
List of Websites not available in the EU because of GDPR - w-m
https://data.verifiedjoseph.com/dataset/websites-not-available-eu-gdpr
======
sshine
Meanwhile, visiting a large commercial website today involves:

1\. A pop-up notifying the visitor on the website's cookie policy (required by
EU law).

2\. A pop-up asking the visitor to consent to its privacy policy (required by
EU law).

3\. A pop-up asking the visitor if they'd like to subscribe to its newsletter.

4\. A pop-up telling the visitor that it's run out of "free articles", but
that you can sign up at a premium.

5\. A pop-up asking the visitor to turn off the adblocker because the site's
revenue depends on the ads.

6\. A pop-up asking the visitor to participate in an online survey.

7\. A pop-up telling the visitor about a unique way to earn money in your
underwear.

None of the pop-ups will share UI for closing them, and some of the close
buttons will be so hard to press that you accidentally change site instead.

 _(Clarification: It doesn 't have to be a pop-up, but it does have to be
annoying.)_

~~~
cyborgx7
I'm sure you know this, as you have included a bunch of pop-ups that aren't
necessary but websites do anyway. But for other people who love to hate on the
GDPR, 1 and 2 are not necessarialy required by EU law either. Just don't have
cookies when you don't need them and don't save data the visitor hasn't agreed
to.

~~~
josteink
> But for other people who love to hate on the GDPR, 1 and 2 are not
> necessarialy required by EU law either. Just don't have cookies when you
> don't need them and don't save data the visitor hasn't agreed to.

It's this simple, and yet everyone on the internet freaks out like having a
GDPR-compliant general purpose website is some massive undertaking.

I can't fathom how people got so used to endless tracking that a non-tracking
site now literally seems like a impossibility to them.

All in all, it's pretty sad.

~~~
ddalex
So technologically the non-tracking website is very very simple.

Business wise, not so much. How do you monetize such a site? Even a simple
commerce site needs to keep tracking of users, and to do any kind of marketing
you need explicit user consent.

~~~
pdpi
> Even a simple commerce site needs to keep tracking of users

Functional cookies like this are exempt from GDPR's opt-in requirement

~~~
dvfjsdhgfv
Exactly. I've been running a few webshops where cookies were used only to keep
the session/cart state. It never occurred to me I should irritate my users
with cookie/GDPR notices. To quote the famous cookie law [1], the cookies
exempt from consent were:

* user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases

* authentication cookies, to identify the user once he has logged in, for the duration of a session

* user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration

* multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session

* load‑balancing cookies, for the duration of session

* user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)

* third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

This means you could freely use cookies for normal operation. It's only when
you start tracking people you needed to ask their consent.

[1]
[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)

------
lagadu
AKA: list of websites whose habits regarding your personal data are so shady,
they're literally illegal in large swaths of the world.

~~~
thisgoodlife
Or maybe just revenue from eu < cost to comply

~~~
pmlnr
cost to comply is not to log data of the same users they are showing the
blockade right now. I fail to see how that's so expensive to do.

~~~
steventhedev
Or perhaps they've been advised that because they have an email subscription,
they'd need to hire a full time DPO, and their outside counsel quoted them
several thousand dollars a year.

It's simple arithmetic to decide it's cheaper to block all EU visitors.

~~~
oblio
> they'd need to hire a full time DPO

They don't. They need to designate someone as the DPO, it doesn't have to be
full time.

~~~
repolfx
That's technically true but practically untrue.

The DPO is a major imposition and simply being required to comply with the DPO
parts alone is sufficient to make the EU not worthwhile for many businesses.

1\. Whilst a DPO can theoretically be part time, a DPO is not allowed to have
other roles in the firm that could create a "conflict of interest". This is so
vague that in a company that works with data, almost any other role could be
argued to create such a conflict of interest.

2\. The DPO position has a list of mandatory responsibilities and even
qualifications that will be accepted. For example the EU has advised DPOs need
"expertise in EU data protection law". Where will foreign websites find such a
person?

3\. The DPO works for the firm but cannot be told how to do their job. They
also cannot be fired or penalised for anything related to their job
responsibilities.

In practice these rules mean it's very likely everyone will outsource the DPO
role to third parties.

------
OJFord
I've ran into this a few times through 'normal usage', e.g. I search for
something, click the link, and get told off for being in the EU (for the time
being).

