679 comments

[ 3.4 ms ] story [ 356 ms ] thread
> News sites within the Tronc and Lee Enterprises media publishing groups were affected.

> Tronc's high-profile sites include the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun.

Why would either of these papers be subject to the GPDR? Am I wrong in assuming they’re purely US based companies? Or is there a chain of ownership that includes EU jurisdiction?

If they have readers that are physically in the EU, then those readers would be covered by the GDPR.
As long as there is no business relationship to any EU entity they would not be "doing business in the EU", would they?

I doubt making a website available on the global internet would be seen as "doing business in the EU".

Doing business in the EU is only one path that causes the GDPR apply to you, processing personal data of people located within the EU, not necessarily EU citizens, is another one and probably the one relevant here.

Article 3(2): This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

But what's the worst that could happen? Your site would get dns blocked in the EU?
They are perhaps owned by media organisations that do in some way do business with the EU even if those specific outlets do not.
Maybe they could arrest employees on a visit to the EU? Maybe you could even get arrested at home due to extradition agreements? Or get assets in the EU frozen or seized? But that is all pure speculation, I have no idea what actually can and can not be done or what is likely to happen.
as soon as some of some assets pass through entities in the EU (or even, entities on wich the EU can apply pressure), they would be seized.
It's still unknown how exactly they will enforce the GDPR, but they've got data on Europeans thus need to comply. The US does this quite often as well having their laws applied to foreign companies, without them being physically present in the US.
Foreign laws are not enforceable in the US unless we a) have a treaty saying so and b) have an analogous law here. I see a lot of Europeans and tech bros that don’t seem to get this. They can make a law saying people or corporations must kiss the rings of every EU citizen no matter where they are or face fines... likewise not enforceable here, and hopefully that example makes that clear to you.
Not sure why this is getting downvoted, since it's true. As a thought experiment, why should this have any more relevance to a company that's in the US than the Thai law that prevents criticism of their king.

https://en.wikipedia.org/wiki/L%C3%A8se_majest%C3%A9_in_Thai...

I suspect what we'll see soon is a law protecting US companies from EU overreach, comparable to the SPEECH ACT.

https://en.wikipedia.org/wiki/SPEECH_Act

It would not surprise me if some US companies are holding back, because they expect similar protections from foreign law to be passed here.

I won't miss them. Why would I need to know about local news from places over 5000 km away?

Luckily there is still archive.is and the Internet Archive for exceptional articles that pop up on HN.

For many of us the meaning of the internet itself is being able to access things at 5000 km away.
No one needs that kind of access, crazy thoughts.
Bill gates agrees with you ;)
That's an surprisingly unimaginative viewpoint. Off the top of my head:

  - You have friends/family in that area
  - You actually live in that area, but you are currently travelling
  - You are considering visiting the area
  - You are doing some kind of research about the area, say, how often a certain type of crime is reported in local media
I'm sure the list can be made much, much longer if we spend some time thinking about it...
GDPR hysteria.
I wished everyone who says "GDPR hysteria" would cover legal costs for those who are hysteric.
For a site that shows text and images you have a simple solution change the code

if(isUserInEU())

showBlobkingPopup();)

else

loadAllTrackingScripts();

into

if(isUserInEU())

loadNonTrackingScripts();

else

loadAllTrackingScripts();

Why not directly?

    solveAllGDPRIssues();
If you have a webpage with text and iamges, no user accounts and subscriptions then why you prefer to block the users then load the page without tracking, and show some static ads,better then nothing.

Showing a popup with things like -we have Google analytics that track you in this way -we have FB scripts that do this -we have ad company X script that tracks this -we have Y product that tracks your focus .... would also be good,then I know what "I lost" not getting access to that page

No, it's not better than nothing. In fact, it's worse than nothing. Which is why they're not doing that.

It's extremely difficult for classic news media to make money in the internet-world. They're not tracking you because they hate privacy, they're tracking you because they need to show you ads to earn a few cents to pay for their newsroom.

Many people are using ad blockers and this number is increasing, the tracking business model is doomed with or without GDPR.

Are we sure that targeted ads are better then topic ads or is this a myth created by some big companies.

> They're not tracking you because they hate privacy

They're tracking you because they're indifferent to your privacy, and they can make money by violating it.

The writing has been on the walls for a while ever since ad blockers took off.

Media companies that are still trying to make money by selling their users are deprecated.

No. They are tracking you because they are entirely oblivious to privacy and to the stuff they run on their websites.

A lot of those links and trackers and what-nots come from affiliate networks, or because some marketing manager said it would be better that way. And now they are suddenly alerted to the fact that they run 30+ trackers on their sites, and believe you me they have very vague idea about what those trackers are doing.

That’s just a helper function for:

    process.exit(1);
The problem is ads. Many networks track their users, and the site is responsible for that too. Eliminating all ads means the EU users become only a cost.

They need to integrate GDPR-compliant ad networks to serve to EU users, and they probably didn't do the work.

Exactly, and until they find some EU advertisers they can put some static ads.
There is no need to eliminate all ads. You need consent for the apps though.

"GDPR is very pragmatic on this point: whatever is really necessary for an app is legal without consent, the rest needs a free 'yes' or 'no' option."

http://www.bbc.com/news/technology-44252327

Ads!= tracking Also Ads!= only viable source of income.
I could buy "hysteria" as an explanation for the little startup apps or blogs that have shown up on HN these last few days, but these papers have revenues in excess of $2 billion. I have to assume there was some due diligence involved.
In general, the online site of a newspaper doubtless does a lot of ad tracking. To the degree that readership is mostly local (as it is for most newspapers with relatively few exceptions), geofencing seems like a pretty rational response to potential compliance headaches. More trouble than it's worth is a wholly rational business justification for a case where a geo is currently unimportant and there's no business plan to expand there in the future.
Here's what I get when I try to visit the LA Times:

> Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.

Blocking access at geographic level across pretty clear signal they don't care about users/readers in those regions (I think it's hard to argue otherwise, the law has been coming for 2 years).

Obviously they cater to people interested in local news in those regions. However, I hope they will rectify and allow access again for EU users at some point soon. It seems to go against the idea of a borderless internet, and I blame the companies for that, not the EU.

Too bad that they would actually have to block EU citizens not territories.
They're trying and it's quite effective. If they're fined (unlikely), their fine will most likely be greatly reduced.
> clear signal they don't care

Or, it could mean they hadn't realised how much work it'd take to be GDPR compliant, and decided to temporarily use geographical blocking until they can be compliant.

It took them 2 years to realise that? That’s the same as not caring.
When you have competing priorities and finite time and budget, people often don't investigate external requirements, assuming that they'll just comply when they no longer have a choice.

That's why the first few audits (SOX, PCI, etc...) for a company new to them, are always such a struggle, people starting to look at the months of work needed the same week the auditors are planned to come in.

edit/PS: Did you notice how many "We changed our policy" emails you've received in the past 2 weeks, including from very large international companies like google, yahoo, etc... Companies for which not being open for business in Europe would have financially impact. Probably a good indication that they ended up with a lot more work to comply that they had anticipated, and still made it just in time. Now imagine the same situation in smaller companies running on very thin resources that cannot afford a sudden increase in staff!

They were not remotely thinking about this 2 years ago.
> However, I hope they will rectify and allow access again for EU users at some point soon.

Honestly, I don't. I don't want this precedent of government overreach to stand. I wish more international companies would stop doing business with US citizens for the same reasons.

> It seems to go against the idea of a borderless internet, and I blame the companies for that, not the EU.

You don't blame border-based rules for harming the traditional borderless approach? How illogical.

> Honestly, I don't. I don't want this precedent of government overreach to stand.

Why is it overreach?

It's literally why we invented government! I, the little guy, couldn't find giants like Facebook or Google. That's why I asked my democratically elected government to work on the problem.

To me it's overreach because smaller measures could have been a better first step, this won't help the problem much, and it hurts the non-targets. I understand it's why you asked your government to work on the problem. We just need to stop pretending that any way they work on the problem is a good one.
> We just need to stop pretending that any way they work on the problem is a good one.

Just because the government does something, that thing is bad? I don't understand your logic...

I quite like what they've done.

No, just because they do something doesn't mean it's good. I don't like it, but then again I don't like the cloud act, some dmca provisions, etc. We can disagree whether the law is good or not, it's just that this topic (not you specifically) causes people to assume being against the legislation means being against its purpose. I think there were many better ways to work on the problem.
Smaller measures were taken. The Data Protection Directive was adopted in 1995 and hasn't worked at preventing EU citizens' human rights from being abused.
So using the law didn't work. What is a rational reaction? To try one of many other approaches? Of course not...draft and pass more laws, but bigger this time. If someone has a hammer and everything looks like a nail, all they are going to do when the hammer doesn't work is tweak the hammer. Instead of stepping back and saying that a provision in the law can be fixed here and there (e.g. requiring regulators to do something as if words are enough to usurp apathy), why not question whether the method in the first place is the problem?
> Why is it overreach?

Because the EU is targeting companies beyond it's own borders, including companies that have no representation in the EU. Google, Apple, Facebook, etc. have the means to affect policy worldwide, making them international. Smaller companies do not.

Ma and Pa's Midwest Quilting Shop is really going to hate it, when they eventually get around to disovering they've got a problem. It sucks for a lot of people who depend on advertising, but imagine how bad it's going to be for niche sellers (quilting supplies, Americana dealers, woodworking tool sellers, etc.) It's an opportunity for someone over here to make a pile of cash, but there's no way it's not going to suck for the little guys.

Nine times out of ten it probably doesn't matter. What happens in France happens in France and that's not really our problem to worry about. This is that tenth time.

I suspect there's more than a few Europeans having a big, fat cup of haterade-flavored schadenfreude with their afternoon tea who wanted exactly this to happen.

You don't have to use Facebook or Google if you don't like them.
Blocking access at geographic level across pretty clear signal they don't care about users/readers in those regions

They can't make money off of you because the ad networks can't operate, so all EU users are a cost.

Things like this will test how much EU citizens value their privacy. Of course there will be some sites they will not be able to visit but time will show if they are okay with that.

These rules are very similar to rules limiting loans. No matter how desperate a person is and how low credit they have, in the US you can't give them a loan for above a certain amount of interest. That could be terrible for a poor person who is about to be evicted if they don't get some money right away. But we as a society are willing to accept that if the result is that more loans will be "reasonable".

