GDPR articles seem to be getting some traction on HN as everyone is trying to figure out: "Do I need to do something for this? If so, what?"
For a recent project I read (and translated to plain English) [1] every single article in the GDPR legislation and for our purposes it can be summed up as:
"Treat user data like names and emails as if they were credit card numbers"
AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.
Obviously that's not the entirety of it, but as a working mental model I think it goes a long way.
I’d add: Get (documented, active) permission of users to store and use their data, understand that permission is given only for a defined cause/usage (and not indefinitely for everything you right now might not even think of), be prepared to tell users what data you store about them, why and (briefly) how it is used. Be prepared to delete user data on request. Be prepared to show documentation on how you handle the (personal) data. And delete data that is not necessary any longer in regular intervals. And: Don’t share, sell or rent personalized data to any third party without given user consent.
> "Treat user data like names and emails as if they were credit card numbers"
Most sites' approach to credit card numbers is to not touch them with a barge pole, have a third party receive them instead and never let the business have any sight of them, so it's a bit of a stretch to expect the same treatment for a customer's name and email address.
If I have an IRC service that shows quotes from people and has 'last seen' functionality is that covered by GDPR? Some of the users are from EU countries, does that mean those features need to be turned off or have some sort of acceptance exchange with users?
Would filtering out EU IP ranges be sufficient, or does this also apply to EU citizens traveling outside of the EU?
The referenced page says that asking users to provide a birth date isn't sufficient proof that they're over 16 years of age, how should one verify age for something like an IRC bot?
Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs. First it was the completely useless cookie notifications, now it’s GDPR, and nobody knows what the next thing will be - we only know that there will be a next thing (there always is), and that it too will be costly and burdensome to comply with. Unless you derive a significant percentage of your revenue from EU users, it just isn’t worth it to try to keep up with the increasingly demanding whims of a heavy-handed European government.
It's a start, but that is only the easy part, where the goal is relatively simple to figure out. You also have to explicitly get legal documents signed if you make a system for companies that "own" the user data.
You need to have new procedures for obtaining, storing, using, and deleting customer data. This is known as a "code of conduct". You need sufficient logging to aid incident analysis too.
I also think a lot of companies are entering a bit of panic mode because there is no clear guideline on what is sensitive data. If you make a booking system, then everything you store is potentially sensitive if you have end user data in it. If you're making IoT devices for the home with cloud access, then you have sensitive data.
The conclusion we've reached is fairly simple. If there is even a remote chance that normal day-to-day use of our systems contains data that can be used to build a profile of a user, then the system's data is considered sensitive.
> some traction on HN as everyone is trying to figure out: "Do I need to do something for this? Is so, what?"
If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this. So it's hard to imagine how many readers of HN are getting their answers on HN (or similar). If you are small time nobody is going to come after you. Sure something could happen and you could also get a traffic ticket going 57 in a 55 zone and a host of other outlier events.
> AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.
One size fits all advice doesn't make sense in this and in other similar cases. You will spend a great deal of time and effort dealing with 'maybe's' instead of the day to day.
This is totally awesome! Thank you, it has been sent round the office... I too second the idea of putting this onto GitHub so it can live and be updated as understanding of the requirements increases!
That's a fair analogy! I do think having a service like Stripe for PII would make things easier. Why would we need first name and email address? As a programmer I only need a user ID!
In fact, I think the author is underestimating the impact, right here: "Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today."
No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions). The reason all this data got collected, was to try to make the advertising valuable enough that they could sell it. It may be that it never really worked, but it sure won't work without it. I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent (because people consider those websites too valuable to do without), but most other advertising-supported media cannot; or they will see that the long-term impact of this is that it accelerates the current death spiral of newsmedia, as all ad spending goes to Google and Facebook and almost no one else.
I leave it as an open question as to whether this would be a good or bad thing.
> No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions).
We have publicly funded broadcasters in most EU countries. The ad-supported news sites, on the other hand, are generally doing more harm than good.
News outlets existed before the web, so they're not going to be threatened by breaking the ad-supported website model. If anything, the traditional newspapers will be saved by this, because if free online news disappears, people will start buying newspaper subscriptions again.
> I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent
They can't. The consent has to be for a specific purpose.
Privacy first, profit second. I think that is a wise decision the EU makes (disclosure: I'm an EU citizen). 'The media' surviving on a distorted revenue model is not healthy and I will not believe it is necessary to break your customers privacy in order to make a profit.
I completely disagree with this. Firstly, the media currently are too lucrative for my taste and that's why we have everyone being a journalist and publisher. By cutting down on the easy money, only those worth surviving will probably stand. This will seriously cut down on more than just ads, i.e. fake news and unverified sources. An alternative I'd love to see is sponsored articles as the main source of income for these. Let the corporations have to pay bigger bucks to have their posts published. This will hopefully reduce the clutter, force the media outlets to provide quality content to keep a certain level of trust and quality to attract businesses as well as a good targeted audience.
Personally I'd love to have most media completely in the dark about visitors, to solely speculate on the quality of their own content. The only metric they need is daily visitor count. Everything else can be shaped by type and quality of content. A great example is HN where we have a very targeted audience due to the content it serves. It obviously also has some sponsored articles but also the indirect benefits it has on new startups and so on. Just treat it as TV marketing and not a per-person customized monetization strategy.
Nothing about ads on the internet implies tracking.
The simplest solution is that newspapers host the ad on their own server as a .png or .jpg that gets shown to all visitors. It's tracking-free and GDPR compliant.
I don’t think the EU has thought it through. I work in a municipality in Denmark, one of the most digitized public sectors in the EU and we’re not anywhere close to being ready.
None of the hundreds of suppliers we use are truly ready, and how would they be? It took 45 years to build this tech, you can’t just replace the innards in a few years. Estonia is the only country that is close to ready, and that’s mostly because they’ve built their entire system with a focus on sharing and securing data. Nobody else has anything close to it.
It’ll be interesting to see how this plays out in the courts. I mean, keeping privacy data safe should be an important concern, but do we really want to close hospitals and schools because we can’t afford to pay the fines when it fails?
> In fact, I think the author is underestimating the impact, right here: "Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today."
To add to this, the quote paints complying with the legislation as a simple redesign. It would require much more than a redesign. The technical, administrative and legal costs of implementing the new system from scratch would be magnitudes higher than implementing the current system from scratch. And add on changing requirements as the legislation is in its infancy.
Or it could go the other way. If all media outlets decide to put up a paywall it forces people to actually pay for reading the news. Currently there are a few news outlets who plead for ad blockers to be turned off while still offering content for free. And since ad blockers allow you to add exceptions this doesn't create a level playing field between those outlets that advertise and those that are locked behind a paywall. GDPR might end up forcing the outlets reliant on advertising to also shift to paywalls effectively creating the level playing field that was lacking earlier.
Let's face it, despite social media being a great enabler for realtime news the quality of news is sub-par. The biggest bane of social media is the transfer of responsibility of filtering real news from a firehose of fake news, to the end user. Until that issue is solved people are going to probably pay for news. This is just my speculation of how things might go after GDPR.
Television and newsPAPERs were viable businesses before the advent of the internet. And on the internet, the need to spy on your reader is also quite new.
What makes privacy-sensible internet newsmedia nonviable might very well be the much more profitable spying on the client. If regulation makes that competition illegal, and demand for news is unaffected by GDPR (and why wouldn't it be), then it becomes more difficult for advertising companies to find newsmedia that provide that extra illegal profit-taking sugar, so they will go back to more traditional advertising plans. This, in turn, will make newsmedia's lives easier in regards to finding advertisers that do not demand spying on their readers.
At the end, sellers still need to advertise, providing ads supply, and readers still demand free newsreading, providing ad demand. The market still exists.
Publishers are getting squeezed out of the web by various forces. There is this GDPR, then there is also the web giants Facebook and Google squeezing them with their algorithms and in-app browsers. However, I'd say the net effect is positive because I'm seeing the lowest quality aggregator type blogs getting squeezed out and the only ones that are standing strong are the well funded publishers, which means better content.
I thought about it before. Yeah it will make analytics driven journalism unprofitable. But why this is a bad thing anyway? The old subscription model works and the quality of the content is high.
> No, it will basically make a newsmedia site unprofitable.
Good. We don't need that much "news" anyway. And I think my need would be more than covered by national TV which is sponsored by taxpayers money and BBC, which also has no advertising.
There really won't be much of the value lost if we won't have sensationalized and invented news any more.
Another point to consider is that need for news, or just for some brain filler: I am puzzled by the apparent inability of many today to be alone and in silence. As if then some thoughts that they cannot be comfortable with start to be loud enough to be heard.
> Today, for instance, we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking.
"If you look at what is happening around us, you can see very clear signals that the public has had enough."
No, outside of a few echo chambers, no one cares about privacy or knows what GDPR is. Until GDPR shows everyday on the evening news for weeks it will not be well-known, and there are many things more important to most people than online privacy. Heck, Cambridge Analytica was only a scandal because the "bad guy won".
While concern about privacy may indeed remain a niche thing, GDPR is intruding into the European public consciousness. In recent weeks I have received a number of e-mails from hotels I once stayed in, associations I am a member of, my old university, etc. to alert me to the fact that they have my personal data and under the GDPR I have rights regarding it.
> Until GDPR shows everyday on the evening news for weeks it will not be well-known
I think we've crossed that point a few months ago in Europe. Last year I felt I was probably the only one of my real-life friends who even knew what GDPR was. These days, I see streams of articles about it on social media, aimed at non-technical people. Hell, last week my SO told me she started receiving GDPR-related e-mails at work from companies that are in business with her place.
I feel people do know. Unfortunately, I also fear they only think of it as yet another random EU regulation thing, and not realize the benefits it'll bring.
There is a huge long tail of SME 'website owners' that have no idea what they are in for. These sites are often developed/maintained by very cheap labor (students/off-shored etc) and sprinkled liberally with all sorts of 3rd party analytics/counters/share-buttons etc etc.
Not only do the site owners not even know that the site contains these things, if they do, they don't even realize the extent of data collection going on. I had a chat this morning with an owner like that. The site runs GA (they didn't know), the site runs ShareAholic (which they said wouldn't be a problem as they only use it to see in aggregate where their site visitors come from).
They never made a distinction between what data their site provides to these services through scripts or cookies, and what they themselves then get/use through the service provider.
This is not a special case. There are probably millions of these little business sites out there.
It's even bigger than that. It's been mentioned on HN before, but see the "GDPR Letter."[1] Anyone in the EU can send you such a letter, and you have 30 days to reply.
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from....
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
Then, once you've replied, they can request deletion of any or all of that.
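One way to answer points 1 to 3 of that letter, and the deletion request that follows it, from a small data inventory. This is an added example, not part of the original thread or of the linked letter: the systems, countries, purposes, third parties and records are all constructed, and matching the requester by e-mail address is an assumption (a store that holds only pseudonymous data cannot be matched this way, which is why the analytics store below returns nothing).

```python
"""Answering a data subject access request and a follow-up erasure across several stores.

Added example; the inventory, system names and sample records are constructed.
"""
from __future__ import annotations

import copy
from datetime import date, timedelta

RESPONSE_DEADLINE_DAYS = 30  # the letter's 30-day reply window; calendar days assumed here

# Constructed inventory (assumption): one entry per system that holds personal data,
# recording where it lives, why it is processed and who else receives it.
INVENTORY = {
    "crm": {"country": "DE", "purposes": ["account management", "invoicing"],
            "shared_with": ["payment processor (example)"],
            "categories": ["name", "email", "address"]},
    "mail_log": {"country": "IE", "purposes": ["deliverability troubleshooting"],
                 "shared_with": [], "categories": ["email", "timestamps"]},
    "analytics": {"country": "US", "purposes": ["product analytics"],
                  "shared_with": ["analytics vendor (example)"],
                  "categories": ["pseudonymous id", "page views"]},
}

# Constructed sample records (assumption); lists stand in for real databases.
STORES = {
    "crm": [{"id": 1, "name": "Ada Example", "email": "ada@example.org", "address": "1 Example St"},
            {"id": 2, "name": "Bo Sample", "email": "bo@example.net", "address": "2 Sample Rd"}],
    "mail_log": [{"id": 10, "email": "ada@example.org", "sent_at": "2018-05-01T10:00:00Z"}],
    "analytics": [{"id": 100, "pseudo_id": "v_7f2a", "path": "/pricing"}],  # no e-mail: unmatchable
}


def find_records(email: str) -> dict[str, list[dict]]:
    """Every record that can be matched to the requester's e-mail, per system.

    Systems holding only pseudonymous data have no e-mail field and so return
    nothing; without a separate link table they cannot be tied to the requester.
    """
    return {system: [r for r in records if r.get("email") == email]
            for system, records in STORES.items()}


def access_response(email: str, received_on: date) -> dict:
    """Assemble the answer to points 1-3 of the letter from the inventory and the matches."""
    hits = find_records(email)
    systems = [s for s, recs in hits.items() if recs]
    return {
        "processed": bool(systems),                              # point 1
        "systems": systems,
        "categories": sorted({c for s in systems for c in INVENTORY[s]["categories"]}),
        "countries": sorted({INVENTORY[s]["country"] for s in systems}),   # 1b
        "copy": {s: copy.deepcopy(hits[s]) for s in systems},                # 1c
        "purposes": sorted({p for s in systems for p in INVENTORY[s]["purposes"]}),        # 2
        "third_parties": sorted({t for s in systems for t in INVENTORY[s]["shared_with"]}),  # 3
        "reply_by": received_on + timedelta(days=RESPONSE_DEADLINE_DAYS),
    }


def erase(email: str) -> dict[str, int]:
    """Delete matched records from every system; return how many went, per system, as an audit trail."""
    deleted = {}
    for system, records in STORES.items():
        before = len(records)
        records[:] = [r for r in records if r.get("email") != email]
        deleted[system] = before - len(records)
    return deleted


if __name__ == "__main__":
    print(access_response("ada@example.org", date(2018, 5, 25)))
    print(erase("ada@example.org"))
```

The response is built from the inventory rather than from the records themselves, so the purposes and third parties reported are the documented ones for each system that actually holds a match; the erasure returns per-system counts so the reply to the requester and the internal log come from the same result. Verifying that the requester really is the person the records describe happens before any of this and is not shown.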
You should note that lots of what that letter suggests it has rights to are not rights granted under GDPR. Or at least would be subject to legal clarification.
If you send that letter, expect to receive a standard response/report of data with a form response that politely & legally amounts to “piss off”.
Large organizations have considerable resources set aside to make sure their “piss off” letter is legally defensible & GDPR compliant.
That letter is likely only a problem when selectively used by a malicious actor against a small organization. Frankly not the kind of org that is systematically tracking personal data.
Is there anything stopping these letters from being abused like DMCA Takedowns? Just one of these looks like it'd tie up a human worker for days. How much personal information are you going to have to provide to ask for such data? Especially for ".. provide me with a copy .." Does any of this apply to "anonymized" data?
> we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking.
This line severely damages the credibility of the article. I found the article interesting up until I read it. I stopped reading once I read it because I couldn't trust anything else the author says.
I highly doubt this statement is true. It may be true in very privacy-focused circles and amongst some circles of IT professionals, but I highly doubt it is true for the population.
If you make a statement this left-field, you've got to back that up with credible research and I highly doubt that statement was based on any credible research.
My takeaway from the whole GDPR craze is that if you respect your users and have some ethics as to how you process their data then you don't have much to worry about to begin with.
If you are an asshole that's trying to get as much data off your users in order to resell them to the highest bidder, share it with "partners" (partners in crime that is), or to advertise/spam them with shit they don't need, then frankly you (or your industry) asked for this themselves.
The only downside I see to GDPR is that we've now opened the gates for a new breed of "GDPR consultant" that's gonna charge hundreds an hour just to rehash what the law says in a slightly different way and defraud businesses that way by pretending to be a valuable service (and no doubt there will be clueless execs that'll actually believe it and pay for that).
The author claims that for one-time visitors you're not supposed to have any 3rd-party tracking code but uses Google Analytics which Ghostery counts as a tracking code. How's that going to work out for practically every site in the world?
I've had to deal with this at work (anticipatory only so far), but what I can't seem to figure out is what the inquiring European needs to provide to us to prove that the data we have is actually theirs. We don't capture PII data in most instances, so if someone requests their info under GDPR and provides us an IP and a time, do we take them at their word?
> I have yet to see any publisher who is actually changing what they are doing. Every single media site that I visit is still loading tons of 3rd party trackers. They are still not asking people for consent...
I’m pretty sure the reason for this is that they know that the day they switch over to GDPR compliance, their ad revenue from EU will take a nosedive, and they don’t want to throw away that revenue for the sake of being early.
> One-time users includes all one-time visits and all the visits where people have not done anything to give you their consent. This means you cannot load any 3rd party tools. All your ads have to be delivered via 1st party means (so no 3rd party ad code) and it cannot contain any personally identifying information.
That is one weird claim. Let's count a "one-time user" as someone completely anonymous -- no cookie, no login name, nothing. Let's say someone browsing in incognito mode from a freshly installed PC.
By definition the publisher has no personal data about this person, so GDPR doesn't apply here, IMHO, and it's quite fair. Why can't the publisher load some 3rd party tool?
So pretty much every page is going to get a "loading page" again where users have to confirm if they will allow Google Analytics, etc. to be used? And probably a warning about cookies? That's how this is going to play out, yeah? At least for sites that fall under it.
Not sure that really accomplishes the intent... seems like it'll just be an annoyance to all non-cookied users.
For example, you can track anonymous visitors fine if you generate an ID identifiable ONLY in your DB. So if you store only an ID in the DB (awaiting to be matched when a conversion is made with consent given), it is totally fine, because even if someone hacks your DB they can't match that ID to any person, even if they have other data from Facebook, Google etc.
In the case of an IP it's a different thing. If you get an IP, you can actually identify a person if you have a DB with the IP + other personal information about it.
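The opaque-ID approach described in the comment above, written out as an added example rather than code from the thread: a store that keeps events under a random visitor id with no IP address, user agent or account identifier beside them, and only links that id to a person once a consent record for a named purpose exists; withdrawing the consent drops the link again. VisitorStore, ConsentRecord, the purpose string "analytics" and the sample events are assumptions.

```python
"""Tracking anonymous visitors with an opaque id, linked to a person only under consent.

Added example; class names, purpose strings and events are constructed.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                         # consent is bound to one declared purpose
    given_at: float
    withdrawn_at: Optional[float] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class VisitorStore:
    """Events keyed only by a random visitor id; no IP, user agent or account id beside them.

    On its own the event table cannot be matched to a person. The link from
    visitor id to user id is created only when an active consent record for
    the stated purpose exists, and is dropped again when that consent is withdrawn.
    """

    def __init__(self) -> None:
        self.events: dict[str, list[dict]] = {}
        self.consents: list[ConsentRecord] = []
        self.links: dict[str, tuple[str, str]] = {}   # visitor_id -> (user_id, purpose)

    @staticmethod
    def new_visitor_id() -> str:
        # 128 bits from the OS CSPRNG: unguessable, and meaningless outside this database.
        return secrets.token_urlsafe(16)

    def record_event(self, visitor_id: str, name: str) -> None:
        # Only what happened and when is stored, never who.
        self.events.setdefault(visitor_id, []).append({"name": name, "ts": time.time()})

    def stored_fields(self) -> set[str]:
        """Field names present in the event table, to audit that no identifier crept in."""
        return {k for evs in self.events.values() for ev in evs for k in ev}

    def give_consent(self, user_id: str, purpose: str) -> ConsentRecord:
        rec = ConsentRecord(user_id, purpose, time.time())
        self.consents.append(rec)
        return rec

    def has_consent(self, user_id: str, purpose: str) -> bool:
        return any(c.user_id == user_id and c.purpose == purpose and c.active()
                   for c in self.consents)

    def link_on_conversion(self, visitor_id: str, user_id: str, purpose: str) -> None:
        """Attach the anonymous history to an account, only if consent for this purpose is on file."""
        if not self.has_consent(user_id, purpose):
            raise PermissionError(f"no active consent from {user_id} for purpose {purpose!r}")
        self.links[visitor_id] = (user_id, purpose)

    def withdraw_consent(self, user_id: str, purpose: str) -> int:
        """Mark the consent withdrawn and sever every link that relied on it; return links dropped."""
        now = time.time()
        for c in self.consents:
            if c.user_id == user_id and c.purpose == purpose and c.active():
                c.withdrawn_at = now
        stale = [v for v, (u, p) in self.links.items() if u == user_id and p == purpose]
        for v in stale:
            del self.links[v]
        return len(stale)

    def history_for_user(self, user_id: str) -> list[dict]:
        """Events attributable to a person: only those reachable through a live link."""
        return [ev for v, (u, _) in self.links.items() if u == user_id
                for ev in self.events.get(v, [])]


if __name__ == "__main__":
    store = VisitorStore()
    vid = store.new_visitor_id()
    store.record_event(vid, "page_view")
    store.give_consent("user-42", "analytics")
    store.link_on_conversion(vid, "user-42", "analytics")
    print(store.history_for_user("user-42"))
```

The point of keeping the link table separate from the events is that the events stay non-personal on their own: leaking `events` alone exposes nothing, and `stored_fields()` gives a cheap check that nobody later added an IP or e-mail column to it.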
Nobody realized how big of a deal GDPR is going to be. If you digitized your partner's business card, if you store their number on your phone etc., that's personal data and that all needs to be renegotiated, and you need a database to keep track of their informed consent.
This article focuses very one-sidedly on the consent aspect but this is not the whole story. The basic principle behind GDPR is not "getting consent" it is "if you want to collect or process data you need a justification" [1]. The justification should and will be in most cases some other law or regulation. Only if you can't find that justification elsewhere you will need to get consent.
A good example for this is the cookie under GDPR. The original plan was for both the GDPR and the ePrivacy Regulation [2] (not to be confused with the ePrivacy Directive) to come into effect on 25 May 2018. The ePrivacy Regulation would have given the justification for using analytics cookies without consent. Now that the ePrivacy Regulation is delayed, some argue that national laws can provide that justification until we have an EU regulation.
[1]
> In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law [..]
"Today, for instance, we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking"
1 - https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...
iovrthoughtthis | 8 years ago
Could you make it a git repo so we can field alterations, additions and discussion?
thomastjeffery | 8 years ago
Fixed that for you.
Usually commas aren't important, but that specific sentence really suffers in readability without it.
mlinksva | 8 years ago
Is there any evidence for this at all?
gonmf | 8 years ago
No, outside of a few echo chambers, no one cares about privacy or knows what GDPR is. Until GDPR shows everyday on the evening news for weeks it will not be well-known, and there are many things more important to most people than online privacy. Heck, Cambridge Analytica was only a scandal because the "bad guy won".
Mediterraneo10 | 8 years ago
TeMPOraL | 8 years ago
I think we've crossed that point a few months ago in Europe. Last year I felt I was probably the only one of my real-life friends who even knew what GDPR was. These days, I see streams of articles about it on social media, aimed at non-technical people. Hell, last week my SO told me she started receiving GDPR-related e-mails at work from companies that are in business with her place.
I feel people do know. Unfortunately, I also fear they only think of it as yet another random EU regulation thing, and not realize the benefits it'll bring.
martin-adams | 8 years ago
PeterStuer | 8 years ago
Not only do the site owners not even know that the site contains these things, if they do, they don't even realize the extent of data collection going on. I had a chat this morning with an owner like that. The site runs GA (they didn't know), the site runs ShareAholic (which they said wouldn't be a problem as they only use it to see in aggregate where their site visitors come from).
They never made a distinction between what data their site provides to these services through scripts or cookies, and what they themselves then get/use through the service provider.
This is not a special case. There are probably millions of these little business sites out there.
Animats | 8 years ago
Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from....
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
Then, once you've replied, they can request deletion of any or all of that.
[1] https://www.linkedin.com/pulse/nightmare-letter-subject-acce...
kasey_junk | 8 years ago
If you send that letter, expect to receive a standard response/report of data with a form response that politely & legally amounts to “piss off”.
Large organizations have considerable resources set aside to make sure their “piss off” letter is legally defensible & GDPR compliant.
That letter is likely only a problem when selectively used by a malicious actor against a small organization. Frankly not the kind of org that is systematically tracking personal data.
jasonkostempski | 8 years ago
captain_murdock | 8 years ago
This line severely damages the credibility of the article. I found the article interesting up until I read it. I stopped reading once I read it because I couldn't trust anything else the author says.
I highly doubt this statement is true. It may be true in very privacy-focused circles and amongst some circles of IT professionals, but I highly doubt it is true for the population.
If you make a statement this left-field, you've got to back that up with credible research and I highly doubt that statement was based on any credible research.
Rjevski | 8 years ago
If you are an asshole that's trying to get as much data off your users in order to resell them to the highest bidder, share it with "partners" (partners in crime that is), or to advertise/spam them with shit they don't need, then frankly you (or your industry) asked for this themselves.
The only downside I see to GDPR is that we've now opened the gates for a new breed of "GDPR consultant" that's gonna charge hundreds an hour just to rehash what the law says in a slightly different way and defraud businesses that way by pretending to be a valuable service (and no doubt there will be clueless execs that'll actually believe it and pay for that).
mgiannopoulos | 8 years ago
asadkn | 8 years ago
It's not fun seeing a popup on every site you visit. This should have been a browser-based implementation globally that every site must adhere to.
Even worse for me, I browse exclusively in private/incognito mode and this is going to make that unusable with consent popups on sites on every visit.
borne0 | 8 years ago
p49k | 8 years ago
I’m pretty sure the reason for this is that they know that the day they switch over to GDPR compliance, their ad revenue from EU will take a nosedive, and they don’t want to throw away that revenue for the sake of being early.
nopriorarrests | 8 years ago
That is one weird claim. Let's count "one-time user" as someone completely anonymous -- no cookie, no login name, nothing. Let's say someone browsing in incognito mode from the freshly installed PC.
By definition publisher has no personal data about this person, so GDPR doesn't apply here, IMHO, and it's quite fair. Why can't publisher load some 3rd party tool?
dbg31415 | 8 years ago
Not sure that really accomplishes the intent... seems like it'll just be an annoyance to all non-cookied users.
notimetorelax | 8 years ago
whataretensors | 8 years ago
Nobody seems to care that government organizations sit outside of regulation and tell us we need to regulate everyone else. It's simply a power play.
going_to_800 | 8 years ago
For example, you can track anonymous visitors fine if you generate an ID identifiable ONLY in your DB. So if you store only an ID in the DB (waiting to be matched when a conversion is made with consent given) it is totally fine, because even if someone hacks your DB they can't match that ID to any person, even if they have other data from Facebook, Google, etc.
In the case of an IP it's a different thing. If you get an IP, you can actually identify a person if you have a DB with the IP plus other personal information about it.
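The scheme sketched in the comment above, as an added example that is not part of the thread or of any product it mentions: anonymous hits are keyed by an opaque random ID and nothing else, and the ID is joined to a user only when a conversion with consent is recorded. It goes one step beyond the comment to show why the common shortcut of "we only store a hash of the IP" does not give the same protection: an unkeyed SHA-256 of an IPv4 address is reversible by enumerating the address space, while an HMAC with a server-side secret (the `PEPPER` name and the SQLite schema here are assumptions for the demo) only moves the problem to whoever holds the secret. Sample addresses and paths are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets
import sqlite3
from typing import Optional

# Assumed server-side secret; in a real deployment it lives in a secret store,
# never in the same database as the tokens it protects.
PEPPER = b"assumed-server-side-secret-rotate-me"


def new_visitor_id() -> str:
    """Opaque 128-bit ID from the OS CSPRNG. It is derived from nothing about the
    visitor, so a dumped table of these IDs cannot be joined to any person."""
    return secrets.token_hex(16)


def naive_ip_token(ip: str) -> str:
    """What 'we only keep a hash of the IP' usually means. Not anonymous."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_ip_from_token(token: str, network: str) -> Optional[str]:
    """Invert naive_ip_token by brute force over a candidate network. A /16 is
    65,536 hashes and finishes in well under a second; the entire IPv4 space is
    only 2**32 candidates, so an unkeyed hash is an encoding, not a redaction."""
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(str(addr).encode()).hexdigest() == token:
            return str(addr)
    return None


def keyed_ip_token(ip: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 under a secret. Without the pepper the enumeration above no
    longer works; with it the operator can still re-identify, so this is
    pseudonymisation rather than anonymity and the pepper needs rotation."""
    return hmac.new(pepper, ip.encode(), hashlib.sha256).hexdigest()


class VisitorStore:
    """In-memory SQLite model: a visits table holding only the opaque ID and the
    path, and a link table written only once the visitor converts with consent."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(
            """
            CREATE TABLE visits (visitor_id TEXT NOT NULL, path TEXT NOT NULL);
            CREATE TABLE consented_links (
                visitor_id TEXT PRIMARY KEY, user_id TEXT NOT NULL);
            """
        )

    def record_visit(self, visitor_id: str, path: str) -> None:
        # No IP, no user agent, no precise timestamp: only the opaque ID.
        self.conn.execute("INSERT INTO visits VALUES (?, ?)", (visitor_id, path))

    def link_on_consent(self, visitor_id: str, user_id: str) -> bool:
        """Join the anonymous history to a user after consent is recorded.
        Returns False when the ID has no history, so nothing is linked."""
        seen = self.conn.execute(
            "SELECT 1 FROM visits WHERE visitor_id = ? LIMIT 1", (visitor_id,)
        ).fetchone()
        if seen is None:
            return False
        self.conn.execute(
            "INSERT OR REPLACE INTO consented_links VALUES (?, ?)",
            (visitor_id, user_id),
        )
        return True

    def pages_for_user(self, user_id: str) -> list:
        rows = self.conn.execute(
            "SELECT v.path FROM visits v JOIN consented_links c USING (visitor_id) "
            "WHERE c.user_id = ? ORDER BY v.rowid",
            (user_id,),
        ).fetchall()
        return [r[0] for r in rows]

    def forget_user(self, user_id: str) -> int:
        """Erasure request: delete the linked history, then the link itself.
        Returns the number of visit rows removed."""
        cur = self.conn.execute(
            "DELETE FROM visits WHERE visitor_id IN "
            "(SELECT visitor_id FROM consented_links WHERE user_id = ?)",
            (user_id,),
        )
        removed = cur.rowcount
        self.conn.execute("DELETE FROM consented_links WHERE user_id = ?", (user_id,))
        return removed


if __name__ == "__main__":
    # Constructed demo: the 'hashed IP' is recovered, the opaque ID is not.
    tok = naive_ip_token("10.0.77.3")
    print("recovered:", recover_ip_from_token(tok, "10.0.0.0/16"))
    store = VisitorStore()
    vid = new_visitor_id()
    store.record_visit(vid, "/pricing")
    store.link_on_consent(vid, "user-42")
    print("pages after consent:", store.pages_for_user("user-42"))
```

Note that the opaque-ID approach still sets a cookie to carry the ID between visits; whether setting that cookie itself needs consent is the ePrivacy question discussed elsewhere in this thread, and this code does not settle it.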
LoSboccacc | 8 years ago
a little exaggerated for fun here https://www.brandexpublishing.co.uk/the-new-procedure-for-ex...
weinzierl | 8 years ago
A good example of this is the cookie under GDPR. The original plan was for both the GDPR and the ePrivacy Regulation [2] (not to be confused with the ePrivacy Directive) to come into effect on 25 May 2018. The ePrivacy Regulation would have given the justification for using analytics cookies without consent. Now that the ePrivacy Regulation is delayed, some argue that national laws can provide that justification until we have an EU Regulation.
[1]
>In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law [..]
http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=146243980...
[2] https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_...
jotm | 8 years ago
No, it's the other way around.