"Whoops, we can't secretly sell your data anymore! That means you can't control your smart wifi lightbulbs from now on!"
For me, this is a refutation of the "If you don't pay for the product, you are the product." There is no inherent reason why a company would only do that for a free product. If it works for free products, it works just the same for paid products.
Even if GDPR has flaws, and is gonna cause some disruption, I think we really needed something like this.
For sure, GDPR is causing headaches for companies that were secretly selling your data. But it's also a big problem for companies that were (perhaps sloppily) logging & storing data for their own reasons or maybe even for no real reason. I think the latter is much more common than the former.
That one's more interesting because under the new regime, consent means meaningful, genuine consent. Demanding consent for one purpose in return for providing something important but unrelated is one of the big no-nos.
I nominate Slate https://slate.com/privacy for a creative interpretation of GDPR article 7.3 "It shall be as easy to withdraw as to give consent" (the "consent" happens through an uncloseable window with no other options where a single click sets that cookie):
"The Right to Withdraw Consent. If you would like to opt-out at any time, please delete the “gdpr_consent_1” cookie from your browser window. You will have to opt-in again in order to view Slate content."
I'm pretty sure that no European court would accept that. I doubt most users (and most judges) even know how to delete cookies. I don't even know how to do that on my phone (not sure if that's possible?). And not allowing users with mobile browsers to withdraw consent is definitely a violation.
NPR has decided that you either agree to let them do whatever they want with your data, or you're only allowed to see a ridiculously bare-bones plain-text version of the site lacking any functionality beyond links.
Ten minutes later I've got a user style set up and I'm quite happy with the plain version. But it's still a petty response from the organisation and shows that they don't feel they need to spend any time at all trying to help users control their own data.
The Yahoo! one [1] is definitely in violation of GDPR, right? GDPR doesn't cover me as I'm neither in the EU nor am I an EU citizen, so I really hope someone lets the regulators know about this. The first major penalty will be example setting.
Which made me curious: could a service exist where citizens not covered by GDPR submit complaints, so that a GDPR-covered citizen could put the complaint in formally?
Yahoo is bad, especially concerning the opt-in, but by far not the worst. Those are Google and Facebook, which have made all of their services "all-or-nothing". If you don't accept every single bit of data processing, your only alternative is to delete your account. Literally runs counter to everything the GDPR stands for.
> The Yahoo! one [1] is definitely in violation of GDPR, right?
They either made it much worse after the author did the screenshots, or it was already extremely bad, in that I could not find the link to open up that huge list of third parties.
I clicked on all the links I could find in that screen except for that huge 'I Agree' button.
> The Yahoo! one [1] is definitely in violation of GDPR, right?
I don't see any obvious reason why it would be. Yahoo! is being transparent about their data sub-processors, and letting you control how and with whom your data is shared. That's what GDPR says on the tin.
If there's an argument to be made, it's around the Principle of Data Minimization. But that's one of those subjective things. And, considering the size and scope of Yahoo!, it's not inconceivable they have legitimate (scare-quotes optional) uses for all those sub-processors.
Of these, the worst are the "embedded" ones: the IoT lightbulbs and the Razer devices. Nobody ever expected their lightbulbs to be processing personal data on behalf of third parties.
The one that might be legitimate is the "cheap flights" one; after all, they require your consent for email marketing, and they can't offer you a discount flight without it.
The Instapaper one - #1 - is troubling for a non-obvious reason. One of the tenets of GDPR is that you have to be told how your data is being used. So the only explanation for this behaviour is that there's some shady shit going down that they want to stop before they have to admit to it.
If I used Instapaper I'd be filing a complaint with my local DPA about this.
> So the only explanation for this behaviour is that there's some shady shit going down that they want to stop before they have to admit to it.
No, it can be something as simple as "we cannot guarantee that all your data is deleted with our current storage system". It would be a lot better if people stopped being so alarmist.
I think the Instapaper one is just that they aren't compliant yet, realize it, and are shutting down EU access until they reach compliance. There can be ways they are not compliant without necessarily selling data.
Hey there – Brian from Instapaper here – we have a pretty clear and accurate privacy policy around the data we collect and how we use it, you can find it here: https://instapaper.com/privacy
Hey! I made this, mostly just to poke fun at my inbox being here in Europe and experiencing it first hand. Feel free to fire me a reply with any good ones you've spotted; I'll be actively adding through tomorrow and beyond.
The Endomondo app is a doozy. They require opt-in to two items to carry on using the app, but then also say that by clicking continue, you're agreeing to their privacy policy, which indemnifies them against GDPR. It's slightly clever misdirection, in my opinion. I clicked 'OK' in the end because the EULA appears to be invalid anyway; by borking the consent process they have no legal basis for processing my data.
Could you take another look at Yahoo? I don't see the link you mentioned to walk through the huge list; I couldn't find any link that gets me to those two pages.
The EU Commission's very own website deserves an honourable mention at least.
Last time I looked (just a few days ago) it was the epitome of "What you're not allowed to do anymore according to GDPR.": Tracking and other cookies with no way to opt out, no privacy policy etc.
Then again, GDPR of course doesn't apply to them. The very least they could do, in my opinion, however, is to lead by example.
My favourite at the moment is sendwithus. They said their service will never be GDPR compliant. But fortunately they have a new "enterprise grade" product called sendwithus dyspatch. Same feature set, new price plus GDPR compliance.
This is a price jump from $79/month to a minimum of $24,000/year. And this is with a discount for former sendwithus users.
I would consider this to be mafia methods.
Why? This seems like good behavior. Their original product is supported by a business model that relies on user data. Now they are offering a similar product that doesn't make money off of user data but instead charges the user. I am all for the GDPR, but the regulations don't say you can't suck up all user data _and_ you still have to provide your service for free/discounted.
Could somebody help me understand the criticism in this article of companies like Instapaper blocking EU users? When you face fines of up to 20M EUR, you’re not going to take on that liability if you have a choice.
Most companies outside the EU will eventually block EU traffic. GDPR is just too big of a liability. It has nothing to do with “selling user data” or bad intentions with user privacy. I won’t take EU traffic for the same reason that I don’t drive at 140mph in a 25mph zone - it’s irresponsibly dangerous.
That's not how GDPR works. You're not allowed to make use of your product / service require acceptance of collection of data. You must either offer it without data collection as an option, or simply refuse service.
I defied RSI to click all Yahoo partners, and opening a random sample of privacy policy links I found one that was written in Chinese. So much for consent.
I want to know if credit card companies Mastercard, Visa, etc. are subject to GDPR. They definitely sell or use your purchase data for purposes unrelated to the service.
I believe that they do lots of internal analytics but do not sell identifiable data on a per-person level; the laws regarding nondisclosure of banking data are old, well established and much stricter - for starters, intentional disclosure of confidential banking information outside of certain (though many) particular exceptions is an actual maybe-go-to-jail crime, not just a civil matter with some fines.
Surveillance violates the privacy of common folk and thus is somewhat permitted, but violation of banking privacy threatens the rich and influential people and their (shady?) dealings, so that has always been restricted and actually enforced.
Everything is; there was a big deal here in the Netherlands about the local governments having to be compliant as well. The first thing that the Dutch agency will check (no fines, but just make sure) is that each municipality has things set up properly.
On top of that, I don't think there's anything in the GDPR limiting it to internet related things, so brick & mortar stores will have to be compliant as well, afaik.
OK, but maybe your website should not use cookies without asking? You don't have a privacy policy either, so it's not clear how you're going to use them. And maybe don't use Google Analytics without a privacy policy? Or at least anonymize the IP?
I've been enjoying all the emails from companies and watching them put on a show about how they support user privacy and just need me to continue agreeing to being the product.
I don't think so. There are very few companies I actually use in my life, and less than a handful of them are online. The rest - bugger off.
I've been receiving so many "here is our policy, if you continue your use, you accept it, kbye" emails... I truly hope EU will take the default-opt-in problem seriously.
https://choice.npr.org
[1] Hidden opt-out is non-compliant, but Yahoo! went ahead and opted you in to a hundred different ad services automatically: http://gdprhallofshame.com/content/images/2018/05/ouch.jpg
Thanks! :)
Edit: Thank you for making this!!
They won't be able to sell the non-compliant version right?
After the GDPR hype has died down, hopefully new tech companies will think twice about data privacy.
EDIT: Updated with new post
http://gdprhallofshame.com/5-techcrunch-engadget-and-oath-co...
Great idea for a site. I'm sure it won't lack content for quite some time.
Man what a nice thing we've built.
We have turned the internet into a network where people snitch on each other to marketers for fractions of a penny.