If GDPR is enforced as HN people say it will be (in a good way) then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.

If it enforced in a bad way then big companies who can navigate the law will get bigger because their small competitors will be to afraid of the law and shut EU users out.

You can still run a free website and be compliant with the GDPR. The EU/EEA is the largest market in the world, closing yourself for an market that size will hurt more than changing a few thing to be compliant.
>closing yourself for an market that size will hurt more than changing a few thing to be compliant

Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.

Well, you could! We’d be happy for you to make some space for a competitor who doesn’t make his money selling personal data.
They could still make some money from showing non-tracking ads to European users and tracking ads to American ones. Perhaps not as much, but as they have already written the content I don't see why you would just give up on that revenue stream.
The point is that, if I'm not making material money from EU residents today, it may be easier for me to just make it clear that I'm not trying to do business in the EU than figuring out if I need to do anything to become compliant. I may in fact be 100% compliant, but it may take effort to figure that out and there's potentially still some risk.

Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.

This could definitely happen, but would not make sense for the Chicago Tribune and LA Times, which are big corporate entities united as subsidiaries of Tronc, Inc., and could even pool resources to have one compliance office among them from the parent company.

For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:

- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and pefers not to invest in doing so.

- Tronc can’t remain profitable if displaying GDPR-compliant pages in EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).

- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.

So while I agree with you for some small businesses just not wanting to mess with GDPR compliance or risks, however small, it certainly isn’t aviable explanation for these newspapers.

It's likely that it's just side effect of months of institutional paralysis. The Chairman of Tronc stepped down earlier this year after allegations of misconduct and I believe they were negotiating the sale of the LA Times to an investor and the rest of the company to Softbank.
When you don't a competitor steps in and if the day comes that you want some EU sales, you will have to spend huge sums to establish your brand if you are not a huge brand that's on TV shows and the News all the time.

Geo-locked products are nothing new. I lived in a communist country, few EU countries and a middle eastern country and I can promise you that when a certain brand is not available a local competitor pops up and after the original brand becomes available it stays remain a curiosity unless it's a massive pop culture icon(McDonald's, CocaCola, Amazon, Netflix etc. - stuff that's on American TV shows all time. The TV Shows are also geo-locked but local pirates make them available few hours after the USA. Even in Cuba).

So, it's not a simple problem of if(profit < feel like worth it) then block EU.

I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks users accessing their site through a VPN, without informed consent, they are in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't make provisions about whether the controller or processor has a way to find out if the behaviour of the data subject takes place within the Union. I don't see any reason for a different interpretation in the Recitals, either. Furthermore note that subs a and b in art 3 para 2 are alternative, not cumulative requirements.

Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.

So you're saying that if I block my site to EU IPs, and someone uses a VPN to look like they're coming from the US and bypass that, they can then sue me under the GDPR? No way.
No, they can't 'sue' you; they can make a complaint to their data authority who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority to make a case out of it, then yes. (provided everything else also applies, e.g. the things being talked about in the rest of this thread).
Put it in your TOS that European users are forbidden from using your site, and then if they complain to a data authority press charges under the CFAA, and sue them for damages you incurred due to their violation. Then let the courts hash it out.
Such TOS would most likely be 'unduely onerous' or whatever the local term for this concept is in other EU jurisdictions.

I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.

So no, that's not how it works.

Unduly onerous to say you're not allowed to access the site if you're in the EU?

So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.

That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.

In many civil law systems, there are limits to contracts. Sometimes these limits are codified, sometimes they're not. Let's take Dutch law here as an example, because well that's what my degree is in. The Dutch civil code has a list of so-called 'black' and 'gray' clauses in terms and conditions; the black ones are always void, the grey ones sometimes (obviously grossly simplifying here, I'm not going to type a paper on a phone). Many catch-all statements are either black or grey, especially when they are designed to absolve one party from their legal obligations. Nobody is saying anything about requiring you to allow EU citizens. What I'm saying is the GP's plan is an obvious scheme to avoid one's legal obligations, and will be treated as such - and hence won't be a defense or obstacle when an authority goes after a non-compliant processor.

Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.

> Intent matters

So shouldn't the website's intent to block you from accessing it matter?

That point was part of a general observation. When something 'matters', that doesn't mean there cam be other factors. In thi specific case I see no reason why the territorial scope would not extend to processors outside the EU when they monitor user behavior. Taking some limited technical measures to prevent access doesn't absolve them from the law to apply.
The Cambridge Analytica whistleblower is using Facebook and Google for incomplete compliance so yes, you can get sued.
I don't quite understand what you're saying here.
The relevant part of GDPR is Recital 23.

https://gdpr-info.eu/recitals/no-23/

Short version: GDPR does not apply if you happen to collect data on a few EU residents by accident (assuming you're not otherwise based in the EU).

This is only your opinion. It doesn't say that on the page you pasted. To be complaint you probably must clearly state that the service is not for EU resident and ask them to leave. Even that could be too little.
"...the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union [...] is insufficient to ascertain such intention"
This only applies to sub a (of art 3 para 2). So no, this quote does not confirm your assertion.
The relevant language is in recital 24. “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.)Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it whatever people may wish.

I've been served ads on US outlets for products which clearly target my home market (Germany). This will make a hard time arguing that you are not targeting that audience. In my opinion, if you serve ads on your site which target EU consumers, you're doing business here. I don't think it matters whether you do that through a third party.

By blocking EU ip-ranges, that may change, I admit that. However, if by other measures like finger-printing the browser you serve EU-specific ads to vpn'd users you may be up to problems.

(comment deleted)
>> "offering goods or services"

IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.

The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.

Sure, that's a criterion for art 3 para 2 sub a. What I am talking about is sub b, for which the question whether one offers goods and services is irrelevant (that's what I meant when I said 'a and b are alternative, not cumulative').

So the question is - does the Chicago Tribune 'monitor user behavior'. The recitals say about that

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.

If you use a VPN to access a server that does it want you to access it, then you are breaking the computer fraud and abuse act in the United States.

Shouldnt you be the one sent to jail, as you are illegally accessing a computer that you were sepecially told not to access?

Maybe. That's entirely orthogonal to the question whether or not the person who's server it is, is affected by the GDPR though.
But if that person could get sent to jail for that, then I don't see why they would file a complaint.
If they are from poor EU village that could be tempting to get to US jail to learn language and have free food and bed.
I don't even see in the law whether or why the dpa would disclose the identity of the complainant. Maybe there are procedural situations where it would happen, I haven't really thought about it. I think people are too hung up on a specific person making a complaint. It's the dpa that will take action, probably removed a few steps from the initial complainant(s). This is not Law and Order style legal proceedings.
> Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles?

Because you would rather grow your market?

There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.
> There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.

The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.

If you run a free website that depends on targeted ads to make money, you might want to expand to the EU but now you'd need to totally change your business model to do so. For some that would basically mean inventing a new company because their service is not the type people would pay for. So in this case, it may not be worth it.
> But I've sent a clear message that I'm not marketing to European consumers.

More like, sent a clear message you're not concerned of your user's data.

(Nothing personal, the signal may not necessarily echo the reality)

False. The marginal cost of an EU customer is no longer zero. Why should I put in a bunch of work for GDPR compliance if the cost to implement it exceeds the initial marginal cost of an EU user. There is still the rest of the world.
Good. if you do not value my privacy, I dont want you to do business here. another product will replace your own. And in all likeness an EU one, meaning less euros leaving the eurozone.

I'm all for it.

if you do not value my privacy

False equivalence. You can do nothing untoward with user data and still not be compliant.

Exactly. The most basic/outrageous example: anyone in the EU who installs Apache and leaves it in its default configuration which logs all page visits indefinitely is now a criminal.

Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.

This is the most retarded comment I have read today. Literally everything you say is false
Are you disputing that GDPR disallows you from retaining visitor IPs, especially without explicit consent?
Consent is one basis for gathering personal information. It's only one, there are five others. Consent isn't always needed.

The fine for this would not be €20m either.

Yes. It's fine to retain IP addresses for a reasonable amount of time if you have a good reason to keep them, such as security. Just rotate them as usual, and don't keep them longer than you need.
You might want to actually read the GDPR. IP addresses are PII.
Oh, it's much worse than that :)

Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to $20 million euros.

The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!

But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??

Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?

> If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?

Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.

Your point is that apache default config is horrendous regarding log keeping policy ? I agree.
Nobody would have said this a year ago. How are people getting so swept up in this privacy zeitgeist that they think web admins keeping logs is horrendous?
At my company doing this would be in complete violation of our data retention policy (not GPDR related). Where are companies running production services without handling logging of sensitive information? Regulation or not that kind of data is a huge liability for our legal department.
I know! Just imagine...your (likely dynamic) IP address exists in forgotten log files all over the web. The horror!

One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.

What possible "horrendous" harm is there from apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?

you can log ip adresses. keeping them forever is bad.

It means that any future government, no matter how evil it is, could query your log and know precisely what I am doing on the internet right now. I might not want that.

> another product will replace your own

That's optimistic ... but there is no reason to believe in many niche areas that another equally good product will do that. It is very plausible that in fact what will happen is that EU customers will be significantly delayed in accessing valuable services and products. And in many cases the web sites provide those would be making no meaningful intrusion on privacy in the first place.

Launch in the rest of the world first, if you're successful then think about the EU. Seems like the way to go.
If I run a free website, I have 0 revenue. Why would I care how big the EU market is?
* The EU/EEA is the largest market in the world*

Define "largest" in this context.

Nevermind. I looked it up.

The European Union is 7% of the world's population.

So by "largest" he means "not largest," as in there's still 93% of the world left to do business with.

> The EU/EEA is the largest market in the world

Please don't believe your own propaganda. EU/EEA revenue is a fraction of US revenue for all large multinationals. Small businesses probably make even less from the EU.

So EU citizens will either revolt and destroy EU or read their news from somewhere else? More likely, will do the usual thing people do for geo-locked content: Use proxy or pirate until a convenient solution takes off. That convenient solution will be GDPR compliance by the offender or a competitor.

I mean, mild annoyance is nothing compared to the annoyance of war thorn continent, I wouldn't bet too much on the destruction of EU or even withdrawal of GDPR

> So EU citizens will either revolt and destroy EU or read their news from somewhere else?

