Some will say "I told you so, they still do not get fined harshly enough to make any difference" while others will say "this is just unfair money grabbing governments" and while everyone argues back and forth with the same arguments as the last ten discussions I sit here on the sidelines, a normal internet user, who by the simple mentioning of GDPR have gotten big companies, like Epic, and powerful people, like a CEO of a pretty big company, to actually do something where they before would totally have ignored me. GDPR is not perfect at all but it does do a heck of a difference already.
It still basically does not differentiate between Epic Games and me. And I can’t handle the fines. The chilling effect this will have on people is being downplayed pretty harshly by people who are basically suggesting you should just pray that you don’t get put into massive debt because you made a mistake on a side project.
For that reason, GDPR will always draw some ire from me.
So basically, you’re in the “No, it’s fine — this will only ever get used against bad guys!” camp. We had 9/11 here in America and the BS that followed and I don’t humor this line of thinking. (Nor humour.)
I’m not claiming something happened — do you understand how chilling effects work? The threat of potentially massive fines with very little legal bounds for not following regulations that individuals basically can’t follow means that people who want to follow the rules but aren’t big enough don’t play anymore.
I can get fined between 0 and €20 million at any moment because I am an individual and have no means to fully understand GDPR nor hire a DPO for my stupid personal websites. I make no money in ads or otherwise, but I am still treated like Epic Games if I collect sign up emails or logs. I only still run this stuff now because I’ve been running it for over a decade. I can tell you right now I am hesitant to run websites anymore.
If you don’t understand how “ambiguous threat of a fine” isn’t calmed by “it hasn’t happened yet,” I can’t help you. What if my site was politically controversial? Should I trust all EU governments to act responsibly and not take advantage of their power ever?
If there is a real danger that EU gouvernments start abusing their power like that, why is it only Americans that are afraid of it? Not EU citizens, who actually are familiar with how their states behave?
Clearly, nobody is afraid by it: I am getting buried insanely any time I criticize GDPR in any way. It is a thing you are not allowed to critique on HN.
So I wouldn’t say americans are particularly more bothered by it. But why shouldn’t we be? I have no representation in EU law.
> Clearly, nobody is afraid by it: I am getting buried insanely any time I criticize GDPR in any way. It is a thing you are not allowed to critique on HN.
Not if your criticisms are entirely unfounded and bordering on paranoia, no.
> But why shouldn't we be? I have no representation in EU law.
What? Do you think only EU citizens have rights in the EU?
> Not if your criticisms are entirely unfounded and bordering on paranoia, no.
I am not a lawyer and I do not have access to a lawyer. I can't afford it. Therefore, I have to assume that I simply do not have the expertise to understand GDPR fully. And unlike most laws, it is not a matter of "do things right and nothing will happen", and it has very vicious teeth on top of that.
So from my PoV, the risk profile of GDPR is HUGE. If I'm running some pre-existing software stack written in the early 2000s, it simply doesn't have the necessary data provenance tracking that is needed to be GDPR compliant.
For what it's worth, I make no money from things I run, not even on ads. Zilch. However, I've spent at least hours processing GDPR requests, and I have absolutely no idea if they are being done correctly, because I'm not a lawyer, and I do not have access to a lawyer.
> What? Do you think only EU citizens have rights in the EU?
I'm talking about representation in the sense of a democracy. I am part of the system in the U.S. - I can vote. I have no representation when it comes to laws made in the EU. The reverse applies too, but as far as I know there's nothing quite as scary as GDPR from the U.S. side.
I live in the US. I care not one iota about their cookie law and I'm not going to nag my visitors about cookies. Of course the site uses cookies. That's how you retain your settings from session to session.
At the same time, I'll happily give you any data I have about you. I don't really collect anything. Your IP address gets logged and you give me an email address if you want to get a newsletter (on most sites of mine). I'll even happily delete your data, such as it is.
