
Publishers Haven't Realized How Big a Deal GDPR Is - transpute
https://baekdal.com/strategy/publishers-havent-realized-just-how-big-a-deal-gdpr-is/
======
michaelbuckbee
GDPR articles seem to be getting some traction on HN as everyone is trying to
figure out: "Do I need to do something for this? Is so, what?"

For a recent project I read (and translated to plain english) [1] every single
article in the GDPR legislation and for our purposes it can be summed up as:

"Treat user data like names and emails as if they were credit card numbers"

AKA: be paranoid about keeping them, encrypt them, use SSL on your site,
respond to requests from people if they ask if you have them, fix them if
they're wrong, don't use them if they say you can't.

Obviously that's not the entirety of it, but as a working mental model I think
it goes a long way.

1 - [https://blog.varonis.com/gdpr-requirements-list-in-plain-
eng...](https://blog.varonis.com/gdpr-requirements-list-in-plain-english/)

~~~
downandout
Honestly, the best thing to do if you don’t have a high percentage of EU
users/customers is to simply block EU IPs. First it was the completely useless
cookie notifications, now it’s GDPR, and nobody knows what the next thing will
be - we only know that there _will_ be a next thing (there always is), and
that it too will be costly and burdensome to comply with. Unless you derive a
significant percentage of your revenue from EU users, it just isn’t worth it
to try to keep up with the increasingly demanding whims of a heavy-handed
European government.

~~~
Kelbit
The EU has a population of over half a billion people and a GDP per capita of
$41k PPP (although those numbers will shrink a little bit post-Brexit).
Ignoring Europe as a potential market ignores half the western world - and it
is westerners, for the most part, who have disposable income to spend money on
goods and services.

Ignore Europe if you like. Just be aware that you are allowing your
competitors to gain an uncontested foothold without having to fight for it.
Once they are the incumbent in the European market, they will be hard to
unseat, even if you change your mind later.

~~~
downandout
There are thousands of types of sites, such as geographically focused message
boards, local professionals, smaller ecommerce sites, etc. who are exposed
under the GDPR but for whom EU traffic is incidental and worth nothing. A US
plumber doesn’t need or want appointments in London, but is technically
exposed under the GDPR. So for businesses like this, blocking EU traffic
should be an easy decision - there is no downside.

~~~
zorked
IANAL but I believe the GDPR is tolerant of incidental traffic. So if an
European accesses a local job board in South Korea, the EU will not go after
the Korean company and demand compliance. Now if said Korean company is
running a job board for Berlin, in German, charging in Euros, etc. it's a
different story.

~~~
downandout
That, along with many other parts of the GDPR, is both open for interpretation
and may vary from country to country within the EU. See
[https://aristilabs.com/how-the-gdpr-apply-to-your-us-
based-c...](https://aristilabs.com/how-the-gdpr-apply-to-your-us-based-
company-how-the-eu-can-fine-us-companies/)

------
rossdavidh
In fact, I think the author is underestimating the impact, right here: "Of
course, making this change will have a dramatic impact on your revenue for
single-visit traffic, because you basically have to design your ad model to
work completely differently from how it works today."

No, it will basically make a newsmedia site unprofitable. I think it is the EU
that has not fully thought this through. Most of the news industry is already
sickly, financially, and they mostly have no model other than advertising
(with a very few exceptions). The reason all this data got collected, was to
try to make the advertising valuable enough that they could sell it. It may be
that it never really worked, but it sure won't work without it. I think either
the EU will backtrack on this once they see that Google and Facebook can
easily force people to consent (because people consider those websites too
valuable to do without), but most other advertising-supported media cannot; or
they will see that the long-term impact of this is that it accelerates the
current death spiral of newsmedia, as all ad spending goes to Google and
Facebook and almost no one else.

I leave it as an open question as to whether this would be a good or bad
thing.

~~~
beojan
> No, it will basically make a newsmedia site unprofitable. I think it is the
> EU that has not fully thought this through. Most of the news industry is
> already sickly, financially, and they mostly have no model other than
> advertising (with a very few exceptions).

We have publicly funded broadcasters in most EU countries. The ad-supported
news sites, on the other hand, are generally doing more harm than good.

News outlets existed before the web, so they're not going to be threatened by
breaking the ad-supported website model. If anything, the traditional
newspapers will be saved by this, because if free online news disappears,
people will start buying newspaper subscriptions again.

> I think either the EU will backtrack on this once they see that Google and
> Facebook can easily force people to consent

They can't. The consent has to be for a specific purpose.

~~~
davidcbc
You don't see the potential problem if the only media that is able to exist is
that which is state sponsored?

You may be happy with the state sponsored options now, but will that always be
the case? Would you feel the same if you living in the Soviet Union or Germany
circa 1940?

~~~
martin_bech
How is CNN, Fox News and the sinclair group, working out for you guys?

I trust state paid media in the EU, way more than any US news media.

The reason why most EU countries have state paid media, is so that its non
commercial, non partisan, and cant be bought. There are different principles
in place, so government has no say, in what is broadcast/not broadcast. This
also means that all political parties get the same amount of exposure etc.

~~~
saryant
New York Times, Washington Post, Boston Globe?

Those are three publications that have sent shockwaves around the world with
their privately-funded investigative journalism.

~~~
beojan
Absolutely, and they would benefit from the end of ad supported, low quality
but free online news. All three are subscription funded.

~~~
saryant
40% of NYT's revenue comes from ads.

[https://www.nytimes.com/2018/02/08/business/new-york-
times-c...](https://www.nytimes.com/2018/02/08/business/new-york-times-
company-earnings.html)

~~~
beojan
That article is literally about 60% of their revenue being from subscriptions.

------
mlinksva
> Today, for instance, we see that a majority of people who install an ad
> blocker don't actually do it to block ads (that's just an added bonus). They
> are actually doing it to block tracking.

Is there any evidence for this at all?

~~~
feedmeseymour
Every person I know that uses an ad blocker (5, including myself) does it to
prevent tracking.

In fact, I want to white list certain websites (a dozen or so) to continue
seeing ads, but I don’t want to because I know that they are likely using
Google for their ads and I don’t want Google’s little grabbling hands tracking
me.

