
GDPR Hall of Shame - K0nserv
http://gdprhallofshame.com/
======
Drakim
"Whoops, we can't secretly sell your data anymore! That means you can't
control your smart wifi lightbulbs from now on!"

For me, this is a refutation of the "If you don't pay for the product, you are
the product." There is no inherent reason why a company would only do that for
a free product. If it works for free products, it works just the same for paid
products.

Even if GDPR has flaws, and is gonna cause some disruption, I think we really
needed something like this.

~~~
eli
For sure, GDPR is causing headaches for companies that were secretly selling
your data. But it's also a big problem for companies that were (perhaps
sloppily) logging & storing data for their own reasons or maybe even for no
real reason. I think the latter is much more common than the former.

~~~
ghaff
A lot of smaller sites don't necessarily know everything that they're
collecting. Arguably, this is a good opportunity to figure that out. However,
it's equally arguable that in many cases it's just easier to cut off EU access
if there's any doubt and the EU just isn't important to their business (or
hobby). If I ran a US centric ecommerce site, for example, I'd be very tempted
to just stop selling in the EU for now.

~~~
enginaar
What if EU citizens who are visiting US make purchases from your site?

~~~
ghaff
Almost certainly does not apply. [1] For that matter, the same FAQ suggests
that it's probably not necessary to block IP addresses if you're not located
in the EU and aren't actively marketing to EU residents. But I can certainly
understand small companies taking a better safe than sorry approach if they
don't do material EU business.

[1] [https://www.gdpreu.org/the-regulation/who-must-comply/](https://www.gdpreu.org/the-regulation/who-must-comply/)

~~~
merinowool
It wouldn't apply if you explicitly ask the user if he/she is an EU resident,
preferably by checking ID, and route to /dev/null if the user is.

------
PeterisP
I nominate Slate [https://slate.com/privacy](https://slate.com/privacy) for a
creative interpretation of GDPR article 7.3 "It shall be as easy to withdraw
as to give consent" (the "consent" happens through an uncloseable window with
no other options where a single click sets that cookie):

"The Right to Withdraw Consent. If you would like to opt-out at any time,
please delete the “gdpr_consent_1” cookie from your browser window. You will
have to opt-in again in order to view Slate content."

~~~
dx034
I'm pretty sure that no European court would accept that. I doubt most users
(and most judges) even know how to delete cookies. I don't even know how to do
that on my phone (not sure if that's possible?). And not allowing users with
mobile browsers to withdraw consent is definitely a violation.

~~~
HelloNurse
It would be acceptable if consent involved _manually_ adding a specific cookie
(slightly harder than deleting an existing cookie).

Thinking of it, adding cookies manually and maintaining a cookie whitelist
could be a useful browser feature in the coming years. Most cookie-based
tracking would be forced to disappear.

------
adtac
The Yahoo! one [1] is definitely in violation of GDPR, right? GDPR doesn't
cover me as I'm neither in the EU nor am I an EU citizen, so I really hope
someone lets the regulators know about this. The first major penalty will be
example setting.

Which made me curious: could a service exist where citizens not covered by
GDPR submit complaints, so that a GDPR-covered citizen could put the complaint
in formally?

[1] Hidden opt-out is non-compliant, but Yahoo! went ahead and opted you in to
a hundred different ad services automatically:
[http://gdprhallofshame.com/content/images/2018/05/ouch.jpg](http://gdprhallofshame.com/content/images/2018/05/ouch.jpg)

~~~
detuur
Yahoo is bad, especially concerning the opt-in, but by far not the worst.
Those are Google and Facebook, which have made all of their services "all-or-
nothing". If you don't accept every single bit of data processing, your only
alternative is to delete your account. Literally runs counter to everything
the GDPR stands for.

~~~
aeorgnoieang
> Literally runs counter to everything the GDPR stands for.

If the idea is that no one should be able to avoid complying with the GDPR,
even if they decide they no longer want to do business with whomever it is
exactly that's covered by it, then maybe the whole thing was a bad tradeoff.
I'll grant that Google and Facebook _might_ be acting in bad faith – hell,
I'll just assume they are – but surely, for some not-necessarily-insignificant
number of other entities, it should be perfectly fine if they decide that the
costs of compliance exceed the corresponding benefits.

------
pjc50
Of these, the worst are the "embedded" ones: the IoT lightbulbs and the Razer
devices. Nobody ever expected their lightbulbs to be processing personal data
on behalf of third parties.

The one that might be legitimate is the "cheap flights" one; after all, they
require your consent for email marketing, and they can't offer you a discount
flight without it.

