Hacker News new | past | comments | ask | show | jobs | submit login
[flagged] It's been three years. Stop saying your European visitors are important to you
231 points by PennRobotics on July 16, 2021 | hide | past | favorite | 181 comments
I live in Europe after growing up in the States. Every now and then, a link to an interesting news article is suggested to me. Clicking the link, I see this text:

  Our European visitors are important to us.
  
  This site is currently unavailable to visitors from the European Economic Area while we
  work to ensure your data is protected in accordance with applicable EU laws.
For my European friends, try a link like <www.everythinglubbock.com> or <www.tristatehomepage.com> or <www.khon2.com> or <www.wtrf.com> or <www.wnct.com> or <www.fox46.com> ... or many of the other "local" news sources in the U.S. It's important to note: While these sites cover news in a particular region, we'd need to start calling each McDonald's a local burger joint under this classification.

At the bottom of each page: <https://www.nexstar.tv> - If you click this link, you are not geoblocked! In fact, there are a ton of statistics showing just how many resources this media group has at their disposal to address releasing news articles to Europe. Save a click. It's 4 billion USD revenue, over 100 news sites and TV stations, and a reach into two-thirds of American households. This is no mom and pop operation. They just don't---or maybe can't---care.

I only focused on one media group, but there are others. Here's a news article from the same year GDPR began enforcement two years after its introduction in 2016: <https://www.bbc.com/news/world-europe-44248448>

A little has changed, but not much! Chicago Tribune is finally available. NY Daily News? Can't access. Baltimore Sun or Orlando Sentinel? Also, no.

"Why are you complaining?" you might ask. "What is your goal?"

Besides the obvious---I'd like to read about the communities of my friends and former neighbors---I want two outcomes:

First, any giant search engine company with a news subdomain and 100,000 employees could stop suggesting/featuring geofenced articles to European residents. At least weight these results so they aren't the number one, front page feature. (Although in Google's defense, one can usually click the "Cached" button to get the linked story.)

Second, say something else. The people living across the Atlantic (and their pesky differences of opinion on privacy) can't possibly be more than an inconvenience at this point.

  You are in Europe. Mind your own business.
---

Edit: First post. No idea how to get links to display properly even following "Formatting Options" instructions.




“We care about your privacy.” is also a real joker. Those boxes often provide no “opt-out all” button and force you to “object” to “legitimate interests” one-by-one even if you do “opt-out”.


Why do companies even bother writing that?

They clearly don't care, if they did that box wouldn't even be there.

Sites like Imgur are the absolute worst. "We care about your privacy" and presents you with a list of 1200 companies they share information with.


Because lying works, propaganda works. You won't ever be able to convince everyone but you can confuse enough people that there isn't a united front that demands change. Especially those who want to believe because they're comfortable and thus reluctant to challenge the status quo. Also people who aren't intelligent enough to understand what's going on.


Maybe more in a sense like "I care about your well being, as I'll exploit you and if you die then I can't exploit you anymore." kind of way.

It's not even lying.


When people say “we care about global warming”, it doesn’t mean they want global warming to occur. Same with companies, they don’t want your privacy to continue either.


Is there any way to auto opt-out of these sites? Like an adblocker, but for these privacy pops?


Here's an extension that just removes the cookie popover and shows the page underneath: https://www.i-dont-care-about-cookies.eu/

Here's an extension that auto deletes cookies: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete


There's an extension for Firefox called: "Never-Consent". It only works for some site and completely breaks other.


ublock origin has several "annoyances" filters you can enable in the settings, they w usually remove them.


At least they are not lying when they phrase it as "We value your privacy". I know you value it, down to a dollar.


It used to be the most common lie was "I have read the EULA". Nowadays the most common lie is "we care about your privacy" or possibly "we get it, you hate ads".


Or, "We take security very seriously..." after they just got breached and their databases copied because they left a default password on a router.


I wonder why, when I click to choose which measures I opt in/out, by default everything is just disabled and I just press confirm. Is it just me? Anyway, always saves me some effort.

Tho I optin analytics usually :)


Well, to properly comply you should assume no consent by default. However, most of the dialogs these days assume opt out for the main bit but there is a separate section for Legitimate Interest and you have to manually opt out of those. Is it possible you are just not noticing the separate legitimate interest section?


I noticed that legitimate interest is opted in. But I still don't know what that means.


How GDPR is implemented is a total shitshow. It clearly says that it's an OPT-IN, not opt-out and one has to uncheck everything one by one.

We're creating a fucking dystopia just to click on more ads.


I used to see only that, but lately I've been seeing cases where once you choose the "manage cookies" option, all the nonessential cookies are opted out by default.


I can't trust that, a lot of websites do that but also keep all of the "Legitimate Interest" boxes ticked by default, I need to check every single pop-up to see if that's the case or not.

I hate these dark patterns and in spite I do lose my time to uncheck everything I can, if I can't untick everything in less than 20 seconds I simply close the website, no matter what.