~~~
gambiting
I work in IT and I don't know anyone(myself included) who uses ad blockers to
block tracking. It's just about the annoying ads for me.

------
gonmf
"If you look at what is happening around us, you can see very clear signals
that the public has had enough."

No, outside of a few echo chambers, no one cares about privacy or knows what
GDPR is. Until GDPR shows everyday on the evening news for weeks it will not
be well-known, and there are many things more important to most people than
online privacy. Heck, Cambridge Analytica was only a scandal because the "bad
guy won".

~~~
TeMPOraL
> _Until GDPR shows everyday on the evening news for weeks it will not be
> well-known_

I think we've crossed that point few months ago in Europe. Last year I felt I
was probably the only one of my real-life friends who even knew what GDPR was.
These days, I see streams of articles about it on social media, aimed at non-
technical people. Hell, last week my SO told me she started receiving GDPR-
related e-mails at work from companies that are in business with her place.

I feel people do know. Unfortunately, I also fear they only think of it as yet
another random EU regulation thing, and not realize the benefits it'll bring.

~~~
PeterStuer
In which EU? :) Over here (Belgium), there has been a lot of talk in business
fore (which are only frequented by a specific minority of companies), but in
the general press I can't even recall seeing a single article. Even with those
'in the loop', the attitude is mostly 'wait an see', 'who is going to work on
enforcement (the regulators haven't expanded), and 'maybe it will be another
cookie-law (meaning a much hyped 'the sky is falling' regulation which turned
out to be we'll install a component that handles the implicit 'ok' click and
be done) and 'you never get a fine the first time, so why be proactive?'.

------
PeterStuer
There is a huge long tail of SME 'website owners' that have no idea what they
are in for. These sites are often developed/maintained by very cheap labor
(students/off-shored etc) and sprinkled liberally with all sorts of 3rd party
analytics/counters/share-buttons etc etc.

Not only do the site owners not even know that the site contains these things,
if they do, they don't even realize the extent of data collection going on. I
had a chat this morning with an owner like that. The site runs GA (they didn't
know), the site runs ShareAholic (which they said wouldn't be a problem as
they only use it to see in aggregate where their site visitors come from).

They never made a distinction between what data their site provides to these
services through scripts or cookies, and what they themselves then get/use
through the service provider.

This is not a special case. There are probably millions of these little
business sites out there.

------
Animats
It's even bigger than that. It's been mentioned on HN before, but see the
"GPDR Letter."[1] Anyone in the EU can send you such a letter, and you have 30
days to reply.

 _Please confirm to me whether or not my personal data is being processed. If
it is, please provide me with the categories of personal data you have about
me in your files and databases._

 _a. In particular, please tell me what you know about me in your information
systems, whether or not contained in databases, and including e-mail,
documents on your networks, or voice or other media that you may store._

 _b. Additionally, please advise me in which countries my personal data is
stored, or accessible from...._

 _c. Please provide me with a copy of, or access to, my personal data that you
have or are processing._

 _2\. Please provide me with a detailed accounting of the specific uses that
you have made, are making, or will be making of my personal data._

 _3\. Please provide a list of all third parties with whom you have (or may
have) shared my personal data._

Then, once you've replied, they can request deletion of any or all of that.

[1] [https://www.linkedin.com/pulse/nightmare-letter-subject-
acce...](https://www.linkedin.com/pulse/nightmare-letter-subject-access-
request-under-gdpr-karbaliotis)

~~~
kasey_junk
You should note that lots of what that letter suggest it has rights to, are
not rights granted under GDPR. Or at least would be subject to legal
clarification.

If you send that letter, expect to receive a standard response/report of data
with a form response that politely & legally amounts to “piss off”.

Large organizations have considerable resources set aside to make sure their
“piss off” letter is legally defensible & GDPR compliant.

That letter is likely only a problem when selectively used by a malicious
actor against a small organization. Frankly not the kind of org that is
systematically tracking personal data.

~~~
dmix
> That letter is likely only a problem when selectively used by a malicious
> actor against a small organization.

Which is what is so annoying and economically destructive about regulations
like these that are broadly applied to all companies, especially on the
internet where single person companies are very popular. They are designed in
a vindictive way against large companies like Facebook or major online
retailers who burned customera due to minimal information security investment.

But they so often ignore the reality of the burden it places on small firms
who account for 90% of businesses and 50% of employment, who cant afford
lawyers or the legal risks of a 'piss off' letter.

The western economic environment countinually gets more and more structured
favouring large firms, encouraging large scale merging, which usually
generates the type of large oligopoly companies who most often does the things
that cause regulations to get created, then imposed on smaller firms.

If Japan's economy is any indication we do _not_ want to state heavy economy
where big companies are the only sanctioned winners and smaller companies are
heavily disincentived by the state (whether indirectly, by side effect, or
overtly).

If not having these laws created isnt an option (seemingly impossible in an
administrative heavy org like EU), I then hope someday these regulation start
being structures like progressive income tax using size minimums or are
contained to specific industries where it's clearly a problem (both of which
would apply well to minimum wage laws for example). So laws are pinned
directly to a specific problem area justifying the heavy-handed state
intervention, not just blanket laws on everyone.

~~~
molf
For most smaller businesses there is no real reason to do all that much as
long as you can answer such questions on an ad-hoc basis. Although of course
we still have to see how widespread it will become in practice.

Basically you need to make sure you 100% know what data you collect (including
any third parties) and make sure you have a good reason to collect it.

Honestly most of GDPR should be considered "common sense". It's just that many
corporations actively act against the interest of individuals they collect
data on, and it's precisely these practices that GDPR tries to correct.

~~~
Silhouette
Unfortunately even if you're already handling personal data responsibly, the
GDPR still also requires that you be able to provide various documented
policies to your regulator on demand, still contains lots of ambiguity about
how far subject rights can go in practice, still imposes obligations to
include lots of extra detail in privacy policies or otherwise provide lots of
information and active warnings to data subjects, etc.

~~~
ryandrake
How about, “Our documented policy is to not collect personal information from
users at all.” Assuming it’s true, wouldn’t that be compliant?

