
Ask HN: Has anyone made a GDPR graveyard? - lwansbrough
You know, sites that are shuttering because of the risk/burden GDPR is placing on them. I've seen a few so I'm wondering if anyone is compiling a list. Such a list would be politically _really bad_ for politics in the EU, I think.
======
svennek
Why?

The GDPR is made to protect people from unscrupulous companies and practices.

Not all companies are good citizens (Cambridge Analytica comes to mind), and as
a European I say "Good riddance".

For normal companies doing normal things with their data, the effort is mostly
documentation and good-willed "try to abide by the rules".

If you followed the spirit of the pre-GDPR rules, you would almost certainly
be compliant without much work even for the GDPR - at least here in Denmark.

But if your business is exploiting data you collected with questionable
methods - then yes, you are going to have a problem...

I would also like to see the graveyard site, mostly because I would then have
something to point to when showing that the GDPR works as intended...

~~~
lwansbrough
> The GDPR is made to protect people from unscrupulous companies and practices.

This ignores the vast amount of legislation that creates an enormous legal
burden for small companies.

> Not all companies are good citizens (Cambridge Analytica comes to mind), and
> as a European I say "Good riddance".

Not all companies in violation of GDPR are bad or negligent.

> For normal companies doing normal things with their data, the effort is
> mostly documentation and good-willed "try to abide by the rules".

> If you followed the spirit of the pre-GDPR rules, you would almost certainly
> be compliant without much work even for the GDPR - at least here in Denmark.

Until someone sues you and you have to prove that.

> But if your business is exploiting data you collected with questionable
> methods - then yes, you are going to have a problem...

Quite often, data can be both in the "public interest" (not the definition
legally defined by GDPR, just that there's no reasonable expectation of
privacy by the data creator) and "exploiting" -- such as data derived from
pseudonymous sources but could be argued as PII, even though practically
speaking, it isn't really.

> I would also like to see the graveyard site, mostly because I would then
> have something to point to when showing that the GDPR works as intended...

Most of the sites I've seen that are dead-by-GDPR are small businesses that
weren't doing anything any reasonable person would be against, but a single
takedown request could be over-burdening for them to respond to as it may have
merits by the letter of the law.

~~~
svennek
If you are a European company, most of this stuff has been the law for
decades!

Running a project/company means taking on risk. Financially and otherwise. Why
is data-care risk so much worse?

And suing is only going to happen in the US. In Europe getting sued is
extremely rare. I expect most DPAs (gov bodies handling this) start out with a
kindly worded letter. You comply, nothing happens. (Most other legislation
works this way in Europe already). Fines are mostly for repeat offenders or
clearly black sheep.

In the US, who knows... Most Europeans are baffled by the courts and cases in
the US. But I think US companies have to be handled by an EU DPA anyway, so
we are back to the letter again..

I run a small company (two employees) and I am not concerned. I know a lot of
small companies, they are mostly not concerned. I know a few larger companies,
they are not concerned (unless they have data handling as their main
business).

My own work in this has been somewhere in the neighbourhood of a workweek. Not
any worse than complying with tax-law...

There is also no "automatic 20M euro fine". Most matters are likely handled by
a kindly or sternly worded letter, or a small fine (in the 5-20k EUR range
for small companies), which sucks but shouldn't kill you....

~~~
Mirioron
You're very naive about this situation. Just because the possibility legally
exists already means that you're taking this into account when calculating
risk.

Also, EU tax-law is one of the reasons that small digital businesses have
suffered in recent years. The VAT fiasco was very poorly handled and it's
still ongoing.

~~~
svennek
What?

(disclaimer: I don't sell services outside a few countries)

There is a solution called One Stop VAT where all communication and reporting
goes to your home country (given you are an EU company).

All your taxes are then calculated at your local rate (as I understand it),
except for companies with a valid VAT number, where reverse tax is standard
(i.e. zero-rated tax).

[https://europa.eu/youreurope/business/vat-customs/moss-schem...](https://europa.eu/youreurope/business/vat-customs/moss-scheme/index_en.htm)

------
dvfjsdhgfv
> Such a list would be politically really bad for politics in the EU

Why so? I'd be happy to see such a list of shame. You know, companies already
quoted here on HN as "clearly unable to get the consent" (of the people whose
data they're processing). Let's see who they are and what they were doing.

~~~
Boulth
Exactly this. Companies shutting down make it look like a bully GDPR made them
do it, but then HN commenters indicate that these companies' primary business
was selling customer data:

> Streetlend made its money by selling your privacy data to advertisers
> through Amazon.

Source:
[https://news.ycombinator.com/item?id=16955709](https://news.ycombinator.com/item?id=16955709)

~~~
yehosef
The founder claims this wasn't true.
[https://news.ycombinator.com/item?id=16956549](https://news.ycombinator.com/item?id=16956549)

AFAIK, slander is still a problem in some parts of the world.

------
downandout
Here are a few stories about sites/services being shut down... I expect the real
deluge won't happen until after it takes effect.

StreetLend.com -
[https://news.ycombinator.com/item?id=16954306](https://news.ycombinator.com/item?id=16954306)

Super Monday Night Combat - [https://www.polygon.com/2018/4/28/17295498/super-monday-nigh...](https://www.polygon.com/2018/4/28/17295498/super-monday-night-combat-shutting-down-gdpr)

Tunngle - [https://www.tunngle.net/en/](https://www.tunngle.net/en/)

Ragnarok Online - [http://massivelyop.com/2018/04/26/ragnarok-online-shuts-down...](http://massivelyop.com/2018/04/26/ragnarok-online-shuts-down-in-europe-due-to-new-regulations/)

Verve - [https://adexchanger.com/mobile/verve-closes-european-busines...](https://adexchanger.com/mobile/verve-closes-european-business-thanks-to-gdpr/)

SteamSpy -
[https://www.reddit.com/r/pcgaming/comments/8bdkuz/steam_sale...](https://www.reddit.com/r/pcgaming/comments/8bdkuz/steam_sales_tracker_steamspy_will_no_longer_be/)

~~~
guitarbill
SteamSpy is disingenuous in that yes, they can't scrape people's Steam
profiles anymore because they're now private by default. That change could
have come at any time, and in fact you've always been able to make profiles
private [0], but probably the default is a result of the GDPR.

This is more of a result of their shaky business model than the GDPR. And
nothing in the GDPR is preventing Steam from publishing anonymized game stats
via an official API, or for people to make their profiles public again, or
SteamSpy collecting this data with consent some other way.

[0]
[https://support.steampowered.com/kb_article.php?ref=4113-YUD...](https://support.steampowered.com/kb_article.php?ref=4113-YUDH-6401)

------
kilian
Beyond all the "why" questions, here's an actual company blocking the entirety
of its EU userbase: Warpportal/Ragnarok

source:
[https://forums.warpportal.com/index.php?/topic/235548-import...](https://forums.warpportal.com/index.php?/topic/235548-important-notice-regarding-european-region-access/)

------
panarky
A GDPR graveyard? Let's make it interesting and start a GDPR deadpool.

------
SyneRyder
I'd be interested in this, though I don't think it will have any political
impact. Here is one person deleting their personal blog's comments & (already
confirmed/double opted-in) MailChimp list as the easiest way to stay GDPR
compliant:

[http://alastairjohnston.co.uk/oh-gdpr-what-have-you-done/](http://alastairjohnston.co.uk/oh-gdpr-what-have-you-done/)

~~~
guitarbill
That's because his blog is full of JavaScript shite, including something that
prevents me selecting the text, or right-clicking.

> "what I can’t be sure of is what happens to data that passes through the
> various apps, WordPress plugins, cookies etc that are part of this blog, but
> not controlled or run by me."

This is a dumb argument, it's his personal blog, it's controlled by him. That
includes how much JS and social media trackers to stuff into each page.

With comments, it's easy. Somebody wants you to post the comment, which is why
they submitted it. No extra consent needed, although maybe they'll want it
deleted in future. Of course, an email address is required to post, but "it
will not be published". Why exactly is it required then?

~~~
SyneRyder
> _With comments, it's easy. Somebody wants you to post the comment, which is
> why they submitted it. No extra consent needed..._

No, that's the point - consent is required for that. And for the consent to be
explicit, some are advising it needs to be a Modal blocking dialog that
prevents the user from using any other part of the website before dealing with
it, and that demonstrates the user did actually scroll through all the privacy
terms, not just ignored them and clicked the checkbox.

> _This is a dumb argument, it's his personal blog, it's controlled by him.
> That includes how much JS and social media trackers to stuff into each page._

That's fair. I know I've personally been deleting Google Fonts and Adobe
Typekit and hosting my own webfonts instead as a result of this. I'm still
figuring out how to best replace Google Analytics, and looking to remove any
Twitter & YouTube embeds I had in old posts that could possibly track
visitors. (I agree that is all a good outcome of GDPR.)

~~~
guitarbill
I'd say posting somebody's comment they want posted qualifies as legitimate
interest, and therefore doesn't need consent. What other reasonable
expectation could a person have that you'd do with that information? No need
to overthink or overengineer this.

~~~
SyneRyder
My understanding is that's not sufficient. Here's where I personally got very
worried (sorry this is so long):

MailChimp recently sent out an email to their customers advising that all
their current HTTPS Submit forms are not GDPR compliant. They're rolling out
all new submit forms in May that have legalese that must be explicitly agreed
to, in addition to the Email field & Submit button. It's a Modal blocking form
so the visitor can't possibly do anything else.

Here is an example of their new modal submit form, it's a doozy:

[https://kb.mailchimp.com/binaries/content/gallery/mailchimpk...](https://kb.mailchimp.com/binaries/content/gallery/mailchimpkb/common/lists/signup-forms/gdpr/gdpr_mktgperm.png)

I don't do any "customized ads" or "direct mail", but apparently that
boilerplate of legalese and "we use your email address to send you email, tick
here to confirm you want email" is still required. It's a bit like the Cookie
notifications all over again.

I realize I haven't directly responded to your blog comment submit button, but
I hope this explains the motivation / understanding behind my comments here. I
too would have thought an email field & submit form would be a reasonable
expectation, but the form designed by MailChimp's lawyers is _way_ more
legalese & boilerplate than I ever anticipated would be required by GDPR.

(Honestly, I do also get the comments here about "you're not going to be
caught or made an example of so don't worry" too. In practice I will do what I
can to be compliant, listen to what my visitors & customers want, and hope for
the best.)

~~~
guitarbill
Of course it's fucking sufficient, that's literally the definition of
"legitimate interest" [0]. I write comment. I want you to publish comment. You
publish comment, and don't spam me - maybe even don't require my email.

If you say, "hey, provide your email, and I'll send you newsletters and you
can unsubscribe at any time", and I say "sweet, sign me up", and then you only
send me newsletters with no tracking or adtech, that's legitimate interest.

If you use a third party, if they store only the minimum necessary and don't
use it for anything else, that'd be fine too. E.g. obviously they need my email
address, but only for sending the emails.

And if Mailchimp were decent, they'd just send out plain emails. The problem is
probably their emails are full of tracking links and other adtech garbage, and
who knows who they sell info on to?

Then again, they call themselves a marketing platform, not a newsletter
service, or email sender. Kind of obvious.

Also, that's a shitty dialog. Mailchimp's privacy policy and terms are
probably largely void under EU law anyway, just by being almost
incomprehensible to the lay person. How am I supposed to give consent freely
when it would take days to read? Probably best to avoid Mailchimp. Thanks
GDPR!

Edit: ordering

[0] [https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/)

------
nickpp
Honest question: can anybody predict if Google Analytics is going to be on the
list?

Because as interpreted today, GDPR compliance for google analytics on any
website would simply kill the UX for the first-time visitor of that website.
Which is pretty much the most important UX for any website...

~~~
nfoz
Then those websites should stop using Google Analytics, which DOES violate
their users' privacy unless there is informed consent about what it's doing.

~~~
nickpp
1) You do realize those sites are pretty much 99% of the web, right?

2) Those sites used GA to statistically analyse and understand their user
base, in order to better serve them. How do you propose to do it instead? How
to find out what was a bad redesign? A bad landing page? How to understand a
conversion ratio? The churn?

~~~
nfoz
1) 99% of websites are secretly sharing their users' identification and
browsing habits with a single multinational advertising company. Yeah, let's
shut that down as emphatically as possible.

2) You can write a book without tracking my every page-flip. You can write a
desktop app without phoning-home and tracking my usage. You can operate a
store without secretly selling my shopping habits and purchase information to
other companies behind my back.

Do something honest, or don't do it at all.

~~~
nickpp
Have YOU done it or are you talking from your imagination?

Analytics and statistics are in every modern developer's tool belt. Because
they ultimately benefit users.

------
matthewmacleod
I am _absolutely speechless_ about the number of people who seem to consider
data protection to be an unreasonable burden for a company. Complying with
GDPR is pretty straightforward:

- Don't keep data unless you have to

- Get explicit consent for keeping data

- Keep the data you have secure

- Allow users to see their data and know how it's used

- Allow users to delete their data

This is in line with regulation in other fields: worker rights, food hygiene,
health and safety etc.

I look forward to seeing your list, because it will be a list of _companies
you are lucky you will never transact with_.

~~~
huhtenberg
Is a visitor's IP address "data"?

If yes, you can't have a web server log.

~~~
DanBC
An IP address is only personal data if you can link it with other stuff to
identify a natural person.

If your weblogs are used to prevent crime (fraud, for example), you're allowed
to keep them.

People are making the mistake of thinking that "user permission" is the only
reason you can keep data, but that's not true.

~~~
megaman22
How far does this go, though?

For example, on my silly little blog, I've got logging for each HTTP request
that records the URL hit, the IP address, and a browser user agent. I can
trace that session through, and have a pretty good fingerprint of that user
from that alone. If that person goes and sends me an email or leaves a comment
with some tidbit of information that correlates (name, where they are from,
email, what post they were reading, etc), have I now accidentally collected
enough information that it violates GDPR?

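The linkability megaman22 describes (a raw IP plus a full user agent string tied to a session, later correlated with a comment) is exactly what DanBC's "only if you can link it" test turns on. A common defensive answer is to pseudonymise the access log at write time: zero the host part of the address and collapse the user agent to a coarse family, so the stored record can no longer single out one visitor while still supporting traffic stats and abuse monitoring. The code below is an added example written for this thread, not code from any commenter or project; it assumes the nginx/Apache "combined" log format, and the three log lines it processes are constructed for the example (documentation IP ranges, hypothetical paths).

```python
"""Pseudonymise web server access logs before they are retained.

Added example for this discussion; not code from the thread or any project.
Assumes "combined" log format: client IP first, user agent as the last
quoted field. Sample lines are constructed (RFC 5737/3849 addresses).
"""
import ipaddress
import re

# Constructed sample input in "combined" format (hypothetical requests).
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:12:01:07 +0000] "GET /post/hello-world HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
2001:db8:1234:5678::9 - - [10/May/2018:12:01:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.7 - - [10/May/2018:12:02:11 +0000] "GET /feed HTTP/1.1" 200 880 "-" "curl/7.58.0"
"""

# First whitespace-delimited field is the client address; the final
# double-quoted field is the user agent. Everything between is kept as-is.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>.*) "(?P<ua>[^"]*)"$')

# Order matters: Chrome UAs also contain "Safari", so Chrome is checked first.
UA_FAMILIES = ("Firefox", "Chrome", "Safari", "curl")


def truncate_ip(ip_text: str) -> str:
    """Zero the host part of the address: keep a /24 for IPv4, a /48 for IPv6.

    The result still identifies a network (useful for rate limiting and
    abuse investigation) but no longer a single subscriber.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def coarse_user_agent(ua: str) -> str:
    """Reduce a full UA string to a browser family, dropping version/platform.

    Version and OS details are the high-entropy parts of a fingerprint;
    the family alone is enough for "which browsers do my readers use".
    """
    for family in UA_FAMILIES:
        if family in ua:
            return family.lower()
    return "other"


def pseudonymise_line(line: str) -> str:
    """Rewrite one combined-format log line with a truncated IP and coarse UA."""
    m = LINE_RE.match(line)
    if not m:
        # Refuse to pass through lines we cannot parse: a silently retained raw
        # line would defeat the purpose of the filter.
        raise ValueError(f"unrecognised log line: {line!r}")
    return f'{truncate_ip(m["ip"])} {m["rest"]} "{coarse_user_agent(m["ua"])}"'


def pseudonymise_log(text: str) -> list:
    """Pseudonymise every non-empty line of a log file's contents."""
    return [pseudonymise_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for out in pseudonymise_log(SAMPLE_LOG):
        print(out)
```

Run it as a filter between the server and the log file (for example, piping the server's log stream through it) rather than as a later clean-up pass, so the raw addresses are never written to disk in the first place; pair it with a short retention period for whatever still needs the full address, such as a fraud or abuse investigation.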
~~~
PuffinBlue
What do you mean 'violates GDPR'?

GDPR doesn't necessarily make having such info illegal. It's more what you do
with it and how you inform and allow the individual to control/delete it.

------
originalsimba
This is a brilliant idea. If it doesn't exist already I hope someone puts one
online; a simple WordPress page using a twentysixteen or twentyfifteen would
suffice.

Or even a github page with just a list.

[UPDATE] I took the liberty to get the ball rolling.

[https://github.com/killed-by-gdpr/killed-by-gdpr.github.io](https://github.com/killed-by-gdpr/killed-by-gdpr.github.io)
and

[https://killed-by-gdpr.github.io/](https://killed-by-gdpr.github.io/)

Contributions welcome.

~~~
svennek
www.geocities.com ;)

------
dingo_bat
The biggest problem is figuring out what things won't even exist because of
this overreaching and ultimately pointless law.

