
It's plenty reasonable to be skeptical of the public utterances of CEOs, but it's not necessarily true that his words are hollow because his company is not currently compliant with the law he's proposing. As long as competitors are free to ignore this proposed privacy requirement it probably makes no competitive sense for his company to comply with it. In that case, it's perfectly logical to agitate for a law, which would let you adhere to stricter privacy requirements confident that your competition has to do so as well.



This is a classic case of a well established company lobbying for regulations to keep newcomers out of their sector.


> This is a classic case of a well established company lobbying for regulations to keep newcomers out of their sector.

No it's not, because SF won't be allowed to do it either. It's like a power company advocating for the banning of coal while still using it because it's the cheapest option. You can participate in a practice to stay competitive while advocating for the banning of that practice.


The point is newcomers have a disadvantage against any type of regulation they need to comply with - simply because they often have less funding/resources than a giant company. This happens in practice all the time.


> newcomers have a disadvantage against any type of regulation they need to comply with

This is unquestionably true, but it is an awful excuse to not enact any regulations. Honestly, what do people expect is the answer if the free market has already shown to fail to address this problem and we are ruling out regulation because it increases the barrier to entry?


I'm not against all regulations - some can be useful - they just need to be implemented with great caution - ideally in a way that is very easy and clear to implement. In theory I don't see how regulations could avoid security breaches anyway (which I think is a greater problem). It'd be interesting to fine large companies with security breaches to encourage better tech, but then they'd never report it.


Security breaches aren't the problem with harvesting private individuals' data. It's a matter of ownership and sovereignty, in the large and small.


How harmful a security breach is depends on how much private data about users was stored though. So even though security breaches will still happen, they will cause less harm if less sensitive data is leaked as a result.


When you say "regulations", I hear "market protections", "rule of law", and "fair and impartial judiciary".

"regulations could avoid security breaches anyway"

Translucent Databases 2nd Ed: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy http://a.co/c78Gij0

TL;DR: All demographic records are stored encrypted, and are no longer retrievable if you lose the signing key. Think "proper password storage" extended to all things.

Bonus: Support for GDPR "right to be forgotten" for free. Just erase the key(s).
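The "just erase the key(s)" idea above, worked through as an added example (not code from the book or from the commenter): a small Go store using only the standard library's AES-GCM that keeps one random key per data subject, writes every record only as ciphertext under that subject's key, and implements erasure by deleting the key, so the surviving ciphertext (in the database and in every backup of it) is unreadable. The names Store, Put, Get, Forget and ErrForgotten are chosen here, the record contents are constructed, and a real deployment would hold the keys in a KMS/HSM rather than in the same process as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrForgotten = errors.New("subject's key has been erased")

// Store keeps one AES-256-GCM key per data subject and stores records only as ciphertext.
type Store struct {
	keys    map[string]cipher.AEAD // subject ID -> cipher keyed for that subject
	records map[string][][]byte    // subject ID -> nonce||ciphertext blobs
}

func NewStore() *Store {
	return &Store{keys: map[string]cipher.AEAD{}, records: map[string][][]byte{}}
}

// keyFor mints a key on first contact; a subject whose key was erased but whose
// blobs remain is refused, since re-onboarding them needs a fresh identifier.
func (s *Store) keyFor(id string) (cipher.AEAD, error) {
	if g, ok := s.keys[id]; ok {
		return g, nil
	}
	if len(s.records[id]) > 0 {
		return nil, ErrForgotten
	}
	key := make([]byte, 32)
	rand.Read(key)                 // crypto/rand aborts instead of returning an error (Go 1.24+)
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	s.keys[id] = g
	return g, nil
}

// Put encrypts one record, binding the subject ID in as associated data so that a
// blob re-filed under another subject fails authentication on decrypt.
func (s *Store) Put(id string, plaintext []byte) error {
	g, err := s.keyFor(id)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	s.records[id] = append(s.records[id], g.Seal(nonce, nonce, plaintext, []byte(id)))
	return nil
}

// Get decrypts every record for a subject, or reports that the key is gone.
func (s *Store) Get(id string) (out [][]byte, err error) {
	g, ok := s.keys[id]
	if !ok {
		return nil, ErrForgotten
	}
	for _, blob := range s.records[id] {
		pt, e := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(id))
		if e != nil {
			return nil, e
		}
		out = append(out, pt)
	}
	return out, nil
}

// Forget is the "right to be forgotten" as key erasure: only the key is deleted;
// every copy of the ciphertext, backups included, is now indistinguishable from noise.
func (s *Store) Forget(id string) { delete(s.keys, id) }
```

Note that Forget never touches the stored blobs; the erasure is complete the moment the key is gone, which is what makes the approach work even when backups cannot be rewritten.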


I'm starting a chemical manufacturing business, but regulations are putting an undue burden on me by not letting me just dump waste product into the nearest river. Dow Chemical Company didn't have to abide by all these regulations when they were founded in 1897, it's not fair!

Edit: To be clear, I'm not saying anything about the necessity of any regulations. I'm just saying that when evaluating possible future regulations, viewing just in the light of incumbent/newcomer dynamics alone will give you absurd results.


There are many regulations that will burden you by having to record, audit, etc, where/when/why/how you are dumping waste, to help assure you aren't dumping it into a river.

Dow, having established cash flow and infrastructure, can trivially bear whatever these costs. These regulations were even created because Dow themselves (et al), somewhere in the middle of their life, optimized their profit by dumping in rivers.

You personally know the environmental harm and grave illegality [0] of improperly disposing of waste products, and your company is small enough that you can be sure everybody is of similar mind - you're focused on solving technical problems, having not yet been taken over by beancount-maximizers. But you still must pay the costs of the overbearing "compliance" paperwork designed around large amoral entities, perhaps even having to hire a dedicated government bureaucrat fresh out of law school. This is the gatekeeping-legislation dynamic people complain about.

[0] Which given your corporate size and lack of TBTF, would be a criminal penalty rather than a civil wrist slap.


It's dangerous to assume there isn't such a thing as pointless regulations that actually harm consumers by making a useful service/product more out of reach.


Your comparison is laughable. Try competing with Comcast and AT&T.


Comcast and AT&T are slightly different, in that they have government granted advantages (not just usage rights to infrastructure, and infrastructure access which is much harder or impossible to achieve now, but in some cases the government paid for that infrastructure before handing it over), not just the benefit of coming up prior to regulation and already having practices in place to deal with regulation.


Isn't this exactly the reason Stripe became successful? It was a real problem, with well thought out regulation from previous abuse, that most people avoided because they wanted an easy path to riches.


A newcomer could be bigger. Lots of money looking for high margin businesses to operate in.


In theory, but surprisingly not in practice. Often the most innovative ideas come from scrappy businesses without tons of funding off the bat. Look at healthcare insurance - not a lot of newcomers, despite some very high profit margins.


Health insurance or insurance in general is a low margin business, and whatever margin they have is mostly through investing the premiums they collected before paying it out in claims. Most insurers pay more in claims than they get in premiums, making up the losses with their investment; that's because they price their policies to undercut competitors that might not have access to such a large pool of money. So you can see how a newcomer can have a hard time becoming a profitable insurance business.


To borrow your metaphor, I'd say it's more like an oil company investing in solar, and advocating for its future, because it knows its current business will not last forever. Getting on the front of this allows Salesforce good PR, and lets them have a role, however small, in shaping the regulations to come.

Any business leader who has studied the tobacco industry would do this.


The amount of data they have is non-trivial and the insights from it are surely non-trivial. Even if they have to delete the data due to privacy laws, they've still learned and come out on top. Newer competitors will never have the opportunity to gain such insights.

This becomes even more true as machine learning becomes more and more important. The first movers have a strict advantage over later entrants simply because of the amount of data.


A strong law like the GDPR would actually shake things up - a lot.

As it is, the large players like Facebook, google, Salesforce and a bunch of others like our banks, credit card companies, internet providers are all extremely well established.

A GDPR-like law would open up entirely new ways of doing business partly because these companies could no longer do business the way they are. “Free” services could no longer make their money by selling your data.

We could end up with a more “honest” set of services. Like a social network that’s actually free or paid for by individual contributions.


> A GDPR-like law would open up entirely new ways of doing business partly because these companies could no longer do business the way they are. “Free” services could no longer make their money by selling your data.

You're completely disregarding the fact that it takes significant resources to comply with a law like GDPR. Insurance to defray the costs of potential litigation and fines, development time, ongoing compliance (audits etc.), legal expenses, and on and on. Most startups simply can't afford this.

So you may wind up with more "honest" services, but there will be far fewer of them and they'll have more power and leverage than they ever have before because of the lack of competitors and artificial, enormous regulatory barriers to entry. GDPR is a startup killer.


I'm not disregarding the cost of compliance. In fact it's implicit in my argument. Some business models would no longer make sense. Others would look more attractive. It would increase the cost of, or completely do away with, doing things certain ways which naturally opens the door to doing things differently. Yes, there likely would be fewer services initially.

"Insurance to defray the costs of potential litigation and fines, development time, ongoing compliance...GDPR is a startup killer"

That doesn't have to be the case. The law could easily carve out a "safe harbor" of sorts for companies that commit to not gathering or storing any but the most basic information about their visitors.

"... there will be far fewer of them and they'll have more power..."

Or existing companies could lose a lot of power and leverage because their business model doesn't make sense. New ones could pop up in their place.

I'm more than willing to give up tyrants like Facebook and Equifax for the right to control my own private data.

Privacy is good, long live disruption!


> I'm more than willing to give up tyrants like Facebook and Equifax for the right to control my own private data.

You’re missing the point. These “tyrants” can fully afford to comply (while paying scores of legal staff to scour the law to find and exploit every possible loophole), but startups can’t. That means no competitors will be able to emerge and challenge them. These companies will still be able to do much of whatever they want simply because consumers won’t have a choice. GDPR consolidates market power in the hands of entrenched competitors that can afford to comply.

> Privacy is good, long live disruption!

Privacy is good. Killing the ability for startups to compete is bad.


Wait, but if those hypothetically competitive startups can only compete because they can trample my privacy, why the heck do I want them?

I mean, it’s not like Facebook and Google aren’t already big enough to smother would-be competition in the cradle. In the other scenario competition may still be smothered, but I still get some regulatory privacy protections.

EDIT: Also, as a matter of principle, I’d gladly see dozens of startups burn if it meant broad privacy protection were enacted.


> Wait, but if those hypothetically competitive startups can only compete because they can trample my privacy, why the heck do I want them?

GDPR compliance and "trampling your privacy" are not remotely related. GDPR is massive overkill and unnecessarily burdensome.

> I’d gladly see dozens of startups burn if it meant broad privacy protection were enacted.

EU startups will burn - not dozens though, hundreds or thousands of them - and even more will never get the funding to start because no one wants to invest in a business that can be killed instantly by massive fines at the whim of the government. US startups will thrive because they are not subject to GDPR if they don't target EU customers, even if there is some incidental EU traffic to their sites. I don't have to protect your information GDPR style on my US site, even if you are from Germany, as long as I'm not actively trying to get people from the EU to my site. But most sites outside the EU will just block EU traffic anyway (which is what we decided to do). So enjoy your new, smaller Internet with companies that will "trample your privacy" anyway because you have no competitors to go to for their services. Yes, you will be informed about what they're doing in vague terms, and yes you will have given them "informed consent"....but is it really consent if you have to give it because there are no alternatives?


I think you're disregarding that these are huge companies whose business models and moats would be significantly disrupted by a GDPR-like law. To quote GoT, chaos is a ladder. This could help new innovative companies compete, at least in the short term, against these established behemoths.


> This could help new innovative companies compete, at least in the short term, against these established behemoths.

Again, most “new innovative” companies can’t afford to comply with laws like GDPR.


I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is, but it will force companies to adopt better policies to avoid problems. Startups right now are best positioned to make the transition whereas the behemoths will be forced into significant spends on legal fees or insurance - not to mention scandals such as the Facebook debacle that has so many people up in arms.

Disruption is startup paradise.


Having just led the GDPR effort at my company, I disagree. It's absolutely a burden. It slows down sales and makes customer relationships more difficult and expensive. Any custom integration we do needs to have a custom data processing agreement put into place and reviewed by a lawyer. I now find myself paying lots of new fees to various places: the ITA, DPA, the Swiss data authority, and organizations like ISSA. It forced us to get a more expensive insurance policy.

On top of that, the technical controls were actually expensive to implement. The issue is not that consent is hard to revoke or that data is hard to delete. It's that everything needs to be auditable. Under a strict reading, you need to have an audit trail of every processing activity. Any time a user profile is edited for any reason, even just an automated removal of whitespace, it is supposed to be auditable and made notifiable to the user. Any time you refresh a user's Instagram stats, you need to have an audit of that. Most companies don't go this far, but it's a huge risk to do anything less because we don't know what fines are going to look like in practice yet.

Plus the fact that we just spent $15k in legal fees going over our new privacy policy, data protection policy, updated MSA, updated order form, new user agreement, etc, I can say with confidence that it is indeed expensive and burdensome.


> I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is

You’re saying this based on what exactly? Have you actually been in charge of trying to comply? I have. For us, it was going to be a 7 figure endeavor (upfront, and then 6 figures/yr for ongoing compliance, insurance, etc.) and we are pretty small (a few million visitors/mo spread across several sites). We made the decision to just block EU traffic, even though we have been advised that GDPR probably doesn’t apply to us anyway. I can’t have one of the 28 countries that GDPR applies to randomly decide that it applies to me because they’re a little short on tax revenue that month, then have an expensive legal fight that will end in a multimillion-dollar fine anyway.


Citation needed


We're a small business and it cost us about $50k to become compliant, if you add up the legal fees and hours spent on technology. We are also forced to get a more expensive insurance policy.


Citation needed for what? For proving that GDPR compliance is expensive?

https://iapp.org/news/a/recent-survey-shows-gdpr-compliance-...

https://www.ft.com/content/0d47ffe4-ccb6-11e7-b781-794ce08b2...

https://www.dri.org/home/2018/02/26/gdpr-it-s-coming-it-s-ex...

https://www.wandera.com/blog/gdpr-expensive-data-breach-pena...

Those were just on the first page of Google. There are hundreds of others. That's not even counting my own experience with it.


That's an idealist view on how this is going to play out. My contrarian view is that these large firms will have the staff to understand how to comply with these laws without having to substantively change.

For example, Facebook is going to force everyone to opt-in to accept the status quo while remaining in GDPR compliance:

https://www.independent.co.uk/life-style/gadgets-and-tech/ne...

Good luck doing that if you are a startup!


I expect they'll be ruled as unable to rely on that coerced consent in the end, given how strictly the requirements for acceptable consent are defined. But they will be able to delay such a final ruling for quite a while with appeals, and maybe make arguments to mitigate the possible fines down to a lower level, if any.


facebook doesn't sell data. facebook sells attention and billboard space. you pay facebook, facebook runs your ad on their platform, and gives you some parameters for which people are targeted. the data never leaves facebook's black box.


Except the data did leave with Cambridge Analytica


facebook has two kinds of data

- data you give it (birthday, religion, likes)

- data it learns about you. (ad tracking, habits, demographics)

facebook built a developer tool that let app developers ASK USERS for "data you gave it"

users clicked YES when prompted with the question, GIVING the app developers the data. Cambridge Analytica NEVER got to touch "data facebook learned about you."

the way the developer tools were designed, when you gave the app access to your facebook account, it could look at things YOUR FRIENDS had made available to YOU. The app could act as you, and see what you see. You can never see "data facebook learned about your friends."

The issue is, people couldn't trust their friends not to click "SHARE DATA." The issue is if it's inappropriate for apps I install to see data shared with me by my friends. Once facebook learned this ability was being misused, they shut it down, back in 2014.


Salesforce-hosted data can be largely exempted from GDPR because Article 17 allows for the retention of customer billing and accounting data (which are often stored in Salesforce CRM and ERP back office systems).


Regulations that create positive obligations -- "you must do this" -- create barriers to entry, because it costs money to do that. But I'm not sure it's the same with regulations that create negative obligations, because not doing stuff is usually free, except when the negative obligation is actually a positive obligation "to prevent xyz".


Except for the fact that the requirements to become compliant with such a law, including removing past data, could cripple Salesforce


That almost never happens. It's not in the gov's interest to tank successful companies that employ a bunch of people - and large companies are in the best position to give personal feedback to politicians to customize the process so it's particularly easy for them. That's how regulatory capture starts.


I think at this point, consumers are more interested in their rights being protected than in more competition.


How would this keep newcomers out?


Salesforce relied on things this 'privacy law' would make illegal in order to get where they are today. This law would prevent other companies from following in their footsteps.


That’s really not true at all. DMP was a very recent acquisition, as was Marketing Cloud and Pardot.

Core Salesforce is a company data store often requiring human data input. It’s where your information goes when you fill out a “Contact us” form on somebody’s website.


How is that relevant? Say a law like this comes into effect, then they'll need to change their practices / delete that data etc. So going forward they won't have that advantage over an upstart, they'll need to compete in the same market.


They have the advantage of size and resources.

If the table stakes to get started become GDPR-style compliance infrastructure that takes 3 engineering man-years to implement properly, then new companies will happen less, which means less future competition for the incumbent.


Salesforce is a company that operates in Europe. They already have to comply with GDPR (and have already spent tons of dev time on scrambling to comply). They're ready for GDPR, and so they're probably betting they're ready for whatever (likely weaker) US law inspired by GDPR that would come along. Any new competitors, on the other hand (or any non-multinational competitors) would have to scramble and pay heavy costs to "catch up".

It's using the legal system as a tool for their competitive advantage -- force everyone to do the thing you're already doing.


> Say a law like this comes into effect, then they'll need to change their practices / delete that data etc.

Oh honey.


Yes. We are learning from our mistakes.


Are those things we want other companies to be doing, though?


>> Salesforce relied on things this 'privacy law' would make illegal in order to get where they are today. This law would prevent other companies from following in their footsteps.

> Are those things we want other companies to be doing, though?

Apparently if someone got successful doing something bad once, we're supposed to be OK with people doing that bad thing forever, lest we risk some "regulatory capture" boogeyman.

The solution to regulatory capture is an actual solution to regulatory capture, not a general aversion to regulation.


There is almost no solution to regulatory capture - more gov to solve it does not work in practice, particularly because after these commissions are founded on idealistic principles, the public stops paying attention and often doesn't have the breadth of knowledge to understand how regulations could be used to prevent healthy competition. The way it unfolds, it turns out, is very predictable. It limits the tools/services that could otherwise be offered and often keeps progress in that industry almost frozen in time, the existing companies frozen in place too.


Cost ($$, time, etc) of compliance impacts newcomers more than incumbents.


Higher cost to do business by requiring compliance with regulations.


I think the cost is small compared to the externalized cost to each person whose data has been leaked, lost or misused.


OH NO! Someone might lose a few dollars because they can't vacuum up my personal data and sell it for their personal gain! Heaven forbid!


Thank you for your sarcasm, it's been very valuable.


^This * 100.


Not only that but increased regulation often favors incumbents because it increases the cost of competing which has a higher burden on a lean, new entrant.


Personally, my favorite is Larry and Sergey. I wrote an essay about one problem: http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozi...