Publishers Haven't Realized How Big a Deal GDPR Is (baekdal.com)
607 points by transpute on April 8, 2018 | hide | past | favorite | 454 comments



GDPR articles seem to be getting some traction on HN as everyone is trying to figure out: "Do I need to do something for this? If so, what?"

For a recent project I read (and translated to plain English) [1] every single article in the GDPR legislation and for our purposes it can be summed up as:

"Treat user data like names and emails as if they were credit card numbers"

AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.

Obviously that's not the entirety of it, but as a working mental model I think it goes a long way.

1 - https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...


I’d add: Get (documented, active) permission of users to store and use their data, understand that permission is given only for a defined cause/usage (and not indefinitely for everything you right now might not even think of), be prepared to tell users what data you store about them, why and (briefly) how it is used. Be prepared to delete user data on request. Be prepared to show documentation on how you handle the (personal) data. And delete data that is not necessary any longer in regular intervals. And: Don’t share, sell or rent personalized data to any third party without given user consent.


Be careful with hiding everything behind "consent", because consent cannot be a precondition for providing a service. Put differently: if a user does not consent, you cannot refuse them the service if the data you wanted to collect is not strictly necessary to provide the service.

The alternative is to only collect data that is strictly necessary to provide the service. In that case GDPR allows you to collect the data even without explicitly given consent – according to GDPR in that case the user can reasonably expect the data to be necessary to provide the service. (This does not apply to sensitive personal data and biometric/genetic data – then you always need consent.)

Quoting GDPR:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement." [1]

"Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." [2]

[1] https://gdpr-info.eu/recitals/no-32/ [2] https://gdpr-info.eu/recitals/no-43/


> consent cannot be a precondition for providing a service

IANAL.

This is more nuanced than it appears, as it is balanced against the firm's right to conduct business.

If you're generating leads by providing a whitepaper, then realistically you're not going to be penalised for saying "you need to consent to receive our newsletter to access this whitepaper".

On the other hand, an airline saying "you can only book a flight on our plane by consenting to us sharing everything we know about you with loads of third parties" would be frowned upon.

Our GDPR lawyer at least has advised not to ask for consent, since it is difficult to establish whether it was given, and has not been withdrawn. It's easier to rely on legitimate business use and NOT ask for consent, as long as it genuinely falls into that category.


I think we agree; it seems better to rely on legitimate interest than ask for consent for everything. (Although it does require thinking about and actually having a legitimate interest.)


It raises interesting question. What if some publisher, say, newspaper, can show highly targeted ads for $3 CPM, or generic ads for $1 CPM.

Can such publisher claim that collecting data is strictly necessary to provide the service? With threefold difference in ad revenue, that could be actually the case.


Good question. This would be an appeal to "legitimate interest" as a legal basis for collecting personal data. GDPR explicitly states that if the legitimate interest is direct marketing, then the user may always object to such processing, and this right must be clearly indicated.

[1] https://gdpr-info.eu/art-21-gdpr/


IANAL, but most probably not. When thinking about "strictly necessary to provide the service", one should think in terms of technical feasibility, as in "can the service be technically provided without that data?" not in terms of profitability.


I do wonder if you can charge a consent price and a non-consent price, or if that would be fundamentally equivalent to not providing the service?


How is "strictly" defined? I'm going to guess it's defined as "the magistrate knows it when it sees it", so take it to be both "don't use the most egregious interpretation", and "don't be a populist punching bag that governments can make hay out of attacking".


Any data you collect that you do not unambiguously need to provide the service would be an appeal for "legitimate interest" as a legal basis for collecting it. There are a number of things GDPR writes about it and of course you cannot be sure how this will play out in practice, but the main points are:

* it must be reasonable from the user's perspective

* there must be alternative; you cannot achieve the goal (your "legitimate interest") without it

* it must be balanced with the rights of the user, and not infringe on their freedom or fundamental rights

* if your "legitimate interest" is direct marketing, the user can always object, and you are required to actively inform the user of this right

See also [1]

[1] https://gdpr-info.eu/recitals/no-47/


I think you meant "no alternative" under the second bullet point.


Strictly has a pretty clear definition.

If you can provide a service strictly devoid of the PII it means there is no logical necessity for PII.

You can't provide a call-waiting service without a phone number, but you can provide a mail-redirection service without one. Even though it makes it easier to administer when you have a customer phone number, you can strictly provide (and bill/administer) the service when that information is absent.


from molf's comment: >The alternative is to only collect data that is strictly necessary to provide the service.

While I agree with your comment, I suspect that for any given law firm, paramTotalHours_Billable(SubjectID = necessary) will be a much larger value.


I assume it's "you cannot provide said service without having said data".


Genuine question - What if the service is defined as the publisher letting you read content in exchange for being shown targeted advertising? That IS the business model of most publishers right?


Right, but that means you have to have some mix of legitimate interests and consent, and makes this whole thing an expensive exercise, both in terms of code and legal time. If you have an ad supported service, this is going to be painful.


This sounds no different to current UK data protection laws (which appear to be flouted widely). I thought the main change was putting teeth behind the legislation?


Also called "Informed Consent"


> without given user consent.

you mean just create a checkbox somewhere that people click without thinking about it?

I have no idea what I am consenting to when I "agree" to all the EULAs.


Read up. Consent under GDPR is like you've never seen before, but like (as a private citizen) you've always dreamed of.


will do. That was an ignorant comment on my part. :D


> "Treat user data like names and emails as if they were credit card numbers"

Most sites' approach to credit card numbers is to not touch them with a barge pole, have a third party receive them instead and never let the business have any sight of them, so it's a bit of a stretch to expect the same treatment for a customer's name and email address.


So... use OAuth?


Hurrah so now sites won't use their own logins and I'll be forced to let Google or Facebook know every site I want to connect to. That's an improvement?


This actually brings up a point that was made in a cambridge analytica post. If personal information is deleted after it has already trained a dimension-reducing model, is it really deleted?

If Google and Facebook see everything because of oauth, we can ask them what data they have and tell them to delete it, but they won't be deleting whatever models they've been training about us.


OpenID Connect exists; it allows OAuth from and to unrelated services.

Neither Google nor Facebook own OAuth, they just have very non-compliant implementations that force everyone to treat them as special.


Let me re-state what you're saying:

Most sites are incapable of receiving, storing and handling credit card numbers. This is because the staff building the service either lacks the technical knowhow or the organizational wherewithal to deal with the problem in a successful way.

Why should it be any different for emails, names, usernames or passwords (because end users re-use those).

If everyone starts acting like this data is important (it is) and valuable (it is and that might decrease with the passage of this law) - we might just get to a better place. In the absence of regulation companies will get away with whatever they can - ethics be damned.


If I have an IRC service that shows quotes from people and has 'last seen' functionality is that covered by GDPR? Some of the users are from EU countries, does that mean those features need to be turned off or have some sort of acceptance exchange with users?

Would filtering out EU IP ranges be sufficient, or does this also apply to EU citizens traveling outside of the EU?

The referenced page says that asking users to provide a birth date isn't sufficient proof that they're over 16 years of age, how should one verify age for something like an IRC bot?


IIRC it applies to EU citizens wherever they are, not just people who are on EU territory.


Article 3, "Territorial Scope":

---- begin quote ----

(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

 a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

 b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

---- end quote ----

Based on this, it looks like for GDPR to apply to an establishment in regard to a particular person, at least one of those two parties must be in the Union. An EU citizen traveling outside the Union dealing with an establishment that is not in the Union appears to not be covered.


I liked your explanation of the three points from a few days ago [1] a lot.

[1] https://news.ycombinator.com/item?id=16752857


It applies to EU residents. So someone who's Spanish living in US would not be covered, but an American living in Spain would be.


The scope is wider. It applies to people in the EU, regardless of resident or not. A US resident on vacation in Spain would be covered.

See https://cybercounsel.co.uk/data-subjects/

> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.


So do American constitutional protections apply to Americans living in France? I am having a hard time understanding GDPR jurisdictional power. US citizens in France aren’t protected by the US Fair Credit Act with French banks, even when those French banks have US subsidiaries, because a French company in France isn’t subject to US legal jurisdiction. Even FATCA doesn’t subject a French bank to US law; it subjects French assets in the US to the withholding provisions of US law, meaning, if a French bank has zero US exposure, then FATCA has zero effect.

Are Dutch citizens in Oklahoma protected by Dutch narcotics laws? Of course not. They are subject to the jurisdiction in which they are physically present.

However, a US citizen can be subject to US laws overseas, however, that’s between the American and the US government — the intermediary country has no involvement unless it’s an extradition request.

This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU. The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.


Not the constitution, but certain laws were enacted in a similar way by US. Especially in finance and securities:

- banks all over the world have to ask their customers if they aren't American, when signing up for an account. Even a local bank in rural Poland, which couldn't care less about international markets, has to now ask people to explicitly confirm that they are not American citizens

- if you're doing a security offering, and you happen to sell to an American, even if they live in Europe, and you're blocking IPs from U.S., you have to follow the US regulations as well

And yes - it is kind of shitty, but EU wasn't the one to start a trend of applying the local laws on foreign soil.


> So do American constitutional protections apply to Americans living in France?

I'm no expert, but I thought on the whole the constitution has nothing to do with citizens -- it's a list of rules that the US government must follow. It certainly has no hold over the German government.

> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.

If you, as someone who breaks the conditions in the GDPR, have nothing to do with the EU, then you're fine.

However the GDPR applies to you, an American citizen in America who's never been to the EU, just as the DMCA applied to Dmitry Sklyarov, a Russian citizen who had never been to the U.S.


Charges against Sklyarov were dropped due to jurisdiction. Your example proved my point. And actually he DID visit the US; that’s where he was arrested.


So an American can be expected to be arrested on arrival in Paris on holiday because the company they work for ignores the provisions of the GDPR.

Sklyarov's charges were dropped in a typical American plea-bargain:

"Mr. Sklyarov agreed to cooperate with the United States in its ongoing prosecution of Mr. Sklyarov’s former employer, Elcomsoft Co., Ltd. Mr. Sklyarov will be required to appear at trial and testify truthfully, and he will be deposed in the matter. For its part, the United States agreed to defer prosecution of Mr. Sklyarov until the conclusion of the case against Elcomsoft or for one year, whichever is longer. Mr. Sklyarov will be permitted to return to Russia in the meantime, but will be subject to the Court’s supervision, including regularly reporting by telephone to the Pretrial Services Department"

I see nothing about jurisdiction there.

The US has pushed the world around for a long time; the world is pushing back.


> The idea that GDPR requests have to be honored by some local ecommerce company in Idaho is just nonsense and not supported by any international legal precedent.

This is true. GDPR would only apply there if they were "offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the European Union". [1]

This is understood to mean they must be marketing to the EU, for example by offering their site in European languages (apart from English), using European currencies, or using a European domain.

[1] https://gdpr-info.eu/art-3-gdpr/


European languages? That’s absurd. Your product could be targeting US Spanish speakers, African speakers of French or newly arrived German speaking US citizens. Using language as a determinant is without any legal basis. Having your website in French doesn’t mean you are selling to French citizens. Language doesn’t equal location. Language does not impart jurisdiction.

If a small hotel in California had a French language information page, that doesn’t make that hotel subject to an EU law. If I am wrong, then where is the case law? Where is the legal precedent?


Targeted language by itself certainly won't be enough, but it is definitely seen as one indicator by the CJEU.

https://iapp.org/news/a/what-does-territorial-scope-mean-und...

(And - case law? Not really a thing in most countries executing the GDPR.)


> This idea that EU citizens are protected worldwide is just ridiculous. EU jurisdiction doesn’t extend beyond the EU.

You are the only person who has this view. EU citizens are subject to the local laws of whatever country they reside in. However if they are interacting with an EU company then GDPR applies to that company, no matter where they reside. But an EU citizen living in America and using an American service has no GDPR protections. Just like they have no EU right-to-work protections if they decide to work in America. GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.


> GDPR explicitly states that it (generally) only applies to companies which do business with people who are within the EU's borders (citizenship is not a prerequisite of GDPR protection) or EU businesses.

There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable. As the grandparent was pointing out, any country can now make any law where if any of their citizens access some internet service where ever in the world, somehow their laws magically apply to everybody in the world "doing business over some fiber".

I don't think so.


> There is no jurisdiction if those companies don't have a presence in the EU. None. Show us international law where this would be applicable.

If you are doing business with people in the EU, then you have to be incorporated or otherwise have agreements (explicit or implicit) with the EU countries you are doing business with. GDPR applies to you or you will no longer be able to do business with the EU. If a company wishes to not have their ability to do business with the EU revoked, they have to comply with GDPR (including its fines) as well as all other EU (and local) laws.

I really don't understand how this concept is difficult to grasp. Countries give you permission to do business with them -- if you break their laws they can revoke your ability to do business with their residents. Most large companies would probably lose much more money breaking off ties with the EU than they would complying with GDPR fines. If you continue to violate a country's laws you could be extradited and so on.

> somehow their laws magically apply to everybody in the world "doing business over some fiber".

If you are providing a service to a group of people, for money, then you are doing business with them. Pretending as though this is not the case just because the process is conducted through under-sea fiber cables rather than mail couriers is ridiculous.


This is my main question actually.

While most of GDPR is common sense and shouldn't be much of a burden on companies[1], I was always confused about jurisdiction. While most larger companies have a legal presence somewhere within the EU that can be held accountable for this, I do wonder how the EU is supposed to enforce penalties on a company outside of the EU.

[1]: well, the difficulty grows the larger your company/product is, but chances are you have more resources available to dedicate to it anyway


> I do wonder how the EU is supposed to enforce penalties on a company outside of the EU

Realistically, they can't and won't unless it's a very large scale that's worth pursuing, for a multi-national corporation with enough money to pay a big fine. If a company is not doing business in the EU, not selling into the EU, they can of course entirely ignore the GDPR.

In the case of a large company that sells into the EU, and refuses to obey GDPR, what you'd likely see is the EU pursuing that company on its domestic turf legally. A company out of NYC for example could be pursued in a court there for fines related to GDPR violations. The larger those violations, the more likely it'd be pursued by the EU across the Atlantic. This is how it works already; there's a lot of international business precedent. The stronger the legal system in the home country you're pursuing the multi-national into, the better for the EU's case.

If I set up a business in Germany, dump large amounts of toxic waste and cause very costly environmental damage, and then (somehow) quickly flee the country leaving no assets or business behind - but back in NYC my company has vast assets, you'd find the company pursued from Germany to its home in NYC for those damages. They still have to win the case of course.

The EU fortunately wasn't dumb enough to attempt a global claim on regulating privacy. They pushed the line pretty far, but did not cross their own boundaries. I think they fully understood there was no scenario where the US and China (40% of the global economy) - or frankly most nations - were going to care about EU law projections external to its jurisdiction.


It depends. When Canada's anti-spam law was introduced in 2014, the intent was to allow a private right of action effective July 1, 2017. This would theoretically mean US/foreign companies could be dragged into class-action lawsuits in Canada. This private right of action was delayed and is currently under review, but nevertheless anyone marketing to Canadians is subject to CASL laws, regardless of where their business is located. We'll see what happens, but if/when the private right of action is implemented it could potentially be a big deal.

IANAL but I can imagine a similar situation happening with GDPR.


According to art. 27 GDPR, affected data processors outside the EU have to establish a data privacy representative in the EU.

In addition, authorities could for example seize local servers in the case of non-compliance. In many EU countries including Germany, data privacy violations can also be prosecuted as criminal offenses.


But this doesn't answer my question: I'm running a little side project here in Australia but with customers who happen to be in the EU. I have nothing in the EU - no sales office or support in Ireland, no hosting anywhere in the EU. How is the EU supposed to mandate that I do anything?


The EU can (and in fact does) mandate that you comply with the GDPR. It cannot, however, enforce compliance since there is limited legal leverage. The Australian government is unlikely to help the EU to bring a case unless there'd be a treaty or an agreement (Safe Haven laws in the US for example). They could theoretically go via your revenue stream and seize your European customers' payments or hold you or any officer of your company liable if you ever set foot on European soil or hold any assets that your company has in or moves via Europe. That's all very unlikely to happen over minor infractions, but some business folks already had their private jets impounded for outstanding payments, as for example the Thai Prince learned the hard way: http://www.airliners.de/kronprinzen-boeing-in-muenchen-besch... (sorry, German only, but Google Translate should correctly translate the gist of the story)

All of this is nothing new, it's been working like that for centuries, back when business correspondence was still on old-fashioned paper.


As long as you don't go on holiday to Rome, you'll be fine.


I have the feeling nobody knows this. To me it seems this part of GDPR is particularly targeted at major companies and they can be held accountable through subsidiaries or branch offices in the EU. It doesn't seem very likely to me that small businesses that happen to sell to EU customers too will be the primary target of enforcement anytime soon.


Last seen is in the grey zone, but I'd say that it can potentially be PII if combined with other data. So I would not store that data for now, until we have some clear rulings on similar topics.


Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs. First it was the completely useless cookie notifications, now it’s GDPR, and nobody knows what the next thing will be - we only know that there will be a next thing (there always is), and that it too will be costly and burdensome to comply with. Unless you derive a significant percentage of your revenue from EU users, it just isn’t worth it to try to keep up with the increasingly demanding whims of a heavy-handed European government.


That sounds ideal. Please make sure you do this, and convince many of your colleagues and compatriots to do the same. Maybe finally give us some breathing space to grow our own popular services in the face of US dominance.

I used to think protectionism was stupid, but after seeing how The Great Firewall[1] is working out for China and their services, I’m not so sure anymore. The big problem with any inbound restrictions is retaliation, but if you can manage to make a country restrict exports themselves, well, yes please!

I’m looking forward to seeing EU competitors flourish.

[1] Since visiting China I’m convinced TGF is about protectionism as much as it is about filtering. Internet to any non-China service is terrible and unreliable. The result is simply you can’t depend on it, so you choose a Chinese provider. This has clearly worked out very well for some of their companies!


The large US sites you’re worried about “dominating” the EU, who have significant EU traffic, will be able to comply with the GDPR and continue to compete just fine. They have the resources to hire the necessary phalanx of attorneys to advise them on how each feature and tweak to their sites interact with the GDPR, and it is a worthwhile investment for them. I was saying that smaller sites that don’t have internal legal departments and don’t need EU traffic should consider blocking EU IPs.


> Honestly, the best thing to do if you don’t have a high percentage of EU users/customers is to simply block EU IPs.

Could you please block my IP address as well: 192.117.111.61

If you feel that being responsible with my personal information and metadata is not worth the trouble, then I don't want to accidentally ever use whatever service you maintain. Thanks.


What an absurd statement. This isn’t about being able to be “irresponsible with [your] personal data”. GDPR compliance is a difficult, expensive, onerous, and uncertain endeavor. Sites that don’t rely on EU visitors for revenue don’t need to expose themselves to the additional liability that the GDPR imposes.

That doesn’t mean that sites that haven’t gone to the expensive lengths required under it are going to expose or abuse your data. If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies that are large enough to afford scores of attorneys to advise them on how to comply.


I'm a big enough fan of the GDPR and a big enough opponent to SESTA/FOSTA/CLOUD that I have moved almost all my business into the EU. The only remaining US business I depend on is my DNS provider.

Why should I trust a US business with my personal data when I can give it to an EU business that will face harsh punishment for doing bad things with my data? (The US seems to have no problem with large corporations losing millions of user data entries as long as the big CEO says "oops, sowwy!")


> If you are this big of a fan of the GDPR, I imagine that you’ll have to limit your Internet browsing only to sites run by EU-based companies

That is a terrific idea, thank you. In fact, for sites that require providing much information (email providers, etc) I'll start doing just that. Though HN does not require much data, I will review how the site intends to deal with GDPR.


>What an absurd statement. This isn’t about being able to be “irresponsible with [your] personal data”. GDPR compliance is a difficult, expensive, onerous, and uncertain endeavor.

Being responsible with someone's personal data is inherently difficult, expensive, onerous and uncertain.

The idea that handling personal data wasn't already all of that is exactly the abuse that got us where we are today.


The EU has a population of over half a billion people and a GDP per capita of $41k PPP (although those numbers will shrink a little bit post-Brexit). Ignoring Europe as a potential market ignores half the western world - and it is westerners, for the most part, who have disposable income to spend money on goods and services.

Ignore Europe if you like. Just be aware that you are allowing your competitors to gain an uncontested foothold without having to fight for it. Once they are the incumbent in the European market, they will be hard to unseat, even if you change your mind later.


There are thousands of types of sites, such as geographically focused message boards, local professionals, smaller ecommerce sites, etc. who are exposed under the GDPR but for whom EU traffic is incidental and worth nothing. A US plumber doesn’t need or want appointments in London, but is technically exposed under the GDPR. So for businesses like this, blocking EU traffic should be an easy decision - there is no downside.


IANAL but I believe the GDPR is tolerant of incidental traffic. So if a European accesses a local job board in South Korea, the EU will not go after the Korean company and demand compliance. Now if said Korean company is running a job board for Berlin, in German, charging in Euros, etc. it's a different story.


That, along with many other parts of the GDPR, is both open for interpretation and may vary from country to country within the EU. See https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-c...


That shouldn't be an issue. If you offer your services only within the US then you're out of scope. It doesn't matter if EU citizens visit your site, as long as you don't try to get any customers from the EU or target your content towards visitors from the EU you don't have to comply with GDPR.


For most American pubs - and hence producing English language content - there's very little risk. Most of the EU won't read it anyway, and if the UK privacy regulator wants to complain, let them.


> First it was the completely useless cookie notifications

It was useless in the sense it was trying to play nice. It was a gentle call for the industry to self-regulate. The only problem with that law was how naïve it was.

Go ahead and block the whole European IP range. See if we care.


The cookie law was also largely overblown. It only requires notifications for any non-essential cookies and I think the WordPress plugins for this simply put up a blanket banner because the blog author might just be using the Google Analytics plugin too.

And then everyone put it up "just in case" or "because the law says all cookies". (Of course some smart people figured out that local storage is not a cookie and the law only covers cookies, at least what they gather from hearsay instead of checking the actual text.)

But tbh, I'd prefer US services IP blocking European users. It'll encourage EU startups to fill the gap and they will have the privacy regulation of the EU as marketing bullet point over any US company, eg "In the US privacy is a pinky-promise, for us privacy is law".


You do care. Every time some web service is US only there's endless ranting from Europeans about it.


That's because, most of the time, a service is US-only because of some bullshit reason like exclusive region-locking deals or MAFIAA copyright terrorism. I don't think that "this service is unavailable in your country because your law doesn't let us sell your private data to the highest bidder" is going to induce that much ranting.


Once blocking by US websites becomes a little more widespread there will be EU alternatives to fill the gaps. Normally I'm not a huge fan of such solutions, but if the alternative is exposing myself to the wild west of unregulated selling of my personal data that is the US I'll learn to live with it.


Ehhhh, I'd leave it as is. Unless you have business licenses in EU countries, EU laws have no legal authority over you. If you do have such licenses, then you're probably big enough to foot the bill and possibly also can't afford to not foot the bill (due to suspended licenses).

This privacy thing is, like, their option, man. Even if you and I agree with the EU.


I’ve been looking into this, as I run several sites myself, and apparently this isn’t true. They can go after you even if you have no EU presence, and US courts will domesticate any EU judgment against you for fines levied under it.


Do you have a source on this? Seems like a major concern if true.


Several, but this one explains the issue most succinctly:

https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-c...

"Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed....the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR."

With regard to enforcement....

"...EU regulators rely on international law to issue fines. Written into GDPR itself is a clause, stating that any action against a company from outside the EU must be issued in accordance with international law."

Most US states have adopted the Uniform Foreign Money Judgments Recognition Act (UFMJRA), which allows for judgments issued by foreign courts to be domesticated. Once that is done, the judgment carries the same force and effect as if it were originally issued by a US court.


It's not true, but something that is bantered about on HN by people that wish it was true.

Think about it. If it was true, then the entire global legal system would get very chaotic.

Frankly, the political agenda by people telling these lies is quite tiresome.

Just ignore them.


It's interesting that I posted a source for this 5 minutes before you posted this comment.


And since I can't reply to the parent directly, I'll just say that there is no international law that covers this. None, zilch, zero....so anybody who says that you're somehow beholden to GDPR when you have 0 presence in the EU is either lying or ignorant of the reality.


So basically we create a law to protect user data and your answer is "let's only work with countries that think messing up with my users is ok" ?


It’s not about being able to “mess with [your] users”. It’s about sites that don’t need EU traffic anyway being unnecessarily exposed to fines for even accidental violations of a very complex law.


Btw. same goes the other way around: if you don’t want or need US customers, it might make sense to block people from the US based on IPs, because if you do business with US citizens, they can sue you according to US laws with their ridiculously high fines.


But any of your sites should protect user data, it's the respectful thing to do. Right ?

In which case would you think it's alright for any site to not protect, say, a user's home address?


Reasonably protecting user data and complying with the GDPR are two entirely different things. There are many ways to accidentally run afoul of this law while still protecting user data.


Define "reasonably", because what I see in the wild as a freelancer is 9 times out of 10 not matching what's "reasonable" to my standards.

And what are the "many ways" you can "accidentally run afoul of this law while still protecting user data" ?

It's hard for me to grasp.


(I'm not the one you replied to.)

I'd like to see a complete and concise list of exactly what needs to be done to comply with GDPR. Everything I've seen so far has been vague legalese open to subjective interpretation. Pretty scary when the punishment for an incorrect interpretation is a 20M EUR fine.


simply block EU IPs

A lot of us who admire what the EU has the courage to do - and wish that the US had half that courage - would rather disappear from everything but European websites. What many US corporates have done, and are doing, is rotten to the core. It is demonstrably destroying the internet that so many of us spent time bringing to life, and had so much hope for.

I suspect that if someone with some balls and power suggested corralling all US trackers and data brokers - along with companies trying to turn the net into a shopping mall - into a single domain outside of which they could not operate - most Americans would applaud. The EU has done some of what it could, and cheers to them for having the courage to serve their citizens. Wish I was among them.


Better yet, comply and get your privacy/data management chops together so that you're comfortably able to navigate a world where this type of legislation is likely to become more and more common. Not to mention the fact that there's an increase in interest/awareness about these matters amongst the general public.


I love this comment. Waiting for people to take the bait and reply to you!


Take the bait? I’m not saying anything controversial. A large percentage of websites are directed at the home country of their owners anyway, and EU traffic is often incidental and worthless to them. A US dentist or doctor likely has no interest in receiving appointments from people in the EU, for example. An online store based in the US, who would have to charge outlandish shipping rates to ship to the EU, is unlikely to get orders from the EU and thus should have no interest in that traffic. An online message board where nurses in a US city talk to each other probably wouldn’t want to spend the money to comply with GDPR even if the occasional nurse from the EU might pop in with an interesting comment every now and then.

So EU traffic means nothing to any of the above example sites, yet all of them will be massively exposed under the GDPR. If I ran a web hosting company, I’d offer EU IP blocking as an optional, free service.


You don't think it's controversial to tell businesses to block the other half of the civilized world?


It's a start, but that is only the easy part, where the goal is relatively simple to figure out. You also have to explicitly get legal documents signed if you make a system for companies that "own" the user data.

You need to have new procedures for obtaining, storing, using, and deleting customer data. This is known as a "code of conduct". You need sufficient logging to aid incident analysis too.

I also think a lot of companies are entering a bit of panic mode because there is no clear guideline on what is sensitive data. If you make a booking system, then everything you store is potentially sensitive if you have end user data in it. If you're making IoT devices for the home with cloud access, then you have sensitive data.

The conclusion we've reached is fairly simple. If there is even a remote chance that normal day to day use of our systems contains data that can be used to build a profile of a user, then the system's data is considered sensitive.


It's in some ways worse, because with credit card numbers you can and should avoid storing them at all, but if you need an email that's not an option.


Would usernames be included? Seems incredibly taxing to encrypt usernames too but is that what's suggested?


The GDPR specifically introduces a class of data called "online identifiers":

https://gdpr-info.eu/recitals/no-30/

which includes IP addresses and seems to extend to things like email addresses and usernames.

How this will end up affecting functionality and implementations of online services is not yet clear, at least to me.


This is a GREAT project!! Thanks!

Could you make it a git repo so we can field alterations, additions and discussion?


That's a good thought, right now it's actually a google spreadsheet that I write markdown into the individual cells, export as a CSV and then run through a ruby script that turns it into HTML. Which (obviously) sounds insane, but it's significantly better than trying to edit a raw html doc of this size, get feedback, etc.


> some traction on HN as everyone is trying to figure out: "Do I need to do something for this? Is so, what?"

If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this. So it's hard to imagine how many readers of HN are getting their answers on HN (or similar). If you are small time nobody is going to come after you. Sure something could happen and you could also get a traffic ticket going 57 in a 55 zone and a host of other outlier events.

> AKA: be paranoid about keeping them, encrypt them, use SSL on your site, respond to requests from people if they ask if you have them, fix them if they're wrong, don't use them if they say you can't.

One size fits all advice doesn't make sense in this and in other similar cases. You will spend a great deal of time and effort dealing with 'maybe's' instead of the day to day.


>If you are big enough to have to worry about this you are probably a company with plenty of resources to think and comply with this

You'd be surprised. GDPR is vague enough and just open to interpretation enough that there are many different companies interpreting it in many different ways. I'm a consultant and I talk to many multi-nationals and all of them have their own spin on it. Especially around the "except when necessary for security purposes" section. That right there is broad enough that "security purposes" can mean almost anything as long as you make sure your security team has access to that data.


My company is one that everyone on HN has heard of, and they are interpreting it as "don't worry, we don't need to make any changes because _____". It will be interesting to see if they change their tune as May 25 approaches.


The EU are totally threatening fines of the greater of €20M or 4% of global turnover because they want to preserve the status quo. /s


If you're outside the EU, it really isn’t about “anyone coming after you”. Even within the EU the enforcement actions currently err on the side of a stern warning rather than a fine (except in the most deliberate cases). Though that may change.

Either way, you shouldn’t be doing it out of fear. You should be complying for practical business reasons:

1. This is how you should be treating personal data. 2. In exchange for complying with GDPR, you get access to a market of >700m people. If you’re a service provider, it’s illegal for any EU business to be your customer without GDPR compliance.


I wonder if a significant amount of small businesses/startups are going to simply not do business with the EU because of GDPR. I know I'd probably rather not have to deal with it if I had a small app or something.


In general I agree with your assessment, that being said I do think that the GDPR is a decent set of guidelines for putting in place a system that respects user data in a way that clearly has not been happening.


Why not prevent personal data from leaking in the first place? It's a solution applied at the wrong level, or a wrongly drawn system boundary if you will. The damage it causes is psychological, preventing many EU businesses from starting in the first place. They're destroying the food chain for startups (small independent businesses).

The EU and politicians are anti UX, they have no clue about the effect of their laws on people.


> Why not prevent personal data from leaking in the first place?

"The first place" would be not collecting it, an option that companies are seriously considering for nonessential data that they previously collected merely because it was convenient and accepted to do so.


This is totally awesome! Thank you, it has been sent round the office... I too second the idea of putting this onto GitHub so it can live and be updated as understanding of the requirements increases!


That's a fair analogy! I do think having a service like stripe for pii would make things easier. Why would we need first name and email address? As a programmer I only need user ID!


I don't think this would be sufficient in many cases. If you store any form of user-generated content, or even a recommendation model generated from a user's past behavior, I'm pretty sure that's also considered personally identifiable information under GDPR, and since it's part of your product, you can't just outsource handling of it. It gets even stickier if that data is intertwined with data from other users, as could be the case in machine learning models or user-generated collaborative projects.


> For a recent project, I read

Fixed that for you.

Usually commas aren't important, but that specific sentence really suffers in readability without it.


What constitutes user data?


In fact, I think the author is underestimating the impact, right here: "Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today."

No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions). The reason all this data got collected, was to try to make the advertising valuable enough that they could sell it. It may be that it never really worked, but it sure won't work without it. I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent (because people consider those websites too valuable to do without), but most other advertising-supported media cannot; or they will see that the long-term impact of this is that it accelerates the current death spiral of newsmedia, as all ad spending goes to Google and Facebook and almost no one else.

I leave it as an open question as to whether this would be a good or bad thing.


> No, it will basically make a newsmedia site unprofitable. I think it is the EU that has not fully thought this through. Most of the news industry is already sickly, financially, and they mostly have no model other than advertising (with a very few exceptions).

We have publicly funded broadcasters in most EU countries. The ad-supported news sites, on the other hand, are generally doing more harm than good.

News outlets existed before the web, so they're not going to be threatened by breaking the ad-supported website model. If anything, the traditional newspapers will be saved by this, because if free online news disappears, people will start buying newspaper subscriptions again.

> I think either the EU will backtrack on this once they see that Google and Facebook can easily force people to consent

They can't. The consent has to be for a specific purpose.


You don't see the potential problem if the only media that is able to exist is that which is state sponsored?

You may be happy with the state sponsored options now, but will that always be the case? Would you feel the same if you were living in the Soviet Union or Germany circa 1940?


How are CNN, Fox News and the Sinclair group working out for you guys?

I trust state paid media in the EU way more than any US news media.

The reason why most EU countries have state paid media is so that it's non-commercial, non-partisan, and can't be bought. There are different principles in place, so government has no say in what is broadcast/not broadcast. This also means that all political parties get the same amount of exposure etc.


CNN isn't great journalism, but it isn't the only source of information.

The problems with Fox News and Sinclair aren't based on advertising, they are based on ownership. State sponsored media isn't going to be any better under an autocrat and will in fact be worse than the situation in the US because there may not be any other options.


I don't read news but I'm sure that GDPR would hurt the smaller, independent news websites or aggregators that people find reputable more than CNN, Fox News and the Sinclair group. The latter at least have TV advertising. Their website is just horizontal integration for them.


New York Times, Washington Post, Boston Globe?

Those are three publications that have sent shockwaves around the world with their privately-funded investigative journalism.


I used to like WP but especially since Trump they've almost become a single-issue publication following every fart of that guy, and a lot of it is way overblown and they leave out "details" and overstate the importance of others. I loved their investigative series such as the one about asset forfeiture, lots of investigation; the Trump reporting instead is more "instigation" than "investigation". And I can't open the comment section any more, it's like the Fox News comment section only the opposite.

What I dislike about all news sites is that they are inconsequential. They throw sooooo many different news items at you that it really does not matter. Today's outrage will be quite forgotten two days later, or two weeks if it was something really bad. They should instead follow a few selected topics long-term and investigate what happens, and point readers to ways to affect a change. That means not reporting on each and every little thing as extensively any more but instead focus on a few things over a very long time. Just being fed thousands of news stories is McNews - you get short term satisfaction and a feeling that you stuffed something into your brain, but it feels hollow quickly because it's not very nutritious.

And don't get me started on all the Russia hype, one would think those guys in their largely poor 3rd world country have capabilities far beyond what the orders of magnitude richer West has (I speak some Russian and was there a few times, also in Ukraine). That all the media jumped so willingly on this wagon is quite amazing. Note that I don't doubt they (the Russians) did most of what is claimed, but when, for example, sums of money spent for the campaign are mentioned it's so little that it's obvious it could not have had a significant impact, at least not on the scale fitting the amount and the tone of the reporting. What is also missing is that they take the opportunity to talk about the many ways the US and the West have influenced internal politics of other countries. For controversial topics they usually try to give such views some room, but Russia seems so incredibly overblown and one-sided to me - so impossible, and it all looks like that recent video about Sinclair where they all say the exact same things and one can see not much effort went into that reporting. I don't know, it all feels very weird - and very wrong, like when you put on very strong glasses and the world looks weird.


Absolutely, and they would benefit from the end of ad supported, low quality but free online news. All three are subscription funded.



That article is literally about 60% of their revenue being from subscriptions.


> How are CNN, Fox News and the Sinclair group working out for you guys?

Not well, and I'd add MSNBC to that list, however much I may be a dirty pinko who agrees with their editorial stance. NPR and PRI do what they can, but I really wish we had something like the BBC here, with non-corporate funding and a remit to report current events.


You do have some very reputable newspapers though (NY Times, WSJ), which are subscription funded and hence losing out to the free ad funded stuff.


German public media is not state sponsored. It’s an independent entity which is paid for by public fees (not taxes, the money never goes through the government's coffers). There are some levers that could be used to exert some level of control, for example the height of the fee is set by a commission that is partly under government control and many ex-politicians get elected into high positions, but all in all, public media is fairly well removed from the government's control here. The constitutional court watches over this pretty well, too. The system has been set up in such a fashion exactly due to the experiences under Nazi rule.

I’m currently more concerned about private media having an agenda that promotes the right.


What is the difference between a tax and a mandatory fee? If government requires me to pay a fee, it’s a tax.


While there is a law (to be precise: one in each state) mandating to pay this fee it is levied by the broadcasters themselves and the money is at no point touching accounts controlled by the government.

(As a sidenote because it's confusing for people from both sides: In Germany we differentiate between taxes which end up in the general budget and can be used for everything and fees which are purpose-bound from the moment of collection, e.g. in this case the levied money must be used for broadcasting. This differentiation is not common elsewhere.)


In German law a tax is general purpose; the government can use the money to pay for any of its "services". Whereas a fee has a specific purpose and cannot be used for anything else.


It's the same in the US. For example, there's a fee for getting a passport, and it's not considered to be a tax.


That's not the same, though, because it is not mandatory to obtain a passport (at least not for everyone—you may need one if you want to travel abroad, but this is viewed by the government as a non-essential privilege and not a right). Broadly speaking, in the US, a "fee" is something you pay in order to receive some form of optional service, such as the issuing of a passport, and a "fine" is something you are ordered to pay as a penalty for breaking the law. Everything else—any payment required of a law-abiding citizen either for simply existing or as a condition for carrying out law-abiding actions (e.g. owning property, earning income)—is a tax.

Of course, sometimes fees and fines can be seen as "stealth taxes" when they intrude too far into everyday life, particularly when state monopolies are involved. For example, the cost of First Class postage with USPS is technically a fee for an optional service, but the USPS monopoly on First Class letter delivery makes it at least partly a tax, to the extent that another carrier might have provided the same service for a lower price in the absence of the monopoly.


I was going to say driver's license. But I guess that's optional too. There are garbage fees or charges. Sometimes you must pay them, even if you contract with a private hauler. But you need that to get an occupancy permit. Also water/sewer fees. Unless you have a well and septic system.


Right, the line does get rather blurry when a service provider has the power to compel people to purchase their "service" whether they want to or not. Local governments like to position such payments as "fees"—it makes for better PR—but if there are penalties for opting out (such as not being permitted to occupy your own property) then I would consider it a tax. In the cases you mentioned, for example, there really isn't any significant difference between those mandatory utility "fees" and property taxes.


There is a substantial difference between fees and taxes. Fees are tied to something specific. This has two implications: First, they cannot be used for something else. Second: The height of the fee must not exceed the cost of the service and thus is at least in principle something that can be checked. For example, some public health insurance providers in Germany had excess money and they had to refund that to their customers. Taxes are under no such regime. It may seem like one is like the other, but it’s really an important distinction.


> Fees are tied to something specific. ... they cannot be used for something else. ... The height of the fee must not exceed the cost of the service....

In Germany that may be true, but I was speaking of the US, where the terms are used differently. There is no expectation here that "fees" can only be used to defray the cost of providing specific services.


> but if there are penalties for opting out (such as not being permitted to occupy your own property) then I would consider it a tax.

I agree.

But I'm guessing that it's the same in Germany. They call them "fees" but they're really taxes. Except that they can't be used for other purposes.


What protections are in place to prevent an internal takeover of the organization by a political party? Let's say the Roger Ailes of Germany finds his way to the top of German public media and uses that position to tilt coverage to be more favorable to his own party, what happens?

If all your eggs are in one basket what happens when something goes wrong with that basket?


We have 12 public broadcasters that are independent of each other, each with their own board (and on top working under the laws of different states, ensuring that no one political institution has power over all of them; the federal government is strictly barred from interfering by the constitution). 10 of those cooperate closely, share some resources, and produce a common TV station in addition to their own radio and TV stations. One is a radio broadcaster using resources of the others. The last one is a TV broadcaster that works separately. It's pretty inefficient but ensures that there is no single entity controlling everything.


Why would you only have state sponsored media? You also have private media that you pay for (newspapers).


Newspapers are mostly paid for by advertising; having readers pay is mostly important because paid circulation is a signal of level of engagement that helps sell ads (though there are free papers that are entirely ad supported, too.)


Perhaps in the past, or for local media, but the big newspapers (e.g NY Times) are primarily subscription funded now.

Anyhow, newspaper advertising isn't personally targeted by tracking readers, so it's a lot more palatable.


> Perhaps in the past, or for local media, but the big newspapers (e.g NY Times) are primarily subscription funded now.

That's a direct result of online advertising eating most of the advertising dollars, making the big papers less valuable advertising venues. Cut off the things that make online advertising uniquely valuable, like the flow of personal data that enables far more focussed targeting, and that’ll shift back.

> Anyhow, newspaper advertising isn't personally targeted by tracking readers

No, instead it's targeted by every business decision of the paper ultimately being made against a backdrop of how it impacts the paper's size and demographics of readership, which is how it sells itself as an advertising venue, which ends up with the major media all being crafted to narrowly appeal to the most valuable advertising audience.


Ad supported publications aren't immune from this though, if anything they are just as susceptible.

To get the most ad revenue they need to cater to the majority. See e.g. clickbait. For stable income, finding a group and catering to their opinions/narratives is also an option, and is also not independent news. See e.g. infowars. Finally, to get any ad revenue, they need ads. Unlikely many corporations will run ads on anything that is perceived even slightly controversial nowadays. See e.g. YouTube.


I don’t think ownership structure is the key factor. More important is robustness of institutions that protect freedom of expression and freedom of the press. The Nazi government had little patience for critical private media either.


At least a determined propagandist would need to corrupt every state media in the EU, much harder than just one.

Non-EU media would still exist.

Several UK media outlets use paywalls already, presumably they too would remain.


How about Hungary 2020? Poland 2022?

Strong emphasis that I'm not equating those to your examples. Rather, pointing out that even a subtle version of undesirable or extreme politics can lead to a similar concern.

Given the wild political swing going on in about half of Europe, it's a legitimate concern today, no need to look back 80 years. Not to mention persistently growing censorship and criminalization of speech in more liberal countries such as France.


Publicly funded TV is prone to become a propaganda tube of the government. In some cases it already has (in Poland for example). Relying on it as the only news source would be silly (relying on a single news source in general is usually silly, but even more so if the government directly handles the staffing).


You should never rely exclusively on domestic media. There's always too much conflict of interest. In state media this is obvious, but it's there for private media as well.


The BBC is a counterargument to what you wrote. It shows that publicly funded news outlets can work without being a government propaganda tube.


His argument wasn't that all state-funded news media is a propaganda machine. His argument was that it easily can become one, and you won't have a better option, since all the other news media would be choked out of existence.


> since all the other news media would be choked out of existence.

There are other private TV outlets in those countries in the EU and this legislation will not change it. Let's stop being paranoid and portraying legislation that should protect our privacy as something that will destroy democracy.


That's just going to fuel nationalism.


Let me tell you how it works in central/eastern Europe - ad-supported sites are financially sick, but more and more 'info' is spread by well funded Russian propaganda sites (imo they carry the ads only to seem 'legit').

They will thrive even more :(.


Is there anything that can be done about this? The whole situation is surreal. Surely it must be possible to decrease these sites' impact without having to resort to censorship. It's just 21st century propaganda.

Fun fact: oligarchs in Greece have been doing this to their own country for financial gain for decades. Most Greek newspapers are mouthpieces for the interests of the great families.


> News outlets existed before the web, so they're not going to be threatened by breaking the ad-supported website model. If anything, the traditional newspapers will be saved by this, because if free online news disappears, people will start buying newspaper subscriptions again.

We're also seeing very concerning trends in the readerships and profitability of print media (because of the Web, many think). So I don't think you can use the "News outlets existed before the web" line, without much more justification.


I do not think it is bad, I think that is evolution. Ads-only content is total crap. We have to teach people to pay for content. Second part is we have to teach publishers not to be greedy. Just like iTunes with music, easy small payments, not subscriptions that no one wants. Maybe they could actually make some use of crypto currencies but there would have to be a strong player like Apple to press for consensus. Otherwise each one would like to have its own payment system and charge others for using it.


> Maybe they could actually make some use of cryptocurrencies, but there would have to be a strong player like Apple to press for consensus.

I doubt it. Cryptocurrencies seem to be terrible for micropayments.


That's my point. Get rid of the free "news" sites and people will start paying for print media (and digital subscriptions) again.


Print news media was dying for decades before online media came online, and was almost entirely paid for by ads (many local publications were and are free of charge, and many of the paid ones charged primarily to have paid circulation numbers and shape the socioeconomic demographics of their audience, both of which were and are mechanisms to boost advertising revenue.)


> Print news media was dying for decades before online media came online

Any sources for this? I don't think this was the case at all at least in my part of Europe.


It may not have been the case in Europe; the decline in circulation in the print media in the US was widely discussed as a long trend in the late 1980s and early 1990s, and attributed to a number of factors, most notably (but not exclusively) the wave of mergers and associated cuts in local newsrooms and non-wire-service content in the preceding couple of decades.


>We're also seeing very concerning trends in the readerships and profitability of print media

Why is it "very concerning" (assuming no financial interests) that a legacy form of media is struggling to dominate in terms of profitability?


It's concerning in relation to the gp's post. Online media is having existential problems. The gp's response to this (in part) is that we have had print media for a while. My response is that it is unclear we'll have print media for much longer, so we should still be concerned about online media (otherwise we might end up with no media).


> We have publicly funded broadcasters in most EU countries.

That would be a terrible dependency for Eastern Europe, you wouldn't want Putin-friendly government media teaching people what to vote next.


There is only one "Eastern Europe" country that is really Putin-friendly and it's Hungary, the rest are anti-Putin.


Many urban, educated folks in Serbia see Putin as a better ally than any European leader.


I think you could find a lot of pro-Putin people in the EU. Some of my family members are pro-Putin while I live in probably the most anti-Putin country in the EU. I could elaborate more about the reasons for that but I don't want to digress too much from the original discussion.


That's probably due to the rather unusual recent history of Serbia I assume


We have publicly funded broadcasters in most EU countries. The ad-supported news sites, on the other hand, are generally doing more harm than good.

Why am I not surprised that a European is saying that the government-backed "broadcasters" are all so good, and evil private American news sites are bad.

This pretty much sums up the real agenda behind GDPR.

It would be better to call the bluff of these EUrocrats and see what they'll really do. Other countries can retaliate.


> Why am I not surprised that a European is saying that the government-backed "broadcasters" are all so good, and evil private American news sites are bad.

You are not surprised because you have a gigantic filter in your head that turns everything into exactly what you already expect regardless of what it is. The second part of that sentence makes it quite clear what your mindset is.


> Why am I not surprised that a European is saying that the government-backed "broadcasters" are all so good, and evil private American news sites are bad.

Nowhere in that comment can I find a reference to American (evil) news sites. There are more than enough private news sites based in Europe, so I wonder why you are so hell-bent on making this an EU vs US thing. Most EU residents will read news in their own language (which in most cases isn't English).


Why am I not surprised that an American is crying over potential harm to the unethical business practices of some of its most darling corporations by an EU rule to protect its citizens.

Every time the EU implements some law or regulation regarding control of personal data and privacy, someone (an American) has to dismiss all the problems those laws are intended to address entirely, and go on to post some defensive, nationalist spiel about it being an attack on US companies.

Perhaps the problem is that these companies make their money in an incredibly unethical way that an increasing number of people are very uncomfortable with?

Stop turning this into something it isn't. All you are doing is poisoning the debate.


Privacy first, profit second. I think that is a wise decision the EU makes (disclosure: I'm an EU citizen). 'The media' surviving on a distorted revenue model is not healthy and I will not believe it is necessary to break your customers' privacy in order to make a profit.


I completely disagree with this. Firstly, the media currently are too lucrative for my taste and that's why we have everyone being a journalist and publisher. By cutting down on the easy money, only those worth surviving will probably stand. This will seriously cut down on more than just ads, i.e. fake news and unverified sources. An alternative I'd love to see is sponsored articles as the main source of income for these. Let the corporations have to pay bigger bucks to have their posts published. This will hopefully reduce the clutter, and force the media outlets to provide quality content to keep a certain level of trust and quality to attract businesses as well as a good targeted audience.

Personally I'd love to have most media completely in the dark about visitors, to solely speculate on the quality of their own content. The only metric they need is daily visitor count. Everything else can be shaped by type and quality of content. A great example is HN, where we have a very targeted audience due to the content it serves. It obviously also has some sponsored articles, but also the indirect benefits it has on new startups and so on. Just treat it as TV marketing and not a per-person customized monetization strategy.


> Firstly, the media currently are too lucrative for my taste and that's why we have everyone being a journalist and publisher.

As someone who works in media: I'm sorry, what? Publishing is certainly not more lucrative than ever, and publishing online now is a far worse business than publishing a physical newspaper pre-cable TV. The proliferation of outlets is due to lower barriers to entry and less need for capex. Plus a little bit of VC optimism.


Depends how you look at it. You are an employee in the media space, I guess you're in an ok situation but also not swimming in cash. However I thought more in the line of media companies and solopreneurs.

Everybody seems to be joining the race to the bottom by delivering more questionable content for 2 more clicks per day instead of relevant articles and real journalism. Also, not to step on anyone's toes, this obviously doesn't apply to every individual, however a large majority seems to be doing it. This also makes it hard for the good guys to prevail, I guess.


>This will seriously cut down on more than just ads, ie fake news and unverified sources.

Why do you think so? I don't see the clickbait industry seriously affected. They churn out a ton of crappy content which costs almost nothing to produce (at least if compared with reputable journalistic work), monetize it with low quality ads for shitty CPM rates, but as long as part of their content goes viral, tons and tons of pageviews allow them to balance everything.

GDPR changes nothing in this business.


There has to be some limit to how low they can go cost wise in delivering crap. Also as it becomes harder to get big bucks, people will shift to other lines of crap work.

GDPR in my mind influences this indirectly in the long run. It's not like it will kill fake news the week after.


Nothing about ads on the internet implies tracking.

The simplest solution is that newspapers host the ad on their own server as a .png or .jpg that gets shown to all visitors. It's tracking-free and GDPR compliant.


I don’t think the EU has thought it through. I work in a municipality in Denmark, one of the most digitized public sectors in the EU and we’re not anywhere close to being ready.

None of the hundreds of suppliers we use are truly ready, and how would they be? It took 45 years to build this tech, you can't just replace the innards in a few years. Estonia is the only country that is close to ready, and that's mostly because they've built their entire system with a focus on sharing and securing data. Nobody else has anything close to it.

It’ll be interesting to see how this plays out in the courts. I mean, keeping privacy data safe should be an important concern, but do we really want to close hospitals and schools because we can’t afford to pay the fines when it fails?


> In fact, I think the author is underestimating the impact, right here: "Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today."

To add to this, the quote paints complying with the legislation as a simple redesign. It would require much more than a redesign. The technical, administrative and legal costs of implementing the new system from scratch would be magnitudes higher than implementing the current system from scratch. And add on changing requirements as the legislation is in its infancy.


Or it could go the other way. If all media outlets decide to put up a paywall it forces people to actually pay for reading the news. Currently there are a few news outlets who plead for ad blockers to be turned off while still offering content for free. And since ad blockers allow you to add exceptions this doesn't create a level playing field between those outlets that advertise and those that are locked behind a paywall. GDPR might end up forcing the outlets reliant on advertising to also shift to paywalls effectively creating the level playing field that was lacking earlier.

Let's face it, despite social media being a great enabler for realtime news the quality of news is sub-par. The biggest bane of social media is the transfer of responsibility of filtering real news from a firehose of fake news, to the end user. Until that issue is solved people are going to probably pay for news. This is just my speculation of how things might go after GDPR.


Television and newsPAPERs were viable businesses before the advent of the internet. And on the internet, the need to spy on your reader is also quite new.

What makes privacy-sensible internet newsmedia nonviable might very well be the much more profitable spying on the client. If regulation makes that competition illegal, and demand for news is unaffected by GDPR (and why wouldn't it be), then it becomes more difficult for advertising companies to find newsmedia that provide that extra illegal profit-taking sugar, so they will go back to more traditional advertising plans. This, in turn, will make newsmedia's lives easier in regards to finding advertisers that do not demand spying on their readers.

At the end, sellers still need to advertise, providing ads supply, and readers still demand free newsreading, providing ad demand. The market still exists.


Publishers are getting squeezed out of the web by various forces. There is this GDPR, then there is also the web giants Facebook and Google squeezing them with their algorithms and in-app browsers. However, I'd say the net effect is positive because I'm seeing the lowest quality aggregator type blogs getting squeezed out and the only ones that are standing strong are the well funded publishers, which means better content.


I thought about it before. Yeah it will make analytics driven journalism unprofitable. But why this is a bad thing anyway? The old subscription model works and the quality of the content is high.


> No, it will basically make a newsmedia site unprofitable.

Good. We don't need that much "news" anyway. And I think my need would be more than covered by national TV, which is sponsored by taxpayers' money, and the BBC, which also has no advertising. There really won't be much of the value lost if we won't have sensationalized and invented news any more.

Another point to consider is that need for news, or just for some brain filler: I am puzzled by the apparent inability of many today to be alone and in silence. As if some thought that they cannot be comfortable with then starts to be loud enough to be heard.


> Good. We don't need that much "news" anyway.

The "we" is where you have a problem.


Ok, care to share why you personally need to be fed news 24/7. What's so important and fulfilling to know about the latest antics of some celebrity, or some crime blown out of proportion so much that you will think a killer is waiting for you on each corner, etc. What value does it add apart from creating more anxiety? Not to mention that news tend to misreport things a lot. (https://www.goodreads.com/quotes/65213-briefly-stated-the-ge...)


> Today, for instance, we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking.

Is there any evidence for this at all?


No, and I would say that statement is laughably wrong. Users install ad blockers to prevent annoying stupid things from monopolizing their time and space.

Telling a person "if you install this they'll stop tracking you in some abstract way" is way less effective than "install this and you won't have to wait to watch YouTube videos."


> install this and you won't have to wait to watch YouTube videos

Exactly the reason I installed an ad blocker. If YouTube had released their Red subscription in the UK I might never have installed the blocker (actually probably would have eventually, but later than I did)


I don't think so - I think blocking goes for both annoying and dangerous ads, _and_ blocking trackers like Facebook/Google's invisible pixels. At least I run uBlock Origin, AdGuard, ScriptSafe and Privacy Badger for maximum protection.


How many users do you think are like you? Especially in the number of plugins?


Here's #2 running a pretty similar cocktail (uBlock Origin, uMatrix, Privacy Badger, HTTPS Everywhere, Cookie AutoDelete and Decentraleyes).

There's dozens of us! Dozens!

But more seriously, there's actually lots of us. You don't hear about us because we don't narcissistically post about it on facebook. We just block shitty software and move on with our lives.

I have no stats for you though, because stats are usually collected through third party trackers, and I block them all, so I'm never represented in anyone's metrics. Based on some rough stats like these[1] and my own experience, I'd guess something like 1-3% of the population in western countries.

[1] https://www.quantable.com/analytics/how-many-users-block-goo...


But the statement wasn't "many people block tracking", it's "the majority of people using ad blockers are doing it for tracking and not for ads". That's a far different statement that is far harder to back up.


So, of that list I just posted:

ad blockers: uBlock Origin

ad and tracking blockers: uMatrix, Privacy Badger

tracking blockers: Cookie AutoDelete, Decentraleyes

other: HTTPS Everywhere

I'm mostly blocking trackers.


Good job repeatedly misunderstanding what the other commenter was saying.


Yes, I do it too - I have uBlock Origin, Privacy Badger and HTTPS Everywhere. I do it because the web is faster without ads and trackers. Just look at devtools and see how much time is saved by blocking requests.


I did some research on this last year. ABP still has the largest install base and about 50% of users click the 'block trackers' option when installing.

uBlock Origin is 2nd and rising in popularity, and it blocks trackers by default.

Both they (and others) depend upon the EasyList collection of URLs/regexes, etc. to block out sites and includes:

https://easylist.to/tag/tracking-protection-lists.html


I'd completely reverse the phrase: "majority of people who install an ad blocker do it to block ads. Blocking trackers is just an added bonus".


I don't believe the majority of people do not understand what 'tracking' entails even after the major outlets have talked about it. Most people do hate intrusive ads though so I do find that very hard to believe


Not evidence, but a portion of the users install blocking software to speed up browsing, and tracking blocking will often be the first target (it can be under "block third party script", same effect).

An example of this mindset: http://www.zdnet.com/article/how-to-speed-up-browsing-by-usi...


One of our mobile apps, Firefox Focus, pointedly targets users who want to block tracking but don’t care about advertising otherwise. I’ve personally heard a pair of unprompted non-tech people in a non-tech city discussing it over beer after work. I submit the existence of our app and my personal experience as sufficient to meet the terms of your question. “is there any evidence at all”: yes!


Your anecdote - not evidence - supports a claim that some people care about blocking trackers more than blocking ads. Which is a lot less contentious a claim than "a majority of people who install an ad blocker don't actually do it to block ads".


Indeed. If you’re truly in need of proof of the original claim, search advertising industry news for their various survey results of real people. The ad industry is pretty convinced that people are generally anti-trackers and not as much anti-ads. (They could be wrong, as could their surveys — but if you trust nothing, then no point can be proven.)


Every person I know that uses an ad blocker (5, including myself) does it to prevent tracking.

In fact, I want to whitelist certain websites (a dozen or so) to continue seeing ads, but I don't want to because I know that they are likely using Google for their ads and I don't want Google's little grabbing hands tracking me.


I work in IT and I don't know anyone (myself included) who uses ad blockers to block tracking. It's just about the annoying ads for me.


So 5 people out of how many million? Just Adblock Plus on Chrome has over 10,000,000 installs, and "most" of 10,000,000 is a big number. Even bigger when you say "not using it for ad blocking"


The #1 reason I use an ad blocker is to block YouTube ads.


Personally I do it for both, but I also run pretty locked down on my daily driver Firefox (less so on Chrome, which I use for sites that Just Won't Run without a bunch of dependencies that I don't want to individually whitelist).

For users I deal with, I do it as a preventive measure - I worry about phishing/spearphishing and other email vectored attacks, compromised websites, and the risk of a compromised ad network where even if something malicious is killed in minutes it could still reach tens of thousands of people.

And I still get AV alerts at least a couple times a month where the AV has blocked access to something that's recognizably part of a remote access scam.


Personally, I use an ad blocker for both purposes, but if not for tracking, I would be disabling it on many more websites to support them.


Agreed, I doubt this and if they have evidence, should link to a source/study.


I'd wager ad blocker usage correlates with YouTube ad frequency.


Yes. I’ve seen private studies on this. However it’s not the primary use-case BUT it’s still a significant enough reason.


I should note another (statistically) significant but smaller reason is to reduce bandwidth.


Not a majority. But I know GA is staying in the "not trusted" list of Noscript.


"If you look at what is happening around us, you can see very clear signals that the public has had enough."

No, outside of a few echo chambers, no one cares about privacy or knows what GDPR is. Until GDPR shows everyday on the evening news for weeks it will not be well-known, and there are many things more important to most people than online privacy. Heck, Cambridge Analytica was only a scandal because the "bad guy won".


While concern about privacy may indeed remain a niche thing, GDPR is intruding into the European public consciousness. In recent weeks I have received a number of e-mails from hotels I once stayed in, associations I am a member of, my old university, etc. to alert me to the fact that they have my personal data and under the GDPR I have rights regarding it.


> Until GDPR shows everyday on the evening news for weeks it will not be well-known

I think we crossed that point a few months ago in Europe. Last year I felt I was probably the only one of my real-life friends who even knew what GDPR was. These days, I see streams of articles about it on social media, aimed at non-technical people. Hell, last week my SO told me she started receiving GDPR-related e-mails at work from companies that are in business with her place.

I feel people do know. Unfortunately, I also fear they only think of it as yet another random EU regulation thing, and not realize the benefits it'll bring.


In which EU? :) Over here (Belgium), there has been a lot of talk in business fora (which are only frequented by a specific minority of companies), but in the general press I can't even recall seeing a single article. Even with those 'in the loop', the attitude is mostly 'wait and see', 'who is going to work on enforcement (the regulators haven't expanded)', 'maybe it will be another cookie law' (meaning a much-hyped 'the sky is falling' regulation which turned out to be: we'll install a component that handles the implicit 'ok' click and be done) and 'you never get a fine the first time, so why be proactive?'.


I am yet to find one friend or family member who has changed their attitude or behaviour towards Facebook after Cambridge Analytica.


This is all anecdotal, but I've had some (non-tech) family members ask about the Facebook privacy scandal and they wanted to review their privacy settings.


There is a huge long tail of SME 'website owners' that have no idea what they are in for. These sites are often developed/maintained by very cheap labor (students/off-shored etc) and sprinkled liberally with all sorts of 3rd party analytics/counters/share-buttons etc etc.

Not only do the site owners not even know that the site contains these things, if they do, they don't even realize the extent of data collection going on. I had a chat this morning with an owner like that. The site runs GA (they didn't know), the site runs ShareAholic (which they said wouldn't be a problem as they only use it to see in aggregate where their site visitors come from).

They never made a distinction between what data their site provides to these services through scripts or cookies, and what they themselves then get/use through the service provider.

This is not a special case. There are probably millions of these little business sites out there.


It's even bigger than that. It's been mentioned on HN before, but see the "GDPR Letter."[1] Anyone in the EU can send you such a letter, and you have 30 days to reply.

1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

b. Additionally, please advise me in which countries my personal data is stored, or accessible from....

c. Please provide me with a copy of, or access to, my personal data that you have or are processing.

2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

Then, once you've replied, they can request deletion of any or all of that.

[1] https://www.linkedin.com/pulse/nightmare-letter-subject-acce...


You should note that lots of what that letter suggests it has rights to are not rights granted under GDPR. Or at least would be subject to legal clarification.

If you send that letter, expect to receive a standard response/report of data with a form response that politely & legally amounts to “piss off”.

Large organizations have considerable resources set aside to make sure their “piss off” letter is legally defensible & GDPR compliant.

That letter is likely only a problem when selectively used by a malicious actor against a small organization. Frankly not the kind of org that is systematically tracking personal data.


> That letter is likely only a problem when selectively used by a malicious actor against a small organization.

Which is what is so annoying and economically destructive about regulations like these that are broadly applied to all companies, especially on the internet where single-person companies are very popular. They are designed in a vindictive way against large companies like Facebook or major online retailers who burned customers due to minimal information security investment.

But they so often ignore the reality of the burden it places on small firms, who account for 90% of businesses and 50% of employment, who can't afford lawyers or the legal risks of a 'piss off' letter.

The western economic environment continually gets more and more structured to favour large firms, encouraging large-scale merging, which usually generates the type of large oligopoly companies who most often do the things that cause regulations to get created, then imposed on smaller firms.

If Japan's economy is any indication, we do not want a state-heavy economy where big companies are the only sanctioned winners and smaller companies are heavily disincentivized by the state (whether indirectly, by side effect, or overtly).

If not having these laws created isn't an option (seemingly impossible in an administration-heavy org like the EU), I then hope someday these regulations start being structured like progressive income tax, using size minimums, or are contained to specific industries where it's clearly a problem (both of which would apply well to minimum wage laws, for example). So laws are pinned directly to a specific problem area justifying the heavy-handed state intervention, not just blanket laws on everyone.


For most smaller businesses there is no real reason to do all that much as long as you can answer such questions on an ad-hoc basis. Although of course we still have to see how widespread it will become in practice.

Basically you need to make sure you 100% know what data you collect (including any third parties) and make sure you have a good reason to collect it.

Honestly most of GDPR should be considered "common sense". It's just that many corporations actively act against the interest of individuals they collect data on, and it's precisely these practices that GDPR tries to correct.


Unfortunately even if you're already handling personal data responsibly, the GDPR still also requires that you be able to provide various documented policies to your regulator on demand, still contains lots of ambiguity about how far subject rights can go in practice, still imposes obligations to include lots of extra detail in privacy policies or otherwise provide lots of information and active warnings to data subjects, etc.


How about, “Our documented policy is to not collect personal information from users at all.” Assuming it’s true, wouldn’t that be compliant?


GDPR also expands what is personal data to include things that are collected as a matter of course, such as IP addresses.

You likely have a reason to log that data but GDPR requires that you document it.

Further it reaches into your business even if you aren’t trying to do business in the EU, as EU citizens can come to your site without your control.

There is a lot to like with GDPR but it absolutely is expansive & easy to have many interpretations.


Maybe these things shouldn’t be collected as a matter of course. Should web servers log client IP addresses by default? Why? Does my mail server need to log email addresses of incoming mail by default? “Logging all the things” as default behavior really needs to be a thing of the past.

If anyone wants to get their feet wet in open source, there are thousands of high profile projects out there that could use a patch to scrub PII from their logging, and these are probably simple diffs.


> "Logging all the things" as default behavior really needs to be a thing of the past.

Maybe, but logging useful things is reasonable. We investigate problems with our systems using server logs. We diagnose various security threats, fraud risks and ToS violations using server logs.

We're generally respectful of users' privacy, but we also have a legitimate interest in knowing how our systems are being used and preventing people from doing bad things with them. Those legitimate interests may take precedence over a visitor's right to privacy in some cases, in the same way that you can't tell a government to forget your criminal record or a bank to forget that you owe them money.
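The two positions above (scrub PII out of server logs by default; keep enough in the logs to investigate abuse and fraud) are not actually in conflict, and a log pre-processor is the usual way to reconcile them. What follows is an added example written for this page, not code from the thread or from any project mentioned in it. It assumes Apache/nginx "combined" access-log lines, replaces the client IP with a keyed HMAC-SHA256 token (so one visitor's requests can still be grouped during an incident, and anyone holding the key can re-derive the token for a known address from an abuse report), masks e-mail addresses that leak into query strings or referrers, and drops lines it cannot parse rather than passing them through. The log lines are constructed. One caveat a practitioner should keep in mind: under GDPR pseudonymised data is still personal data (Art. 4(5) and Recital 26), so this lowers the exposure and the retention burden but does not take the logs out of scope, and the HMAC key itself becomes material you must protect and rotate.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [08/Apr/2018:10:15:32 +0000] "GET /article/123?email=alice@example.org HTTP/1.1" 200 5120 "https://example.com/?user=alice@example.org" "Mozilla/5.0"
2001:db8::1 - - [08/Apr/2018:10:15:33 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58.0"
not a log line
"""

# Combined format: the first whitespace-delimited token is the client address.
LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymize_ip(ip: str, key: bytes) -> Optional[str]:
    """Keyed HMAC-SHA256 over the packed address, truncated to 64 bits.

    Same address + same key -> same token, so an investigator can still group
    requests by visitor and can recompute the token for a known address.
    Without the key a token cannot be brute-forced back to an address; an
    unkeyed hash could be, since the IPv4 space is only 2^32 values.
    Returns None when the token is not a valid IPv4/IPv6 address.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def _mask_email(match) -> str:
    # Keep the first character and the domain, enough to spot a pattern of
    # abuse against one provider without retaining the full address.
    local, _, domain = match.group(0).partition("@")
    return f"{local[0]}***@{domain}"


def scrub_line(line: str, key: bytes) -> Optional[str]:
    """Return the line with the IP pseudonymised and e-mails masked, or None.

    Lines that do not parse are dropped rather than passed through: an
    unrecognised line is exactly where unexpected PII would slip out.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    pseudo = pseudonymize_ip(m.group("ip"), key)
    if pseudo is None:
        return None
    return pseudo + EMAIL_RE.sub(_mask_email, m.group("rest"))


def scrub_log(text: str, key: bytes) -> Tuple[List[str], int]:
    """Scrub every non-empty line; return (kept_lines, dropped_count)."""
    kept: List[str] = []
    dropped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        scrubbed = scrub_line(line, key)
        if scrubbed is None:
            dropped += 1
        else:
            kept.append(scrubbed)
    return kept, dropped


if __name__ == "__main__":
    # Hypothetical key for the demo; in production it comes from a secrets
    # store, is never written to the source tree, and is rotated on a schedule.
    demo_key = b"rotate-me-regularly"
    lines, dropped = scrub_log(SAMPLE_LOG, demo_key)
    for out in lines:
        print(out)
    print(f"dropped {dropped} unparseable line(s)")
```

Run this as the stage between the web server and long-term log storage (or as a filter in the log shipper), keep the raw, unscrubbed stream only for the short window you can justify, and treat a key rotation as the point at which old tokens can no longer be linked to new ones.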


What if you have a forum and users of that forum commit a crime, police asks you to give up their data and you say you don't have any data?


> you say you don’t have any data?

And what's wrong in telling the truth to the police? Sounds great to me. Also, see how Signal responds to such requests.


Presumably it would, but since approximately 0% of businesses that actually do anything could make such a statement truthfully, that doesn't help very much.


> The western economic environment countinually gets more and more structured favouring large firms, encouraging large scale merging, which usually generates the type of large oligopoly companies who most often does the things that cause regulations to get created, then imposed on smaller firms.

This is where socialism differs from communism - in socialism you have big privately owned companies, whereas in communism these are state owned. Everything else is more or less the same. Europe is currently under transition from group of mostly free mostly capitalist countries into full retard socialist authoritarian regime. Regardless of that, GDPR is a very good thing, shame it has only been introduced now and not 10 years ago.


While I agree with your opinion about the GDPR, your analysis of Europe is otherwise plainly wrong. You would be aware of this if you actually followed EU politics (there is currently a strong trend towards right-wing / center politics. Left-leaning parties are moderately out of favour), which you definitely do not have to do. Just try not to spread misinformation on the internet: There is plenty of it to go around already.


Not true; GDPR explicitly grants a large number of rights to the data subject. [1]

These rights include:

* the right to be informed about what data is processed

* the right to access all data gathered about them

* the right to rectification of incorrect data

* the right to receive an export of the data in a common format

* the right to object, to have all data removed, and to restrict processing until further notice

GDPR also requires a data controller to respond within a month, and not charge any fee for this unless the requests are excessive (because they are repetitive). [2]

[1] https://gdpr-info.eu/chapter-3/

[2] https://gdpr-info.eu/art-12-gdpr/


The letter is a nice mix of asks that are specifically covered, rights that might be covered & things that are not covered at all.

In that sense it’s a great way to rattle someone without specific GDPR guidance. But all things being equal, the large orgs that are capable of systematic data collection, are not at all troubled by it & certainly won’t be answering it with direct point by point answers.


Which things that are mentioned do you believe are not covered?


I’m not a GDPR lawyer or auditor, so nothing in this reply should be seen as advice.

My general feel is that if he didn’t cite a specific article it was on purpose. He took implications or broad interpretations for anything not explicitly cited.

A couple that jump out immediately are the requests for server locality information, retention periods & specifics about security policies; those are likely to get a very polite “we conform to industry best practices, piss off” reply.


That's all neatly laid out in article 13. [1]

I'm not a lawyer but having extensively studied all of GDPR recently I'm afraid the letter seems legit. If there's any error it will be a minor one.

[1] https://gdpr-info.eu/art-13-gdpr/


Article 13, to my reading, provides no basis for requiring locality information or security policies. The retention declarations I’ve seen have been legal niceties that don’t answer the question in a way that makes it clear what the retention policy is.

I’m not suggesting that the letter won’t get a response. I’m suggesting there isn’t anything in it that would cause a large organization to send any different a response than if they got a letter written in crayon that said “gives us the GDPR data”.

In that way it’s not a “nightmare” letter. It’s the default thing you pay lawyers for.


Is there anything stopping these letters from being abused like DMCA Takedowns? Just one of these looks like it'd tie up a human worker for days. How much personal information are you going to have to provide to ask for such data? Especially for ".. provide me with a copy .." Does any of this apply to "anonymized" data?


You can charge reasonable administrative fees or refuse to act if the request is "manifestly unfounded or excessive, in particular because of their repetitive character". [1]

[1] https://gdpr-info.eu/art-12-gdpr/


Is a single request like this from a single individual excessive or repetitive though??


I think GDPR intends to protect businesses from "denial of service attacks" through sending many repetitive or bogus requests. A single, legitimate request is definitely not excessive.


So if you get 100000 individual requests is that going to be excessive? There are people organising already to send such requests to various sites.


Unless your PII workflow is bonkers, you should be able to respond to those letters in mostly automated fashion.

I mean, you do handle your data in mostly universal way, instead of randomly copying pieces of your database to random parties? Right?


How do you automate checking if the person requesting the data is who they claim to be? How do you automate reading an email and giving a meaningful response?


I admit I'm not sure what the verification part is supposed to look like. For the rest, I assume that if you have a standardized data flow (and don't randomly resell people to different parties), you could automate the part that writes responses, and only have humans read the original mail and check appropriate checkboxes to generate a standardized reply covering all the relevant points.


> Anyone in the EU can send you such a letter, and you have 30 days to reply.

What's the process for authenticating who sent the letter? Seems like a potential new attack vector.


Precisely this. Once you’ve dealt with sensitive data where authentication is required (real life, signatures with witnesses and all), the surface area for attack when it comes to data request is huge if the burden to reply is based simply on an email. Sending an email request is practically free with automation, which provides a nice way for phishers to know where targets store their information. Anyone know of how some companies are authenticating requests?


In Germany you generally need to send a real letter (or a fax) and it needs to contain your signature.

"Authentication" for this is provided by harsh penalties on signature forgeries. Also, you'd only get one single data point and everything really sensitive has address data and they will* send their response to a known address.


If all information you have about a person is their email (and usage data) then this won’t make a difference though... The GDPR considers even an IP address personal data, even if you have no way to correlate it with a real person. So where does this leave you if you have to respond?

Imagine I’m sending a request for information from a given IP address, requesting all the personal information you hold on that IP. I kinda proved that I’m using this IP and it’s part of my private data... but providing all information on this IP is likely to leak data on other people and there’s no way to legitimate the requester.


An IP address is only personal data in combination with a timestamp or similar time-related information. I don't see an attack scenario where an attacker would gain anything useful.

Note that he's probably still risking jail time over this.


German courts have ruled that IP addresses are personal data. EU courts so far agree. The timestamp is irrelevant.

The GDPR makes anything that can be potentially traced back to a person personal data, it's a much wider definition than PII.

It also means that constructing data sets may lead to personal data being generated out of non-personal data. So even if you only store IPs without timestamp, if you stored timestamps elsewhere and you could reconstruct the IP of the user, you're up for grabs.


> Note that he's probably still risking jail time over this.

I feel like most criminals are OK with that.


Do you have a source of that?


I dream of the day that I can ask various companies to delete every piece of data they have about me.


I dream of the day that I can discover the various companies who have any data about me...


Agreed, sadly there’s no chance for the US to get this for the next 2.5 years at a minimum


and you really think that they will? you pretty sure will get the following response:

ok -- hidden in their database -- (date_deleted = now()) fixed.


That's exactly what GDPR is for - I can be somewhat sure they'll delete it, and if I'm wrong and they do what you described, I'll laugh hard as they bleed money when discovered.


Yeah, the companies I know of who are implementing "right to be forgotten" because of GDPR are taking it 100% seriously and going through, in some cases, significant pains (dealing with legacy systems) to ensure compliance.
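To make the difference between the "date_deleted = now()" flagging described above and actual erasure concrete, here is an added example (not code from the thread or from any company mentioned in it). The schema and the rows in it are constructed, and the three tables are a hypothetical stand-in for the user row plus the tables that reference it in a typical legacy system:

```python
"""Soft delete versus erasure of a data subject (constructed example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a user row and the rows that reference it
    (hypothetical people and addresses, not taken from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, name TEXT, date_deleted TEXT);
        CREATE TABLE sessions(id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT, seen_at TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, user_id INTEGER, total_cents INTEGER, ship_to TEXT);
        INSERT INTO users VALUES (1, 'alice@example.org', 'Alice Example', NULL);
        INSERT INTO users VALUES (2, 'bob@example.net', 'Bob Example', NULL);
        INSERT INTO sessions VALUES (1, 1, '203.0.113.7', '2018-04-01T10:00:00Z');
        INSERT INTO sessions VALUES (2, 2, '198.51.100.9', '2018-04-02T11:00:00Z');
        INSERT INTO orders VALUES (1, 1, 4999, '1 Example St');
    """)
    return conn


def soft_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """The pattern the comment above describes: the row is flagged, but every
    personal field is still present and still joins to sessions and orders."""
    with conn:
        conn.execute("UPDATE users SET date_deleted = CURRENT_TIMESTAMP WHERE id = ?", (user_id,))


def erase(conn: sqlite3.Connection, user_id: int) -> None:
    """Erase the subject: delete rows that exist only to describe the person,
    and scrub the personal fields from rows the business has a reason to keep
    (the order total stays for bookkeeping; the shipping address and the link
    to the user do not), so nothing left can be tied back to them."""
    with conn:  # one transaction: either everything is erased or nothing is
        conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        conn.execute(
            "UPDATE orders SET user_id = NULL, ship_to = NULL WHERE user_id = ?",
            (user_id,),
        )
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))


def personal_data_for(conn: sqlite3.Connection, email: str) -> dict:
    """Everything still recoverable for an address: the user row plus every
    row that joins to it. This is what an access request (or anyone holding
    a copy of the database) gets back, flagged or not."""
    row = conn.execute("SELECT id, email, name FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return {}
    uid = row[0]
    sessions = conn.execute("SELECT ip, seen_at FROM sessions WHERE user_id = ?", (uid,)).fetchall()
    orders = conn.execute("SELECT ship_to FROM orders WHERE user_id = ?", (uid,)).fetchall()
    return {"email": row[1], "name": row[2], "sessions": sessions, "ship_to": [o[0] for o in orders]}


def retained_rows(conn: sqlite3.Connection) -> dict:
    """Row counts per table, so a reviewer can confirm that bookkeeping rows
    survive erasure while the rows describing the person are gone."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("users", "sessions", "orders")}


if __name__ == "__main__":
    db = make_db()
    soft_delete(db, 1)
    print("after soft delete:", personal_data_for(db, "alice@example.org"))
    erase(db, 1)
    print("after erasure:", personal_data_for(db, "alice@example.org"), retained_rows(db))
```

The check worth automating is `personal_data_for` run against the subject's identifiers after the erasure job: if it returns anything, the job missed a table. The same query is also a reasonable starting point for answering an access request, which is why keeping the join paths explicit pays off twice.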


Well the problem is who will control it? Angela Merkel? Manuel Macron? Oettinger - the European Commissioner? Seriously.. nobody will control.


> we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking.

This line severely damages the credibility of the article. I found the article interesting up until I read it. I stopped reading once I read it because I couldn't trust anything else the author says.

I highly doubt this statement is true. It may be true in very privacy-focused circles and amongst some circles of IT professionals, but I highly doubt it is true for the population.

If you make a statement this left-field, you've got to back that up with credible research and I highly doubt that statement was based on any credible research.


While I agree with you that the given statement is nonsense, I don’t think the reasoning to stop reading is sound. It’s safe to say that every author has an agenda of some sort, be it personal, business or otherwise, and you can’t and shouldn’t inherently trust them. But at the same time I don’t see that as a reason to not read what they write – healthy scepticism goes a long way.


Agreed.


My takeaway from the whole GDPR craze is that if you respect your users and have some ethics as to how you process their data then you don't have much to worry about to begin with.

If you are an asshole that's trying to get as much data off your users in order to resell them to the highest bidder, share it with "partners" (partners in crime that is), or to advertise/spam them with shit they don't need, then frankly you (or your industry) asked for this themselves.

The only downside I see to GDPR is that we've now opened the gates for a new breed of "GDPR consultant" that's gonna charge hundreds an hour just to rehash what the law says in a slightly different way and defraud businesses that way by pretending to be a valuable service (and no doubt there will be clueless execs that'll actually believe it and pay for that).


You seem to predict the law will have exactly the intended effects. That amounts to a very high regard for the lawmakers.

Remembering laws that haven’t worked as intended, and failing to recall anything particular about these lawmakers, I find your stance optimistic.


Do you have any citations for this belief? The law is pretty explicit that you need consent to collect data from users, they need to be able to view what you collected and they need to be able to delete it.

Are you hoping that nobody notices that you aren’t complying?


The point was that "if you respect your users and have some ethics", you're likely already almost entirely compliant with GDPR.


That's not true.


How informative.


Please read the grand parent comment. If you collect data that can be tied to the user using your app/site (e.g. create a session and store the id as a cookie), you need to get consent for that. On top of that, the user should be able to view and remove the data you have collected for them.


The author claims that for one-time visitors you're not supposed to have any 3rd-party tracking code but uses Google Analytics which Ghostery counts as a tracking code. How's that going to work out for practically every site in the world?


The author is wrong.

You just do what google does and ask for consent before providing access to the site. The user doesn’t need to log in to consent. Once consented, the site can set a cookie. Then that user becomes part of your “Full interaction users” bucket.


Sounds good to me but that would be only needed if you’re sending personal data (like usernames) to Google Analytics, right? If you’re anonymising IP and have no personal data in your URLs, there is no need for consent for GA tracking I think.


It doesn’t have to be personally identifying info to qualify. If you are storing data on behalf of the user, you have to get consent from the user.


Which pages were visited is not information stored on behalf of the user though. It is information stored for business analysis.


Which is used to enhance the product, so it's okay to collect and require for consent.


What if they don't consent? Will you have to not do analytics for that user? You can't block that user as per GDPR if they are simply answering no to the consent.


You can argue that GA is critical to the existence of the site, so you are allowed to block non-consenting users. I hope anyway :)


Yes you can block. See the YouTube example.

As long as you have a valid reason to collect the data for the benefit of the user experience, you can make that a requirement to use the site.


What if the user doesn't consent? As I understand it you can make no difference in your service to those that do not 'opt-in' to your tracking.


It's going to work out that if they are under the coverage area for GDPR (have EU customers / EU nexus) -- they have to have visitors opt in to be tracked by GA, unless they can guarantee it can't be used to tie the user to any other PII.


How do you know a user consented to that when one computer could be used by many people?


Hopefully this castrates Google Analytics so much it's useless and goes away.


Why? Having insight into website traffic is hugely valuable to webmasters.


Why is it? Do you mean marketing people rather than webmasters? Won't webmasters have logs?


In order to gain insight into how users interact with your website. This allows improvements to user experience. GA is definitely not only useful for marketing.


You can do user sessions/workshops, which would be more valuable.


Yes, but they don't replace the value of the aggregate data.


They shouldn't have to feed information to Google -- they just need to look at the logs on their servers. Y'know... the way we did it before Google Analytics came along.


There's an entire industry around parsing logs though. Even "big data" companies outsource their log parsing.

Requiring every website to create graphs and stats from log files is not practical, especially with websites that don't have a constant developer on it. Think blogs, recipe websites, restaurants. Google Analytics provides an insanely good value for them and it's a good thing.

It's not like pre Google Analytics we had a golden age of website stats.


Why do you need those stats anyway?

It's not like your webmaster is load-balancing your cluster using Google Analytics feed. Let webmasters use tools for webmasters, and get rid of the marketing crap.


The numbers are hugely valuable for small businesses in particular. It enables A-B testing of pages/posts, insight into which external platforms are providing the most traction, etc.

Essentially, it enables you as a small business to determine where you should be focusing what's probably a very limited budget in order to connect with audiences who are actually interested in your product/service. There's no exploitation or sale of data or misuse of private info involved.


sounds like advocating going back to the middle ages because "people were simpler"


The website should still work without analytics.


The company would not (one can argue). Business analytics are critical.


Thanks EU, we'll have more popups than ever that everyone's going to agree out of habit.

It's not fun seeing a popup on every site you visit. This should have been a browser-based implementation globally that every site must adhere to.

Even worse for me, I browse exclusively in private/incognito mode and this is going to make that unusable with consent popups on sites on every visit.


I'm not bothered by it. If websites see their engagement fall due to so many popups, maybe they'll stop asking for so many things that require consent. Come to think of it, maybe that's the point.


A few weeks ago the internet was on fire because the abolishment of net neutrality law would kill the small startups who were trying to compete with giants. It's interesting to see people supporting the exact opposite situation now.


The popups have to allow users to say no. They can't require your consent for <XYZ> if it is not directly related to providing the service.


> This should have been a browser-based implementation globally that every site must adhere to.

This. If the EU actually cared enough, they'd go to the browser vendors to enforce some basic prompts on tracking and forms, and it would be better than GDPR because it would work for everyone from day 1. This law will bring a few more prompts and not much else (because most services can be provided with slight changes like hashed IPs).

Cookie prompts on every site you visit on your slow-ass phone connection are really really annoying and should go away. But Americans don't protest about them because they don't see them and Europeans are, well, sheepish.


That's exactly one of the things that might happen with the ePrivacy Regulation: "By centralising the consent in software such as internet browsers and prompting users to choose their privacy settings and expanding the exceptions to the cookie consent rule, a significant proportion of businesses would be able to do away with cookie banners and notices, thus leading to potentially significant cost savings and simplification."

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241


Or the tech industry could decide that'd be useful to have and implement it. They could put it in a HTTP header with a nice name, maybe "do not track", and don't bother people activating that with tracking or prompts. Oh wait...

How many websites are doing that? How many choose "let's bother our users" over respecting their stated preference?


IIRC this is exactly what is being done with the upcoming ePrivacy directive. For example I believe it will become mandatory to honour the DNT header.


You are still going to display a popup to know if user is aware of his setting for a particular website.


I've had to deal with this at work (anticipatory only so far), but what I can't seem to figure out is what the inquiring European needs to provide to us to prove that the data we have is actually theirs. We don't capture pii data in most instances, so if someone requests their info under GDPR and provide us an IP and a time do we take them at their word?


There's clear language in the regulation on the obligation to validate the identity of the data subject.

How to do that in a satisfactory manner... leading practices might take a few months to crystallize.
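One way to do that identity check for requests arriving over e-mail, which both the question earlier in the thread about authenticating requests and this comment leave open, is to challenge the channel already on file rather than trusting the sender address: a one-time token is sent only to the address the controller holds, and the request proceeds only when that token is echoed back. This is an added example, not code from the thread or from any company; the `ACCOUNTS` table, the account ids and the e-mail addresses are constructed, and the 24-hour token lifetime is an assumed policy value.

```python
"""Hypothetical request-verification flow (constructed example)."""
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample of a controller's records: the e-mail address is the
# only contact channel on file (hypothetical accounts, not real people).
ACCOUNTS = {
    "acct-1001": {"email": "alice@example.org"},
    "acct-1002": {"email": "bob@example.net"},
}

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed policy value

# Pending challenges, keyed by the SHA-256 of the token so that a leaked copy
# of this table cannot be used to confirm a request.
_pending: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def start_verification(claimed_email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time token for a request that claims to come from
    `claimed_email`. Returns the token, or None when nothing on file matches.

    The token must be delivered only to the address already on file, never to
    the reply-to of the incoming request: the requester proves control of the
    known channel by echoing the token back. The outward reply should read the
    same either way ("if we hold data for this address, a confirmation link
    has been sent"), so the flow does not reveal which addresses are stored.
    """
    now = time.time() if now is None else now
    wanted = claimed_email.strip().lower()
    account_id = next(
        (aid for aid, rec in ACCOUNTS.items() if rec["email"].lower() == wanted),
        None,
    )
    if account_id is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _pending[_digest(token)] = {"account": account_id, "expires": now + TOKEN_TTL_SECONDS}
    return token


def confirm(token: str, now: Optional[float] = None) -> Optional[str]:
    """Redeem a token. Returns the verified account id exactly once, or None
    when the token is unknown, already used, or expired."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # single use: removed on first attempt
    if entry is None or now > entry["expires"]:
        return None
    return entry["account"]


if __name__ == "__main__":
    t = start_verification("alice@example.org")
    print("deliver to address on file:", t)
    print("confirmed account:", confirm(t))
    print("second use:", confirm(t))
```

Only the digest of the token is stored and each token is consumed on first use, so neither a read of the pending table nor a replayed confirmation link lets someone else complete the request. When the only identifier held for a subject is something other than a contact channel (an IP address, a cookie id), this flow does not apply, which is exactly the gap the comment above points at.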


> I have yet to see any publisher who is actually changing what they are doing. Every single media site that I visit is still loading tons of 3rd party trackers. They are still not asking people for consent...

I’m pretty sure the reason for this is that they know that the day they switch over to GDPR compliance, their ad revenue from EU will take a nosedive, and they don’t want to throw away that revenue for the sake of being early.


> One-time users includes all one-time visits and all the visits where people have not done anything to give you their consent. This means you cannot load any 3rd party tools. All your ads have to be delivered via 1st party means (so no 3rd party ad code) and it cannot contain any personally identifying information.

That is one weird claim. Let's count "one-time user" as someone completely anonymous -- no cookie, no login name, nothing. Let's say someone browsing in incognito mode from a freshly installed PC.

By definition the publisher has no personal data about this person, so GDPR doesn't apply here, IMHO, and it's quite fair. Why can't the publisher load some 3rd party tool?


But there is a lot of other PID with this visit - ip address, cookies, browser fingerprint


Ok, let's say I, as a publisher, don't set a user cookie if the user hasn't registered/logged in, and don't store IPs in logs, and don't do browser fingerprinting.

Why can't I load some 3rd party tools?

What the author is claiming, essentially, is that in a mere 2 months from now, you can sue almost any European publisher for a data privacy breach. Outrageous claims require outrageous proof.


> Why can't I load some 3rd party tools?

You can, you just need assurance that they're also GDPR compliant if you want to be GDPR compliant.

If the third-party violates GDPR, but requires your website to run on (e.g. third-party JS, other types of beacons), I think judges are going to have a dim view on that, and so you can't simply claim that it's them, not you. (There may be mitigations, e.g. if you have a contract with them that spells out GDPR compliance, but then they break that - but how many people have contracts for the JS they embed?)

Edit: One way this argument could be laid out is that by including such third-parties in your website, you're instructing the browser to load them, and therefore effectively forwarding GDPR-related data to them. Technically, this isn't really too different from a REST API call you'd perform on the server, or an AJAX call (although the server call doesn't necessarily forward e.g. the IP).


Interesting. I personally use uBlock and "cookie autodelete", which deletes cookies for all sites except the white-listed ones each 5 minutes, automatically.

So if your interpretation is correct, and GDPR affects even completely anonymous users, I'll be seeing and clicking "consent box" each time I go read a newspaper or just do general browsing. Like the "we use cookies" stuff, but on steroids.

EDIT: but still, I find this hard to believe, tbh. It means no ads served to anonymous users, and this has consequences I can't even imagine.


Of course you can serve ads, they just can't use any personal information or tracking unless people have consented. Ad blockers will still be a thing.

As for consent, you have to be able to refuse. A consent box popping up each time would be the dumbest way to do this, but not that different than those full-screen email/newsletter begging boxes we have now.


Why dumbest?

If we agreed that even incognito browsing contains the traces of PII, publisher has to get my consent, explicitly, that's the whole point of GDPR. I see no other option than to do popup window for each new visitor (where new == has no associated cookie). What are other options?


Don't use the PII. Is that really too much to ask?


You can display ads, just not personalized ones. Might even lead to more static image or text based ads, which have a higher chance of not being blocked by users


>You can display ads, just not personalized ones

Well, it's 2018, and most publishers rely on some 3rd party ad-tech to serve the ads. They don't have direct contracts with advertisers, and definitely have no tech in house. If 3rd party calls are prohibited, their ad revenue disappears overnight.

Will be interesting to see how it develops.


Also user can require the service to remove his personal information and that means that service provider has to notify services he uses to stop using and remove that PI.

How will this work with Google Analytics and things like that? Will random e-shop be required to notify Google to stop using/delete PI for random persons upon request?


Because almost assuredly the 3rd party tools collect that information and you are responsible for what you put on your website. The article specifically mentions this when talking about data processors and data controllers.


Just because you aren't doing browser fingerprinting doesn't mean the third-party script you are loading into the user's browser isn't.


Noob question: How is that person-identifying information?

Seems like it's machine-identifying information. You can't tie it to a real-world name and email (which the top voted comment claims is the essence of GDPR).


GDPR does not concern itself only with person-identifying information, it concerns itself with "personal data" which is defined as "any information relating to an identified or identifiable natural person". [1]

The GDPR definition of personal data is VERY broad, and it explicitly includes things like:

* name, email, date of birth, etc (probably no surprise here)

* any user behaviour (what you look at, what you click on)

* uploaded content (what you write, your uploaded avatar etc)

* ip addresses, device ids

* beliefs, ethnicity, sexuality, health data (additional restrictions apply here)

* biometric data, genetic data (additional restrictions apply here)

[1] https://gdpr-info.eu/art-4-gdpr/


You can tie such visit to a real person. For example, if this is a Facebook user, and your site includes resources from facebook.com, Facebook will know exactly which real person visited your site, and the user did not give you consent to share such info with Facebook.


Isn't that in Facebook's court though?

They acquired your name, birthdate, address, etc. And they didn't acquire it through your website.

Calling IP address or screen size "person" identifying information seems a stretch to me.


If you embed a Facebook like button and Facebook loads their scripts into YOUR site then it is YOUR responsibility to make sure Facebook is compliant with the law.

The same goes for ad networks. YOU are responsible for making sure the ad network is compliant. If you include a non-GDPR compliant ad network script on your site and somebody complains, then you are in for it because you were ultimately responsible for that network being able to track the user on YOUR webpage.

If Facebook is GDPR compliant and has consent from the user then you are in the clear. If Facebook is not GDPR compliant and tracking people who aren't users then an EU or local court will set up a campfire under their asses (German courts already have).

IP addresses are definitely personal data (PII and Personal Data are different, the GDPR defines and cares only about the latter; PII is mostly a US term used interchangeably with PD on the internet). German and EU courts have ruled that since an IP can be traced back to a person, it's personal data. Unless you have a good reason to log it (hint: firewall and webserver logs) then you need consent for it.


No, since you are the controller of your site hosting the Facebook component. Facebook is in that workflow 'merely' a data-processor. Advertising companies have lobbied long and hard to drive an interpretation of the GDPR in which they would be considered a 'controller', resulting in 'nothing changes for the business, really'. AFAIK, they (thankfully, from a privacy perspective) failed.

It really is very much like environmental regulation. Before things like the EPA etc. came to be, it was a toxic 'everything goes' type of environment. Transition to a regime where businesses are held to data responsibility might be painful at first, but ultimately hugely beneficial to all.


So pretty much every page is going to get a "loading page" again where users have to confirm if they will allow Google Analytics, etc. to be used? And probably a warning about cookies? That's how this is going to play out, yeah? At least for sites that fall under it.

Not sure that really accomplishes the intent... seems like it'll just be an annoyance to all non-cookied users.


Site is down, here’s the google cache link: http://webcache.googleusercontent.com/search?q=cache:https:/...


Doesn't the NSA and other intelligence agencies collect detailed data on everyone? They also seem to have backdoors into a lot of centralized systems.

Nobody seems to care that government organizations sit outside of regulation and tell us we need to regulate everyone else. It's simply a power play.


Besides that, there are regulations that allow them to do this. Even for European Agencies it will continue to be legal to do so.

Government organisations don't sit outside of regulations. The regulations are designed around their needs and they make sure their regulatory needs are met.


This article is not totally accurate.

For ex. you can track anon visitors fine if you generate an ID identifiable ONLY in your DB. So if you store only an ID in the DB (awaiting to be matched when a conversion is made with consent given) it is totally fine, because even if someone hacks your DB they won't be able to match that ID to any person, even if they have other data from Facebook, Google etc.

In case of an IP it's a different thing. If you get an IP, you can actually identify a person if you have a DB with the IP+other personal information about it.


How are you tying your ID and the user? If it’s a cookie, you need to get consent and let the user view and rectify information tied to that ID.


nobody realized how big of a deal GDPR is going to be. if you digitized your partner's business card, if you store their number on your phone etc that's personal data and that all needs to be renegotiated and you need a database to keep track of their informed consent.

a little exaggerated for fun here https://www.brandexpublishing.co.uk/the-new-procedure-for-ex...


You don't even have to digitise the information, if you were to store your business cards in a structured filing system they would be under the GDPR too [1]

[1] See definition of personal data: https://ico.org.uk/for-organisations/guide-to-the-general-da...


I wonder what that means for Rolodexes.


That article brings up good points about synchronizing data. I intentionally do not keep my friends' names in my contacts (I primarily use recent numbers, and I started storing a few anonymous names when Signal required use of actual contact entries) because I do not want my friends' data to be sent to whatever random service I might have installed.

Given the whole Cambridge Analytica thing this seems good.


This article focuses very one-sidedly on the consent aspect but this is not the whole story. The basic principle behind GDPR is not "getting consent" it is "if you want to collect or process data you need a justification" [1]. The justification should and will be in most cases some other law or regulation. Only if you can't find that justification elsewhere you will need to get consent.

A good example for this is the Cookie under GDPR. The original plan was for both the GDPR and the ePrivacy Regulation [2] (not to be confused with the ePrivacy Directive) to come into effect on 25 May 2018. The ePrivacy Regulation would have given the justification for using analytics Cookies without consent. Now that the ePrivacy Regulation is delayed some argue that national laws can provide that justification until we have an EU Regulation.

[1]

>In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law [..]

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=146243980...

[2] https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_...


"Today, for instance, we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking"

No, it's the other way around.


Does this mean every site will need to ask permission for Google Analytics?


Google has been working on making Google Analytics GDPR compliant, but you must actively change some settings to pseudonymize collected data and also sign/accept a GDPR contract with them. Also you must make sure to not explicitly add any personal data to GA. For example avoid sending any user names, email addresses, ip addresses, or any form data to Google Analytics as part of event data.

I don't have an overview of all steps required but provided you do this then GA should still be allowed to be used without explicit user permission.


A very good question to which I don't know the answer. But what I do know is that since IP addresses are considered personal information, you can tell the GA script to anonymise it.

https://support.google.com/analytics/answer/2763052?hl=en

Of course, that doesn't stop that IP address becoming known to the GA servers, but they should stop it being used further down the line.

I suspect it's similar to using a CDN where the IP address again is passed to a third party.
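What the GA anonymisation setting linked above actually does, per Google's support page, is truncate the address before it is stored: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero. The same truncation is the usual answer for the firewall and webserver logs mentioned elsewhere in the thread. Here is an added example (not the thread's code and not Google's implementation) that applies that truncation to single addresses and to a constructed access-log line; the log format is assumed to be the common format with the client address as the first field.

```python
"""IP truncation of the kind Google describes for anonymizeIp (added example)."""
import ipaddress

# Bits of the address that are kept: /24 for IPv4 (last 8 bits zeroed),
# /48 for IPv6 (last 80 bits zeroed), as documented for GA's anonymizeIp.
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(addr: str) -> str:
    """Return `addr` with its host part zeroed.

    Works for both address families; raises ValueError for input that is
    not an IP address, so a caller never silently stores the raw value.
    """
    ip = ipaddress.ip_address(addr)
    host_bits = ip.max_prefixlen - KEEP_BITS[ip.version]
    masked = int(ip) & ~((1 << host_bits) - 1)
    # type(ip) keeps the family: ip_address(int) alone would misread a small
    # IPv6 integer as IPv4.
    return str(type(ip)(masked))


def anonymize_access_log(line: str) -> str:
    """Rewrite one access-log line whose first field is the client address.

    Lines that do not start with a parseable address (continuation lines,
    junk) are returned unchanged rather than dropped, so nothing is lost
    from the log while nothing identifying is kept.
    """
    if " " not in line:
        return line
    first, rest = line.split(" ", 1)
    try:
        return f"{anonymize_ip(first)} {rest}"
    except ValueError:
        return line


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges, not real clients.
    for sample in ("203.0.113.77", "2001:db8:85a3:8d3:1319:8a2e:370:7348"):
        print(sample, "->", anonymize_ip(sample))
    print(anonymize_access_log(
        '203.0.113.77 - - [08/Apr/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512'))
```

Truncation is a reduction, not an erasure: a /24 still names a block of at most 256 hosts, and as the earlier discussion of IPs plus timestamps points out, a small site whose log also keeps exact times can still narrow that down. Dropping the address entirely, or keeping only aggregated counts, is the safer choice wherever the per-request address is not needed.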


This is true, but you also must engage in a GDPR contract with Google Analytics. I believe they have recently added this as a feature somewhere.


I researched this and didn't find a conclusive answer yet. What I found out is:

The original plan was for both the GDPR and the ePrivacy Regulation [1] (not to be confused with the ePrivacy Directive) to come into effect on 25 May 2018. The ePrivacy Regulation would have had a special exemption for analytics cookies. Whether that would have been enough to not require consent for Google Analytics I do not know.

Now the ePrivacy Regulation is delayed but the GDPR is not. I didn't find a lot of information about what that means for the time after 25 May 2018. The following is from German sources (primarily e-recht24.de [2]) and is only from a German perspective.

Google's terms [3] in accordance with German law currently require consent in the case of AdSense but not for Google Analytics. According to [2] this is in obvious conflict with current EU law but the EU Commission denies that.

e-recht24.de [2] is careful to avoid a clear statement about the situation after 25 May but from my understanding they hint that the situation will not change. German law is already in conflict with EU law and this fact is ignored by all parties. The GDPR will not change that situation.

[1] https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_...

[2] https://www.e-recht24.de/artikel/datenschutz/8451-hinweispfl...

[3] https://www.google.com/about/company/user-consent-policy.htm...


As far as I've researched, no. GDPR is open to the sorts of tracking that is used to make your product better. In the case of google analytics, you're watching for aspects of your product or blog that are doing well so you can produce more of the content viewers like.

One of the caveats though, is that you shouldn't be able to identify a specific user. So, you would need to anonymize the IP addresses you're tracking [1]. My understanding is that you should not be tracking or storing information that can be used to identify a single user. So cookies are ok, but you have to ask permission for any cookie that can be used to personally identify a user.

[1] https://developers.google.com/analytics/devguides/collection...


Ask yourself this simple question (per my other comment). If the answer is 'yes' (and I am not saying it is, btw): if 'every site' (your site) didn't, what do you think will happen? (Vs. what could happen.)


Yes, and if the user refuses to give that permission, the site has to honor that, and can’t refuse to provide its content. Same as the original cookie law, which almost everyone did wrong (thanks to the UK national implementation of it).


Most companies seem to be setting up GDPR portals to download/delete all your personal data. I'm waiting for the breach of one of these portals - that will be lots of fun to watch.


I am coming to the whole GDPR party really late (very recent startup).

For example we use Auth0 for our authentication service. Auth0 doesn't support storing everything. So we use the auth0 user id in a db table, which contains some user preferences.

Does that mean I need to get consent from the user to use their user id in our database, even though they are paying for this service, and we are paying for their Auth0 user account?

Also, if someone were to submit a GDPR request, how am I supposed to verify this person is who they claim to be?


If you cannot operate the service without that particular data, you don’t need explicit consent.


As a matter of morals/competitive edge, companies should try to keep personal data safe and perhaps not collect it at all.

That said, GDPR is ridiculous and in many countries, contradictory. This leads to litigation spaghetti code. It will be exploited in ways we can't yet imagine.

It is dangerous to assume GDPR applies to YOU if you are based in the US. As the world (thankfully) doesn't operate under a one-world government, let the EU live in their ignorant "This site contains cookies" world.


Most business will want to comply because the EU market is quite large.


It's a big market but not crucial. EU users are notoriously risk-averse and won't try new things, and wait for others to set the trends. The EU is important for global giants, but for more specialized, less competitive services, a cost-benefit analysis is needed to decide whether the EU is worth serving.


Can’t say I feel bad for them.


Why would you feel bad for them? They have had 2 years to prepare for this, hopefully a few fines here and there will make people realise this _is_ a big deal and they can't just ignore it.

About time too, I really really hope this has an incredibly profound impact on privacy and the EU will demonstrate this is a law people _must_ abide by.


Maybe the next version of GDPR will tighten the screws and take it all the way to the end user. You install some app and share your contacts with it? Pony up 10% of your annual income. You forgot your phone in a cab? That is putting everyone who has ever emailed you at risk. 15% of your annual income as fine for your carelessness. Would you still support it?

Such sweeping laws require a lot of thought and debate. It is unfair to say, “hey they had 2yrs so it is their problem”. We need to do better than, “must abide by law” and push for just and fair laws.


What makes you think this hasn’t had a lot of thought and debate? https://edps.europa.eu/data-protection/data-protection/legis... shows it took from June 2011 to December 2015 (at least; it builds on the European Data Protection Directive, whose history goes back to 1980 (https://en.m.wikipedia.org/wiki/Data_Protection_Directive#Co...)) to create.


>Would you still support it?

Omg. Yes. This is better than the stuff in my wildest dreams.

Fining people for bad opsec is a tremendous idea!


Sorry it was autocorrect. Wanted to say can’t say I feel bad for them.


So, we should all be monitoring all legal changes for every Internet connected country? Is PRC's great firewall a good thing? Because that is where things like GDPR will push the rest of us. The easiest way to comply with this murky EU regulation is to block the EU... especially since we cannot deny service on a case-by-case basis.


IP addresses being protected as personal data has an interesting side effect. You can't be compliant under both EU GDPR and Turkish internet security laws (probably shared by a lot of oppressive and semi-oppressive regimes). That law states you have to keep the poster's IP address for every post on the site and turn them over on court order.

Obviously, as with every law in Turkey, the enforcement is very subjective (for example, Twitter does not respond to most requests and nothing goes wrong for them. But say, if you're a non-Twitter scale website, you deny a couple requests or probably only one and you're getting blocked), and you might be able to get away with the "we don't store them/store them anonymized because GDPR" defence once.

Yes, there's a 'justice' loophole in GDPR, but I don't think the "we're still saving the IP addresses anyway in case a court requests it" argument would fly. In the end, to be perfectly legal in both jurisdictions, you'll probably need to differentiate based on IP address ranges or something.


> You can't be compliant under both EU GDPR and Turkish internet security laws [...] states you have to keep the poster IP address of every post on the site

GDPR does have specific exemptions for holding/processing data per legal requirements.


Yes, there's a 'justice' exemption/loophole in GDPR, but I don't think the "we're still saving the IP addresses anyway in case a court requests it" argument would fly.


Assuming I understand this correctly, GDPR basically makes products like Mixpanel’s JavaScript (browser loaded) library and other similar products from other companies unusable, since they are often set up to collect data (including IP addresses) on first visit. Adblockers make the data collected incomplete even if this wasn’t an issue.


If these products don't take steps to be GDPR-compliant themselves they are going to be unusable, yes. Which is why I assume most of them will do so in some form.

E.g. an analytics product does not have to collect IPs. I've seen one company in the field requiring customers to explicitly mark form fields as safe for tracking the contents of in session replay (so they don't accidentally end up with your customer addresses, while still allowing you to see how far people went with the signup process, which product options they had selected), ...


I think this is a cover up for making it easier for government officials to get data about you. To protect your customers you should store as little personal data as possible and encrypt all other data such as e-mail and messages, so it can only be decrypted by the user's password or key, of which you only have the hash. And also inform your customers about the importance of strong passwords or using keys. I tried to create a Microsoft account the other day and the password was only allowed to have A-z0-9 characters, with four numbers. You can probably guess most people's passwords by using their name plus the birth year of their child. So don't impose any rules other than length and a warning if the password hash is in the list of the 100,000 most common passwords.


Interesting analysis! I wonder how this would affect AMP articles. What happens when a one-time visitor (from the publisher's perspective, but not from Google's perspective) looks at the cached AMP version of the page on Google's servers and Google's domain? Ads and tracking could be hosted by Google as well (AdSense + Analytics), so everything is technically 1st party.

Wouldn't Google be the data-controller in that case?

Google might still be allowed to do the personal tracking if they ever obtained consent from that user. Another reason why the AMP caching is bad for the web, I guess.

And from the user's perspective AMP articles would become even more appealing because they would never be bothered with consent popups.


I read this as an extended consent banner ("this site contains cookies") + user ability to hard delete PII + IP. Hard delete is substantial, but the banner is just going to be ignored like the cookie notice. If that has an effect on traffic, it'll be punishing sites that don't require login/signup, which means the average EU consumer will be required to sign up for more accounts in order to do what they did before (because if you're going to require consent, why not require signup?). In any case, I can't see very many use cases where a site dials back its data collecting. Retargeting is the crux of ad-supported sites.


This article has it completely wrong. I work for an email tracking company and you can still have tracking tools but the ballpark has changed drastically for collecting user information.

Sadly, I feel this will hurt the ones without a proper IT force the most.


What if a site simply made available direct access to download all raw data related to a session / user account that had been stored? And of course attempt to describe / explain each data point. Would this be sufficient to meet the GDPR guidelines? I have only limited exposure to this legislation so far, but want to learn more. I have no reservations to share all data stored to a visitor, and would probably opt to do this if it covers you instead of painstakingly going through each data point to evaluate what needs to be done.

Give the user complete access to the raw data and give them the opportunity to delete all records of that data if they choose to.


Deletion/retention of data is the harder part, more than accessing data. Deletion after a reasonable time, such as an account shutdown request by the user. Or users should have the option to delete. Or if you keep data for a long time, encrypting it safely. Add on top of that legal holds (subpoena) and that it’s affecting your core data models; it’s not a simple task. It’s a lot of work.

One nice problem that popped up is we have MySQL tables that can’t handle the delete traffic fast enough. GDPR is not a project you want to leave till the last few weeks.


I’m not convinced IP addresses are automatically personal data. Granted, they CAN be personal data, if they can be linked to a specific person. But assuming I just keep generic log files, and that I would not in a subject access request be able to tell someone the IP addresses that the user has used, is it really personal data? Also, it is not clear to me what other laws require in terms of keeping log files. It is possible that by keeping no log files at all, you risk breaking some other law (UK).


It doesn't matter what you consider IP addresses to be, it matters what European regulatory authorities consider them to be.

And yes, many IP addresses can be linked to a specific person. I don't doubt that, by being logged in to Google, Facebook, and a bunch of other services, and by having an ISP that provides a unique IP address per subscriber, that the majority of sites out there that use 3rd party tracking know who I am just by my IP address at any given time.


To be clear, I am only talking about the interpretation of the regulation, not my own considerations.

The article made it sound like IP addresses are always personal data. My point is that, if I run a website and keep generic nginx log files, is it really personal data with regards to my website?

Yes, the ISP can link that IP address back to a person, but if that person came to me as the website administrator and asked for all data held for that person, I would actually not be able to make the connection.


Yes, it is. That you don't necessarily have the ability to make that connection doesn't matter, although if it turns out you have it, that of course makes matters worse. (This also isn't new under GDPR; current European law interpretation already supports this. See http://curia.europa.eu/juris/document/document.jsf?text=&doc... for the court decision firmly establishing this: since the visitor's provider has the data, and will share this data in some cases, it's possible to establish the link and the data thus has to be protected accordingly.)


Well, actually this analysis by White & Case of the same case [1] seems to suggest that it may not be personal data (paragraph “impact on businesses”) if the business has no means of linking the addresses to users.

[1] https://www.whitecase.com/publications/alert/court-confirms-...


Interesting, commentary I saw interpreted that more widely. Thanks for the link!


A stupid question: does this mean I now need to figure out a way to mask any IP addresses in any AWS logs? Like ELB/CloudFront/VPC logs?


This is going to be a much bigger problem for Amazon than it is for you personally, so it'll be interesting to see what AWS logs even look like come May 25th. If you don't have consent and a compelling business reason to store this PII then they definitely don't.

To give you one idea of how things will change in a post-GDPR world, I can tell you a story about how things are going in my industry: Most PII is going to be removed from domain WHOIS information.


GDPR defines "personal data" as "any information relating to an identified or identifiable natural person". [1]

The GDPR definition of personal data is VERY broad, and it includes things like:

* name, email, date of birth, etc (probably no surprise here)

* any user behaviour (what you look at, what you click on)

* uploaded content (what you write, your uploaded avatar etc)

* ip addresses, device ids

* beliefs, ethnicity, sexuality, health data (additional restrictions apply here)

* biometric data, genetic data (additional restrictions apply here)

[1] https://gdpr-info.eu/art-4-gdpr/


If I can make a connection between an IP address and a person, yes then it is personal data, no doubt.


Still NSA and their likes do collect and store all this data, so effective privacy/data protection/anonymization is still a task of the users themselves and their client tech.


Is the US government GDPR compliant, or does it not do business with EU citizens?

Or are they granted an exception for being trustworthy good guys, unlike these unscrupulous businesses?


I would imagine that only legitimate businesses have to be GDPR compliant. Government agencies almost certainly fall under some national security exemption.


Wut? No. The first organizations I'm going to send gdpr letters are hospitals, which are in no way businesses here in the Netherlands.


Many state run organizations have to be compliant too.


You think spies care about being compliant with privacy laws? Their job is basically not to.


As a Canadian, if I am also an eCitizen of Estonia, will the GDPR protect me from EU-based companies?

Or do I have to actually _live_ in the EU to be protected?


As of April 2018, Estonian e-Residency does not grant any right other than access to e-services. [0] It is implausible digital residency programs will ever supersede standard citizenship or residency requirements and procedures.

[0] https://web.archive.org/web/20180409002346/https://e-residen...


Great question, I'm also Canadian but have European citizenship, maybe I'll be able to use this to get information from my municipal government that I can't get as a Canadian.


You need to be a resident of the EU to be covered. Also, EU nationals living abroad won't be covered.


I'm surprised there's been no mention in this thread of Brave and/or BAT.[1] Or is my understanding that they're directly relevant a misunderstanding?

[1] https://en.wikipedia.org/wiki/Basic_Attention_Token


If anyone is searching for a MOOC to bring their work into compliance with GDPR, this one was really concise and complete: https://bluelearning.fr/formation/rgpd/

PS : Ask for English version, they can do an English version, they did one for us.


The final version of my essay on a similar topic has been posted: http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozi...


So the entire web that depends on ads is doomed, Google and FB will now keep 100% of advertising revenue, and European users will start receiving 2nd-rate service (if at all), because they are unmonetizable. I think the article has too much FUD.


You can show ads without needlessly collecting personal data.


... if you have the money to hire at least one marketing manager and buy some ad managing software.


It's everyone, not just publishers. How many people here are preparing to ensure their web server doesn't log ip addresses before acquiring visitors' explicit permission to do so, for example?


To whom do you give your consent by the way? Is it the domain or is it to a company. What if your sales and operations departments are organized into different companies, do you have to give consent twice?


Would this mean for example I can’t load the Facebook pixel without consent?


Yes. Facebook's terms and conditions explicitly mention that you have to do this. https://developers.facebook.com/policy/?locale=en_us

> 12. In jurisdictions that require informed consent for the storing and accessing of cookies or other information on an end user’s device (such as the European Union), ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook technologies that enable us to store and access cookies or other information on the end user’s device. For suggestions on implementing consent mechanisms, visit Facebook’s Cookie Consent Guide for Sites and Apps.

> 13. Obtain consent from people before you give us information that you independently collected from them.


Why not do it like with cookies?

People are already used to accepting these cookie policies, so why not just widen it to GDPR related stuff?

Also how much can be caught with "security" reasons?


There's a very clear distinction: GDPR requires that consent is not a precondition for offering a service.

Most cookie policies in practice are all or nothing: you either accept and continue, or you decline and cannot use the service/website. That is not allowed under GDPR.


Interesting. Which part of GDPR disallows the “decline and you cannot use the service” case?


Quoting GDPR:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement [...]" [1]

"Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." [2]

[1] https://gdpr-info.eu/recitals/no-32/

[2] https://gdpr-info.eu/recitals/no-43/


> the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

but to play the devil's advocate, if it costs money to provide a service, but that money is currently supplied by selling personal data to third-parties, then isn't it true that the service cannot be provided without the data?


Well then you'll have to hinge the performance of your service on actually asking the user for money.


Thanks for replying! GDPR is complex. Indeed, declining these specific consents will still permit one to access a service.

My understanding is that there can be other consents, such as consent to changes of Terms of Use, which are required to access a service.


> Also how much can be caught with "security" reasons?

Only things you only use for security purposes. You can't say "we need X for anti-fraud" and then use it for marketing purposes without consent.


How can anyone check this?


That's of course the rub with any regulation touching internal processes (just as it is with financial regulation, anti-discrimination laws, workers' rights to some extent, ...). If you don't make a mistake revealing it, aren't forced into an audit and have no ex-employees holding a grudge, you can get far violating them.

Part of GDPR's effect is that if you get caught, you can't talk it away with some blanket claim in your EULA; you need to have a detailed justification, and there is potential for painful fines, so the risk increases.


We cannot say for sure yet, but in general we can expect that these things will never be checked until there is a data breach of some kind; or if evidence is found in another way.

If the details of the breach indicate you were using data for another purpose than what was allowed you will have a problem.


What happens if you don't follow the rules? How are the penalties enforced?


As a Kraut: if you start now, you're practically too late. It will be interesting to see which major corporation will be the first to face the fine of 20 million Euro or 4% of annual turnover.


Does this affect individual bloggers though?


There's some major problems with this:

"You cannot use any personal identifying data from any visitor who is a one-time visitor."

If an IP address is "personal identifying data" (as the author subsequently states), then every visitor is a one-time visitor. You can try tracking unique visitors by something else, like some user agent data, but it's less accurate. Ignoring IP means optimizing a site for click-to-sales becomes a lot more vague.

If a site converts each unique IP to a hash, then that's one way to get a unique visitor, but then which hash method do you use? MD5 is hackable to anyone having a list of hashes to IP addresses, and anything else can be more complicated and less standardized, so therefore more prone to bugs and bad coding, and therefore more costly to the business.

"You cannot load any 3rd party service, because by doing that you would be sending personally identifying data to those services (like people's IP address)."

If you can't even load 3rd-party software because they can see IP addresses, then you can't have any tracking, including aggregate, unless you build your own, which can be highly costly and is inherently inefficient with many pre-built solutions already existing and refined, even if they're open-source.

This restriction seems just as unreasonable as the first, also based on IP, and I'm not sure the politicians who made this restriction understand the web.

"You cannot even do personally identifying internal analytics."

If this is true, then you're cutting out a lot of site optimization and sales navigation because you're not always going to be right about what people want or how they will click things on the site. Without IP tracking, you can't follow where someone is going or tie that user to a bug, just get an aggregate of many, which can be vague.

"The reason is that a first time visitor hasn't done anything that could be considered consent, so you have nothing to work with."

This is incorrect, the user has given consent to make available any info the browser provides, which has to include IP address so the server knows where to send the response. If a politician doesn't understand this, then someone hasn't explained it to them.

It is a natural right of a website and publisher to use IP addresses, because they are required for web communication and identifying abusers. How they use it beyond that is what should be regulated, not just the visibility or collection of it.

"I don't think publishers realize just what this means."

I don't think the politicians understand just what this means either.
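On the hashing question raised in the comment above, the following is an added example (not the commenter's code or the article's) showing why an unkeyed hash of an IP address is not pseudonymisation, alongside two alternatives: last-octet truncation in the style of Google Analytics' anonymize_ip setting, and a keyed HMAC under a daily-rotated secret that still lets you count unique visitors. The nginx-style log lines and the 203.0.113.0/24 range are constructed for the demo.

```python
"""Pseudonymising visitor IPs in web logs: a plain hash is reversible by
enumeration, truncation is coarse but safe, and a keyed rotating HMAC keeps
per-day unique-visitor counts without storing any raw address.
Added example; the log lines are constructed, not from any real server."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import re
import secrets
from collections import defaultdict
from datetime import date

# Constructed nginx-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [10/Apr/2018:09:14:01 +0000] "GET /article HTTP/1.1" 200 5120
203.0.113.42 - - [10/Apr/2018:09:15:30 +0000] "GET /checkout HTTP/1.1" 200 2048
198.51.100.7 - - [10/Apr/2018:09:16:05 +0000] "GET /article HTTP/1.1" 200 5120
203.0.113.42 - - [11/Apr/2018:08:02:11 +0000] "GET /article HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>\w{3})/(?P<year>\d{4}):')
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Looks anonymous, but see invert_plain_hash()."""
    return hashlib.sha256(ip.encode()).hexdigest()


def invert_plain_hash(digest: str, network: str) -> str | None:
    """Find the address behind an unkeyed hash by hashing every address in `network`.
    IPv4 has only 2**32 addresses, so the same loop covers the whole space; a small
    network is used here so the demo runs instantly. This is the weakness the comment
    above describes, and it applies to MD5, SHA-256 or any other unkeyed digest."""
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None


def truncate_ip(ip: str) -> str:
    """Coarse anonymisation as Google Analytics' anonymize_ip setting does it:
    zero the last octet of an IPv4 address or the last 80 bits of an IPv6 address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)


class RotatingPseudonymizer:
    """HMAC-SHA256 pseudonyms under a random key that changes every day.

    Within one day the same IP maps to the same token, so unique visitors can be
    counted; across days the tokens are unlinkable, and without the key nobody can
    run the enumeration above. Discarding keys for past days also removes the
    operator's own ability to re-identify old tokens."""

    def __init__(self) -> None:
        self._keys: dict[date, bytes] = {}

    def _key_for(self, day: date) -> bytes:
        if day not in self._keys:
            self._keys[day] = secrets.token_bytes(32)  # fresh, independent key per day
        return self._keys[day]

    def pseudonym(self, ip: str, day: date) -> str:
        return hmac.new(self._key_for(day), ip.encode(), hashlib.sha256).hexdigest()[:16]

    def discard_keys_before(self, day: date) -> None:
        """Forget old keys; tokens from those days can no longer be tied to an IP."""
        self._keys = {d: k for d, k in self._keys.items() if d >= day}

    def has_key_for(self, day: date) -> bool:
        return day in self._keys


def unique_visitors_per_day(log_text: str, pseudo: RotatingPseudonymizer) -> dict[date, int]:
    """Count distinct pseudonymised visitors per day without keeping any raw IP."""
    seen: dict[date, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not look like access-log entries
        day = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))
        seen[day].add(pseudo.pseudonym(m["ip"], day))
    return {d: len(s) for d, s in seen.items()}


if __name__ == "__main__":
    digest = plain_hash("203.0.113.42")
    print("plain hash inverted to:", invert_plain_hash(digest, "203.0.113.0/24"))
    print("truncated:", truncate_ip("203.0.113.42"), truncate_ip("2001:db8:abcd:1234::1"))
    print("unique visitors per day:", unique_visitors_per_day(SAMPLE_LOG, RotatingPseudonymizer()))
```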


It seems to me that GDPR restricts economic growth.

For example, I'd be quite happy to let my local supermarket sell my personal data to Google in exchange for a 3% discount on my grocery prices. Everyone would benefit: (1) The supermarket gets an additional source of revenue; (2) Google can charge more for ads; (3) The toothpaste company gets better return on its advertising; (4) I pay less for my groceries.

GDPR prohibits this kind of win-win agreement, doesn't it?


From what I can see, this would be fine under GDPR anyway, so long as when you buy something in a supermarket they ask you "is it okay if we send information of what you bought to Google?"

Of course it's completely impractical to get cashiers to do this every time someone buys something, so it will likely just be applicable to store reward cards. They're doing this already, and all GDPR will introduce is moving the paragraph in the TOC you sign which says "we might sell your data to third parties" to the top in big letters and make sure you explicitly agree to it (or similar to achieve informed consent). As well as adding some safeguards in place.

A point on your example, stores already do sell your personal data to third parties as an additional source of revenue, but instead of giving you a 3% discount they usually just analyse your purchasing habits and throw discounts on other goods which they think you'll be susceptible to buying, so usually instead of you spending less you actually spend more on things you didn't really want before being offered.


Doesn't GDPR say that 'informed consent' cannot be a condition of providing a business service? So as far as I can see the supermarket cannot say, "In order to receive the store rewards benefits you must agree to us selling your data to third parties".


1. This is only a "win-win" insofar as you do not seem to care much about your privacy

2. GDPR does not prohibit this agreement, but it requires the company to get consent from you before selling your personal data.


On the other hand, I would prefer to not have my local supermarket sell my data, even at an extra 3% and yet I have basically no option to do that.


Advertising produces nothing. It doesn’t increase your income, you can’t buy more because of it (especially if, like most people, you’re already up to your eyeballs in debt). It just changes what you spend money on.

Advertising doesn’t help manufacturers make more or better goods. It just helps them sell them at the expense of others. Advertising is a deadweight loss, a competition between sellers that leaves them all worse off.


Win-win for you. Not for others among us.

> It seems to me that GDPR restricts economic growth.

It does, but fortunately economic growth is not the central point of human existence.


What stops that local supermarket from selling your information to Google without your knowledge and boosting their profit by 3%?


I suppose the fact that, if discovered, it will boost their revenue by -4% :-)


> It seems to me that GDPR restricts economic growth.

It plainly does. It trades profit and economic potential for privacy, there's no question about that. I've seen near universal agreement from EU persons that that's a desirable trade in this case.

It gives US startups an immense advantage. They can grow far more profitably in the very large homogeneous US market, unhindered by GDPR-style restrictions & compliance, and then take their scale/resources and project into the rest of the world and comply with local requirements.

That US advantage will get larger by the year, as the globe perpetually fractures more and more on compliance requirements. It's going to become more difficult to operate in all foreign markets, as regulations for online services grow nearly everywhere. Most nations will put up barriers of compliance that will have a tangible cost. Europe will have numerous different GDPR-like regulations among its nations. There are 50 countries in Europe and only 27 are in the EU, that guarantees a messy, fractured compliance zone overall.

This is only the beginning of what will be a dramatic reshaping of the way you could formerly build once in almost any nation and easily go global with a service, that will become impossible without considerable financial resources.

It won't be: comply with GDPR and you're good. It'll be: build 50 different compliance systems to reach into 100 countries. Only very rich tech companies will be able to do it, something the US particularly specializes in building.


What if I told you...

(Morpheus photo)

1. Social websites don’t have to be giant, centralized communities too big to police themselves.

2. People need more tools to help them achieve things in the real world, rather than spending hours a day chatting about the real world online.

3. There are ways to make money online without ads begging you to click on them, and they involve real-world goods and services that your website can help connect people for?

What kind of world would it be that one minute spent online would result in hours of enjoyment out of the house?

Would you NEED to collect data on people in order to tailor ads to them, when the interface would enable them to express their own INTENT to spend money, which you can then help facilitate?

EDIT: downvoted heavily, what else is new. Yeah, clearly saying people want to achieve things in the real world deserves condemnation and scorn from anonymous downvoters, but no counterpoint is given.


All the things you mention are certainly possible, but if that’s truly what consumers wanted (judged by where they spend their time and money), then the market would reward companies that provided those services.

Put another way, you can argue as much as you want that people want to eat salad and steamed vegetables for every meal, because it will make them thinner and healthier. And yet, McDonalds is still doing well (maybe not quite as well as before, but still very well).

Regulation will curtail the edge cases where people are acting to their own detriment to a degree that society deems unacceptable. Beyond that, it’s up to the invisible hand of capitalism to dictate what customers want.


What? Why?

The market rewards working services over not-yet-working ones - it's not surprising that customers who prefer a more complicated service will use the less complicated one in the meantime. There's also all sorts of confounding things with social networks like network effects.

Capitalism is one way to get at a society's preferences. It is not the only way, nor is it able to perfectly determine a society's preferences.


Capitalism is the most free of all, from there the more you turn left the more authoritarian it gets.


Why is democracy not the most free of all? Let one person have one vote - not one dollar have one vote.


To expand on what merinowool said: Under capitalism you are free to do whatever you want with your own property provided you extend the same courtesy to others, and don't interfere with their use of their property. It is easy to see that this is an optimum balance: any more freedom than that would necessarily come at someone else's expense. This is sufficient on its own to say that any other system must be less free than capitalism.

"Democracy" comes in many forms. If a particular implementation of democracy includes strong (effectively absolute) protection for the rights of the minority, including property rights, then it becomes a special case of capitalism where interested people voluntarily choose to address issues of common concern through voting. One example of such a system is a co-op; no one is forced to participate, but those who do become members have equal representation with respect to the disposition of the co-op's common property.

If respect for the minority's rights is subject to majority vote, however, then things which one would be free to do under capitalism—by definition involving only one's own property and that of others who voluntarily choose to participate—become restricted to suit the will of the majority, which plainly makes one less free.


I couldn't put it any better. Thanks!


It is not, as one could say it is a tyranny of majority...


In other words: People get what they want, but not what they need.

Similarly: Short-term trumps long-term.


I think it is because the solutions don’t exist yet.

Like before the Telephone consumers “preferred” to visit each other. The Gentleman Caller.


> There are ways to make money online without ads begging you to click on them, and they involve real-world goods and services that your website can help connect people for?

Not every website is in a position to sell something directly. That's how ads work in the first place.

I run a collaborative writing forum that is predominantly used by teens. I make so little money off it that I'm running it as a charity because forums like it were a valuable part of my youth. And there's very little I can do to make money from my userbase these days, though it used to make a couple thousand bucks per month and got me through uni.

People on HN and the like love to scoff and go "if you can't make money, then you don't deserve to exist" which is awfully short sighted. Like the only consequence they can think of as they Mr Burns their hands together is The Verge, operated by a billion dollar company, shutting down.

Ads service the middle of the bell curve of sites that aren't 100% charity but also not in a position to peddle you merchandise. The internet is going to lose out if society doesn't find an alternative. Just more centralization.


The question is whether your ads really need to be targeted to individual persons (requiring a huge surveillance infrastructure) or if you can just sell ads to some sponsors and everybody sees the same ads.

I prefer the second option. Nothing wrong with ads per se.


It's just not feasible for the sites like the parent commenter described to look for sponsors, sign contracts, etc. We are talking about, say, $200-600 per month in advertising. You can spend more time searching for the next sponsor than you will make from ads.

They can monetize by working with a 3rd party, like an SSP, who will sell the inventory programmatically. But to monetize effectively, that 3rd party will do tracking, that's true.


I totally agree that your forum should exist. My main question would be, what exactly are you providing as a service to the teens? Custom software? A server? It seems to be quite cheap to just download something and run it on a server. I’d like to see a self-configuring, end-to-end encrypted decentralized thing that people can literally just run on their own machines and let servers act like dumb hubs. Something like SAFE network. Then the forum software is just a client side thing like SourceTree for git. And that can be open source and free for the teens.


> 3. There are ways to make money online without ads begging you to click on them, and they involve real-world goods and services that your website can help connect people for?

Yeah, I could even imagine a scenario where you help connect people to real-world goods and services for free; the provider of those goods and services would be more than happy to help keep your bills paid, assuming there was some kind of mechanism that would drive people to their goods and services and not a competitor.

What would such a mechanism look like?


I think the problem with 1 is that the usefulness of Facebook, for a lot of people, comes from having darn near anyone they ever knew on the platform.

There's the benefit of being able to trivially connect with friends, family and acquaintances by a few degrees. But since that applies to those users too, and the overlap is partial, the user graph grows unbounded. If you limit it in some way, then you necessarily will have some users at an edge with a restricted experience. That's likely very bad for business.

With point 2 there's the general overall argument of whether these concrete, codified social networks should exist at all - whether they are healthy to society or people compared to the more limited gossip circles they would be in otherwise. I don't think it's clear cut to call it worse and I don't know if we can put that cat back in the bag even if we wanted to.


I would argue that being able to find anyone is a bug, not a feature.

Bill Gates doesn’t let people find him on FB by his name. Why should anyone else?

The real names policy is a consequence of this thinking. But why should people put that info out there for everyone and the NSA to find out?


I don't think the legislators understand the technical complexity it would take to comply with GDPR nor the benefits of tracking for the internet.

Tracking makes markets more efficient.

1. Advertisers can tune their ads/targeting to get higher conversions and sales. They pay higher PPMs and PPCs.

2. Publishers get higher PPMs and PPCs. This motivates them to invest more in their content and website because each new user will yield more money with higher PPMs.

3. Users get more relevant and safer ads. Remember the shady banner ads of the late 90's and 2000's? That's the type of low conversion rate / click through rate ads that will run when advertisers can't target their audience efficiently and PPMs are very low. Relevant ads also save users (the segment that buys stuff from ads) time from researching for products and services.

4. Users get personalized content from publishers. This has a few negatives but I would argue that it greatly improves user experience.

The technical and administrative complexity required for the legislation effectively shuts off tracking for all websites that aren't owned by a megacorp. Small and medium sized publishers now have less motivation to get good content out and improve their websites from the lower PPMs.


> Relevant ads also save users (the segment that buys stuff from ads) time from researching for products and services.

That is specifically not wanted.

Several European governments are subsidizing projects to provide consistent and exhaustive comparison tests between many products instead, so customers can for each category of product they may need find massive comparison tables, find which products fulfill their needs, and can buy the cheapest one.

This makes the market more efficient, because the best product for the lowest price wins, instead of the best marketed product.

One such example is the Stiftung Warentest: https://en.wikipedia.org/wiki/Stiftung_Warentest


So is that going to be another parcel of life under state control? It is easy to predict such tools are going to be abused (for example excluding products from a producer that has opposite political views to the currently ruling people).


Every company today that you rely on to discover products will shape what you see for their own advantage.

Google puts their own ads more prominently and bans competitors from certain ad spaces, Amazon does the same, as does even Yahoo.

And your worst fear is that maybe the government might end up just as bad as the companies that you see as alternative?


There is a difference though - you can't have multiple governments to choose from at any given time. The state always limits the choice.


> the benefits of tracking for the internet

I do not see any.

> They pay higher PPMs and PPCs.

As a user, I do not care.

> Publishers get higher PPMs and PPCs.

Don't care either.

> Users get more relevant and safer ads

Sorry but that's outright bullshit. In practice, targeted ads feel absolutely worse (at least for me). As an example, I remember buying an umbrella a year ago on Amazon... guess what I still get recommended on there? F'ing umbrellas... I know I'm in the UK but come on, one is enough.

> Remember the shady banner ads of the late 90's and 2000's?

I still see that garbage all over the place, including from supposedly "reputable" ad providers with apparently top-notch tracking like Google. Fake antivirus software or tech support scams are still common on there.

> Users get personalized content from publishers. This has a few negatives but I would argue that it greatly improves user experience.

That's my other problem with tracking-based ads, as it creates an echo chamber. I'd much prefer getting "irrelevant" ads as it makes me discover products I would've never otherwise thought about. I prefer print & real-world billboard ads for this reason as they're generic and expose me to stuff I wouldn't see otherwise.

