Is Umami stil privacy focussed and GDPR compliant (Aug 2024)

[artfulrobot]

GDPR & CCPA

Umami never collects any personal information from your visitors so it is fully compliant with GDPR and CCPA.

Data anonymization

All visitor data is anonymized to protect your visitors' privacy.

Source: https://umami.is/features

and

1. Is Umami GDPR compliant?

Yes, Umami does not collect any personally identifiable information and anonymizes all data collected. Users cannot be identified and are never tracked across websites.

Source: https://umami.is/docs

This has bothered me for a while, but when I came across the latest release announcement #2896 I felt I had to poke around about this claim.

So it looks like Umami provides means for identifying people personally and the data is not, as it would seem, anonymised.

I deployed Umami on the basis that it didn't require cookie consent and that it respected privacy and was suitable for us in a country under the EU/UK's GDPR: are these still tenets of the project? I don't get the divide between the "privacy respecting/focussed" and the docs that are like "hey, here's how you collect someone's email" (via identify() in the new release but also in the event docs). It's left me unclear as to which bits of it are and are not privacy respecting. Clarification would be great as privacy is important!

[seedy]

I permit myself to answer, if it may reassure you, until someone from the umami team gives a more official answer, if need be.
As long as you don't store personal data, umami complies by default to GDPR.

They document collecting someone's email, because in the end, if you wish to collect that data it's your decision, they are not liable on that.
This example feels a bit clumsy, but there are cases where you might want to track custom data worth your use-case, which would still not identity someone specifically.

[artfulrobot]

@seedy thanks for replying.

I feel this leaves the product as not privacy-focussed, but privacy capable, if you don't use some of its built in features, or you use them carefully (as in not following the examples on the website).

I'm not opposed to using it to collect personal information; sure there could be valid, even privacy-respecting use cases.

But I think that while Umami markets itself as privacy-first/privacy-focussed, GDPR + CPPA compliant, its docs need to match. So if you have docs saying Look you can store the customer's PII (personally identifiable informstion) this way then they need to be accompanied by a reminder that this may make your use case non compliant.

e.g. what about something like this in the docs whenever an example/feature exposes PII?

    Warning: Privacy/Compliance risk.
 
    Using Umami to record page views is privacy-respecting, GDPR and CPPA compliant.
    This may not hold true if sending personally identifiable information (e.g. through event data).

[uiii]

I am interested in this topic as well.

I recently found an old discussion on HN (https://news.ycombinator.com/item?id=24201595) where @mikecao wrote he is removing the GDPR compliance claim from the website.

But if I look now, there is a mention about compliance on the website
.

So how is it? Is it compliant or not? Has anything changed in the umami tracking techniques since the HN discussion?