If it is "industry standard", does that make it ethical?
Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time. If you only take it away from one corporation, that corporation will be temporarily outcompeted by the corporations you haven't yet taken the business strategy away from, so they heavily resist that.
But heaven forbid governments hold a dominant corporation accountable in the public interest.
That's not really relevant to the parent's observation that Facebook is likely arguing that they're being singled out in an environment where their practices are so rampant as to be standard.
>But heaven forbid governments hold a dominant corporation accountable in the public interest.
"accountable to the public interest" is an incredibly disingenuous way to say "enforce their laws". The difference matters in this context because the counter argument would be "why is the law being enforced predominantly against a handful of American companies instead of the industry at large?"
Either it is enforced against Facebook first, and Facebook complains "Why don't all of the small fries have to do it yet" and if it is enforced against the small fries, they will say, "Why doesn't Facebook have to do it yet"?
And the answer is, the justice department will probably enforce the law in the way that they expect to have the best effect for themselves. It is not necessary to wait until you are sued before you become legally compliant?
When a government agency (think IRS or FAA) decides on a specific interpretation of a law, rule or regulation, they don’t go after a random guy to prosecute. They publish an opinion, a guideline, or interpretation and a compliance deadline. The industry is given a choice to comply or present an alternative interpretation (through courts, lobbyists or legislative representatives).
It’s one thing if one company out of a hundred doesn’t comply, and somewhat different when the standard industry practice goes against new interpretation.
Selective enforcement is more typical of countries with weak judicial systems and endemic corruption, where “friends” of the current government get compassionate understanding, but everybody else is subject to the strict rule of the law.
That erosion is not corruption on its own, but can lead to it.
Which, granted, is something that happens but people largely regard this kind of unequal protection of the law to be a bad thing.
I don't see the point of this sort of "but johnny did it too" line of argument. So authorities are looking into a report of widespread abuse. Where's the relevance of not advertising how they may or may not look into other small-scale and lower-profile cases? In fact, aren't resources better spent by going after the single largest and more egregious source of abuse that has a global reach and has been continuously abusing its position for over a decade?
EDIT: Downvotes? I'm stating facts. How can you downvote facts?
> How can my argument be US centric when I'm European and have never even visited the US?
You don't have to be from the US for your post to sound US centric. It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems." argument which is found everywhere online, especially on sites with a large proportion of US users (like HN).
The comment I replied to had no sources as well and yet it isn't downvoted.
> It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems."
Actually my comment says the exact opposite, it says that at least the western part of the EU is less corrupt than the US. Do you realize that I said the west [of EU], not the west as in the US? You're the one who is thinking US-centric after all, thinking that when someone says "the west" they mean the US even though it's in a sentence that talks about parts of EU, this possibility didn't even occur to me - that's how foreign it is to me.
Read it again. It stated much less confidence in those baseless claims, inviting sourced rebuttal. You claimed to be "obviously" right without any sources, and apparently you were not.
Edit: also, complaining about downvotes, especially without even trying to admit a mistake, is considered bad behavior here.
That kind of hand-wavy stuff doesn't fly here. If you're going to make a claim like "EU Countries are more corrupt than the US", YOU have to provide a credible source for that claim.
Telling people to go and verify for themselves a claim that you made is just lazy and disingenuous.
Such activities are illegal and considered corruption in most countries.
The US is not unique. If you see something happening here, it is almost always happening in other western countries, and acting like we are the only ones to have a problem does a disservice to worldwide development.
Lobbying has nothing to do with donating money, and lobbying elected representatives is definitely not illegal in most democracies.
Please don't twist conversation into debates about semantics: it's not helpful.
Yes, and you said that both are illegal in most "other" countries. Except lobbying isn't illegal in any healthy democracy, including in Europe. Donating "millions of dollars" isn't really legal in the US either.
This is flat-out untrue, and repeating this incorrect meme ad nauseam simply makes it harder to address actual problems when they arise. Lobbying is simply the process of petitioning elected officials. It's a necessary part of any functioning democracy, or else there's no fundamental feedback loop connecting elected officials to their constituents in between elections.
