The script's default message says that you are very sorry, twice.
But you're not really sorry are you? You just install the script rather than address the problem of data privacy.
I experienced the same thing. I wonder if this qualifies as "explicitly blocking EU residents", since someone taking privacy measures (like using uMatrix) wouldn't even receive the message.
The entire cookie law seems pointless, by the way. It does nothing but annoy people with useless pop-ups. Every website uses cookies (and more) and everybody knows this. Concerned users just install extensions that remove them automatically.
So, yes and no. These approaches to blocking EU visitors do somewhat protect you from having to comply with GDPR. However, "targeting" can mean a lot of things. If you have global adsense campaigns that advertise your service for EU customers, you're still targeting those data subjects. If you end up sponsoring any events in the EU with your company name where people may be able to draw a connection between your service and it being available in the EU, you're still targeting those data subjects. I mean, if you write a blog post on your branded company blog about a subject you know people in the EU would care about (let's say you're selling $foo_service and you are musing about $foo_field in the EU) and it gets really popular in EU circles, one could say that you were really just targeting advertising to those data subjects (a stretch, but I don't like to leave things up to lawyers).
Well, I imagine in your examples you're considering medium-sized businesses or larger. I'm thinking about smaller ones who will never sponsor an event on another continent.
Even if this were true (and that depends on the euroshield implementation), this is not the spirit of the law. You don't even have to take a European lawyer (and those are at least an order of magnitude cheaper than US ones) to win your case (I'm joking, please take a lawyer). European courts don't like bullshit, even when it comes from a big company, so if you're afraid of trolling (a la patent trolls), please don't be.
New browser extension idea for people outside the EU: automatically spot sites using tools like this, and put enormous great big warnings all over the page.
geocar | 8 years ago
Companies who are buying into the idea of the GDPR being scary, and who think this sort of thing is a good way to ignore the GDPR, are leaving money on the table.
But those other companies, who actively want to defy the GDPR; who don't want to protect their servers from hacking and think they can ignore my requests to stop calling me or emailing me, those are companies that I don't want any involvement with anyway. This sort of script doesn't protect them, and they deserve what they get.
OnlyRepliesToBS | 7 years ago
[deleted]
xchaotic | 8 years ago
debeers | 8 years ago
tscs37 | 8 years ago
Or alternatively, operating uMatrix at default settings. Didn't even see anything.
willsinclair | 8 years ago
If this is the case, then perhaps javascript is not the best place to put the EU blocking functionality.
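The point above is a general one about where enforcement lives: a visitor running uMatrix (or any script blocker) never executes a client-side gate, so the decision has to be made before the response is built. Below is an added example of a server-side country gate; it is not the script discussed in the thread and not from any commenter. It assumes the origin sits behind an edge/CDN that injects the visitor's country into a request header (here Cloudflare's `CF-IPCountry`), that the edge is the only path to the origin (otherwise a client can simply send `CF-IPCountry: US` itself), and that requests are represented as plain header dicts or a WSGI `environ`.

```python
# Added example: server-side EU/EEA gate, in contrast to a client-side JavaScript banner.
# Assumptions (not from the thread): an edge/CDN sets the visitor's country in the
# "CF-IPCountry" request header and strips any copy the client supplied; without that
# guarantee the header is attacker-controlled and this check is worthless.
from typing import Mapping, Optional, Tuple

# EU-27 plus the three non-EU EEA states, ISO 3166-1 alpha-2.
EEA_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE "
    "IS LI NO".split()
)

GEO_HEADER = "CF-IPCountry"  # assumed deployment detail, see above


def visitor_country(headers: Mapping[str, str]) -> Optional[str]:
    """Return the upper-case two-letter code from the edge header, or None if unknown.

    Header names are matched case-insensitively. Values that are not two letters
    (e.g. "T1") or the explicit unknown marker "XX" are treated as unknown.
    """
    for name, value in headers.items():
        if name.lower() == GEO_HEADER.lower():
            code = value.strip().upper()
            if len(code) == 2 and code.isalpha() and code != "XX":
                return code
            return None
    return None


def gate(headers: Mapping[str, str], fail_closed: bool = True) -> Tuple[int, str]:
    """Decide before rendering anything. Returns (HTTP status, body).

    EEA visitors get 451 "Unavailable For Legal Reasons". With fail_closed=True an
    undeterminable country gets the same answer: if the goal is to black out EU
    interaction, refusing when you do not know is the only consistent choice.
    Nothing here depends on the browser running any script.
    """
    code = visitor_country(headers)
    if code in EEA_COUNTRIES or (code is None and fail_closed):
        return 451, "This service is not offered to visitors in the EU/EEA."
    return 200, "<html><body>normal page</body></html>"


def wsgi_app(environ, start_response):
    """Minimal WSGI wrapper: WSGI exposes request headers as HTTP_<NAME> with dashes
    turned into underscores, so undo that mapping before calling gate()."""
    headers = {
        key[5:].replace("_", "-"): value
        for key, value in environ.items()
        if key.startswith("HTTP_")
    }
    status, body = gate(headers)
    reason = {200: "OK", 451: "Unavailable For Legal Reasons"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for sample in ({"CF-IPCountry": "DE"}, {"cf-ipcountry": "us"}, {}, {"CF-IPCountry": "XX"}):
        print(sample, "->", gate(sample)[0])
```

Two practical caveats the thread's discussion implies: first, `fail_closed=False` turns every proxy or VPN exit that the edge cannot geolocate into a bypass, so the default above refuses unknowns; second, the header is only evidence if the edge overwrites it on every request, so the origin should reject traffic that did not come through the edge (IP allow-list or mutual TLS) rather than trusting the header on its own.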
djsumdog | 8 years ago
If you're not physically in the EU and run a service platform, could you just ignore it until you get hit with a notice?
I'm really puzzled at how the EU realistically thinks they can enforce these types of restrictions on an international scale.
DanBC | 8 years ago
People keep saying "enforce". That's the wrong word. Enforcement is a last resort. What actually happens is that the regulator writes you a letter asking you to come back into compliance, and points you to the latest best practice.
At that point you decide what you want to do. If you have a European presence it's easier for them to impose fines. If you don't I guess they can declare you non-compliant which makes it harder for EU businesses to send you data.
Here's a case where a large firm was handling sensitive personal details and didn't bother with their legal duty to register with the Information Commissioner.
If the fear-mongering about fines is correct they'd get hit with a huge fine.
https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...
> The U.K.’s Data Protection Act requires all organizations processing personal information to register with the U.K. data regulator. Although handling sensitive data on recent patients and those needing regular health care, Cera also failed to register with the Information Commissioner’s Office until February this year. The ICO said in a statement that it would only consider “enforcement action” if a company failed to register despite ICO advice.
qwerty456127 | 7 years ago
pmiller2 | 8 years ago
SippinLean | 8 years ago
foobarbazetc | 8 years ago
koverda | 8 years ago
chomp | 8 years ago
Something like this needs to be a multi-pronged approach - warnings displayed to EU customers, complete non-advertisement to EU sectors, and you should probably include terms of service as well.
A single page insert does not completely cut it. A lot is left open to interpretation in this regulation, and you need to effectively black out any interaction you have with the EU.
matthewmacleod | 8 years ago
Ironically, likely to be more work than not being an ass with customers' data in the first place.
fiatjaf | 8 years ago
unknown | 8 years ago
[deleted]
matthewmacleod | 8 years ago
GDPR basically means: "Do all the stuff you should have already been doing to protect user data."
Paradoxically, I suppose it's pretty good as an EU citizen if sites that don't do this are blocked, since it's a massive flashing red flag.
kazinator | 8 years ago
timvdalen | 8 years ago
orwin | 8 years ago
httptoolkit | 7 years ago
Seriously, _most_ of GDPR is good practice don't-screw-your-users' personal data steps. Don't store personal data for uses that aren't strictly necessary without their consent. Make sure users can find out what data you do store, and how you'll use it. Have a way they can ask you about it, or ask you to remove it.
If complying with GDPR isn't reasonably practical with your product/business model it's a _huge_ red flag imo, EU or no.