Personally, I'll activate anonymization of ip addresses in my logs coming next week. There are various solutions for that available.

I think you can also log the ip, you just have to get your user's explicit consent.

I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.

It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.

So much as I dislike the new privacy laws, at least the made me reconsider my AdSense settings.

It's fine to collect this information in your logs as it's part of the normal operation. I log them for security reasons and the logs do not persist for more than a week or two, which is less than the month I'd have to comply within. Provided you're not logging IP addresses for non-legitimate reasons and you're not keeping the data for longer than you reasonably need to, you have nothing to worry about.

`tail /var/log/nginx/access.log` Oops.

Also the section of the GDPR that talks about pseudonymization using a token how should my user DB table be GDPR compliant? Contains ID (primary key), username, password hash, email, etc and the ID is also in other DB tables for obvious reasons (such as user posts/actions).