Ask HN: GDPR in 2022 – What do I need to know as a solo founder?

The issue with google fonts is the CDN tracking I believe, not the license or the font itself.

If you need a google (or other) fonts, do self hosting. Simplest way is to build them into your site as a dependency... npm @fontsource for individual fonts is great for this [0] This is also better in terms of HTTPS overhead, and the process of self hosting is good for font file weight awareness due to the affect on your build size, especially when using lots of styles.

Same principle for any other CDNs you use, they all have the potential to track. The risk benefit of CDNs is being reversed, public CDNs disadvantages are: increased HTTPS overhead, increases points of failure, increased risk of users getting arbitrarily blocked by CDN provider IP blacklists, increased risk of tracking. Benefits: small developer convenience, potential advantage of caching (unlikely these days, and unlikely to outweigh the cost of HTTPS overhead especially in terms of total latency).

[0] https://github.com/fontsource/fontsource

I looked into this issue over the last weeks and made a list of other solo founders and how they handle it.

You can find many, many of them when you search Twitter for "buildinpublic".

The sad truth is that most successful solo founders these days:

1) Make it very hard to figure out where the service they provide is located.

2) When you find out, it is usually registered in a country outside of the EU. Crunchbase often helps to find the location.

Apart from the USA, Singapore and Colombia seem to be popular choices among solo founders who know what they do:

https://www.crunchbase.com/organization/nomad-list

https://openstartup.tm/remote%20ok

What the discussion about GDPR usually misses is that GDPR does not only apply to Google Analytics and Google Fonts.

A web business needs a hosting solution, a CDN, a payment processor, an email solution, an A/B testing solution, etc etc etc.

If you try to handle all that inside of the EU, you are cut off from all the good tools that startups usually use.

How about "Don't use Google Analytics and Google Fonts"?

Like, at all?

There are self-hosted alternatives. Plausible Analytics is good. Find web fonts that you can host yourself.

Not only you will reduce your risk exposure, you'll see that it is not that difficult to get rid of Google.

Your users, European or not, will thank you later.

You can use privacy-focused drop-in alternatives to Google Analytics and Google Fonts:

• https://www.growthfyi.com/custom-ga

• https://fonts.bunny.net/

I personally choose to use Plausible Analytics with a custom domain [0] and the default "System Font Stack" [1], which means my sites load fast, don't have a flash of unstyled text, and my analytics script doesn't get blocked by ad blockers.

[0] https://plausible.io/docs/proxy/introduction

[1] https://css-tricks.com/snippets/css/system-font-stack/

Court rulings in the EU have found that US law is not compatible with GDPR: US lets law enforcement have unfettered access to the data of EU residents, with no restrictions or redress mechanisms that satisfy the EU court.

This means that sending data from the EU to a US company is almost always a GDPR violation. There are a few nuances to this which are very important.

- The US CLOUD Act gives US law enforcement access to data stored in other jurisdictions. This means that locating the servers in the EU is not sufficient. Nor is operating via an EU subsidiaries.

- IP address counts as personal data, as does pseudonymized identifiers.

The two of these combined mean that GDPR forbids you from having your users connect to Google servers. This is why Google Fonts is straight forbidden, and why most installations of Google Analytics are forbidden. Also the use of basically anything from Google, Azure, AWS, Oracle, Facebook, Akamai, etc except when routed through an EU proxy which obscures the user's original IP address.

Why do people even use Google Fonts? Just put the woff2 (and the other formats) files with your static assets and if necessary configure the mimetype for your webserver and your done.

Self-host matomo, it is super easy to manage.

You can't easily track every mouse movement of every user but maybe it's for the best

Got a relevant question myself:

What bothers me the most for solo founders with GDPR is that you can't analyse individual user journeys without some kind of consent. I don't care who you are, but I care how you use my product so I can improve it. Aggregated / backend analytics will give me only the most basic insights.

Am I right in that? Is it possible to work around that? I don't track to sell or analyse personal data. I just want to understand how you use my product better.

Even with self hosted stuff you need a consent for tracking if I understand it correctly.

A course platform you say? For reasons, I am very familiar with this.

Aside from fonts and CDNs pointed out already in other comments, there is also actual content:

How will you serve videos for example? You should look for a GDPR compliant option for that as well. It may exist, or you can self-host videos up to some point. (It is possible, done that before and it worked well.)

Does your platform offer mentoring? How will course participants talk to mentors? Look for a GDPR compliant option here. Don't use services of Google, MS or others that just suck. Probably look for something like Jitsi Meet hosting, or get capable engineer to set that up on your own infrastructure.

How will people inside your company communicate? Look for options for that. Zulip is easy to self-host for example.

That social icon on your website? It better not be loaded directly from FB, insta and the like!

You want to know what visitors do on your website? Well, self-host a matomo or similar. Don't do the usual reach for Google Shnanalytics.

Don't employ dark patterns in your cookie consent popup. Remember: Rejecting tracking and cookies must not take any longer than accepting it. Highly suggestive colors of the buttons are also a no-go. Be honest.

In general, if anyone suggests using any Google services or MS services, look for other options to avoid trouble and pain later. If you cannot do so now, keep book about all the things you still need to fix, to become actually GDPR compliant.

If you can't afford a lawyer, pay for a service like OneTrust or Ketch. You will have so much peace of mind that you are following some sort of best practice. And there will be safety in numbers.

Setting up solid required legal docs as you did is a good first step. In general, don't save data about your users. If you need to, minimize the amount. Don't use non-essential cookie, this allows comes with the benefit of not needing to show an annoying a cookie banner.

As an alternative to Google Analytics, I recommend Plausible. If you need more event-based tracking (like Mixpanel), have a look at my app Fugu (https://github.com/shafy/fugu). It doesn't track unique users and is therefore compliant with GDPR. It's hosted in Germany, and you can self host it for free if you want (it's open-source).

This is not very clear yet, but it might well be possible that using US companies as hosting providers might also become illegal under GDPR, even you use their EU data center. This is because the US government can access all US companies customer data, even if it's not hosted in the US. There are already precendences where this was ruled by a court. So, to be safe, I would also pick a EU provider, such as Hetzner, Clever Cloud or Scalingo.

The idea behind/the backbone of the GDPR is: Whenever you want to process personal information, you'll need the consent of your users and protect the data accordingly.

It's easy as that. You can absolutely use ANY tool or service you want (really), but if it processes personal information (and even IPs count as that) you'll need to ask for consent and inform the user what data is processed and where and how it is processed and how you plan on protecting that data.

That has to happen BEFORE anything is processed if it's not technically ultimately necessary. Hint: Passing user and browser information to Google because your site looks nicer with an external font is technically not necessary. ;-)

With these requirements in mind, you'll find that it's easier to self-host your fonts, run a local Matomo instance with high privacy settings for analytics etc.

It sure is a different approach on "how to do internet", but you'll get the hang of it and it's not that hard after all.

Also: If you don't use any external services that process private information, you don't need a cookie notice after all. ;-)

> A user told me they know of people who got fined because of this.

Yes, some people in Germany are currently running around and try to fine websites that use Google Fonts. It works and is legal, but the morality... That won't stop such people...

Self-hosting fonts can easily help you with that, even Google has a page on that: https://fonts.google.com/knowledge/using_type/self_hosting_w...

This thread comes at a fortuitous time: I’m exploring a product idea around making a toolkit for reasoning about how schemas and tables are inter related across an organizations database systems.

The near term is to make it easier for organizations to maintain the various gdpr style mandated user data export and deletion capabilities without it getting in the way of / blocked by continuously evolving software systems efforts.

The same sort of tooling could also be used to help data analysis folks navigate the huge sea of tables in various datalake setups organizations are so eager to setup (it can be tricky seeeing which things are usefully joinable among many many evolving datasets that might be in that setting.

This of course isn’t really aimed at solo engineer sized application Systems such as the original poster, but is it something folks would find useful?

If I was starting a startup today. I'd probably just block Europe and focus on other markets initially. Loop back on Europe once you have product market fit and the resources to deal with GDPR.

As a small, bootstrapped one person startup, the part of GDPR that seems impossible for me to comply with (I am not lawyer nor am I European, so maybe I am wrong, but everything I have read about it indicates I am right) is the appointment of a Data Protection Officer. I do the duties of the DPO myself, but from what I have read, this is not in compliance with GDPR, which requires the DPO to be "independent". See https://edps.europa.eu/data-protection/data-protection/refer...

