Grafana Faro ingesting PII? (Session ID against GDPR Compliance)

grafana / faro-web-sdk

The Grafana Faro Web SDK, part of the Grafana Faro project, is a highly configurable web SDK for real user monitoring (RUM) that instruments browser frontend applications to capture observability signals. Frontend telemetry can then be correlated with backend and infrastructure data for full-stack observability.

https://grafana.com/oss/faro/

Apache License 2.0

688 stars 62 forks source link

Grafana Faro ingesting PII? (Session ID against GDPR Compliance) #599

Closed neillua closed 1 month ago

neillua commented 1 month ago

Description

I head read your documentation on Data Privacy in Frontend Observability, and I see there are no Cookies. But on a separate note, I see on my logs that Grafana Faro creates a Session ID (which I believe is a randomly generated ID that is used to stitch together the data that are being ingested), but what we are worried about is that will this be traceable back to specific users? (as we will end up having this on public-facing sites, so GDPR compliance would be a hard requirement)

cedricziel commented 1 month ago

Hi @neillua ,

Please consult a data privacy specialist that is familiar with your regulatory setting to help you evaluate this in more details.

Faro does not collect any PII out of the box. And the random ID cannot be tracked back to individuals.

Hope that helps :)

neillua commented 1 month ago

Heya @cedricziel,

This is clear. As long as Faro does not collect cookies (as per documentation), and the Session ID on the Faro logs are randomly generated IDs and cannot be tracked back to individuals (as confirmed by you), we should be good so far. (Let me know if I understood anything incorrectly though)

Many thanks! :D