You could also enable the annoyances filter lists if you're using ublock origin. They remove the prompt altogether, but you've not given permission to anything.


I've seen that too, but a dark pattern here is pretending this is the whole truth and then hide a few hundred under a less visible "legitimate interest" tab.

Personally I use the Lockdown app which seems to block a lot, but suggestions about better alternatives are welcome.


That's how it's been handled for nearly 100% of the sites I went to for the last two years (that actually do contain ads, or use tracking for pointless internal analytics, that is). Or a variation thereof similarly letting you switch off most tracking using no more than two clicks.


I make it a point to click "reject all" if the initial dialog only allows accepting some implicit default preferences.


Noyb.eu is working to fix this: https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...


The GDPR itself is sane. Its enforcement is severely lacking though.


It‘s such an abhorrent marketing style of talking.

"Your life is important to us. Therefore we must kill you.“


The way Dilbert put it was "Your call is important to us...please hold while we ignore it."


"Our Business is life itself" ~Umbrella Corporation


In this case they're actually being consistent. Your privacy is so important to us that we won't allow you to access our website and get tracked.


It is a very safe assumption to make that anything you see or hear in media means the exact opposite.


Including your comment, I suppose? ;)


Coincidentally, the more I think about publishing to HN, the more nervous I get about my own data trail.


Not mine.*

*With apologies to The Life of Brian


It is absolutely, in no way whatsoever, even close to a safe assumption.

It is, in fact, what people who are far, far gone into conspiracy theory madness think.

Again, this is not a reasonable thing to think. It is bordering on mental illness.


Lawmakers and voters sometimes act as if regulations are free. They think “wouldn’t it be nice” and pass on the costs to businesses.

They aren’t in fact free.


Correct.

But the axiom is misguided.

Legislation on the safety of cars for instance is not free, but necessary.

You could argue that the makers of go-karts are being priced out of the market: after all, the free market should make people put a price on their own safety.

But the issue is often that people don’t really have a good grasp of what it truly means and you can’t put a monetary number on things like that.


I’m not an anarchist, I just don’t think people always realize or recognize that there will be downsides as well as upsides to the latest “sounds good” piece of legislation.


Sure. But the way you framed it makes it sound as if the legislation is a net bad thing. But when I get a GDPR block warning I’m actually happy because it means that company can’t operate without mishandling or selling my data. — sure the cost for them is higher, but it’s not unreasonable. I think a lot of people unduly criticise the GDPR because there is an industry building that requires fear mongering to get its way.


> You could argue that the makers of go-karts are being priced out of the market: after all, the free market should make people put a price on their own safety.

> But the issue is often that people don’t really have a good grasp of what it truly means and you can’t put a monetary number on things like that.

Furthermore, here in Europe everyone pays for health care for everyone to some degree so allowing people to do outrageously stupid stuff ends up increasing the tax for everyone.


Of course regulations are not without cost to those being regulated.

Lawmakers and voters would prefer not to have regulations; they would prefer if businesses just did the right thing. But they don't, so they have to be regulated. And nobody wants the cost of that regulation to fall on voters; so it falls on businesses.

Hey, who makes money out of these websites? Voters? Nope. Why should anyone but businesses pay the costs of regulating businesses?


To extend @bradleyjg's point, businesses often do try and "do the right thing" but don't always get the "voters" support. For instance, you could have no ads or tracking on your site, and just charge people to view the content. And of course the vast majority of people will simply not view it, go find a "free" version that has ads instead. Most companies could go 100% green today and do so by charging 2-10x more for their products -- do you think people in general would pay for it? It works on some scale, but not in general. So its not as simple as the business doing the right thing and business owners paying the costs. Its about forcing all business to adhere to some regulation, and pass the same cost on to customers in the same way, to achieve some hopefully laudable goal. And that's totally fine in my opinion, but it breaks down when people assume there are no costs passed on to customers, and (again to @bradleyjg's ponit) that you can merely make owners pay it without any knock on effect. Recognizing the costs and how policy works helps voters to push for the right ones IMHO.


It is magical thinking to believe that a law can impose a cost on businesses and it will come straight out of the pockets of the owners of that business.

There’s an entire sub-field of economics devoted to studying where the incidence of taxes and regulations fall, but voters don’t care to read the literature. If it sounds like we are sticking it to the people that their oversimplified model of the world has decided are bad guys, they are all for it.


That may well be "magical thinking"; but nobody said that costs imposed on businesses don't deplete consumers' wallets, eventually.

There's a libertarian, anti-regulation line of thought to which some USAians seem to be particularly prone.

Europe, and especially the EU, runs on regulations. Without all kinds of regulations, the EU would fall apart. Most people here understand that. They also understand that imposing costs on businesses results in marginally more expensive products (although GDPR compliance isn't expensive, especially if your gesture towards the GDPR is just a cookie wall).