'Food Network' is one I've hit a few times searching for recipes; it seems
several other domains are under its umbrella:
[https://www.foodnetwork.com/not-
available.html](https://www.foodnetwork.com/not-available.html)

------
brobdingnagians
Currently a US citizen living in Spain, I hit these decently often looking up
news articles that look interesting about things in the US, but stopped short
by the notices about GDPR. I'd be curious if some of the newspapers eventually
comply after several court cases defining some details on how it is treated--
seems disproportionately higher for newspapers; anyone know why? other than
their audiences don't tend to be in Europe?

~~~
guitarbill
A lot of these sites are ostensibly local US news or media (e.g. WPTA - Fort
Wayne, IN), and it's hard to see how they fall under the GDPR.

So either it's a political statement, or they somehow are subject to the GDPR,
e.g. they are owned by a multi-national conglomerate, or sell data to them.

~~~
raverbashing
Yeah, they don't fall under GDPR it's mostly a knee-jerk reaction (or, as you
mentioned, they are owned by a bigger conglomerate)

~~~
chrismeller
IP addresses are specifically considered to be personal data, so even
accepting a page view from an EU citizen and writing the IP to an Apache log
file could subject them to it. Same with cookies and any kind of analytics or
advertising partners (which most local news sites seem oddly heavy on).

Even if they somehow figured out that they were already completely compliant
(and ignoring the work involved in discovering that), there are policies and
procedures you need to write to document who you share their data with and
respond to requests from EU citizens about their data and the features to
support answering those.

~~~
josteink
> IP addresses are specifically considered to be personal data

Again. Knee jerk internet reactions divorced from reality.

Access logs are _not_ illegal under the GDPR. Stop spreading FUD.

------
tw1010
Such a lazy and stubborn approach to just ban EU users to protest GDPR.

~~~
patricius
Well, complying has costs, you know. Perhaps, in some cases, it’s just a
matter of not wanting/being able to justify that cost.

------
techscruggs
The majority of these websites appear to be US based local news outlets. They
have very little motivation to comply with GDPR.

As a side note, a lot of the comments here suggest that few people are
reviewing the list at all before offering their opinion. Yes GDPR is a great
step forward for data privacy, but there is little reason to shame "The Pueblo
Chieftain" for not complying with GDPR. What is more likely:

1) compliance doesn't matter to them or their audience 2) they are trying to
exploit and monetize your data

~~~
DanBC
They don't need to comply with GDPR. They're not doing business in the EU;
they're not based in the EU; they're not targetting EU citizens. They're
exempt from the regulations.

> but there is little reason to shame "The Pueblo Chieftain" for not complying
> with GDPR.

People are complaining about the corrupt business model of massive misuse of
personal data.

~~~
donohoe
Its not that simple.

The may have a parent company that does have an EU presence making the parent
company liable in the event of a violation.

------
Nursie
The GDPR stuff has opened my eyes to just how widespread data tracking and
sharing has been.

I went to a small local news site to read a story, I think it was for "Wales
Online" and got presented with the options box. After clicking through to look
at their advertising 'partners' my data could be sent to, I found a list of
probably 200 different entities.

Presumably, for being a local news thing, this means that they have used some
sort of advertising and analytics framework that plugs into some middleware
system and from there passes out what it knows to these other places. I can't
imagine each one is individually in the codebase.

What it exposed was the massive extent of what's going on. To access just a
few hundred words of text, my details and activity would be passed on to an
unbelievable array of companies. I'm very glad the GDPR has come in.

------
dotancohen
Thank you for this list of websites that I'll never use, even though I'm not
in the EU.

------
sjmulder
What I think would also be useful (or more useful) is a list of sites that
blatantly don't comply in popular ways such as requiring tracking consent ("By
continuing to use …") or assuming consent, often making it hard to opt out
("You need to enable third party cookies and visit these 95 places to opt
out").

Right now ICOs can't even begin to hunt down all the small offenders, but once
case law builds up and we have such a list bulk processes can be set up.

A browser extension could be used to ease reporting and even detect popular
noncompliant solutions.

~~~
cyborgx7
Yeah, all the website manufacturers seem to have severly misunderstood what
"opt-in" means. I hope they get some hefty fines to make them comply.

------
nkkollaw
I think we should rephrase, it's not "because of GDPR", it's "because of their
incompetence".

I have made a few sites GDPR-compliant, and honestly unless your business
practices are based on exploiting people's data, it's not that hard.

~~~
donohoe
Unnecessarily harsh.

It often comes down to advertising. No one (and I include Google and others in
this) has properly figured out GDPR compliant advertising IMHO.

The effort of disabling ads for EU visitors is higher than just blocking EU
visitors if you don't have a lot of resources.

~~~
nkkollaw
I think you're confused about what GDPR requires from companies.

The whole thing is simply about not collecting data you're not supposed to
need in order to provide the service, and whatever you do it must be opt-in.

The only reason why a company needs to block a whole continent is that they've
based their whole infrastructure on exploiting the user's data to such a level
that they cannot provide their service without collecting and retain data
they're not supposed to collect.

As for "a lot of resources", Instagram and the L.A. Times should have enough
resources to become compliant.

------
KineticLensman
I haven't exactly done a scientific survey here, but what is interesting is to
click the links and see what response comes back (I'm in the UK, still part of
the EU). Here are some of them:

* Sorry, this content is not available in your region.

* The precondition on the request for the URL / evaluated to false.

* Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. "

* 451: Unavailable due to legal reasons

* Error code 16. This request was blocked by the security rules

* Apologies! The site you are trying to visit is not available in your area. Please note, to comply with GDPR we have purged our newsletter lists and databases for anyone located within the European Union. Thank you for your interest.

* 403 ERROR The request could not be satisfied.

* We're sorry you’re not able to access the site at this time, but this is a temporary measure to ensure we can best protect your data under new privacy regulations. We value your support; thanks for your patience and we can't wait to have you back!

I find it interesting that some present the problem as a technical problem
whereas others explicitly mention a region problem or even GDPR

I also found a couple of places where the sites are in fact accessible, e.g.
instapaper.com

The vast majority of the sites seem to be US local news sites, so perhaps to
them providing access for EU citizens isn't really a key goal

~~~
seszett
> _The vast majority of the sites seem to be US local news sites_

That's even more weird since they are explicitly not covered by GDPR, because
their target audience is obviously not based in the EU (and they most probably
don't do any business in the EU either, so are completely out of reach as
well).

It seems to me like they are the very websites for which this exemption was
intended.

~~~
josteink
> It seems to me like they are the very websites for which this exemption was
> intended.

That doesn't help much when every US arm-chair lawyer (like the techies here
on HN) spends all their time causing paranoia and telling everyone how even
_access logs_ are illegal now under GDPR, and how they will be brought into
bankruptcy by the EU.

Ofcourse the business-people are going to panic when all they hear are their
techies are telling them that EU is going to shut them down.

Whatever crappy legal regime these US techies will be stuck with in the
future, one thing is certain: they brought it onto themselves.

------
jlengrand
Interesting that there are quite a few news websites in there. GDPR is better
for users overall, but due to websites not willing to reduce their user
tracking practices some news sources become less available.

~~~
donohoe
Its not all about 'unwilling to reduce' its often a matter of not knowing how,
or which ones are compliant and which ones are not.

~~~
jlengrand
Don't disagree! The reasons could be multiple. What is the reason to spend
money to be compliant to european laws for a local californian newspaper?

What I find interesting is that they took the time to raise a location based
405, so they seem at least aware of it !

------
franciscop
It'd be nice if there was an Alexa ranking column and sorted by that instead
of alphabetic.

~~~
sshine
Yes, right now they are ordered by how little I care.

------
mtgx
"Because of websites not willing to stop tracking users against their freely-
given consent."

Fixed that for you.

~~~
fiiv
I agree, it's really not the legislation that should be blamed, it's the
crappy websites.

~~~
BjoernKW
It's both. The legislation, while based on good intentions, isn't exactly a
prime example of an easy-to-implement, consistent set of rules.

There's no excuse for larger players to not implement these rules. Many
smaller players however, struggled and in some cases still struggle with this
because some of the rules are rather vague (sometimes intentionally so in
order to be future-proof) and hence open for interpretation.

There's the rub: While the law is clearly targeted at larger companies - to
the extent some have called it Lex Facebook - it's the smaller companies and
hobbyists, for whom implementing GDPR is more of a problem. I wouldn't be
surprised if, in the long run, companies such as Facebook actually benefited
from GDPR, at the expense of smaller competitors.

~~~
fiiv
What part of it do you think is hard to do for small business exactly?

~~~
BjoernKW
I described some of the issues small businesses are faced with in this comment
on an earlier article about GDPR:

[https://news.ycombinator.com/item?id=17099878](https://news.ycombinator.com/item?id=17099878)

------
zorked
And nothing of value was lost.

------
jzs
I can't figure out what i think about it. Most of those are of no use to me
anyways as a European citizen.

However were i interested in US local news i'd be sad not to be able to access
them.

From the websites point of view, i guess there's not enough money to be made
from people located in the European union. They are certainly not targeting a
global audience. In the end, they are free to choose.

------
amelius
Why is this useful? I'd rather like to see a list of websites that someone
_needed_ to visit but couldn't because of GDPR.

~~~
SiempreViernes
Clearly it is a list of website someone _tried_ to visit, judging if they
actually _needed to_ is a tad police-state.

------
mdrzn
So, any chance to blacklist them from HN? Or at least offer an alternative for
EU-members? There must be a couple millions on this platform, I guesstimate.

I'm still hoping for the "Outline it" link right after the "web" one.

------
megous
Why is it all mostly news websites?

~~~
Freak_NL
Local and regional news media like newspapers are often owned by large
conglomerates that hold dozens, if not hundreds, of titles. These are likely
to follow a single guideline with regards to the GDPR.

------
dmortin
There could be a browser extension which opens these pages via US proxies when
blocked.

------
__BrianDGLS__
I can access them and I'm in the EU...

By not available what do you mean?

~~~
danols
Same. I clicked 5 of them at random and only 2 was blocked for me.

------
yakamok
i honestly like the fact these sites block access, for me its a sign they
don't care about users privacy or are just too lazy to comply. I have several
projects that need to comply with the GDPR, i did not feel it to be a big
effort to comply.

I currently block sites with annoying pop ups or show failure to comply.

------
Freak_NL
Where can we submit pull requests? Plenty of crappy websites missing that do
show up in search engine results.

------
notimetorelax
Random two I tried loaded for me. I’m in Switzerland, though. Maybe it makes a
difference?

~~~
messe
Well, for one thing, Switzerland isn't in the EU.

~~~
oblio
It's in the EEA
([https://en.wikipedia.org/wiki/European_Economic_Area](https://en.wikipedia.org/wiki/European_Economic_Area)),
so GDPR still applies.

~~~
repolfx
It's not in the EEA and your own wiki link shows that.

Switzerland is not under GDPR however, unfortunately many American sites
assume EU = Europe. This is understandable because so many EU supporters
insist on using the word "Europe" when what they actually mean is EU, in order
to create this exact impression (and to confer on the EU the sense that it's
as large and stable as a continent).

~~~
oblio
To-may-to, to-mah-to. They're in EFTA.

[https://en.wikipedia.org/wiki/European_Free_Trade_Associatio...](https://en.wikipedia.org/wiki/European_Free_Trade_Association)

> They adopt almost all EU legislation related to the single market, except
> laws on agriculture and fisheries.

[https://blog.kpmg.ch/eu-data-protection-regulation-also-
conc...](https://blog.kpmg.ch/eu-data-protection-regulation-also-concerns-
switzerland/)

> When the Swiss Federal Council has engaged the Federal Department of Justice
> and Police to draft a revised DPA, which is expected by end of August 2016,
> it was the decision of the Swiss Federal Council to draft the revision in
> due consideration of the EU data protection regulation. The Swiss Federal
> Council also outlined, that it is economically important for Switzerland to
> be recognized as a country with an appropriate data protection level for the
> EU. Hence, the revised DPA is likely to be influenced by GDPR’s principles
> and will likely include largely analogical rules and provisions. According
> to the envisaged timeline, the revised DPA should be enacted around the same
> period as the GDPR, which is beginning of 2018.

Switzerland is for most intents and purposes in the EU, minus a delay of
several years of applying the EU acquis (EU body of laws concerning countries
part of the single market).

------
fmajid
List of websites with despicable privacy practices

FTFY

------
erikbye
Good riddance.

------
yumashka
By the way, some of them are not accessible from Russia. :) But Russia is not
in EU/GDPR. <sic>

------
BearsAreCool
The number I am more interested in is how many websites don't comply with the
GDPR but don't block EU residents from viewing. One website I use basically
said "We're too small matter, nobody will care if we don't comply" and I
imagine there are many other websites like that.

