GDPR guidance

Last updated:

The General Data Protection Regulation (GDPR) is a privacy and security law, drafted and passed by the European Union (EU). It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.

We recommend that you read the full text of the GDPR and seek independent legal advice regarding your obligations.

GDPR and your use of PostHog

GDPR requirements differ depending on how your business interacts with personal data. Companies can be data controllers, data processors, or both a controller and a processor. Data controllers collect their end users’ data and decide why and how it is processed. Data processors are businesses instructed to process customer data on behalf of other businesses.

You will be using PostHog in one of two ways:

  1. You are using PostHog Cloud
  2. You are self-hosting and managing a PostHog instance

If you are using PostHog Cloud then PostHog is the Data Processor and you are the Data Controller.

If you are self-hosting PostHog then you are both the Data Processor and the Data Controller because you are responsible for your PostHog instance.

In both cases you are the Data Controller, so this guide identifies some ways in you can instruct PostHog, whether Cloud or self-hosted, to help you comply with GDPR requirements.

Checklist

The following list is based on the GDPR key issues. However, it is not exhaustive and instead identifies some areas relevant to PostHog.

Since PostHog automatically captures some data (for example, the IP address of a user's web browser) which can be considered Personally Identifiable Information (PII), you must provide a mechanism for the consensual capturing of that data.

Court confirms that IP addresses are personal data in some cases

Within the consent you should identify the types of PII that are being processed and what tools are being used to process them. If you are using PostHog Cloud you should identify PostHog as a tool. If you are self-hosting you can either not list a tool or provide a generic description such as "Product Analytics".

Once the user has made a decision around their consent you can start or stop data capturing and processing accordingly. If the user has opted out there are a number of ways to ensure data is not captured by PostHog and how you do this will differ depending on your application setup. Here are some ways PostHog makes this possible:

  • If posthog-js has been initialized, call posthog.opt_out_capturing(). See the posthog-js docs.
  • Ensure posthog-js is configured not to auto-capture and do not make capture calls using the installed PostHog SDK on any client.
  • Do not load the posthog-js SDK. If you do this you should ensure your application logic always performs conditional checks for the availability of the PostHog SDK. This may not be possible in modern JavaScript applications.
  • Do not initialize the posthog-js SDK via the call to init. If you do this you should ensure your application logic always performs conditional checks regarding the initialization state of the PostHog SDK.

Right to be forgotten

A user must be able to request that their data be removed from PostHog. How you facilitate that request is up to you. For example, you could accept requests via email or form submission.

You can remove a user from a PostHog instance via the PostHog user interface. To do this:

  1. Select Persons from the left-hand menu.
  2. Search for the person via their unique ID. For example, their email.
  3. Click view next to the person within the search results .
  4. Click Delete this person to remove them and all their associated data from the PostHog instance. You will be prompted to confirm this action.

Reference