Until you are big enough to have lawyers look over everything for you, I think the only reasonable course of action is to exclude EU nationals from your service. There are a lot of armchair HN lawyers (including in this thread) who will say "just don't track, it's easy," but what the word "track" means to a normal person and what it means to GDPR enforcement are not the same. As a market, it's not worth the risk until it's worth the legal advice.

Sorry, not an anwser, but curious if others can relate.

Is there any gotcha related to Admob/GDPR in 2022?

I think the truth is that we don't know. There have been rulings that seem to go as far as saying that an American company can be compelled by the US government to share information against GDPR rules so no American company can ever be compliant - not even if they set up an EU subsidiary which nominally controls the data and all the data is hosted in the EU because that American company could simply override their EU subsidiary. Even if you're hosting in the EU, is the company an American one that might be compelled to use their control of the servers to hand over your data?

Yes, if you're using Google Analytics and Google Fonts, you'll need to get permission from each user before loading any of that. Those services are used to track users around the internet and for marketing/ad purposes within Google.

I actually think it's near impossible to make something "GDPR compliant." For example, let's say that you try to do all the right things - trying to be as strict as possible. You put up a cookie banner that has both "accept" and "deny". Molly presses "accept". Two days later, Jane is using the same computer. Jane didn't accept. You're now tracking Jane who did not consent.

I think showing a good-faith approach and genuine caring about user data will go a long way with regulators (but IANAL so don't take that as advice). Things like Google Fonts/Analytics are easy targets because we know they leak data to Google. If you're hosting a MySQL database on Azure, theoretically the US government could get a search warrant and serve it to Microsoft and get access to your database. I personally think regulators should be focusing on the rampant bad-faith compliance targets rather than "well, technically maybe the US government could do X." Websites are putting up "Accept all" and "Manage choices" buttons where you'd have to spend an hour opting out. C'mon, that shows such a blatant disregard for user's rights. Having a database hosted on Azure that the US government could technically get a warrant to search your database and because Microsoft is a US company they'd have to give them access is certainly something that could happen, but such an unlikely vector compared to someone embedding GIPHY and now Facebook knows all the page views.

Realistically, if the EU pushes too far, the US is going to say "you can't ban US companies from the internet in Europe." If the EU seriously said that you couldn't use Azure because Microsoft is a US company (or any other US company), I'm guessing the US would take it to the WTO (World Trade Organization) and it'd likely be considered in violation of trade treaties. There's a certain amount of local rules and regulations you can put in place and some might have a protectionist impact on foreigners, but outright banning foreign companies wouldn't fly.

Plus, the US's reach often extends to EU companies. Hetzner and OVH both have a US presence. I don't know, but I'd guess that people on-call in the US can access a lot of their EU presence. Why wake up someone in Germany or France at 3am when it's 9pm in the US? The US presents their US subsidiary (or US employees) with a warrant and the warrant expressly forbids them from disclosing to anyone so the European parent doesn't even know to restrict access from their US employees, etc. At some point, one needs to be realistic about the threat vectors.

On a practical level, stop using third party services where you (and your users) are the product. Google Fonts is free because you're paying for it with user data. An Azure-hosted database costs money because Microsoft doesn't get access to what you're storing in that database. Do get DPA agreements from your third parties and give them a look over to make sure they seem reasonable. Do genuinely care about your users' data. That does take a bit of effort (not just good feelings). For example, you need to know that Google Analytics feeds the data into Google's larger marketing machine rather than being private storage for you.

On perhaps the most practical level, check what third-party stuff you're serving on your site - javascript, images, fonts, etc. People don't know where your database is stored unless you tell them. They can easily see that you're loading a Facebook tracking pixel since that's in the page you're serving to them. That gives them an easy way to see if going to your website is loading something that's tracking them without their consent - even if you're not wanting that third party to do that tracking. Your users complained to you about the things they could see. I think those are often the most likely ways that GDPR violations will happen too - companies haven't really built their businesses around backend data stealing (err, sharing) because they'd need to make an SDK for Java, C#, PHP, Python, Ruby, etc. JavaScript lets them write once and even push updates without you needing to update dependencies. Focus on the front-end stuff that users can see - both because it's the most likely place you'll have compliance issues and because it's probably the most likely place you'll be caught with compliance issues.

Again, I am not a lawyer and none of this is advice.

Someone should build GDPR-compliance-as-a-service.