Europeans would rather have the GDPR than be able to read American news sites. American news sites would rather block European readers than comply with the GDPR.

Everything is working as intended, no?


No.

The GDPR requires sites not to discriminate. It is a violation to refuse to serve users because they are in Europe.


Laws in Europe apply to European subjects only, not the entire world. Europe has no authority to force a non-European company to serve it's subjects.


It certainly has authority to block it from doing business in the EU if they don't comply, and to back that block with legal action against employees or assets inside the region if the company keeps breaking the law.


King Canute required the waves to stop. How did that work out for him?


To be fair on old Knut, his piece of seaside theatre was meant as a put-down for his flattering courtiers, who had told him he was so great he could stop the tide. He wanted to prove the opposite.


Words are free.

Stop saying banned customers are great.

This is my argument.


The frustration in the EU is the inability to access the content, not the verbiage of the deny message.


Writing words takes time and effort. Time and effort cost money.


  %s/are important to us/cannot view this content/g


The user here just wants honesty - a "As a local American* media, we cannot afford the additional costs of GDPR compliance. As such, this content is not available to EU/EEA." That's it. Not "We are evaluating options to deliver your favorite [sic] content to EEA." when they already decided to no longer server Europeans.

* "local American media" WTF. Almost all of you are large corporates.


This is trivially easy for "local american media" to solve: if you can't manage consent, then stop depositing cookies on European computers.


> then stop depositing cookies on European computers.

You've got GDPR super wrong. If you think GDPR was only about cookies, you've got it wrong (but that's where Google et al. focuses your attention to be honest- disinformation about GDPR and focusing on cookies even when cookies is NOT what GDPR is about).


I know how to suck eggs already; I was a GDPR compliance officer at my last firm. It's about privacy and data protection; cookies that don't violate privacy or track users, and are needed for the proper operation of the site, don't need consent.

The subject is silly banners. Those are nearly always about cookies, or "We won't serve you because you're in Europe, and GDPR" (and the latter violates the GDPR).

My view is that these banners are partly because some businesses think that by annoying users enough, they can get European users to reverse the GDPR. Ain't gonna happen.


Or maybe they are planning to give you localised [sic] content at some point and just haven't prioritised [sic] it yet?


> No idea how to get links to display properly even following "Formatting Options" instructions.

You can't have links in text posts like this. HN stories are a link or text. From https://news.ycombinator.com/formatdoc: "Urls become links, except in the text field of a submission."

To make proper links in comments, just put "https://" in front of them so they're URLs. "<" and ">" are for unusual URLs that get mis-detected with their surrounding text, and they are hardly ever needed.


Oops. Even in seven sentences, I missed a detail. :(

Thanks; noted for the future.


Maybe the blocked content is just divine retribution for the abhorrent cookie consent buttons we all have to press 20 times a day now.


Many sites show cookie consent when they don't have to.

You don't have to show cookie consent when you use cookies purely for "technical stuff" - e.g cookie based authentication.

>Operational cookies

>There are some cookies that we have to include in order for certain web pages to function. For this reason, they do not require your consent. In particular:

>authentication cookies

>technical cookies required by certain IT systems

https://ec.europa.eu/info/cookies_en


Consent is only necessary for cookies that aren't in the interest of the user (session cookies, other cookies set to fulfil user requests).

You only "have to" press these because a lot of websites decide they'd rather torture users with popups than stop tracking personal data.


I've never even been to Europe, and I still get them. What are we Americans, chopped liver?


Looks like sites "care about you" just as much as they do about Europeans.


I recommend the Consent-O-Matic browser extension and failing that, the "I don't care about cookies" browser extension.

https://github.com/cavi-au/Consent-O-Matic

https://www.i-dont-care-about-cookies.eu/


... only when paired with cookie browser settings switched to strict blocking.


Maybe because everyone (According to Facebook anyway, which is very not true) there wants to track - GDPR ain't really about the cookies, it's about the mismatch of corporate America's desire to track versus Europe's desire to not get tracked. Heck, American companies are breaking American law, at least in California.


I have been very grateful for GDPR, because on lots of sites the very first question is "do I care enough about this content to try and click a bunch of buttons?" Nine times out of ten the answer is no and I just close the tab without reading the article, and I genuinely think I'm happier for it. I certainly have more time.


EU said, "Do this or you can't do business in our countries." These websites said, "Ok" and didn't do business in those countries. Maybe kind of annoying, but this is explicitly the price you pay for more privacy.


Yes, but the complaint is about the awful PR messaging of "We care about you". Just be honest and be done with it.


This should become a meme so that those companies will think twice in using that phrasing.


They'll just switch their phrasing.


Seeking the wisdom of the HN crowd:

Does RSS, with the full article content in each item's description, avoid the "problem" of GDPR compliance?

Maybe it'll become "cheaper" for global content creators to go back to old-fashioned content-targeted ads, which can be distributed through RSS [1], among other domains.

Placing the ads will be more expensive [2] (no more than it used to be), but it might be cheaper than guaranteeing GDPR compliance with the adware they've grown cozy with recently, and it opens up the EU as an available market.

[1]: for one example of this already working, podcasts are distributed via RSS, and have a rapidly growing advertising market around them: https://www.emarketer.com/content/us-podcast-ad-spending-sur....

[2]: apparently, most podcast ads are placed with a human in the loop (only 8% are placed programmatically). there might be a product idea here, in building a "static, content-targeted ad" exchange.


What I don't understand is, why are these local US news sites required to comply with GDPR? I wouldn't think they'd have any obligation to follow it (or any possible recourse for not doing so) unless they have business operations in the EU. Are these local news sites in fact all owned by multinationals that do have operations in the EU?

Edit: I'm getting downvoted -- just in case it helps to clarify, I'm not trying to say anything anti-GDPR here... I'm just genuinely surprised these ostensibly US-only companies feel obligated to follow it and genuinely asking why? Is there an actual legal risk to non-compliance for them? Given the already low level of effort just to detect an EU-based IP address and show the patronizing error message, it seems like they must have had some motivation to even do that much and I'm just wondering what that was.


Any company that serves EU residents has to comply. If they block users from the EU, they don't have to comply. Fines can be massive (up to 2% global revenue).

Nexstar might not have any European assets, but non-compliance might not be a smart move if they get fined and business executives travel to Europe...


A company in the US has no legal obligation to pay fines in the EU. There is no ability to enforce these rules on US companies.

Also, individuals traveling to the EU will never be liable for the fines of their company.

Our company just completely ignores GDPR - and I suspect no one will ever care.


It sounds like you do some tracking, but don't do business in Europe. Okay, fine.

Do you do only your own tracking? Or do you directly or indirectly sell Europeans' personal data to other companies, who in turn may be doing business in Europe?

You can probably see where I'm going with this: those other companies may then potentially be liable in Europe for improperly handling Europeans' personal data. If I was buying personal data from US company as a European, I would make it part of the contract that the seller must comply with GDPR at least for Europeans, to avoid this potential liability.


You are speaking very speculatively about facts that cannot ever be demonstrated to any EU court. ...so the point from our perspective is moot. There is no legal risk, because there is no method of detection of a violation, and no method of enforcement.


I understand it as: if you're taking my data as European citizen, that is protected; even if you're in the US I'm still European.


That’s incorrect. What matters is where you are, not whether you’re an EU citizen.

If an EU citizen accesses a site from inside the USA, the GPDR does not apply. That’s also why these sites can use geo-blocking without knowing who accesses their site (for some definition of ‘can’. Technically they can’t because geo-blocking can’t be perfect. If you access a site from the EU through a VPN in the USA, the GDPR still applies)


The EU can still, in theory, sue them because they're serving Europeans. Especially in the beginning many companies became afraid of the possibility so they simply blocked access to see where it goes. Then it probably became clear the European customers are not worth the effort to change back. But actually it's still illegal what they're doing because the GDPR also states that customers have to be treated neutral regardless of their location, as long as it's not about licensing of course.


GDPR applies whenever you're providing services to EU citizens, regardless of where you have operations. If you want those people to read your stuff, it applies to you.

And before you say that's crazy, look at US tax laws.


Also, US Foreign Corruption Practices Act.


> GDPR applies whenever you're providing services to EU citizens

That's a common misconception. GDPR applies to the data of people "in the Union". There is no mention of citizens at all in GDPR.

If someone is not an EU citizen but is in the Union, it applies.

If someone is an EU citizen but is not in the Union, it does not apply.


> US-only companies feel obligated to follow it and genuinely asking why?

It doesn't matter where a company is located, only where its products are accessible. If you offer a product/service to EU citizens - for example a globally accessible news website - you have to comply with GDPR. Or you deny access to EU citizens, which is fine too.


The vast majority of "local" news sites are in fact owned by just a handful of media conglomerates.


I always read this as:

"Our European visitors are important to us BUT vacuuming all your data and selling to multiple bidders is importanter"

You wanna be obnoxious? Sure, go ahead, but I'll dislike your site more (and I have adblock so I have no qualms in accepting). Wanna pretend you're compliant by having an obvious non-compliant "solution" and think that will shield your responsibility? Now I'll just hate you and will probably bounce off your site


They're serving you a web-page regardless. It probably isn't the data as much as they don't want to run afoul of EU law.

Breaking the law is a generally considered a big mistake and regardless of the stereotyping about businesses they can be pretty timid when dealing with governments.


Sure, I have more respect for the ones that 451 it than for the ones that pretend (very obnoxiously) to be compliant.


> Breaking the law is a generally considered a big mistake

Except when it's about breaching the GDPR. In this case it's considered "business as usual" and Google and Facebook successfully get away with it.