I'm in the camp that says if I have your data I have to secure it. So, I'd rather not really collect more than I need. I don't even need to know your real name and you're more than welcome to use a fake email address for many things.
But, no... No, I'm not going to nag my viewers with a cookie notice. I don't care if they come from the EU. I don't like the nag and I'm not going to nag you.
I'm an EU citizen and GDPR is one of the reasons why I'm hesitant to run a website. I don't see how you could look at the risk from GDPR and find it reasonable to run it as an individual. An individual is liable for any fines with everything they own. Companies usually cost something to run, even if they only exist to hold something.
I don't understand. You can contest your fine if it is really too big, but honestly, at my last job we had one client project that got "caught". The CNIL (GDPR watchdog for France) was really helpfull, gave them 6 month to get into shape and proposed them a plan on what to do with the data to meet their goals. The kind of plan that cost a company 5-10k euros to elaborate (2 man/day of a good architect), and 10k (10 man/day of a junior db dev) to implement. So between a third and half the price to make the business legal again was basically paid by the CNIL. I think that's fair tbh.
The point of the comment is that the CNIL handled the part that the "good architect" would have needed to do, thus saving the company 5-10k. The company "only" needed to implement it, the other part was handled for them. The GP didn't mention fines, so I guess none were given out?
You're effectively saying that we don't really need limits on state power until the state has used that power. That's a pretty bold stance considering all the abuses of power modern states engage in. Why don't we just have an absolute monarch? It would make things much easier!
Can you show me one example where there was a "life-destroying" fine?
Not "a big company was fined an amount of money that would be life destroying if I had to pay it for a personal project", because revenue/economic means are a key factor in GDPR fine calculation.
A data breach alone is not a GDPR violation as far as I know. Your data is just as at risk of being exposed no matter what. As far as I can tell the intent of GDPR is to prevent companies from selling or using your data in ways that you did not consent to. However, the bookkeeping requirements quite literally break the internet that existed where one person could run a website. As it turns out, I do not have a Data Protection Officer for my wiki I started in 2008. Does that mean I am not GDPR compliant?
.... hiring an actual Data Protection Officer is only required by the GDPR if you meet one of three criteria:
* Public authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.
* Large scale, regular monitoring — The processing of personal data is the core activity of an organization who regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
* Large-scale special data categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.
This is good to know. But while I will admit my mistake, the problem points to a bigger issue, which is, as a layperson and not an expert on European law, I simply do not have the expertise necessary to understand the law and its implications. This is of course true of any website under any jurisdiction, but most laws don’t come with such absurdly vicious teeth, and therefore the risk profile is a lot different. So perhaps my example was misinformed. But that’s kind of the problem: you need to have a lawyer to really be sure of these things. I don’t have a lawyer.
I think the fines/penalty headlines are a big misunderstanding/distraction (which got me too until I had to spend the time on reading the actual law for an actual EU client). They are what happens if you continually, willfully disobey the principal of the laws AND are also proportional to you income (see https://en.wikipedia.org/wiki/Day-fine which are common in some EU countries)
If you are a small operator who messes up AND you are in the EU and you ignore strongly worded letters of warning with instructions on what you need to do to comply then you MIGHT be fined/penalized.
If you are not making money in the EU than you are seriously unlikely to even be noticed messing up.
If you miss-configured the logs on your blog or small non-EU business and kept user ids and IP addresses AND are outside the EU no one will bother you.
If a privacy conscious EU citizen contacts you to close an account they made with you or delete your data you have many weeks (90 days i think ultimately) to respond, negotiate and do your best to get it done (and provide them whatever data you may have collected on them)
If you have any of a dozen legitimate reasons to have personal data and you clearly explained this to the EU citizens you collected data from you are not going to hear from anyone. e.g. a EU company I work with has extensive logs of their employees changes and updates to data (imagine git commit messages). These are required logs for the business, an ex-employee cannot ask you delete that history under GDPR. Same for their b2b customers. The existence of these logs are made clear up front. It's a regulated requirement that they exist etc.
If you decided to sell the log data to a third party as part of some profile of the citizen and you didnt say you intended to do that then you ABSOLUTELY would hear from someone. But I would think you very much should and this is the point.
Same principles apply for California Consumer Privacy Act (CCPA) in the US.
> As it turns out, I do not have a Data Protection Officer for my wiki I started in 2008. Does that mean I am not GDPR compliant?
Do you have more than 250 employees? Are you a public authority or body? Are you performing activities that "require regular and systematic monitoring of data subjects on a large scale"? Is your core activity processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences?
No? Then no need to have a data protection officer or data protection impact assessment.
You still need to implement appropriate safety measures and efforts to follow GDPR, where "appropriate" takes the scope of your processing into account. https://gdpr-info.eu/art-24-gdpr/, need a legitimate reason for using the data, etc., but all of this is very doable, and you're probably already in compliance if you care the smallest bit about your user's privacy and follow normal best practices like rotating your logs.
IIUC (there are two directives and I'm less familiar with the other one) you don't even need a cookie dialog as long as you aren't setting any unnecessary cookies.
GDPR fines are set among other things according to the resources of the entity that broke the rules. As a private person making a side project, you won't be liable for millions.
The most recent examples of individuals being fined have been fines around €200 [0]
Getting a maximum fine not only means that your handling of personal data was especially egregious but that you probably didn't cooperate in any ways with the relevant DPA and refused to rectify the problem.
I.e the maximum fine is highly unlikely for anyone to get, and if you get it you have done some very bad things.
Yes, and what the GDPR crowd is telling me is that I should just trust the EU to always act fairly and never engage in any kind of politically motivated subterfuge.
And not only that, my concerns and dissent regarding GDPR piss people off so much, that at this point, every comment I post just gets downvoted immediately. Now I realize it’s against HN guidelines to discuss this, but when I post a comment and the delay it takes for me to return from the post page is enough for my comment to already have a downvote, I feel discouraged. It’s very clear the person who did that had no good faith intent on a discussion nor intent to even minimally read my comment. And I’m supposed to try to argue my points in good faith despite this.
The pro-GDPR crowd may be winning the mindshare but they are inheriting the cancer of something not allowed to be criticized. And if we ever do see an egregious fee driven by political motivations, am I supposed to feel smug for having predicted the possibility or sad that my mere expression that the default maximum fines are so ridiculous that they basically terrorize anyone who is not a multinational corporation turned out to be well-founded?
All I ever asked for was for people to recognize the chilling effects that this regulation can have. The internet used to have so many small websites, forums and wikis, and many of these fall under the umbrella of GDPR. And this is basically the treatment I get for trying to represent this dying breed of website: as some corporate shill worth being buried and not considered.
It’s not like I care that much about being with the mob, but it pains me that as the open internet gradually dies, people flat out just don’t care. GDPR as it is today is just represents a huge amount of risk for anyone that is not a multinational corporation, and it only gets scarier the further down you are. I’m sorry but just telling people to not worry about how the law is written will not work. Some people will ignore it, some people will try to follow it, and some people will just stop trying altogether deciding the risk simply isn’t worth it. And that latter part is most likely to occur for websites that are more objectionable, since they will likely face harsher treatment just due to cognitive biases alone, since we’re talking about considerations that humans make rather than the word of law.
No, you're supposed to hope that the legal system will apply the law fairly and correctly. The law does NOT say that they can fine you 20 million Euro. The 20 million is an upper limit on a fine, but the law also specifies how that fine is determined, which _by definition_ is "something you can afford", because that's literally one of the factors.
Maximum fine is there for large corporations. If it wasn't specified at atleast that range many of them would ignore or knowingly break the legislation. And in general checking for many crimes the upper end of penalty is pretty big. Like DUI here could mean 2 years in prison. Though that is exceedingly rare.
This[1] site seems to track actual fines. I found maybe a dozen fines of individuals. Here is the largest fine of a 'private person' I could find: https://www.enforcementtracker.com/ETid-69. If the database is at all accurate and the description of the violation is correct I would say they were well into Criminal territory and not civil fines.
[1] https://www.enforcementtracker.com
The fines are based on your revenue and the impact. So they do differentiate between Epic Games and you.
And for me as a user, it sucks if your side project leaks my credit card and SSN, because I'll be dealing with the identity theft and fraud. If you're not competent enough to keep them safe, then use a vendor that is or don't process then at all.
If it were only SSN or credit card data, this would be understandable. But I assume you’re aware GDPR is far broader than this.
And as well, GDPR, again, doesn’t guarantee the safety of your data. It just adds fines to some circumstances where your data is misused. But an honest breach doesn’t lead to fines as far as I can tell, so you just have to live with that possibility either way.
As best as I can tell, there is no legally binding texts anywhere that limits the fines. The maximums start at €20 million and go higher if you’re huge. In the mindset of “hope is not a strategy,” this maximum fine being the only legally binding limit is enough to make you go home. Maybe small companies can hope for preferential treatment, but as an individual even small fees could do serious harm.
Vatmoss was so blatantly dumb in its implementation that it makes me wonder whether the MEPs even spent 5 minutes thinking about the implications of it. How can you look at all the VAT systems and not realize that almost all of them have a minimum threshold?!
It is a bit ironic that it's probably a good idea for an EU service to not serve EU customers.
I actually made a GDPR request to my insurance company. Turns out that not only did they have documents about me before I had ever signed a contract with them, they had documents about me before I was even born.
Turns out that my parents took on some kind of a life insurance policy in an insurance company that no longer exists in the strict sense but the documents have carried on through fusions and when a couple of decades later I got car insurance, a bunch of old medical records and contracts were linked with my account.
Well, hopefully the prospect of fines if they're caught. I'm hoping that the local data authorities won't be lenient if a company is caught outright lying.
And Google for the whole Doubleclick Ad Exchange, they're sharing lots of user details with hundreds of bidders on every pageview that has ads. As well as storing all of that information in Google Cloud as part of their Ads Data Hub product. All without permission.
1. Every single web site that uses dark patterns that make not saying yes impractical. Start with the ones that required more than 3 clicks, then clarify that "the request must be clear, concise and not unnecessarily disruptive" means "equally sized, equally highlighted buttons for 'accept all' and 'reject all'".
2. Every single company that knowingly processed data based on such invalid consent.
3. Every single website and company that processed data for advertising based on "legitimate interest"
> 1. Every single web site that uses dark patterns that make not saying yes impractical. Start with the ones that required more than 3 clicks, then clarify that "the request must be clear, concise and not unnecessarily disruptive" means "equally sized, equally highlighted buttons for 'accept all' and 'reject all'".
The French ICO, CNIL, just announced that refusing should be as easy as accepting, so they agree
Yes, if the organizations are targeting consumers in the EEA (EU + a few extra countries). It's part of the reason why these companies are required to have an Article 27 EU Rep resident in the EU: to interact with regulators.
I'm surprised there is no standard for this yet. Just build it into the browser like all other privacy-related requests (location, webcam etc.) are handled. If sites don't implement it, don't accept their cookies. That way I can also manage a blanket yes/no list without getting an obtrusive popup every time.
I don't believe that you can sue under the GDPR. I've always understood it to be something that you can lodge a complaint against someone with your local authorities. No idea about the CCPA but I wouldn't be surprised if you could considering how lawsuit-happy Americans are.
> I don't believe that you can sue under the GDPR.
I don't believe that either, I just think that flags like these can only be taken seriously if all actors have maximum incentive to take these seriously.
Do Not Track didn't work because (1) it was not enforced at the browser level, (2) it had no legal backing and (3) it was not granular enough to be useful. With GDPR, CCPA etc. in place the online privacy landscape is very different, and a new standard is very much possible today. Why did every site in the world implement all the consent popups in the first place when they could have continued to do nothing?
Why? The browser has access to it at all times, and you can still ask for it anywhere. So Google (via Chrome) isn't losing anything.
In fact, everyone else (including Google via analytics) is probably get more data; make it so that in the same way the browser form fills address and phone number and things automatically based on past fills, have a standard API in the browser to handle that. Now users just have to click "okay" to share all that data, rather than enter it in.
Well seeing as a lot of sites use dark patterns to confuse users into accepting more liberal tracking, I'm not sure I would agree that this would lead to more data collected
The problem is that sites will just pretend that any such standard doesn't actually exist. All of these sites could suppress cookie popups for clients that send a do-not-track header, but choose not to.
They did. It was called Do-Not-Track and Microsoft had the bright idea to pull an iOS 14 and turn it on by default in IE. At that point the few ad companies that had supported it basically told the browser vendors to pound sand and it became entirely useless for anything but fingerprinting.
Do not track should have been on by default. But the idea that anyone would ever obey it without the legal force was always a fantasy. If 90% of people checked "do not track" do you think they would have started to follow it? Of course not. They would just have some other reason.
They should fine organizations for providing a worse experience while people choose what settings to accept
Basically I see a quick experience for accepting everything, and a degraded experience for not clicking that but getting a list of what to accept or denying all
The worst is that it punishes the most privacy conscious of us, who clear cookies on every session, and are forced to click and reclick again on the same popups. I think the law should have been enforced at the browser level, mandate browser makers to prompt for authorization and once it has been refused, to never ask again.
This what happens when people who don't know how to use the internet make laws for those who do.
I'm implying every politician involved in the decision, or at least the majority, uses a couple or sites and had to approve cookies and data handling only on a handful of sites, once in their life. I shouldn't generalize but, even as an able bodied internet user, I find it extremely cumbersome to surf.
> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
I take this to mean that you cannot rely on consent that a user has given you to process their personally identifiable information if they did it in order to access a service you wouldn't let them have access to otherwise.
But the provision of the service is not made dependent on the consent if you can alternatively pay the monthly subscription.
So I would assume, “accept all cookies or enter paid subscription” is Gdpr compliant.
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
I think having to pay a monthly subscription, or losing access to a service when you withdraw consent and don't pay a subscription should be regarded as a detriment.
I ban the domains that do these kinds of things, and forget about them forever. It's at the cost of my experience online and convenience, but freedom is never convenient.
What about having a law that makes it clear that an popup does not create informed consent, and then have companies decide to ignore that part of the law because it would be super inconvenient if they had to actually get informed consent.
Maybe EU should write a new law by copying the GDPR text that defines consent and make it bold, all in caps, and underlined.
Cookies are somewhat out of scope of the GDPR. The GDPR was designed to have a twin who should regulate somethings like Cookies, Email and Telecommunications; it is now stalled for 3 years and everyone hopes it will come out next year.
I'd be curious of a detailed analysis of the cost of GDPR to EU consumers. There are websites that shut down or no longer servicing European customers because of the concerns around GDPR.
I know that's only anecdotal and no evidence at all, but the only time I encountered a website that is not serving European users anymore was a link here on HN.
I think most users didn't even notice and for the people who do and are really bothered, there are workarounds such as VPNs
I've only anecdotally ran across half a dozen local US news sites that claim how their EU visitors are very important (clearly they're not) and also a Japanese lyrics site.
A local US news site that doesn't care about its few EU visitors obviously doesn't fall under GDPR. I wonder if one that targets them by putting up a non-compliant popup does?
>In most cases, it just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.
2) Accept our cookies and let us track you! (with a delay for choosing anything that's not accept all)
3) Surprise! There might be a paywall whether subscribed via email or not! Schrodinger's paywall
4) Oh hey! I saw you paused scrolling or moved your mouse in the general direction of the back button, check out this other thing!
5) Okay lol, here's the article. Maybe. Depending on the deal we cut with the creators of your specific browser and geographic location and how many other articles you've read this month.
and thats with adblock
Europe and California, we are counting on you to fix the internet!
It remains somewhat, ah, interesting that the biggest GDPR fine is for not being able to withstand a targeted attack by a motivated attacker. The British Airways compromise seems to have involved someone getting access to their systems (which basically just requires one employee screwing up, once) and hiding malicious code in their website so custom-tailored to them that an uninvolved outside expert in the malware family involved had trouble ientifying where it was after he knew it was there due to the news coverage. That's the kind of "gross negligence" that leads to a record fine and I don't think IT security as it currently stands is even remotely capable of preventing it.
The watchdog argued that there where security measures that could had been in place that would have prevented the breach.
I guess BA saw this the same way or they had gone to court and appealed the fine
If you're surprised there haven't been many big fines against large tech companies yet, that may be because there's a large backlog of cases that are bottlenecked by the budget of Ireland's DPA: https://www.euractiv.com/section/data-protection/news/europe...
107 comments
[ 4.8 ms ] story [ 193 ms ] threadEdit: Downvotes, really? :/
For that reason, GDPR will always draw some ire from me.
If you don’t understand how “ambiguous threat of a fine” isn’t calmed by “it hasn’t happened yet,” I can’t help you. What if my site was politically controversial? Should I trust all EU governments to act responsibly and not take advantage of their power ever?
So I wouldn’t say americans are particularly more bothered by it. But why shouldn’t we be? I have no representation in EU law.
Not if your criticisms are entirely unfounded and bordering on paranoia, no.
> But why shouldn't we be? I have no representation in EU law.
What? Do you think only EU citizens have rights in the EU?
I am not a lawyer and I do not have access to a lawyer. I can't afford it. Therefore, I have to assume that I simply do not have the expertise to understand GDPR fully. And unlike most laws, it is not a matter of "do things right and nothing will happen", and it has very vicious teeth on top of that.
So from my PoV, the risk profile of GDPR is HUGE. If I'm running some pre-existing software stack written in the early 2000s, it simply doesn't have the necessary data provenance tracking that is needed to be GDPR compliant.
For what it's worth, I make no money from things I run, not even on ads. Zilch. However, I've spent at least hours processing GDPR requests, and I have absolutely no idea if they are being done correctly, because I'm not a lawyer, and I do not have access to a lawyer.
> What? Do you think only EU citizens have rights in the EU?
I'm talking about representation in the sense of a democracy. I am part of the system in the U.S. - I can vote. I have no representation when it comes to laws made in the EU. The reverse applies too, but as far as I know there's nothing quite as scary as GDPR from the U.S. side.
At the same time, I'll happily give you any data I have about you. I don't really collect anything. Your IP address gets logged and you give me an email address if you want to get a newsletter (on most sites of mine). I'll even happily delete your data, such as it is.
I'm in the camp that says if I have your data I have to secure it. So, I'd rather not really collect more than I need. I don't even need to know your real name and you're more than welcome to use a fake email address for many things.
But, no... No, I'm not going to nag my viewers with a cookie notice. I don't care if they come from the EU. I don't like the nag and I'm not going to nag you.
By not being paranoid.
Not "a big company was fined an amount of money that would be life destroying if I had to pay it for a personal project", because revenue/economic means are a key factor in GDPR fine calculation.
.... hiring an actual Data Protection Officer is only required by the GDPR if you meet one of three criteria:
https://gdpr.eu/data-protection-officer/If you are a small operator who messes up AND you are in the EU and you ignore strongly worded letters of warning with instructions on what you need to do to comply then you MIGHT be fined/penalized.
If you are not making money in the EU than you are seriously unlikely to even be noticed messing up.
If you miss-configured the logs on your blog or small non-EU business and kept user ids and IP addresses AND are outside the EU no one will bother you.
