
GDPR for lazy people: Block all European users with Cloudflare Workers - jgrid007
https://apility.io/2018/05/25/gdpr-lazy-block-eu-users-cloudflare-workers/
======
jeremyt
I’ve been reading hacker news for about a decade, and it’s getting to the
point where I don’t think there are many entrepreneurs and/or technical people
on here anymore.

The number of people who are saying it’s no big deal to comply with this huge
law, especially for very small startups, is mind boggling.

Let’s just take one feature: the requirement that you can permanently delete
all of your information. Most early-stage startups use the (in 2008, when I
did mine) best practice of “delete=1”. Changing your whole database over to
permanent cascade delete is only easy if you’re a very experienced programmer
or someone who knows what he’s doing. And that sets aside the fact that even if
you know what you’re doing technically, there are lots of business logic
problems with just deleting things out of the database, and anonymizing users
is very tricky.

I was not a great programmer when I started my first startup. I was learning
as I went along.

We couldn’t afford a lawyer, and the amount of time for me (the only
programmer) to go through and read all the regulations and make all the
requisite changes in the product I would estimate might take on the order of a
month or two, which if timed poorly would’ve killed our company. I say again:
at an early stage startup with one programmer, you cannot have that one
programmer spending two months on compliance.

It’s just gotten to the point that there’s one comment after another
responding to this regulation or that regulation or this situation or whatever
with “well, just call HR”, or “I can’t believe you don’t have a company policy
for that!”

Or “well, just ask your lawyers”. It ain’t that easy. Do you have any idea how
much it would cost to have “your lawyers” go through the GDPR, tell you what
you need to do, and deal with all of the edge cases and gray areas? $20k or
$30k doesn’t seem too high.

My biggest fear is that all of these complex bureaucratic laws are just
raising the bar for doing a startup. Maybe the days of two people doing a
startup in someone’s garage should be in the past? If so, that makes me kind
of sad.

Regardless it’s not obvious that GDPR is the right policy or that it’s well
designed or clear.

~~~
gerdesj
I'm a Brit. I am the MD of a small IT company. I have two partners and 20
employees. We started in 2000. We turn over about £1.5Mpa. We sell our
services to people and organisations. Our backups are smaller these days
(thanks to GDPR).

I understand that because you are outside the EU you might feel like a target
but that is not the point of GDPR. There is no way on earth that the EU as a
whole has looked on your company/project or whatever and decided to screw you.

Have a look at the first few paras of this: [http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679) after it says "Whereas". Does the
language look a little familiar? Do the sentiments look strangely familiar in
some way?

GDPR is not about destroying people's livelihoods. It is about protecting
basic, fundamental rights that say 30 years ago we never knew needed to exist.

After all the knee jerk reactions have calmed down a bit, you may find that
you personally have benefited in some way from EU regs. If you find that, then
I suggest you fight tooth and nail for similar to be enacted at home. I'll be
the first to thank you for that.

~~~
eli
It's reassuring to hear that the GDPR is not meant to target little startups
and projects but I would like it a lot better if it said that in the actual
law, rather than just trusting all current and future regulators to treat me
kindly.

If it's only meant to be used against big companies or extreme offenders, why
doesn't it say so? It seems like the spirit of the law and the language of the
law are not aligned and in my opinion that's a sign of poorly designed
regulation.

I object to the idea that small projects should be ok with breaking the law
merely because they very likely won't get caught.

~~~
gerdesj
"but I would like it a lot better if it said that in the actual law"

Have you read the bloody law! [http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679)

This is legislation designed to protect not only me (as an individual) but you
as well (as a probable foreigner) from me!

~~~
fanzhang
Reading the law, I only see a single exception for small companies: Articles
30.1 and 30.2 don't apply to companies with fewer than 250 employees.

Out of an 88 page law, 1% of an auxiliary middle of the law is carved out for
small companies.

I'm not sure that counts as differential application for small companies. In
the US at least, large portions of entire key burdensome laws don't apply for
employers below size 50, 10, 5, etc. This does not seem to be the case here.

Does anyone know whether an official impact study on innovation was even done
before its passage?

~~~
camillomiller
You can be a company of ten people and still turn over millions by selling
your users’ data in shadowy ways. Why shouldn’t you be stopped just because
you’re small? How can the size of a company be used as a rational
differentiator in a law like this?

~~~
Clubber
Because the vast, vast, vast majority of small companies aren't turning over
millions of dollars. That's the same logic as, "some people cheat on welfare,
so let's defund it." This logic gets pushed around a lot by GOP pundits.

The law may be good as a whole but be overly burdensome for small companies.
You should at least acknowledge that instead of just dismissing that outright.

------
ThJ
I keep seeing these posts on how to block European users to avoid the GDPR. As
a citizen of Europe, seeing these posts consistently making it to the front
page is disappointing. It would seem that Silicon Valley perceives the GDPR as
more of a hindrance than an opportunity to offer users better privacy. Nothing
has been learned.

~~~
tquinn
I feel the EU regulators could stand to learn something. If EU citizens are a
small portion of your users, and you're tasked with parsing this document
[http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679)

just blocking them doesn't seem like that bad of an idea, especially with the
fines involved.

I think the things that bother me are:

1) A college student working on a side project with no revenue is treated the
same as some massive multinational.

2) It's a foreign requirement that feels like a violation of sovereignty. Most
business/startup owners complain about there being too many domestic
regulations; now we have to worry about things outside of our own countries --
that also can come into conflict with our domestic tax authorities on things
like data retention. An international agreement would be entirely different.

3) The GDPR requires clear and concise language, but the regulators have done
nothing of the sort when writing the regulations. For most websites outside of
the EU, could they not have produced a concise 1-2 page infographic
themselves?

~~~
takeitto
> It's a foreign requirement that feels like a violation of sovereignty.

Sure, if you cater to users in your own country. If you cater (read: deal with
data) to users from the EU, you should follow local consumer protection laws.

EU laws have always been more strict than US privacy laws: This caused unfair
competition, where US companies were free to export their privacy-damaging
business model overseas, while local companies were forced to respect privacy.
Respecting privacy is just not very competitive/profitable at the moment.

Your viewpoint pushed to the extreme (sorry if you don't recognize your
original view): China selling counterfeit goods or unsafe toys to the US, and
feeling like any push-back is messing with their sovereignty of lax copyright,
trademark, and health laws.

~~~
eli
What does it mean for a website to "cater" to just my home country? The
internet doesn't know political boundaries and most sites cater to all
visitors on some marginal level.

~~~
askmike
Most websites are products nowadays. If you have a simple blog without
trackers and ads this is really not going to affect you that much.

> The internet doesn't know political boundaries

Tell that to this US law the whole world has to comply with, called the DMCA.

~~~
eli
Even my simple blog with no ads has google analytics on it. I don't feel like
I was doing anything wrong or abusive, but I guess there's a case to be made.

I assure you I have been against the DMCA since before it passed, though I
don't think it's quite the same nor do two wrongs make a right.

~~~
ForHackernews
Maybe you aren't, but Google probably is. You're helping Google monitor
individuals everywhere they go online.

------
anfogoat
My biggest _annoyance_ with GDPR and its advocates is the constant touting of
"giving users control over their data" when in reality it is hindering
voluntary actions that by their nature require some of "my data". If I want to
service a small group of people with, say, an XMPP network, and those users
are willing and eager to just go with it without any of this bs with terms and
three-letter EU dictated roles, then it should be possible. When you've made
it prohibitive, then you've done something wrong IMO.

My biggest _fear_ regarding GDPR is that, to me at least, it seems like a one-
size-fits-all regulation for a world where only organisations are allowed to
run services, and where all services are centralized. Which is not the world
we live in (yet).

~~~
partycoder
GDPR is simply a response to abusive behavior. May not be the best response,
but it was about time.

Then, it is surprising to me that Americans are against a national id card,
but are not OK with a privacy protection law.

~~~
thisone
I believe it's because, in general, Americans distrust government and trust
corporations.

~~~
casefields
We distrust both but only one has a monopoly on violence that can be pointed
in our direction at any time.

~~~
throwawayxbz
I guess we’re just kind of ignoring things like credit bureaus, who sell
financial data about you whether you like it or not, and god help you if you
miss a payment. But hey, even if you don’t screw up, maybe something gets
reported wrong, or maybe you just don’t spend like the algorithm wants you to,
and your credit, and thus your life, is ruined.

I guess we’re also ignoring private health insurance companies and how they
can just kind of, you know, deny you for any reason. But it’s cool because
your insurance is dependent on a benevolent private company providing you
employment.

See where I’m going with this? The Ayn Rand “government is violence” nonsense
needs to stop. It’s not corporations vs. government, it’s powerful
institutions vs. we, the plebes.

------
shiado
I simply don't understand how or why a law that has scope in the EU is causing
trouble for companies which conduct no business in the EU beyond responding to
HTTP requests on a global decentralized telecommunications network. Why would
an American internet business which conducts no operations in Europe and has
no servers in Europe be subject to regulation that affects the EU? What is
going to happen? Is the EU going to target American banks or American
businesses and try to extract fines? Is the EU going to extradite owners of
these businesses? Are EU courts going to issue default judgements on
businesses and individuals?

~~~
jacquesm
> Is the EU going to target American banks or American businesses and try to
> extract fines?

You mean like America? That time when the USA decided to enforce _their_
embargo against Cuba by intercepting a payment from one of the Nordics for a
bunch of Cuban cigars? No, that's unlikely.

> Is the EU going to extradite owners of these businesses?

Extremely unlikely; besides, that would require the cooperation of the other
country. But - and this is interesting - the other countries typically expect
the EU to cooperate with extraditions when the law is broken, and we do. So who
knows.

> Are EU courts going to issue default judgements on businesses and
> individuals?

Against individuals: unlikely, but it could happen. Against businesses, that's
typically how things go when one party doesn't show up.

But note that for that to happen you first have to ignore the regulators for
long enough to get them really pissed off, an action I would recommend
against.

~~~
davesque
> You mean like America?

Ahh yes, one of my favorite logical fallacies:
[https://en.wikipedia.org/wiki/Tu_quoque](https://en.wikipedia.org/wiki/Tu_quoque)

~~~
speakeron
_Tu quoque_ is not a logical fallacy. There's no logical step that's violated.
It's an _informal_ fallacy.

~~~
davesque
Technically, yes. It's an informal _logical_ fallacy. The point is that it's a
pretty ineffective means of advancing the discussion.

------
davidgh
Compliance with GDPR for an existing small business might be tricky. But...

I’ve been in the “online payment processing” space for decades. When I first
got involved, there were no central guidelines for handling sensitive credit
card data. And to be honest, there was a lot of neglect within the industry as
a result. As I share memories with my colleagues of what was done in the early
days it is laughable and a horror at the same time. We were all learning on
our feet.

When PCI was introduced in the mid-early 2000s, it was not easy to undo / redo
things to be compliant. It took time and cost money. At the time I wished I
was working on features rather than “compliance”. But we got there. It didn’t
kill us, and in the end we had a better service because of it.

Fast forward a decade and I found myself working on another startup in the
payments space. PCI compliance was in the very fabric from which we started -
we designed things from the very beginning with PCI in mind. And that made PCI
much easier overall because every decision contemplated PCI.

I feel GDPR will be similar. It will be a transitional burden because existing
businesses will have to undo some practices and that is hard. But going
forward startups will build services with GDPR in mind from day one, weaving
compliance into the fabric of the product piece by piece, and everyone will be
better off for it.

I’m sympathetic to small businesses that face a difficult transition. But I do
feel that the burden is in the transition, and not something that will hang
overhead forever.

~~~
marcodave
That's a very good approach and mindset. Now the tide has passed, let's wait
until the waters calm down.

------
jotaen
I think the most important part about the post is at the very end:

> Please don’t take us seriously

> This is an example of all the things you can do with Cloudflare Workers and
> our API. If you like it, please spread the word! But hey, don’t take us
> seriously. We just wanted to take the drama out from all the GDPR madness
> out there.

Anyway: just for academic interest I’m curious how much this increases the
overall request latency, as there would be one additional blocking HTTP call
at the beginning. Do you have any benchmarks for that API call to check the
blacklist?

~~~
logronoide
You can see the average latency here:
[https://status.apility.io](https://status.apility.io)

But Cloudflare has servers very close to our endpoints around the world, so I
guess < 50ms if you don't use SSL could be a good estimation.

We are working hard to reduce the amount of time to establish the connection.
It's about 80% of the time of the request.

~~~
kentonv
If you make sure that the response is cacheable, then Cloudflare will cache it
at the edge and so only the first check for any particular IP will be slow.

What makes a response cacheable is a little complicated. There's cache
headers, but also some heuristics involved. However, you can override all of
that from a Worker by passing an explicit cache TTL to fetch():

    fetch(url, {cf: {cacheTtl: 86400}})

This will force Cloudflare to cache the response at the edge for one day
regardless of anything else. (Note: The documentation currently claims this
option is available to enterprise customers only, but as of this week, it
actually works for everyone. Docs to be updated soon.)

~~~
logronoide
Yes, you should cache as much as you can to reduce the latency. We have some
examples using NGINX and Lua to cache at the very edge and reduce roundtrips
to our endpoints.

Probably I will give it a try on Workers another Friday afternoon.

------
logronoide
I'm the author of the post. My most stupid post is on HN! Crazy! I just wanted
to be sarcastic and make some laughs about people blocking all traffic from
Europe, which is crazy!

It's a Friday afternoon blog post to show how cool my product is with
Cloudflare Workers and having fun at the same time!

~~~
matte_black
It's no laughing matter for some companies. EU citizens have turned into pests
overnight. There are businesses who don't make enough money from the EU to
justify compliance with the regulations.

~~~
disconnected
> EU citizens have turned into pests overnight.

More than USA citizens with dubious DMCA takedown requests?

~~~
freedomben
This strikes me as the typical political response when you are backing a
terrible candidate and somebody points out something terrible they do/did.
Rather than defend your candidate you respond by attacking theirs. My kids do
this all the time when I catch them doing something wrong, "well #{brother}
was doing #{badthing}!"

Both seem wrong, can we agree on that? DMCA is a disgusting weapon, as is _a
lot_ that the US has done. Does that make weapons created by Europe ok?

~~~
pjscott
It's been around long enough to have a short name in a dead language:

[https://en.wikipedia.org/wiki/Tu_quoque](https://en.wikipedia.org/wiki/Tu_quoque)

~~~
freedomben
Oh man, that's genius. Totally gonna bookmark that.

------
codazoda
I run a simple personal blog. I make a meager $200 a year or so from targeted
ads on that blog. I have AdSense and Analytics collecting what they collect.
My stats have IPs, countries, browsers, OSes, list of pages a visitor looked
at, etc. I look through the info on occasion to decide which random rambling
I wrote that I should improve or update on the site. This is a hobby but it
has expenses and income so it's effectively a business.

At $200 a year there's no point spending even a few hours to figure out if I
need to ensure GDPR compliance in the first place, much less to do so. No point
in figuring out how to erase users if I should ever be asked to, etc.

Last night I tried to log into AdSense and turn off targeted ads because I
figure that handles most of my risk and is one of the evils people seem to be
trying to kill. I couldn't find the option, only found old articles about it
"coming soon" on Google, and got nowhere in a half hour or so.

Are there any limits to the sizes of companies that have to deal with this?
Blocking EU might be the only real option I have (although some say that's not
even enough).

~~~
ryanwaggoner
You filthy person. You're violating people's human rights! Shut it down
immediately or face the consequences! The world is better off without your
dirty honey trap that tries to STEAL AND THEN _SELL_ USER DATA!!!

/s, obviously

This is only _slightly_ more hysterical and illogical than the typical fan of
the GDPR on HN seems to be.

IANAL, but if I were in your shoes, I'd either block the EU if that's easy, or
just ignore this entirely. They can't enforce anything.

------
johnrichardson
A trend I've noticed from lurking and browsing these comments: commenters who
have experience taking risk and operating under existential conditions in
stressful, budget constrained companies (AKA, startup founders) tend to be
critical of the GDPR.

Commenters who work as 9-5 employees or have never started a company (or at
least, don't mention as having done so in their profiles) tend to be more
supportive of the GDPR.

Funny how that works...

~~~
scarlac
A little nuance to your stats: I've spent the majority of my career in
startups, mostly my own, many times struggling to survive. Never worked in a
comfy big corp. I currently work in a startup and my hours are far from 9-5.

 _I support GDPR._ It's the first reasonable solution to privacy I've seen.
And I hated the cookie alerts. The transition is tough and we're fighting to
figure it out at the moment. But the basic principles in GDPR are solid.

------
zenovision
I plan to completely ignore GDPR laws and will modify neither my privacy
policy nor my SaaS product, even if I have a lot of customers from the EU.

~~~
Bud
Why? You're opposed to privacy? And how do you plan to react when you get
penalized?

~~~
zenovision
I do care about privacy - I don't use Analytics on my website, don't show any
ads, don't send marketing emails and don't sell customer data to anyone.
However, I will not comply with that bureaucratic law, because the EU will not
be able to enforce it in my country and I have much more important things to
do to stay competitive on the market (I have a lot of competitors).

~~~
anf
Do you send user data anywhere in a way users may not expect? If not there's
probably nothing to comply with. It's really the opposite of bureaucratic law
— the entire thing is quite readable and reasonable.

~~~
chernobogdan
It's going to become cookie law v2 with more annoying opt-ins.

------
DanBlake
Considered this before, but it doesn't work. IIRC, the law applies to euro
citizens both living in country and abroad. As such, geoip blocking is not a
working strategy (a French citizen who lives in Japan still has GDPR rights).
A better one would likely be a clickwrap agreement for all users stating
"European citizens are not allowed on this service", which they have to
confirm by ticking an "I am not European" tickbox.

~~~
logronoide
I'm the author of the post, and yes: blocking 500 million geolocated people is
crazy. That's not the spirit of the law.

I just wrote the post because if you want to overkill and you are lazy, you
can follow our recipe to 'implement' GDPR. I just wanted to be sarcastic and
also show how easy it is to implement Cloudflare Workers + Apility.io.

~~~
outside1234
On the contrary, if you are running a business where 99% of your customers are
outside of the EU, it's totally rational versus opening yourself up to massive
liability.

~~~
orf
You need to purge that 1% of customer data though. If you're accepting EU
citizens' data through _any_ channel - another business, them using a VPN, via
smoke signals - you need to comply.

~~~
dazilcher
Yeah, no, please stop this FUD.

You need to comply with the laws of the jurisdiction you operate in. If you
don't operate in the EU (and having a presence on a global communication
network does not qualify), EU laws are not applicable.

The onus is on concerned EU citizens to stick to .eu domains with a feel-good
GDPR-VERIFIED banner if they are so inclined, not on the rest of the world to
bend over.

As a non-EU business, I will pay my GDPR "fines" right after I'm done paying
my Iran and North Korea issued fines. Cheers!

~~~
orf
This, ladies and gentlemen, is exactly why the GDPR is needed.

~~~
dazilcher
For comedic effect?

Seriously though, I made no comment on the law itself so I'm not sure what
your point is. Most reasonable people would agree it's a good law in spirit,
and I wish I had some of those protections where I live.

But the notion that it can be enforced on non-EU entities is ludicrous.

------
8bitsrule
I'm glad to see that the EU has created a potent reason for US internet
services to take a hard look at their tracking/privacy feeding-frenzy.

When my ad-blocker tells me that 50 to 200 trackers are interested in me
reading some innocuous, unparsable word-blob, or watching some throwaway
video, I see that as a symptom of thoughtless hoarding and unreasonable
prying. This is not gathering intelligence: quite the opposite.

Were there some _demonstrable, substantial_ benefit to all this for the end-
user it might make a bit more sense. But there are no upsides to seeing shark
fins at the beach.

When I guesstimate the costs -- just those of energy usage, bandwidth and man-
hours, not to mention the rest -- and compare that to the supposed results
(only imaginary to me, the end-user)? Sorry, it looks like madness.

~~~
manigandham
> I see that as a symptom of thoughtless hoarding and unreasonable prying

It's a symptom of people not paying for content and news. Also the fact that
publishers want to provide equal and easy access to everyone regardless of
affordability.

> demonstrable, substantial benefit to all this for the end-user it might make
> a bit more sense.

The content you're consuming.

~~~
8bitsrule
Guess what, sir/madam? When I started using the net, there was plenty of great
content on bulletin boards and on usenet. And when the WWW started up, there
was plenty more great content. SHARED. Eminently affordable. And very, very
social. People talking to people, with no overseer/exploiter in between.

> publishers want to provide equal and easy access

What they want is money. 'Content' is what they've got to sell. And they hire
pros to jazz it up and fluff it up, never mind reality or reason.

You're never going to convince me that the commercialization and infiltration
of interpersonal communications is an improvement. (Except for snoopers and
exploiters.) And I'm _very_ sure that I'm in the majority on that one.

If it were up to me I'd limit all the advertisers to one TLD: .stripmall . And
then avoiding all the B.S. would be REAL easy. All the 'news' websites that
scrape their content would be there.

~~~
manigandham
> You're never going to convince me that the commercialization ... is an
> improvement.

Ok, then live in the past I guess? Both content quality and quantity have
vastly increased over the past 2 decades to meet the modern demands of
billions of people who are now online. This is fact, the world has moved on.
Either way you are not the arbiter of what is valuable content or not for
someone else. People choose for themselves.

Yes, publishers are businesses. They must make money to create commercial
content. This doesn't mean there isn't free content available, and in fact
there's more of it than ever before due to the trivial costs of publishing
media, but the rest of the stuff has to be paid for somehow.

As stated, consumers do not like to pay (often due to bad value assessment and
inability). Ads are much more granular, passive, and equally accessible
whether you're a billionaire or a 3rd-world farmer. This also doesn't mean
subscriptions and other patronage options don't exist; there are millions of
examples of those as well.

Does the implementation of advertising online suck? Yes. It's slow,
frustrating, privacy invasive and filled with fraud, but you're talking to one
of the few people who has pushed for regulation for the last 5 years. It's not
a new complaint and it'll take time to change a 12-figure global industry.

However if you think the world hasn't benefited from the commercialization of
the internet, with education, entertainment, and information creating progress
in every corner of the world, then you are most definitely not in the
majority. You're actually in such a minority that it's basically considered
the same as any other conspiracy group and largely irrelevant in any serious
economic, societal, political or business discussion.

I recommend revising your perspective and acknowledging the differences
between advertising as a concept vs the implementation, and especially the
progress that it has brought that has led to the world that you seem to take
for granted today.

------
chrononaut
I think there are a number of comments being made throughout this whole thread
that are conflating the effort required to comply with the best security
practices to protect user data, compared to the effort required to comply with
the language of GDPR. A general theme seems to be that if a company is afraid
to do the latter, they must not be willing to do the former.

Which brings up a question: is the complexity of building and offering a GDPR-
compliant solution really any different than building a solution that conforms
to best security practices? I wouldn't think there is much difference. What is
the remaining overhead to comply with GDPR? I am sure just understanding it is
a notable piece, but would the developers already be aware of all CWEs, BCPs,
existing laws and standards for their components, which would also be overhead?

~~~
zerostar07
GDPR is not about security but about privacy and data access protection. In
fact security is mostly on paper: it requires that you document the data and
procedures, but doesn't require you to upgrade your security. So the effort
for the one has little to do with the effort for the other.

~~~
chrononaut
Good point; the sentiment in the original post did mean to include privacy in
addition to security.

------
jakub_jo
Since there are IP addresses collected and sent to third parties without
consent, it violates the GDPR.

~~~
Psilidae
By that logic, doesn't the entire Internet fundamentally violate GDPR?

~~~
outside1234
Time to shut down DNS!

------
Jeremy1026
Keep in mind, just blocking traffic out of the EU does not serve as GDPR
compliance. EU citizens are covered by GDPR, not EU traffic. An EU citizen
traveling to the US is still afforded all the protections of GDPR as they do
back at home.

~~~
rarec
Genuinely curious; how is that even remotely possible to enforce?

~~~
bertolo1988
It's not. If you have any legal disagreement with a company outside the EU
they tell you to complain in that company's country of origin.

I experienced this myself. EU is absolutely powerless outside their borders.

------
bonsai80
Yes, please do block all those customers. What a terrific business opportunity
for new companies to enter markets previously full of strong competition!

------
smooc
I don’t see a lot of comments looking at the practical side of things. I am
implementing GDPR and here are some suggestions:

1. Collect only what is necessary for providing your service
2. Make clear what you store and for what reason
3. Ask for consent and give the opportunity to retract this consent as easily

Deletion:

1. PII means information that makes a person identifiable. This is the type
of information that you need to remove.
2. So if you are storing PII for the purpose of profiling, you will need to
disconnect the profile from the PII. E.g. you could use a user table where you
overwrite the PII with generic information. You can still use the now stale
profile without PII (for example in statistics, aggregations etc.), but you
cannot tie it to a single person anymore. I.e. you should not be able to
reconnect the person to the profile you have stored.
3. As technical possibilities evolve you need to improve the disconnection
over time.

There are legitimate business reasons to store some PII information. E.g. for
security reasons, other laws etc. So IP addresses don’t need to be deleted
from your web logs, but if not given consent you cannot use them for ads, sell
them etc.

The required clarity that GDPR will bring to your data is actually going to
benefit you. Your data scientists will love it, because the tooling that helps
with GDPR also helps with discoverability, data quality etc.

Enjoy GDPR, there is a lot of business opportunity in it.
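The disconnection step in the comment above, written out as an added example (not the commenter's code or anything from the linked post): a user row whose PII columns are overwritten with generic values, while the profile rows keyed by the same opaque id keep working for aggregates. The in-memory tables, the field names, and the contrast with the "delete=1" soft delete mentioned in the top comment are all constructed for illustration.

```javascript
// Added example: honouring an erasure request by disconnecting a person from
// their profile, as opposed to a soft delete. Sample data is constructed.

const PII_FIELDS = ['email', 'name', 'phone', 'ip'];

// Constructed in-memory "database": a users table and a pageviews table that
// reference each other only through the opaque id.
function sampleDb() {
  return {
    users: [
      { id: 'u-1001', email: 'alice@example.test', name: 'Alice Example',
        phone: '+49 30 000000', ip: '192.0.2.10', country: 'DE', plan: 'pro',
        erased_at: null },
      { id: 'u-1002', email: 'bob@example.test', name: 'Bob Example',
        phone: '+1 555 0100', ip: '198.51.100.7', country: 'US', plan: 'free',
        erased_at: null },
    ],
    pageviews: [
      { user_id: 'u-1001', page: '/pricing', ms: 1200 },
      { user_id: 'u-1001', page: '/docs', ms: 4000 },
      { user_id: 'u-1002', page: '/pricing', ms: 800 },
    ],
  };
}

// The "delete=1" pattern: the row is hidden from the application, but every
// PII value is still stored and trivially recoverable.
function softDelete(db, userId) {
  const u = db.users.find((row) => row.id === userId);
  if (u) u.deleted = 1;
  return u;
}

// Erasure that actually disconnects the person. PII columns are overwritten
// in place with the same generic value for every erased user (not nulled, so
// NOT NULL constraints and joins keep working); non-identifying attributes
// used for statistics stay; erased_at records that the request was honoured.
// If a column has a UNIQUE index, substitute a random, non-derived placeholder
// instead. Never use a hash of the real value: it can be brute-forced back.
function eraseUser(db, userId, now = new Date()) {
  const u = db.users.find((row) => row.id === userId);
  if (!u) return null;
  for (const field of PII_FIELDS) {
    if (field in u) u[field] = `erased-${field}`;
  }
  u.erased_at = now.toISOString();
  return u;
}

// Aggregates still work after erasure: pageview rows still carry the opaque
// id, but that id no longer resolves to a person.
function totalTimeByPage(db) {
  const out = {};
  for (const pv of db.pageviews) out[pv.page] = (out[pv.page] || 0) + pv.ms;
  return out;
}

// Post-erasure check: none of the original PII values of the erased user may
// survive anywhere in a dump of the database.
function leaksPii(db, originalUser) {
  const dump = JSON.stringify(db);
  return PII_FIELDS.some(
    (f) => originalUser[f] && dump.includes(String(originalUser[f])),
  );
}
```

Run `leaksPii` against a snapshot taken before the erasure: it should be true after `softDelete` and false after `eraseUser`, which is the difference the comment is pointing at.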

------
lsmarigo
To offer a non-dev perspective on HN, it feels like tech companies are really
trying to annoy us users with GDPR updates in an effort to nurture opposition
to similar proposed regulations in the future. I hope it doesn't work.

I love GDPR, getting rid of the WHOIS database stuff alone is enough to make
me a huge fan. The option to delete my data is also amazing.

~~~
saagarjha
Isn't this pretty much what happened with the cookie law? It states that
cookies necessary for the functioning of sites were ok, but everyone ended up
putting up those warnings anyways and it greatly diluted any benefit of the
rule and it ended up like Prop 65: warnings everywhere, even when they weren't
useful. Overall, it just led to the law being ridiculed.

~~~
CreepGin
Wait what? Really? All the annoying "cookie" popups I've seen were them
telling me the cookies were used for necessary function. I always thought it
was due to some European law. Are you telling me it's not even required by the
law?

~~~
Pulcinella
Correct. The “necessary” function was that the website and advertisers wanted
to track you all over the web. Login cookies and the like don’t require
notices so if you see a notice it was because they wanted to track you.

~~~
Eupolemos
I didn't even know that - thank you :)

------
hoppelhase
Hopefully, these actions will spawn european competitors that will eventually
take over the market. If you're ignorant and don't care about privacy, you do
not deserve better.

------
Exuma
Why wouldn't you use the built in `request.headers.get("CF-IpCountry")`?

This is a very weak and lame attempt at just getting people to use your
service when it's already built in...

~~~
apple4ever
Or even better, just use the Firewall to block by country. That's what we do
to stop bots from countries we don't sell in.

~~~
Exuma
I'd argue the web workers are better (although they are paid for), only because
you have full control over what to do with them (like showing them a message
that you're not GDPR compliant in their area yet, etc)

------
riantogo
That works. YMMV, but if you still want EU users here is what I did last night:
[https://medium.com/@riantogo/gdpr-band-aid-b619d0b17e5b](https://medium.com/@riantogo/gdpr-band-aid-b619d0b17e5b)

~~~
jacquesm
I like it for being to the point and actionable. Thank you!

------
doesnt_know
Plenty of other countries have similar, or even stronger consumer privacy
protection laws. It's not too much of a stretch to imagine the US eventually
becoming the outlier to the point they have a sort of self imposed "great
firewall".

The rest of the world will continue on without them, especially as the ~middle
class~ population explodes in countries where there previously wasn't one.

The US is really only the "center of the Internet" for primarily English
speaking countries, as the others have regional variants of popular US based
services. There is no real reason why things wouldn't just split out to Europe
and Oceania even more.

------
spockz
Isn’t the IP address of a person/data which is subject to GDPR? So this form
of blockade means that you need to disclose that you are using service X for
checking the black list and that they might track/ store data.

------
oldgun
Someone should really make a tool: use Cloudflare to block your own trackers
and user data collector and etc with one click :)

------
CameraSupra
I didn't get past the first paragraph. The site lobbed four interruptions my
way:

- Agree to cookie
- Forced "Do you want our newsletter" prompt
- Request to show notifications
- Pop-up icon to subscribe to notifications

... and one non-intrusive top-of-page banner notification, "Awesome! Your IP
is not in our blacklists of abuse...". This last item (when dismissed) may
have triggered the 4th item above.

Edit: fix list formatting

------
LinuxBender
How does CloudFlare know if someone is a citizen of the EU and traveling
abroad? In haproxy, I redirect a few accept-language headers, but even this
has its faults.

~~~
sp332
You're the third person to ask this and I'd like to ask you: is this idea
coming from a specific source? The law, like any other EU law, obviously does
not apply outside the EU. It applies to companies that do business in the EU
(even if they are based outside), but it can't apply to companies that don't
do business there. [https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)

~~~
chatmasta
You’re going to get downvoted for that comment, but you do raise a legitimate
question of enforceability. Sure the EU can say any company in the world who
has EU residents’ data should comply with GDPR. But... or what exactly? The EU
doesn’t have the power to fine companies outside of their jurisdiction. I
mean, they can try. But as far as I know there is no enforceability to ensure
that the company actually pays the fine.

For larger companies with offices in the EU (especially the ones headquartered
there for tax purposes), they obviously have no choice to comply. But what
about a small startup, with its only domicile and employees in the US?

What exactly could the EU do to punish a startup in that case? Unless they
have some enforceability treaty with the US, I don’t see how they have any
legal ground to extract fines for arbitrary laws defined in their
jurisdiction. The worst they could do is ask EU ISPs and/or payment networks
to block the offending sites, right?

~~~
tatersolid
Corporate counsel, who actually went to many of the lead-up conferences for
GDPR, said the data authorities from many member countries didn’t even
hesitate before saying they would file civil lawsuits against non-EU
companies.

Such a suit could be ignored too, but it would certainly be a PITA for
vacationing executives who get locked up in Italy for an outstanding summary
judgement.

~~~
tathougies
> but it would certainly be a PITA for vacationing executives who get locked
> up in Italy for an outstanding summary judgement.

It's a good thing there are a lot of beautiful parts of the world other than
Italy.

------
sepin4
As a person on both sides of this regulation I have to say I'm not conflicted
at all were I stand. On a professional level this will have a huge impact on
the firm that I've been employed for more than 5 years because of the legacy
practices used in the software. This has been the proverbial "clusterfuck" at
work. This might even have serious implications to the future of the firm as
most of our customers reside in EU. Nevertheless on a personal level I'm so
happy and relieved that finally something is being done to protect
information. In fact I believe that the tighter the screw on the regulation
the better. If some businesses have to stop entirely in order to reevaluate
what has been done, why it shouldn't be done this way(I like the analogy about
slavery I read in the comments here) and start from scratch if possible at
all, then so be it. Even if it threatens my job security(and I just bought
myself an apartment) I'd still be in favour of this. In fact I believe that in
a few years if this sticks it would be much easier if not trivial to deal with
GDPR regulations and then my only regret would be that this was not
implemented sooner.

------
donohoe
Assuming, and this is a big assumption, you can cookie (CDN level) or
otherwise leave an indication client-side that the visitor is from the EU,
then you can easily make the page GDPR compliant instead of blocking.

[https://github.com/donohoe/simple-gdpr-lockdown/](https://github.com/donohoe/simple-gdpr-lockdown/)

This does NOT solve the problem, its just (IMHO) a better alternative to
blocking.

------
kadenshep
The amount of dishonest conversation in this thread coming from supposed
"hackers" is extremely aggravating. These laws have existed in various forms
across several European countries for a few decades. It's now a standard
across all of the EU. This is to say, that these have been tried, tested,
found to be functional and useful; these regulations now have proper surface
area coverage.

This is good for both companies and users. It gives companies clear goals and
policies for how to treat users, their data, and what their users want to do
with their data.

I think what we're seeing is a light shining brightly on some pretty scummy
practices. It's _understandable_ why developers who rely on user ignorance to
make a profit/revenue would be bummed about this, because these regulations
are correctly placing the burden on you, the developer, to be forthright and
honest about what you're doing with people's personal and private information.

To developers who don't want to do business in an open and honest manner, who
rely on low brow tactics with user data, who didn't have the good sense to
know what was coming and plan for it: Good riddance. Try again.

------
amerkhalid
I agree it is raising a bar for starting a new business but I think this is a
good thing in this case.

As a victim of identity theft, I say that burden should be on entrepreneurs to
learn and write good code. I have written a lot of bad code myself but back
then everyone was writing bad code to get to market as fast as possible.
People who wrote good code and followed best practices for their users’
privacy and security were at disadvantage. This regulation evens out the
playing field, so now good guys/gals can compete too.

Also this is not hard if you were already following the best practices for
security and user privacy. Sure there is some new stuff like real deletes
instead of soft deletes. I can tell you from my experience that the people who
are the most stressed about GDPR are those who are working at the companies
where they had very bad dev practices. One of my friends who works at a decent-
sized ecommerce shop had to finally get rid of CC numbers in their logs. That
guy had been pushing for better security and dev practices but would get
overridden by managers and team leads.

I am glad that GDPR is finally forcing higher ups to finally improve their dev
and security practices.

------
globuous
Wait, I don't understand, this is blocking traffic from EU continent. I
thought GDPR was applicable for all EU citizens regardless of where they
physically are. And I may be wrong, but I thought it did not apply to non-EU
citizens surfing the web from the EU (although I may be wrong about that).

A more effective way might be to ask on page load if the user is an EU
citizen. You know, like some financial website asking you if you are a US
citizen on page load [0] (I remember Marshall Wace's old website doing it, it
looks like they do not anymore).

And EU traffic being the "most malicious" ? Is this satire, irony, or
something else ? Seriously, if I go on website W and they go through all the
dark patterns possible to collect and share my data without me knowing about
it and I'm the malicious one ? Better read that than being blind...

[0] [https://www.quora.com/All-of-a-sudden-Bank-of-America-is-ask...](https://www.quora.com/All-of-a-sudden-Bank-of-America-is-asking-if-I-have-dual-citizenship-in-the-U-S-and-another-country-They-have-never-asked-that-before-Why-is-the-bank-doing-this)

~~~
Bromskloss
> I thought GDPR was applicable for all EU citizens regardless of where they
> physically are.

Do you mean a company and its customer, both located outside the European
Union, would still fall under this law if the customer happens to be a citizen
of an EU country?

~~~
mickronome
That's how some US tax/banking codes already work, so it's not without
precedent. I don't remember exactly what it's called. But allegedly it's a
hassle for everyone involved, both banks and customers.

Ah, found it: "... is the Foreign Account Tax Compliance Act (FATCA), which
was passed in 2010 and will go into effect in January of 2013. The act
requires all foreign banks to identify and report on US citizens with accounts
holding more than $50,000 in an effort to clamp down on tax evasion. If banks
refuse to comply, they could face a punitive 30 percent withholding tax on all
payments from the US."

------
nkkollaw
Why is everyone losing his mind over this!!?

The law makes perfect sense, it's not that hard to be compliant, and
businesses with good ethics will already be compliant!

------
PeterStuer
Joking aside, I have yet to find a site that isn't using the whole dark
patterns book and then some to trick users to consent. Really disappointing.

~~~
iraphael
I received an email from a website I don't remember signing up for, and have
no clue what they do. After a few attempts I am able to log in. I go through
menu after menu looking for the "permanently delete all my data" button only
to find an FAQ that says

"Q: How do I delete my account?"

"A: Please get in touch with our Customer Services team if you have any
worries or concerns. If something at {website} has troubled you, we'll be
happy to help sort it out."

To their credit, the support chat person was very efficient in complying with
my request.

------
Tharkun
I know plenty of people who block all of China, simply to be rid of its many
botnets which run rampant and are hosted by network administrators who don't
respond to abuse requests. I guess Europeans can now experience how it feels
to have parts of the internet made unavailable by whimsical sysadmins.

------
allan_s
Even though this post is sarcastic, people forget that EU residents could
still access you when on vacation or a business trip outside of the EU and that
they certainly already have plenty of data stored from EU residents, so blocking
all European IPs does nothing to help them become compliant.

~~~
snowwolf
This is a common misunderstanding. GDPR makes no mention of citizens or
residents. It just says “data subjects IN the union”

[https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

------
heavymark
While I know they are not recommending this, for everyone who does, this
doesn’t get you off the hook at all unless you are a new site who has never
had EU visitors. Also of course for all the EU citizens in the US, GDPR would
presumably still apply.

~~~
ATsch
Regarding the last point, I'm not sure why this point is still being parroted,
despite so frequently being corrected:

The GDPR applies to any residents of the EU, not EU citizens regardless of
location.

------
gerdesj
The discussion here is getting quite heated. I'm sure no one has missed that
this is a bit of a light hearted piss take.

I was going to go to town on it until I did a quick pre-emptive search but I
had no idea about this being a thing: [https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/451](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/451) \- _451 Unavailable For Legal Reasons_

I'll assume that 451 is designed to be available if a canary might be required
at short notice.

------
jaakl
It is not just Europe and GDPR. You should block users from every single
country where you are not ready to take responsibility to comply with the
local laws. By providing service/content in international scale you are doing
business with real physical people there, regardless of your own or your
server's location. Seriously. So Cloudflare (and all other CDN/web service
providers) should really have country-based opt-in instead of opt-out, so you
at least think a second before clicking the tick.

------
drngdds
Protip: you can ignore the GDPR and get away with it if your business is
located somewhere that the GDPR has a snowball's chance in hell of being
enforced. For example, America

------
belorn
Just curious, but what do the investors think when a company voluntarily
leaves the EU market because it is easier to simply ignore the EU as a market
than to comply with GDPR?

~~~
reaperducer
It all depends on your investors and who your company's target audience is.

If I run a business putting up American flags on people's houses on patriotic
holidays (an actual business in my neighborhood), then ignoring the EU market
is an easy decision because I already was.

~~~
belorn
And if you presented a nice growth graph over American customers with the
implication for expansion over other regions such as the EU, what's the
possibility that some investors considered that potential when they invested?

Like say a software service which I would assume is more common investment
target here rather than flags.

~~~
reaperducer
Your example is a different audience. As I pointed out, it depends on your
target audience. Not every company wants or even needs to do business with the
E.U. in order to be successful. I know that sounds strange to someone in
Europe, and I've never been able to make my Austrian friends understand it,
but it's true. There are millions of businesses from Australia to Alabama and
beyond who don't care about the E.U.

For all its noise and bluster about "500 million customers lost!" the European
Union is still less than 7% of the world. I think most businesses would be
happy to serve the other 93%.

~~~
azernik
But almost a quarter of world GDP.

~~~
reaperducer
I think the rest of the world can survive on the 75%+ remaining.

~~~
belorn
But that bypasses the original question. A company might survive fine on 75%,
but what will investors think when the potential growth is being artificially
cut down to 75%?

I would imagine that the stock market value would take a rather strong dip if
a company proclaimed that their revenue would be cut down to 75%. Investments
and stock options are not only valued by the company's current ability to
survive, but also by speculative value.

~~~
reaperducer
_> what will investors think when the potential growth is being artificial cut
down to 75%?_

You make two mistakes:

1 - Assuming every business has investors. The majority do not.

2 - Assuming every business is suited to a global audience. The vast majority
are not.

~~~
belorn
If you don't have an investor then clearly the question does not apply.
Similarly, if you don't have a company the question does not apply.

"what do the _investors_ think when a _company_ voluntarily _leaves_ the _EU
market_?"

This question has 4 predicates.

1) investors. If there are no investors then there are no investors that can
have an opinion.

2) Company. If there is no company then there are no investors, and since you
have no investors then point 1 applies.

3) leaves. If the company doesn't leave the market then the investors can't
object to the company leaving, so point 1 and point 2 apply.

4) EU market. If the company is not leaving the EU market then the question
about what investors will think about a company leaving the EU market is not
relevant, and thus point 1, point 2 and point 3 apply.

> Assuming every business is suited to a global audience

That was the question. What do investors assume when investing in a software
company such as those Y Combinator investors usually invest in, for which HN is
a forum created by Y Combinator.

------
cynwoody
Holy crap! 1123 comments and the damned article link doesn't work! Might
someone have something to hide?

[http://webcache.googleusercontent.com/search?q=cache:xrEsOXE...](http://webcache.googleusercontent.com/search?q=cache:xrEsOXE4eakJ:https://apility.io/2018/05/25/gdpr-lazy-block-european-users-cloudflare-workers/&num=1&hl=en&gl=us&strip=1&vwsrc=)

Judge for yourself!

------
sriku
Encouraging this attitude is childish. GDPR (which has been around for 2 years
now) is a way for people to say "ok now grow up guys, we know you like to
tinker, but we're getting screwed in ways we don't like and we've given you
enough rope". This post is saying "so just don't sell soylent in the US
because we're too good to bother passing FDA".

No serious and earnest would/should consider this.

Your work affects lives. Period.

------
jakeogh
HN Meta: Is it really necessary to split 1k comments into 5 pages? Many sites
serve a homepage much larger than every comment here on a single page.

~~~
teddyh
It isn’t just to limit page size, it also works as a damper on heated
discussions, as most people won’t read more than the first page, but
comparatively few people stop reading in the middle of a page, regardless of
length.

~~~
jakeogh
I figured that, but I didn't want to make such an embarrassing assumption
about what purports to be a reliable tech discussion site. Especially when I
noticed new comments automatically went to page >1\. Sad, but hey, it's HN's
property.

~~~
teddyh
The position of new comment apparently depends on the commenter’s “karma”.

~~~
jakeogh
Normally, they appear top for a few seconds, but I understand the alg that
takes karma into account, maybe it changed a bit. If it's a thread split into
pages...

------
abiox
So, say I'm outside the EU, and put a project up online, awesome.com. It's
accessible from anywhere (or rather, it doesn't filter traffic), except from
an EU IP. I don't explicitly "target" anyone.

Does the GDPR suggest that, if a "data subject" in the EU accesses my website
without my consent, the EU will view me as subject to its legal system?

------
Bizarro
Clearly, the EU can't enforce or even make laws that apply globally. If you
don't have a presence in the EU the GDPR does not apply to you, period. And
the GDPR doesn't apply to EU citizens outside the EU, period.

But this thread and others just show how people will continually lie when it
comes to the politics of GDPR. And when they don't want to lie, they partake
in whataboutism. Even EU bureaucrats seem to be willing to partake in at least
promoting the idea that it's a global law for their political agenda, when
they know it's not.

I don't know why people continue to lie about the jurisdiction of this law,
when everybody here knows it's not true.

------
erebrus
This might be a silly question, but I'll take the chance to ask it anyway.
What constitutes personal data? More precisely, using FB as example, does it
apply to things like:

1\. where have you been?
2\. what have you liked?
3\. photos you've shared?
4\. comments and posts you've made?

Or is it really just identification details like name, address, etc.?

------
skunkwerk
You need a legal basis for automated decision-making, such as doing
geolocation on a user's IP address (which can be considered PII, as per EU
legal rulings from last year). Which means you cannot block them without first
getting that legal basis (i.e. consent). Therefore, you're in a catch 22.

~~~
segmondy
Rubbish, folks block Africa and China all the time

------
ernesth
Is it supposed to be enough to be compliant with the GDPR? If you have
harvested data from Europe, you are not allowed to sell/transmit it without
informing the concerned party. I feel that to become GDPR compliant this way,
you also have to delete all data that may have come from european residents.

------
ic4l
You do not need Apility to accomplish this.

Here is an example of blocking all EU country codes without using any external
APIs.

[https://gist.github.com/icodeforlove/9d22e44d0f227cb2740fd3d...](https://gist.github.com/icodeforlove/9d22e44d0f227cb2740fd3db4d88af3f)
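
Two comments in this thread point the same way: Exuma's note that a Worker already sees `request.headers.get("CF-IpCountry")`, and ic4l's gist blocking EU country codes with no external API. As an added example, not code from the article, from apility.io, or from any commenter, here is what that looks like in a Worker that answers with the 451 status gerdesj mentions later in the thread. It assumes Cloudflare's `CF-IPCountry` request header (the same header Exuma names, in its documented spelling; header names are case-insensitive), the special values `XX` (unknown) and `T1` (Tor) Cloudflare uses for it, and a member-state list frozen at the May 2018 membership, so GB is in it and non-EU European countries such as CH or NO are not, which is toweringgoat's complaint further down. The decision is kept in a pure function so the policy can be tested without a Workers runtime.

```javascript
// Added example, not from the article or any commenter: a Cloudflare Worker
// (2018 service-worker syntax) that returns 451 Unavailable For Legal Reasons
// to requests Cloudflare geolocates to an EU member state, using only the
// CF-IPCountry header Cloudflare attaches to proxied requests (assumption:
// documented header name; no external lookup service is involved).

// EU member states as of May 2018 (28, including GB). Non-EU European
// countries such as CH, NO or IS are intentionally absent; whether to add
// EEA states is a policy decision, not a geography one.
const EU_COUNTRY_CODES = new Set([
  "AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "ES", "FI",
  "FR", "GB", "GR", "HR", "HU", "IE", "IT", "LT", "LU", "LV",
  "MT", "NL", "PL", "PT", "RO", "SE", "SI", "SK",
]);

// Values Cloudflare uses when it cannot place the client: "XX" for unknown
// and "T1" for Tor exit traffic (assumption based on Cloudflare's docs).
const UNKNOWN_CODES = new Set(["XX", "T1"]);

// Pure policy function: header value in, decision out. failClosed controls
// what happens when the country is unknown: block, instead of the default
// of letting the request through.
function decideByCountry(countryHeader, { failClosed = false } = {}) {
  const code = (countryHeader || "").trim().toUpperCase();
  if (code === "" || UNKNOWN_CODES.has(code)) {
    return { action: failClosed ? "block" : "allow", reason: "unknown", code };
  }
  if (EU_COUNTRY_CODES.has(code)) {
    return { action: "block", reason: "eu", code };
  }
  return { action: "allow", reason: "non-eu", code };
}

// Builds the 451 response. Cache-Control: no-store keeps an intermediary
// from serving the block page to visitors in other countries.
function legalBlockResponse(decision) {
  return new Response(
    `Unavailable for legal reasons (GDPR): request geolocated to ${decision.code}.\n`,
    {
      status: 451,
      headers: {
        "Content-Type": "text/plain; charset=utf-8",
        "Cache-Control": "no-store",
      },
    },
  );
}

async function handleRequest(request, options = {}) {
  const decision = decideByCountry(request.headers.get("CF-IPCountry"), options);
  if (decision.action === "block") {
    return legalBlockResponse(decision);
  }
  // Everything else is passed through to the origin unchanged.
  return fetch(request);
}

// Register only inside a Workers runtime, so the file also loads under Node.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```

Whether unknown or Tor traffic is allowed or blocked is the one choice the header cannot make for you; the default here fails open because a geolocation miss is far more common than a hidden EU visitor, but a site that wants the lazy guarantee the article jokes about would pass `{ failClosed: true }`. And as several commenters note, none of this changes what the site already holds about EU residents.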

------
lima
Some notes:

\- This is insufficient for GDPR compliance. Besides the other points
mentioned in this thread, you also need to delete any data about EU residents
you have already collected.

\- CloudFlare sets a geolocation header, you can probably just use that
without consulting a third party, without adding any latency!

------
joshe
Any recommendations or resources for what micro internet sites should do? I'm
thinking in scale from website with my picture and some software projects on
it, to micro free webservice like uptime checker, to $1 seating chart maker.

Block EU is totally reasonable for all these. Is it necessary?

~~~
olivierduval
No, it shouldn't be necessary.

Because: do you need personal information from users? If yes: why?

Payment & Accounting => allowed ("legitimate use")
Technical Monitoring => allowed ("legitimate use")

And if some user wants to cancel their account: is it a problem (if they don't
owe you anything)??? No? Well... then you'll have no problem

~~~
joshe
Yes but we aren't really sure are we? Like if the ip address gets stored in
some open source logging software, it seems like you need to track it down and
delete it on request. Or do you? No one seems to know.

------
rp36
I worked on the same script using CloudFlare workers just a while ago, if
someone is interested:

[https://gist.github.com/botsplash/bf494ea9e95d945229a0a667a5...](https://gist.github.com/botsplash/bf494ea9e95d945229a0a667a562b0e0)

------
toweringgoat
Your geographic knowledge is poor, and you should feel bad. There are a bunch
of European countries now blocked that aren't in the EU.

(Some of the more famous blocked websites are similarly misinformed, e.g. the
chicago tribune tries to tell me I'm in the EU and blocks me.)

------
jedberg
But this wouldn't even work, because it applies to all EU citizens, regardless
of geography.

~~~
genericone
This is a great point actually... the GDPR law specifically applies to holders
of EU passports. If your website clearly disallows EU citizens, ie: a popup
stating "You are not authorized to access this website if you are, or plan to
become within the next 2 years, an EU citizen", are you being compliant with
GDPR? Or is there simply no way to be GDPR compliant if you store any
personally identifiable data?

I won't get into intentions, but it seems like the law is so broad that it
just allows any EU government to selectively enforce the law and collect fines
from any company they choose...

~~~
jedberg
If you don't do any business in the EU, while you may technically fall under
the law, it would be nearly impossible to prosecute you for it.

But the moment you try to access the EU market....

------
zyngaro
Seems like nobody got the point of GDPR. At its core it's a move to break the US
companies (the GAFAs) Monopoly in Europe and to potentially fine them with
huge amounts of money. The fact that GDPR is actually a good thing for the
users is subordinate.

------
jsjohnst
I’m really getting sick of seeing IP filtering being mentioned in the context
of blocking a specific nationality of person. Do people not understand a
European citizen can travel? Use VPNs? Have an IP that is misreported to the
wrong location?

~~~
castis
Yeah this is basically the equivalent of sticking your fingers in your ears
and going "LALALALALALALALA"

------
gwbas1c
The GDPR comes across as a consequence of businesses not self-regulating
themselves well enough. If businesses weren't so lackadaisical with personal
information; and aggressive with marketing, we wouldn't need it!

------
CryptoPunk
What an utter shame. All of the services that people in the EU now will not
get to use, all because Big Brother doesn't think people are responsible
enough to decide for themselves what data to share with websites.

------
brownbat
Funny that that site announces it's using cookies in a pop-up that blocks much
of the text before a click, per another EU reg.

Not that we got the best UX from that one, where I'm constantly reminded
cookies are a thing, via a large blocking box requiring user interaction, like
a pop-up ad for something I already know and can totally control on my end.

There's a saying about how internet considers censorship damage and routes
around it? Maybe better: the internet considers regulations information, and
anycasts them, regardless of their quality.

China's a bit of a counterexample. Maybe the firewall is bidirectional, keeps
democracy out and censorship in?

Maybe that's the endgame, balkanization. Some people will get to live under
paternalistic maximalism, some under authoritarians hunting dissidents, some
under anarchocapitalism, all dystopias in their own special way. And some of
us will flee to Tor and .onion sites and encrypted signatures where we manage
our own privacy and prevent third parties from auditing our communications.

Edit, "brevity."

------
mamon
Alternative approach by USA Today: an ad- and tracking-free site for EU users :)

[https://eu.usatoday.com/EU-learn-more/](https://eu.usatoday.com/EU-learn-more/)

------
fanzhang
Has anyone noticed that this is brilliant content marketing by apility.io?
Generate a controversial headline, news-jack a current event topic, and then
disclaim at the end to prevent the serious backlash.

------
HumanDrivenDev
The other option - if you have no business presence in Europe - is to ignore
it. It's never concerned that I'm likely breaking the laws of North Korea
every day, for example.

------
bloak
Slightly OTT: Does anyone know why May 25 was chosen as "GDPR day"?

I asked a data protection specialist, a real expert on the legislation, but
they couldn't answer that question for me.

~~~
djhworld
Just a deadline.

Two years ago (14 April 2016) the regulation was adopted, and a 2 year notice
period was put in place so businesses could prepare

That notice period ended today

------
bertolo1988
Nothing will happen to companies outside the EU. You can violate GDPR freely.

There is no possible way they can enforce any law, fine or penalty outside
their borders. They won't even try.

~~~
freedomben
I heard one person say that they were worried about traveling to Europe to
visit if they had any GDPR violations. Do you think that's a valid concern?

~~~
tathougies
The EU or its member countries are free to arrest whoever they want whenever
they want on their own soil, and not face any kind of externally enforceable
sanctions. Best way to avoid being subject to arrest in a foreign country is
to simply not go there.

------
acou_nPlusOne_t
Man, I miss those days before this industry got jumped by all those hijackers.

Imagine if the law was layered, as in - below a certain size, you could get
away with unintentional mischief.

------
jakeogh
Why bother? If you are not in the EU, and you don't have assets in the EU to
seize, it does not apply to you. The EU does not get to make laws for other
countries.

------
ajtulloch
[https://en.m.wikipedia.org/wiki/Capital_strike](https://en.m.wikipedia.org/wiki/Capital_strike)

------
sequoia
Crocodile tears. After facebook, google, cambridge analytica etc. screwing us
all six ways to Sunday, nothing makes me happier than to see greedy
inconsiderate techie "entrepreneurs" kick and scream and cry at regulators
(read: voters) bringing the hammer down. If you didn't want regulators
involved, maybe don't treat users like human garbage? You/we brought this on
ourselves. There is a new Constable in town. Now put on your big girl/boy
panties and deal with it.

Or is handling user data responsibly one of the new "three greatest challenges
in computer science"?

------
SadWebDeveloper
5 USD per month + 0.50 for every 1 million requests my site gets... that's a lot
of money being wasted on a feature that could be solved in another way.

------
kevinr
There's one very important problem with this approach: this blocks people from
accessing your site who are doing so from the EU, whereas the GDPR applies to
EU _citizens_, wherever they access the Internet from.

In other words, an EU citizen residing in and accessing the Internet from the
US has just as much right to invoke the GDPR with these sites as an EU citizen
residing in and accessing the Internet from the EU. Blocking people accessing
your site from the EU does not allow your site to not respond to such
requests.

~~~
Laforet
Do EU laws still apply when a person has physically left EU jurisdiction? I
doubt it. After all, every egg sold in the US would be in violation of EU food
safety laws (and vice versa).

~~~
kevinr
It depends on the law. In the case of the GDPR, it does apply despite the
person not being physically in the EU.

------
sschueller
Go ahead and block the EU. I will clone your business for the EU market and I
don't have to worry about pesky US competition. /s

------
_pmf_
Doing this would be a huge boost to Europe's economy by weaning us off the
teat of Silicon Valley's robber barons. Do it!

------
onetimemanytime
It may make sense. If 4% - 5% come from EU why go through all the hassle and
risk fines? Block them. Unfair to users? Oh well...

------
marcrosoft
Why are people empowering the EU as a one world government by legitimizing
their world wide law? This is flat out dangerous.

------
estevaovix
Not that simple. It doesn’t matter where the connection is coming from, what
really matters is if the person is european.

------
phyzome
More like "GDPR for stupid people"

------
cabaalis
I have a couple of side projects I've been slowly working on toward launch. I
hate to say it, but I am indeed very inclined to simply block EU users until I
can prove the economic viability of the products. There is no personal data
involved except their login credentials and what they type in, and that
information certainly is not the planned source of income. But it simply isn't
worth taking on the liability.

------
k__
Either we get blocked and have the opportunity to build our own alternatives
without legacy baggage.

Or we get better privacy abroad.

Seems a win-win.

------
solotronics
Say you are a small or medium sized business based for example in the US, can
the EU even do anything to you if you don't comply with GDPR? I agree 100%
with people being in charge of their personal data but the US isn't part of
the EU.

------
bengale
Great, let's hope European companies move quickly to provide services for these
users.

------
herbst
I hope people realize that there is a difference between Europe and EU...

------
rsuelzer
On the plus side, the USA Today in Europe is completely ad free now.

------
Fnoord
How does this make you compliant for the data you _currently_ own?

------
l0b0
I for one love the fact that companies I dealt with once who knows how many
years ago are begging me to click a link to "keep in touch." Good bloody
riddance. This is possibly the best privacy news of the Internet age.

------
wjn0
I think some people are missing a real opportunity here. It seems GDPR is here
to stay.

A simple, straightforward guide to GDPR compliance for small to medium size
websites that would otherwise have difficulty complying, including FOSS,
well-executed software extensions that make it even easier:

* Backup compliance

* Database deletion performance improvements

* Legal explanations à la tldrlegal [1]

Haven't done general population-facing web dev for a while, but it seems
fairly straightforward. How to monetize it, if at all, I'm not entirely sure.
Maybe charge a reasonable fee for short consultations which consist of
essentially running down a checklist?

[1] [https://tldrlegal.com](https://tldrlegal.com)

------
kworker
Sadly it's not humorous for many people.

------
kerng
This won't protect you by the way.

------
tener
I think GDPR applies to EU citizens no matter where they are? So while this
will work for most cases, it doesn't really give you immunity?

~~~
gnode
No; it applies to EU residents, and they don't have to be citizens. From
Article 3 (2):

"This Regulation applies to the processing of personal data of data subjects
who are in the Union"

~~~
tener
Does "in the Union" have to mean geographical presence? As far as I can tell it
may mean legal membership?

~~~
azernik
No. It does not. _States_ are members, not individuals. The legal terminology
for citizens is, quite simply, "citizens of the Union".

------
gorm
Actually you are breaking GDPR rules because you are transferring personal
information (the user's IP) to Cloudflare.

------
toweringgoat
Yet another website doesn't know the difference between EU and Europe.

I'm not in the EU. You don't need to block me.

------
pleasecalllater
Or rather: block all EU users because you want to sell the users' data without
informing them about it?

------
xxdesmus
"Page not found"

~~~
logronoide
I don't understand how this post could reach HN just a few minutes after I
published it... Whoever it did, thanks!

I decided to make a little change in the URL (Europeans instead of EU) and
that's why there was a short period of 404 errors before I created the
redirect.

~~~
xxdesmus
working now. :)

------
partycoder
Does not work.

If you already have information on EU users, you may be violating GDPR
anyways.

------
BadassFractal
I thought GDPR applies for EU citizens outside of the EU as well?

------
KempFood
EU laws can be ignored. Block 'em!

Maybe someday they will learn?

------
ChaseHall
I'm so surprised companies are doing this, but also not at the same time.
shocker.

------
qop
Can American businesses actually be sued or anything over GDPR? What if all my
servers are housed in America?

If I have a user agreement that my users agree to, I don't particularly care
what another country thinks about what kinds of privacy they think my users
are entitled to. I would already have a legal agreement in that case.

~~~
azernik
If it is against the GDPR, then it is an _illegal_ agreement in the EU. Non-
enforceable contracts are a thing. You are not allowed to literally sign away
your firstborn, sell yourself into slavery, or accept a job at less than
minimum wage.

Enforceability will generally be based on revenue streams coming from the EU
(oh you want a credit card processed from an EU user? We'll be taking that
money as a payment towards your fine.) If you're a particularly flagrant
violator, they may arrest you if you ever dare set foot on European soil.

~~~
CryptoPunk
> You are not allowed to literally sign away your firstborn, sell yourself
> into slavery, or accept a job at less than minimum wage.

The last item is nothing like the first two. The EU is now going to see the
natural conclusion of a society based on its conception of contract rights.
Digital technology magnifies the effect of everything by several orders of
magnitude, so I suspect we'll see dramatic consequences flow from the law.

~~~
azernik
From a legal perspective, the last is pretty close to the first two. If you
sign a contract saying those things a court will throw it out. End of story.
This is how contracts work in the US too.

Same as how in California non-compete clauses are illegal.

~~~
CryptoPunk
No, it's nothing like the first two. Common law would disqualify the first
two, while certainly allowing the last.

The last is only thrown out by courts because of statutory
interference/intervention in contracts.

~~~
azernik
a) There is no such thing as common law in non-UK Europe.

b) Common law was perfectly fine with slavery until it was outlawed by
statute.

c) Even in the American system, common law is just one more source of law,
alongside statute. Common law prohibits "unconscionable" contracts, but that
doesn't mean statute law is prohibited from prohibiting other kinds of
contracts (which it does _all the time_). Hence the boilerplate "void where
prohibited" language in all kinds of contracts.

------
xstartup
GDPR is set to destroy American tech/media companies along with those from
developing nations.

Europe has got most of its wealth through imperialism back in time robbing
countries of Africa and South Asian countries.

This is the primary reason countries of South Asia/Africa are so poor today.

Before imperialism, most of Europe was poor while countries like China and
India were way richer.

India is just 70 years old by comparison which is not long enough to make back
the lost wealth due to its sheer size and diversity.

Now, American companies are able to extract a huge amount of money from
European nations using mostly legal (maybe unethical?) means through companies
like Google and Facebook. They are set to make this illegal.

It's nothing more than a wealth preservation strategy. European nations can't
compete against America and rising nations (India, China etc...) due to their
aging population in the near future.

So, they are going to shut off the market by making unreasonably harsh laws
which are quite difficult to comply with.

You are finding compliance difficult because it's intentionally part of their
design.

Keep an eye open and expect more unreasonable laws coming out of the EU in the
near future. They are not going to stop here.

~~~
xstartup
Care to explain the downvotes? I would love to know why anyone would disagree
with me.

------
merinowool
How does this check if a user is European when using a US VPN or being on
holiday outside the EU?

~~~
megaman22
It uses its magic crystal ball, while simultaneously consulting a legion of
captive demons to determine this and other similarly unknowable information.

~~~
quickthrower2
Unknowable? It can check your browser footprint and ask Facebook/Google if
you are on holiday.

------
ivanstame
Really guys? As a citizen of Europe I find these posts to be unacceptable. And
they are making it to the front page? Really?

I am very disappointed in all of you guys, just got one thing to say: FUCK
YOU!!!

------
donohoe
You do not have to do that.

Just use _Content-Security-Policies_ to block your pages from loading anything
but safe assets/services.

You will need to politely ask those not using browsers that support CSPs to
switch/upgrade.
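
Added example, not from this comment or the original post: an nginx fragment carrying the kind of Content-Security-Policy described above, which keeps the page from loading scripts or sending requests to any origin but its own. The hostname is a placeholder and the config assumes the site serves all of its assets itself.

```nginx
# Added example (not from the original post). Assumption: every script, style,
# font and image the site needs is served from its own origin, so nothing
# third-party (analytics, ad tags, social widgets) is allowed to load or
# phone home from the page.
server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname

    # Too lax to achieve anything: any origin may supply scripts and receive
    # requests, so trackers load exactly as before.
    # add_header Content-Security-Policy "default-src *; script-src * 'unsafe-inline'" always;

    # Deny by default, then allow only same-origin resources. connect-src
    # 'self' is what stops fetch/XHR/beacon calls to third-party endpoints.
    add_header Content-Security-Policy
        "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
        always;

    # Roll out in Report-Only mode first to learn what an existing page would
    # break. Point report-uri at an endpoint you operate yourself: the reports
    # include the visitor's IP, so sending them to a third party is itself a
    # data transfer.
    # add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report" always;
}
```

CSP only constrains what the browser loads on the page; it says nothing about personal data the server already stores or about what the site's own backend does with it.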

------
wierd0
All of a sudden HN has divided into EU vs US on basic human rights? This seems
odd. I don't think you guys really think there is anything wrong with GDPR,
not in its implementation nor in its sentiment. I really don't. The reason you
are whining like crazy though is because you are in a project where the
deadline/budget did not take into account this new EU law.

Hey, blame the ones who planned your project, not the EU.