> If there was a lobbying group that did not donate money you would have to specify that in conversation
Corporate entities are prohibited from donating money to campaigns, whether or not a quid pro quo is implied.
The same issue comes up with the word theory to scientists vs its meaning in the common vernacular.
As to your second part about corporate entities being prohibited from donating money to campaigns, excuse me while I set up a PAC to donate funds to a senator who is aware that I donate to the PAC and that I would really appreciate it if I got a tax break.
What the law intends != what is actually happening
Yes, and just as we ignore people who dismiss evolution because "it's just a theory", we should take the same attitude towards people who conflate lobbying and campaign contributions, because they clearly don't understand how the democratic process works, and acting on their demands is actively harmful.
> What you've stated is true by the technical definition of the term, but lobbying in the _common vernacular_ of the United States is synonymous with paying money.
Yes, and the "common vernacular" is wrong and actively harmful. The two things are completely unrelated, and perpetuating the conflation makes it harder to understand what's actually going on.
If you think something is broken, you actually have to understand how it's broken in order to fix it. There's no virtue in going out of your way to make it more difficult for people to understand how things work. That's how you end up with people wasting time advocating "reforms" that span the range from "well-intentioned but redundant and/or ineffective" to "completely self-contradictory and nonsensical".
E.g. your assumptions being incorrect. You could have avoided a lot of downvotes with showing some humility. Assuming someone does not know about large shifts in EU membership seems like argument in bad faith.
Europe, Germany and France in particular, has a strong history of state involvement in large corporations.
I suppose you could call that an administrative philosophy. To me it sounds like another form of corruption.
And I guess Facebook and others have been trying to lobby it away for years already.
The entire tech industry can now consider themselves warned. Not even giant American corporations with direct links to the White House are above the law.
Still, the lawsuits should be simultaneously served to all companies. Preferably with a courtesy heads up.
GDPR had been announced in 2012, implemented fully in 2016. Active enforcement will start May 2018 with again a temporary period to allow companies to correct. Refusal to comply after that can result in penalties up to a maximum of 4% of the company's global revenue.
How much courtesy lead time does a company actually need to comply?
"You have 20 seconds to comply" says the robocop :-)
The summary of the court of the case, if ruled in favor of the one suing or in favor of the public interest, will be used to prosecute all other offenders if they do not comply. If the defense wins, it can be used by others as a defense.
While not 'fair' it works as the smaller fish will probably go bottoms up trying to mount a proper defense against larger governmental or lobbying groups which results in a no-win scenario for all: The company is dead and there is still no ruling, or a ruling lacking proper defense.
Or say Intel users that are now suing on the meltdown bug should they get involved in AMD too from some feeling of solidarity?
In this case someone did something illegal and someone else complained to the justice, should they first find all (I hope you understand what all means, aka don't forget anybody) and try to do what? start 1000 processes in justice? It makes sense to start with the bigger criminals, if the court decides favorably then you continue to the next ones.
2. Do you realize how much manpower it would take to require that all separate cases be tried at once? You might as well just come out and say you don't want any cases to be tried at all, as that would be the outcome.
The courts are just agreeing with these citizens/rights group. It's not like an EU agency is targeting Facebook unfairly.
Personally I can only see this as a good thing. As a non-user I don't want Facebook tracking me. Same as I don't want tracked by any other company.
Because the largest companies that European citizens are using and that are breaking the law are American. There is no point in targeting first the Chinese and Russian companies doing the same tracking, as few European citizens are affected. And as far as I know, there is zero European company doing the same thing on such a level.
That's not a counter argument but dissatisfaction. Are you saying that EU companies also don't follow their laws?
You're correct but mainly because I wasn't paying attention and phrased it as a question. Written instead as a statement, it's a valid counter argument because it's criticizing the parent comment's ridicule of a different instance of criticism.
> Are you saying that EU companies also don't follow their laws?
I'm insinuating that if someone wanted to defend Facebook's position one avenue would be to argue that the law is being selectively enforced. Obviously this isn't a comprehensive argument but it's an easy platform to jump in other directions from.
I doubt a statement expressing dissatisfaction is a valid legal argument responding to a legal ruling. Clearly the term argument in this context is for a legal argument not a colloquial use of the term, since a legal appeal is what is being discussed.
When people get traffic tickets, the judge won't let them off for saying, "But, your honor, the police officer didn't pull over any of the other speeders around me."
Not so if it is the only way for the business model to be profitable. More generally, this argument assumes that there is a fixed profit to the business, and the only thing to compete for is a bigger share of that fixed profit. The reality is that corporations are amenable to increasing the profit all around so long as they get part of it, and don't particularly care who gets exploited in the process. Conversely, they do tend to protest when the pool is reduced, even if it affects their competitors similarly.
If I go to the police to complain that my neighbour is spying on me, it's only natural that the police only investigates that neighbour.
"But, officer, everybody else was speeding, too!"
That said, you'll end up driving white-knuckled and fearful of your life if you dare go the speed limit on the Mass Pike. You'd have to drive 70-75 minimum here just to feel safe.
I hate when someone drives respecting the limit and you get jerks with big cars or trucks behind you and force you to go faster (by force I mean get close behind you, use the horn and other bad behavior that can intimidate a new driver).
Well, you are just the first one and the biggest one.
"Officer, The guy in front of me was driving fast too, so why not him?"
However, regulators like to make examples of bigger corporations since the publicity is more effective with them, and also they are able to both pay up and/or change.
If you look at EU court decisions concerning privacy, you see that it mostly concerns European companies and government bodies (e.g. people's fingerprints being stored for passport applications). Those cases just don't get as much exposure in the US:
Another factor here may be that EU companies generally stick more to privacy rules, because it is easier to get sued directly by their citizens. E.g. in Germany many institutions and companies are paranoid when it comes to privacy and go out of their way to avoid lawsuits.
To use your example, US has targeted companies from IP-protection-weak countries. Was it directly targeting China? I'd say not necessarily.
It is like the Microsoft anti competition case would not take place until we find some small non US OS vendor to punish first so the Americans won't get upset.
I read that as: why are you only paying attention now? (i.e. after allowing the industry to reach its current, pathological state)
Do you prefer that we create laws for fixing problems that do not exist yet?
Also: from the jurisdiction's point of view, this is perhaps the only efficient way to allocate legal / judicial resources. You go after a small handful of big-name "make an example" cases, and hope that this deters use of the business strategy by the long tail of smaller companies you can't afford to go after.
That's not true in this case. As the large incumbent in social media and advertising, Facebook are the company most impacted by this, whether or not their competitors are impacted.
"Why have you singled us out for dumping 1000 tonnes of ash into environment each day? Look, this guy is dumping his ashtray on the grass right now!"
Nope, not at all. Standard practice does not override ethics. Tobacco companies would consider advertising and promoting smoking as industry practice, but we cracked down on that because encouraging people to do something that is demonstrably bad for their health was something we decided wasn't ethical and would be cracked down on.
FB's system is much more reliant on tracking though. Google's can at least work anonymously, eg searched 'dentists' in some area. FB's is almost useless without tracking.
Seems innocuous enough until you really think about what they're saying. "But, tracking these people without their consent allows companies, including us, to make money off of them".
That's actually a pretty brazen thing to say; as if the fact that people can be monetized should trump their right to privacy.
Industry here is essentially Google and Facebook. The other "players" fight for the crumbs. Ethical? They need growth, every quarter.
1. I don't have an account on Facebook.
2. Blocked Facebook domains via /etc/hosts
3. Use ghostery
And despite all of these steps it feels like we are wasting our brightest minds to always be a step ahead in surveilling what the humans of this world are doing to exploit it for targeted advertising.
I am not defending FB, my point is that you do not need an army of geniuses to extend the tracking to everyone.
Someone should invent an HTTP header that lets you signal that you don't want to be tracked. It could be named something like DNT, for do-not-track. People could then set DNT=1 and websites such as Facebook would know not to track you...
- it was on by default. You shouldn't have to 'opt-out' of invasive surveillance.
- it was enforceable and backed by a vigilant regulator and credibly enforced legal deterrents. We're far beyond a 'pinky-promise' being enough.
Companies did not like when IE did this but I think the solution would be simple,
when you start the browser for the first time you will be asked if you want to get tracked or not, you will have 2 big buttons to choose.
Then FB, Google and others should ask the users to switch this because they want to track you on a different website and explain to the users why.
That's the wrong question to ask. You shouldn't have to tell it not to track you. They shouldn't be able to do it, unless you explicitly tell them "hey you can track me."
Google, Criteo and others have long had a default opt-in policy for their retargeting products, etc.
Or is my sarcasm sensor not working this morning?
By not having a fucking Facebook account! it seems to me that's actually the crux of that court decision.
It's more complicated than deciding not to have a Facebook account, though that's a great first step.
>all of which upload your personal data from the phones to their own servers without your knowledge or consent.
Our default legal position shouldn’t be one of accommodating a corporation’s existing market-acquisition practices over people’s privacy.
I'd think the most pro-privacy reasonable approach would be to stop companies from identifying them beyond "someone who did not consent to being tracked".
Facebook has such incredibly smart engineers that they can file patents to identify you based on the dust of your camera lens. It should be a cinch to them not to track such third parties in any way, shape or form.
The problem was that they gave zero fucks about the privacy implication to third parties, which have nothing to do - and no business relationship with Facebook. It seems quite the opposite: That they go to great lengths to maintain shadow profiles and track everybody.
I really hope that the GDPR forces them to clean up their act.
For instance, it could still be legal for Facebook to slurp your friend's address book (and your profile, indirectly), but the regulation could require them to discard and purge that information if they can't immediately match it to an account.
Since I'm not a member of their service there's no valid reason for them to maintain personally identifiable data about me. Let alone that they never asked for my permission and that I never, ever consented to their gobbling up of my data and that of other non-members.
At least according to my understanding this is a very clear violation of the GDPR, which - if the courts agree - could cost them dearly.
I wonder how Facebook intends to deal with that. If I interpret the directive correctly they are obliged to delete all such data since storing, maintaining and processing it clearly violates the law.
There should also be a central place for us to put our emails there so spammers won't spam us? If this seems a horrible idea then your suggestion is exactly the same.
This is the most G. K. Chesterton-esque comment I have ever read on this site.
Poe's law may apply, but if you're actually being serious, "Let's build a list tracking all the people who want to avoid tracking" first, probably wouldn't work, and second, is the surveillance equivalent of a "standards problem" 
How much "brightness" is required to carry out such a strategy? If millions of users followed step 2 (or blocked Facebook domains through another means), what would happen? How would the "brightest minds" respond?
Very much not an excuse. It's up to the business to work out how to do this within the law.
> and reach customers
If I am not a Facebook user I am not your customer.
It is even worse to be made into a product that FB sells when you aren’t even a FB user.
A bit like when you wait for the green light to walk over the street; if you see someone walking the red light, you walk it too.
Of course you still get flattened by a semi-truck doing 50 kph.
I also don't see any advantage for the user, getting ads is not in their interest.
And let's be honest, most ads are total garbage.
If users want your service, they will pay for it. If they don't, well then your service is not needed.
Revenue might be lower. That is not in itself proof of a worse outcome. Maximising numbers like revenue or GDP is not good per se. Neither is maximising the amount of content created. If you want to know whether the trade-off is worth it you also have to look at the costs. The impact of tracking on privacy is not zero. The impact of ever more attention grabbing ads is not zero. The impact of persuading us to buy ever more stuff is not zero.
Also, the vast majority of small scale content creators are hobbyists.
If you want to host your blog, then just pay for it. I do the same. Not because I want to earn money with it, but because I want to. I can see why this is a problem for commercial entities, but not for personal stuff.
So the site will die, because nobody thought it had any value.
What's the problem?
Nobody owes artists a living, a vocation that traditionally was engaged in alongside traditional paying work.
Nobody owes advertisers living, or their eyes and attention.
Nobody owes a living to the person who makes their money from ads all over their blog.
I'm sorry, but if your business model boils down to using your unknown blog and barely visited web site as a vehicle to bombard people with ads for money then you don't have a business model at all.
I really don't like your definition of 'free'.
Wikipedia has been relying on donations for quite some time. guardian.co.uk is one of the recent examples asking for donations and working out for them.
Ok that has to be a joke, the paywall journals subscriptions are nothing like ads.
Please, don't conflate any pay method with pay wall (which is a pretty good one). If business cannot retain itself w/o breaking the law and has to shove unwanted images/videos/etc. straight in the face, it may as well not exist. The ads have degraded user experience in so bad ways that having a page with little content and 'next' button just to show more ads is pretty much the norm now.
> breaking the law
No one is breaking the law yet. The law has been changed, and has been changed in a way that destroys businesses and people.
Or: just make it opt-in.
A somewhat related note: Relying solely on ads is a bad idea. Personally, I'll install an adblocker on every PC I get access to (family and friends stuff).
EU doesn't care about this. Like this argument works only in the US.
Yes, tracking cookies is ethical.
If some internet users do not want to get tracked - they can run their browser in Incognito Mode.
* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service
* Opt-in/out separately for every activity (no more "research purposes")
* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)
Minus the part where you're giving away your product for free with legally mandated nothing in return.
The GDPR does forbid hinging service quality/availability on consent but I don't think it forbids putting it behind a paywall as alternative.
Although this is one of the areas where it seems some sort of challenge is inevitable. Requiring businesses to give people more control over data about them is one thing. Requiring businesses to do things that make no business sense, like providing services to people despite getting nothing in return, is something else entirely.
Additionally, this does not affect data that is necessary to operate the service. When you run a GPS tracker app then it is entirely okay to ask for the right to process someone's position as part of that contract (as long as you don't share it with a third party).
Essentially the GDPR makes such a business model almost unsustainable. IMO rightfully so.
Personally, I value my privacy. I don't tend to use services like Facebook, mostly because I don't want to encourage that sort of perpetual surveillance or volunteer that much data about myself (or encourage my friends/family/colleagues to do so for me) to be used for purposes I don't fully understand.
On the other hand, apparently there are literally billions of people in the world who disagree with me. Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
Requiring such a business to allow users more control over how data about them is being processed is one thing, and there are pros and cons that reasonable people can debate in that area. But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.
I would say that being popular does not correlate with being good and moral. Being successful does not correlate with being good and moral either.
>Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
The patient is not always right. A lot of people would give up privacy for facebook because in the faustian bargain, the short-term benefit outweighs the long-term consequences.
This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).
With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as is. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).
Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.
So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:
a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes
b) stop tracking users unnecessarily in general
As it is written, the options are:
a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong
b) slap an annoying banner on your web site
One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.
Before accessing the website, you get a choice between yes and no.
If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.
If you select yes, you get the tracking.
I have history turned off in google maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.
GDPR extends this concept also to consent for processing private data - there are some ways how that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes in force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.
There is currently no detailed description as to what the definition of "sufficiently" is. For example:
- can I use your data to build a targeting machine learning model?
- can I use it to target you?
- do I need specific opt-in for every model?
Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.
> This is a corporate regulation, not a criminal case.
That doesn't matter in most EU countries.
Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.
You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.
Hello. I have moral objections to excessive tracking, and none of my businesses use things like retargeting based on tracking pixels, even though this would almost certainly improve the conversion rates for our online ads significantly.
There, now you've seen a case where a business self-regulated out of potential extra profit in exactly this area. :-)
Sad you don't link to your businesses in your profile; now that you made me want to check them out and maybe reward with money.
There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed."
When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.
Some things are hard to solve with laws.
> Explicit consent for non-essential data use, [...]
This raises a bunch of questions. Anyone know the answer to any of these?
1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
> [...] you always need to provide opt-out without degrading the service
2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?
3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say that they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.
If they say they are, I just send them to a page that says EU people are not allowed to use my site.
What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.
If you use the data for bank transactions or paypal subscriptions it's essential.
If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.
>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.
>3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.
>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say no, I would say that is okay to believe considering the GDPR also requires a "Are you 16" question. Ask a lawyer.
Where is this specified? It's not what I understood from Recital 23†; as far as I can tell, it applies if the business is established in the EU or if the user is in the EU, but not to EU citizens outside the EU (if the business is foreign).
I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.
IANAL, but intuitively, I'd say no.
In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)
Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.
In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".