Hm, I don't know all the details of those websites, but I think it might have also something to do with the unwillingness to having to comply with foreign law.
The US Military News for example, probably won't need the tracking, as they have other intel and income sources, but they are also on the list. I suspect as a political statement.
A political statement against foreign intervention. A la, if there is a need to protect people, then we make those laws ourself. "But who is the EU to tell our companys what to do!"
But maybe note, that I am explaining the possible point of view for this side, not that I take this side. But since I got downvoted allready apparently, this was intellectually too hard for some to understand.
It's both. The legislation, while based on good intentions, isn't exactly a prime example of an easy-to-implement, consistent set of rules.
There's no excuse for larger players to not implement these rules. Many smaller players however, struggled and in some cases still struggle with this because some of the rules are rather vague (sometimes intentionally so in order to be future-proof) and hence open for interpretation.
There's the rub: While the law is clearly targeted at larger companies - to the extent some have called it Lex Facebook - it's the smaller companies and hobbyists, for whom implementing GDPR is more of a problem. I wouldn't be surprised if, in the long run, companies such as Facebook actually benefited from GDPR, at the expense of smaller competitors.
No, that's not the only requirement. At the very least there are additional record keeping steps, policies and procedures to draft, the appointment of a DPO that responds to requests for access or erasure, and the development of the features to fulfill both of those requests. Not to mention the potential risk of doing any of that wrong and dealing with the fallout if you get called on it.
One of the sites on this list is the Aiken Standard. We're talking a local newspaper serving Aiken, SC - a city of less than 30,000 people. Even if an EU citizen (or someone traveling in the EU) cared about their local news, it's simply not worth it - that's not their audience.
Wait, hold on, do you really need to do any of that if you are keeping zero data on people? I assume that kinda organization is only relevant if you are keeping data.
> At the very least there are additional record keeping steps, policies and procedures to draft, the appointment of a DPO that responds to requests for access or erasure, and the development of the features to fulfill both of those requests.
* "Record keeping steps" are not needed if you don't keep records (which is what you should do);
* "Policies and procedures" are what you should already have, of course, and GDPR didn't change that in any way;
* A DPO must be appointed only if processing the personal data of your customers is your core activity;
* Developing features to fulfill requests for access or erasure isn't necessary if you don't keep records.
A newspaper from Aiken, South Carolina doesn't need to worry about complying with GDPR in any regard what-so-ever, not under any realistic circumstance. It can safely entirely disregard it.
The Aiken Standard doesn't have to worry about GDPR just like a small town newspaper in Spain doesn't need to worry about complying with every privacy law that every US state decides to implement in the coming years (following in California's footsteps).
There is a vast misunderstanding of how jurisdiction works and how it's going to play out in the near future. The vast majority of the world will disregard GDPR and comply with their own local laws instead. Small and mid size sites from any given country are not going to attempt to comply with 407 different privacy laws from every country/city/state/region/zone/province/whatever around the world.
There is no alternative to this future. The sole, sane approach is to disregard Internet privacy laws if they do not apply to you in terms of jurisdiction. You will not be able to comply with the zillions of Internet-focused laws that are going to get created across the globe in the coming decade. GDPR should act as the training wheels for people building online sites/services/businesses to understand jurisdiction.
I don't disagree with your point that nothing is ever going to come of it. In the case of an independently-owned local newspaper the EU can "huff and puff" as much as they want and there's not going to realistically be any impact to them. A lot of these "local" papers are owned by large parent companies though, and that becomes a different story all together.
Even if you are independent and there's nothing the EU can realistically do to you, it's just one more thing you have to deal with. Figuring out WTF is going on, getting a lawyer to verify that there's nothing they can do to you, etc. etc. There are still some hard costs associated and it's going to distract you from what your company actually does for a while.
Even writing an IP address in a web server log is considered "keeping data". Most of these news sites also have some form of "create an account to get updates / comment / vote" system, which would absolutely count as "keeping data".
At the very least you still need a policy to give people telling them what data you keep and who you share it with. Even if that is nothing and no one, you need to be able to tell them that and you need someone who is responsible for handling those requests when they come in.
"Just don't keep anything" is not a sufficient answer.
> Even writing an IP address in a web server log is considered "keeping data"
No it's not. Stop spreading FUD.
If so, every part of every Internet-connected system on earth would be required to be completely redesigned to be GDPR-compliant. Demanding anything like that is not only unreasonable, it's 100% unrealistic.
The GDPR is perfectly reasonable legislation and has legroom for obvious operational requirements, like access logs.
(If you however mine the access log to derive or track users, that is another matter completely.)
If the data was obtained in violation, it follows that any processing, while not technically in violation, wouldn't be looked upon favourably.
Furthermore, although IANAL, I suspect that certain classes of processing fall under different rules, therefore the processing could potentially be in violation even if the collection wasn't.
"I was just dumping data in logs, I don't have to care about privacy concerns. Oh, and now I have all this data on my server, since it's already here I surely deserve to process it without caring about privacy concerns!"
I mean if we can derive enough information about the user from the data that is strictly necessary otherwise, then the privacy is already doomed, and all efforts to protect it with some legislation will be inevitably in contradiction just with how technology works.
Yes, it is. You need to put into your privacy policy what you log (and yes, IP addresses are personal data) and how long your retention policy is. However, it's pretty easy to argue that IP addresses in logs are required (for a reasonable time, like a week) to provide the service.
Might want to talk to a data protection officer before you go around swinging terms like FUD.
It's not a question of size, it's only needed if processing your customers' private data is your core activity, ie. if you operate an ad network that builds personal profiles of people.
There is no exemption for small and medium-sized enterprises (SMEs), which has been reaffirmed by the Information Commissioner’s Office (ICO): "I've heard plenty of people talking about there being a DPO exemption for SMEs - this is absolutely not the case." Peter Brown, Senior Technology Officer, Information Commissioner's Office (ICO)
* you are a public authority or body (except for courts acting in their judicial capacity)
* your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
* your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Imo, those are all pretty reasonable cases where you should have somebody responsible managing your data privacy. DPOs are for people managing very private data, or profiling people at very large scales. For most businesses, DPOs aren't relevant.
I'm honestly not sure about the specifics on who legally has to have a DPO, just that it's a thing and a lot of people do. There's also the weird requirement that there be some EU-resident "responsible person" if your organization is not based in the EU that I'm fuzzy on the details of.
Even if you can avoid both of those you still need a point person who answers GDPR-related requests. Whether you end up calling that person the DPO (with the legal responsibilities and consequences that comes with) or just the "GDPR Guy" (also known as Ted from Accounting...) it's still something new you have to deal with, train for, etc.
> No, that's not the only requirement. At the very least there are additional record keeping steps, policies and procedures to draft, the appointment of a DPO that responds to requests for access or erasure
That only applies if you illegally track users.
You know what a simple solution to that is? Yup: Don't illegally track users. Pure magic, I know!
Or perhaps they've been advised that because they have an email subscription, they'd need to hire a full time DPO, and their outside counsel quoted them several thousand dollars a year.
It's simple arithmetic to decide it's cheaper to block all EU visitors.
The DPO is a major imposition and simply being required to comply with the DPO parts alone is sufficient to make the EU not worthwhile for many businesses.
1. Whilst a DPO can theoretically be part time, a DPO is not allowed to have other roles in the firm that could create a "conflict of interest". This is so vague that in a company that works with data, almost any other role could be argued to create such a conflict of interest.
2. The DPO position has a list of mandatory responsibilities and even qualifications that will be accepted. For example the EU has advised DPOs need "expertise in EU data protection law". Where will foreign websites find such a person?
3. The DPO works for the firm but cannot be told how to do their job. They also cannot be fired or penalised for anything related to their job responsibilities.
In practice these rules mean it's very likely everyone will outsource the DPO role to third parties.
> they've been advised that because they have an email subscription, they'd need to hire a full time DPO, and their outside counsel quoted them several thousand dollars a year.
I think a large part of the scare that can be observed among American companies is due to legal advisers jumping on the opportunity to make big money by misleading their customers into thinking there are enormous, complicated and unlikely requirements for compliance, and huge risks to making any mistake.
There are in fact enormous, complicated and unlikely requirements for compliance and huge risks to making any mistake.
The risk to making mistakes: fines of up to 4% of your turnover, in the worst case. As many companies have margins below this, it means losing all your profit for a year or more.
As for the rest, the vastness and vagueness of the GDPR has been extensively documented elsewhere. Bear in mind the EU Commission itself was immediately found in repeated violation of the GDPR just via their own website once the law activated. Their answer was that they themselves didn't have to comply with it.
If you're running an ad network building profiles of millions of users, then yes, you need a DPO. If you're storing extremely personal medical data, then yes, you need a DPO. If you're running an email newsletter, you 100% do not.
A news website won't build a tracking system themselves, they would rather use ready-made analytics plugins. Making them selective might be a pain (I'm not a web developer, just guessing).
Even after that you need a lawyer with some technical knowledge to assess that you've done everything right. And also a lawyer that would deal with some random complaints that will still land in your message box.
Can be pretty expensive.
Instapaper is sort of the only site where it's an actual problem. I get the feeling that the rest are just running on some common platform, which have the feature of being able to block the EU after some US corporate lawyer overreacted.
Given how US techies here on HN seems to constantly overreact and loudly proclaims how the GDPR means they need to hire 20 new employees and how they all will be suited into bankruptcy anyway...
If they are now stuck in a needlessly rigid legal regime, it's hard NOT to say they brought it on themselves.
If they're doing no business in Europe, they do not need to worry about complying with GDPR at all and can freely track European users any way they see fit.
The EU has no jurisdiction over newspapers in South Carolina. It is that simple legally.
If I visit a random popular Chinese site, landing on a Chinese mainland server in the process, the US Government is not going to get to tell that Chinese site how it can legally use my data in their country. Shouting that I'm an American citizen and that they must comply with US privacy laws, will do no good: the US Government has no jurisdiction over the matter. It works exactly the same way for the US-EU-GDPR as it pertains to a newspaper from South Carolina.
Can you point to some case law that says EU data subjects consuming US based services will not protected by GDPR? Because one of the main points of the legislation is that the EU will use it to protect their data subjects in every jurisdiction. You’re probably right, but you won’t be able to direct me to a lawyer who would be willing to evaluate a business and determine its GDPR exposure for $0.
You might as well apply the same premise to US vs EU vs Chinese (vs any other country) freedom of speech laws.
It's the exact same jurisdiction premise on how rights are governed, whether we're talking about privacy or otherwise.
Just because I'm an American, that doesn't give me US freedom of speech protections when I step foot into EU countries or Brazil or China or North Korea. I'm bound by the local laws on most things, with few exceptions.
I’m asking you to prove a negative to demonstrate that no US company could adequately assess their exposure at present, and they certainly couldn’t do it for free.
You seem to not understand that one of the core principles of the GDPR is that the EU intend to enforce it in all jurisdictions. Which they can do without an armed invasion using trade treaties, and instruments such as the New York Convention. For any entity anywhere in the world that doesn’t do business in the EU, blocking the entire union is the most risk averse and cost sensitive option.
The EU has asserted it does have such jurisdiction.
The risk to local newspapers is low for now, but comes from the possibility of future agreements by the USA to cooperate with the EU on GDPR enforcement (e.g. as part of some trade deal), or their executives going to the EU for a business trip or holiday and coming under jurisdiction that way, or selling or wanting to be sold to a firm with EU presence, etc etc. Lots of ways the EU can end up with leverage over an apparently small and local firm.
It doesn't matter what the EU asserts. They do not have that jurisdiction, unless they're planning a military invasion of the US and plan to rob it of its sovereignty.
Just like the US does not have the ability to dictate to China what privacy laws look like in that country or how US citizen data is managed within that country (eg when I visit a Chinese site).
How could any this possibly be difficult to understand?
If South Dakota comes up with its own crazy privacy laws, that doesn't mean it gets to actually "assert" how EU sites must manage data for people from South Dakota. It doesn't matter how much South Dakota screams about it, that state has no power to dictate anything to the EU. You would only have to particularly worry about it, as an EU site, if you were eg hosting a server in South Dakota, or doing business there.
edit: replying to your comment below, because my replies are throttled
It is in fact how jurisdiction works today and yesterday and always. The exceptions require agreed upon, established laws between the parties that say otherwise, which you just admitted is the case by referencing FATCA as an example.
Look at FATCA. A US law that every financial institution in Europe has to comply with whether they like it or not.
The EU knows it isn't going to invade the USA. Nonetheless, it has explicitly asserted many times that everyone, globally, is expected to comply, regardless of whether they have any EU corporate presence or not. Why do you think they would do that, if they aren't intending to find ways to make it enforceable? And there are certainly many tools available to do that with that aren't military in nature.