Those are the only two options? Now that I know that, instead of what a practical person might deem as an option which is to repeal the law, the EU and GDPR proponents' mindsets make a lot more sense. I often wondered why new legislation was piled on older legislation that wasn't even enforced then, and why other statues wrt cookies and what not cannot be seen by legislators as more bad than good and worth removing. Now I know.

My next sentence is literally a third option, describing what happens with geo-blocked content.
And that it isn't even an option to recognize a bad law and repeal it, even if it had good intentions, speaks volumes.
As an EU citizen, I don't think the law is bad but you are free to be upset about it, of course.

Please respect our laws and privacy or don't do business with us. We will be very sorry if your product is irreplaceable or we will use a competing product that complies with GDPR.

I didn't say the law was bad, I was saying if it turns out to be, repealing it should be an option. Too often there is no going back from these things because it's not considered an option. Instead only options like revolt, go elsewhere or use a VPN are presented.

Obviously the last incarnation of the GDPR didn't work for multiple reasons, the most oft-cited one being non-enforcement. Was the option to repeal and take other approaches to the problem considered? Nope...double down. Since people agree with the intent, the approach often appears above reproach.

Of course, it is an option, the problem is that you claim not to be and you claim that "the EU and GDPR proponents' mindsets make a lot more sense" because I asked a question to emphasize the "test" on the EU citizens.

I see you're in Texas. Don't worry too much about EU, we are doing fine. We will figure this thing out if it turns out to be more bad than good.

Please respect our laws and privacy or don't do business with us.

Stop sending us your data and money? I don’t leave the US to deal with EU customers. You send requests to my server in the US. If you’re unhappy with me, stop doing that.

And it’s pretty rich to complain about companies not complying and leaving the market, while also using VPNs to use their service anyway. Apparently protecting your data isn’t as important as you say?

I haven't been given an option not to make calls to your servers, those websites used to load 20 tracking scripts without asking me. Thanks to the GDPR now I will be able to stop sending requests. What's the problem?

See, how browsers work is that they load this thing called HTML that describes the content and can load other stuff without asking me. Apologies if I accidentally sent any data or money, it wasn't my call. It was in the HTML that I loaded because I was offered to view a free article.

If it’s your right to use an adblocker under the theory that you should control what requests your browser makes from your device, then which requests it makes are also your responsibility.

Regardless, whether you intended to send my server a request is your problem. The fact is that you did, and that hardly gives full control of my business to whatever legal jurisdictions claim you as their subject.

Well, as it turns out, it's your problem. Like, literally :)

Anyway, don't be too upset about all this. The law is not banning you from collecting my data, you just need to be explicit and informative about it so that I can decide if I am going to send a request to your servers.

I'm often disturbed by the mindset that people are some business' god given a right to exploitation. It's the other way around really, that is, if you can find a way to serve me or solve a problem of mine I might choose to do a business with you if I decide that the compensation you demand fair.

If your business is unprofitable when you have to ask me for permission in plain English maybe it simply means that you don't have a profitable Business and you should consider doing something else.

We don't see business people complaining that government regulations are hurting their organ harvesting businesses, right? People decided that they don't want other people to sell their kidneys on open markets, so that business doesn't exist.

People at some point decided that they don't want to get cancer from Asbestos, regulations kicked in and the Asbestos businesses were destroyed.

This time around people seem to be in control of their data, if that makes your business unprofitable or impossible do what others did: Something else.

Well, as it turns out, it's your problem. Like, literally :)

Only if the EU can enforce it, which they can’t. I don’t pay attention to laws from other countries that don’t apply to me and have no teeth, and I’ll ignore this one as well, until there’s some enforcement mechanism. At that point I’ll evaluate. I’d probably just block the EU though; not worth the hassle.

>not worth the hassle

There you get it. If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.

It's not your god given right to violate user's privacy so that you can turn a profit.

In other words, if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business.

No need for hard feelings.

If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.

This is a false dichotomy:

1. Fully comply with the GDPR, no matter the cost, even if that's just legal and administrative because you're not actually doing anything in terms of data practices that would violate the law.

2. Go out of business, because you clearly are intending to do shady things that violate user privacy.

if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business

Perfect example.

Say I run a burger shop that is perfectly clean and in compliance with all local laws, but the EU passes a law that says I need to fully audit all my food safety practices, publish them in a public place with their format, appoint a food safety rep in the EU, and comply with other vague requirements that they deem necessary, just in case an EU citizen visiting the US comes and eats at my shop.

Now, if I ignore that, am I "breaking the law"? I guess so. Just like I might be breaking some Indian law by serving beef at all (hypothetical). But does it actually matter? Can the law be enforced? Should I care as a matter of civic duty? Very likely not.

Worse, should the entire citizenry of the EU suddenly decide that my small town burger shop in Iowa clearly intends to feed every customer tainted beef and deserves their opprobrium and any fines that can possibly be levied by the EU, just because I didn't fully comply with their law?

And if they do develop some enforcement mechanism to use against small town USA burger shop, how is it not my right to put up a sign that says "Sorry, EU customers, but please don't eat here, as I don't comply with your laws"? Is your argument seriously that I should comply with every law from every jurisdiction in the world, just because a customer from that jurisdiction might wander into my shop, even when I've expressly told them not to?

See, that's not what GDPR does. Maybe In your alternative-facts GDPR, your case may have a point. I don't see why I should argue over a hypothetical GDPR, let's focus on the reality.

About the burger thing, we do not need to assume things here, we can examine the reality and the reality is that McDonald's complies with the EU regulations when doing business in the EU, local American burger shops that don't do business in the EU do not comply with the EU regulations. I hear that you have some amazing burgers in the USA, will definitely try few local shops!

OK, so let's say that hypothetically I run a small business in the US. I just sell access to software (that lives on my server in the US) instead of burgers. An EU visitor comes to my server in my country and buys something. Why should I care about their laws any more than the burger shop owner should?
Is your argument that someone else in the business should care or is your argument that EU visitors should not have rights to their data because it is inconvenient to you? Depending on your arrangement, if you are a reseller for example, you probably are not responsible for what that software does with your customer's data.

Also, burger shops that do business in EU(usually chains, McDonald's and Burger King) do care about the EU food regulations, why shouldn't they and why shouldn't you? You are aware that McDonald's isn't steamrolling in the EU, right? They do follow the EU food regulations. And no, you don't have to be a big company to sell burgers in the EU, we have plenty of local independent burger shops all over the continent.

Burger shops IN the EU are a completely different thing.

My primary argument is that the GDPR's attempt to regulate companies in other jurisdictions because EU citizens go INTO those jurisdictions and do business is a dangerous precedent. If there was an enforcement mechanism for all such laws, it implies that any business or individual anywhere in the world with a website should therefore have to comply with any laws from any jurisdiction that are similarly constructed.

If my website says things about Islam that Saudi Arabia passes a law against, I should be fined.

If my website disrespects the king of Thailand, I should be extradited for imprisonment.

If I encourage NK citizens to revolt against their oppressive regime, I should end up in a labor camp.

After all, those governments have a right to say that if I want to "do business in their jurisdiction", I must respect their laws, right?

(To be clear, I'm not talking about enforcement of these kinds of laws, because all of those countries might do the above if given the chance. I'm talking about what I SHOULD do as a matter of morality or ethics or civic duty or whatever, or what my government should cooperate with those governments on, because it's just.)

But the problem is that they're describing "doing business in their jurisdiction" as a citizen from their country (maybe even one who is currently visiting my country) going online and sending my server requests, data, and money. And apparently explicitly telling those citizens to please NOT do that, or blocking them, is not sufficient. The only way to make the majority of the EU users on HN happy is to comply. Why would that same logic not apply to all other kinds of laws?

So do you argue that businesses that do business over the internet should be subject to the laws where the business is legally based?

So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?

Or is your arguments something else, something selfish like all online businesses should operate according to the US laws or something like online businesses should not be bound by any laws whatsoever? Or something else?

So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?

If by "operate in the US" you mean that they are based in the EU and allow US residents to visit their website and purchase from them, then yes, absolutely. Why would it be any other way?

I just don't see how the alternative works at all. Why couldn't some city in France pass a law that if a citizen of their city buys something from your site based in Hong Kong, you owe that city a tax of $50k. That's obviously ridiculous and not enforceable, but why is it not based on the same underlying legal theory that a business is bound by the laws of jurisdiction where visitors or customers to their site originate from?

Well, "HQ based law" not the case and it's a much larger discussion that doesn't have anything to do with the GDPR or EU.

The USA too is going after foreign companies doing business with Iran or Cuba. The USA is not happy with cryptocurrency ICO's and it's enforcing it. The USA is forcing the world to respect DMCA.

The taxes are also an issue, even within the USA doe to different VAT in different states.

These are topics that have been in discussion since the beginning of the internet and the dust is just settling and the solution is not simple as "You obey to the laws according to the country you're based in". It's a huge huge topic.

Edit: And FYI, many countries do enforce a tax on foreign purchases. For example, Turkey will be forcing American internet giants to charge VAT to its Turkish clients and transfer that VAT to the Turkish government. Countries want to collect taxes, you can't really get away with "I am an American company so I operate tax-free" argument. Politicians will work out an arrangement like "I will make your tax law enforceable on my companies if you let me use your military base and purchase weapons".

You don't have to convince me that the US tramples on the sovereign rights of other countries just because it can.

The tax situation is a good example. Historically, sales tax has not been able to be levied by states against companies just because they have customers in that state. They have to have physical "nexus" in that state as well. There are a number of states trying to do an end run around that right now with "economic nexus", which will probably end up in the Supreme Court at some point.

Many countries try to say that VAT is due, but their ability to enforce is pretty limited. If you run a small business online and you WANT to pay attention to every single global tax jurisdiction and send them whatever tax they say is due, go for it. But if you don't, the practical reality is that there's nothing they can currently do about it.

I do agree that these issues are complicated and that the Internet has thrown a monkey wrench in a LOT of legal precedent in ways that will need to be sorted out.

I just don't think the GDPR is the right framework. Data privacy may be a human right, but so is democratic representation, and having governments all over the world pass laws that they say apply to my company is unjust.

EDIT: looks like economic nexus is being decided now: https://www.journalofaccountancy.com/news/2018/apr/supreme-c...

Let's agree to disagree about GDPR.

Anyway, it boils down to enforceability. EU is a huge entity and probably will be able to enforce the GDPR by forcing payment systems and gatekeepers like Google and Apple that legally operate in the EU not to do business with businesses that do not respect GDPR. Maybe it will be a bargaining point in some trade talks between other countries and the EU and EU will insist that the countries will help with the enforcement of the GDPR in exchange for something that other countries want from the EU.

As long as we don't live in some kind of libertarian anarchy world order, these things will be determined by the politicians.

> So do you argue that businesses that do business over the internet should be subject to the laws where the business is legally based?

Well, duh, businesses are subject to local laws! That is not an argument, but a fact. Don't take my word, ask your friendly lawyer.

What is your alternative? That online businesses are subject to the union of all the laws of all the countries whose citizens can reach them?! That's ridiculous. Do EU businesses follow Iranian regulations?

>Do EU businesses follow Iranian regulations?

Of course, if they want to do business in Iran. The same goes for every company and country. Don't you believe me?

Go to your iPhone's Settings-> General -> About -> Legal -> Regulatory

There you'll see which regulation Apple follows. Despite being an US based company, Apple complies with the regulations of Canada, Europe, Japan, Singapure, Russia etc.

How do you even imagine that a company will be doing business in one country byt will be excepted from the regulations because it's based in some other country? That would not be possible, companies would simply move to the least regulated place with the lowest taxes. Oh and they do that wherever possible(i.e sell to EU from Ireland).

Well they ARE doing business. They are just blocking the EU.
Not when a US site uses a "copy protection" mechanism to ban all EU users, and grants a copyright license giving full access to US users and no access to EU users. Then your EU-based choice to use a proxy becomes a copy protection circumvention under the ECD, and the user is subject to a lawsuit.
(comment deleted)
> the result will probably be that a lot of free websites ban EU users

Good riddance, at least we know what websites we shouldn't have visited in the first place.

> smaller companies take their place with products that either cost money or will be a bit worse.

Or they will be better and still be free.

News companies are dying, news is commodity, if I can't read something on the LA times, I'm sure I'll find that same article on some other news site.

> small competitors will be to afraid of the law and shut EU users out

It's not a complicated piece of legislation, the short version is this simple: only collect data you actually need on your user to offer your service and be prepared to explain why, that's basically it.

> But we as a society are willing to accept that if the result is that more loans will be "reasonable".

The actual reason is that if you don't limit the loans, your economy will collapse.

>News companies are dying, news is commodity, if I can't read something on the LA times, I'm sure I'll find that same article on some other news site.

Or the original news simply ceases to exist as is already happening at the local level in many cases. There's probably a continuing market for some global news organizations that are at least muddling through with subscriptions and other products. (Or not. See story on Time Inc. recently.) But I suspect the non-national/international journalism will continue to decline.

You assume that just because someone doesn’t want to got through all the hassle of being GDPR compliant that the website is somehow bad? Among other things this includes setting up an EU represeneitive—a high bar for a free product..... Obviously you haven’t had to deal with GDPR compliance.
> You assume that just because someone doesn’t want to got through all the hassle of being GDPR compliant that the website is somehow bad?

If they are not collecting any personal data, there is no hassle. Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?

> Among other things this includes setting up an EU represeneitive

Citation needed.

> a high bar for a free product

The product is not really free because users pay for it with their data, which was unclear before.

> Obviously you haven’t had to deal with GDPR compliance.

Obviously from what? Are you a GDPR compliance expert?

>Obviously from what? Are you a GDPR compliance expert?

You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge and I doubt any GDPR experts actually even exist today.

> You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge

So you don't actually know anything, but you are going to pretend to know that it's "huge".

> I doubt any GDPR experts actually even exist today

Then why be so condescending and pretend that you are actually one?

You only have had to gone through the implementation challenges personally to know that it’s hard and the costs (to do it by the letter) are high. In fact to do it by the letter you’re going to have to hire a law firm to ensure you’re compliant and they’re going to err on the side of caution and take you down a rabbit hole of implementation changes.
Can you give me a concrete example where the GDPR forces you to do a lot of relatively costly stuff that are not worth doing otherwise?
I did. First hire a lawyer to review your GDPR compliance and recommend changes, and also set up an EU representative who can assume liability.
> Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?

Ah yes, the old "all regulations are equal" argument. It should come as no surprise to you that people view safety regulations on automobiles as vastly different than regulations on what a company can do with data about you.

And there are people that think that seat-belt laws are an affront to human dignity. What's the point?

Safety regulations exist because people wanted them, and the same is true here for privacy and data protections. Unless you can convince EU citizens en mass that they don't want the rights and protections afforded to them by this law then it really doesn't matter what anyone in particular person thinks.

Website could be compliant already, but don't want to spend money on an audit that would still be inconclusive as there is no official interpretation of the law.
> then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.

Availability of quality free content is not a problem, the content will just be available from other source.

The big problem on the ads-monetized web today is ranking high enough, and the site that don't want to apply GDPR will just have to compete with the site that do have the extra push the EU market give them. On the advertizer side, they make direct money from content accessibility so they will upgrade their tracker so it is GDPR compliant for EU-traffic with no work from the content publisher. That is a non issue, this is just day one of a big change.

Let's also not paint a rosy picture of the web either. GEO blocking is a common daily reality for people outside the US. Any valuable and popular content is locked already, despite being monetized quite directly (see Netflix, Amazon Prime, ...)

>Availability of quality free content is not a problem

Only if all content on every web site around the world is equal. Which it is not.

If the quality was the same everywhere, and the same content was available everywhere, then people in Europe wouldn't have to go to web sites in other countries.

There are lots of reasons for companies in Europe to need to read the Chicago Tribune (PR clipping service, for example). But the Tribune's content is no longer available to the E.U., and will not be replicated elsewhere for copyright reasons.

As much as I dislike Tronc as an entity, I don't blame it for this decision. Within hours of GDPR going into effect, the lawsuits started flying. That's exactly why some companies decided it was easier to just opt out of Europe.

The question is - the sites that serve massive amount of content (images, videos, etc) - will they be able to cover their costs in the EU without making their apps paid? What about currently free games which rely on personalized ads?
The response to GDPR is interesting. If they are handling and selling your data in ways that are not compatible with GDPR, then you should seriously consider using someone else for that information.
Essentially every publisher that integrates with google might be out of compliance with the GDPR.

Until that gets sorted out lots of sites are going to start doing this out of desperation.

> If they are handling and selling your data in ways that are not compatible with GDPR

Very few businesses actually sell data the way you are imagining and if all GDPR did was ban that business model I would be happy with the existence of GDPR. GDPR is much more than that and this insinuation that every business that doesn't want to deal with this hassle is somehow evil and selling ultra detailed profiles on you to the highest bidder is highly mistaken.

Yes, exactly. Sorry, I've been pasting this in multiple GDPR related threads, but just want people to get a concrete example of this. Here it goes:

I have a profitable, bootstrapped SaaS business. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.

I've been talking to a very well known giant corporation for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses, (various ISO certifications and such) in the contract that I, as a small company, cannot comply. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.

The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.

This is the side-effect of GDPR.

I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.

In 1y every website will have a click through EULA with 20 pages that loads before everything else and doesn't store IPS - and which no one is reading - privacy served. Just when they install from the App store or install Microsoft Office.
"Click here to agree to everything we do" schemes are explicitly forbidden by the GDPR. You need to individually opt-in to every single use case, and you need to consent to every transfer to each individual third party as well.
IANAL

No, coupling is forbidden. A 20 page, non-legalese EULA is allowed if you don't couple acceptance to using your site.

"You need to individually opt-in to every single use case"

No. But I would be happy for your source on that.

You can't change the usage purpose after collecting, but if you declare what you do before (20 pages EULA) data collection, you're fine.

"and you need to consent to every transfer to each individual third party as well."

Yes, foggy data privacy declaration from the past are no longer allowed, but 20 pages EULA, 10 pages with company listings you transfer data to are.

I'd also add a teaser on top with the most important things, like here https://juro.com/#privacy-popup

If Paypal can do it, so can you.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

> Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (1) a declaration of consent preformulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

> In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

I would be happy for your source on that.

It's in the "Guidelines for Consent" document, in "3.1.3 Granularity":

"A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes."

And they give an example:

"Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there is no separate consents for these two separate purposes, therefore the consent will not be valid."

http://ec.europa.eu/newsroom/article29/document.cfm?action=d...

Looks like we're both right, if you base your legality on consent, each case needs to be presented on their own.

If you do not base it on consent, which many lawyers in Germany say you should only as a last resort, you can have a large declaration.

Just as I've predicted, the Washington Post implemented a click-through EULA.

IANAL

You do need explicit consent if you're trying to sneak something in the user wouldn't expect. So if you sign up for cat pictures but the service sells off your data to a dating service, that's surprising and requires explicit consent because the user can't be expected to give informed consent to that by just skimming your privacy policy.

And yet, that seems to be the solution most sites are already taking. "Click here to agree to tracking and continue to our site." Concrete example: theverge.com

Hopefully they will be slapped down for it pretty soon.

The way "theverge.com" does is clearly not compliant, because they track/store IP/... before I give consent. I also can surf without consent.
This is the EU, not the US. This law was specifically crafted to prevent the kind of reptilian behavior that you're describing here. I honestly (and perhaps naively) expect you to understand the source material a little bit better if you're going to make blanket statements about it here.
Always a good idea to include a personal attack in your comment, well done!

Second, my point is not about what I'm doing but about what others will do. I have not and will not work for companies who base their business model on selling data without consent, ad networks or in duping people. I've declined several very lucrative CTO offers in large companies due to their privacy stand.

Third, I'm for more data protection and privacy and removed my Facebook and other social media accounts years ago. I would also not click such EULAs as I do not care about "news" sites.

Nowhere do I imply that you are exhibiting reptilian behaviour, I said that you are describing it. What you could take personally is that I said you should not talk about things which you do not understand (unless it is to ask questions, which I could have added), which doesn't sound at all unreasonable to me. Why you assume that was a personal attack is completely outside of how I can read my own comment.
In 1y every website will have a click through EULA with 20 pages that loads before everything else and doesn't store IPs - and which no one is reading - privacy served. Just when they install from the App store or install Microsoft Office.
Except that won’t help them with the GDPR one bit.

They will worsen their experience and not be in compliance because they are unwilling to actually do the simple things needed.

IANAL but after working on GDPR topics for months with a lot of reading I'd say they would work.

Selling data is still hard to argue, I'd not do that for EU citizens ("tag EU citizens to opt out from selling data"). Everything else should be possible. Using Art 6/1(a) and Art. 7 GDPR you can store most of the data from your visitor. You need to make sure they can inform them about your usage, revoke their aggreement and make you delete it. Coupling ("click EULA or else") is a little bit more difficult, but with clever UI most visitors will accept the EULA instead of opting out, no coupling needed.

I'm sure in 1y publishing systems will provide all of this out of the box.

"Clever UI" (read: deceptive) tricks are obviously explicitely forbidden by the GDPR.
No, not a dark pattern, like LinkedIn, just a "yes" & "no", but if you place "yes" to the right side people will more likely click on "yes". If you space them at the bottom of the EULA, "no" to the left border, "yes" to the right border more people will click on "yes".

This is not something I would do, but my salary is not coming from placing ads on a site and selling personal data. But this is what will happen.

Forcing users to accept a 20 page EULA is not compliant, that's what's so great about this directive. If all you have to do to be compliant is add a new clause to your 20 page EULA, then the law would have no purpose - we're already trained to just click accept when presented with any kind of lawyerese. The whole point is to get away from that.
IANAL

I've not said that this is the only thing you need to do. EULAs don't make you compliant. I've said websites will have EULAs (and be internally compliant) and do everything - except selling - with your data that they do now.

The only real benefit of the GDPR for users is that old (e.g. 2y) data needs to be deleted and companies can't keep your personal data 10y for future use cases.

But you can do most of the things you like with consent and if you do not couple it to your offer.

But the GDPR does not prevent any business model or collecting any data as long as there is consent, you are transparent, you can export the data, consent can be revoked and data can be deleted on request.

That's not the only real benefit. The strongest benefit is that all tracking and sharing of collected data is made explicit to all users in plain language and now requires explicit opt-in. Before this directive, companies could just hide that shit somewhere in their EULA. It's this practice that's being regulated.
(comment deleted)
GDPR does not have the full force of law in Iceland but yet I am blocked. Not that I will miss those publications.
That's so strange, in Norway, I can still load LA Times.
(comment deleted)
I wouldn't be at all surprised if they were caught off guard on GPDR. There are some who seem to feel that the pending deadline was universal knowledge, but I don't think it was for many of us in the US. I hadn't heard of it until the recent Monal kerfuffle here on HN.
What else can they do when they have this laundry list of tracking scripts on a front page:

https://i.imgur.com/hKEItPS.png

They obviously have NO idea what's being collected on every user and how it is being used.

That’s the whole point of GDPR, selectively kill the web businesses they want. BBC will never be concerned.
If those businesses are heavy shadow tracking/ads companies which don't even know which user data are they collecting, to who are they sending them and for which final use, man, I am so damn happy.
This reads to me like a warmonger justifying innocent casualties. Surely you don't believe this only takes out the bad do you?
> This reads to me like a warmonger justifying innocent casualties. Surely you don't believe this only takes out the bad do you?

How would it take out GDPR compliant websites? It they're not complaint, they're not exactly "innocent."

Because the risk and costs of compliance are borne by all, not just the non-compliant. I would hope that "but laws only affect the bad guys" or "if you're doing nothing wrong you have nothing to worry about" would no longer be reasonable arguments these days.
> Because the risk and costs of compliance are borne by all, not just the non-compliant. I would hope that "but laws only affect the bad guys" or "if you're doing nothing wrong you have nothing to worry about" would no longer be reasonable arguments these days.

That's like saying that drug regulations are bad, because all opiate producers take on "the risk and costs of compliance," not just the street pushers.

The whole point is to actually raise standards for all of society. What you're criticizing is enforcing higher standards than the current status quo.

If you had used drug laws, e.g. marijuana laws, in your analogy it would make more sense. They think they are raising standards too. It's not about what the point is, it is about the implementation. It's so tough to have reasonable discourse about the topic because if you are against the approach people think you are against the whole point.
Turns out I'm very fond of the selection algorithm. I feel a weird satisfaction of becoming the hunter after years of being prey.
Ironically, imgur shows a wholly non-compliant 'when you click yes here, you agree to all our default opt-in tracking, storing and sharing' popup when you open that link. But I have to give it to them - when you actually go into the scary-looking part, they do spell out in detail in what ways you're being tracked.
Alternatively there's this: https://eu.usatoday.com/

No ads, no tracking, no cookies, not even Javascript. Just plain HTML+CSS and JPEG images. The whole front page is around 650 KByte, and by far most of this is in the image files. As a result the page looks very clean and loads very fast.

This is what all news web sites should look like, not just for EU readers (although I fear that this is just a temporary solution until they've figured out that whole GDPR thing...

And how can be a business sustainable in this way?
People will actually visit the site... so they get traffic. They could then advertise to through more creative, less user-unfriendly ways (besides having giant ad networks that store tons of user data on each person, along with 20 different vendors’ trackers to make sure each department gets the same data about each user in a very slightly different way).
One way to think of it is that “a business” is not “a user tracking, ad targeting website.” Whatever the business is, it’s not equal to the website, which is just one means of distribution of information or content.

If the business was so predicated on user tracking and selling that data or using it to target ads, I think GDPR (in spirit) is saying “that’s not a business” and requiring a greater form of transparency and informed consent before a website can inflict that on a (possibly unwitting) user.

I’m not trying to say this point of view is right or wrong, just that I think there is a spirit here in the intention of GDPR to say “that’s not something we’ll allow to be called a business model.” (Obviously it doesn’t fully go that far, but it’s the idea.)

It’s not that different in spirit than regulating usury or payday loan businesses. If your business model profitably works only because it preys on people, the spirit of the regulation is to say, “that’s not a business model,” and regulate or disallow it. Usury laws in the case of excessive short-term interest rates; GDPR in the case of excessive user tracking and data privacy concerns.

So when you ask, “how can be a business sustainable in this way?” it sort of has the wrong premise.

Instead, if the business could not be profitable without this then it wasn’t actually ever a business— rather it was some other data exploitation entity, and the lack of an alternate way to be profitable in compliance with GDPR is a signal that the entity was unable to determine a way to exist without causing the kinds of harm that GDPR aims to prevent.

Again, I’m just trying to represent what I think the spirit is behind the GDPR choices— not saying they were right or wrong.

And how can be a business sustainable in this way?

By not building their entire business around ads and tracking.

People have tried lots of other stuff in the last 10-15 years, it was not sustainable (micro-transactions never took off, subscription-based newspapers are the exception rather than the norm etc). I'm personally fine with newspapers like the LA Times collecting and selling my personal data as long as I can read articles for "free" on their website, I think it's a pretty fair deal.
Part of the reason for the failure of those other models is their need to compete with an exploitative ad driven model. When you remove the lowest common denominator, you make it is easier for the market to accomplish something better.
i.e. "It's easier for horses to compete with cars if you set the speed limit everywhere to 5 miles per hour."
i.e "It's easier for car manufacturers to build cars if your remove regulations on safety or pollution"

i.e "It's easier for employers to produce cheaper products by exploiting their employees if your protection of labour is on the level it was 1850"

> i.e. "It's easier for horses to compete with cars if you set the speed limit everywhere to 5 miles per hour."

I think that elides pretty important aspects from the equation. In reality, it's more like: "It's easier for Bill-brand horses to compete with John-brand horses; if you ban the steroids, amphetamines, and cruel practices John uses to get his results."

And the other part of that failure is people don't want to pay for content, games, etc. They want it all to be free.
I have never, ever, ever seen a single reputable source to support this claim. As far as I can tell, this is just something that people blindly repeat to justify their exploitative business models.

On the other hand, there's quite a lot of evidence of successful businesses operating on a subscription model because they provide a good value proposition. Which leads me to conclude that your claim is simply false.

Also relevant: https://membershippuzzle.org/about/

I've never felt exploited by advertisers. Nor do most other people, otherwise they would keep their internet usage to a minimum when what we see is the exact opposite.

Please stop attacking services and sites that hundreds of millions or billions of people find useful because of your own over the top histrionics.

There are more histrionics in this reply than the person you’re responding to.

The parent makes an excellent point: it’s easy to argue the other models (micro transactions, subscriptions, paywalls) failed because they were in competition with an industry that has safely operated with little to no regulation for a decade or two.

The ad industry in this situation has an insane advantage because it can make money from end-users without them even being aware that they are involved in a transaction. They don’t have to see a banner ad in order for dozens or hundreds of other businesses to learn about them.

There is no explicit contract between the website and the user in the way that there is when you agree to pay the business money in exchange for the value it offers.

So GDPR levels the playing field by removing that advantage. If an advertiser or another business runs above board they don’t have a problem. More to the point, if they can convince a user to opt in, then they have a serious value proposition to the user too.

Advertising itself is an easy and almost fallacious target. People know about adverts so they use Adblock. People have no idea what a business will do with all of the data that reaches their servers without any JS required.

Most users on the internet are completely incapable of understanding what tracking even means. Those users, therefor, can not consent to that tracking in an informed way.

Those users need to be protected.

If payment is optional then you are only likely to hand over money out of principle, or your own personal values.

I don’t think it’s as simple as finding the same news elsewhere for free though, or accepting this level of data collection, or subscribing to every site with micro transactions.

I would pay to use HN if the articles I clicked through to (or upvoted, or engaged with in the comments) got a piece of the pie. I’d pay a fair amount because I get a lot of value out of the aggregation and community HN offers. There’s no obvious allegiance to a particular perspective on life so one day I can enjoy a spiritual read and another I can learn about baking bread. I’m not only challenged, my curiosity is being piqued. It may be that HN works this way because there is no direct profit motive in HN itself except to point budding startups to Y Combinator.

I’m unlikely to pay an individual publication (say, The Guardian) because such publications have a specific editorial viewpoint, and more often than not it’s going to be the point of view that supports my own. My money is wasted on an echo chamber that makes me mad about the state of the world.

Neither am I likely to pay a publication that I persistently disagree with because our values are incompatible. I might read them if they have something profound to say but I’m not going to commit to them for that.

So maybe there’s something in a co-operative effort where the community collectively funds the content it engages with. But rather than it being an individual thing like with Patreon or individual subscriptions, it’s a pool you contribute to in order to participate further in the community.

I might be exaggerating, but you can say the same thing about environment protection laws, anti-slavery laws, worker protection laws etc. They made some businesses unsustainable too.
Everything's fine if they add generic, non-targeted ads that are completely under control of the news publisher, hosted on their servers, don't track users, don't use cookies. Just like print media and TV does since forever.
The problem is that those ads could not be pay-per-click because you need cookies, javascripts and other tricks to combat clickfraud and impression spam.

If that USA Today site sticks around and adds advertising, it will presumably be low quality inventory like the internet used to be flooded with - casinos, punch the monkey etc.

Ohh I didn't know the EU just outlawed internet ads, TIL I guess. /s

I can't stop laughing at the stupidity among americans

Is it reasonable to attribute ignorance of laws on another continent with stupidity?

Is nobody outside of America ignorant of these laws?

Also, how much of the internet technology and content you use and consume was created by Americans? Probably quite a lot.

Why so rude?

Cookie & javascript aren't forbidden...

You can have sensible context-sensitive advertising without problem with GDPR. You just can't target a specific reader using its behaviour

As I understand, you still can use cookies and IP addresses, but you should not keep them for long time and should not give those data to Google and Facebook. Do you really need to track user across all the Internet (like Google and Facebook do) and keep that data forever, buy and sell them to data brokers? Definitely not.

I don't want data about me to be someone's asset. I want an Internet shop to delete data about me as soon as possible after I made a purchase. That's why I want GDPR in my coutry too.

No it will be high quality, like an astronomy magazine negotiating a deal with a telescope producing business.

The shitty early-web ads were already a result of shady 3rd-party ad networks selling private data.

Does a paper magazine need to run unsavoury ads? Because they don't have pay-per-click. They don't even record impressions, they have to negotiate the deal beforehand with the advertiser.

I have no answer to this, but the targetted ad business has driven traditional news outlets/traditional ads out of the market almost completely, so I think it has no good standing to ask for protection. In fact, I think GDPR proponents will welcome the collateral damage to targetted advertising.
Media businesses can introduce or grow subscription revenue, reducing reliance on ads.
You can still have ads under GDPR. You can even continue to track people, you just have to ask consent and not doing it behind user’s back.
And as I understand it you can't punitively restrict access to the service for not consenting to that tracking.
And then you can still have ads, just not track them.
Replace ads with sponsored content. They still will get money for ads, but they even will save money because they get free content. /s
By hosting non-tracking ads. Like they used to be before Google started this whole profiling menace.
They can even be dynamic. Filter on location, uplink/computer speed, screen size, browser etc. None of it requires storing data.

Adtech might move to correlating all these things + the website visited to target particular demographics.

They can also be quite smart. What was your referrer, what's your user flow through the site, what do similar users do when arriving from the same pages and searches? What time of day is it for the visitor?

ie: figure out why they are doing what they're doing and direct them to ads that capture that intent.

I'm not certain but much of that sounds like the kind of information GDPR doesn't let you use like that.
The only reason that IP address logging is a problem is that ISPs could theoretically cross reference with subscribers leases and identify them.

I think this much vaguer stuff will be fine.

Why? None of it requires saving info on an individual server-side. As long as you don't do that the GDPR doesn't even apply to you.
Did you use the internet back then? Do you remember what online ads were like before AdSense?

My god. They sucked so hard! AdSense was a revolution.

AdSense was definitely a revolution in many fronts, especially because it enabled small sites to start earning a decent income. And for that we'd be eternally grateful to Google. On the other hand Google back then didn't have the variety of products they have now so profiling was much less intrusive.
It wasn't privacy invasions that made the ads better, it was Google making the process easier. Instead of dealing with shady smaller networks, or individual sites (which only businesses that extracted high value from online presence could afford, e.g. gambling,) any business could then easily and safely publish their ads widely. That is not going away, and advertising in the EU will still exist.
of course not, there will be more ads. EU developers are not going to just shut down their websites, and there arent any better european ad solutions.
I have used an ad blocker for the last 10+ years. I don't know how Adsense has improved my internet experience, and I suspect it has had no effect.
adsense ads have not changed much since 10 years go. it had a huge effect compared to 20 years though.
I keep seeing this argument. But the reason I don't see this happening is the giant amount of fraud out there. Sure ad fraud is an arms race, but if you can't do js fingerprinting, cookies, etc it would be impossible to verify ad impressions are real humans, not bots. And actual clicks from real humans would be impossible to differentiate - not coming from the same bot clicking over and over again (can't store ip, cookie, etc I'm not sure how you'd distinguish).
Sure you could store IPs, as you can also use cookies. I think there's a hysteria regarding GDPR. It won't break the web. Perhaps we need to give it some time to settle in and then draw our conclusions.
To fight fraud you can use some short-term temporary tracking without saving data for a long time, without linking cookies and IP to email or real name, without exchanging data with other companies (like Google), without buying or selling data to data brokers.

To show ads you don't have to report about all of your site visits to Facebook and Google.

Hopefully what will happen is that it will be more expensive to advertise and publishers will earn more on dumber ads

Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.

That's a sad outcome.

I remember the tedium of non-targeted advertising---it's what ultimately pushed me away from most traditional print and broadcast media and online. Targeted advertising occasionally brings me information I actually want; non-targeted advertising feels like such a waste of everybody's time.

I hope someone takes on the experiment of opt-in GDPR compliant ads.

Targeted advertisement can be done if the user is entirely in control of the data and the consent process. No one would be against that. This is a technical problem that can be solved, there was just no incentive to do it. Now perhaps there is.
It would be nice to give people the option. I personally would love everything to be free, and show me ads instead. I don't see how my integrity has anything to do with it.
>Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.

I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today. What we truly need on the internet is data gated behind pay walls to protect important information such as which facebook groups you clicked like on.

I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today.

A lot of them are poor, because we don't want to pay a decent amount for the products that we consume and instead rely on people working in sweatshops in third-world countries.

You don't solve poverty by giving them 'free' products that require them to give you all their private data. You solve poverty by giving people a decent wage, so that they make these decisions themselves.

This is a false dilemma. There's no reason we can't both work towards better wages for everybody and support cheaper services for poor people in the meantime.
So us having our right to privacy using paywalls, means that we deprive those less well off of valuable information. Or everyone forfeits their right to privacy for free stuff. I'm sure there's a middle ground here.
Probably not sustainable as an ad supported business. We may see a bigger push to a subscription based model—-one many people have come to hate, but was one twenty years ago people paid $10-30, mo. for the subs to their favorite daily.

Now sure those prices were subsidized by ads. But they can still use utargeted ads, in addition, cost of the “medium” and distribution is much lower.

> And how can be a business sustainable in this way?

There are millions of businesses around the world that don't give a fig about European customers or the E.U. Hurts to hear it, but it's true.

They manage to survive an thrive without any interaction with anyone in the E.E.A.

It's a very European thing to think of the E.U. as the indispensable center of the world.

It works both ways.
You are correct. That's what makes visiting another country/region fun for many people. They like to explore and encounter things they don't have available to them where they live. Otherwise, why leave home?
Decide if you talk about not giving a flying toss doing business or visiting for fun and leisure.
> It's a very European thing to think of the E.U. as the indispensable center of the world.

Huh? Culturally, that has absolutely not been my experience - quite the contrary.

In the case of the GDPR, it's simply a matter of "if you can't respect our citizen's basic rights, then we don't want to be doing business with you".

That has nothing to do with considering the EU to be the 'center of the world', and everything with setting the conditions for trading with it. You can either take or leave those.

There is no fundamental right for a business to be "sustainable" if it hinges on being able to sell off my personal data to 3rd parties. That is almost literally what this law is about.

You sound like the other people complaining "you know how much money I have to spend on lawyers to ignore this law??".

US users who want the same, lovely, experience can route via Europe (for now).
I just did and it's such a fantastic user experience.
(comment deleted)
There are ads. Just above the footer - 'Ad Content by Taboola'. I am accessing it from India.

Edit: There many other ads as well not just from taboola.

Those ads are on www.usatoday.com, not eu.usatoday.com.
Right, but it seems Americans (and probably everyone outside the EU) are being redirected like the parent. I was, which is a shame since I’d love to see that version of the site. It’s almost like a good unintended consequence of the regulation.
That looks fantastic, I would actually read USA Today if this lean site sticks around.

If they want to monetize, publishers should control their own generic ad inventory (like they used to in old pre internet days) and ask for opt-in if you want customization.

Easy on paper but hard in reality.

I call BS on this. You’re going to read a publication because of the relevance and quality of the content. USA Today Europe will no longer have metrics to sell advertising which may then force them to dial back on their writers salaries.
You're right that people don't read publications because of the layout, it's all about the content.

Still it's hard to deny that the (presumably temporary) EU site is a much nicer experience. It's certainly faster.

They have plenty of metrics on the ads still, just not on the users. It's not going to be an issue to see how often an ad is shown, they just don't know if it's relevant to the reader. The good thing is that no they have a way of measuring the effectiveness of targetted ads, because the entire EU is available as a control group.

For a newspaper, like USA Today, I honestly doubt that targetted ads convert much better than random ones. EDIT: Random or based on the content of the article.

This is, I think, a great illustration of the problems with a lot of economic reasoning.

Sure, maybe that's exactly what would happen, but changing one variable in a toy model is not proof that it will.

There are successful news sites that do just fine without becoming relentless clickbait optimization mills - and in fact, those are exactly the sites I tend to read. Two examples, so we're talking about something specific: talkingpointsmemo.com and techdirt.com are both daily reads for me.

TPM is, for want of a better term, the more advertiser-friendly of the two, but it intentionally works fine with ad blockers. Techdirt is probably well-known to most folks here.

The other commonality is that both of them work hard to not be enslaved by the adtech surveillance machine - they both have non-ad revenue streams.

And I think that is the real trick missed by overly simple reasoning - even when it is correct (and it is, frequently), it obscures more than it helps. And somewhat more nebulously, I think it trains people into a way of thinking that blinds them to options. After all, if you "know" you can't reduce your surveillance metrics below industry-average intrusiveness, you won't look at possibilities involving doing so. Instead, you'd look at additional non-ad revenue as "more and better" and do both - thereby losing me as a potential customer.

Is that a good tradeoff? I don't know - and that's the point. These are much more complicated questions than econ 101 will guide you through.

> it trains people into a way of thinking that blinds them to options.

