99% of people don't read anything before they push yes. Most people get increasingly annoyed at the mountain of e-mails, and the hundreds of pages they in principle have to read through.
It's an extension of the already existing kafkaesque "press yes to allow cookies" that everyday has to be pressed multiple times with no real benefits other than wasting peoples time (at least in the EU).
People are already completely over encumbered with information.
The more people have to do the same thing the less they give-a-f.
This carpet bombing of legal jargon makes people hate services, especially the smaller ones i am sure. "oh i don't want to deal with lots of legal contracts again".
I completely agree that something has to be done about the data-mining and fingerprinting monster, but the way all of this is implemented only further exacerbates the mega-corp gardens because they can afford to hire armies of lawyers, and because people get tired of clicking "i consent" after the bare minimum has been done - which off course means only saying yes to companies highest on the Alexa ranking.
Ironically these global conglomorates are the worst offenders and the original data-disaster culprit.
Profile delete buttons, user data overview pages and the rest of GDPR i think is very welcome.
It'd be less kafkaesque if the fucking ad industry could use a cookie to store my consent once I have given it.
No offense, but this feels like a “99%” and “most” that is something less than rigorous. I don’t think sound arguments for or against GDPR can come from the “Ah Reckon” space. Throwing out made-up numbers that just represent personal assumptions and anecdote is an impediment to real discussion of these issues.
I’d add that GDPR explicitly forbids just the kind of “press yes to forfeit all of your rights” crap we’ve seen before. I realize that some sites are still trying to get away with it, it it’s non-compliant.
I've read the contracts I have to sign, and generally this throws people off drastically. When I ask, they tell me I'm the first to read them. Things like leases at a place that has been around decades and I'm the first to sit down and read before signing. While it isn't rigorous, from my experience with wet ink legal documents, saying 1% do read EULAs and privacy policies is a very optimistic over estimation by magnitudes.
And just as honestly, what are we going to do - say no? Saying no is more and more simply not allowed if you want to use a service. I've had job offers who would rather have me walk than change the terms of employment. There's not a website out there which allows you to use it if you do not consent to their EULA. Hell, I've encountered a EULA when starting my (purchased, not leased) car.
I have yet to see a non-terrible GDPR screen, and I'm an American. Every single one so far has been either a giant box of doom, or a giant modal of doom with a dozen checkboxes and a freakin' contract on it.
Nope, don't care, I just want to read the one paragraph of your blog - that's it.
Anecdotally i have never personally witnessed any other than the most academically inclined legal nerds be interested in any terms of service or legal docs. Family, university peers, user analysis from my own services - all i have ever seen is frantic clicking until people get to where they want.
Just googled and it seems i am on point:
Also my point is not that the GDPR is stupid. I think most of the new protections are fair. I am just pointing out that the "one button click to consent" is completely meaningless because people have no idea what they are doing, are tired, are stressed out, or just don't care (most people).
No, we made murder illegal and now we have a system to deal with murderers when they kill someone.
Out of analogy, we made non-consensual data collection illegal, and now we have a mean to handle the situation when it arises.
Unfortunately the option of reading something isn't always reasonable. Check out Ultimate Guitar . Clicking "Manage my choices" gives a list of just shy of 250 vendors, and no explanation as to what or where they're sharing with those vendors. Other websites have longer lists, and have an opt-out per vendor!! These websites are deliberately making it as difficult as possible to reasonable manage your data.
In the first, you may just end up with a database for full of data that you may have to throw out when somebody complains. In the second case, why bother your users?
If there is a real request to consent, then it is easy enough to decline. But so far, real requests for consent are quite rare. Most dialogs are basically: we are going to feed you cookies and violate your privacy; do you want to agree now or later?
Which is why defaulting to 'Accept cookies' is against the principle of the GDPR, other that for cookies vital to the running of the service.
I'm not saying GDPR isn't good for privacy (we need it); it just makes competition harder.
Yes, a Corporation that manages not to dump toxic waste in rivers is going to have a moat against smaller companies that do dump toxic waste in rivers.
But I'd rather it be illegal than have companies competing for who can externalize their costs more effectively by passing their problem of waste management to the state / local area.
Nobody disagrees with GDPR's intent. The qualm is with its administrative approach. If someone said "write a bailout for lawyers and lobbyists," it would look like GDPR.
Taking your analogy, a good law would assess a fine for dumping. A bad law would (a) require continuous certification that one is not dumping and (b) allow anyone to prompt an expensive inspection (done via writing letter responses to a regulator, not on-site inspection by an expert) by reporting you to one of twenty-eight national regulators, each of which have jurisdiction over you.
