
CoinTouch.com shuts down, citing EU GDPR regulations - cbeach
https://www.cointouch.com/
======
KingNoosh
I just want to point out that this is the same creator as StreetLend[0] who has
previously posted the same thing but under their other startup.

[0] https://news.ycombinator.com/item?id=16954306

~~~
madeofpalk
Really, it's just more FUD.

> _GDPR threatens website owners with fines of 4% of turnover or €20 million
> (whichever is higher) if they do not jump through a number of ambiguously-
> defined hoops._

...No. GDPR certainly doesn't. The often quoted "4% of revenue" fines are the
upper bound of fines for the serious _intentional_ and continuous
violations.[1] Spreading information like this is almost certainly the
textbook definition of FUD.

GDPR is, largely, 'common sense' regulation. At the gist of it is "be
responsible with users data". If you want to store personally identifiable
information, that comes with it a set of responsibilities that you have to
keep on top of. Delete data when users ask for it. Inform users about what you
do with their data. I really think that's the minimum you could ask for.

 _Edited fines to align closer to the language used in the actual regulation_

[1]: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions

~~~
cbeach
> The often quoted "4% of revenue" fines are the last step after warnings and
> smaller fines.

Are you making a legally binding guarantee there?

~~~
ryanlol
This comment right here is a _perfect_ example of FUD.

------
dvt
> Young websites and non-profits cannot afford legal teams. Therefore the risk
> posed by GDPR is unacceptably high.

I was going to post something on the previous post (re: StreetLend), but I
guess I'll say it here: this is a bunch of nonsense. There are _plenty_ of
other regulations that can land a young startup in hot water (DMCA, for one,
which, by the way, carries a 5-year potential jail sentence as a penalty) and
yet we're seeing _more_ tech startups in 2018 than we did in 1998, not less.

This whole hoopla is just posturing.

~~~
throwaway2016a
DMCA is trivial to comply with compared to GDPR. The two aren't even remotely
comparable.

PCI is more comparable and it would take roughly speaking 16 years of
negligence to rack up the MINIMUM fine for GDPR.

As people pointed out you are unlikely to actually get fined. They say only
egregious violations will get fined but the risk is huge in comparison so even
if there is a 0.01% chance that may be too risky for many businesses.

~~~
AstralStorm
Is it really trivial though? You can be jailed as an accessory under DMCA for
not filtering user content or not responding to takedown notices. (Even if it
just was a mail server malfunction.)

Compared to this, GDPR is a walk in the park, mostly identical to current privacy
laws in the more aggressively private countries in the EU.

------
theptip
I keep seeing this sort of claim:

> The law, combined with parasitic no-win-no-fee legal firms, puts website
> owners at risk of vindictive reporting. Young websites and non-profits
> cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably
> high.

Perhaps there is a legal difference in the UK/EU that I'm missing, but surely
you could be operating this business under a limited liability entity, in
which case the worst-case situation is you get a GDPR lawsuit, and fold your
entity at no personal cost.

In the best case, you don't get a GDPR lawsuit because i) it's actually not as
bad as the FUD is making out, or ii) you get lucky. Either way, you didn't
need to shut down your website.

If you can't/won't spend the money to set up a limited liability vehicle,
that's a different matter entirely than you "cannot afford [a] legal team".
The former is O($100), the latter is O($10k) or higher. So yes, a new barrier
for hobbyists, but not in a different order of magnitude than server costs.

------
cft
Many independent developers / geeks are afraid of any regulation, regardless
of its merits or whether they are potentially compliant or not. They only want
to write code, not to investigate/fear compliance. GDPR is a hammer that hit
the very small start-up landscape pretty hard.

~~~
madeofpalk
Eh. Cost of 'doing business'. I saw the analogy last time when the same author
posted their last "I'm shutting this down because of GDPR" post - chefs still
have to follow food safety regulations, even if they just want to cook food.

You want to write code? Deploy it to localhost:8000.

You want to launch something online and collect user data? Be responsible with
it.

~~~
notadoc
> Eh. Cost of 'doing business'.

For fun, let's say I visited one of your personal project websites, say
something like a tax estimator, and it uses Google Analytics, maybe some web
fonts, and let's say you're serving ads on that website so that you can make
it support its own web hosting fee. It's also hosted on your own server.
Therefore you are storing and processing my data, for someone else, and
perhaps for your own internal usage as well to determine if your tax estimator
project is worth pursuing or keeping online.

Unfortunately when I visited your theoretical side project, you did not inform
me that you are storing or processing my personal information!

What are you doing with my personal information, like my IP address?

I'd like to request a copy of my personal information from your side project.

I'd also like to update my personal information as stored on your side
project, so that it is kept accurate.

I'd also like to request a copy of my personal data be delivered to a third
party of my choosing.

Have you appointed a data protector officer for this side-project yet?

Have you appointed a representative within the EU yet?

Can I get a copy of all the contracts you have in place with data processors
you may be using?

Finally, I'd like to request my personal data from your personal project
website, and I'd like you to delete it from your servers and all services that
were accessed via your website.

Sound good? How's your side project going? Is this onerous yet? This is just a
"cost of doing business" with your side project, right?

~~~
madeofpalk
Heh. Unsure if you got this on a fluke or you know me/looked me up - do you
mean my site [https://austax.money](https://austax.money)? I don't have ads
though.

Look - to be honest, that's probably something I need to think about some time
soon. A very realistic probability might be that I can't be bothered looking
too much in depth and I'll just shut it down, but I won't be too upset about
that.

Only thing is that I won't go spreading some diatribe around the internet
about how EU regulation is killing me. I will acknowledge that it was my own
laziness that led to me shutting down the hobby tool I built a few years ago
and no longer have a need for.

~~~
notadoc
Hypothetically, though it looks like you also have side projects that are
relevant to the topic. I would assume nearly everyone on HackerNews has or had
side projects that are using similar third party data processing, analytics,
ads, and perhaps even their own linode hosting such projects, all gathering
what GDPR determines is "personal data" like IP addresses, or maybe email
addresses and names for signups and so forth. Now do you see why this is a
hassle?

But really, how do you plan on complying with GDPR for your side projects?

> I will acknowledge that it was my own laziness that led to me shutting down
> the hobby tool I built a few years ago and no longer have a need for.

What if that hobby was ramen profitable? Same decision?

------
DanBC
> The law, combined with parasitic no-win-no-fee legal firms, puts website
> owners at risk of vindictive reporting.

OP has misunderstood how the law operates.

It's not possible for an individual to take legal action. The regulator does
this. The fines are fines, and they're imposed by the regulator and paid to
the regulator. They're not compensation paid to the victim.

This means there's no payout for lawyers.

OP got this badly wrong, which makes me think they know very little about GDPR
and are just making some political point about regulation.

------
ryanlol
I guess you're based in the UK, were you previously compliant with the Data
Protection Act of 1998?

If not, this seems rather stupid.

------
notadoc
Any US lawyers want to comment on how GDPR, an EU regulation, impacts US-based
business, startups, hobbyists, etc?

If it's an EU law, if they're based in the USA can they simply ignore the EU
law? Or move to the USA?

~~~
ryanlol
IANAL but this depends entirely on how much exposure you have in the EU. If
you have none, then you can safely ignore GDPR.

------
jahvo
Good, one less website owned by irresponsible people in existence. :-)