~~~
kasey_junk
GDPR also expands what is personal data to include things that are collected
as a matter of course such as IP address.

You likely have a reason to log that data but GDPR requires that you document
it.

Further it reaches into your business even if you aren’t trying to do business
in the EU, as EU citizens can come to your site without your control.

There is a lot to like with GDPR but it absolutely is expansive & easy to have
many interpretations.

~~~
ryandrake
Maybe these things shouldn’t be collected as a matter of course. Should web
servers log client IP addresses by default? Why? Does my mail server need to
log email addresses of incoming mail by default? “Logging all the things” as
default behavior really needs to be a thing of the past.

If anyone wants to get their feet wet in open source, there are thousands of
high profile projects out there that could use a patch to scrub PII from their
logging, and these are probably simple diffs.

~~~
merinowool
What if you have a forum and users of that forum commit a crime, police asks
you to give up their data and you say you don't have any data?

~~~
wadkar
> you say you don’t have any data?

And what’s wrong in telling the truth to the police? Sounds great to me. Also,
see how signal responds to such requests.

------
captain_murdock
> we see that a majority of people who install an ad blocker don't actually do
> it to block ads (that's just an added bonus). They are actually doing it to
> block tracking.

This line severely damages the credibility of the article. I found the article
interesting up until I read it. I stopped reading once I read it because I
couldn't trust anything else the author says.

I highly doubt this statement is true. It may be true in very privacy-focused
circles and amongst some circles of IT professionals, but I highly doubt it is
true for the population.

If you make a statement this left-field, you've got to back that up with
credible research and I highly doubt that statement was based on any credible
research.

~~~
Etheryte
While I agree with you that the given statement is nonsense, I don’t think the
reasoning to stop reading is sound. It’s safe to say that every author has an
agenda of some sort, be it personal, business or otherwise, and you can’t and
shouldn’t inherently trust them. But at the same time I don’t see that as a
reason to not read what they write – healthy scepticism goes a long way.

------
Rjevski
My takeaway from the whole GDPR craze is that if you respect your users and
have some ethics as to how you process their data then you don't have much to
worry about to begin with.

If you are an asshole that's trying to get as much data off your users in
order to resell them to the highest bidder, share it with "partners" (partners
in crime that is), or to advertise/spam them with shit they don't need, then
frankly you (or your industry) asked for this themselves.

The only downside I see to GDPR is that we've now opened the gates for a new
breed of "GDPR consultant" that's gonna charge hundreds an hour just to rehash
what the law says in a slightly different way and defraud businesses that way
by pretending to be a valuable service (and no doubt there will be clueless
execs that'll actually believe it and pay for that).

~~~
ec109685
Do you have any citations for this belief? The law is pretty explicit that you
need consent to collect data from users, they need to be able to view what you
collected and they need to be able to delete it.

Are you hoping that nobody notices that you aren’t complying?

~~~
TeMPOraL
The point was that "if you respect your users and have some ethics", you're
likely already almost entirely compliant with GDPR.

~~~
ec109685
That's not true.

~~~
ionised
How informative.

~~~
ec109685
Please read the grand parent comment. If you collect data that can be tied to
the user using your app/site (e.g. create a session and store the id as a
cookie), you need to get consent for that. On top of that, the user should be
able to view and remove the data you have collected for them.

------
mgiannopoulos
The author claims that for one-time visitors you're not supposed to have any
3rd-party tracking code but uses Google Analytics which Ghostery counts as a
tracking code. How's that going to work out for practically every site in the
world?

~~~
ec109685
The author is wrong.

You just do what google does and ask for consent before providing access to
the site. The user doesn’t need to log in to consent. Once consented, the site
can set a cookie. Then that user becomes part of your “Full interaction users”
bucket.

~~~
r00fus
What if they don't consent? Will you have not do analytics for that user? You
can't block that user as per GDPR if they are simply answering no to the
consent.

~~~
mgiannopoulos
You can argue that GA is critical to the existence of the site, so you are
allowed to block non-consenting users. I hope anyway :)

------
asadkn
Thanks EU, we'll have more popups than ever that everyone's going to agree out
of habit.

It's not fun seeing a popup on every site you visit. This should have been a
brower-based implementation globally that every site must adhere to.

Even worse for me, I browse exclusively in private/incognito mode and this is
going to make that unusable with consent popups on sites on every visit.

~~~
return0
> This should have been a brower-based implementation globally that every site
> must adhere to.

This. if EU actually cared enough, they 'd go to the browser vendors to
enforce some basic prompts on tracking and forms, and it would be better than
gdpr because it would work for everyone from day 1. This law will bring a few
more prompts and not much else (because most services can be provided with
slight changes like hashed ips).

Cookie prompts on every site you visit on your slow-ass phone connection are
really really annoying and should go away. But americans don't protest about
them because they don't see them and europeans are , well, sheepish.

~~~
detaro
Or the tech industry could decide that'd be useful to have and implement it.
They could put it in a HTTP header with a nice name, maybe "do not track", and
don't bother people activating that with tracking or prompts. Oh wait...

How many websites are doing that? How many choose "let's bother our users"
over respecting their stated preference?

------
borne0
I've had to deal with this at work (anticipatory only so far), but what I
can't seem to figure out is what the inquiring European needs to provide to us
to prove that the data we have is actually theirs. We don't capture pii data
in most instances, so if someone requests their info under GDPR and provide us
an IP and a time do we take them at their word?

~~~
mtremsal
There's clear language in the regulation on the obligation to validate the
identity of the data subject.

How to do that in a satisfactory manner... leading practices might take a few
months to crystalize.

------
p49k
> I have yet to see any publisher who is actually changing what they are
> doing. Every single media site that I visit is still loading tons of 3rd
> party trackers. They are still not asking people for consent...

I’m pretty sure the reason for this is that they know that the day they switch
over to GDPR compliance, their ad revenue from EU will take a nosedive, and
they don’t want to throw away that revenue for the sake of being early.

------
nopriorarrests
<quote> One-time users includes all one-time visits and all the visits where
people have not done anything to give you their consent. This means you cannot
load any 3rd party tools. All your ads have to be delivered via 1st party
means (so no 3rd party ad code) and it cannot contain any personally
identifying information. </quote>

That is one weird claim. Let's count "one-time user" as someone completely
anonymous -- no cookie, no login name, nothing. Let's say someone browsing in
incognito mode from the freshly installed PC.

By definition publisher has no personal data about this person, so GDPR
doesn't apply here, IMHO, and it's quite fair. Why can't publisher load some
3rd party tool?

~~~
AlfeG
But there is a lot of other PID with this visit - ip address, cookies, browser
fingerprint

~~~
nopriorarrests
Ok, let's say I, as a publisher, don't set user cookie if user hasn't
registred/logged in, and don't store IP in logs, and don't do browser
fingerprinting.

Why can't I load some 3rd party tools?

What author is claiming, essentially, that in a mere 2 month from now, you can
sue almost any European publisher for data privacy breach. Outrageous claim
require outrageous proof.

~~~
guitarbill
> Why can't I load some 3rd party tools?

You can, you just need assurance that they're also GDPR compliant if you want
to be GDPR compliant.

If the third-party violates GDPR, but requires your website to run on (e.g.
third-party JS, other types of beacons), I think judges are going to have a
dim view on that, and so you can't simply claim that it's them, not you.
(There may be mitigations, e.g. if you have a contract with them that spells
out GDPR compliance, but then they break that - but how many people have
contracts for the JS they embed?)

Edit: One way this argument could be laid out is that by including such third-
parties in your website, you're instructing the browser to load them, and
therefore effectively forwarding GDPR-related data to them. Technically, this
isn't really too different from a REST API call you'd perform on the server,
or an AJAX call (although the server call doesn't necessarily forward e.g. the
IP).

~~~
nopriorarrests
Interesting. I personally use uBlock and "cookie autodelete", which deletes
cookies for all sites except the white-listed ones each 5 minutes,
automatically.

So if your interpretation is correct, and GDPR affects even completely
anonymous users, I'll be seeing and clicking "consent box" each time I go read
a newspaper or just do general browsing. Like the "we use cookies" stuff, but
on steroids.

EDIT: but still, I find this hard to believe, tbh. It means no ads served to
anonymous users, and this has consequences I can't even imagine.

~~~
guitarbill
Of course you can serve ads, they just can't use any personal information or
tracking unless people have consented. Ad blockers will still be a thing.

As for consent, you have to be able to refuse. A consent box popping up each
time would be the dumbest way to do this, but not that different than those
full-screen email/newsletter begging boxes we have now.

~~~
nopriorarrests
Why dumbest?

If we agreed that even incognito browsing contains the traces of PII,
publisher has to get my consent, explicitly, that's the whole point of GDPR. I
see no other option than to do popup window for each new visitor (where new ==
has no associated cookie). What are other options?

~~~
guitarbill
Don't use the PII. Is that really too much to ask?

------
dbg31415
So pretty much every page is going to get a "loading page" again where users
have to confirm if they will allow Google Analytics, etc. to be used? And
probably a warning about cookies? That's how this is going to play out, yeah?
At least for sites that fall under it.

Not sure that really accomplishes the intent... seems like it'll just be an
annoyance to all non-cookied users.

------
notimetorelax
Site is down, here’s the google cache link:
[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://baekdal.com/strategy/publishers-
havent-realized-just-how-big-a-deal-gdpr-is/&num=1&prmd=ivn&strip=1&vwsrc=0)

------
whataretensors
Doesn't the NSA and other intelligence agencies collect detailed data on
everyone? They also seem to have backdoors into a lot of centralized systems.

Nobody seems to care that government organizations sit outside of regulation
and tell us we need to regulate everyone else. It's simply a power play.

~~~
number6
Beside that there are regulations that allow them to do this. Even for
European Agencys it will continue to be legal to do so.

Government organisations don't sit outside of regulations. The regulations are
designed around their needs and they make sure their regulatory needs are met.

------
going_to_800
This article is not totally accurate.

For ex. you can track anon visitors fine if you generate an ID identifiable
ONLY on your DB. So if you store only an ID in the DB(awaiting to be matched
when a conversion is made with consent given) is totally fine because even if
someone hacks your DB can't be able to match that ID to any person, even if
they have other data from Facebook, Google etc.

In case of an IP it's a different thing. If you get an IP, you can actually
identify a person if you have a DB with the IP+other personal information
about it.

~~~
ec109685
How are you tying your ID and the user? If it’s a cookie, you need to get
consent and let the user view and rectify information tied to that ID.

------
LoSboccacc
nobody realized how much big of a deal GDPR is going to be. if you digitized
your partner business card, if you store their number on your phone etc that's
personal data and that all need to be renegotiated and you need a database to
hold track of their informed consent.

a little exaggerated for fun here [https://www.brandexpublishing.co.uk/the-
new-procedure-for-ex...](https://www.brandexpublishing.co.uk/the-new-
procedure-for-exchanging-business-cards-under-gdpr/)

~~~
jsty
You don't even have to digitise the information, if you were to store your
business cards in a structured filing system they would be under the GDPR too
[1]

[1] See definition of personal data: [https://ico.org.uk/for-
organisations/guide-to-the-general-da...](https://ico.org.uk/for-
organisations/guide-to-the-general-data-protection-regulation-gdpr/key-
definitions/)

~~~
vageli
I wonder what that means for Rolodexes.

------
weinzierl
This article focuses very one-sidedly on the consent aspect but this is not
the whole story. The basic principle behind GDPR is not "getting consent" it
is "if you want to collect or process data you need a justification" [1]. The
justification should and will be in most cases some other law or regulation.
Only if you can't find that justification elsewhere you will need to get
consent.

A good example for this is the Cookie under GDPR. The original plan was for
both the GDPR and the ePrivacy Regulation [2] (not to be confused with the
ePrivacy Direcive) to come into effect on 25 May 2018. The ePrivacy Regulation
would have had given the justification for using analytics Cookies without
consent. Now that ePrivacy Regulation is delayed some argue that national laws
can provide that justification until we have a EU-Regulation.

[1]

>In order for processing to be lawful, personal data should be processed on
the basis of the consent of the data subject concerned or some other
legitimate basis, laid down by law, either in this Regulation or in other
Union or Member State law [..]

