top | item 16518076

(no title)

mziel | 8 years ago

Looking forward to May (when GDPR officially comes into force). Provided that it doesn't end up like the cookie law (and there are explicit provisions in GDPR and ePrivacy to avoid that) this might shake up the ad industry:

* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service

* Opt-in/out separately for every activity (no more "research purposes")

* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)

discuss

nrjames|8 years ago

What we are seeing is that the ad providers are considering themselves "controllers" under the GDPR and the tracking of device ad identifiers as critical to their business. Hence, their plan is to inform of the collection via a privacy policy but not to offer users the opportunity to affirmatively consent to allowing their advertising ID to be tracked. It's dispiriting.

zaarn|8 years ago

I'm pretty sure that this kind of behavior will be shot down by EU or Local courts. The GDPR contains parts where it explains what kind of reasons might lead to overriding of legitimate or critical interests.

throwaway2048|8 years ago

their interpretation isnt nessiarily going to hold up.

lbarrow|8 years ago

Can you elaborate on what you mean by "doesn't end up like the cookie law"? I'm an American and don't have much awareness of this other than I've noticed that sites in the EU like the Guardian tend to have annoying banners saying they use cookies at the bottom of their splash screens.

mziel|8 years ago

You can read more about the cookie law here: https://www.cookielaw.org/the-cookie-law/

Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.

This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).

With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).

TeMPOraL|8 years ago

TL;DR: sites were obliged to provide information and ask for consent when using marketing cookies. That is, cookies required for the site to work (e.g. session) were fine, but tracking/analytics were not. Everyone started to show banners saying "we use cookies [OK] [what cookies?]", users just got used to clicking OK on them, and almost nobody has any clue what this was all about.

You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.

dalbasal|8 years ago

Explicit consent is the principle I'm most curious (and pessimistic) about. It's one of those things that are very easy to describe in everyday terms, but almost impossible for legal enforcement to work with.

There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed."

When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.

Ra1d3n|8 years ago

Its pretty easy: The law says, that you always have to set a willing action to opt in. There can be check-boxes, but they need to be unchecked by default ("privacy by default"). Simple. I have already received multiple communications from Banks and credit card companies, and they are all very explicit about it and it was very easy to see the choices and the effect of the law.

tzs|8 years ago

Note: the following questions are not because I'm trying to figure out how to work around GDPR. They are to help figure out just what the meaning of it is. Imagining hypotheticals that try to work around a law is a common method in legal circles for clarifying the law. My employer does not keep any data that would be problematic, and compliance looks like it will be pretty easy for us [1].

> Explicit consent for non-essential data use, [...]

This raises a bunch of questions. Anyone know the answer to any of these?

1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

> [...] you always need to provide opt-out without degrading the service

2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.

On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?

3. In #2, does it matter if that's how my site works for people that I can identify as being the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.

If they say that are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.

If they say they are, I just send them to a page that says EU people are not allowed to use my site.

What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.

tscs37|8 years ago

>1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

If you use the data for bank transactions or paypal subscriptions it's essential.

If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.

>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.

Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.

>3. In #2, does it matter if that's how my site works for people that I can identify as being the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.

>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.

If they say no, I would say that is okay to believe considering the GDPR also requires a "Are you 16" question. Ask a lawyer.

yardstick|8 years ago

> What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.

xg15|8 years ago

> 1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

IANAL, but intuitively, I'd say no.

In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)

Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.

In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".

unknown|8 years ago

[deleted]