No it doesn't. FATCA applies to foreign corporations because otherwise the US financial system will freeze them out, moreover FATCA requires recursive application of this rule, that is part of FATCA compliance involves determining if your counterparties are FATCA compliant and freezing them out. It has nothing to do with bilateral treaties.
So much this. You have a business with an online B2C component and your contract with your suppliers and/or service providers requires you to comply with the GDPR. You are in no position to comply because your primary area of business isn't the EU, sure your website is accessible but no one is realistically going to engage your services from Germany. Meanwhile the GDPR has extra territorial reach and is so broadly worded that you don't know the ways in which you will be impacted. Your legal counsel is telling you "they ain't budging, why not manage it practically, by explicitly not target the EU?"
So you block access to your goods/services/website to EU IP addresses. Your suppliers and service providers are happy, your legal counsel is happy, and your business is not impacted in any meaningful way at all.
I haven't looked at the sites on the list, which may well contain "shady" websites, but bear in mind that these are the entities who have looked at the GDPR and concluded it was somehow or other better to expressly tell visitors that they do not comply with the GDPR.
A shady business wouldn't even bother putting a notice up on their website!
That's just plain old management stupidity; it would manifest the exact same way regardless of the actual content of the regulation, as long as it's in the news.
Interesting that there are quite a few news websites in there.
GDPR is better for users overall, but due to websites not willing to reduce their user tracking practices some news sources become less available.
The page you just linked literally says that.
"One EFTA member, Switzerland, has not joined the EEA, but has a series of bilateral agreements with the EU which allow it also to participate in the internal market."
It's not in the EEA and your own wiki link shows that.
Switzerland is not under GDPR however, unfortunately many American sites assume EU = Europe. This is understandable because so many EU supporters insist on using the word "Europe" when what they actually mean is EU, in order to create this exact impression (and to confer on the EU the sense that it's as large and stable as a continent).
> When the Swiss Federal Council has engaged the Federal Department of Justice and Police to draft a revised DPA, which is expected by end of August 2016, it was the decision of the Swiss Federal Council to draft the revision in due consideration of the EU data protection regulation. The Swiss Federal Council also outlined, that it is economically important for Switzerland to be recognized as a country with an appropriate data protection level for the EU. Hence, the revised DPA is likely to be influenced by GDPR’s principles and will likely include largely analogical rules and provisions. According to the envisaged timeline, the revised DPA should be enacted around the same period as the GDPR, which is beginning of 2018.
Switzerland is for most intents and purposes in the EU, minus a delay of several years of applying the EU acquis (EU body of laws concerning countries part of the single market).
Currently a US citizen living in Spain, I hit these decently often looking up news articles that look interesting about things in the US, but stopped short by the notices about GDPR. I'd be curious if some of the newspapers eventually comply after several court cases defining some details on how it is treated-- seems disproportionately higher for newspapers; anyone know why? other than their audiences don't tend to be in Europe?
A lot of these sites are ostensibly local US news or media (e.g. WPTA - Fort Wayne, IN), and it's hard to see how they fall under the GDPR.
So either it's a political statement, or they somehow are subject to the GDPR, e.g. they are owned by a multi-national conglomerate, or sell data to them.
well, the latter is quite insidious, and something they've likely tried to keep a secret. Weirdly, this could a win for transparency by the GDPR even outside of Europe.
IP addresses are specifically considered to be personal data, so even accepting a page view from an EU citizen and writing the IP to an Apache log file could subject them to it. Same with cookies and any kind of analytics or advertising partners (which most local news sites seem oddly heavy on).
Even if they somehow figured out that they were already completely compliant (and ignoring the work involved in discovering that), there are policies and procedures you need to write to document who you share their data with and respond to requests from EU citizens about their data and the features to support answering those.
They don't want to devote resources to investigate what should they do to comply. It's a business decision. If only a fraction of their visitors come from the EU then it may not be worth it to deal with the GDPR.
no, we've literally been over this a hundred times in other threads about the GDPR. if your business is outside the EU, and you don't target EU data subjects specifically, then how are you subject to the GDPR? there's no legal basis. even the GDPR legislation acknowledges this, for example in section 23:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
it's far more likely they aren't "local" news stations, but owned by a multi-national, or selling data to multi-national corporations subject to GDPR.
You're getting downvoted despite being factually and legally correct.
You do not have to comply with GDPR if you are fully outside of the EU's jurisdiction and do no business in the EU.
Every site that gets created does not have to try to comply with every privacy law from every place on earth. At this point it's just belligerent propaganda to try to claim otherwise. It serves no good purpose to lie and pretend that every site on earth with EU visitors must comply with GDPR. That's a non-functioning future: all sites will not be able to comply with all privacy laws from all jurisdictions around the world. It's also legally unenforceable hogwash.
It goes even further however. As an EU citizen not only does GDPR not grant you any new protections in the US jurisdiction, you have very few privacy protections (none?) in the US. Sites with no business in the EU, those that aren't covered by the EU in any manner jurisdiction wise, can do nearly anything they want to with EU citizen data. Lawsuits can be filed against such sites, and they'll be promptly dismissed because the US isn't governed by EU law.
The fact that it’s a “non functioning future” is exactly why people are concerned. It’s entirely possible to regulate a set of activities out of existence if you make the cost of compliance too high. In this case the per user margins are low (FB ARPU is about $25 before expenses).
I stand corrected! Not sure why you're being down-voted for it.
Another point is that the organisation would need some kind of legal presence in the EU, otherwise it would be impossible to prosecute them even if they did violate EU law.
A website that serves people who connect from the EU can easily be argued to be "offering services to data subjects within the Union".
That paragraph really doesn't say what you think it says. But like all such EU legislation it's really so vague that people who support the EU's political aims will read something anodyne into it, and people who are more suspicious will read something more dangerous, and they can both be right depending on the whims of the commission and ECJ.
However I will note that the EU does have an established track record of making surprising and totally unintuitive judgements about laws that appear to be much clearer and more definitive than what you just cited. The wording of the law is really not as reliable as you might hope with the ECJ.
Local and regional news media like newspapers are often owned by large conglomerates that hold dozens, if not hundreds, of titles. These are likely to follow a single guideline with regards to the GDPR.
Because are those that run the most ads, which do profiling and automated decision-making (i.e.: real-time bidding). It's hard to get that GDPR compliant.
I've ran into this a few times through 'normal usage', e.g. I search for something, click the link, and get told off for being in the EU (for the time being).
What I think would also be useful (or more useful) is a list of sites that blatantly don't comply in popular ways such as requiring tracking consent ("By continuing to use …") or assuming consent, often making it hard to opt out ("You need to enable third party cookies and visit these 95 places to opt out").
