Hacker News new | past | comments | ask | show | jobs | submit login
Google Emerges as Early Winner from Europe’s New Data Privacy Law (wsj.com)
52 points by m_haggar on May 31, 2018 | hide | past | favorite | 90 comments



While GDPR in itself has accomplished the goal of raising awareness on data security and transparency, probably only temporarily, the mind numbingly idiotic push-button based consent model is an utter failure.

99% of people don't read anything before they push yes. Most people get increasingly annoyed at the mountain of e-mails, and the hundreds of pages they in principle have to read through.

It's an extension of the already existing kafkaesque "press yes to allow cookies" that everyday has to be pressed multiple times with no real benefits other than wasting peoples time (at least in the EU).

People are already completely over encumbered with information. The more people have to do the same thing the less they give-a-f.

This carpet bombing of legal jargon makes people hate services, especially the smaller ones i am sure. "oh i don't want to deal with lots of legal contracts again".

I completely agree that something has to be done about the data-mining and fingerprinting monster, but the way all of this is implemented only further exacerbates the mega-corp gardens because they can afford to hire armies of lawyers, and because people get tired of clicking "i consent" after the bare minimum has been done - which off course means only saying yes to companies highest on the Alexa ranking.

Ironically these global conglomorates are the worst offenders and the original data-disaster culprit.


While all the 'yes I consent' buttons might be annoying (maybe even on a similar level to the inane cookie warnings) the real value of the GDPR lies in the granting people the right to recall that consent later and the companies being forced to comply. Facebook certainly wouldn't have an 'actually delete my profile' feature if they hadn't been forced to make it.


My only gripe is with the sea of meaningless "i consent" buttons that gets increasingly diluted.

Profile delete buttons, user data overview pages and the rest of GDPR i think is very welcome.


> It's an extension of the already existing kafkaesque "press yes to allow cookies" that everyday has to be pressed multiple times with no real benefits other than wasting peoples time (at least in the EU).

It'd be less kafkaesque if the fucking ad industry could use a cookie to store my consent once I have given it.


99% of people don't read anything before they push yes. Most people get increasingly annoyed at the mountain of e-mails, and the hundreds of pages they in principle has to read through.

No offense, but this feels like a “99%” and “most” that is something less than rigorous. I don’t think sound arguments for or against GDPR can come from the “Ah Reckon” space. Throwing out made-up numbers that just represent personal assumptions and anecdote is an impediment to real discussion of these issues.

I’d add that GDPR explicitly forbids just the kind of “press yes to forfeit all of your rights” crap we’ve seen before. I realize that some sites are still trying to get away with it, it it’s non-compliant.


>No offense, but this feels like a “99%” and “most” that is something less than rigorous.

I've read the contracts I have to sign, and generally this throws people off drastically. When I ask, they tell me I'm the first to read them. Things like leases at a place that has been around decades and I'm the first to sit down and read before signing. While it isn't rigorous, from my experience with wet ink legal documents, saying 1% do read EULAs and privacy policies is a very optimistic over estimation by magnitudes.


I think that indicates that the legal documents weren't written to be read, more than people are too lazy to read them. They were written for a lawyer and for use in court, and it's not realistic to bring in a lawyer for every EULA and contract we encounter.

And just as honestly, what are we going to do - say no? Saying no is more and more simply not allowed if you want to use a service. I've had job offers who would rather have me walk than change the terms of employment. There's not a website out there which allows you to use it if you do not consent to their EULA. Hell, I've encountered a EULA when starting my (purchased, not leased) car.

You can't even post on Hacker News without consenting to 39 pages worth of privacy policy and TOS.


And that is why I think the core of the issue is consent. The power difference between the lawyers who understand the legal system and write these documents and the users who are forced to agree to use the service is so great that consent cannot exist between the two parties. We legally allow it, much like some countries will legally let a 9 year old sign some document and then hold them to it, but that is a legal fiction that needs to be done away with. Of course this would be a massive shock to how we do things (how would you sign up for a loan), but that alone doesn't justify allowing such abuse of consent to continue.


> I’d add that GDPR explicitly forbids just the kind of “press yes to forfeit all of your rights” crap we’ve seen before. I realize that some sites are still trying to get away with it, it it’s non-compliant.

I have yet to see a non-terrible GDPR screen, and I'm an American. Every single one so far has been either a giant box of doom, or a giant modal of doom with a dozen checkboxes and a freakin' contract on it.

Nope, don't care, I just want to read the one paragraph of your blog - that's it.


The Atlantic has a great system, and it’s all opt-in as required by GDPR.


Thought it was pretty common knowledge that people don't read anything contractual.

Anecdotally i have never personally witnessed any other than the most academically inclined legal nerds be interested in any terms of service or legal docs. Family, university peers, user analysis from my own services - all i have ever seen is frantic clicking until people get to where they want.

Just googled and it seems i am on point:

http://www.businessinsider.com/deloitte-study-91-percent-agr...

91 percent!

Also my point is not that the GDPR is stupid. I think most of the new protections are fair. I am just pointing out that the "one button click to consent" is completely meaningless because people have no idea what they are doing, are tired, are stressed out, or just don't care (most people).


Here's an overview of reading on the web in general: https://www.nngroup.com/articles/how-little-do-users-read/


[flagged]


> We made murder illegal and now nobody gets murdered

No, we made murder illegal and now we have a system to deal with murderers when they kill someone.

Out of analogy, we made non-consensual data collection illegal, and now we have a mean to handle the situation when it arises.


> 99% of people don't read anything before they push yes

Unfortunately the option of reading something isn't always reasonable. Check out Ultimate Guitar [0]. Clicking "Manage my choices" gives a list of just shy of 250 vendors, and no explanation as to what or where they're sharing with those vendors. Other websites have longer lists, and have an opt-out per vendor!! These websites are deliberately making it as difficult as possible to reasonable manage your data.

[0] https://www.ultimate-guitar.com/


If you have a dialog where the only option is to consent then either that is not real consent according to the GDPR or the consent was not really needed.

In the first, you may just end up with a database for full of data that you may have to throw out when somebody complains. In the second case, why bother your users?

If there is a real request to consent, then it is easy enough to decline. But so far, real requests for consent are quite rare. Most dialogs are basically: we are going to feed you cookies and violate your privacy; do you want to agree now or later?


> 99% of people don't read anything before they push yes.

Which is why defaulting to 'Accept cookies' is against the principle of the GDPR, other that for cookies vital to the running of the service.


But now you also have. "No I do not consent" buttons. If people are tired of it, they should just stick with 'No'.


No, you have "Click Here to manage your settings" with 10 different pop ups and laundry lists of people you can opt out of having your data shared with. Some of those require you to disable cookies to opt out of their collection too, rather than allowing you to opt out via them.


GDPR is yet another moat for established companies. It may take them some time to adapt their data models and engineer systems for data deletion, but once they have done so, it becomes something every startup will have to implement in order to compete.

I'm not saying GDPR isn't good for privacy (we need it); it just makes competition harder.


Alternatively, start-ups that bake in privacy by design, have a substantial advantage over lumbering established companies that have to adjust their existing processes and may - in some cases - discover that their business models are funadementally at odds with the regulations.


I think of it like outlawing chemical pollution of rivers.

Yes, a Corporation that manages not to dump toxic waste in rivers is going to have a moat against smaller companies that do dump toxic waste in rivers.

But I'd rather it be illegal than have companies competing for who can externalize their costs more effectively by passing their problem of waste management to the state / local area.


> I think of it like outlawing chemical pollution of rivers

Nobody disagrees with GDPR's intent. The qualm is with its administrative approach. If someone said "write a bailout for lawyers and lobbyists," it would look like GDPR.

