We have designed the solution in line with the GDPR principles of data protection by design and by default (as stipulated e.g. in Article 25). As an implication of this, we do not process personal information of your website users on your behalf and hence you do not need to sign a DPA with us.
The technical explanation is as follows:
- We only process the IP number of the user in-memory during anonymization of the IP. It is never persistently stored. With ”in-memory” we mean the temporary, volatile, non-persisting memory module on the webserver which receives the network request from a user’s device. All network requests contain per standard the requester’s IP number and will only exist in memory until a response has been sent back by the webserver. As soon as the request is received at the webserver and at the earliest technically possible stage, the IP number is anonymized (still only in memory) without ever being persisted.
- We do not consider the in-memory only anonymization of the IP number to fall under Art. 4(2) GDPR, as the IP number is never persisted. If this was the case, all network hubs on the entire internet would fall under this section, which would in practice prevent all network traffic.
- Also worth mentioning that webservers generally maintain a log of all requests, including IP numbers, but Cookiebot’s webservers have specifically been configured not to persist the IP number in the log.
- The anonymization of the IP number is done by removing the last 16 bit of IPv4 addresses and by removing the last 96 bit of IPv6 addresses. The remaining numbers from the IP address (not personally identifiable) will then be stored in our log along with the unique consent ID that we assign each consent obtained. The unique ID is at the same time stored along with the consent-string in a cookie in the browser (with the consent-string in turn informing your website which cookies and trackers are allowed to be set there).
- If a user questions if a valid consent was indeed obtained by you, you can ask the user to visit your cookie declaration on the website in question and share the unique consent ID and consent date with you, which they will find shown on the declaration (this information is automatically fetched locally from their consent cookie). From the consent log, which you can download from Cookiebot, you can then look up the user's consent details with the provided consent ID, date and domain name and thereby prove that valid consent has been obtained.