I was looking at adding a client-side option to a (GDPR-compliant) server-side geolocation plugin, but did not follow up with the 2 you mentioned because I would have had to register to use/test the API, and their privacy policies gave me the impression that data that might be considered PII was gathered.
Note: on my visit neither site (despite identifying my EU location) displayed a cookie bar of any kind, let alone asked me to accept cookies.
Ipstack (freegeoip): “Data processed when using the Services is processed by us only as a processor, not as a controller.” I assume this means your site is responsible for obtaining consent if required – which makes sense as the user is unaware they are being connected to the API site.
Under terms for API it says it “collects information, including standard information of the type normally exchanged when accessing any web site or web service” and refers back to Privacy Policy (presumably para 2.1, which includes IP, date time, site from, browser + version, operating system, and language).
To me the information collected is similar to Google Analytics (and the majority view appears to be that GA requires consent).
IPInfoDB privacy policy is even more opaque: “information may be kept in its identifiable form, or in an aggregated form (so that individuals cannot be identified)”; and a right to pass aggregated data to 3rd parties for business purposes.
Under “cookies” the policy mentions “user ID” and “tracking”. I assume this refers to the API service as well as website, as later it refers to turning off cookies in your browser and “you may not be able to take full advantage of IPInfoDB Website & Web Service”.
Based on these policies I decided to assume consent would be required and not to spend more time checking.
My impression may be wrong; a plugin developer considering these APIs should contact the API provider for a definitive answer. Apologies for my original comment, which was too categorical, and its mention of the CF cookie, a red herring (more important is what information the 3rd party is gathering on its own servers; GDPR relates to collection of PII data on other media, not just cookies).
This reply was modified 6 years, 5 months ago by wrigs1.