Taking your analogy, a good law would assess a fine for dumping. A bad law would (a) require continuous certification that one is not dumping and (b) allow anyone to prompt an expensive inspection (done via writing letter responses to a regulator, not on-site inspection by an expert) by reporting you to one of twenty-eight national regulators, each of which have jurisdiction over you.

The former imposes a fixed costs, regardless of compliance. That benefits incumbents. The latter promotes venue shopping, a further advantage to size and incumbency.


Maybe it comes as a surprise, but there are places where if you generate industrial waste (even as a relatively small company) you have to be able to demonstrate that you get rid it in a responsible way. And if somebody complains with a local government that you are dumping waste in a particular way, they will send somebody over to investigate.

Note that the European consumer protection laws already allow consumers to sue in their own country. So if you do business in all EU country, you can be sued in lots of places.

Maybe if you are continuously worried about regulators, then it is better to not start a business. In the real world, regulators are busy enough. Regulators are not going to bother random companies in other countries just for the fun of it.


The only difference is that dumping toxic waste in rivers does actual, concrete harm. Targeted advertising? The worst I’ve heard about it is that it makes some people feel a little icky. I suppose that’s a concrete harm in a sense but it seems a much less serious one, at least to me.


> The worst I’ve heard about it is that it makes some people feel a little icky.

Yeah sure, all that privacy, who needs it anyway?

/s


Its interesting how one of the most frequent uses of the right to be forgotten is used by politicians cleaning up their search history.

Who would have thought that legislators had something to gain from a proposal they push?


Who would have thought that legislators would be aware of legislation.


I’m sorry but this is not really a substantive objection to what I said. Yes, people have a vague preference for privacy. I never disputed that. No, failing to respect that preference has not caused material, externally visible harm.


We're not taking about some vague concept. For some of us it is part of the constitution. It's the RIGHT to privacy. Your attempts at downplaying it are the main vehicle of the advertisement industry and it's a disgrace at least. This ideology has educated those "people" to ignore that by hiding the means and downplaying the relevance. This law tries to at least regain some of the awareness that has been lost in the last decades and this is why the industry is crying so much.


You have a constitutional right to privacy from the government. There is no such constitutional right (in the U.S.) that would prevent private surveillance, especially in cases where it is consensual.


How can anything be consensual even under the broken US law if one side doesn't know about it or at least doeasn't understand what is happening?!


At least in US law, it is incumbent on the parties of a contract to understand it. If they sign without understanding, that’s on them. Terms of use are a contract between you and a website owner. If you don’t understand them, you can either not use the website, or accept the risk that you’re consenting to something you may not like. (Again, this is the current state in the U.S. I’m aware it’s different elsewhere.)


> The worst I’ve heard about it is that it makes some people feel a little icky.

The worst I've heard of was the abuse of millions of people's data by Cambridge Analytics to mess with an election, but maybe that's just a little icky too?


Your usage of "abuse" is offensive to people that really experienced abuse.


Yeah right, because words always just have one meaning and one context.


Targeted advertising provides a financial incentive to create a total surveillance structure. It pays off to know every little detail about people's psychology and their habits. So companies have a motivation to create systems that future dictatorships will happily be using.

Without targeted advertising there is much less financial incentive to collect data so the surveillance state won't get help from corporations.


I'm not talking about corporations which have the means and the resources to engineer data pipelines that can be scrubbed and lawyers to deal with compliance. I'm speaking to the issue of you or I creating an MVP with a few months of dedicated hard work. How much extra time has to be spent on putting in place a process for data deletion?

I'm working on GDPR right now at my company, and it's not a small effort.


> I'm speaking to the issue of you or I creating an MVP with a few months of dedicated hard work. How much extra time has to be spent on putting in place a process for data deletion?

None. Do not target the EU initially, start in the US market with your MVP. It's by far the most liberal major market to do an MVP in, in all regards. It's the world's largest economy and easily accessible; plus you essentially get Canada as a bonus: a combined $21.5 trillion in economy. Entirely disregard GDPR until you've scaled the business enough to afford whatever you've calculated GDPR compliance will cost you in terms of effort / resources, then push into the EU when it's convenient.


That'd be fine if the GDPR were constrained to business done inside the EU, but it purports to exercise authority over any entity which asks for any information from any EU citizen, inside or outside of its borders.

Enforcement and jurisdiction have yet to be tested yet, of course, but it isn't as simple as "don't set up shop in the EU".


It doesn't matter what the EU purports, that's nothing more than a comical fantasy on their part. I live in the US, my business operates in the US, I operate by US law.

It also doesn't matter what China purports I should do with their citizen data, or South Africa, or Australia, or Brazil: their wishes don't overrule the supremacy of US law inside the US. If China wants me to delete everything on my service about Tiananmen Square, or an anti-China activist, guess what, that's not going to happen for the exact same reason. I'm also not subject to the UK government's enforced media blackout on the Tommy Robinson arrest: they too can piss off.

If a EU citizen signs up with my US based service, their data will be governed by US law.

It is that simple. It will remain that simple. The US isn't going to cede its sovereignty to the EU: it's drastically more powerful than the EU in every regard. There is no scenario where the US lays back and allows the EU to legislate how the domestic US economy operates in such large ways.

The only likely outcome is that the US comes up with its own new privacy rules in the next few years, which will be different - more lenient - than GDPR. If you want to operate in the two markets, you'll have to comply with each approach accordingly.


I'd like to think that you're right, but I also don't want to be the guy that has to spend several hundred thousand dollars to defend that thesis in court.


I'm happy to be that guy: the EU doesn't stand a chance and they know it.

It's not a thesis, it's proven, court established rule of law with more than a century of built-up precedence establishing how things actually work when it comes to US sovereignty. This is all quite laughable.

It's identical to saying: well, the US is just going to enforce its freedom of speech approach on Germany or the UK (where offending people is increasingly illegal). So all people and businesses in those nations should disregard their own laws and comply with US laws, you don't want to test the thesis about just how far US jurisdiction extends, better to comply with US freedom of speech laws instead.

Imagine me traveling to Britain and telling them that since I'm an American, their speech laws don't apply to me. I'm governed by US speech laws, regardless of where I'm at. That'd be good for a jolly laugh: look at this delusional, entitled American that thinks they control the planet. Or try telling the Chinese the same thing on their territory.

There are millions of small businesses in the US, very few of them will ever comply with GDPR - even if they have occasional stray EU customers - precisely because the EU has no jurisdiction and those businesses don't operate by EU law.


Yeah, there is going to be a wealth of problems in this regard.


> How much extra time has to be spent on putting in place a process for data deletion?

Account for deletion when designing the product. When considered from the beginning, the cost is typically negligible. It's only when shoehorned on the end that it gets expensive.

But... companies have had two years of notice about this. Any projects that have been running for fewer than two years have had plenty of notice. And it's not only the government who requires data deletion - it's your data sources (like Twitter) and your big customers who write it into their contracts.

Just plan for being able to delete data. You are gonna need it.


It's not the technical aspect of not dumping into rivers that is the problem, its the administrative side of dealing with paperwork and inspectors verifying your business which is located 100 miles from the nearest river doesn't dump into a river

In my opinion the GDPR should have tiered regulations based on global revenue. It's pretty hard to profit off of data and not have some sort of cash flow


> yet another moat for established companies

What if GDPR is what pushes distributed computing into the mainstream?

If GDPR makes it even harder for small fry to compete with the giants, then the small fry should change the rules.

Zero centralized servers, zero PII, no EULAs, no legaleze, only open-source P2P.

Megacorps can be GDPR-compliant with buildings full of lawyers, and the rest will be GDPR-irrelevant with no lawyers at all.


>zero PII, no EULAs, no legaleze, only open-source P2P

how that should work exactly? I mean, even if platform is P2P, you still have user id, you still have user interests, et cetera.