[http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=146243980...](http://eur-
lex.europa.eu/legal-content/EN/TXT/?qid=1462439808430&uri=CELEX:32016R0679)

[2]
[https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_...](https://en.wikipedia.org/wiki/EPrivacy_Regulation_\(European_Union\))

------
jotm
" _Today, for instance, we see that a majority of people who install an ad
blocker don 't actually do it to block ads (that's just an added bonus). They
are actually doing it to block tracking_"

No, it's the other way around.

------
pspeter3
Does this mean every site will need to ask permission for Google Analytics?

~~~
martin-adams
A very good question which I don't know the answer. But what I do know is that
since IP addresses are considered personal information, then you can tell the
GA script to anonymise it.

[https://support.google.com/analytics/answer/2763052?hl=en](https://support.google.com/analytics/answer/2763052?hl=en)

Of course, that doesn't stop that IP address becoming aware to the GA servers,
but they should stop it being used further down the line.

I suspect it's similar to using a CDN where the IP address again is passed to
a third party.

~~~
molf
This is true, but you also must engage in a GDPR contract with Google
Analytics. I believe they have recently added this as a feature somewhere.

------
cdjk
Most companies seem to be setting up GDPR portals to download/delete all your
personal data. I'm waiting for the breach of one of these portals - that will
lots of fun to watch.

------
sadturnip
I am coming to the whole GDPR party really late (very recent startup).

For example we use Auth0 for our authentication service. Auth0 doesn't support
storing everything. So we use the auth0 user id in a db table, which contains
some user preferences.

Does that mean i need to get consent from the user to use their user id? In
our database even though they are paying for this service, and we are paying
for their auth0 user account?

Also if someone were to submit a GDPR request, how am i supposed to verify
this person is who they claim to be?

~~~
molf
If you cannot operate the service without that particular data, you don’t need
explicit consent.

------
marcrosoft
As a matter of morals/competitive edge, companies should try to keep personal
data safe and perhaps not collect it at all.

That said, GDPR is ridiculous and in many countries, contradictory. This leads
to litigation spaghetti code. It will be exploited in ways we can't yet
imagine.

It is dangerous to assume GDPR applies to YOU if you are based in the US. As
the world (thankfully) doesn't operate under a one-world government, let the
EU live in their ignorant "This site contains cookies" world.

~~~
juanpicardo
Most business will want to comply because the EU market is quite large.

~~~
return1
its a big market but not crucial. EU users are notoriously risk-averse and
won't try new things, and wait for others to set the trends. EU is important
for global giants, but for more specialized, less competitive services, a
cost-benefit analysis is needed to decide whether EU is worth serving.

------
adamnemecek
Can’t say i feel bad for them.

~~~
tcd
Why would you feel bad for them? They have had 2 years to prepare for this,
hopefully a few fines here and there will make people realise this _is_ a big
deal and they can't just ignore it.

About time too, I really really hope this has an incredible profound impact on
privacy and the EU will demonstrate this is a law people _must_ abide by.

~~~
riantogo
Maybe the next version of GDPR will tighten the screws and take it all the way
to the end user. You install some app and share your contacts with it? Pony up
10% of your annual income. You forgot your phone in a cab? That is putting
everyone who has ever emailed you at risk. 15% of your annual income as fine
for your carelessness. Would you still support it?

Such sweeping laws require a lot of thought and debate. It is unfair to say,
“hey they had 2yrs so it is their problem”. We need to do better than, “must
abide by law” and push for just and fair laws.

~~~
Someone
What makes you think this hasn’t had _a lot of thought and debate_?
[https://edps.europa.eu/data-protection/data-
protection/legis...](https://edps.europa.eu/data-protection/data-
protection/legislation/history-general-data-protection-regulation_en) shows it
took from June 2011 to December 2015 (at least; it builds on the European Data
Protection Directive, whose history goes back to 1980
([https://en.m.wikipedia.org/wiki/Data_Protection_Directive#Co...](https://en.m.wikipedia.org/wiki/Data_Protection_Directive#Context\)))
to create.

------
ardacinar
IP adresses being protected as personal data has an interesting side effect.
You can't be compliant under both EU GDPR and Turkish internet security laws
(probably shared by a lot of oppressive and semi-oppressive regimes). That law
states you have to keep the poster IP address of every post on the site and
turn them over on court order.

Obviously, as with every law in Turkey, the enforcement is very subjective
(for example, Twitter does not respond to most requests and nothing goes wrong
for them. But say, if you're a non-Twitter scale website, you deny a couple
requests or probably only one and you're getting blocked), and you might be
able to get away with the "we don't store them/store them anonymized because
GDPR" defence once.

Yes there' a 'justice' loophole in GDPR but I don't think "we're still saving
the IP addresses anyway in case a court requests it" argument would fly. In
the end, to be perfectly legal in both jurisdictions, you'll probably need to
differentiate based on IP address ranges or something.

~~~
zimpenfish
> You can't be compliant under both EU GDPR and Turkish internet security laws
> [...] states you have to keep the poster IP address of every post on the
> site

GDPR does have specific exemptions for holding/processing data per legal
requirements.

~~~
ardacinar
Yes there' a 'justice' exemption/loophole in GDPR but I don't think "we're
still saving the IP addresses anyway in case a court requests it" argument
would fly.

------
ajeet_dhaliwal
Assuming I understand this correctly GDPR basically make products like
Mixpanel’s JavaScript (browser loaded) library and other similar products from
other companies unusable since they are oftn setup to collect data (including
IP addresses) on first visit. Adblockers make the data collected incomplete
even if this wasn’t an issue.

~~~
detaro
If these products don't take steps to be GDPR-compliant themselves they are
going to be unusable, yes. Which is why I assume most of them will do in some
form.

E.g. an analytics product does not have to collect IPs. I've seen one company
in the field requiring customers to explicitly mark form fields as safe for
tracking the contents of in session replay (so they don't accidentally end up
with your customer addresses, while still allowing you to see how far people
went with the signup process, which product options they had selected), ...

------
z3t4
I think this is a cover up for making it easier for government officials to
get data about you. To protect your customers you should store as little
personal data as possible and encrypt all other data such as e-mail and
messages, so it only can be decrypted by the user's password or key, that you
only have the hash for. And also inform your customers about he importance of
strong passwords or using key's. I tried to create a Microsoft account the
other day and the password was only allowed to have A-z0-9 characters, with
four numbers. You can probably guess most peoples password by using their name
plus the birth year of their child. So don't impose any rules other then
length and a warning if the password hash is in the list of 100,000 most
common passwords.

------
jannes
Interesting analysis! I wonder how this would affect AMP articles. What
happens when a one-time visitor (from the publisher's perspective, but not
from Google's perspective) looks at the cached AMP version of the page on
Google's servers and Google's domain? Ads and tracking could hosted by Google
as well (AdSense + Analytics), so everything is technically 1st party.

Wouldn't Google be the data-controller in that case?

Google might still be allowed to do the personal tracking if they ever
obtained consent from that user. Another reason why the AMP caching is bad for
the web, I guess.

And from the user's perspective AMP articles would become even more appealing
because they would never be bothered with consent popups.

------
curo
I read this as an extended consent banner ("this site contains cookies") +
user ability to hard delete pii + IP. Hard delete is substantial, but the
banner is just going to be ignored like the cookie notice. If that has an
affect of traffic, it'll be punishing sites that don't require login/signup,
which means the average EU consumer will be required to sign up for more
accounts in order to do what they did before (because if you're going to
require consent, why not require signup?). In any case, I can't see very many
use cases where a site dials back its data collecting. Retargeting is the crux
of ad-supported sites.

------
codetoliveby
This article has it completely wrong. I work for an email tracking company and
you can still have tracking tools but the ballpark has changed drastically for
collecting user information.

Sadly, I feel this will hurt the ones without a proper IT force the most.

------
perpetualcrayon
What if a site simply made available direct access to download all raw data
related to a session / user account that had been stored? And of course
attempt to describe / explain each data point. Would this be sufficient to
meet the GDPR guidelines? I have only limited exposure to this legislation so
far, but want to learn more. I have no reservations to share all data stored
to a visitor, and would probably opt to do this if it covers you instead of
painstakingly going through each data point to evaluate what needs to be done.

Give the user complete access to the raw data and give them the opportunity to
delete all records of that data if they choose to.

~~~
foolfoolz
deletion/retention of data is the harder part than accessing data. deletion
after a reasonable time, such as account shutdown request by user. or users
should have option to delete. or if you keep data for a long time, encrypting
it safely. add on top of that legal holds (subpoena) and that it’s affecting
your core data models, it’s not a simple task. it’s a lot of work.

one nice problem that popped up is we have mysql tables that can’t handle the
delete traffic fast enough. gdpr is not a project you want to leave till the
last few weeks

------
ptype
I’m not convinced IP addresses are automatically personal data. Granted, they
CAN be personal data, if they can be linked to a specific person. But assuming
I just keep generic log files, and that I would not in a subject access
request be able to tell someone the IP addresses that the user has used, is it
really personal data? Also, it is not clear to me what other laws require in
terms of keeping log files. It is possible that by keeping no log files at
all, you risk breaking some other law (UK).

~~~
CydeWeys
It doesn't matter what you consider IP addresses to be, it matters what
European regulatory authorities consider them to be.

And yes, many IP addresses can be linked to a specific person. I don't doubt
that, by being logged in to Google, Facebook, and a bunch of other services,
and by having an ISP that provides a unique IP address per subscriber, that
the majority of sites out there that use 3rd party tracking know who I am just
by my IP address at any given time.

~~~
ptype
To be clear, I am only talking about the interpretation of the regulation, not
my own considerations.

The article made it sound like IP addresses are always personal data. My point
is that, if I run a website and keep generic nginx log files, is it really
personable data with regards to my website?

Yes, the ISP can link that IP address back to a person, but if that person
came to me as the website administrator and asked for all data held for that
person, I would actually not be able to make the connection.

~~~
detaro
Yes, it is. That you don't necessarily have the ability to make that
connection doesn't matter, although if it turns out you have it of course
makes matters worse. (This also isn't new under GDPR, current european law
interpretation already supports this. See
[http://curia.europa.eu/juris/document/document.jsf?text=&doc...](http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&doclang=EN)
for the court decision firmly establishing this: Since the visitors provider
has the data, and will share this data in some cases, it's possible to
establish the link and the dat thus has to be protected accordingly)

~~~
ptype
Well actually this analysis by White & Case of the same case[1], seems to
suggest that it may not be (paragraph “impact on businesses”) personal data if
the business has no means of linking the addresses to users.

[1] [https://www.whitecase.com/publications/alert/court-
confirms-...](https://www.whitecase.com/publications/alert/court-confirms-ip-
addresses-are-personal-data-some-cases)

~~~
detaro
Interesting, commentary I saw interpreted that more widely. Thanks for the
link!

------
jh72de
Still NSA and their likes do collect and store all this data, so effective
privacy/data protection/anonymization is still a task of the users themselves
and their client tech.

~~~
paulddraper
Is the US government GDPR compliant, or does it not do business with EU
citizens?

Or are they granted an expection for being trustworthy good guys unlike these
unscrupulous businesses?

~~~
drchiu
I would imagine that only legitimate businesses have to be GDPR compliant.
Government agencies almost certainly fall under some national security
exemption.

~~~
roel_v
Wut? No. The first organizations I'm going to send gdpr letters are hospitals,
which are in no way businesses here in the Netherlands.

------
realo
As a Canadian, if I am also an eCitizen of Estonia, will the GDPR protect me
from EU-based companies?

Or do I have to actually _live_ in the EU to be protected?

~~~
wll
As of April 2018, Estonian e-Residency does not grant any right other than
access to e-services. [0] It is implausible digital residency programs will
ever supersede standard citizenship or residency requirements and procedures.

[0]
[https://web.archive.org/web/20180409002346/https://e-residen...](https://web.archive.org/web/20180409002346/https://e-resident.gov.ee/faqs/about-
e-residency/#what-can-i-do-as-an-e-resident)

------
raiph
I'm surprised there's been no mention in this thread of Brave and/or BAT.[1]
Or is my understanding that they're directly relevant a misunderstanding?

[1]
[https://en.wikipedia.org/wiki/Basic_Attention_Token](https://en.wikipedia.org/wiki/Basic_Attention_Token)

------
Mooty
If anyone is searching a MOOC to comply his work with GDPR, this one was
really concise and complete :
[https://bluelearning.fr/formation/rgpd/](https://bluelearning.fr/formation/rgpd/)

PS : Ask for English version, they can do an English version, they did one for
us.

------
yuhong
The final version of my essay on a similar topic has been posted:
[http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-
mozi...](http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozilla-
essay-final.html)

------
return0
So the entire web that depends on ads is doomed, google and fb. will now keep
100% of advertising revenue, and european users will start receiving 2nd-rate
service (if at all) , because they are unmonetizable. I think the article has
too much FUD

~~~
molf
You can show ads without needlessly collecting personal data.

~~~
return0
... if you have the money to hire at least one marketing manager and buy some
ad managing software.

------
hanoz
It's everyone, not just publishers. How many people here are preparing to
ensure their web server doesn't log ip addresses before acquiring visitors'
explicit permission to do so, for example?

------
patricjansson
To whom do you give your consent by the way? Is it the domain or is it to a
company. What if your sales and operations departments are organized into
different companies, do you have to give consent twice?

------
clay_the_ripper
Would this mean for example I can’t load the Facebook pixel without consent?

~~~
detaro
Yes. Facebook's terms and conditions explicitly mention that you have to do
this.
[https://developers.facebook.com/policy/?locale=en_us](https://developers.facebook.com/policy/?locale=en_us)

> _12\. In jurisdictions that require informed consent for the storing and
> accessing of cookies or other information on an end user’s device (such as
> the European Union), ensure, in a verifiable manner, that an end user
> provides the necessary consent before you use Facebook technologies that
> enable us to store and access cookies or other information on the end user’s
> device. For suggestions on implementing consent mechanisms, visit Facebook’s
> Cookie Consent Guide for Sites and Apps.

13\. Obtain consent from people before you give us information that you
independently collected from them._

------
k__
Why not do it like with cookies?

People are already used to accept these cookie policies, so why not just widen
it to GDPR related stuff?

Also how much can be caught with "security" reasons?

~~~
molf
There's a very clear distinction: GDPR requires that consent is not a
precondition for offering a service.

Most cookie policies in practice are all or nothing: you either accept and
continue, or you decline and cannot use the service/website. That is not
allowed under GDPR.

~~~
reid
Interesting. Which part of GDPR disallows the “decline and you cannot use the
service” case?

~~~
molf
Quoting GDPR:

"Consent should be given by a clear affirmative act establishing a freely
given, specific, informed and unambiguous indication of the data subject’s
agreement [...]" [1]

"Consent is presumed not to be freely given [...] if the performance of a
contract, including the provision of a service, is dependent on the consent
despite such consent not being necessary for such performance." [2]

[1] [https://gdpr-info.eu/recitals/no-32/](https://gdpr-
info.eu/recitals/no-32/) [2] [https://gdpr-
info.eu/recitals/no-43/](https://gdpr-info.eu/recitals/no-43/)

~~~
chii
> the provision of a service, is dependent on the consent despite such consent
> not being necessary for such performance.

but to play the devil's advocate, if it costs money to provide a service, but
that money is currently supplied by selling personal data to third-parties,
then isn't it true that the service cannot be provided without the data?

~~~
zaarn
Well then you'll have to hinge the performance of your service on actually
asking the user for money.

------
minusSeven
What happens if you don't follow the rules? How are the penalties enforced?

------
_pRwn_
as a Kraut: if you start now, you're practically too late. It will be
interesting to see which major corporation will face the fine of 20 million
Euro or 4% of annual turnover the first.

------
oh-kumudo
Does this affect individual blogger though?

------
daveheq
There's some major problems with this:

"You cannot use any personal identifying data from any visitor who is a one-
time visitor."

If an IP address is "personal identifying data" (as the author subsequently
states), then every visitor is a one-time visitor. You can try tracking unique
visitors by something else, like some user agent data, but it's less accurate.
Ignoring IP means optimizing a site for click-to-sales becomes a lot more
vague.

If a site converts each unique IP to a hash, then that's one way to get a
unique visitor, but then which hash method do you use? MD5 is hackable to
anyone having a list of hashes to IP addresses, and anything else can be more
complicated and less standardized, so therefore more prone to bugs and bad
coding, and therefore more costly to the business.

"You cannot load any 3rd party service, because by doing that you would be
sending personally identifying data to those services (like people's IP
address)."

If you can't even load 3rd-party software because they can see IP addresses,
then you can't have any tracking, including aggregate, unless you build your
own, which can be highly costly and is inherently inefficient with many pre-
built solutions already existing and refined, even if they're open-source.

This restriction seems just as unreasonable as the first, also based on IP,
and I'm not sure the politicians who made this restriction understand the web.

"You cannot even do personally identifying internal analytics."

If this is true, then you're cutting out a lot of site optimization and sales
navigation because you're not always going to be right about what people want
or how they will click things on the site. Without IP tracking, you can't
follow where someone is going or tie that user to a bug, just get an aggregate
of many, which can be vague.

"The reason is that a first time visitor hasn't done anything that could be
considered consent, so you have nothing to work with."

This is incorrect, the user has given consent to make available any info the
browser provides, which has to include IP address so the server knows where to
send the response. If a politician doesn't understand this, then someone
hasn't explained it to them.

It is a natural right of a website and publisher to use IP addresses, because
they are required for web communication and identifying abusers. How they use
it beyond that is what should be regulated, not just the visibility or
collection of it.

"I don't think publishers realize just what this means."

I don't think the politicians understand just what this means either.

------
MarkMc
It seems to me that GDPR restricts economic growth.

For example, I'd be quite happy to let my local supermarket sell my personal
data to Google in exchange for a 3% discount on my grocery prices. Everone
would benefit: (1) The supermarket gets an additional source of revenue; (2)
Google can charge more for ads; (3) The toothpaste company gets better return
on it's advertising; (4) I pay less for my groceries.

GDPR prohibits this kind of win-win agreement, doesn't it?

~~~
mayniac
From what I can see, this would be fine under GDPR anyway, so long as when you
buy something in a supermarket they ask you "is it okay if we send information
of what you bought to Google?"

Of course it's completely impractical to get cashiers to do this every time
someone buys something, so it will likely just be applicable to store reward
cards. They're doing this already, and all GDPR will introduce is moving the
paragraph in the TOC you sign which says "we might sell your data to third
parties" to the top in big letters and make sure you explicitly agree to it
(or similar to achieve informed consent). As well as adding some safeguards in
place.

A point on your example, stores already do sell your personal data to third
parties as an additional source of revenue, but instead of giving you a 3%
discount they usually just analyse your purchasing habits and throw discounts
on other goods which they think you'll be susceptible to buying, so usually
instead of you spending less you actually spend more on things you didn't
really want before being offered.

~~~
MarkMc
Doesn't GDPR say that 'informed consent' cannot be a condition of providing a
business service? So as far as I can see the supermarket cannot say, "In order
to receive the store rewards benefits you must agree to us selling your data
to third parties".

------
EGreg
What if I told you...

(Morpheus photo)

1\. Social websites don’t have to be giant, centralized communities too big to
police themselves.

2\. People need more tools to help them achieve things in the real world,
rather than spending hours a day chatting about the real world online.

3\. There are ways to make money online without ads begging you to click on
them, and they involve real-world goods and services that your website can
help connect people for?

What kind of world would it be that one minute spent online would result in
hours of enjoyment out of the house?

Would you NEED to collect data on people in order to tailor ads to them, when
the interface would enable them to express their own INTENT to spend money,
which you can then help facilitate?

 _EDIT: downvoted heavily, what else is new. Yeah, clearly saying people want
to achieve things in the real world deserves condemnation and scorn from
anonymous downvoters, but no counterpoint is given._

~~~
URSpider94
All the things you mention are certainly possible, but if that’s truly what
consumers wanted (judged by where they spend their time and money), then the
market would reward companies that provided those services.

Put another way, you can argue as much as you want that people want to eat
salad and steamed vegetables for every meal, because it will make them thinner
and healthier. And yet, McDonalds is still doing well (maybe not quite as well
as before, but still very well).

Regulation will curtail the edge cases where people are acting to their own
detriment to a degree that society deems unacceptable. Beyond that, it’s up to
the invisible hand of capitalism to dictate what customers want.

~~~
geofft
What? Why?

The market rewards working services over not-yet-working ones - it's not
surprising that customers who prefer a more complicated service will use the
less complicated one in the meantime. There's also all sorts of confounding
things with social networks like network effects.

Capitalism is one way to get at a society's preferences. It is not the only
way, nor is it able to perfectly determine a society's preferences.

~~~
merinowool
Capitalism is the most free of all, from there the more you turn left the more
authoritarian it gets.

~~~
geofft
Why is democracy not the most free of all? Let one person have one vote - not
one dollar have one vote.

~~~
nybble41
To expand on what merinowool said: Under capitalism you are free to do
whatever you want with your own property provided you extend the same courtesy
to others, and don't interfere either _their_ use of _their_ property. It is
easy to see that this is an optimum balance: any more freedom than that would
necessarily come at someone else's expense. This is sufficient on its own to
say that any other system must be less free than capitalism.

"Democracy" comes in many forms. If a particular implementation of democracy
includes strong (effectively absolute) protection for the rights of the
minority, including property rights, then it becomes a special case of
capitalism where interested people voluntarily _choose_ to address issues of
common concern through voting. One example of such a system is a co-op; no one
is forced to participate, but those who do become members have equal
representation with respect to the disposition of the co-op's common property.

If respect for the minority's rights is subject to majority vote, however,
then things which one would be free to do under capitalism—by definition
involving only one's own property and that of others who voluntarily choose to
participate—become restricted to suit the will of the majority, which plainly
makes one less free.

~~~
merinowool
I couldn't put it any better. Thanks!

------
home_boi
I don't think the legislators understand the technical complexity it would
take to comply with GDPR nor the benefits of tracking for the internet.

Tracking makes markets more efficient.

1\. Advertisers can tune their ads/targeting to get higher conversions and
sales. They pay higher PPMs and PPCs.

2\. Publishers get higher PPMs and PPCs. This motivates them to invest more in
their content and website because each new user will yield more money with
higher PPMs.

3\. Users get more relevant and safer ads. Remember the shady banner ads of
the late 90's and 2000's? That's the type of low conversion rate / click
through rate ads that will run when advertisers can't target their audience
efficiently and PPMs are very low. Relevant ads also save users (the segment
that buys stuff from ads) time from researching for products and services.

4\. Users get personalized content from publishers. This has a few negatives
but I would argue that it greatly improves user experience.

The technical and administrative complexity required for the legislation
effectively shuts off tracking for all websites that aren't owned by a
megacorp. Small and medium sized publishers now have less motivation to get
good content out and improve their websites from the lower PPMs.

~~~
kuschku
> Relevant ads also save users (the segment that buys stuff from ads) time
> from researching for products and services.

That is specifically not wanted.

Several European governments are subsidizing projects to provide consistent
and exhaustive comparison tests between many products instead, so customers
can for each category of product they may need find massive comparison tables,
find which products fulfill their needs, and can buy the cheapest one.

This makes the market more efficient, because the best product for the lowest
price wins, instead of the best marketed product.

One such example is the Stiftung Warentest:
[https://en.wikipedia.org/wiki/Stiftung_Warentest](https://en.wikipedia.org/wiki/Stiftung_Warentest)

~~~
merinowool
So is that going to be another parcel of life under the state control? It is
easy to predict such tools are going to be abused (for example excluding
products from a producer that has opposite political views to the currently
ruling people)

~~~
kuschku
Every company today that you rely on to discover products will shape what you
see for their own advantage.

Google puts their own ads more prominently and bans competitors from certain
ad spaces, Amazon does the same, as does even Yahoo.

And your worst fear is that maybe the government might end up just as bad as
the companies that you see as alternative?

~~~
merinowool
There is a difference thought - you can't have multiple governments to choose
from at any given time. State always limit the choice.