The former imposes a fixed costs, regardless of compliance. That benefits incumbents. The latter promotes venue shopping, a further advantage to size and incumbency.
Note that the European consumer protection laws already allow consumers to sue in their own country. So if you do business in all EU country, you can be sued in lots of places.
Maybe if you are continuously worried about regulators, then it is better to not start a business. In the real world, regulators are busy enough. Regulators are not going to bother random companies in other countries just for the fun of it.
Yeah sure, all that privacy, who needs it anyway?
Who would have thought that legislators had something to gain from a proposal they push?
The worst I've heard of was the abuse of millions of people's data by Cambridge Analytics to mess with an election, but maybe that's just a little icky too?
Without targeted advertising there is much less financial incentive to collect data so the surveillance state won't get help from corporations.
I'm working on GDPR right now at my company, and it's not a small effort.
None. Do not target the EU initially, start in the US market with your MVP. It's by far the most liberal major market to do an MVP in, in all regards. It's the world's largest economy and easily accessible; plus you essentially get Canada as a bonus: a combined $21.5 trillion in economy. Entirely disregard GDPR until you've scaled the business enough to afford whatever you've calculated GDPR compliance will cost you in terms of effort / resources, then push into the EU when it's convenient.
Enforcement and jurisdiction have yet to be tested yet, of course, but it isn't as simple as "don't set up shop in the EU".
It also doesn't matter what China purports I should do with their citizen data, or South Africa, or Australia, or Brazil: their wishes don't overrule the supremacy of US law inside the US. If China wants me to delete everything on my service about Tiananmen Square, or an anti-China activist, guess what, that's not going to happen for the exact same reason. I'm also not subject to the UK government's enforced media blackout on the Tommy Robinson arrest: they too can piss off.
If a EU citizen signs up with my US based service, their data will be governed by US law.
It is that simple. It will remain that simple. The US isn't going to cede its sovereignty to the EU: it's drastically more powerful than the EU in every regard. There is no scenario where the US lays back and allows the EU to legislate how the domestic US economy operates in such large ways.
The only likely outcome is that the US comes up with its own new privacy rules in the next few years, which will be different - more lenient - than GDPR. If you want to operate in the two markets, you'll have to comply with each approach accordingly.
It's not a thesis, it's proven, court established rule of law with more than a century of built-up precedence establishing how things actually work when it comes to US sovereignty. This is all quite laughable.
It's identical to saying: well, the US is just going to enforce its freedom of speech approach on Germany or the UK (where offending people is increasingly illegal). So all people and businesses in those nations should disregard their own laws and comply with US laws, you don't want to test the thesis about just how far US jurisdiction extends, better to comply with US freedom of speech laws instead.
Imagine me traveling to Britain and telling them that since I'm an American, their speech laws don't apply to me. I'm governed by US speech laws, regardless of where I'm at. That'd be good for a jolly laugh: look at this delusional, entitled American that thinks they control the planet. Or try telling the Chinese the same thing on their territory.
There are millions of small businesses in the US, very few of them will ever comply with GDPR - even if they have occasional stray EU customers - precisely because the EU has no jurisdiction and those businesses don't operate by EU law.
Account for deletion when designing the product. When considered from the beginning, the cost is typically negligible. It's only when shoehorned on the end that it gets expensive.
But... companies have had two years of notice about this. Any projects that have been running for fewer than two years have had plenty of notice. And it's not only the government who requires data deletion - it's your data sources (like Twitter) and your big customers who write it into their contracts.
Just plan for being able to delete data. You are gonna need it.
In my opinion the GDPR should have tiered regulations based on global revenue. It's pretty hard to profit off of data and not have some sort of cash flow
What if GDPR is what pushes distributed computing into the mainstream?
If GDPR makes it even harder for small fry to compete with the giants, then the small fry should change the rules.
Zero centralized servers, zero PII, no EULAs, no legaleze, only open-source P2P.
Megacorps can be GDPR-compliant with buildings full of lawyers, and the rest will be GDPR-irrelevant with no lawyers at all.
how that should work exactly? I mean, even if platform is P2P, you still have user id, you still have user interests, et cetera.
The only thing changed bc of P2P is that it gets much more complicated, or even impossible, to delete your account/data.
No _you_ don't.
Peers on the network may have this but there's no entity subject to GDPR.
So if GDPR tilts the playing field in favor of the megacorps, perhaps it also encourages anonymity and distributed networks.
If easy competition is being paid for through shady practices, then it should never have been that easy. It’s a no-brainer that a large, established business has certain advantages over up-and-comers; GDPR didn’t make that the case either. It’s easier for a large, rich company to do almost anything, including respecting our privacy as enforced by regulation or law.
You don't have to be doing anything shady with data for the GDPR to be a threat to you and your business. You can be collecting a bare minimum of data that you only use with the purest of intentions and still be in violation of the law and subject to its penalties.
Just asking for an email that will literally be used for nothing but to send a registration confirmation - you know, to sign up users, the same way we've been doing forever - puts you in its compliance crosshairs. You're now legally liable for a whole raft of additional compliance measures that probably necessitate paying a lawyer a decent chunk of change to make sure you're above board with. Your "MVP" has now expanded from "here's a simple idea I cranked out this weekend" to "here's a simple idea and a legal contract and audit trails that prove consent and an obligation to exfil data from my database on demand in perpetuity and data portability endpoints and data exchange contracts with every API provider I use and my database has to be encrypted at rest and highly redundant and I have to set up regular vulnerability scans and if I want to back up my database to a non-EU datacenter I have to obtain consent from all my users first and a bunch of additional requirements that possibly make it illegal to not age out my Apache access logs and why am I doing this at all again?"
GDPR significantly increases the friction for moving new ideas from concept to product, even if there is absolutely zero nefarious happening in the product. If it only made life hard on the people engaged in shady practices, there'd be a lot less concern over it, but that's just not the case. It doesn't just punish the misuse of data, it punishes the lack of proactive compliance to a set of criteria which are frankly beyond many hobbyists.
Some see this as a good thing. But I think that it's also fair to guess that it's going to cause otherwise good and benign ideas, products, and even entire companies to die on the vine as a result.
I would personally consider “not knowing where users’ data is, or being able to tell them” to be a nefarious act in itself.
You have to tell the user why you are collecting it, what it will be used for and for how long you will retain it.
If you are just using as a login and to confirm the e-mail is valid, there's not much else you have to do.
Oh - you want to use that e-mail for lots of other things, some of which aren't central to the running of the service the user's signing up for? Then yes, you have to document and enumerate those reasons and ask the user if they are OK with that.
Just saying "I'm using your email for signups" doesn't make you compliant. If it did then I doubt anyone would have a problem with it.
Other than to try and make the regulations seem more baroque than they are.
For better or worse, entrepreneurs only have their peers to blame for this, the peers who fucked up so badly that the government felt it had to step in.
I'm not saying "hobbyists shouldn't have to comply with the law", I'm saying "the law is disproportionately punitive to hobbyists in terms of burden imposed".
"Hey, I need to be able to query and delete data" is not a huge cognitive overhead when creating a MVP.
You have to be able to demonstrate audit trails of consent, including what the user consented to and when. You have to be able to demonstrate audit trails proving deletion requests. You have to have audit trails of who has ever accessed this data. You have to have a means to exclude pieces of your dataset from aggregate statistics on demand. Also, your audit trails can't contain PII because then your audit trails are in violation of the deletion requests, so you have to have mechanisms of proving that you processed deletion requests without actually identifying the data processed. You're also now obligated to respond to data inquiries in perpetuity, even to people for whom you have no data. Article 32 appears to impose a requirement for encryption at rest, high availability, disaster recovery, and regular penetration testing - all good things, to be sure, but completely impractical for the small hobbyist. Your "querying and deleting" is, by the letter of the law, now required to be a full-blown production-ready architecture with a business's worth of documentation.
And all because you wanted an email address to keep your login form from getting spammed?
I realize that in practicality, this is unlikely to ever be leveraged in any significant scope against most hobbyists, but the law is merciless and it is foolish to assume that you won't be caught in its crosshairs just because you weren't its intended target.
No, all this because companies were selling your email address to spammers.
Also, your reading of the law seems at odds with most other readings I've seen. I'm sure it will come down to a lawyer - but I'm also sure that hobby programmer who take reasonable steps won't ever be in the crosshairs of the EU.
In a jurisdiction. GDPR means a dollar can buy more MVPs outside Europe than inside. Keep in mind that this has no bearing on the privacy stance of the ultimate product. Just the fixed cost of iteration.
I hope it does. Europe, however, has a unique penchant for unnecessary bureaucracy. Nobody is complaining about GDPR’s requirements. It’s the ancillary administration which is destructive.
Companies have had years in which they were receiving warnings and recommendations for best practices - they ignored them. This is the piper coming with the bill.
And also including doing creepy things with our private data that stay just on the right side of the law.
2. The amount of personal data and the administrative burden are sometimes correlated, but often aren't. Collecting name and email from a few people in eighteen different ways creates a much, much larger administrative load than collecting name, email, and ten other items of information in a single way.
3. One can use all that personal data well and not violate the rights of data subjects without being remotely GDPR-compliant.
4. Most of the administrative burden does little to nothing for how well data subjects' data is used.
I don't think this is the case at all. Essentially all personal data is sensitive.
The amount of personal data and the administrative burden are sometimes correlated, but often aren't. Collecting name and email from a few people in eighteen different ways creates a much, much larger administrative load than collecting name, email, and ten other items of information in a single way.
That's true, but also seems entirely reasonable. If you are collecting data in eighteen different ways, that means there are eighteen times as many ways you can fail to adequately audit or secure it.
One can use all that personal data well and not violate the rights of data subjects without being remotely GDPR-compliant.
Probably technically true, but in practice? Regulators are more concerned about compliance than anything else. Are there likely scenarios in which data is collected and processed in a responsible manner, but technical GDPR compliance is a huge burden?
Most of the administrative burden does little to nothing for how well data subjects' data is used.
Why would this be the case? Most of the administrative requirements appear to be entirely justified methods to ensure that you have understood and evaluated the methods of compliance.
Noooooo, not according to this or any other privacy law. Under the GDPR, it's "data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation."
> Are there likely scenarios in which data is collected and processed in a responsible manner, but technical GDPR compliance is a huge burden?
Yes. My company, and most companies of other privacy professionals I've talked to.
> Why would this be the case? Most of the administrative requirements appear to be entirely justified methods to ensure that you have understood and evaluated the methods of compliance.
If you think that any cost is justified to ensure that something that ought to be done is actually being done, sure. By any analysis of costs and benefits, I think you might come to a different conclusion, but that would require some kind of real analysis of costs and benefits. I haven't seen that from anyone who is both (a) a supporter of the law and (b) has actually spent time implementing it in a real, involved business that deals with personal data (and I mean actually implementing it, and not the absurdly simple version many HN commenters seem to be doing that doesn't include massive amounts of documentation).
Being able to provide a user with the data you have on them, and being able to delete it, should be basic requirements of any software company. And now they are, which is great.
I highly doubt that Google is pleased with the current situation as the article implies.
Many of the wealthy people became rich at first through business practices that either were in a grey area from the beginning, outright illegal, or they were made illegal later on.
However, they got to keep their money, either because laws tend not to be retroactive, or because nobody caught them, etc.
I agree there is an element true in "regulations will have the monopolists even more to entrench themselves in their markets," but mostly because they got their wealth through practices that are now made illegal, and they get to keep all of that wealth when nobody else can do the same anymore.
That's really the problem here.
The US isn't the wild west of Capitalism. It's a very regulated economic system. It has been that way for a very long time now. At least 10m of those 11 million millionaires generated the bulk of their wealth in the last 30-40 years, a time in which the US economy was largely as regulated as it is today. They didn't get that wealth by not having to deal with regulations or laws that were imposed later - the US has more than doubled its millionaire count just since 1996.
I grew up in a very poor area of the US. I knew at least two dozen self-made millionaires. Every one of them did it via rather boring small businesses: insurance agencies, convenience stores, shops, franchises, publishing, real estate, car dealerships, etc. Not one of them operated in a legal grey area. There was no magic to it either, it was grinding year after year for multiple decades.
I've also spent my entire adult life researching business, business formation, finance, economics, and reading every book I can get my hands on for those areas. I've read dozens of books on the history of business in the US over the last 25 years. I spend hours per day reading every consequential financial figure and article that gets published about the US and global economies. The notion that a meaningful share of rich people get started via doing something illegal, is nothing more than propaganda, and entirely unsupported propaganda at that. You will never see such claims supported with evidence.
Can a cheater now ask to be forgotten and therefore the ban must be removed?
It's complete irony. I am seriously clicking through these ginormous modals like there is no tomorrow when i have to do research on many websites.
"Free surfing" or should we say old school internet surfing has become a chore now because of these idiotic modals.
I am sure people will flee to walled gardens pretty quickly if they have to constantly make extra clicks to access stuff.
archive.is were having issues