 2/2023 that this requirement applies broadly
 to various forms of tracking, including the use of cookies, pixels, and
 device fingerprinting.

 **Intersection of GDPR and ePrivacy Directive**
 While "legitimate interest" can justify certain types of data processing
 under GDPR, this does not negate the explicit consent requirements
 mandated by the ePrivacy Directive for activities such as cookie
 deployment or other tracking technologies. The ePrivacy Directive, as a
 lex specialis, takes precedence over the GDPR in matters related to the
 confidentiality of communications, which includes any tracking that occurs
 in electronic communications.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/7736#comment:10>
Making WordPress.org <https://meta.trac.wordpress.org/>