But they are breaking the law.

"Accept/Ask me later" is in violation of the GDPR.


Exactly this. Every time I read about GDPR compliance, it feels like a very well-designed set of guidelines that are easy to follow ... IF you aren't stalking users. The complaints about it have the same tone as the Guild of Assassins complaining that laws against murder are really hard to comply with in their industry. Of course they are, and that's the point.

--------------

Hypothetical conversation with a Malicious Advertising Website:

MAW: Can I stalk my users without telling them?

GDPR: No, you must have consent to track users.

MAW: So I can assume I have consent because they're using my site?

GDPR: No, the consent must be explicit.

MAW: Got it, I'll put it somewhere in the fine print of the terms of service.

GDPR: Uninformed consent doesn't count. Fine print doesn't count as informing users.

MAW: Okay, so I'll have a banner with an obvious "accept" button and several hidden steps to opt out.

GDPR: Nope, it must be just as easy to retract permission as to grant it. If it's a single step to accept, then it must be a single step to reject.

MAW: In that case I'll have the "reject" button kick them off the site.

GDPR: Consent must be freely given, and having a service be conditional on consent is coercion. Consent to track may only be given as a gift, and not as an exchange.

MAW: WAAAH!! This is so hard!!

---------

Hypothetical conversation with a Non-Malicious Website:

NMW: I don't track any information about visitors to this site, and only serve non-targeted advertisements.

GDPR: Sounds good, go right ahead.

NMW: Say, I want to make a "To-Do List" site. Do I need to warn users that I'm going to remember the to-do items for them?

GDPR: Nope, no issue there. That's necessary for the service to function.

NMW: Huh, this is really simple.


MAW: Nevermind, I'll identify users via browser fingerprinting.

GDPR: Browser generated information was ruled personal data and falls under GDPR.

MAW: Just let me stalk on my users without their consent, goddamit!


>Every time I read about GDPR compliance, it feels like a very well-designed set of guidelines that are easy to follow ... IF you aren't stalking users.

There's a difference between being compliant and being _in compliance_. There's a real cost to the latter. Why should sites that primarily serve non-European readers bother with it? The assumption that they don't because they're all greedily stalking users is a misguided, but popular, cynical take.


I'm not sure what the distinction is between the two. Is one of those having a verified system to ensure that you are compliant, while the other is merely being compliant but unprovably so?


it looks like great tl;dr, but I'm not expert on GDPR

nice


It's a nice summary of the GDPR, and following this TLDR in good faith will get you in compliance (at least enough to avoid scrutiny from the regulator).


Except the GDPR doesn't work as sold.


More accurate to say "businesses don't do as told".


How so?


Not enough enforcement


> Every now and then, a link to an interesting news article is suggested to me.

If the link looks like something worth the effort, plug it in to archive.is and read the output there. Or try it via outline.com instead. These tend to work for most text-based articles/sites, and archive.is often breezes right through paywalls, too.


Thanks for the advice.

To load one of the Google News links took more than 30 seconds on archive.is but eventually worked.

Outline did not work with the links as-is.

In short, this is not a comfortable workaround, but it is a working alternative.


Just gotta ride the VPN all day long


Before GDPR passed I heard nothing but "I don't want to patronize a site that doesn't want to respect my privacy" and "we don't need sites that won't follow basic rules like this". Well you got your wish. Your internet is no longer polluted with these reprehensible site owners. Yet people continue to bitch and moan.


Read the thread. They can keep their news, but it's _pushed_ to me by Big Tech. Then, the news sources have the nerve to say, "Thanks for coming. Get out!"

It's the 0% APR that virtually nobody qualifies for at the dealership. Don't suggest content I want but can't have.


News aggregators hardly qualify as "big tech".


news.google.com is owned by Alphabet.


And Joe Biden owns a dog. Dogs still don't qualify as government property.


The moan is about the language used, not the availability of the site.


The reality is that "Outside US support" is usually the lower priority step-two of any project, because it is easier to make more money inside the US, for US companies, for example because of (a lack of) regulations like GDPR. (Source: I am a European working for a US company)

I don't think they entirely don't care, they just care more about (perhaps need to) making money fast than serving a global audience.


Jeez, what a mess. To extend the McDonald’s analogy, when McDonald’s is serving its American customers, it doesn’t heed European laws about beef and potatoes. Because those laws are irrelevant to them, they have no bearing on McDonald’s making money (again in the context of serving their American customers). McDonald’s is never going to check what Brussels says about dairy before they make a milkshake in Spokane. Sorry.

My friend, that couple of sentences you’re so wound up about means more or less exactly what you’ve said at the end. Businesses aren’t in the business of giving a shit about things that don’t affect their business. You’re upset that they don’t word it more bluntly? Really?

Actions have consequences is my response. Sorry you all didn’t get the consequences you wanted. But it’s very frustrating the childish way people on HN approach these issues. Zero material analysis or thinking, always pointedly naive idealism of this type: “well you SAID you care about Europeans”- come on.

I’m begging you all to take the next step and think through the actual forces at play, instead of banging on with the churlishness.

The way this works is very simple- law is introduced, business figures out the easiest way to deal with it and get back to what they were doing, rinse and repeat.

Maybe the European search engines do a better job at this. You could give them a try.


You missed the McDonald's analogy. A burger in every shop in the U.S. will taste the same as any other. It follows the rules of the franchise, just as every site I linked is a cookie cutter website for local news. Each "local" site has nearly the same functionality, look, backend... because they are from the same supplier. It's news franchises serving your local paper and TV station, and it has been for a while.

Certainly, this media conglomerate does not need to care about European visitors, but to claim they do on the "Access Denied" page is quite hypocritical.

I hadn't even mentioned the detail, "while we work to ensure..." This would imply they've been doing anything at all for the past three years.

Also, I'm 15 miles away from a Google office, so I guess I've been using a European search engine all along!


This:

> McDonald’s is never going to check what Brussels says about dairy before they make a milkshake in Spokane. Sorry.

conflicts with this:

> law is introduced, business figures out the easiest way to deal with it and get back to what they were doing, rinse and repeat.

So which is it? If they care about Brussels, then they are willing to go the extra mile. If they don't care, why put up the block anyways?


Amen. If a court in the EU fines the Bozeman Daily Chronicle, what is stopping the Chronicle from replying, "lol ok." and continuing to not care?


I think this works if you are small. If you are large, you might have a branch or subsidiary in EEA which may get fined or whose assets might get frozen.


Most companies (and most individuals, I'd say) want to do what's necessary to not be bothered. It's doubtful these organizations have any great fear of EU regulatory bodies, but if showing a warning (that the user can subsequently bypass) shows they made an effort and staves off 90% of complaints, it'll be worth it.


These companies are blocking EU (and presumably UK) viewers completely. An example: https://imgur.com/a/RSYXA0V

> Our European visitors are important to us.

> This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws.


But US meat is not allowed in Europe because of hormones.

So they have to adjust their EU meat supplier for servings in Europe though.


Someone located in Brussels does not buy a cheeseburger from a McDonalds in Spokane.

Someone located in Brussels might easily end up on the website of a Spokane newspaper.


A newspaper in Spokane is also not going to be covered by GDPR unless that actively target people in the EU. If a few people in the EU happen to wander over to your website, that's not enough to make you subject to GDPR.


I don't understand completely why you're being downvoted. I'm european, in favour of GDPR, and I think this is a valid way of doing it. These reactions confuse me the same as using incognito or adblockers to pass paywalls and such - if that's their business model and their choice, I'm going to say no, and won't even be interested.


> I don't understand completely why you're being downvoted.

Because it's irrelevant, wrong and passive-aggressive belligerent: "Sorry you all didn’t get the consequences you wanted... childish ... Zero thinking ... churlishness".


[flagged]


One of the most popular services of one of the most popular tech companies is pushing content to one of the largest economic participants that is relevant but unusable.

While I didn't mean for this to blow up and was merely venting, I'd like to think my unreplied vim-regex comments were good contributions and valid content for the HN community.

And just for you: Five years ago, the front page had "House sabotages net neutrality", "lawyers suing over We Shall Overcome", "Haitian cholera epidemic started by UN peacekeepers", "coffee shops signal urban change", "how the law is tracking down prank callers", "Merkel allows lawsuit against German comedian"... oh, and a new minor version of Jupyter and Tera were introduced.

I'm sad that you remember HN being different back then.


[flagged]


I'm a U.S. citizen and veteran working for a company with many customers the U.S. and friends working in every reach of the country. I didn't realize I'm not part of the tech scene because of my location.

Alas, I have paid and do still pay my country's defense budget---financially, physically, emotionally.


You broke the site guidelines with this. They ask:

"Don't feed egregious comments by replying; flag them instead."

a.k.a. please don't feed the trolls

https://news.ycombinator.com/newsguidelines.html

If you wouldn't mind reviewing and sticking to the rules when posting here, we'd be grateful.


Understood. Thanks. :)


Sorry to break your bubble.


Maybe the cost of GDPR compliance just isn't worth the small amount of revenue that they might make from European visitors? US visitors are probably much more 'valuable' in terms of advertisement revenue, and also much more likely to be a subscriber.

And I say this as a European myself. It sucks that I have to jump through hoops to access some sites but I can't really blame them.


I'm not really offended that I can't see all content from Europe, but the idiotic newspeak like "Our European visitors are important to us." is almost offensive. I don't see why they aren't just honest.


“Your call is important to us. Thank you for waiting. You are 8382nd in the call queue because our overworked and understaffed call centre team are all handling other customers. By the way, did you know we understaff this team because customers are super important to us?”


Toxic positivity. It's a pervasive feature of American culture.


I think this is more an example of what we call “bullshit.” There’s a lot of it.


In America we particularly have a lot of "bullshit we think protects us from lawsuits even if it really doesn't".


The concept of supermarket greeter blows my mind. As a customer this would be a reason to NOT go to that supermarket. As a potential employee I would have to be starving before I took that job.


Supermarket greeters are really for theft-prevention. It's not for the customer's benefit.


That "you are important for us and we care deeply about you and your pet iguana" it's the bread and butter of corporate America's PR - it has it's versions on other parts of the World too.


I'd love to know how much an American user's data is worth and what percentage of clicks belong to European domains.

I know the pervasiveness of the phrase no such thing as a free lunch, but is there really so much revenue lost by not harvesting data? (And yes, it doesn't take an MBA to notice any revenue loss should be avoided, so I understand the reluctance to publish to any market for free.)


I think the problem is not necessarily the loss in revenue due to "not harvesting data" but rather the cost of all the compliance measures and new processes the GDPR requires.


Three years was long enough to figure out that they do not actually find Europeans (or Americans residing in Europe) important.

Change the text.


It’s a bit silly because serving the content without cookies doesn’t cost more than not serving anything. It’s not like a restaurant where serving a steak means you now have one less steak, it’s just data that you can copy as much as you want.


I mean, data transfer is not totally without costs.

At a few thousand reads per day, a MB or so per read... this is costing up to FIFTY DOLLARS PER YEAR to just... give our content away for free?!


Hang on; you're still serving ads, no?

So what's this about "free"? I mean, you weren't planning to charge me in the first place.

So you want to set a cookie so that you can make your ads more "targetted", and so more valuable? There's no public evidence that ad targetting even works.

But this "free" business - I suspect that some local US paper doesn't make a lot of money from ads served to EU residents. So is it possible that the lost revenue stream is from selling PII to data brokers? Oh dear - that's pretty evil, even if the visitor isn't in the EU.


Obviously. But let them be honest about it.


Having worked on and lead 3 GDPR compliance projects, I can say that the cost of GDPR compliance is close to zero if your business is not tracking users or selling their data without consent. This assuming you are following best practises for storing users’ data (ie encryption, limited access to authorised personnel, etc…). If you store data without encryption, allow randos to access users’ personal data, you shouldn’t even be in business.

Also the EU is quite tolerant with breaches, as in if you are found in breach they will give plenty of time to address it (which often means removing a tracking cookie you forgot about or add it to your cookie policy).

At this point GDPR is way too tolerant, given that in 99% of cases you get away with a banner that makes it impossible to refuse tracking.

So not being GDPR compliant, which at this point means a bit more than being decent with users, says more about the business model of these companies than about anything else.


Don't know why you got downvoted.

As a former GDPR compliance officer for a company managing about 40 customer websites, I can confirm that GDPR compliance is not burdensome or costly, unless you are intent on violating the GDPR. You appoint someone on your tech staff as compliance officer, and as an organisation you make sure that complaints are handled.

Handling complaints is something any business should be able to do, GDPR or not; a business that can't handle complaints isn't a viable business.


For small organizations, even if they are not tracking or doing anything with data that would need to be changed to comply with GDPR, the couple hundred or so Euros a year to comply with Article 27 [1] might be enough for them to block EU access.

[1] https://gdpr-info.eu/art-27-gdpr/


If you are not doing anything with the data, you should just not collect it. A newspaper doesn’t need to collect my personal information.

Besides if you don’t have a regular client base in the EEA or you process and collect data only occasionally and on a small scale, you don’t have to appoint a GDPR representative.

In a few words: don’t collect data without permission, don't spy on your users, don’t profile them, don’t process or sell their data without permission, delete all data about them if they ask you to do so, and you’ll be OK.


So basically the US now has its own split off version of the web, only visible to other Americans.

The Great Firewall of the USA, or maybe The Great American Firewall.


IANAL, but can't they just word a disclaimer and checkbox? Something like:

"Our European visitors are important to us... but the cost of GDPR-compliance for a US-focused site is high. For your own GDPR protection, we advise you not to access our site. However, if you choose to do so, you agree to waive any and all rights granted to you under the GDPR. [ ] Agree"


Which is like saying “this building doesn’t follow engineering best practices, it may fall on your head at any moment” and expect to get away with that.


Isn't it more like a website in one country rightly stating it's not bound by the laws in another country?


You asked:

> IANAL, but can't they just word a disclaimer and checkbox?

The answer is no, as far as GDPR is concerned, if they want to process and/or sell data of EU citizens or residents they have to follow some rules. I’ve no idea how the EU plans to enforce this regulation outside of the EEA, but it’s beside the point (as in it’s not what you asked)


Would this mean all a non-EU website needs to do to safely serve GDPR-bound persons is trash any data collected from them?


Or not collect it in the first place. For those newspaper blocking traffic from the EU, it may be enough to remove all trackers


Correct, you're not a lawyer. IANAL either but I know enough to know people can't generally waive their rights. If they could then every website would just say "you are waiving your GDPR rights if you continue using this site" and be done with it.


I simply thought jurisdiction would be relevant here. The EU can make whatever rules it wants to cover its own citizens, and beyond that - they can't enforce them.


Apologies by the way, re-reading my post it comes across overly dismissive. I didn't intend it that way.


Thank you. This made my day. I didn't feel put-out (well, no more than I'm used to!), but it's refreshing and affirming to see empathy and self-accountability here on HN.

I will try to do better myself. I'm sure I am sometimes guilty of same.


> IANAL

Maybe you are not a lawyer; but perhaps you should actually read the GDPR before suggesting that it's possible to waive all one's rights under the GDPR.


This is what your politicians asked for.


...to be told we're important?


A bunch of Americans lying to us?


So should the whole world obey every diktat that comes from the EU? Whether GDPR is good or bad, it's an EU law, not an international or American one.


The complaint is about saying "we care" when they clearly don't.

It's perfectly reasonable for US media to block European users rather than deal with GDPR compliance, but why not be honest about it?


I’m the opposite: I grew up in Europe but live in the States. There’s a ton of European websites and content I can’t access from here.

While this may suck for you personally I don’t think American companies (especially local news companies) should have to comply with invasive and expensive European privacy laws. Especially after forcing the entire world to adopt useless and annoying cookie walls. If you really want to access those articles you can use a VPN like the rest of the world does when they are accessing geo restricted content. GDPR has never really been a reasonable law to begin with.


Can you give some examples of European websites which are unavailable in the USA?


I don't believe they need to comply, either. Just stop saying people living in Europe are important. They obviously are not.


The argument in the post is that they are all from the same, large media company:

> At the bottom of each page: <https://www.nexstar.tv>


Nobody asked for cookie walls, which anyway don't bring sites into compliance. The cookie walls are erected by companies that are trying to shirk GDPR responsibilities.

They can avoid these responsibilities by refusing to serve content in the EU. That's their prerogative (although it is discriminatory, and thefore violates GDPR). And if they think they are out-of-reach for EU law, they can just ignore the GDPR; but watch out, similar regulations are coming to a jurisdiction near you.

Whether the GDPR is "reasonable" depends on your perspective; regulated parties always think that the regulations under which they trade are unreasonable.

[Edit: qualified the "their prerogative" bit]


Then pay.


Pay for what, they are all free sites OP listed?


Pay to… buy out the news company? I guess?


Ah yes, another headline-only reader.


> It's been three years. Stop saying your European visitors are important to you

> Then pay.

I don't think it really fits as a response if I had only read the headline.

I do concede that my comment was more terse then necessary and not as constructive as it could have been.

My point was that the links listed looked like small free organizations that don't have the resources, or actually any other incentive. They probably have very few readers outside of their localities.

So pay for a bigger news org that does.


For a news source that does care and have the resources to implement GDPR compliance.


I'm European and I block EU customers as well (mainly for VATMOSS though, more than GDPR, albeit I'm not sure whether I'm GDPR ready or not).

Simply put, it's a very low margin and low time investment business on my side and I'd rather work on something that can make me more money than to implement the required changes to support Europe's regulatory plat du jour.

Having worked in big businesses, even if they have the money to spend, they may face other organisational issues. Implementing any change in big businesses is not easy and takes significant more time than you would imagine.

As you correctly say, I'm sure they evaluated the cost benefit of EU visitors and concluded it wasn't as high as the cost of getting things done.

For news, that means that people will be able to access less independent content, or maybe just access what is visible behind the walled gardens of social media. For ecommerce (and VATMOSS), stores just moved to Amazon / eBay so they don't have to deal with the complexity.

As usual, regulators screwed all us up pretending to target big business (whether it's privacy or paying sales tax) and dealt a massive blow to all the small competitors of big business.


Use VPN. And use browser extension like uBlock Origin. You can access blocked content and you get privacy.


I'd love to be able to drop NoScript and uBlock Origin, but the web has become such a shitshow that they're vital security tools.

But it's ridiculous that we have to go to such insane lengths, for privacy or even for access. Noscript, in particular, can be very annoying, but it saves me from a lot of worse annoyances.

This also crosses over to the crawling horror of IoT, where every device maker wants your sweet, sweet data. Oh, sure, we can throw our IoT devices on a carefully-firewalled VLAN - provided we have networking gear with that capability and the knowledge to use it, neither of which is likely for the average consumer.

I never imagined I'd live in a real-life cyberpunk dystopia when I first read "Johnny Mnemonic" in Omni so many years ago, but here we are.


This is a solution for an end user, and besides the point.


It’s mostly local papers in rural areas. They are trying to proof some point, and happen to be mostly just not very interesting for European readers. So cutting them off is cheap.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: