top | item 41587115


menacingly | 1 year ago

I'm surprised I don't see it more. You can't impose a regulatory burden more troublesome than your traffic is worth.


literallycancer|1 year ago

Sadly the EU doesn't really communicate this very well, and doesn't care to call out outright propaganda from ad tech and surveillance businesses, but the regulation is not actually hard to be compliant with.

It literally just asks that you don't spy on people. That's it. Not spying on users? Great, you don't even have to do anything.

I would be extremely surprised to see any attempt at enforcement against a website that didn't collect PII on some technicality such as not having the right footer or a contact person.

thayne|1 year ago

It's more than just not spying on people. You have to be able to prove you don't spy on people, and that any vendors or contractors you use also don't spy on people, and respond to requests from anyone about all the data you have on them, and delete all of the data you have for anyone who cancels their account. Sure, in some cases that isn't a huge burden, like if you have a website that doesn't handle any customer data. But if you have a non-trivial app where you need to handle a lot of customer data for your app to work, it is a significant burden. And deleting someone's data as soon as they cancel can be really bad if someone accidentally cancels, so you probably want some kind of delayed deletion.

dns_snek|1 year ago

It's slightly more involved than this, but not extraordinarily so.

For example seemingly innocuous implementations like loading fonts directly off Google Fonts without consent (i.e. providing Google with information about visitors' browsing habits) would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

Dylan16807|1 year ago

The burden of not tracking people is quite small.

thegrim33|1 year ago

As someone that knows next to nothing about it, I was curious and googled how to adhere to the GDPR, and read through the top recommended article. Here's some choice quotes:

"Complying with the GDPR is a huge undertaking"

"GDPR compliance (occupies) a huge amount of IT time and resources"

"Moving your organization into GDPR compliance is a process you ideally started long ago"

The article links to some ICO GDPR data processing checklist, which is a list of 18 different processes you need to have put in place.

"The GDPR is made up of 99 articles that provide a detailed description of the regulation". <- 99 different articles to understand and adhere to ...

"[I]t is impossible to provide an exact prescription that will guarantee your organization is in compliance"

"One of the most onerous obligations of the GDPR is to provide “Data Subjects” – the people whose data you are processing – with access to the data that you hold about them (Article 15)"

"They can also request rectification or completion of data if it is inaccurate or incomplete, and they can request that you delete their personal data"

"This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay”"

^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.

I'm not even half way through the article and I'm skipping over tons of what it's saying needs to be done, with all the security measures that need to be put in place, whether or not encrypted data is needed, breach notification, and so on.

It seems like a heck of a lot more than just "not track people", or a trivial amount of work.

menacingly|1 year ago

Sum the amount of "you simply <x>" in this thread, then account for the fact that we're talking about running afoul of a regulation if you don't understand it, and you end up with a hassle. I'm not weighing in on whether or not it's bad, I'm just saying what I said. If you aren't accounting for a significant portion of revenue to justify it, you're going to get blocked because you represent a liability.

anonzzzies|1 year ago

But why do these companies care? The EU cannot impose this on US companies in the US, so why block? Just do nothing?

razakel|1 year ago

It absolutely can if those companies want to do business with EU citizens.