_o_'s comments

_o_ | 7 years ago | on: California Eyes Data Privacy Measure

I think that the basic issue here regarding privacy is that only the ones breaking it are writing. There are literally millions that won't give an upvote but want it.

Google and Facebook already launched their lobbyists there and are trying to undermine it, I wonder what they will do to Japan.

_o_ | 7 years ago | on: Show HN: Trackless - A GDPR-Friendly Google Analytics Opt-In Button

Silhuette, I am sorry, I have tried to help you, thank others, maybe you/others will believe lawyers in the following months, but they won't be free. (And special thanks to HN, preventing me to answer with its policy of "answering too fast", I had an explanation for you, but I was unable to answer)

To the morons (no, it is not an insult, it is empirical fact) downvoting me, it is not me, it is GDPR, face the reality, it is not my fault that you are too reluctant to understand it and biting people trying to help you out won't help. Downvoting me won't change GDPR or change anything, you will just lose a valuable source of information as you did just now. Go to the first psychiatrist and it will tell you that a reality will be as it is even if you close your eyes (or shoot the messenger =/).

Don't forget to upvote me, when you figure out I was right and you get a warning/fine.

_o_ | 7 years ago | on: Show HN: Trackless - A GDPR-Friendly Google Analytics Opt-In Button

Look, GDPR is not about technical means, it is about a concept. If the ICO proves to you that you are conceptually violating the GDPR by enabling 3rd party to violate it and you don't have your back covered, you won't have much to defend you with. You need to have a proof that you have done everything in your power to defend your users right to privacy and you were cheated by 3rd party. This is why all the fuss about GDPR was in last 6 months, you can't downplay the concept as it isn't saying anything what "script" or "service" (or cookies as an ultimate abuse of "concept of law" and an example why GDPR was written this way) you can use or not, it is just talking about user right to privacy and for you as data controller, it is your duty to defend it.

Yes there is a guidance, it is called GDPR, it is THE only guidance, just take the concepts, I can give you this link, it is the best I was able to find, it will help understand the GDPR, but for each and every site, owner needs to decide on its own: https://www.youtube.com/watch?v=-stjktAu-7k

_o_ | 7 years ago | on: Show HN: Trackless - A GDPR-Friendly Google Analytics Opt-In Button

You don't understand it. It is your site, your users. If you enable 3rd party illegal tracking of your users by ANY means, it is your responsibility too. To cover your back, you need to sign a legally valid contract (or they need to send you confirmation) that they respect GDPR and assess their way of doing it (at least in these early stages, as very often, they are just trying to workaround it, which puts you in danger) to be absolutely sure about them. Analytics, ad providers, CDNs, SaaS... all of them.

Take it as, "I control the door to a bank vault, if I allow robbers in, I will be an accomplice to a crime as the crime couldn't be committed without your help". Negligence or direct intent, it can be costly. Assess your 3rd party sources very carefully, I have already removed GA and replaced them with local analytics (https://matomo.org/) as I can't trust them, they are trying to downplay GDPR and there is already a complaint written against them (https://noyb.eu not for GA though), and I have read the PDFs, they are right and quite objectively, they are guilty. I don't want to be in the same boat with them.

_o_ | 7 years ago | on: Show HN: Trackless - A GDPR-Friendly Google Analytics Opt-In Button

Yes, you are right, the opt-out is violating GDPR (unless it is about changing mind after giving opt-in - this is again required and must be as easy as giving consent), you have to be pre-ticked to "not giving consent" and user must actively click to give consent. Also you are missing an explanation what giving consent means for the user including what data are used for what purpose.

Watch out with GDPR, this is not cookie law, and on top of it, you can't force it for user as a condition for entering site (like Forbes is doing - they will get a complaint, already being finalized by some privacy organisation).

_o_ | 7 years ago | on: Show HN: Trackless - A GDPR-Friendly Google Analytics Opt-In Button

May I ask how GA anonymizes IP address? What algorithm do they have in place as doing sha-x over 4 numbers (0-255 with skipping some) separated by dots is reversible in seconds on average pc and I wouldn't call it anonymization, rather obfuscation.

I am asking this as a friend of mine is having a hard time accomplishing exactly that and is really a hard nut to crack, anonymization is by default irreversible and making such algorithm for 4 numbers (actually even less due to known IP address ranges for EU users + reserved ranges) is not simple. You can seed it but that key must remain unknown to Google, while this is again getting very hard with javascript. The only way I see is sending all the data to local proxy script, anonymizing the data on your side and then sending it to GA.

I think that if GA is doing just some hashing, this opens all the sites, using it, to a GDPR responsibility as data controllers including HN. And this can't be hidden under carpet (imho) as a "I can't offer service without it" (legitimate interest).
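
The concern in the comment above, as an added example that is not part of the original thread and is not Google's code: an unsalted hash of an IPv4 address falls to enumeration of a known range, while truncation or a key held only on the site's own proxy behaves differently. The function names, the private address range, the sample address and the key are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

def naive_hash(ip: str) -> str:
    """Unsalted SHA-256 of the dotted-quad string (the scheme questioned above)."""
    return hashlib.sha256(ip.encode()).hexdigest()

def recover_from_hash(digest: str, network: str):
    """Hash every address in a known range; return the one that matches, else None."""
    for addr in ipaddress.ip_network(network):
        if naive_hash(str(addr)) == digest:
            return str(addr)
    return None

def truncate(ip: str, keep_bits: int = 24) -> str:
    """Zero the host bits so every address in the block maps to one stored value."""
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)

def proxy_pseudonym(ip: str, key: bytes) -> str:
    """Keyed HMAC computed on the site's own proxy. Without the key the range
    cannot be enumerated; whoever holds the key still can, so this is
    pseudonymization, not anonymization."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    visitor = "10.20.147.9"            # constructed sample address
    known_range = "10.20.0.0/16"       # constructed: 65,536 candidates
    key = b"constructed-demo-key"      # placeholder; generate and store server-side

    leaked = naive_hash(visitor)
    print("unsalted hash reversed to:", recover_from_hash(leaked, known_range))
    print("truncated /24 value:      ", truncate(visitor))
    tagged = proxy_pseudonym(visitor, key)
    print("HMAC reversed w/o key:    ", recover_from_hash(tagged, known_range))
```

Only truncation discards information outright; the keyed variant is only as private as the key on the proxy.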

_o_ | 7 years ago | on: GDPR: Programmatic ad buying plummets in Europe

In Victorian era, asbestos was used as a god's gift. Like plastic today, blooming business. When they figured out that it hurts people, they forbade it. And? What's your point? Business will transform and something else will bring money. This was happening through whole human history, nothing special.

And anyway, the marketing business was already going down, ads became so invasive and annoying that everyone is using ads filters today.

But I don't know why are we talking only about ads. What about people getting some bad credit rates as bank bought the data from ads network? Or things like Cambridge Analytica. Like the marketing and ads world is everything we know of and GDPR isn't bringing any positive effects as it hurts tracking. Tracking market goes down, human freedom and rights + democracy goes up. Who cares for targeted marketing in respect to that.

_o_ | 7 years ago | on: GDPR: Programmatic ad buying plummets in Europe

That is actually an excellent question!

The high quality news will be gladly paid for, while there will be far less clickbait sites as the ads revenues will drop. We will have less garbage on the internet and this is actually great, on the other side, the real journalism (not news like how to enlarge your penis) will hopefully come back into spotlight.

_o_ | 7 years ago | on: GDPR: Programmatic ad buying plummets in Europe

But there is not going to be a public outcry, I was asking people around, also those that were using the "I have nothing to hide" phrase in the past and they are all satisfied with the GDPR. People want this, also in US, but there it will take some time to adopt some law like GDPR as US government is working in interest of industry, not people.

_o_ | 7 years ago | on: GDPR for lazy people: Block all European users with Cloudflare Workers

Let me shed some light into this: I am having my own mail server and I am using a separate mail address (and now it will be close to 10 years of doing that) for every registration to any website, let's say [email protected]. As you can imagine, I can track who sent me the email and where it got my address from. 99% of addresses that I get spam on came from registering to small businesses, never from large sites. Get it?

So based on that some might argue, that the small businesses should be regulated more as majority of violations are coming from them, not well established businesses. It is probably not true, but it might also be.

So... binary only is a right way to go.

_o_ | 7 years ago | on: GDPR for lazy people: Block all European users with Cloudflare Workers

May I ask what is not clear to you? I can try to help. As I can see it, it is very simple, it is same thing as with borrowing someone's car:

- personal data (car) are any data that have the potential of identifying a person

- person owns its data (car). You can't buy them (well this part is different than the car), you can't steal them, you can't sell them, but you can borrow them from. But for that you need to ask (consent), where it is not allowed to trick the owner to give them to you, without being fully aware what was borrowed and why. And if you are borrowing the data for someone else, you need to ask about that too. And tell when you will return it.

- it is immature and unfair to play grumpy if someone doesn't want to allow to use its data. Or try to force/blackmail them from him. So it's not allowed to do that (noyb.eu)

- once you borrow the data (like property, envision a car), behave accordingly, owner can demand them back, demand to see them, demand to know what you are doing with them and if stolen it is completely normal to tell them about that. And if they were stolen due to your fault (leaving keys in a car), they might demand to be compensated. Same goes if you misuse them (let me put some fertilizers on back seat, forget to return them, giving it to all your friends without asking,...)

- if the data owner asks you to do something that requires his data ("hey, can you please take my car and bring me ice cream from the store") you don't need to ask for data, it is expected you can have them.

Did I forget something? I consider it simple, as long as you try to stay genuinely respecting to other person's ownership. Just think about borrowing your car or borrowing car from your best friend and you won't go far wrong.

_o_ | 7 years ago | on: GDPR for lazy people: Block all European users with Cloudflare Workers

Yeah but what they actually do is removing themselves from market place. If I were looking for a startup, I would check for someone banning EU users, with prospective idea and copy what they have done, but GDPR oriented and voila, I am first on the market, slowly taking over the original site business in EU and later the world. EU is a huge marketplace and you really need to be extremely short minded to avoid it due to some stupid legislation, not to mention that as a US citizen I would abandon any site not going for GDPR compliancy as they are saying to me, between the lines, "we are bastardising my data". Like seeing a laser pointer on your forehead.

_o_ | 7 years ago | on: GDPR: Four Complaints Filled Against Google, Instagram, WhatsApp and Facebook

On first day of GDPR being enforceable, non profit organization (where main protagonist organized 25000 class action suit against Facebook in 2014, but was rejected by court - now he has legislation to back him up) filed 4 complaints in 4 different countries (looks like a good idea to not overwhelm ICO in 1 country with 4 investigations, probably 5th ICO will join (Ireland)).

After reading the complaints, it is directed into common way how GDPR is being handled by large companies, shovel everything under legitimate interest, update privacy policy and force consent, which is clear violation.

Now this is going to be interesting, maximum possible penalty for all four (combined) is 7.6 billion euros.

_o_ | 7 years ago | on: No one’s ready for GDPR

Well, we can't be much smarter than this, we will see, but I am more concerned about this than GDPR on its own.

_o_ | 7 years ago | on: No one’s ready for GDPR

Yes, I understood your point, but I think you are struggling with mine, you might not offer goods to EU, but your ads provider might. And by feeding it with GDPR protected data it might sue you, on local courts, just for the PR reasons or something else. I am not saying they will, I am just showing you the justification why they might.

I think that much greater threat is coming from a direction of US companies you use than from EU courts; this (again, might) become another "patent trolling"-like action from some US companies.

_o_ | 7 years ago | on: No one’s ready for GDPR

Exactly this is the problem of GDPR, user can lie, and you have no passive defense against it, you can't even make an excuse, you didn't know. You shouldn't even offer him a choice. The only defense is that the user gives you consent to it (at least GDPR is giving that choice). Everything else is void. Same as with slavery. You can't violate fundamental human rights even if user begs you to do it, except in states like South Korea, China (actually, you don't need to beg there =/).

I think that at the end, world will be better place due to GDPR, but there is surely some rough ride ahead - not due to respect of privacy but due to violating it so often that it became normal to us.

_o_ | 7 years ago | on: No one’s ready for GDPR

Yes, but doesn't the checkbox you mentioned do exactly that, force the users to ignore their rights for the sake of using your site? If this would be acceptable, it would put GDPR into position of cookie law nonsense and if I understood ICOs correctly, this doesn't create a consent as user had no free choice. There is a human rights interpretation here, for example, if we create a contract, that I will be your slave and you give me a car in return, it is quite simple for me to sign it, that contract would be void even if you prove, that I signed it.

The ICO put a market of live human organs as example.

In same manner, even if I would click that I agree, that your site is designed for US privacy laws and not for people under GDPR protection, it would be the same as you would warn me, that I will be your slave before signing and that I can just walk away and don't take the car. But if I take the car, the contract would still be void. I don't think that this would fly.

The problem is not in the GDPR requirements but rather in right to privacy as fundamental human right and GDPR is just an advice how to respect it - it is actually a free help.

What you want to avoid is something much bigger than the checkbox on your site or ip blocking, check here "The Bill of Rights":

https://en.wikipedia.org/wiki/Fundamental_rights

This is something you shouldn't even think to violate, not to EU or US users. Or anyone else.
