Hacker News new | past | comments | ask | show | jobs | submit login

Actually, the law is defined quite broadly, not restricting itself to "name, IP, email".

Have you considered how a combination of innocuous data points, such as "browser + city + top 3 popular sites" can make a person uniquely identifiable?

Or any other of the billions of combinations of your browsing patterns or seemingly random daily activities. Your entropy fingerprint, if you will.

Check out "differential privacy" to learn more [0].

We've built a product to help companies identify the more obvious "private data" cases (https://pii-tools.com), but we're not fooling ourselves that we've solved "personal data". Or that the task is even solvable. A dedicated person or algorithm can identify people from surprisingly little information (in the extreme, think Sherlock Holmes). Identification is a matter of degree, rather than a binary "name, IP, email" thing.

[0] https://en.wikipedia.org/wiki/Differential_privacy




> Have you considered how a combination of innocuous data points, such as "browser + city + top 3 popular sites" can make a person uniquely identifiable?

While this is certainly the case. As long as you do not use the data in that way it is not illegal to collect it. Intent and actions are very important in GDPR.

Standard law: Purchasing a knife is not illegal, but using it to kill is.

GDPR: Collecting browser, behaviour and city is not illegal, but correlating it in order to connect collected data to a single person is.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: