
wusel | 3 years ago

Sorry for the German-only link, but this is from today and didn't make the rounds yet. It is not really about Shopify itself, but about the use of CDNs - which would be even more worrisome. Shopify Support couldn't help the shop owner.


2000UltraDeluxe|3 years ago

IIRC, the Portuguese authorities already deemed Cloudflare as non-compliant. Same issue as with Google Fonts, etc.

scarface74|3 years ago

Safari’s built-in translation is surprisingly good. It didn’t even read like a machine translation.

friendzis|3 years ago

The GDPR core is pretty simple: You cannot do stuff (process, store, transfer to third parties) with PII unless X condition is met. An internet site, on first visit (be it a genuine first visit or just a cookieless visit), cannot do things with PII, because there is just no way to even tell if X is met, therefore not only is data storage (IP address in Apache access logs included) illegal, but even more so transfer to a third party via CDNs and whatnot.

GDPR is ugly. The only thing it allows you to do before you get confirmation to process PII is to show a static page requesting permissions. That's basically it. You can't do any "cloudy" stuff prior.

iso1631|3 years ago

Storing IP addresses for technical requirements is legal (for example you need to keep the IP address in memory because you have an open TCP session). Likewise a session cookie is fine too.

Keeping those IP logs for security reasons is also legal (assuming you keep them safe for an applicable amount of time).

Using that data for analysis is not legal.

kuschku|3 years ago

How is GDPR ugly? It's easy to build websites, even interactive ones, that comply.

If you build a mobile app, you are also supposed to only ask for permissions once you actually need them.

Replace interactive embeds with a dumb replacement of the actual content and e.g., "we want to show you an embedded tweet here, [allow once] [allow always]".

Don't use CDNs for delivering assets, they've long stopped being useful anyway.

Don't use Google Analytics.

In general, build websites like we used to in the early 2000s.

And yes, you can even do cloud-y stuff like that. You can run k8s on your Hetzner dedicated servers, you can run MinIO as your S3 store, none of that is stopped at all by these rules.

You can even run an interactive website like HN without any GDPR violation or cookie prompts at all.

allisdust|3 years ago

GDPR is simple. It's a mechanism to keep foreign tech companies out of the EU while not explicitly banning them (as it would result in reciprocal measures) by increasing the cost of doing business in the EU. For those that do go all the way and try to follow the laws, periodic flaws found in implementation (which are inevitable given how complex these laws are) are penalised heavily enough to make them think twice. If this is not there, software companies in the EU which aren't competitive in general will be steamrolled by companies from other countries (but primarily from the USA).

China also does this to ensure a home-grown tech ecosystem while at least being more truthful about it.

dmitriid|3 years ago

> GDPR is ugly. The only thing it allows you to do before you get confirmation to process PII is to show a static page requesting permissions. That's basically it. You can't do any "cloudy" stuff prior.

No, GDPR is not ugly. Yes, you can do "cloudy stuff".

The bullshit narratives around GDPR need to stop; however, people driving the narrative are extremely incentivized to siphon and sell all the data they can get, so the narrative is always bullshit.