Ask HN: What happens if I don't abide by GDPR and put a banner on my website?
I've noticed that Hacker News and Reddit don't make me click on a banner each time I visit. Neither do Facebook, nor X.
On the other hand, many, many websites do show me an obnoxious banner that I have to acknowledge every time.
Why did they decide to put it up? Does it matter if they aren't an EU based website? What is the consequence of not putting up the banner / pop-up? Has anyone been taken to court for violating GDPR because they didn't put tell their users that they'd be serving up cookies?
17 comments
[ 4.9 ms ] story [ 52.1 ms ] threadIf Norway passed a law saying that all US websites have to include a disclaimer saying Norway is the best country, it would be pretty clear that it doesn't affect me, because Norwegian law doesn't apply to people who aren't in Norway and aren't Norwegian citizens.
I put up a website. If people from the EU visit my website, why does EU law apply to me? Opening a brick and mortar bakery in the US doesn't make me subject to EU food regulations just because somebody from Europe flies over and buys a cake.
- the offering of goods or services
- the monitoring of behavior of data subjects
Offering doesn't mean that it's just available and/or sellable in EU. It's more complicated than that. EDPB has a guidance on this topic: https://edpb.europa.eu/our-work-tools/general-guidance/guide... In short, document shows examples where some services are available in EU, and sellable there but personal data isn't covered by GDPR.
On the other hand, my understanding is that monitoring of behavior is always covered by GDPR.
(I am not a lawyer and this is not a legal advice)
I dispute that they have jurisdiction to actually apply their laws to me, any more than the US can charge somebody with violating FCC regulations for a radio signal sent from Norway.
There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?
Nope. Extradition only covers the case where you go to some other country and commit a crime there, then return to the US. If the crime you committed there is serious, and is also a crime here, then extradition can apply. There are other conditions as well, but the key is that it has to be a crime in both places.
Europeans can claim that you must follow their laws until they are blue in the face but it won’t magically become true. You can safely ignore it. Enjoy competing against European businesses without having to pay any of the same costs.
Even if State law doesn't apply - you have have HIPAA, GLBA, SOX etc.
Among other requirements, a participating organization must provide you:
https://www.dataprivacyframework.gov/s/article/My-Rights-und...Not every website is subject to GDPR - applicability is determined by GDPR Article 3[2]. When a site is subject to GDPR - you need a legal basis to process personal data[3] subject to Article 6[4]. Sites which use the 'consent' legal basis, thus get consent with a banner.
If you do not have a valid legal basis (such as consent) to process data, but are found to be - complaints with the relevant Data Protection Authority may be lodged and investigations may be carried out subject to Article 77[5]. In the event of an adverse decision corrective action, including fines may be levied. There are two fine structures in the GDPR, and those can be found in Article 83.[6]
Now, a site can use geofencing, to determine if you are in the EU (or other relevant location) and selectively show you a banner or not based on your believed location as is determined by a reverse IP Address lookup.
You may be re-prompted between visits depending on if the persistence mechanic you select is maintained. Some browsers delete cookies aggressively[7], and if the preference cookie is removed by the browser you will likely be issued a banner on the next visit to re-establish your preferences.
[1]https://gdpr.eu/cookies/ [2]https://gdpr-info.eu/art-3-gdpr/ [3]https://gdpr-info.eu/art-4-gdpr/ [4]https://gdpr-info.eu/art-6-gdpr/ [5]https://gdpr-info.eu/art-77-gdpr/ [6]https://gdpr-info.eu/art-83-gdpr/ [7]https://webkit.org/tracking-prevention/
It can already be quite expensive to make rejecting the cookies too difficult: https://www.bbc.com/news/technology-59909647
After that Google fortunately turned their monstrosity of a UI maze into a single click.