It's also a dilemma of sorts. If you stop running ads, then there is one less outlet for them, which means rates for all the other outlets are likely to grow. If enough people do it, the few players left will make very good business. Would you rather move out, risking your livelihood on experimental business models, or stay in with the devil you know, ensuring nobody is going to do better than you?

To demonstrate the way it blinds people to options:

What you mean is running 3rd party ads via ad networks.

It's perfectly feasible to show an image that links to some advertiser's site for a negotiated fee. This is the equivalent of a paper magazine with advertisements. Not renting out injection points to executing whatever foreign code on their visitor's devices.

My ad blocker won't even block it (well not by default, and only as long as you play nice, it's not like online advertising has any goodwill left over, or ever acted to deserve it).

"This site does not collect personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our Site from the European Union. We do identify EU internet protocol (IP) addresses for the purpose of determining whether to direct you to USA TODAY NETWORK’s EU Experience.

This site provides news and information of USA TODAY NETWORK. We hope you enjoy the site."

Colour me impressed. I sincerely hope it catches on.

I was surprised when my adblocker didn't bleep once. This is like looking what the internet could be. It could've been great.
Of course, that vision of what the internet could be never really answered the question of where the money was coming from to pay for the servers that are delivering that content.
Or how to pay the people who create the content
It seems many people think content worth enjoying is somehow created and delivered freely.
It always was.

In the 90s, the N.Y. Times was $1 in my city and the local paper was $0.30. That covered paper, distribution and ink.

The ads paid for it, and I think the ads were more effective. IMO online ads are mostly fraud and bullshit.

Mmmm... and what about non-targeted ads ?

I mean: GDPR didn't forbid money. Not even advertising. Only using personal informations without explicit consent... Please, don't be too ridiculous and stop watching FoxNews :-D

There's not even anything wrong with targeted ads!

Behavioural targeting is fine!*

Contextual targeting is fine!

*In many circumstances.

Look at it: that's an RSS feed, basically. They could have had paywalled feeds with a standard payment system that people could write clients and aggregators for. No ads, just subscriptions.

The irony is that we'll get there, eventually: Apple and Google are slowly agreeing a payment system and then they will push it into the browser, and everyone will use it.

If the payment system allows for microtransactions (and, ideally, allows for ads or alternative payment methods for people who don't have the cash to be micro'd), we get a worldwide web somewhat shaped like the one we have today. That seems similar to what Google is pursuing with Contributor (https://contributor.google.com/v/marketing).

If we just do big-dollar monthly or daily subscription paywalls, we end up with a Balkanized web where I can't read the article you're reading unless I pay for it. That'll significantly change the way interactions happen on the worldwide web.

USA Today originally distributed their advertisements on paper without any user tracking. I don't see why advertising without tracking is so unthinkable today.
People paid money for USA Today, and people looked at more advertisements in print papers.
I'm of the opinion that at some point USA Today had demographic data on it's users. Maybe polled directly, or based on a list of names in their subscriber database cross referenced with some other database.

The idea that "user tracking" is now happening on the internet and not in print isn't true. Yes, internet tracking can follow you specifically, but that's because the systems have gotten faster and more connected.

This was true for a huge number of newspapers - user data was an enormous part of the ad business in the print days as well, and has some striking similarities to what happens today online.

Back then it took the form of the subscriber database as you suggest, and was used to help target and sell ads in the paper. The print industry often "sold" the subscriber list in detail to prospective advertisers to demonstrate the potential reach.

Losing detailed subscriber data was one of the primary objections many papers expressed to Apple's app store distribution model which can effectively render readers anonymous, as this was apparently one of the most valuable things they had.

Because it is two orders of magnitude less effective. Putting an ad for a blender in front of someone recently searching for blenders is 100x more effective than putting it in front of a random person.

This means the revenue they can charge for that ad is 100x less, which means that any sites without massive, massive user bases will perish, and those that survive will do it on a pittance.

Servers are pretty cheap these days, and always getting cheaper. It's the staff salaries that are the real cost.

I think Patreon has the only good answer so far. There are multiple people on there that make top quality content and earn good money from it.

It's probably not an answer for every industry.

It takes many more servers to deliver a 200mb page than it does a 600kb page
You're aware that this is precisely how the web (successfully!) worked before it was taken over by marketing interests, right?
And it was funded by universities and a defense department project. Once we got the private sector into the experiment, it needed to pay for itself. Bandwidth isn't free, and neither is content creation.
Apparently, WashPo prefers a more coercive method: https://www.washingtonpost.com/gdpr-consent/

Either pay or sell yourself.

A gamble they might lose if people just stop sharing and click Washpo articles, but a possible route if others follow suit.

Meanwhile, NPR goes more hardcore than even USA Today: https://text.npr.org

I wonder, does that mean EU users are just a nuisance costing traffic, or that all graphics are tracking visitors?

What it means for me personally is that The Washinton Post as well as the NPR can't be relied upon for reporting news, since they are apparently unable to even marginally interpret a legal document aiming for clarity and instead channel their incompetence into snarky behaviour that still isn't compliant with the GDPR.

To wit (washpo):

"You consent to the use of cookies and tracking by us and third parties to provide you with personalized ads"

Where is the "No I don't. Just give me regular/random ads" button?

and,

"Premium EU subscription" "No on-site advertising or third-party ad tracking"

There's nothing specifically EU about that, in fact, it sounds like a good service to offer to all your readers. But still, there's a big difference between on-site advertising and third-party ad tracking, and that difference is at the heart of the GDPR. A half decent journalist could have figured that out. Maybe that's their real problem.

But most importantly, and frighteningly, instead of these two stunts being knee-jerk backlash reactions, maybe they're serious and most data-peddlers aren't shady figures in smoke-filled backrooms, but simply the fourth estate en large.

What's NPR doing wrong? Are they redirecting to the text-only version for EU IPs or something?
I looked at it with an EU proxy, it gives you the choice to either consent or go to the text-only version.
They may have just done that as a cheap and easy way to comply with the new regulations while they wait for the dust to settle. Especially since the text-only version already existed.

Also, I wonder how much of Washington Post and NPR's revenue comes from Europeans. It might not even make sense for them to spend resources to be more precise in their compliance.

for what it's worth text-only npr has been around for a while now
> Either pay or sell yourself.

What is your preferred third option for content that costs money to make?

(comment deleted)
There are a ton of great business models for financing content that do not require smart ads or the kind of tracking we see today. They are not as exciting but ... tough cookies.
Yes.. it’s called charging money... Which some are mad about which is ridiculous.
I did not judge what method they need to employ. I merely dubbed what they chose as coercion.

That said, ads in general do not require personal information, only targeted ads do. But trackers also trade in such data, collect it, build profiles as a service, etc.

We will see whether their choice pays off or whether the competition like the NYT will gain some new regulars.

How exactly would one expect this to stick around with no way to monetize it?
Why exactly would you want it to stick around if it can't sustain itself without selling my personal data to shady 3rd party ad networks?

Just because it's been useful doesn't give it some unqualified right to exist.

If you view that from the US, it redirects to the US site, full of Facebook crap.
Glad you like the ad-free, high quality content. How would you like to pay for that?
Nah, this works the same way pharmaceutical drug development works: US citizens pay and everyone else gets the benefit.
In the mid-term I'm glad to be subsidised by American users who forego their privacy and are willing to get served a lot of ads.

In the long term I would be happier if we'd all be treated with equally high privacy standards and pay for the content we consume. For that to happen we only need one thing, Americans and their legislators need to start valuing their privacy too.

>https://eu.usatoday.com/ is fantastic, loads instantly, no clutter, smooth experience, I love it.

I am willing to believe it to be someones idea of sarcasm, lets strip our website of all the "goodies", give viewers poorer experience and watch the cries!!1 Except its actually better, and I wouldnt be surprised if it vanishes really quickly once they realize it backfired by reminding users how fast and clean web once was.

It force redirects me to www. on mobile for me :(
Same. But with adblock the USA version is a light page anyway.
Safari on iPhone in private browsing seem to work here..
Sure, it's great until the whole thing is shut down because there's no funding.
Surely the greatest innovators in Silicon Valley could focus on creating sustainable business models that don't rely on data harvesting? Necessity is the mother of invention.

Might be a little more lucrative than juice bag startups.

They already know the answer to that: direct charges and subscriptions.
But it's also great if the whole thing gets shut down because it finds itself to be unsustainable without harvesting my personal data and selling it off to third parties.
(comment deleted)
I forgot that websites can load this fast, this is incredible. Not on mobile though
The most interesting part of that website is its certificate. It includes 342 different news websites domains. There are many duplicates for the wildcards, but even 171 is a big number.

This just shows us how big and influential the media giants are becoming.

Wow, you just made my day. It's so fast. I don't think I've ever experienced such a fast latency in a nontrivial website. I was around since the NCSA Mosaic times and I remember a much simpler Web than today, but at that point computers and connections were rather crappy so it wasn't that fast either.

A pity I'm not from the US so most of the news aren't that interesting to me, I hope some European news outlet follows suit (although it won't happen).

>No ads, no tracking, no cookies, not even Javascript. Just plain HTML+CSS and JPEG images.

Are we viewing the same page? Not only do I see JavaScript in the EU page, but I also see this in the code:

"trackingServer":"gannett.hb.omtrdc.net"},"market":"gpapermobileapp","trackingServer":"repdata.usatoday.com","trackingServerSecure":"srepdata.usatoday.com"},"ads"

it certainly does not like it if you attempt to visit with ublock or some other combination of what I run, all *.usatoday sites only come as

found an invalid character in header value

for me

The speed of this EU site is refreshing.. reminds you of using cable modem for the first time.
I'm in the UK atm. I just took a look at CNN.com, and uBlock is still blocking dozens of trackers there. I disabled it to see if I would get a GDPR consent popup, but all I saw was an accept cookies notification, nothing about the dozens of third party trackers on the site, other than some sparse information. There is no way to opt out of them, and there is only an “I accept” option on the accept cookies box. So CNN is not GDPR compliant, even though they've been running stories about it recently?
What about EU citizens residing outside the EU? Banning visits from EU aren't avoiding the GDPR problem.
I don't think they are protected outside the EU.
The GDPR is about EU residents, not citizens. You don't need to be a EU citizen but you do need to be in the EU at the time.
...and little of value was lost. American news sites are overwhelmingly filled with nonsense.