~~~
Silhouette
I must admit, even as a critic of the GDPR in some respects, as an individual
I am hoping that its heavy-handed approach will mean I can buy everyday things
again without having spyware, telemetry, and so on coming as standard. I don't
want a "smart" phone or a "smart" TV or a "connected" car, where the scare
quotes denote entirely unnecessary invasion of privacy and/or security and
safety risks. I buy a phone to communicate, a TV to watch stuff, and a car to
get from A to B, and it will be nice if we can get back to doing those things
better instead of tacking on all the user-hostile extras.

~~~
zerostar07
Then just buy older stuff; nobody says you need a smartphone.

~~~
Silhouette
Have you tried buying a non-smart TV or a non-connected car recently? Or even
a feature phone that is basic in features but good quality? I do have quite a
few devices from just before the madness became almost inescapable, but it has
become increasingly difficult to get hold of these things in recent years.
Aside from the sales and marketing aspects, there are other pressures that are
forcing older models into obsolescence prematurely, such as changing encodings
and DRM mechanisms for video, changing standards for wireless communications,
and environmental and safety issues that drive older cars off the roads.

------
xmodem
The Instapaper one - #1 - is troubling for a non-obvious reason. One of the
tenets of GDPR is that you have to be told how your data is being used. So the
only explanation for this behaviour is that there's some shady shit going down
that they want to stop before they have to admit to it.

If I used Instapaper I'd be filing a complaint with my local DPA about this.

~~~
dingo_bat
> So the only explanation for this behaviour is that there's some shady shit
> going down that they want to stop before they have to admit to it.

No, it can be something as simple as "we cannot guarantee that all your data
is deleted with our current storage system". It would be a lot better if
people stop being so alarmist.

~~~
Silhouette
_It would be a lot better if people stop being so alarmist._

Indeed. It's odd looking at discussions about the GDPR on HN.

On the one hand, we have people who argue that compliance isn't really that
big a deal if you're not doing anything horribly wrong, most ethical
businesses would already be mostly compliant anyway, etc.

On the other hand, we have people who argue that even if that is the case, the
length and ambiguity of the regulations and guidance combined with the
potential penalties still cause significant overheads and risks, particularly
for smaller businesses without dedicated resources to deal with compliance
matters.

There is some truth behind both of those positions, I think.

But then I've seen so many comments now on HN and other geek-friendly forums
that seem to be based on the premise that most/all businesses are somehow
doing evil things with personal data and they must be stopped. A noticeable
number of people are advocating obviously vexatious use of the new subject
rights, not in response to any specific concern or after some unsatisfactory
attempt to resolve concerns reasonably, but as a weapon with the clear goal of
causing maximum disruption and cost to organisations. I wonder how anyone can
think giving so much "legal ammunition" to these people is a good idea.

~~~
4684499

> so many comments now on HN and other geek-friendly forums that seem to be
> based on the premise that most/all businesses are somehow doing evil things
> with personal data and they must be stopped

I think it's pretty reasonable to have that premise when those businesses
can't tell their users what they did or will do with personal data. No one
could even tell whether it's evil or good if you don't show me some details.
And sometimes, you assume it's good for me, but I think it's bad for me. Thank
you for your good intentions, but all I want is just an opt-in option, not
opt-out; is that so hard to accept? When you drag me into something I don't
want, why would I assume you are doing something good? Users being alarmist is
not the users' fault; data companies' unethical use of data made users react
this way.

    
    
> "we cannot guarantee that all your data is deleted with our current storage
> system".

If so, just say it. But after that, you may want to explain to me why you
can't even take care of my data while claiming you respect it. Did you collect
my data and then just forget where you store it? If the deletion is that hard,
why should users trust such a company in the first place?

GDPR is an action of defense, not a weapon for invasion. Only a predator would
think it's a weapon and be afraid. GDPR is not perfect for now, but
complaining about the ambiguity of it doesn't make internet companies' vague
ToS or Privacy Policy clear as crystal. Let's not play double standards here.

I'm quite aware HN is full of people who work in data industries; I just have
to say it.

------
owenwil
Hey! I made this, mostly just to poke fun at my inbox being here in Europe and
experiencing it first hand. Feel free to fire me a reply with any good ones
you've spotted; I'll be actively adding through tomorrow and beyond.

~~~
bencollier49
The Endomondo app is a doozy. They require opt-in to two items to carry on
using the app, but then also say that by clicking continue, you're agreeing to
their privacy policy, which indemnifies them against GDPR. It's slightly
clever misdirection, in my opinion. I clicked 'OK' in the end because the EULA
appears to be invalid anyway; by borking the consent process they have no
legal basis for processing my data.

~~~
owenwil
Wow - got a screenshot of that one?

------
BjoernKW
The EU Commission's very own website deserves an honourable mention at least.

Last time I looked (just a few days ago) it was the epitome of "What you're
not allowed to do anymore according to GDPR.": Tracking and other cookies with
no way to opt out, no privacy policy etc.

Then again, GDPR of course doesn't apply to them. The very least they could do,
in my opinion, however, is to lead by example.

------
jannemann
My favourite at the moment is sendwithus. They said their service will never
be GDPR compliant. But fortunately they have a new "enterprise grade" product
called sendwithus dyspatch. Same feature set, new price plus GDPR compliance.
This is a price jump from $79/Month to a minimum of $24.000/year. And this is
with discount for former sendwithus users. I would consider this to be mafia
methods.

~~~
lovich
Why? This seems like good behavior. Their original product is supported by a
business model that relies on user data. Now they are offering a similar
product that doesn't make money off of user data but instead charges the user.
I am all for the GDPR, but the regulations don't say you can't suck up all
user data _and_ you still have to provide your service for free/discounted.

~~~
ginko
So you're saying user's data is worth $23052 per year?

~~~
lovich
Maybe, maybe not. If it's not I assume they'll be forced to lower their prices
and go out of business. I don't have a problem with a company charging money
for their product though.

The GDPR appears to be doing its job here because it's forcing a company out
of a business model that is unethical and into one that's better for society,
regardless of whether it's better or not for the company and some of its
customers.

------
downandout
Could somebody help me understand the criticism in this article of companies
like Instapaper blocking EU users? When you face fines of up to 20M EUR,
you’re not going to take on that liability if you have a choice.

Most companies outside the EU will eventually block EU traffic. GDPR is just
too big of a liability. It has nothing to do with “selling user data” or bad
intentions with user privacy. I won’t take EU traffic for the same reason that
I don’t drive at 140mph in a 25mph zone - it’s irresponsibly dangerous.

~~~
icebraining
Blocking EU users temporarily doesn't remove the need to comply - they're
still holding data from these users.

------
umbrellaman
CCleaner deserves a special spot in this hall after the recent change with the
"You cannot opt-out" privacy option in the free version of the program.

[1] [https://www.ghacks.net/2018/05/24/ccleaner-update-introduces-privacy-options/](https://www.ghacks.net/2018/05/24/ccleaner-update-introduces-privacy-options/)

[2] [https://forum.piriform.com/topic/51913-ccleaner-5436520-cannot-opt-out-of-privacy-exposing-compulsions/](https://forum.piriform.com/topic/51913-ccleaner-5436520-cannot-opt-out-of-privacy-exposing-compulsions/)

~~~
letsgetphysITal
That's not how GDPR works. You're not allowed to make use of your product /
service require acceptance of collection of data. You must either offer it
without data collection as an option, or simply refuse service.

~~~
aeorgnoieang
I'm guessing, if that's enforced, that a lot of these same organizations will
opt to refuse service.

~~~
letsgetphysITal
A lot are. GDPR Hall of Shame looks like a list of these companies.

~~~
aeorgnoieang
Which ones? The list looks like a bunch of organizations trying to do a clumsy
end-run around the intent of the law instead of refusing service.

------
cift
It'll be interesting to see how the EU reacts to all of the companies like
Oath that, by default, share your data with 300+ ad agencies.

After the GDPR hype has died down, hopefully new tech companies will think
twice about data privacy

~~~
Arwill
To me, that one was the most striking. It shows how widespread data sharing
is. In the end to whom did they NOT sell user data?

------
cift
Mirror: [http://archive.is/BCZCB](http://archive.is/BCZCB)

EDIT: Updated with new post

------
mtgx
Came here to mention Oath, but it seems the site has already covered it:

[http://gdprhallofshame.com/5-techcrunch-engadget-and-oath-cookie-gore/](http://gdprhallofshame.com/5-techcrunch-engadget-and-oath-cookie-gore/)

Great idea for a site. I'm sure it won't lack content for quite some time.

~~~
HelloNurse
I defied RSI to click all Yahoo partners, and opening a random sample of
privacy policy links I found one that was written in Chinese. So much for
consent.

------
bo1024
I want to know if credit card companies Mastercard, Visa, etc. are subject to
GDPR. They definitely sell or use your purchase data for purposes unrelated to
the service.

~~~
Kpourdeilami
On another note, does GDPR mean you can request credit report agencies to
delete all their data on you?

~~~
PeterisP
"Credit reporting agencies" in the USA sense aren't really a thing in the EU;
there are similar but substantially different (and nation-specific, not
EU-wide) mechanisms of verifying the creditworthiness of customers, often with
specific national laws regulating the usage of this data which would override
GDPR.

Furthermore "please delete my data" doesn't really mean "delete _all_ my
data", it means something like "I revoke whatever consent I gave and delete
all my data that _you now have no right to use_" - so the company is allowed
to keep all the data for which the GDPR gives them a right to use without your
consent.

~~~
giobox
I'm curious, in what sense do you mean "Credit reporting agencies" in the USA
sense aren't really a thing in EU"?

I've lived in both the UK and USA and used credit products in each, and your
access to such credit appears to me almost entirely determined by a handful of
credit reporting agencies "scores" in both countries in a pretty similar way.
Heck it's even often the same company - Equifax (one of the largest) operate
in the UK as well.

~~~
PeterisP
There are many differences; it's hard to generalize because each EU country is
different (there's no harmonization for this, and there are major differences
especially along the "ex-Warsaw-Pact" border; half of EU had their whole
financial system [re]built in 1990s), but you'll often see the following
differences:

1) There's no "EU score", each lending market is somewhat separate. Past
history in one location may or may not influence your score in another
location.

2) Instead of a general/universal "credit score" calculated by an agency,
there's often a concept of "credit history" which (depending on the country)
may or may not list the amounts of existing loans, of previous loans, and
history of late payments. The difference being that instead of lenders getting
a score calculated by some agency, the lenders get the data and make their own
decision, with possibly very different opinions on which factors are
important. Not everywhere, of course, some countries (e.g. UK or Nordics) are
more like USA.

3) The process tends to be highly regulated. If you're providing factual data
as opposed to an opaque score, each item better be correct - distributing to
all lenders "Bob defaulted on a loan in 1999" is libel if it's not true; the
dispute process tends to be more consumer-friendly than the USA (e.g. a
requirement to remove the disputed items immediately and return them only if
the debtor can prove its validity), maybe a requirement to expire entries of
missed payments within x years, etc.

4) In some countries, that agency is run by the gov't, i.e. purely a central
official registry of loans and/or bad loans, which is somewhat sufficient to
verify creditworthiness. In others, it's like Equifax.

5) There often is a principle that the credit reporting agencies _can't_
give/sell that data to anyone - you must give explicit permission for every
company before they can gain access to that data.

6) In many countries there's no concept of "building credit" - where the
only information provided is about _negative_ events (e.g. defaults or missed
payments), so having never taken a loan combined with good income gets a
perfect rating, as it's not distinguishable from a long credit history and
having never missed a payment.

So it's quite tricky - similar but different.

------
chrisper
The #2 one seems a bit off. "RE:" stands for Regarding. Yes it makes people
look at your email, but it isn't "fake."

~~~
m0shen
Nitpick, but re is a word

[https://en.oxforddictionaries.com/definition/re](https://en.oxforddictionaries.com/definition/re)

~~~
chrisper
It's not nitpick, it's trivia!

------
zerostar07
OK but maybe your website should not use cookies without asking? You don't
have a privacy policy either, so it's not clear how you're going to use them.
And maybe don't use Google Analytics without a privacy policy? Or at least
anonymize the IP?

------
pit2
It looks like the witch-hunting is about to start.

~~~
SmellyGeekBoy
It's about time.

------
gerbilly
I've been on the internet since the 80s.

Man what a nice thing we've built.

We have turned the internet into a network where people snitch on each other
to marketers for fractions of a penny.

~~~
pc86
The 80s? Were you involved in ARPANet or something?

~~~
robin_reala
I first went onto the internet in 1990 when my BBS got a connection. It was
quite well developed by the end of the 80s.

~~~
ghaff
80s were still fairly early for Internet access. I was on the ARPANET as early
as 1979 or so but just trading the occasional email in a lab. "Real" internet
access, first at work and then through my BBS, was probably more like the
early 1990s.

~~~
robin_reala
Oh yeah, I didn’t do anything on the Internet in 1990 apart from typing ‘go
internet’ into CIX (my BBS at the time), sitting there wondering what you
could do with it, then killing the connection when my dad pointed out that we
paid by the minute for the phone line :) I don’t think I knew anyone online
that wasn’t on CIX either.

~~~
DanBC
People don't understand just how expensive early online access was.

Here's a page from 1988 Whole Earth Catalogue "Signal - Communication tools
for the Information Age"

[http://tinypic.com/view.php?pic=2janfrd&s=7#.WwcJwiAh200](http://tinypic.com/view.php?pic=2janfrd&s=7#.WwcJwiAh200)

Compuserve, charging $11 per hour, had "more than 250,000 subscribers".

The Source, charging $8 per hour, was popular for its conferencing system
"parti".

Delphi, charging $6 per hour had a loyal but small (less than 10,000 users)
following.

BIX, $9 per hour, grew from a magazine. I like the quote: "This is the
computer industry as it used to be: people sharing ideas and solutions without
the greed and grit associated with today's corporate driven, litigation-laced,
industry" (written 30 years ago).

[http://www.wholeearth.com/issue-electronic-edition.php?iss=1300](http://www.wholeearth.com/issue-electronic-edition.php?iss=1300)

~~~
robin_reala
CIX supplied Ameol (a most excellent offline reader) which could connect
quickly and disconnect. In the UK we didn’t have the luxury of the US’s free
local calls, so that was an added expense on top of that.

~~~
ghaff
>In the UK we didn’t have the luxury of the US’s free local calls

Although free local calls could be quite limited in area. Intrastate long
distance (which could be as little as 15 or 20 miles away) could actually be
more expensive than interstate long distance. I don't remember the details but
I used a private BBS service in the nearest major city in the 80s. I had some
sort of phone plan that optimized for this but I still used offline tools to
minimize my online time. (i.e. Login, suck down content, logoff, read and
reply offline)

I used similar tools for Compuserve. As you say, it was extraordinarily
expensive by today's standards. People complain about the pricing of a lot of
things but telecoms and pretty much everything related to computing is
incredibly cheap.

------
some_account
I've been enjoying all the emails from companies and watching them put on a
show of how they support user privacy and just need me to continue agreeing to
accepting being the product.

I don't think so. There are very few companies I actually use in my life, and
less than a handful of them are online. The rest - bugger off.

~~~
zamazingo
> I've been enjoying all the emails from companies

I've been receiving so many "here is our policy, if you continue your use, you
accept it, kbye" emails... I truly hope EU will take the default-opt-in
problem seriously.

------
ToastyMallows
I'd love an RSS feed of this site :)

------
midasz
Hugged to death already?

~~~
owenwil
Sorry, had to go up a few sizes on DigitalOcean

~~~
adtac
Curious: what tier were you using and what tier did you move up to? In case I
ever get to the frontpage, I'd like to be prepared :)

And usually, what is it that causes outages like HN/reddit's hug of death?
Number of open sockets / file descriptors? RAM? CPU? Network congestion?

~~~
Keats
If you have a static site, being on top of reddit/HN will barely be visible on
the smallest instance you can find.

------
dominotw
shaming seems to be down currently.

~~~
enginaar
yea, still down

------
matte_black
GDPR and policies like it are an existential threat to a Big Data future where
so much can be possible if we are able to amass as much data as possible
without fear of consequences.

GDPR should be resisted by as many companies and startups as possible.

~~~
bartvbl
Whatever the case might be, companies have shown themselves to not handle
people's personal data properly, as shown by the massive leaks in the past.
Whatever utopia you're thinking of, it's not happening anytime soon, and GDPR
is a rightful measure to slightly apply the brakes on rampant data collection
and misuse.

~~~
matte_black
Massive leaks are a security issue, and have nothing to do with users being
able to delete their data at will.

~~~
ironcan
Well, if it's their data, shouldn't they be able to delete it at will?

~~~
matte_black
If you know something about me why is it my right to make you forget about it?

~~~
ginko
human memory isn't data storage.

companies aren't humans.

