The article does have a quip about how society teaches _boys_ about consent, which does imply that they read the article even though their next sentence re “whole EU cookie thing” seems completely out of place
Is there any really good guides on how to be gdpr compliant as an engineer?
I want to know what I need to implement in my software so that should I need to respond to a gdpr request, I can action it as required. Someone else can deal with third party notifications etc, but I want to know how to create a ‘nuke this user’ function, but I don’t even know what data a user can supply for identifying purposes (their name? email address? IP?) nor what data I must destroy (name? email? Ip?)
I’ve had the exact same gdpr training at two jobs (word for word it didn’t change in 3 years!) and it never ever covers the details, it’s all geared to in-office environments and skips over the fact that some systems might need to have these export tools built for them or that they have export but not all the fields.
I have had to use gdpr to get data a few times now and while it’s amazing that we can so easily do that now 30 days is never enough because i can tell that the export is being done manually then converted to pdf. Which means my data is no longer inside the system its in bits and pieces in someone's (usually non technical) downloads/desktop folder which feels way less safe to me!
Seems like it would be easy to fix this situation even without changing the law.
- Forbid browsers from sending the DNT header automatically. They may ask the user.
- Consider the DNT header valid consent or withdrawal of consent.
- Forbid websites from asking for consent if the header is set.
It doesn't matter where you are as long as you serve someone in the EU.
So, if you are in the USA, but your website is serving cookies / collecting logs for the visitors, and one of your visitors is in the EU, you must comply with GDPR. GDPR also requires explicit consent to collect information such as IP addresses (logs) or tracking cookies.
I have seen sites just banning all the EU IPs, but I don't think that would work anymore, as California & India have similar laws. I am sure a bunch of other jurisdictions have it by now, as well.
The EU doesn’t have jurisdiction over American companies, there’s no way to enforce this. If your company has a European legal presence, that legal entity may see enforcement, but if you’re an American site operating under American jurisdiction, the EU cannot compel you to do anything. America is a sovereign nation that is not subject to EU laws.
Bear in mind that a case that isn't really clear are advertiser networks who work in the EU. Them collecting EU citizen data w/o explicit permission is illegal, and punishment is enforceable. Candy advertising network push girl the cookie banner?
But they can't. Because if the user doesn't consent, the advertising network is not allowed to even be involved.
And most sites don't just use one tracking network but they use many (see some of the convoluted cookie banners where you have to turn off data sharing with several hundred "partners")
> So, if you are in the USA, but your website is serving cookies / collecting logs for the visitors, and one of your visitors is in the EU, you must comply with GDPR.
You need to heavily asterisk this because this is not true in all cases.
The problem is not GDPR. It’s that websites are addicted to Google Analytics and things like it. Like the article states, the cookie banner is not in the GDPR law. The banner is malicious compliance.
The only way to explain it is mass hysteria. Someone did the banner first and everyone thinks that’s what you need to do to comply and everyone copied.
> Someone did the banner first and everyone thinks that’s what you need to do to comply and everyone copied.
I don't think so. Most sites have teams big enough to know what they are doing, and they know this is the only way to "comply" while still being able to continue business as usual.
20 comments
[ 1.8 ms ] story [ 67.7 ms ] thread> The only thing that matters is that if an entity wants to track people, they have to let them know in a way that is clear and request their approval
The author does say that it's not about cookies either. It's about tracking.
I want to know what I need to implement in my software so that should I need to respond to a gdpr request, I can action it as required. Someone else can deal with third party notifications etc, but I want to know how to create a ‘nuke this user’ function, but I don’t even know what data a user can supply for identifying purposes (their name? email address? IP?) nor what data I must destroy (name? email? Ip?)
I have had to use gdpr to get data a few times now and while it’s amazing that we can so easily do that now 30 days is never enough because i can tell that the export is being done manually then converted to pdf. Which means my data is no longer inside the system its in bits and pieces in someone's (usually non technical) downloads/desktop folder which feels way less safe to me!
- Forbid browsers from sending the DNT header automatically. They may ask the user. - Consider the DNT header valid consent or withdrawal of consent. - Forbid websites from asking for consent if the header is set.
Other than that yes this would be the solution.
I have seen sites just banning all the EU IPs, but I don't think that would work anymore, as California & India have similar laws. I am sure a bunch of other jurisdictions have it by now, as well.
The EU doesn’t have jurisdiction over American companies, there’s no way to enforce this. If your company has a European legal presence, that legal entity may see enforcement, but if you’re an American site operating under American jurisdiction, the EU cannot compel you to do anything. America is a sovereign nation that is not subject to EU laws.
And most sites don't just use one tracking network but they use many (see some of the convoluted cookie banners where you have to turn off data sharing with several hundred "partners")
You need to heavily asterisk this because this is not true in all cases.
The only way to explain it is mass hysteria. Someone did the banner first and everyone thinks that’s what you need to do to comply and everyone copied.
I don't think so. Most sites have teams big enough to know what they are doing, and they know this is the only way to "comply" while still being able to continue business as usual.
That must be why https://gdpr.eu has a cookie banner /s