But really, I’m surprised they even bother to block EU users. Not like the GPDR can really be enforced in the US.

Well we still have HN, even if non-compliant.
Why is HN non-compliant?

They use Cloudflare which has gone out of their way to be compliant (to the point of offering US citizens and the rest of the world the same protections as EU citizens), and nothing else is included on the page that could track you (check it if you don't believe me).

You can anonymize your profile, you can edit it and you can use one of several services to get your data out. On the whole it is pretty good.

AFAIK you can't delete all your messages on HN, nor even delete your profile. They also do fingerprinting, or else how can they detect people with multiple accounts?
> AFAIK you can't delete all your messages on HN

Not in an automated way. Have you asked the moderators to remove all your messages?

> nor even delete your profile.

You can anonymize it.

> They also do fingerprinting, or else how can they detect people with multiple accounts?

Who says they do?

Or is that written from personal experience?

Note that 'for the purpose of running the service' is a lawful basis for processing.

> Why is HN non-compliant? > They use Cloudflare

Just the fact that you use some GDPR-compliant service doesn't mean that your product is GDPR-compliant. Because your product has to make sure that it stores, processes, removes, rotates etc. personally-identifiable data in a GDPR-compliant way.

E.g. HN doesn't offer a way to request the data they have on me, or to delete my account. This is not GDPR-compliant.

It only "doesn't offer a way" if you write an email to HN and they refuse to do it, or don't answer. I haven't requested that myself, so I don't know what answer you'd get. But I think, unless there's evidence that someone's got such an answer from them, it would be wrong to assume they won't/can't do it.

Deleting data etc. doesn't have to be automated i.e. with a button to do it. Writing to them and them doing it is sufficient.

Spot on. That's exactly how it is. It would be nice if the GDPR mandated automated procedures for all of the above that are no more complex than it is to sign up and post in the first place. But that's not quite how it works. There are such requirements in some of our laws with respect to signing up and cancelling paid services.
Do they have an EU representative? Then non compliant.
they have a public api/funnel to random services, can't edit data / can't download / delete my archive. their privacy policy is not updated, no cookie notice. i was fairly sure they used google analytics but it seems they removed them

Some people say that their use of <table>s and inline styles is a punishable offence, i beg to differ.

Is blocking a legal way to comply with gdpr? Surely you can’t identify all Eu-ians? Does the law just care that you made an effort to block them?
Yes. Intent matters. The website is showing that they do not want EU visitors as they don't want to deal with the high cost of GDPR. If an EU visitor manages to bypass this restriction in some way like a VPN then they lose their EU protection as they are hiding their identity as a EU citizen.
Its almost like they didn't try, due to making so much money selling user data. And blocking EU users is a childish attempt at protest. Places that DID respect user data to begin with have not had to do this. Which makes me actually wonder what horrors are going on with data we dont know about.
I am worried regulations will make the Internet more geographically fragmented. The best thing about the Internet is how it captures the long tail. A random person in Slovenia can read a local news site in Kansas if they wish. Even if spending just one minute of effort making itself available in Slovenia would be a loss for said news site. The Internet is by default global and everything is available to everyone. It takes extra effort to block regions, but I'm afraid regulations will make people spend that extra effort.
There's no scenario where the 'open' Internet doesn't rip apart.

Globally there will be dozens of GDPR type regulations, and that's just covering privacy. There will be a lot more for economic rules, cultural rules (eg governing speech), etc.

Want to operate a service in 100+ countries? You'll have to comply with thousands of rules. Only giant companies will be able to do it. It's already extremely difficult to do. In the physical goods world, generally only very large companies can operate in 100+ countries; that's exactly how it will be for Internet companies in the near future.

In the case of the US, there will be an immense advantage for tech services & sites. I can make a lot of money on ads just in the single large US market, far more than necessary to support a global operation. I can then project out into the rest of the world, without concern for complying with everyone's individual rules (unless it makes economic sense). For those localities to stop me, they all have to implement draconian Chinese-style repression of their people and what they can see online (which most will not do).

I really think the EU guaranteed US tech dominance with this law. How many months of work did the EU just add to getting out an MVP? How are EU startups even going to do AB testing to improve their product without collecting user data?
I suggest you actually read the GDPR (for legislation it's actually quite readable) before spouting off nonsense like this.

>How many months of work did the EU just add to getting out an MVP?

None.

>How are EU startups even going to do AB testing to improve their product without collecting user data?

The same way they always have.

Huh? Seems the opposite to me. US startups are the ones balkanizing, meaning home grown solutions to the EU will come about, ending US tech dominance.
Explain to me again how this won't functionally turn into the EU version of FOSTA?
Honest hypothetical question... my website is in the US, my servers in the US, why would I care about the GDPR?
Does your website serve users from EU region or do you intend to block incoming traffic form EU? If you serve them then you might want to collect some data points about them. It is like being on the internet you are by default given a chance to operate business (website in this case) in whatever country a user access your website from. You are not going to open a franchise in Germany and not abide by their local laws concerning about German shoppers right?
This is an insane argument. So now by having a blog, I’m under the jurisdiction of 200 countries and countless other small jurisdictions? What happens when they all contradict each other? Or when I can’t tell what jurisdiction a user belongs to? Or when they pass crazy laws like anti-blasphemy or demand half my revenue, or whatever?

I don’t think you’ve thought this through.

> So now by having a blog, I’m under the jurisdiction of 200 countries and countless other small jurisdictions?

Guess what? You already are. For example, if you insult the Thai king on your blog and you visit Thailand you can be prosecuted. This has happened.

Of course, you can't be extradited for this. But if you are a notorious online controversialist you should be careful where you travel.

There’s a difference between actually being under the jurisdiction of a government and them claiming that you are. My contention here is with so many people claiming that I should care as a matter of morality or something. That the EU’s claim here is right and just. Under that logic, so is Thailand’s. Is that really the world we want?

Obviously if the EU has some enforcement mechanism, I should be cautious, even if they’re in the wrong (like Thailand). But they don’t have any actual enforcement mechanism, so this just seems irrelevant to me.

So, you're saying if someone from Saudi Arabia sees a German website that shows a woman's bare knees, that the German site will have to pay Saudi fines?
The fans of this law seem incapable of separating its intent from the practical realities of the underlying principle it introduces. Namely, that every website on the internet is now subject to any laws by any jurisdiction in the world (down to the city level) because some subject of that jurisdiction might visit their site. It’s insane.
Fast Forward 10 years: "and that's how decentralized internet was born"
Did you just compare a data privacy law with some hypothetical obscure privacy law? Amusing. Per your analogy, if German website still wants to be shown in SA then either they get SA govt on board with w/e content they are serving (bare knees in this case) or they stop traffic coming in from SA altogether or they simply comply with SA local laws and censor content (bare knees). You should do some research on how US based website show content in Chinese region.
By any means I am not a fan of GDPR.
That's China doing the blocking... You're saying I should have to perform custom work for a legal case that I'm not under jurisdiction of.
The US and EU have a good relationship. The EU can (probably will) use international law to hold you accountable and the US is likely to comply.

EDIT: you is the hypothetical you. If the EU targets you then they will use international law to do so.

Ha. You’re insane if you think that the US Congress is going to start letting 28 agencies in the EU start fining small businesses that have no EU presence whatsoever. The political ads write themselves.
I guess the question is what does the EU value more, privacy or their relationship with the US?

I don't have an answer but I suppose we'll find out soon enough.

I have an answer: no way is the EU going to cut ties with the US over this, and no way is the US going to let the EU trample their national sovereignty by letting regulators start fining small businesses with no US presence because some EU citizen sent their data INTO the US. That’s ludicrous.
Enforcement in practice is almost certain to be "at the edge" with things like payment processors and ad networks that have direct business operations in the EU and are easy to demand third-party compliance from.

If you literally don't do any business with EU entities, even at arm's length, enforcement is going to be impractical and unlikely.

I also believe this. If you run a side project by yourself and you don't target EU users directly, but might have a few, it most likely won't be worth the effort to actually follow through on enforcement.

However, that seems like a very arbitrary line and governments love to waste money.

If you plan on doing business with EU entities at any point in the future there could be risk
yeah.... that's gonna happen
(comment deleted)
Look at it this way: "my website is in the EU, my servers are in the EU, why would I care about DMCA?" The truth is that if a company had a way to discriminate their EU users without any possibility of failure they could only apply these things to them but that approach has proven to not be cost effective.
I'm not aware of all the details, but is the answer to your question "you wouldn't"?
You shouldn't, unless you plan on doing business in the EU.
if you don't deal with EU customers (like if you don't sell ads to EU advertisers), you don't have to.
You should ask an attorney, not take random advice from the internet.

But since you asked, here’s some random advice that HN will hate but can’t refute: you should ignore it. You shouldn’t misuse user data, but that’s always been true. But you shouldn’t worry about the latest laws or regulations from any countries that have no effective jurisdiction over you, even if they claim to. If New Zealand sees a blog post of mine that they dislike and sends me a bill for a $100 fine, it’s going straight in the garbage. There’s nothing they can do. Same with the GDPR.

Don’t misuse user data, ask an attorney, you’ll be fine.

Frankly, I don't really collect user data that isn't effectively public... I've run a telnet BBS and thinking of throwing it up again, and like most developers have a few ideas on creating something. I don't do metrics tracking, but might throw up something like google analytics, or even adds in a game/web-app.

In the end, I frankly don't even like using passwords, I'd rather just have users use SSO from one of so many provider options. One of my criticisms early on of FB is they didn't have an early option to JUST get the real name and email address of their users. That's all most of these identity providers should give... enough to shoot a notification email and know the name of the person.

In the end though, who knows... working on something now, I may comply as much as possible just to be nice. Exported data will only have hashed IDs of "friend" accounts, with everything else effectively public.

I generally try to do the right thing in what I do always. It gets harder in a politically charged society at large.

Honest hypothetical question... my file hosting website is in New Zealand, my servers are in New Zealand. Why would I care about US laws?

Asking for a friend.

Because the US will strong-arm the NZ govt into arresting you for piracy.
I think you mean that the NZ and US have both signed on to treaties governing copyrights.
I thought that's what I said - NZ being strong-armed by the US.
Strong-armed would seem to imply something other than "uphold your end of the treaty we both signed".
Can you explain to me the point of this comment? I'm too dense.
Look up Kim Dotcom/Megaupload.