top | item 41587165

(no title)

Sadly the EU doesn't really communicate this very well, and doesn't care to call out outright propaganda from ad tech and surveillance businesses, but the regulation is not actually hard to be compliant with.

It literally just asks that you don't spy on people. That's it. Not spying on users? Great, you don't even have to do anything.

I would be extremely surprised to see any attempt at enforcement against a website that didn't collect PII on some technicality such as not having the right footer or a contact person.

discuss

thayne|1 year ago

It's more than just not spying on people. You have to be able to prove you don't spy on people. And any vendors or contractors you use also don't spy on people, and respond to requests from anyone about all the data you have on them. And delete all of the data you have for anyone who cancels their account. Sure in some cases, that isn't a huge burden, like if you have a website that doesn't handle any customer data. But if you have a non-trivial app where you need to handle a lot of customer data for your app to work, it is a significant burden. And deleting someone's data as soon as they cancel can be really bad if someone accidentally cancels, so you probably want some kind of delayed deletion.

anonzzzies|1 year ago

You don't have to delete as soon as they cancel; you can store it in an encrypted backup which you remove after 90 days (and throw away the key). There are a lot of 'for a reasonable period' things; meaning, you cannot store PII (including IPs) forever and you cannot store it at all in case you do not need it in the first place for your app to function (example; SaaS asking for my home address which they don't ship anything).

dns_snek|1 year ago

It's slightly more involved than this, but not extraordinarily so.

For example seemingly innocuous implementations like loading fonts directly off Google Fonts without consent (i.e. providing Google with information about visitors' browsing habits) would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

MaulingMonkey|1 year ago

> would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

The American in me says that sounds like "someone will definitely complain about it, eventually, if only because they're hoping for a payout".

skjoldr|1 year ago

There already exist ways to proxy those requests in ways that avoid exposing anything about the visitors to Google. It's in the grey area wrt Google's own ToS, but then, it's that or GDPR.