Right now ICOs can't even begin to hunt down all the small offenders, but once case law builds up and we have such a list bulk processes can be set up.
A browser extension could be used to ease reporting and even detect popular noncompliant solutions.
The real goal of EDD is for websites to have landing page (assuming you navigate from search engine) that requires no cookies, and does not capture identifying/tracking information (so no asking for consent would be needed at all) before showing the article.
The consent might be asked when you navigate to next article within the website, but majority of people don't.
I'm sure you know this, as you have included a bunch of pop-ups that aren't necessary but websites do anyway. But for other people who love to hate on the GDPR, 1 and 2 are not necessarialy required by EU law either. Just don't have cookies when you don't need them and don't save data the visitor hasn't agreed to.
> But for other people who love to hate on the GDPR, 1 and 2 are not necessarialy required by EU law either. Just don't have cookies when you don't need them and don't save data the visitor hasn't agreed to.
It's this simple, and yet everyone on the internet freaks out like having a GDPR-compliant general purpose website is some massive undertaking.
I can't fathom how people got so used to endless tracking that a non-tracking site now literally seems like a impossibility to them.
So technologically the non-tracking website is very very simple.
Business wise, not so much. How do you monetize such a site? Even a simple commerce site needs to keep tracking of users, and to do any kind of marketing you need explicit user consent.
Exactly. I've been running a few webshops where cookies were used only to keep the session/cart state. It never occurred to me I should irritate my users with cookie/GDPR notices. To quote the famous cookie law [1], the cookies exempt from consent were:
* user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
* authentication cookies, to identify the user once he has logged in, for the duration of a session
* user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
* multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
* load‑balancing cookies, for the duration of session
* user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
* third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
This means you could freely use cookies for normal operation. It's only when you start tracking people you needed to ask their consent.
"You don't have to obey this law if you really need to violate it" is a common tactic in EU lawmaking and it's about as helpful as unlimited vacation policies are.
Nobody knows how EU DPRs will define "need" and therefore, to be safe, you just always show the warning. The cost of the warning is low. The cost of being found in violation is high.
Avoiding this sort of outcome is basic stuff, law-making 101, but the EU's output of low quality rule-by-law not rule-of-law regulations makes it seem like they either don't know or don't care.
> "You don't have to obey this law if you really need to violate it" is a common tactic in EU lawmaking and it's about as helpful as unlimited vacation policies are.
That isn't the claim. The claim is that a bunch of cookies are specifically exempt from the law and the law tells you that you don't need to put up cookie banner click-throughs. And also that everyone ignores that, and puts up the banner click-throughs anyway and then moans about EU law.
The proliferation of popups and overlays is the modern scourge of the Web, especially on the desktop. It makes life very hard for those browsing in anonymous mode by default.
We need a combined Decrap extension that kills all this crap and presents a clean browsing experience on a fresh browser.
While the “Accept” button is the only big blue button in the pop-up and the opt-out options are hidden after 2 clicks away on an arbitrary link hidden in the text. Of course, there is no “deselect all” personalized advertising vendors. One by one. Every time! I am thinking they should have made opt-in mandatory, but websites would have found a way. Greed always finds a way.
> 1. A pop-up notifying the visitor on the website's cookie policy.
With a UI that deliberately makes it very cumbersome to opt out and very easy to opt-in with no obvious way (aside from clearing all browser cookies) to later change your mind...
> (required by EU law)
Contrary to what the sites imply, the pop-up is not required by law (I'm guessing you, sshine, are well aware of this, but the general public aren't). It could easily be an in-page (rather than over-page) or interstitial page politely requesting that we agree to the cookies being stored on later page views.
The request to opt-in is required by the law. The pop-up is required by the site's desire to make it inconvenient for you not to.
> (required by EU law)
While we are on the subject of the law: the way many sites implement the consent walls is not compliant anyway. A common issue is storing data in tracking cookies until opt-out rather than not storing it until opt-in. The other common flaw is one is mis-classification of stored content: should that cookie for doubleclick.net really be classed as "essential for site operation"?!
When I see that I simply open the website in private browsing (in Firefox at least no cookies are shared between public/private), consent to all tracking, read what I want and close the window.
That doesn't help if the implementation is bad (as many are) and drops tracking cookies until out-out - your main session still get the tracking nuggets.
> in Firefox at least no cookies are shared between public/private
That is also the case for incognito/private/what-ever-they-brand-it mode in Chrom{e|ium}, IE, Edge, and I assume (though I haven't tested this myself at all) Safari and others too.
Though there are some clues that can leak from normal to private due to known bugs & edge cases in the browsers and common add-ons (like flash), search for "evercookie" to find some references about that, and there are other ways to fingerprint or track you which might be less reliable but still apparently work well enough for people to use them.
One major annoyance is that one of my Firefox extension, either the ad blocker or the "I don't care about cookies" finds and remove the GDPR javascript pop up from CookieBot (which is GDPR compliance as a service for people who don't know what they're doing").
Because I can't see the CookieBot pop up anymore I can't dismiss, but it prevents scrolling from working on a large number of websites.... All news websites interestingly enough.
I'm not familiar with CookieBot, but from the sound of your post alone, it sounds like what's blocking you is a DIV element that is expecting a JS script to remove it once the person clicks the button? If so, the DIV element should be the same for all sites that use CookieBot (I'd assume. JS libraries usually dictate what your DIV should be called), so you should just be able to block that DIV ID in your content-filter-of-choice?
> 1. A pop-up notifying the visitor on the website's cookie policy (required by EU law). 2. A pop-up asking the visitor to consent to its privacy policy (required by EU law).
That is both not required. Just don't collect PII and all is good. Apple for instance manages to run a website that does not involve any stupid cookie warnings.
> 1. A pop-up notifying the visitor on the website's cookie policy (required by EU law).
> 2. A pop-up asking the visitor to consent to its privacy policy (required by EU law).
You never need both. GDPR superceded the "Cookie Law", so the cookie policy pop-up is no longer needed. You may not even need the explicit consent popup.
You do need user consent for storing user personal data, if you gather, store, and process personal data. Even then, you only need explicit consent if none of the other implicit authorizations apply: https://gdpr-info.eu/art-6-gdpr/
I have a solution for this. I don't visit such websites. They want to harvest my data, I won't give them my data. Either comply with GDPR or lose a visitor. Simples.
I can't figure out what i think about it. Most of those are of no use to me anyways as a European citizen.
