I've been talking to a very well known giant corporation for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses (various ISO certifications and such) in the contract that I, as a small company, cannot comply with. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.
The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.
This is the side-effect of GDPR.
I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.
>You can control individual cookie preferences, indicate your cookie preferences to others, and opt-out of web analytics and optimization tools. Learn More
I believe they should not be affected by GDPR either, since they're not actually identifying a person.
Cookies get sent with most requests as headers so you're unnecessarily bogging down requests with data unrelated to the session.
Of course this may require some heavy changes to the client-side code, as the client must now be able to apply the user's customization locally, but there is a benefit: after you've done that, you don't have to read the user's customization data from any of your infrastructure every time the user reloads your page.
I do not want to have the same experience on my work computer vs my home computer.
I do not want to have the same experience on my home computer vs my personal phone.
I do not want to have the same experience on my personal phone vs my work phone.
I do not want to have the same experience on my work phone vs my work computer.
Cookies are delivered with the request. If it has feature selections, great, no more work necessary on your part.
If the feature selection is hidden behind a user ID, then you need to look up the user ID in a database and then request the user's features.
Indeed, it seems to me that requiring a login in order to customize the viewing experience is what bogs down requests.
I wouldn't bother changing any preferences that disappear every time I clear out my cookies. For starters, I'd have to figure out where on the website the preferences are set -- and if it's in the user profile, well, just save my preferences there.
So based on this description they are doing PII.
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
An IP address is an "identifier". However, an IP address does not in and of itself identify a natural person; you know that, I know that, and even the GDPR knows that.
However, if you start building a map of IP addresses to user real names, or some other form of profile construction, then the IP addresses become personal information.
(comment hoisted from other thread)
The GDPR does not address PII at all. To a first approximation, PII is now an American legal concept and Europe has a completely different (and strictly broader) definition of privacy-relevant data.
That’s about as violating as it gets.
Is it because I've asked Mozilla to show me a web page, and the data collection happens as an automatic result of that?
Mozilla is the Data Controller, and they asked a third-party (Google Analytics) to process the data of Mozilla's users (that includes simple visitors to the site), making Google a Data Processor. The Data Controllers generally have more obligations than Processors, since they control how the data is handled, and to whom it's passed.
> Our Firefox data collection review process is the cornerstone of our effort to meaningfully practice privacy-by-design and assess privacy impacts to our users. We believe it is consistent with the GDPR's requirements for privacy impact assessments. Mozilla has had this process in place for several years and revamped it in
I guess from the email it was implied that they are already compliant, but then the linked blog post in the email in no way confirms that...
The email said:
GDPR has implications for many organizations, and that includes Mozilla. But unlike other organizations, Mozilla has always stood for and practiced data privacy principles that are at the heart of privacy laws like the GDPR. It feels like the rest of the world is catching up to where we've been all along.
( ) Enable third party cookies. This may allow third party websites to track you across the internet.
( ) Disable third party cookies. This may break some functionality on some websites.
It's no more confusing to end users than the endless sets of checkboxes websites have to use for GDPR or the pointless "click OK to accept cookies" notices.
And Firefox Nightly does not track personally identifiable telemetry anymore?
No. Mozilla still tracks every step I take.
What the fuck, Mozilla?
EDIT: Example. If you go to view-source:https://addons.mozilla.org/en-US/firefox/ you'll find Google Analytics in the code, and if you open the page, it'll set tracking cookies. No cookie notice, no opt-in, at all.
How the FUCK is this supposed to be GDPR-compliant? Cambridge Analytica is more GDPR-compliant than this.
EDIT 2: See also https://github.com/mozilla/addons-frontend/issues/2785 to show that about:addons loads addons.mozilla.org, including the Google Analytics trackers without opt-in.
EDIT 3: See also https://www.mozilla.org/en-US/firefox/channel/desktop/ which explains that Nightly and Beta always send telemetry, which cannot be turned off in any way, and your only way to avoid it is to stop using the product, which again violates the GDPR section on "free consent".
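The check the comment above describes (viewing the page source and looking for Google Analytics loads) can be done mechanically. The following is an added example, not code from the thread or from Mozilla: it parses HTML and lists every externally loaded script, iframe or image host, flagging the ones on an assumed list of analytics hosts. The sample page and the first-party host name are constructed for illustration.

```python
"""Audit an HTML page for third-party script/iframe/image loads."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts commonly associated with analytics; an assumed, illustrative list.
KNOWN_TRACKER_HOSTS = {
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
}


class _ThirdPartyLoadParser(HTMLParser):
    """Collects the hosts of externally loaded scripts, iframes and images."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.third_party = []  # list of (tag, host, src) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).hostname
        # Relative URLs have no host and are first-party by definition.
        if host and host != self.first_party_host:
            self.third_party.append((tag, host, src))


def audit_third_party_loads(html, first_party_host):
    """Return (all third-party loads, the subset on the known tracker list)."""
    parser = _ThirdPartyLoadParser(first_party_host)
    parser.feed(html)
    trackers = [t for t in parser.third_party if t[1] in KNOWN_TRACKER_HOSTS]
    return parser.third_party, trackers


# Constructed sample page; not a capture of any real site.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<img src="https://cdn.example.net/logo.png">
</head><body></body></html>
"""

if __name__ == "__main__":
    loads, trackers = audit_third_party_loads(SAMPLE_HTML, "addons.example.org")
    for tag, host, src in loads:
        label = "TRACKER" if (tag, host, src) in trackers else "third-party"
        print(f"{label}: <{tag}> {src}")
```

Anything flagged as a tracker that fires before a consent prompt is the condition the comment objects to; the script only inventories loads, it does not decide the legal question.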
I can imagine this being legitimate interest; it can be disabled with the DNT flag, and it's not personal data. Mozilla signed a legal contract with Google which prevents Google from using this information.
> EDIT 3: See also https://www.mozilla.org/en-US/firefox/channel/desktop/ which explains that Nightly and Beta always send telemetry, which cannot be turned off in any way, and your only way to avoid it is to stop using the product, which again violates the GDPR section on "free consent".
Options -> "Privacy & Security" > "Nightly Data Collection and Use"
Also, it uses the word "automatically", not "always", and the "Learn more" link on this page tells you how to disable that. Additionally, telemetry information is NOT personal data - it stores information like how many times you have opened web browsers and how many tabs you use, but it doesn't send personal data.
Crash reports may contain personal data, but even on nightly, they aren't automatically submitted.
Still it would require at least a cookie notice.
> Options -> "Privacy & Security" > "Nightly Data Collection and Use"
That does not disable all telemetry; there were a few discussions about this on the bugtracker. In Nightly, some kinds of telemetry cannot even be disabled through about:config, as they are set to "locked: true".
Actually the do-not-track and telemetry preferences do not work on the addon page.
Telemetry settings however don't work unfortunately :(.
Fair enough, I'm actually somewhat curious why Mozilla doesn't provide a cookie notice. Not that it matters, because those notices are used everywhere and people ignore them.
"GA also doesn't track IPs or store PII within the tool."
"While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."
That's politician for "We have absolutely no recourse if the company doesn't have an established business in the EU."
EDIT: That's a nice article. It goes to explain that if a company has no presence in the EU, it has to identify an agent in the EU to act on its behalf. So any company can simply NOT do this if they never intend to have EU offices and the EU has no recourse.
Microsoft had a presence in the EU long before the antitrust violations came. I'm talking about a US company that has no presence in the EU. That's a harder example largely because it doesn't exist.
Their absolute best option would be to attack global platforms that small businesses rely on to get the platforms to enforce compliance or blacklist those small companies. This is especially potent for Visa and MasterCard. I doubt that will ultimately work though.
Actually, that part is the most plausible way that companies outside the EU with no EU presence could be forced to comply with the GDPR.
A lot of devs hanging out on HN are working for companies that have at least some B2B aspect. Being GDPR non-compliant means these companies will have to avoid you too, because even if they're themselves not affected by GDPR they may have customers who are and need the compliance to be able to do business with those customers.
But that said, as an EU company, US companies are only an option if they're Privacy Shield certified and offer a Data Processing Agreement. And even then it's safer to go for a company in the EU or in an "adequate" country. You don't want to be caught unaware when some court or orange person decides to blatantly violate the Privacy Shield guarantees and you have to treat it as a breach.
Calling it a "backyard" is disingenuous. Most companies are going to follow this because they have global aspirations, but that doesn't mean it's impossible... or even all that hard.
There are people who like and people who do not like the GDPR. Saying that you belong to one group is not even information.