It's been three years. Stop saying your European visitors are important to you
Our European visitors are important to us.
This site is currently unavailable to visitors from the European Economic Area while we
work to ensure your data is protected in accordance with applicable EU laws.
For my European friends, try a link like <www.everythinglubbock.com> or <www.tristatehomepage.com> or <www.khon2.com> or <www.wtrf.com> or <www.wnct.com> or <www.fox46.com> ... or many of the other "local" news sources in the U.S. It's important to note: While these sites cover news in a particular region, we'd need to start calling each McDonald's a local burger joint under this classification.At the bottom of each page: <https://www.nexstar.tv> - If you click this link, you are not geoblocked! In fact, there are a ton of statistics showing just how many resources this media group has at their disposal to address releasing news articles to Europe. Save a click. It's 4 billion USD revenue, over 100 news sites and TV stations, and a reach into two-thirds of American households. This is no mom and pop operation. They just don't---or maybe can't---care.
I only focused on one media group, but there are others. Here's a news article from the same year GDPR began enforcement two years after its introduction in 2016: <https://www.bbc.com/news/world-europe-44248448>
A little has changed, but not much! Chicago Tribune is finally available. NY Daily News? Can't access. Baltimore Sun or Orlando Sentinel? Also, no.
"Why are you complaining?" you might ask. "What is your goal?"
Besides the obvious---I'd like to read about the communities of my friends and former neighbors---I want two outcomes:
First, any giant search engine company with a news subdomain and 100,000 employees could stop suggesting/featuring geofenced articles to European residents. At least weight these results so they aren't the number one, front page feature. (Although in Google's defense, one can usually click the "Cached" button to get the linked story.)
Second, say something else. The people living across the Atlantic (and their pesky differences of opinion on privacy) can't possibly be more than an inconvenience at this point.
You are in Europe. Mind your own business.
---Edit: First post. No idea how to get links to display properly even following "Formatting Options" instructions.
191 comments
[ 2.9 ms ] story [ 231 ms ] thread"Your life is important to us. Therefore we must kill you.“
*With apologies to The Life of Brian
It is, in fact, what people who are far, far gone into conspiracy theory madness think.
Again, this is not a reasonable thing to think. It is bordering on mental illness.
My friend, that couple of sentences you’re so wound up about means more or less exactly what you’ve said at the end. Businesses aren’t in the business of giving a shit about things that don’t affect their business. You’re upset that they don’t word it more bluntly? Really?
Actions have consequences is my response. Sorry you all didn’t get the consequences you wanted. But it’s very frustrating the childish way people on HN approach these issues. Zero material analysis or thinking, always pointedly naive idealism of this type: “well you SAID you care about Europeans”- come on.
I’m begging you all to take the next step and think through the actual forces at play, instead of banging on with the churlishness.
The way this works is very simple- law is introduced, business figures out the easiest way to deal with it and get back to what they were doing, rinse and repeat.
Maybe the European search engines do a better job at this. You could give them a try.
> McDonald’s is never going to check what Brussels says about dairy before they make a milkshake in Spokane. Sorry.
conflicts with this:
> law is introduced, business figures out the easiest way to deal with it and get back to what they were doing, rinse and repeat.
So which is it? If they care about Brussels, then they are willing to go the extra mile. If they don't care, why put up the block anyways?
> Our European visitors are important to us.
> This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws.
So they have to adjust their EU meat supplier for servings in Europe though.
Certainly, this media conglomerate does not need to care about European visitors, but to claim they do on the "Access Denied" page is quite hypocritical.
I hadn't even mentioned the detail, "while we work to ensure..." This would imply they've been doing anything at all for the past three years.
Also, I'm 15 miles away from a Google office, so I guess I've been using a European search engine all along!
Because it's irrelevant, wrong and passive-aggressive belligerent: "Sorry you all didn’t get the consequences you wanted... childish ... Zero thinking ... churlishness".
Someone located in Brussels might easily end up on the website of a Spokane newspaper.
"Our European visitors are important to us BUT vacuuming all your data and selling to multiple bidders is importanter"
You wanna be obnoxious? Sure, go ahead, but I'll dislike your site more (and I have adblock so I have no qualms in accepting). Wanna pretend you're compliant by having an obvious non-compliant "solution" and think that will shield your responsibility? Now I'll just hate you and will probably bounce off your site
Breaking the law is a generally considered a big mistake and regardless of the stereotyping about businesses they can be pretty timid when dealing with governments.
Except when it's about breaching the GDPR. In this case it's considered "business as usual" and Google and Facebook successfully get away with it.
"Accept/Ask me later" is in violation of the GDPR.
--------------
Hypothetical conversation with a Malicious Advertising Website:
MAW: Can I stalk my users without telling them?
GDPR: No, you must have consent to track users.
MAW: So I can assume I have consent because they're using my site?
GDPR: No, the consent must be explicit.
MAW: Got it, I'll put it somewhere in the fine print of the terms of service.
GDPR: Uninformed consent doesn't count. Fine print doesn't count as informing users.
MAW: Okay, so I'll have a banner with an obvious "accept" button and several hidden steps to opt out.
GDPR: Nope, it must be just as easy to retract permission as to grant it. If it's a single step to accept, then it must be a single step to reject.
MAW: In that case I'll have the "reject" button kick them off the site.
GDPR: Consent must be freely given, and having a service be conditional on consent is coercion. Consent to track may only be given as a gift, and not as an exchange.
MAW: WAAAH!! This is so hard!!
---------
Hypothetical conversation with a Non-Malicious Website:
NMW: I don't track any information about visitors to this site, and only serve non-targeted advertisements.
GDPR: Sounds good, go right ahead.
NMW: Say, I want to make a "To-Do List" site. Do I need to warn users that I'm going to remember the to-do items for them?
GDPR: Nope, no issue there. That's necessary for the service to function.
NMW: Huh, this is really simple.
nice
GDPR: Browser generated information was ruled personal data and falls under GDPR.
MAW: Just let me stalk on my users without their consent, goddamit!
There's a difference between being compliant and being _in compliance_. There's a real cost to the latter. Why should sites that primarily serve non-European readers bother with it? The assumption that they don't because they're all greedily stalking users is a misguided, but popular, cynical take.
It's perfectly reasonable for US media to block European users rather than deal with GDPR compliance, but why not be honest about it?
And I say this as a European myself. It sucks that I have to jump through hoops to access some sites but I can't really blame them.
At a few thousand reads per day, a MB or so per read... this is costing up to FIFTY DOLLARS PER YEAR to just... give our content away for free?!
So what's this about "free"? I mean, you weren't planning to charge me in the first place.
So you want to set a cookie so that you can make your ads more "targetted", and so more valuable? There's no public evidence that ad targetting even works.
But this "free" business - I suspect that some local US paper doesn't make a lot of money from ads served to EU residents. So is it possible that the lost revenue stream is from selling PII to data brokers? Oh dear - that's pretty evil, even if the visitor isn't in the EU.
I know the pervasiveness of the phrase no such thing as a free lunch, but is there really so much revenue lost by not harvesting data? (And yes, it doesn't take an MBA to notice any revenue loss should be avoided, so I understand the reluctance to publish to any market for free.)
Change the text.
"Our European visitors are important to us... but the cost of GDPR-compliance for a US-focused site is high. For your own GDPR protection, we advise you not to access our site. However, if you choose to do so, you agree to waive any and all rights granted to you under the GDPR. [ ] Agree"
> IANAL, but can't they just word a disclaimer and checkbox?
The answer is no, as far as GDPR is concerned, if they want to process and/or sell data of EU citizens or residents they have to follow some rules. I’ve no idea how the EU plans to enforce this regulation outside of the EEA, but it’s beside the point (as in it’s not what you asked)
I will try to do better myself. I'm sure I am sometimes guilty of same.
Maybe you are not a lawyer; but perhaps you should actually read the GDPR before suggesting that it's possible to waive all one's rights under the GDPR.
The Great Firewall of the USA, or maybe The Great American Firewall.
Also the EU is quite tolerant with breaches, as in if you are found in breach they will give plenty of time to address it (which often means removing a tracking cookie you forgot about or add it to your cookie policy).
At this point GDPR is way too tolerant, given that in 99% of cases you get away with a banner that makes it impossible to refuse tracking.
So not being GDPR compliant, which at this point means a bit more than being decent with users, says more about the business model of these companies than about anything else.
As a former GDPR compliance officer for a company managing about 40 customer websites, I can confirm that GDPR compliance is not burdensome or costly, unless you are intent on violating the GDPR. You appoint someone on your tech staff as compliance officer, and as an organisation you make sure that complaints are handled.
Handling complaints is something any business should be able to do, GDPR or not; a business that can't handle complaints isn't a viable business.
[1] https://gdpr-info.eu/art-27-gdpr/
Besides if you don’t have a regular client base in the EEA or you process and collect data only occasionally and on a small scale, you don’t have to appoint a GDPR representative.
In a few words: don’t collect data without permission, don't spy on your users, don’t profile them, don’t process or sell their data without permission, delete all data about them if they ask you to do so, and you’ll be OK.
We're creating a fucking dystopia just to click on more ads.
I hate these dark patterns and in spite I do lose my time to uncheck everything I can, if I can't untick everything in less than 20 seconds I simply close the website, no matter what.
Personally I use the Lockdown app which seems to block a lot, but suggestions about better alternatives are welcome.
Tho I optin analytics usually :)
They clearly don't care, if they did that box wouldn't even be there.
Sites like Imgur are the absolute worst. "We care about your privacy" and presents you with a list of 1200 companies they share information with.
Here's an extension that auto deletes cookies: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete
It's not even lying.
Disappointing.
And pay your own damn defense budgets.
Alas, I have paid and do still pay my country's defense budget---financially, physically, emotionally.
"Don't feed egregious comments by replying; flag them instead."
a.k.a. please don't feed the trolls
https://news.ycombinator.com/newsguidelines.html
If you wouldn't mind reviewing and sticking to the rules when posting here, we'd be grateful.
While I didn't mean for this to blow up and was merely venting, I'd like to think my unreplied vim-regex comments were good contributions and valid content for the HN community.
And just for you: Five years ago, the front page had "House sabotages net neutrality", "lawyers suing over We Shall Overcome", "Haitian cholera epidemic started by UN peacekeepers", "coffee shops signal urban change", "how the law is tracking down prank callers", "Merkel allows lawsuit against German comedian"... oh, and a new minor version of Jupyter and Tera were introduced.
I'm sad that you remember HN being different back then.
Edit: I'm getting downvoted -- just in case it helps to clarify, I'm not trying to say anything anti-GDPR here... I'm just genuinely surprised these ostensibly US-only companies feel obligated to follow it and genuinely asking why? Is there an actual legal risk to non-compliance for them? Given the already low level of effort just to detect an EU-based IP address and show the patronizing error message, it seems like they must have had some motivation to even do that much and I'm just wondering what that was.
And before you say that's crazy, look at US tax laws.
That's a common misconception. GDPR applies to the data of people "in the Union". There is no mention of citizens at all in GDPR.
If someone is not an EU citizen but is in the Union, it applies.
If someone is an EU citizen but is not in the Union, it does not apply.
If an EU citizen accesses a site from inside the USA, the GPDR does not apply. That’s also why these sites can use geo-blocking without knowing who accesses their site (for some definition of ‘can’. Technically they can’t because geo-blocking can’t be perfect. If you access a site from the EU through a VPN in the USA, the GDPR still applies)
Nexstar might not have any European assets, but non-compliance might not be a smart move if they get fined and business executives travel to Europe...
Also, individuals traveling to the EU will never be liable for the fines of their company.
Our company just completely ignores GDPR - and I suspect no one will ever care.
Do you do only your own tracking? Or do you directly or indirectly sell Europeans' personal data to other companies, who in turn may be doing business in Europe?
You can probably see where I'm going with this: those other companies may then potentially be liable in Europe for improperly handling Europeans' personal data. If I was buying personal data from US company as a European, I would make it part of the contract that the seller must comply with GDPR at least for Europeans, to avoid this potential liability.
It doesn't matter where a company is located, only where its products are accessible. If you offer a product/service to EU citizens - for example a globally accessible news website - you have to comply with GDPR. Or you deny access to EU citizens, which is fine too.
It's the 0% APR that virtually nobody qualifies for at the dealership. Don't suggest content I want but can't have.
You don't have to show cookie consent when you use cookies purely for "technical stuff" - e.g cookie based authentication.
>Operational cookies
>There are some cookies that we have to include in order for certain web pages to function. For this reason, they do not require your consent. In particular:
>authentication cookies
>technical cookies required by certain IT systems
https://ec.europa.eu/info/cookies_en
You only "have to" press these because a lot of websites decide they'd rather torture users with popups than stop tracking personal data.
https://github.com/cavi-au/Consent-O-Matic
https://www.i-dont-care-about-cookies.eu/
While this may suck for you personally I don’t think American companies (especially local news companies) should have to comply with invasive and expensive European privacy laws. Especially after forcing the entire world to adopt useless and annoying cookie walls. If you really want to access those articles you can use a VPN like the rest of the world does when they are accessing geo restricted content. GDPR has never really been a reasonable law to begin with.
> At the bottom of each page: <https://www.nexstar.tv>
They can avoid these responsibilities by refusing to serve content in the EU. That's their prerogative (although it is discriminatory, and thefore violates GDPR). And if they think they are out-of-reach for EU law, they can just ignore the GDPR; but watch out, similar regulations are coming to a jurisdiction near you.
Whether the GDPR is "reasonable" depends on your perspective; regulated parties always think that the regulations under which they trade are unreasonable.
[Edit: qualified the "their prerogative" bit]
They aren’t in fact free.
Stop saying banned customers are great.
This is my argument.
* "local American media" WTF. Almost all of you are large corporates.
You've got GDPR super wrong. If you think GDPR was only about cookies, you've got it wrong (but that's where Google et al. focuses your attention to be honest- disinformation about GDPR and focusing on cookies even when cookies is NOT what GDPR is about).
The subject is silly banners. Those are nearly always about cookies, or "We won't serve you because you're in Europe, and GDPR" (and the latter violates the GDPR).
My view is that these banners are partly because some businesses think that by annoying users enough, they can get European users to reverse the GDPR. Ain't gonna happen.
But the axiom is misguided.
Legislation on the safety of cars for instance is not free, but necessary.
You could argue that the makers of go-karts are being priced out of the market: after all, the free market should make people put a price on their own safety.
But the issue is often that people don’t really have a good grasp of what it truly means and you can’t put a monetary number on things like that.
> But the issue is often that people don’t really have a good grasp of what it truly means and you can’t put a monetary number on things like that.
Furthermore, here in Europe everyone pays for health care for everyone to some degree so allowing people to do outrageously stupid stuff ends up increasing the tax for everyone.
Lawmakers and voters would prefer not to have regulations; they would prefer if businesses just did the right thing. But they don't, so they have to be regulated. And nobody wants the cost of that regulation to fall on voters; so it falls on businesses.
Hey, who makes money out of these websites? Voters? Nope. Why should anyone but businesses pay the costs of regulating businesses?
There’s an entire sub-field of economics devoted to studying where the incidence of taxes and regulations fall, but voters don’t care to read the literature. If it sounds like we are sticking it to the people that their oversimplified model of the world has decided are bad guys, they are all for it.
There's a libertarian, anti-regulation line of thought to which some USAians seem to be particularly prone.
Europe, and especially the EU, runs on regulations. Without all kinds of regulations, the EU would fall apart. Most people here understand that. They also understand that imposing costs on businesses results in marginally more expensive products (although GDPR compliance isn't expensive, especially if your gesture towards the GDPR is just a cookie wall).
Everything is working as intended, no?
The GDPR requires sites not to discriminate. It is a violation to refuse to serve users because they are in Europe.
> Then pay.
I don't think it really fits as a response if I had only read the headline.
I do concede that my comment was more terse then necessary and not as constructive as it could have been.
My point was that the links listed looked like small free organizations that don't have the resources, or actually any other incentive. They probably have very few readers outside of their localities.
So pay for a bigger news org that does.
If the link looks like something worth the effort, plug it in to archive.is and read the output there. Or try it via outline.com instead. These tend to work for most text-based articles/sites, and archive.is often breezes right through paywalls, too.
To load one of the Google News links took more than 30 seconds on archive.is but eventually worked.
Outline did not work with the links as-is.
In short, this is not a comfortable workaround, but it is a working alternative.
Simply put, it's a very low margin and low time investment business on my side and I'd rather work on something that can make me more money than to implement the required changes to support Europe's regulatory plat du jour.
Having worked in big businesses, even if they have the money to spend, they may face other organisational issues. Implementing any change in big businesses is not easy and takes significant more time than you would imagine.
As you correctly say, I'm sure they evaluated the cost benefit of EU visitors and concluded it wasn't as high as the cost of getting things done.
For news, that means that people will be able to access less independent content, or maybe just access what is visible behind the walled gardens of social media. For ecommerce (and VATMOSS), stores just moved to Amazon / eBay so they don't have to deal with the complexity.
As usual, regulators screwed all us up pretending to target big business (whether it's privacy or paying sales tax) and dealt a massive blow to all the small competitors of big business.
But it's ridiculous that we have to go to such insane lengths, for privacy or even for access. Noscript, in particular, can be very annoying, but it saves me from a lot of worse annoyances.
This also crosses over to the crawling horror of IoT, where every device maker wants your sweet, sweet data. Oh, sure, we can throw our IoT devices on a carefully-firewalled VLAN - provided we have networking gear with that capability and the knowledge to use it, neither of which is likely for the average consumer.
I never imagined I'd live in a real-life cyberpunk dystopia when I first read "Johnny Mnemonic" in Omni so many years ago, but here we are.
You can't have links in text posts like this. HN stories are a link or text. From https://news.ycombinator.com/formatdoc: "Urls become links, except in the text field of a submission."
To make proper links in comments, just put "https://" in front of them so they're URLs. "<" and ">" are for unusual URLs that get mis-detected with their surrounding text, and they are hardly ever needed.
Thanks; noted for the future.
1. Imagine communist countries blocking access to local news. What would that look like? Well, censorship and maybe ways of hiding the abuse of the local regime to the outside world!
2. GDPR doesn't even ask for much: show us the news, show us your ads, just don't slurp any info about the visit. You know, like a TV station: just print some pixels. But apparently the whole business model can't work like that anymore. Spying is the only way they can make any money.
I don't think they entirely don't care, they just care more about (perhaps need to) making money fast than serving a global audience.