If a privacy conscious EU citizen contacts you to close an account they made with you or delete your data you have many weeks (90 days i think ultimately) to respond, negotiate and do your best to get it done (and provide them whatever data you may have collected on them)
If you have any of a dozen legitimate reasons to have personal data and you clearly explained this to the EU citizens you collected data from you are not going to hear from anyone. e.g. a EU company I work with has extensive logs of their employees changes and updates to data (imagine git commit messages). These are required logs for the business, an ex-employee cannot ask you delete that history under GDPR. Same for their b2b customers. The existence of these logs are made clear up front. It's a regulated requirement that they exist etc.
If you decided to sell the log data to a third party as part of some profile of the citizen and you didnt say you intended to do that then you ABSOLUTELY would hear from someone. But I would think you very much should and this is the point.
Same principles apply for California Consumer Privacy Act (CCPA) in the US.
Do you have more than 250 employees? Are you a public authority or body? Are you performing activities that "require regular and systematic monitoring of data subjects on a large scale"? Is your core activity processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences?
No? Then no need to have a data protection officer or data protection impact assessment.
You still need to implement appropriate safety measures and efforts to follow GDPR, where "appropriate" takes the scope of your processing into account. https://gdpr-info.eu/art-24-gdpr/, need a legitimate reason for using the data, etc., but all of this is very doable, and you're probably already in compliance if you care the smallest bit about your user's privacy and follow normal best practices like rotating your logs.
IIUC (there are two directives and I'm less familiar with the other one) you don't even need a cookie dialog as long as you aren't setting any unnecessary cookies.
The most recent examples of individuals being fined have been fines around €200 [0]
[0] https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_...
I.e the maximum fine is highly unlikely for anyone to get, and if you get it you have done some very bad things.
And not only that, my concerns and dissent regarding GDPR piss people off so much, that at this point, every comment I post just gets downvoted immediately. Now I realize it’s against HN guidelines to discuss this, but when I post a comment and the delay it takes for me to return from the post page is enough for my comment to already have a downvote, I feel discouraged. It’s very clear the person who did that had no good faith intent on a discussion nor intent to even minimally read my comment. And I’m supposed to try to argue my points in good faith despite this.
The pro-GDPR crowd may be winning the mindshare but they are inheriting the cancer of something not allowed to be criticized. And if we ever do see an egregious fee driven by political motivations, am I supposed to feel smug for having predicted the possibility or sad that my mere expression that the default maximum fines are so ridiculous that they basically terrorize anyone who is not a multinational corporation turned out to be well-founded?
All I ever asked for was for people to recognize the chilling effects that this regulation can have. The internet used to have so many small websites, forums and wikis, and many of these fall under the umbrella of GDPR. And this is basically the treatment I get for trying to represent this dying breed of website: as some corporate shill worth being buried and not considered.
It’s not like I care that much about being with the mob, but it pains me that as the open internet gradually dies, people flat out just don’t care. GDPR as it is today is just represents a huge amount of risk for anyone that is not a multinational corporation, and it only gets scarier the further down you are. I’m sorry but just telling people to not worry about how the law is written will not work. Some people will ignore it, some people will try to follow it, and some people will just stop trying altogether deciding the risk simply isn’t worth it. And that latter part is most likely to occur for websites that are more objectionable, since they will likely face harsher treatment just due to cognitive biases alone, since we’re talking about considerations that humans make rather than the word of law.
And for me as a user, it sucks if your side project leaks my credit card and SSN, because I'll be dealing with the identity theft and fraud. If you're not competent enough to keep them safe, then use a vendor that is or don't process then at all.
And as well, GDPR, again, doesn’t guarantee the safety of your data. It just adds fines to some circumstances where your data is misused. But an honest breach doesn’t lead to fines as far as I can tell, so you just have to live with that possibility either way.
As best as I can tell, there is no legally binding texts anywhere that limits the fines. The maximums start at €20 million and go higher if you’re huge. In the mindset of “hope is not a strategy,” this maximum fine being the only legally binding limit is enough to make you go home. Maybe small companies can hope for preferential treatment, but as an individual even small fees could do serious harm.
Escape to Mexico in the worst scenario.
South America is anyway becoming more and more appealing the more the West progress.
That said, not that it changes much but I stopped taking EU customers (I take businesses and not customers) because of vatmoss and gdpr.
It is a bit ironic that it's probably a good idea for an EU service to not serve EU customers.
Can you elaborate?
This needs some explanation.
Also, what's stopping them from just lying?
Well, hopefully the prospect of fines if they're caught. I'm hoping that the local data authorities won't be lenient if a company is caught outright lying.
Also, can't we just agree that "Legitimate interest" is noncompliance and fine BBC too while at it?
And Google for the whole Doubleclick Ad Exchange, they're sharing lots of user details with hundreds of bidders on every pageview that has ads. As well as storing all of that information in Google Cloud as part of their Ads Data Hub product. All without permission.
2. Every single company that knowingly processed data based on such invalid consent.
3. Every single website and company that processed data for advertising based on "legitimate interest"
The French ICO, CNIL, just announced that refusing should be as easy as accepting, so they agree
That’s not making opt-out the default choice.
If multimillion fines were given to just a few hundred of these sites things would change pretty quickly.
I don't believe that either, I just think that flags like these can only be taken seriously if all actors have maximum incentive to take these seriously.
In fact, everyone else (including Google via analytics) is probably get more data; make it so that in the same way the browser form fills address and phone number and things automatically based on past fills, have a standard API in the browser to handle that. Now users just have to click "okay" to share all that data, rather than enter it in.
https://www.cnet.com/news/apache-web-software-overrides-ie10...
Privacy is nuanced. It's' really hard to encode all ways you may or may not want your data used into a few boolean questions.
https://stackoverflow.com/a/16475093
We already had do-not-track in the browser, why do you think companies refuse to honour it?
and prohibit showing an obtrusive popup.
https://en.wikipedia.org/wiki/Do_Not_Track
Basically I see a quick experience for accepting everything, and a degraded experience for not clicking that but getting a list of what to accept or denying all
I'm implying every politician involved in the decision, or at least the majority, uses a couple or sites and had to approve cookies and data handling only on a handful of sites, once in their life. I shouldn't generalize but, even as an able bodied internet user, I find it extremely cumbersome to surf.
1) accept advertising/tracking cookies
2) pay a monthly subscription
I've seen this on AlloCiné (French IMDB), and "aufeminen" which is a random forum that a Google search led me to.
> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
I take this to mean that you cannot rely on consent that a user has given you to process their personally identifiable information if they did it in order to access a service you wouldn't let them have access to otherwise.
https://gdpr.eu/Recital-42-Burden-of-proof-and-requirements-...
I think having to pay a monthly subscription, or losing access to a service when you withdraw consent and don't pay a subscription should be regarded as a detriment.
Maybe EU should write a new law by copying the GDPR text that defines consent and make it bold, all in caps, and underlined.
I think most users didn't even notice and for the people who do and are really bothered, there are workarounds such as VPNs
>In most cases, it just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.
2) Accept our cookies and let us track you! (with a delay for choosing anything that's not accept all)
3) Surprise! There might be a paywall whether subscribed via email or not! Schrodinger's paywall
4) Oh hey! I saw you paused scrolling or moved your mouse in the general direction of the back button, check out this other thing!
5) Okay lol, here's the article. Maybe. Depending on the deal we cut with the creators of your specific browser and geographic location and how many other articles you've read this month.
and thats with adblock
Europe and California, we are counting on you to fix the internet!
Then there you go, no popups, no consent to ask for, job done.
https://europa.eu/
If it's so easy to do then surely an organization with a bottomless pit of money and no accountability on it should be the first to manage it?
It’s a fine paid in time and focus by billions of people and its cost is probably staggering.