However were i interested in US local news i'd be sad not to be able to access them.
From the websites point of view, i guess there's not enough money to be made from people located in the European union. They are certainly not targeting a global audience. In the end, they are free to choose.
The GDPR stuff has opened my eyes to just how widespread data tracking and sharing has been.
I went to a small local news site to read a story, I think it was for "Wales Online" and got presented with the options box. After clicking through to look at their advertising 'partners' my data could be sent to, I found a list of probably 200 different entities.
Presumably, for being a local news thing, this means that they have used some sort of advertising and analytics framework that plugs into some middleware system and from there passes out what it knows to these other places. I can't imagine each one is individually in the codebase.
What it exposed was the massive extent of what's going on. To access just a few hundred words of text, my details and activity would be passed on to an unbelievable array of companies. I'm very glad the GDPR has come in.
The majority of these websites appear to be US based local news outlets. They have very little motivation to comply with GDPR.
As a side note, a lot of the comments here suggest that few people are reviewing the list at all before offering their opinion. Yes GDPR is a great step forward for data privacy, but there is little reason to shame "The Pueblo Chieftain" for not complying with GDPR. What is more likely:
1) compliance doesn't matter to them or their audience
2) they are trying to exploit and monetize your data
They don't need to comply with GDPR. They're not doing business in the EU; they're not based in the EU; they're not targetting EU citizens. They're exempt from the regulations.
> but there is little reason to shame "The Pueblo Chieftain" for not complying with GDPR.
People are complaining about the corrupt business model of massive misuse of personal data.
The number I am more interested in is how many websites don't comply with the GDPR but don't block EU residents from viewing. One website I use basically said "We're too small matter, nobody will care if we don't comply" and I imagine there are many other websites like that.
I haven't exactly done a scientific survey here, but what is interesting is to
click the links and see what response comes back (I'm in the UK, still part of the EU). Here are some of them:
* Sorry, this content is not available in your region.
* The precondition on the request for the URL / evaluated to false.
* Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. "
* 451: Unavailable due to legal reasons
* Error code 16. This request was blocked by the security rules
* Apologies! The site you are trying to visit is not available in your area. Please note, to comply with GDPR we have purged our newsletter lists and databases for anyone located within the European Union. Thank you for your interest.
* 403 ERROR The request could not be satisfied.
* We're sorry you’re not able to access the site at this time, but this is a temporary measure to ensure we can best protect your data under new privacy regulations. We value your support; thanks for your patience and we can't wait to have you back!
I find it interesting that some present the problem as a technical problem whereas others explicitly mention a region problem or even GDPR
I also found a couple of places where the sites are in fact accessible, e.g. instapaper.com
The vast majority of the sites seem to be US local news sites, so perhaps to them providing access for EU citizens isn't really a key goal
> The vast majority of the sites seem to be US local news sites
That's even more weird since they are explicitly not covered by GDPR, because their target audience is obviously not based in the EU (and they most probably don't do any business in the EU either, so are completely out of reach as well).
It seems to me like they are the very websites for which this exemption was intended.
> It seems to me like they are the very websites for which this exemption was intended.
That doesn't help much when every US arm-chair lawyer (like the techies here on HN) spends all their time causing paranoia and telling everyone how even access logs are illegal now under GDPR, and how they will be brought into bankruptcy by the EU.
Ofcourse the business-people are going to panic when all they hear are their techies are telling them that EU is going to shut them down.
Whatever crappy legal regime these US techies will be stuck with in the future, one thing is certain: they brought it onto themselves.
I think you're confused about what GDPR requires from companies.
The whole thing is simply about not collecting data you're not supposed to need in order to provide the service, and whatever you do it must be opt-in.
The only reason why a company needs to block a whole continent is that they've based their whole infrastructure on exploiting the user's data to such a level that they cannot provide their service without collecting and retain data they're not supposed to collect.
As for "a lot of resources", Instagram and the L.A. Times should have enough resources to become compliant.
159 comments
[ 2.9 ms ] story [ 214 ms ] threadFixed that for you.
The US Military News for example, probably won't need the tracking, as they have other intel and income sources, but they are also on the list. I suspect as a political statement.
But maybe note, that I am explaining the possible point of view for this side, not that I take this side. But since I got downvoted allready apparently, this was intellectually too hard for some to understand.
There's no excuse for larger players to not implement these rules. Many smaller players however, struggled and in some cases still struggle with this because some of the rules are rather vague (sometimes intentionally so in order to be future-proof) and hence open for interpretation.
There's the rub: While the law is clearly targeted at larger companies - to the extent some have called it Lex Facebook - it's the smaller companies and hobbyists, for whom implementing GDPR is more of a problem. I wouldn't be surprised if, in the long run, companies such as Facebook actually benefited from GDPR, at the expense of smaller competitors.
That is basically the end effect of any regulation: life gets harder for small players and newcomers.
I would offer the opinion that anti-monopoly regulation is a counterpoint to this.
https://news.ycombinator.com/item?id=17099878
One of the sites on this list is the Aiken Standard. We're talking a local newspaper serving Aiken, SC - a city of less than 30,000 people. Even if an EU citizen (or someone traveling in the EU) cared about their local news, it's simply not worth it - that's not their audience.
> At the very least there are additional record keeping steps, policies and procedures to draft, the appointment of a DPO that responds to requests for access or erasure, and the development of the features to fulfill both of those requests.
* "Record keeping steps" are not needed if you don't keep records (which is what you should do);
* "Policies and procedures" are what you should already have, of course, and GDPR didn't change that in any way;
* A DPO must be appointed only if processing the personal data of your customers is your core activity;
* Developing features to fulfill requests for access or erasure isn't necessary if you don't keep records.
The Aiken Standard doesn't have to worry about GDPR just like a small town newspaper in Spain doesn't need to worry about complying with every privacy law that every US state decides to implement in the coming years (following in California's footsteps).
There is a vast misunderstanding of how jurisdiction works and how it's going to play out in the near future. The vast majority of the world will disregard GDPR and comply with their own local laws instead. Small and mid size sites from any given country are not going to attempt to comply with 407 different privacy laws from every country/city/state/region/zone/province/whatever around the world.
There is no alternative to this future. The sole, sane approach is to disregard Internet privacy laws if they do not apply to you in terms of jurisdiction. You will not be able to comply with the zillions of Internet-focused laws that are going to get created across the globe in the coming decade. GDPR should act as the training wheels for people building online sites/services/businesses to understand jurisdiction.
Even if you are independent and there's nothing the EU can realistically do to you, it's just one more thing you have to deal with. Figuring out WTF is going on, getting a lawyer to verify that there's nothing they can do to you, etc. etc. There are still some hard costs associated and it's going to distract you from what your company actually does for a while.
At the very least you still need a policy to give people telling them what data you keep and who you share it with. Even if that is nothing and no one, you need to be able to tell them that and you need someone who is responsible for handling those requests when they come in.
"Just don't keep anything" is not a sufficient answer.
No it's not. Stop spreading FUD.
If so, every part of every Internet-connected system on earth would be required to be completely redesigned to be GDPR-compliant. Demanding anything like that is not only unreasonable, it's 100% unrealistic.
The GDPR is perfectly reasonable legislation and has legroom for obvious operational requirements, like access logs.
(If you however mine the access log to derive or track users, that is another matter completely.)
So under GDPR you're not allowed to process data you've already got? I wouldn't call this reasonable legislation.
Furthermore, although IANAL, I suspect that certain classes of processing fall under different rules, therefore the processing could potentially be in violation even if the collection wasn't.
"I was just dumping data in logs, I don't have to care about privacy concerns. Oh, and now I have all this data on my server, since it's already here I surely deserve to process it without caring about privacy concerns!"
Might want to talk to a data protection officer before you go around swinging terms like FUD.
https://www.itgovernance.co.uk/data-protection-officer-dpo-u...
There is no exemption for small and medium-sized enterprises (SMEs), which has been reaffirmed by the Information Commissioner’s Office (ICO): "I've heard plenty of people talking about there being a DPO exemption for SMEs - this is absolutely not the case." Peter Brown, Senior Technology Officer, Information Commissioner's Office (ICO)
You need a DPO if:
* you are a public authority or body (except for courts acting in their judicial capacity)
* your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
* your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Imo, those are all pretty reasonable cases where you should have somebody responsible managing your data privacy. DPOs are for people managing very private data, or profiling people at very large scales. For most businesses, DPOs aren't relevant.
Even if you can avoid both of those you still need a point person who answers GDPR-related requests. Whether you end up calling that person the DPO (with the legal responsibilities and consequences that comes with) or just the "GDPR Guy" (also known as Ted from Accounting...) it's still something new you have to deal with, train for, etc.
That only applies if you illegally track users.
You know what a simple solution to that is? Yup: Don't illegally track users. Pure magic, I know!
It's simple arithmetic to decide it's cheaper to block all EU visitors.
They don't. They need to designate someone as the DPO, it doesn't have to be full time.
The DPO is a major imposition and simply being required to comply with the DPO parts alone is sufficient to make the EU not worthwhile for many businesses.
1. Whilst a DPO can theoretically be part time, a DPO is not allowed to have other roles in the firm that could create a "conflict of interest". This is so vague that in a company that works with data, almost any other role could be argued to create such a conflict of interest.
2. The DPO position has a list of mandatory responsibilities and even qualifications that will be accepted. For example the EU has advised DPOs need "expertise in EU data protection law". Where will foreign websites find such a person?
3. The DPO works for the firm but cannot be told how to do their job. They also cannot be fired or penalised for anything related to their job responsibilities.
In practice these rules mean it's very likely everyone will outsource the DPO role to third parties.
I think a large part of the scare that can be observed among American companies is due to legal advisers jumping on the opportunity to make big money by misleading their customers into thinking there are enormous, complicated and unlikely requirements for compliance, and huge risks to making any mistake.
The risk to making mistakes: fines of up to 4% of your turnover, in the worst case. As many companies have margins below this, it means losing all your profit for a year or more.
As for the rest, the vastness and vagueness of the GDPR has been extensively documented elsewhere. Bear in mind the EU Commission itself was immediately found in repeated violation of the GDPR just via their own website once the law activated. Their answer was that they themselves didn't have to comply with it.
* you are a public authority or body (except for courts acting in their judicial capacity)
* your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
* your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
That's from https://ico.org.uk/for-organisations/guide-to-the-general-da..., which is a pretty good summary generally, from the UK Information Commissioner's Office.
If you're running an ad network building profiles of millions of users, then yes, you need a DPO. If you're storing extremely personal medical data, then yes, you need a DPO. If you're running an email newsletter, you 100% do not.
Given how US techies here on HN seems to constantly overreact and loudly proclaims how the GDPR means they need to hire 20 new employees and how they all will be suited into bankruptcy anyway...
If they are now stuck in a needlessly rigid legal regime, it's hard NOT to say they brought it on themselves.
The EU has no jurisdiction over newspapers in South Carolina. It is that simple legally.
If I visit a random popular Chinese site, landing on a Chinese mainland server in the process, the US Government is not going to get to tell that Chinese site how it can legally use my data in their country. Shouting that I'm an American citizen and that they must comply with US privacy laws, will do no good: the US Government has no jurisdiction over the matter. It works exactly the same way for the US-EU-GDPR as it pertains to a newspaper from South Carolina.
You might as well apply the same premise to US vs EU vs Chinese (vs any other country) freedom of speech laws.
It's the exact same jurisdiction premise on how rights are governed, whether we're talking about privacy or otherwise.
Just because I'm an American, that doesn't give me US freedom of speech protections when I step foot into EU countries or Brazil or China or North Korea. I'm bound by the local laws on most things, with few exceptions.
You seem to not understand that one of the core principles of the GDPR is that the EU intend to enforce it in all jurisdictions. Which they can do without an armed invasion using trade treaties, and instruments such as the New York Convention. For any entity anywhere in the world that doesn’t do business in the EU, blocking the entire union is the most risk averse and cost sensitive option.
The risk to local newspapers is low for now, but comes from the possibility of future agreements by the USA to cooperate with the EU on GDPR enforcement (e.g. as part of some trade deal), or their executives going to the EU for a business trip or holiday and coming under jurisdiction that way, or selling or wanting to be sold to a firm with EU presence, etc etc. Lots of ways the EU can end up with leverage over an apparently small and local firm.
Just like the US does not have the ability to dictate to China what privacy laws look like in that country or how US citizen data is managed within that country (eg when I visit a Chinese site).
How could any this possibly be difficult to understand?
If South Dakota comes up with its own crazy privacy laws, that doesn't mean it gets to actually "assert" how EU sites must manage data for people from South Dakota. It doesn't matter how much South Dakota screams about it, that state has no power to dictate anything to the EU. You would only have to particularly worry about it, as an EU site, if you were eg hosting a server in South Dakota, or doing business there.
edit: replying to your comment below, because my replies are throttled
It is in fact how jurisdiction works today and yesterday and always. The exceptions require agreed upon, established laws between the parties that say otherwise, which you just admitted is the case by referencing FATCA as an example.
Look at FATCA. A US law that every financial institution in Europe has to comply with whether they like it or not.
The EU knows it isn't going to invade the USA. Nonetheless, it has explicitly asserted many times that everyone, globally, is expected to comply, regardless of whether they have any EU corporate presence or not. Why do you think they would do that, if they aren't intending to find ways to make it enforceable? And there are certainly many tools available to do that with that aren't military in nature.
So you block access to your goods/services/website to EU IP addresses. Your suppliers and service providers are happy, your legal counsel is happy, and your business is not impacted in any meaningful way at all.
I haven't looked at the sites on the list, which may well contain "shady" websites, but bear in mind that these are the entities who have looked at the GDPR and concluded it was somehow or other better to expressly tell visitors that they do not comply with the GDPR.
A shady business wouldn't even bother putting a notice up on their website!
What I find interesting is that they took the time to raise a location based 405, so they seem at least aware of it !
The page you just linked literally says that. "One EFTA member, Switzerland, has not joined the EEA, but has a series of bilateral agreements with the EU which allow it also to participate in the internal market."
Switzerland is not under GDPR however, unfortunately many American sites assume EU = Europe. This is understandable because so many EU supporters insist on using the word "Europe" when what they actually mean is EU, in order to create this exact impression (and to confer on the EU the sense that it's as large and stable as a continent).
https://en.wikipedia.org/wiki/European_Free_Trade_Associatio...
> They adopt almost all EU legislation related to the single market, except laws on agriculture and fisheries.
https://blog.kpmg.ch/eu-data-protection-regulation-also-conc...
> When the Swiss Federal Council has engaged the Federal Department of Justice and Police to draft a revised DPA, which is expected by end of August 2016, it was the decision of the Swiss Federal Council to draft the revision in due consideration of the EU data protection regulation. The Swiss Federal Council also outlined, that it is economically important for Switzerland to be recognized as a country with an appropriate data protection level for the EU. Hence, the revised DPA is likely to be influenced by GDPR’s principles and will likely include largely analogical rules and provisions. According to the envisaged timeline, the revised DPA should be enacted around the same period as the GDPR, which is beginning of 2018.
Switzerland is for most intents and purposes in the EU, minus a delay of several years of applying the EU acquis (EU body of laws concerning countries part of the single market).
So either it's a political statement, or they somehow are subject to the GDPR, e.g. they are owned by a multi-national conglomerate, or sell data to them.
Even if they somehow figured out that they were already completely compliant (and ignoring the work involved in discovering that), there are policies and procedures you need to write to document who you share their data with and respond to requests from EU citizens about their data and the features to support answering those.
Again. Knee jerk internet reactions divorced from reality.
Access logs are not illegal under the GDPR. Stop spreading FUD.
You better inform yourself before making incorrect assertions
But it does get tiring, really
If only a fraction of their users come from the EU they don't need to deal with GDPR, they're exempt from it.
Edit: this is incorrect, see comment by guitarbill below.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
it's far more likely they aren't "local" news stations, but owned by a multi-national, or selling data to multi-national corporations subject to GDPR.
You do not have to comply with GDPR if you are fully outside of the EU's jurisdiction and do no business in the EU.
Every site that gets created does not have to try to comply with every privacy law from every place on earth. At this point it's just belligerent propaganda to try to claim otherwise. It serves no good purpose to lie and pretend that every site on earth with EU visitors must comply with GDPR. That's a non-functioning future: all sites will not be able to comply with all privacy laws from all jurisdictions around the world. It's also legally unenforceable hogwash.
It goes even further however. As an EU citizen not only does GDPR not grant you any new protections in the US jurisdiction, you have very few privacy protections (none?) in the US. Sites with no business in the EU, those that aren't covered by the EU in any manner jurisdiction wise, can do nearly anything they want to with EU citizen data. Lawsuits can be filed against such sites, and they'll be promptly dismissed because the US isn't governed by EU law.
Another point is that the organisation would need some kind of legal presence in the EU, otherwise it would be impossible to prosecute them even if they did violate EU law.
That paragraph really doesn't say what you think it says. But like all such EU legislation it's really so vague that people who support the EU's political aims will read something anodyne into it, and people who are more suspicious will read something more dangerous, and they can both be right depending on the whims of the commission and ECJ.
However I will note that the EU does have an established track record of making surprising and totally unintuitive judgements about laws that appear to be much clearer and more definitive than what you just cited. The wording of the law is really not as reliable as you might hope with the ECJ.
'Food Network' is one I've hit a few times searching for recipes; it seems several other domains are under its umbrella: https://www.foodnetwork.com/not-available.html
By not available what do you mean?
Right now ICOs can't even begin to hunt down all the small offenders, but once case law builds up and we have such a list bulk processes can be set up.
A browser extension could be used to ease reporting and even detect popular noncompliant solutions.
1. A pop-up notifying the visitor on the website's cookie policy (required by EU law).
2. A pop-up asking the visitor to consent to its privacy policy (required by EU law).
3. A pop-up asking the visitor if they'd like to subscribe to its newsletter.
4. A pop-up telling the visitor that it's run out of "free articles", but that you can sign up at a premium.
5. A pop-up asking the visitor to turn off the adblocker because the site's revenue depends on the ads.
6. A pop-up asking the visitor to participate in an online survey.
7. A pop-up telling the visitor about a unique way to earn money in your underwear.
None of the pop-ups will share UI for closing them, and some of the close buttons will be so hard to press that you accidentally change site instead.
(Clarification: It doesn't have to be a pop-up, but it does have to be annoying.)
The consent might be asked when you navigate to next article within the website, but majority of people don't.
It's this simple, and yet everyone on the internet freaks out like having a GDPR-compliant general purpose website is some massive undertaking.
I can't fathom how people got so used to endless tracking that a non-tracking site now literally seems like a impossibility to them.
All in all, it's pretty sad.
Business wise, not so much. How do you monetize such a site? Even a simple commerce site needs to keep tracking of users, and to do any kind of marketing you need explicit user consent.
Functional cookies like this are exempt from GDPR's opt-in requirement
* user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
* authentication cookies, to identify the user once he has logged in, for the duration of a session
* user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
* multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
* load‑balancing cookies, for the duration of session
* user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
* third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
This means you could freely use cookies for normal operation. It's only when you start tracking people you needed to ask their consent.
[1] http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
Nobody knows how EU DPRs will define "need" and therefore, to be safe, you just always show the warning. The cost of the warning is low. The cost of being found in violation is high.
Avoiding this sort of outcome is basic stuff, law-making 101, but the EU's output of low quality rule-by-law not rule-of-law regulations makes it seem like they either don't know or don't care.
That isn't the claim. The claim is that a bunch of cookies are specifically exempt from the law and the law tells you that you don't need to put up cookie banner click-throughs. And also that everyone ignores that, and puts up the banner click-throughs anyway and then moans about EU law.
https://github.com/ryanbr/fanboy-adblock/blob/master/fanboy-...
We need a combined Decrap extension that kills all this crap and presents a clean browsing experience on a fresh browser.
With a UI that deliberately makes it very cumbersome to opt out and very easy to opt-in with no obvious way (aside from clearing all browser cookies) to later change your mind...
> (required by EU law)
Contrary to what the sites imply, the pop-up is not required by law (I'm guessing you, sshine, are well aware of this, but the general public aren't). It could easily be an in-page (rather than over-page) or interstitial page politely requesting that we agree to the cookies being stored on later page views.
The request to opt-in is required by the law. The pop-up is required by the site's desire to make it inconvenient for you not to.
> (required by EU law)
While we are on the subject of the law: the way many sites implement the consent walls is not compliant anyway. A common issue is storing data in tracking cookies until opt-out rather than not storing it until opt-in. The other common flaw is one is mis-classification of stored content: should that cookie for doubleclick.net really be classed as "essential for site operation"?!
> in Firefox at least no cookies are shared between public/private
That is also the case for incognito/private/what-ever-they-brand-it mode in Chrom{e|ium}, IE, Edge, and I assume (though I haven't tested this myself at all) Safari and others too.
Though there are some clues that can leak from normal to private due to known bugs & edge cases in the browsers and common add-ons (like flash), search for "evercookie" to find some references about that, and there are other ways to fingerprint or track you which might be less reliable but still apparently work well enough for people to use them.
Because I can't see the CookieBot pop up anymore I can't dismiss, but it prevents scrolling from working on a large number of websites.... All news websites interestingly enough.
That is both not required. Just don't collect PII and all is good. Apple for instance manages to run a website that does not involve any stupid cookie warnings.
> 2. A pop-up asking the visitor to consent to its privacy policy (required by EU law).
You never need both. GDPR superceded the "Cookie Law", so the cookie policy pop-up is no longer needed. You may not even need the explicit consent popup.
You do need user consent for storing user personal data, if you gather, store, and process personal data. Even then, you only need explicit consent if none of the other implicit authorizations apply: https://gdpr-info.eu/art-6-gdpr/
Not always required by EU law, but always always blamed on EU law.
> 2. A pop-up asking the visitor to consent to its privacy policy (required by EU law).
Not always required by EU, but always always blamed on EU law.
However were i interested in US local news i'd be sad not to be able to access them.
From the websites point of view, i guess there's not enough money to be made from people located in the European union. They are certainly not targeting a global audience. In the end, they are free to choose.
I went to a small local news site to read a story, I think it was for "Wales Online" and got presented with the options box. After clicking through to look at their advertising 'partners' my data could be sent to, I found a list of probably 200 different entities.
Presumably, for being a local news thing, this means that they have used some sort of advertising and analytics framework that plugs into some middleware system and from there passes out what it knows to these other places. I can't imagine each one is individually in the codebase.
What it exposed was the massive extent of what's going on. To access just a few hundred words of text, my details and activity would be passed on to an unbelievable array of companies. I'm very glad the GDPR has come in.
As a side note, a lot of the comments here suggest that few people are reviewing the list at all before offering their opinion. Yes GDPR is a great step forward for data privacy, but there is little reason to shame "The Pueblo Chieftain" for not complying with GDPR. What is more likely:
1) compliance doesn't matter to them or their audience 2) they are trying to exploit and monetize your data
> but there is little reason to shame "The Pueblo Chieftain" for not complying with GDPR.
People are complaining about the corrupt business model of massive misuse of personal data.
The may have a parent company that does have an EU presence making the parent company liable in the event of a violation.
* Sorry, this content is not available in your region.
* The precondition on the request for the URL / evaluated to false.
* Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. "
* 451: Unavailable due to legal reasons
* Error code 16. This request was blocked by the security rules
* Apologies! The site you are trying to visit is not available in your area. Please note, to comply with GDPR we have purged our newsletter lists and databases for anyone located within the European Union. Thank you for your interest.
* 403 ERROR The request could not be satisfied.
* We're sorry you’re not able to access the site at this time, but this is a temporary measure to ensure we can best protect your data under new privacy regulations. We value your support; thanks for your patience and we can't wait to have you back!
I find it interesting that some present the problem as a technical problem whereas others explicitly mention a region problem or even GDPR
I also found a couple of places where the sites are in fact accessible, e.g. instapaper.com
The vast majority of the sites seem to be US local news sites, so perhaps to them providing access for EU citizens isn't really a key goal
That's even more weird since they are explicitly not covered by GDPR, because their target audience is obviously not based in the EU (and they most probably don't do any business in the EU either, so are completely out of reach as well).
It seems to me like they are the very websites for which this exemption was intended.
That doesn't help much when every US arm-chair lawyer (like the techies here on HN) spends all their time causing paranoia and telling everyone how even access logs are illegal now under GDPR, and how they will be brought into bankruptcy by the EU.
Ofcourse the business-people are going to panic when all they hear are their techies are telling them that EU is going to shut them down.
Whatever crappy legal regime these US techies will be stuck with in the future, one thing is certain: they brought it onto themselves.
That was mine!
https://en.wikipedia.org/wiki/HTTP_451
I have made a few sites GDPR-compliant, and honestly unless your business practices are based on exploiting people's data, it's not that hard.
It often comes down to advertising. No one (and I include Google and others in this) has properly figured out GDPR compliant advertising IMHO.
The effort of disabling ads for EU visitors is higher than just blocking EU visitors if you don't have a lot of resources.
The whole thing is simply about not collecting data you're not supposed to need in order to provide the service, and whatever you do it must be opt-in.
The only reason why a company needs to block a whole continent is that they've based their whole infrastructure on exploiting the user's data to such a level that they cannot provide their service without collecting and retain data they're not supposed to collect.
As for "a lot of resources", Instagram and the L.A. Times should have enough resources to become compliant.