The only thing changed bc of P2P is that it gets much more complicated, or even impossible, to delete your account/data.


> you still have user id, you still have user interests

No _you_ don't.

Peers on the network may have this but there's no entity subject to GDPR.

So if GDPR tilts the playing field in favor of the megacorps, perhaps it also encourages anonymity and distributed networks.


I'm not saying GDPR isn't good for privacy (we need it); it just makes competition harder.

If easy competition is being paid for through shady practices, then it should never have been that easy. It’s a no-brainer that a large, established business has certain advantages over up-and-comers; GDPR didn’t make that the case either. It’s easier for a large, rich company to do almost anything, including respecting our privacy as enforced by regulation or law.


There's a consistent strain of conflation of this issue in all the GDPR threads, along the lines of "well, if you can't comply with the GDPR, you must be a evil company selling my data to bad people for bad reasons!"

You don't have to be doing anything shady with data for the GDPR to be a threat to you and your business. You can be collecting a bare minimum of data that you only use with the purest of intentions and still be in violation of the law and subject to its penalties.

Just asking for an email that will literally be used for nothing but to send a registration confirmation - you know, to sign up users, the same way we've been doing forever - puts you in its compliance crosshairs. You're now legally liable for a whole raft of additional compliance measures that probably necessitate paying a lawyer a decent chunk of change to make sure you're above board with. Your "MVP" has now expanded from "here's a simple idea I cranked out this weekend" to "here's a simple idea and a legal contract and audit trails that prove consent and an obligation to exfil data from my database on demand in perpetuity and data portability endpoints and data exchange contracts with every API provider I use and my database has to be encrypted at rest and highly redundant and I have to set up regular vulnerability scans and if I want to back up my database to a non-EU datacenter I have to obtain consent from all my users first and a bunch of additional requirements that possibly make it illegal to not age out my Apache access logs and why am I doing this at all again?"

GDPR significantly increases the friction for moving new ideas from concept to product, even if there is absolutely zero nefarious happening in the product. If it only made life hard on the people engaged in shady practices, there'd be a lot less concern over it, but that's just not the case. It doesn't just punish the misuse of data, it punishes the lack of proactive compliance to a set of criteria which are frankly beyond many hobbyists.

Some see this as a good thing. But I think that it's also fair to guess that it's going to cause otherwise good and benign ideas, products, and even entire companies to die on the vine as a result.


GDPR significantly increases the friction for moving new ideas from concept to product, even if there is absolutely zero nefarious happening in the product.

I would personally consider “not knowing where users’ data is, or being able to tell them” to be a nefarious act in itself.


> Just asking for an email that will literally be used for nothing but to send a registration confirmation - you know, to sign up users, the same way we've been doing forever - puts you in its compliance crosshairs. You're now legally liable for a whole raft of additional compliance measures that probably necessitate paying a lawyer a decent chunk of change to make sure you're above board with.

You have to tell the user why you are collecting it, what it will be used for and for how long you will retain it.

If you are just using as a login and to confirm the e-mail is valid, there's not much else you have to do.

Oh - you want to use that e-mail for lots of other things, some of which aren't central to the running of the service the user's signing up for? Then yes, you have to document and enumerate those reasons and ask the user if they are OK with that.


Yeah, that's article 5. There are 98 additional articles to the law, many of which impose additional administrative and technical requirements on your product.

Just saying "I'm using your email for signups" doesn't make you compliant. If it did then I doubt anyone would have a problem with it.


If there are 98 additional articles applying to e-maol signups, why did the poster go to such great lengths to introduce so many other factors which had nothing to do with e-mail signups?

Other than to try and make the regulations seem more baroque than they are.


And if your MVP makes money, you're on the hook for a lot of taxes and income reporting. It's part of the cost of doing business.

For better or worse, entrepreneurs only have their peers to blame for this, the peers who fucked up so badly that the government felt it had to step in.


The sum total requirement for reporting taxes on a hobby project in the US is filling out a single 1099-MISC at the end of the year, during a process that you'll already be doing anyway. It's not an onerous burden which introduces significant friction to the process of bringing a new idea to fruition.

I'm not saying "hobbyists shouldn't have to comply with the law", I'm saying "the law is disproportionately punitive to hobbyists in terms of burden imposed".


If, and only if, you don't know what you're doing with your data. Most cases can be covered with a bit of forethought and some documentation.

"Hey, I need to be able to query and delete data" is not a huge cognitive overhead when creating a MVP.


It's not just querying and deleting data, though.

You have to be able to demonstrate audit trails of consent, including what the user consented to and when. You have to be able to demonstrate audit trails proving deletion requests. You have to have audit trails of who has ever accessed this data. You have to have a means to exclude pieces of your dataset from aggregate statistics on demand. Also, your audit trails can't contain PII because then your audit trails are in violation of the deletion requests, so you have to have mechanisms of proving that you processed deletion requests without actually identifying the data processed. You're also now obligated to respond to data inquiries in perpetuity, even to people for whom you have no data. Article 32 appears to impose a requirement for encryption at rest, high availability, disaster recovery, and regular penetration testing - all good things, to be sure, but completely impractical for the small hobbyist. Your "querying and deleting" is, by the letter of the law, now required to be a full-blown production-ready architecture with a business's worth of documentation.

And all because you wanted an email address to keep your login form from getting spammed?

I realize that in practicality, this is unlikely to ever be leveraged in any significant scope against most hobbyists, but the law is merciless and it is foolish to assume that you won't be caught in its crosshairs just because you weren't its intended target.


> And all because you wanted an email address to keep your login form from getting spammed?

No, all this because companies were selling your email address to spammers.

Also, your reading of the law seems at odds with most other readings I've seen. I'm sure it will come down to a lawyer - but I'm also sure that hobby programmer who take reasonable steps won't ever be in the crosshairs of the EU.


> It's part of the cost of doing business.

In a jurisdiction. GDPR means a dollar can buy more MVPs outside Europe than inside. Keep in mind that this has no bearing on the privacy stance of the ultimate product. Just the fixed cost of iteration.


I hate to break it to you, but the idea behind the GDPR is gaining traction outside the Europe. Fighting this trend is only going to hurt more in the long run.


> the idea behind the GDPR is gaining traction outside the Europe

I hope it does. Europe, however, has a unique penchant for unnecessary bureaucracy. Nobody is complaining about GDPR’s requirements. It’s the ancillary administration which is destructive.


What enforces compliance if there is no administration - the administration is the teeth of the compliance.

Companies have had years in which they were receiving warnings and recommendations for best practices - they ignored them. This is the piper coming with the bill.


> It’s easier for a large, rich company to do almost anything, including respecting our privacy as enforced by regulation or law.

And also including doing creepy things with our private data that stay just on the right side of the law.


I don't think "startups" should be able to get away with just doing a "deleted=1" with my personal data, or to not know where my data is ending up, just because they are "startups".


There's a large distance between not knowing where your data ends up/using it badly and being actually GDPR-compliant, which in many businesses requires a massive administrative burden.


If it requires a massive administrative burden, that company has collected or is in the business of collecting a lot of personal data. In which case, it's good that there's a burden, since they are holding a lot of sensitive data and should be held accountable for what they do with it, and how they allow it to be used.


1. One can collect "a lot" of personal data without any of it being sensitive.

2. The amount of personal data and the administrative burden are sometimes correlated, but often aren't. Collecting name and email from a few people in eighteen different ways creates a much, much larger administrative load than collecting name, email, and ten other items of information in a single way.

3. One can use all that personal data well and not violate the rights of data subjects without being remotely GDPR-compliant.

4. Most of the administrative burden does little to nothing for how well data subjects' data is used.


One can collect "a lot" of personal data without any of it being sensitive.

I don't think this is the case at all. Essentially all personal data is sensitive.

The amount of personal data and the administrative burden are sometimes correlated, but often aren't. Collecting name and email from a few people in eighteen different ways creates a much, much larger administrative load than collecting name, email, and ten other items of information in a single way.

That's true, but also seems entirely reasonable. If you are collecting data in eighteen different ways, that means there are eighteen times as many ways you can fail to adequately audit or secure it.

One can use all that personal data well and not violate the rights of data subjects without being remotely GDPR-compliant.

Probably technically true, but in practice? Regulators are more concerned about compliance than anything else. Are there likely scenarios in which data is collected and processed in a responsible manner, but technical GDPR compliance is a huge burden?

Most of the administrative burden does little to nothing for how well data subjects' data is used.

Why would this be the case? Most of the administrative requirements appear to be entirely justified methods to ensure that you have understood and evaluated the methods of compliance.


> I don't think this is the case at all. Essentially all personal data is sensitive.

Noooooo, not according to this or any other privacy law. Under the GDPR, it's "data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation."

> Are there likely scenarios in which data is collected and processed in a responsible manner, but technical GDPR compliance is a huge burden?

Yes. My company, and most companies of other privacy professionals I've talked to.

> Why would this be the case? Most of the administrative requirements appear to be entirely justified methods to ensure that you have understood and evaluated the methods of compliance.

If you think that any cost is justified to ensure that something that ought to be done is actually being done, sure. By any analysis of costs and benefits, I think you might come to a different conclusion, but that would require some kind of real analysis of costs and benefits. I haven't seen that from anyone who is both (a) a supporter of the law and (b) has actually spent time implementing it in a real, involved business that deals with personal data (and I mean actually implementing it, and not the absurdly simple version many HN commenters seem to be doing that doesn't include massive amounts of documentation).


There isn't, especially for small companies. Also, it starts with recognizing that it's not their data, it's user's data.


Do most small companies have a CIPP/E or privacy lawyer (or someone who has equivalent training/experience) on staff? We know statistically that not only don't they, but they can't, because there aren't enough of them out there. And if you don't, you'd better have an insanely simple business, because otherwise you're not going to come close to compliance.


You can _obviously_ come into compliance without an on-staff privacy lawyer.


I know a lot of companies that think they have, and most of them are wrong. Some are deeply wrong.


Please give us more details of what you think the administrative burden is, because I think you have overestimated it.

Being able to provide a user with the data you have on them, and being able to delete it, should be basic requirements of any software company. And now they are, which is great.


I'm an attorney leading (from a legal standpoint) a SaaS provider's GDPR compliance effort. There most definitely is an administrative burden (setting aside whether you think that burden is merited). The SaaS provider is acting as a processor for its business customers (so fewer obligations than if it were controller) and there are many admin requirements. The GDPR is an accountability framework and one must be prepared to demonstrate not just compliance but often how one got to the compliance decisions they landed on. One must maintain processing records, implement DPA's and a variety of other things. The GDPR is not a privacy law, it's a data protection and personal rights law, which is much broader.


There is obviously an administrative burden, I don't deny that. I don't think it can reasonably be described as "massive".


If a startup is able to collect enough data about their users such that they are able to monetize that data, then they aren't really a startup anymore.

I highly doubt that Google is pleased with the current situation as the article implies.


Do you know that saying: "Don't ask me how I made my first million?"

Many of the wealthy people became rich at first through business practices that either were in a grey area from the beginning, outright illegal, or they were made illegal later on.

However, they got to keep their money, either because laws tend not to be retroactive, or because nobody caught them, etc.

I agree there is an element true in "regulations will have the monopolists even more to entrench themselves in their markets," but mostly because they got their wealth through practices that are now made illegal, and they get to keep all of that wealth when nobody else can do the same anymore.

That's really the problem here.


There are 11 million millionaires in the US. You've got it exactly backwards: few of them did something illegal to earn that first million. There are not many grey areas in US law as it pertains to business, there are very few. Most millionaires derive their wealth from ordinary small businesses.

The US isn't the wild west of Capitalism. It's a very regulated economic system. It has been that way for a very long time now. At least 10m of those 11 million millionaires generated the bulk of their wealth in the last 30-40 years, a time in which the US economy was largely as regulated as it is today. They didn't get that wealth by not having to deal with regulations or laws that were imposed later - the US has more than doubled its millionaire count just since 1996.

I grew up in a very poor area of the US. I knew at least two dozen self-made millionaires. Every one of them did it via rather boring small businesses: insurance agencies, convenience stores, shops, franchises, publishing, real estate, car dealerships, etc. Not one of them operated in a legal grey area. There was no magic to it either, it was grinding year after year for multiple decades.

I've also spent my entire adult life researching business, business formation, finance, economics, and reading every book I can get my hands on for those areas. I've read dozens of books on the history of business in the US over the last 25 years. I spend hours per day reading every consequential financial figure and article that gets published about the US and global economies. The notion that a meaningful share of rich people get started via doing something illegal, is nothing more than propaganda, and entirely unsupported propaganda at that. You will never see such claims supported with evidence.


So how are video games handling this in regards to banning cheaters using IP bans or HW ID bans?

Can a cheater now ask to be forgotten and therefore the ban must be removed?


On a side note, should we post a link on HN which most people cannot read without paying?



The perverse effect of these consent buttons is that people who configured their browsers to flush all cookies and session data on closing the session get harassed much more as websites do not remember their choice, even if they are the ones actually least likely to be tracked (save for browser fingerprinting).


Nail on head!

It's complete irony. I am seriously clicking through these ginormous modals like there is no tomorrow when i have to do research on many websites.

"Free surfing" or should we say old school internet surfing has become a chore now because of these idiotic modals.

I am sure people will flee to walled gardens pretty quickly if they have to constantly make extra clicks to access stuff.


Both in how companies are complying and in the public discourse, I’m seeing a jumbling of ‘consent’ and ‘notice’ that doesn’t align with my understanding of the intent and reading of the law. Under the transparency principle (Art. 5) and disclosure obligations (Arts 13 and 14), there are a variety of things that must be disclosed to a data subject at time of collection. See https://gdpr-info.eu/ for easy access to the law’s text. That’s what privacy polices (increasingly called privacy notices) are generally used for. Many companies are trying to either make you click something to prove they’ve notified you or add language to the notices saying “by using this site, you consent to this privacy policy”, which is a form of ‘consent’ they are deciding to collect themselves. Separately, a controller is supposed to have a legal basis for processing personal data (Art. 6). Consent of the data subject is only one of six legal bases. Legitimate interests of the controller is the other common basis for a business and is expected to be relied up on increasingly since the GDPR makes collecting valid consent harder and it has the downside that it must be tracked and can be withdrawn (which also must be tracked). Consent as a basis is not allowed to be buried in a privacy policy. It must be called out separately with a separate consent for each purpose the data will be used for on an opt-in basis. The policies and these consents all are supposed to be presented in as simple and plain English as possible and it’s encouraged to use layered notices/policies to convey quick summaries with an ability to drill down. To add to the complexity, email marketing is governed by the ePrivacy Directive (responsible for the cookie banners) and requires consent. Each country has its own enactment of ePrivacy so compliance is very complex. Also, under the GDPR, a data subject has an absolute right to object to direct marketing regardless of the basis being relied upon. Much of this flurry of email privacy policy updates and/or consents to marketing are conflating ePrivacy and the GDPR. What I see right now is a bit of a mess as companies try to figure out what compliance looks like and balance full disclosure (transparency) with simple, easy, plain English disclosure.


Non-Paywall: http://archive.is/qkRNS

archive.is were having issues


Edit: link removed, does not work


Mandates javascript though. Who knows what it's doing.


Not surprised. These type of regulations tend to help the big players a lot and just cause further concentration.




Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: