Study: Google is the biggest beneficiary of the GDPR (cliqz.com)
191 points by kkm 5 months ago | 135 comments

Yeah, I wouldn't trust this source on anything privacy related.

They present themselves as user privacy champions but primarily make money via, you guessed it, advertisements.

They are owned by Burda, a large German media organization who, again, make money by advertisement and processing of their users' data.

"We’re breaking new grounds when it comes to developing our business model. Bringing together targeting and privacy, we are currently testing a technology which allows companies and brands to show you relevant offers directly in the browser."[0]

[0] https://cliqz.com/en/about

Hey, Björn from Cliqz here. Great to see the post has generated some interesting discussions on matters of privacy, compliance, and as you point out - business models.

Cliqz never has collected any personal data on its users, and never will. Over the course of the last 4 years, we started building a private search engine, to only realize that if we are to truly offer a usable alternative to navigate the web privately - we had to do much more. So we quickly found ourselves building an anti-tracking technology, anti-phishing, and anonymous rate limiting using Direct Anonymous Attestation. This research has been published / presented in the WWW Conference, Crypto and Privacy Village at DEF CON and CCC's Privacy Week.

We have packed all these technologies in desktop and mobile browsers. This is what we do and it's what got Mozilla interested in Cliqz, and why they are an investor, just like Burda Media. All the technologies we have built share 2 attributes:

1. None collect personal data

2. Rely on client-side logic (computers are powerful enough these days to be used for more than display interfaces)

Offers is part of how we monetize (we're exploring paid products too). Like any other technology at Cliqz, they share the same 2 attributes (No personal data, all triggering logic resides in the client). The code is open sourced here [1]. You can read a high-level description here [2].

We believe our approach is a healthy alternative to monetizing products on the web. At all times we allow the user to control what features from Cliqz they want to use; including offers. We understand there are plenty of reasons to be frustrated with the state of the web (we are too) - but blatantly rejecting any business model that brings privacy-preserving products to the market is not healthy.

[1]: https://github.com/cliqz-oss/browser-core/tree/master/module...

[2]: https://cliqz.com/en/cliqz-angebote

This is also the company that acquired Ghostery.

And also the company that caused quite a stir when they partnered with Firefox to carry out a study, which included collecting and sending browser data to Cliqz servers.

That explains why the latest Ghostery update on Android was so terrible. It lost all of my tabs and had 3 different places to disable some form of tracking.

The author of this article didn't bother to read even a summary of the GDPR law. It doesn't matter what the user consents to, you cannot use their personal data ad hoc. You need to justify its collection, storage and transfer to the regulator, not the user. This is in contrast to the ill-thought-out cookie law where websites could get away with it by irritating consent banners.

Sort of like, but not exactly the same as, those consent forms you sign when you go river rafting. They do not legally protect the rafting company from negligence. In fact, they're almost a waste of paper.

> It doesn't matter what the user consents to

That's not entirely true. If a user really consents to being tracked for advertising purposes, the GDPR allows tracking. Whether the consent banners inform users honestly about the extent of tracking is another question. I think they don't.

What's worse is that Google still tracks users by default, even if they never visited an actual Google property, let alone have a Google account. That's an obvious violation of the GDPR but Google will probably try to shift the blame on publishers.

> If a user really consents to being tracked for advertising purposes, the GDPR allows tracking.

That's not exactly true either. For the consent to be valid, it must be freely given - that is:

1. The user must have a choice to give consent or not give it

2. The service provided should be the same regardless of #1, unless the consent is necessary for the service (e.g. consent to store address for delivery of goods - although in such case this shouldn't really be based on consent)

Unfortunately many sites either do not give opt out at all, or make it hard to find it - in such cases consent can't really be considered to be freely given.

That is not true. You are confusing single purpose with a “valid” purpose from the user's point of view, which isn’t actually the case. Your business needs can be just as valid a reason under the GDPR as anything; you do not have to provide service to users who decline if, say, it affects your ad revenue. The GDPR cannot force you to provide a “free” service to users.

Consent is just one lawful basis for data collection; business justification is another one, and ad revenue is a perfectly valid reason, in which case you don’t even need consent but just to inform the user.


You can do whatever you want under “vital interests” as long as you feel comfortable explaining those to the regulator, not the user.

Consent is used often because the current interpretation of most legal experts is that it shifts the liability to the user; however, this has never been tested.

The parent was responding to a claim that consent works as a base of processing, and only talking about that base. That other bases can work is true (I'm personally really curious how this is going to play out for ad-financed services), but just because they didn't mention it they aren't "confused" about anything.

The parent is not correct, however: you can use consent as your lawful basis and deny services to users who do not consent under any business justification, as long as you have one.

If targeted ads give you more revenue and you choose to use solely targeted ads because that's your business model, the GDPR does not force you to provide a free service or a service that generates less revenue.

So no, #2 doesn’t have to be as #1; this is confusing things with the single purpose clause, in which case you can’t make X and Y co-dependent.

E.g. while I can perfectly refuse service if you do not accept ads, I can’t refuse to sell you something for not wanting to join my mailing list.

Also, not only that, nothing is stopping you from having multiple bases for consent; it’s actually the recommended approach.

Please see GDPR Article 7, §4:

"When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

And then Recital 43:

"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."


1. You ask users for consent

2. The consent is not strictly necessary to provide the service

3. You deny the service to users who decline to give consent

Then the consent isn't freely given and therefore invalid.

> GDPR does not forced you to provide a free service or a service that generate less revenue.

True, but then consent isn't the right basis for processing of data. As you mentioned, business justification, or "legitimate interests" as GDPR puts it, is what you should be using.

Article 7 does not violate what I said; this is a single purpose clause.

Meaning I can't force you to sign up to my mailing list or refuse to sell you items in my store; the current interpretation of most DPAs is that it doesn't apply to single purpose processing.

Also, again, as stated below, people confuse the "I agree" button with a GDPR consent; the fact that there is an ok/opt-out UI for GDPR does not mean that they are seeking consent as their lawful basis, but they still need to inform the user and allow them to opt out (even if opt-out means that they opt out of the service).

Only about half the GDPR popups I've seen were actually worded solely for seeking consent; even though they had the agree/opt-out buttons below, the text itself stated the legitimate interests of both them and their partners in why they need the data for most things, with maybe a handful of purposes relying on consent alone.

Google has introduced non-targeted ads for GDPR compliance. It sounds like a sizeable chunk of the market disagrees with you that you can force the use of data for targeting on users under GDPR.


A sizeable chunk of the market doesn't disagree with me but would rather get something than nothing.

If Google can generate the same ad revenue, or close enough to it, without having to force your users to agree or opt out into oblivion, in which case you lose the revenue stream from all users that opt out.

It's also important to note that Google's non-targeted ads serve two functions, as they both allow you to display ads to users who did not consent to data collection, as well as potentially protecting you as an advertiser by ensuring that your ads are delivered in a GDPR compliant manner.

Under the broader interpretation of the GDPR, you as an advertiser might be liable if you buy space for targeted ads that are displayed unlawfully, and this is because the GDPR essentially mandates that you must ensure the compliance of your partners.

This goes against what I've seen in regard to consent (generally warnings not to use it unless truly necessary - if you require something, put it as legitimate interest or a requirement to perform the contract; do not ask for consent since it sets wrong expectations).

I also don't think consent is the right basis to use all the time (however, it's important to note that no lawful basis takes precedence over any other), and well-vetted vital interests and a contractual agreement are preferable; however, consent is the easy way out.

"This is what we do, do you agree: yes/no" is much easier than developing a valid vital 1st and 3rd party interest for each case, and most online services don't require a contract.

However the idea that somehow you have to provide services to people who do not consent is simply false.

What you can't do is tie completely unrelated interests to a single consent. For example:

I have a website that shows you local events and allows you to sign up for them; my business model is to sell your contact details to promoters. If you do not consent, there is no reason under the GDPR to compel me to provide you with a service that costs me money to run while you refuse to participate in my revenue stream.

What I can't do is, say, if I run a ticket website, refuse to sell you a ticket if you do not consent to me using the details you've put in in order to purchase them to be sold to promoters; or, in other words, under the GDPR the information collected for the purpose of selling you a ticket cannot be used for another purpose, selling your info to promoters.

It's also important to note that in some cases the "I agree" isn't actually used for consent; it's just a UX quirk. You can still allow people to opt out even if you don't use consent as the lawful basis. For example, I can display the following message:

"I collect the following information: XYZ, and issue the following tracking cookies: ZYX. The lawful basis for this is the vital interest of my company and my business partners." I still technically need to give you a way to opt out, so the window that says opt-out or agree isn't necessarily a consent window from a GDPR point of view.

And as previously mentioned, I can deny a service to you if you opt out because I can't monetize you, in which case I can legally redirect you to a page that says you can't access my website until you agree to my terms. In this case, again, consent is not necessarily the lawful basis; rather, you are acknowledging the lawful basis I presented under my terms of service.

Your position will certainly be argued for in a court at some point.

So will the counter position that sending reader info to countless third parties isn't actually necessary to monetize, as plenty segmentation value comes from the readers' selection of the site itself.

It will be argued the marginal value of each additional exposure of the reader's private data does not outweigh the individual's right to privacy.

In the meantime, here is a reasonably neutral but in depth overview for site owners interested in learning more to better navigate GDPR:


It doesn't need to be argued; it's a perfectly valid reason (and has been reaffirmed by different DPAs). The GDPR does not define what a valid or a non-valid legitimate interest is; it just has to be well defined and transparent.

I suggest you read the "legitimate Interests" part of the document you provided.

>It will be argued the marginal value of each additional exposure of the reader's private data does not outweigh the individual's right to privacy.

There is nothing in the GDPR that puts one legitimate interest over another, including your so-called right to privacy.

> There is nothing in the GDPR that puts on legitimate interest over another including your so called right to privacy.

In fact there is one exception which thankfully limits legitimate interests of data controllers:

"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

It remains to be seen in practice how much data controllers' interests can be overridden by "interests or fundamental rights and freedoms of the data subject".

I think the biggest issue with GDPR so far is enforcement.

It's still early days, but many companies don't even follow GDPR as they're supposed to, including Google and Facebook. That will only be settled after an enforcement wave against both large and average-sized companies (GDPR is more lenient towards small companies).

Somewhat tangential: have you seen GitLab’s notice? And what’s your opinion of that style, as far as informing/consent?

GitLab seems to use the Cookiebot solution. I like that "Marketing" cookies are disabled by default, although they should be labeled as "Advertising". Also, even if you bother to read the purposes of all the 80 advertising cookies, the descriptions are incomplete and dishonest. For example:

Doubleclick cookie notice: "Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user."

Facebook cookie notice: "Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers."

These descriptions fail to mention that the collected data will be combined with information from thousands of other websites you visit, which allows them to create sophisticated user profiles. From these profiles, you can infer things like gender, age, socio-economic status, interests, or hobbies with relatively high accuracy. Even if you asked them, Google and Facebook couldn't tell which hidden categories their machine learning models can discover.

I agree with what you’re saying; you’re proposing some ideal changes. But I think given where we were as a community or what has become the norm in tracking/social, this is a great step and is a big improvement over the past. It looks like someone from GitLab replied in a sibling to my comment, so maybe giving this extra feedback will bring about further changes.

Edit: and yes, I just checked and it looks like Cookiebot.

At GitLab we really care about transparency and it's one of our core values. Here you can find out more about our Cookies policy: https://docs.gitlab.com/cookies-policy/

> It doesn't matter what the user consents to, you cannot use their personal data ad hoc. You need to justify its collection, storage and transfer to the regulator, not the user.

I think one of the points is that there are very few companies that have the financial resources to do that, one of those companies that can afford it being Google. The next retort is "but then those companies should stop using trackers altogether", which leaves most of those companies that don't have Google's financial resources without ad money, meaning they're most likely to go out of business, practically creating an oligopoly where a handful of companies control most of what's published on the Internet. Granted, we would have gotten there regardless, only that legislation like GDPR is accelerating this process.

>but then those companies should stop using trackers all-together

Yes, why do they have to track their users? Why not use real targeted advertisement instead? If I go to a car forum, car related ads would be relevant for me. Using ML, tracking and profiling to give me ads for the fridge I did buy last week is not relevant.

>Using ML, tracking and profiling to give me ads for the fridge I did buy last week is not relevant

Come on, that's not what they are trying to do and you know it. There's so many valid arguments you could make, why use a strawman?

But the answer to your first question, is because ads targeted to users pay more, get more clicks, and overall perform better than those that are targeted to the page.

patio11 had a great back of the envelope calculation a while ago on this. Turns out showing ads for a fridge right after you just bought one might be highly successful.

Say the average person buys a fridge once every 10-20 years, the probability you're looking for a fridge this month is something like 1/120-1/240, call it .75 percent.

Some percentage of fridge purchases end up being returned. Let's say 2 percent of them. If you return a fridge, you pretty much are guaranteed to need a new one, so around 2 percent of people that just purchased a fridge are very likely to buy a new one.

That's over double the likelihood of someone that didn't just buy a fridge!

> ... might be highly successful.

Only in the context of the disastrous relevance of tracking.

Does tracking earn companies more than it costs users in added electricity? I doubt it.

I find that extremely unlikely, only because companies aren't entirely stupid, and if MANY companies have started doing that in this space, and since they started it their profits have gone up significantly, it points to this kind of tracking making a significant amount of money.

And most of the tracking happens on the server, the client really only keeping some tokens for state and sending them with the requests.

> only because companies aren't entirely stupid

[citation needed]

Cents per user is still a lot of money if you have a billion users.

Maybe the real value of tracking is the perceived value of tracking? It's a good way to combat competition as tracking requires that you already have a large presence.

Until one of us shows some kind of proof, we are both just guessing.

Now companies might do dumb stuff, but they don't just continue to grow and dominate by making exclusively bad decisions. Google is built on targeted advertising, and it's paid off for them very well, so it can't be a complete boondoggle.

The Wikipedia article on targeted advertising says that targeted ads make about 2.7 times more money than the alternative.

I don't have any numbers on material costs, but I can't imagine it costing users that much in electricity. Still, it is just a guess so if you have anything that shows otherwise I'd love to read it!


I bet rafting consent forms are still useful in the sense that they discourage most people with trivial-to-moderate injuries from thinking about holding the company liable.

Same as 'Stay Back 500ft, Not responsible for damage' signs on the back of gravel trucks. You'd better bet they are 100% liable for anything that flies out. But it discourages the unmotivated and the uneducated from seeking their entitled legal relief.

As someone who leads outdoor trips, I've been told (not sure how true) that one of the supposed benefits is that it informs about dangers. So someone who suffers an injury--not through negligence on the part of the trip leader--would have a tougher case arguing that no one told them that the activity was other than completely safe and they wouldn't have done it had they known.

On the other hand, I've also been told by lawyers that the usual scrawl your signature at the bottom of a paper after a quick glance probably doesn't make much of a difference.

Oh no, not the smaller advertising trackers.

This is interesting data but I'm not sure it supports the title - It shows Google's market share in the EU going up a tiny bit, but total tracking goes down in the same period, while the baseline is probably runaway growth like the US. Google may be hurt the least, but I doubt they're a "beneficiary" in economic terms.

It's a shame Project Wonderful just shut down - it felt like the kind of project that the GDPR should help. There must be a market for content-based, non-tracking ads that you can put up on any website without GDPR concerns. Google can and will fill that market, but since they can't lean on their global panopticon other ad providers can compete on fair terms.

From Project Wonderful's shutdown notice:

> Some advertising networks have held on by adopting more and more invasive user tracking, forcing their publishers to sign binding contracts, or by trying to train publishers (and readers!) to expect that "sometimes a bad ad will sneak through", but that's something we always refused to do. We believed - and still believe - that you deserve better. We believed - and still believe - in a world where an ad blocker wouldn't be an obvious thing to install, because advertising would be good, interesting, and non-invasive.

> Google may be hurt the least, but I doubt they're a "beneficiary" in economic terms.

So, relatively Google is the biggest beneficiary.

> Google may be hurt the least, but I doubt they're a "beneficiary" in economic terms.

Quite the opposite, if you pass a 20% tax on every company, except for Google, who gets a 10% tax, it is a beneficiary.

Everything is relative.

Yeah, beneficiaries are the end users and their privacy being worth something now. Which is something that wasn't the case before.

Probably not, having a few large companies benefiting from it compared to the rest of the market reduces competition, resulting in a loss to consumers.

Is Google the biggest "beneficiary" here, or is it more that a lot of shady operations were totally shafting people on their data/privacy and so they've finally had to close down or expose themselves to massive legal risks?

The significant drop in trackers on EU sites reported here (and not a huge surge in Google trackers on EU sites) suggests to me that it is other adtech/tracker companies that have lost, rather than Google gaining.

Either way, it is good to see some hard figures on tracking being rolled-back a bit. Now we just need some enforcement to fix the badly-implemented consent-walls (e.g. slate.com).

You're not looking for a surge from Google though - they're already the 1000lb gorilla, what you're looking for is the limitation in competition, which is what's occurring.

As with a lot of EU digital regulations, they're essentially centralising power to organisations who have the legal resources to either go through the process (and find loopholes), or the cash to fight it.

A lack of competition in the tracking space won't really mean the practice will disappear, but that the organisation who has the biggest consent database will take all the money by default.

I might be biased as a marketer, but I'd prefer to have multiple small companies who're tracking limited pieces of info about me across different parts of my web experience (and who may fuck up occasionally), than one huge company knowing 100% of my information.

(Edit: as a side note, the linked article is doing something shitty with the scrolling on the site, which is more annoying than semi-targeted advertising to me...)

The multiple small companies tracking limited pieces of info about you would anyway be happy to sell and share that for money, this is partly how those huge DMP databases are built.

You can limit that with different legislation though - the data-sharing and processing parts would do this, without the additional level of explicit consent which is the stumbling block (requiring scale).

I'm not advocating in favour of tracking, but the effects of enforcing collecting explicit opt-in consent appears to be centralising power, rather than getting rid of the industry. I'd rather have implicit consent across multiple providers (with processing safeguards and data sharing agreements stating they're only pooling the data amongst their advertisers), than explicit consent with only one behemoth.

It is Google because they have the largest pot of data, which allows them to very granularly target you with confidence. Whatever data the shady small business had, it was probably partial, old and outdated.

> Although the number of trackers is decreasing overall, a few large tracking operators such as Google receive even more user data.

This won't be a popular opinion here, but... it's actually good news / what you observe is GDPR protecting user privacy. You think that Google is bad? Then you probably haven't seen the smaller players. With e.g. Mouseflow, you can literally watch users enter their personal email in your "register account" field, then change their mind and use a disposable account. Or glean other kinds of sensitive details (passwords too, I think).

From the final paragraph of the article:

> In the end, users should never only rely on laws and regulations such as the GDPR to protect their privacy. Instead, they should be aware of who they are providing which data to.

Ignoring the fact that GDPR is primarily a regulation ensuring that they know who they are providing which data to, and ensuring they have a choice about providing it.

Is there any evidence of GDPR having the desired effect for which it was put in place? Is citizens' data being protected more than before?

The second-order effects that everyone predicted are already happening (big tech companies change nothing significant, many small companies shutting down).

The long-term and unforeseen second-order effects have yet to bear fruit, as far as I know (please let me know if you've seen anything).

Yes, the amount of tracking cookies is declining.


The shutting down of companies is a desired effect, because those are the companies that won't get consent. Data resellers, for example, that don't provide any advantage to the user.

We haven't even seen the actual effects yet because Google, Facebook et al. are probably in violation and are waiting to be sued to fight it out in courts.

One positive effect you can already see: people think about privacy laws. Most of the GDPR was already law in various EU countries, just largely ignored by everybody. GDPR gave the laws more teeth and publicity.

For real improvements, we will have to wait a few years to find out what and who regulators will pursue for violations, and how the courts interpret the GDPR. If regulators never look at small companies, the second order effects on small companies will vanish. If regulators fail to successfully prosecute the obvious violations by tech giants, no meaningful effects will stay at all. It all comes down to what regulators will do, and it's way too early to tell.

The GDPR isn't only about the Internet economy. It affects offline businesses as well. You start to notice things like a plumbing company asking for consent to use your contact data on a paper form. The fact that people think a lot more about data protection and privacy is a good thing in itself.

One nasty side effect is some large organisations are shutting out Europe. I can no longer access several popular US-based sites and instead get messages about the content not being available in your region. (Most recently: latimes.com and fox8.com)

That's also fine - was their content worth your privacy? If they can't be GDPR compliant we don't want them.

Maybe you don’t but can you speak for everyone? The poster seemed to think that was undesirable.

We, the people of the EU, have democratically decided that we don't want them.

I see a problem with people (even democratically) deciding for me. I'd rather like it to be settled between myself and the website owner.

That does not work. You have no bargaining power.

He had the power to say yes for himself before, and now he doesn't.

How did that democracy work with articles 11 and 13?

The European Union is the antithesis of democracy. If it wasn't, those directives would never have passed.

Democracy does not mean that every decision is good.

Democracy can also undermine itself. If people "democratically" decide they don't want free speech or private property, it's not a democracy any more. I don't assert it's exactly what articles 11 and 13 are doing, but it's a step in this direction.

And the power to use proxies and non personal emails.

Was their content worth my privacy? I will never know as they will not let me see it.

Besides, if they didn’t block me, I can always ensure my privacy to a reasonable degree by using private browsing mode on my browser. That requires very little effort, unlike what I would have to do now — use some VPN provider who quite likely would be monitoring ALL my data not just to that site.

You certainly don't need to use a VPN - much less one that routes all your traffic - to access a site from another place.

I suggest: https://outline.com/

If you didn't think their content was worth it you didn't have to visit. Now no one can.

You can only make that choice if you're informed about the tradeoff. Getting sites to inform users is the main purpose of the GDPR. It's not the EU's fault that the LA Times would rather block people than do that.

> was their content worth your privacy?

What privacy was I losing?

First one that comes to my mind: their advertisers knowing you're on those sites, which page you read, when, for how long, etc. This is mitigated by running an Adblocker and a selective Javascript disabling extension like uMatrix or NoScript, but it would be much better if those sites would let their readers decide if they want to be tracked or not.

Anyway, I'm also blocked on those sites but the same news on LA Times and Fox appear on countless other sites. I'm not losing anything, they're not wasting power and bandwidth for a freeloader. Win/win.

If you agree to pay $10 a month per paper, then you could have it. But the majority of people have proven that they will not pay, hence it does not justify having a paid subscription system without ads.

When more and more people block ads, there will only be a few large sites remaining on the internet because the rest will not be able to survive in the most likely scenario. You could cry all about your freedom then.

If that ever happens I can go back to buying newspapers as I did before they moved onto the Internet. I bet some of them will always be free, but if only a few of them will be, we should be very careful about what we read.

It's just my personal anecdote, but I'm happy to be able to choose which cookies can be used. And when I see the changes the companies I worked with and the company in which I work had to make, I think it's a good thing. People are more cautious with how they use the data of users now.

One effect I haven't seen mentioned yet is that EU data subjects can permanently delete their Facebook accounts, along with all associated data. (Previously you could only indefinitely 'deactivate'.)

It's led to one company I use supporting (and forcing) HTTPS. They should have been doing it before, but it's still a win. They've also stopped asking for addresses, and are removing existing addresses:

> To reduce the amount of personal data we process for you, we have stopped asking for address, city, state and zip code in our shop (we do not ship physical goods anyway). Also, we are in the process of removing all existing address information from our customer database.

More companies go public when they get hacked

I'm not surprised. I used to work on a team at Google that had to deal with GDPR (I still work at Google, but on a different team), and we had to get legal review for a lot of use cases. For example, we had a backup system that took snapshots of our user-provided data. If a user requested their data be purged, should we purge all the backups as well?

Since we had legal counsel in house, it wasn't too terrible. For a smaller company that doesn't have those resources though, GDPR compliance must have been a huge burden.

You know what? It's only a huge burden for organisations that process a lot of personal data in a variety of interesting ways.

As someone leading the privacy program at an organization that doesn't have that much personal data (relative to most businesses in our industry at least, and probably overall) and doesn't process it in particularly "interesting ways," I strongly disagree. The GDPR was and is a huge burden. You can believe that it's worth it without engaging in the fantasy that it's not burdensome, but don't deny the reality of the burden.

As someone who was involved in the GDPR work for an organisation that holds some fairly critical information about people and needs to share it with other organisations both as Data Controller and Data Processor, it really wasn’t too bad, mainly because we had already thought quite carefully about privacy and data security.

As a committee member on a local swimming club, it took about 2 hours.

There's a huge variance depending on the complexity of the business and how many different things you do. Most of the variance has little to do with the shadiness/lack thereof of what you were doing with the data or even how well it had been thought through. Most of the variance is in how many different types of things you're doing and how many different data inputs you have.

I've talked to colleagues who do a wide variety of processing for their controllers in a business with just a few employees, which is paralyzing. The company I work in is somewhere in the middle. I've also talked to colleagues at companies who only have a few inputs, and regardless of the volume of input that seems to be pretty easy.

I disagree. The sheer magnitude of fines that can be imposed makes the potential damage huge, even if the probability of being hit by them is small. This makes the risk of noncompliance high.

More generally, I am wondering: how do smaller companies go about even attempting to comply with the GDPR? The “head in the sand” approach of simply not serving requests to people physically in the EU doesn’t work for a number of reasons, and I don’t see how you can even sell anything on the internet without being within its reach. (Of course, now that I think about it, how is the EU going to fine a small business in the US that has no overseas operations?)

Are there any resources for small businesses in the US that want to protect themselves from onerous fines the data regulators can impose? How can they even begin to assess the risks of noncompliance?

Offtopic: am I the only one to see the optical illusion of the 0% line bending upwards to the left in the "change in the number of trackers per page, by category, EU vs US"? [1]

[1] deep link: https://static.cliqz.com/wp-content/uploads/2018/10/trackers...

No, you're not.

What I am still missing from Google is a clear instruction that explains how to adjust the Analytics settings to be 100% compliant with GDPR. The fact that this is missing made me decide to drop Google Analytics in the foreseeable future.

Saying Google is the biggest beneficiary is grossly misleading. Their reach increased by a whopping 0.9% while everyone else's declined. Even if reach is the only relevant metric, that's hardly worth talking about.

The actual biggest beneficiaries are the citizens whose data is protected.

Market share is only part of the picture. What happened to the size of the market in the EU after GDPR?

Plus it knocked a lot of potential competitors off the internet.

I know multiple young startups and entrepreneurs in Europe that killed their projects/ideas because the additional burden of coping with GDPR was too much for them.

It's not that big a burden - just have an officer and don't collect certain types of data without the user's consent. If you can't do that minimal amount of effort and either ensure the user's privacy, or get the user's consent, then you shouldn't be in the business.

It's like complaining about how new credit card businesses or banks can't just start up but need a load of compliance. That was tried with cryptocurrencies and billions of users' money was lost due to poor security and scummy companies.

You really don’t think having a data protection officer (even if not a dedicated one) is a significant burden to a tiny business?

Like who?

Seriously. Besides that one blogger who was screaming because he didn't even want to bother with the help WordPress provided, I did not hear of a single person/company that quit because of that.

It would also be quite embarrassing considering the time you had to prepare, the help that is all over now or the fact that nobody seems to enforce it. Especially for businesses.

Here you go: https://www.theguardian.com/technology/2018/may/24/sites-blo...

First hit from a Google search for “GDPR shut down”.

> Unroll.me, an inbox management firm, announced it was completely withdrawing services for EU companies due to an inability to offer its product – which is monetised by selling insights gleaned from reading users’ emails

Dodged a bullet here.

- history.com forwards to their German page history.de as it always did

- Ragnarok Online is working: https://www.ragnarokeurope.com/?lang=de

- Klout sounds just as dirty as unroll

- Super Monday Night Combat is working https://www.uberent.com/smnc/

Sooo what's the problem again?

The discussion culture here is disgusting.

I get downvotes for FACTS? Seriously people?

I've read that many times here, but it's weird because I don't know any. None of my neighbours, clients or partners have had any significant problems with GDPR, in a kinda large tech complex in France (with about 300 startups, though of course I don't interact with all of them).

Maybe you mostly have relations with startups that work in the ad industry?

In France, the CNIL already enforced constraints on data management. The GDPR could be seen as an enhancement of current constraints/laws.

Why would they give up specifically because of GDPR? It just makes no sense, there are thousands of regulations already on all the parts of the day-to-day life of running a business, I wonder how they planned to manage the rest of them.

Seriously. The Data Protection Directive alone already included most of the GDPR.

Not even going as far as IT, just labour laws are already 10x more complex and difficult to follow compared to GDPR.

Except that companies that don’t employ anyone in the EU don’t have to follow EU labor laws.

Really? Because I haven’t heard of any, and I live and work here. Any sources?

They are young single founders in the idea or mvc stage. So nobody that is mentioned by any sources.

I’m a little surprised then, because the only problem I see for basic GDPR compliance for a single founder is if their business model is based on monetising their users’ data. Which is going to be a problem, regardless of the size of the organisation.

It took me 2 hours to get my family member's small web business GDPR compliant...

Are you sure it’s really compliant? Are you willing to risk the possibility of huge fines if you’re wrong?

Sounds like you need better friends.

The only way GDPR could kill a business in the conception stage is if the business model was to secretly collect user data and sell it for profit. A business that can't get started due to GDPR is a business that never deserved to exist.

If I read that graph correctly the number of trackers per page has gone UP 20% since April in some categories for US visitors.

But it went down in the EU, so I guess they need to make more money on tracking and profiling somewhere else now.

Not terribly surprising.

The purpose of GDPR wasn't to hurt large companies, but to protect citizens.

Anyone surprised? It was clear since the beginning that that’s going to happen...

This was always going to be the case. Google benefits from having a direct relationship with the customer, meaning that consent is relatively trivial to get. None of these third party tracker companies have that relationship, so rely on securing opt ins on a piecemeal basis. This is why a large number of the third party tracker companies all shut up shop in Europe in the months before GDPR.

If I go to a random website and they serve third party Google ads, I don't have a direct relationship with Google in that scenario. It's not enough to say that because I have a gmail account I consent to being tracked all over the web on every website.

You don’t have a GMail account, though, as there’s no such thing as a GMail account. You have a Google account, and GMail is bundled in as a service.

FWIW - ‘tracked all over the world on every website’ also comes with some significant caveats.

Nothing about what you are saying here is related to my point though.

If I use one product of Google, it does not mean they have a "business relationship" that entitles them to tracking me as a third party on random websites.

And even if it somehow did, I could merely opt to not be part of that, and neither the website nor Google can deny me service for opting out. That's one of the main aspects of GDPR, you can't make a service conditional on clicking "I agree" and signing away all your rights.

If you’re using a signed in Google Account or a signed in Chrome Browser, Google will argue that the tracking is compatible with the services that you have agreed to as it helps provide a more personalized experience.

But that's not how GDPR works, if I agree to use a service it does not mean I agree to be tracked for a "more personalized experience".

Facebook is even worse, they track me without me even having any interaction with them prior.

That’s exactly how GDPR works - Google will say that they are protected under the legitimate interest exemption.

Really, Google tracks me while I'm visiting a non-Google website (!!!), and they expect to be protected as having a "legitimate interest exception"?

Unless Google can successfully argue that every action, every step, every breath I take, is now a business transaction with them because I made a google account, then they don't have a "legitimate interest exception" for jack shit.

Google is an advertising company and uses legitimate interests as a legal basis for collection when using personal data for activities such as serving contextual ads, ads reporting and to combat fraud and abuse. As for the third party website using third-party cookies etc. to transact with Google, you have a choice whether to consent to that with the publisher.

By that logic GDPR actually doesn't affect a single company in the world, because by having an effect on the company, it will impact their legitimate business interests, and thus they will be exempt from GDPR.

I'm a company that forwards your postbox content to your house, and I also sell your nighttime movement data that I've harvested from GPS through my delivery app. Totally exempt from the GDPR since it's part of my core business to silently sell your data.

I'm surprised at the US number of trackers count - I would have expected some degree of free rider benefit for US based consumers. Otherwise, the numbers seem to bear out some consolidation, with web pages giving up trackers but more likely to hold onto boutique solutions (the ranked <150 group) for specialized needs.

> The average number of trackers per page has dropped by almost 4% from April to July. The opposite is true in the US: there, the average number of trackers per page has increased by 8 percent over the same period.

since when is this a bad thing? i want my page less bloated with 100 trackers...

"WhoTracks.me is a joint initiative of Cliqz and Ghostery. It provides structured information on tracking technologies, market structure and data-sharing on the web and thus creates more transparency. On the WhoTracks.me website, interested parties will find visualized monthly tracker statistics. They are based on the evaluation of around 300 million-page loads and more than half a million websites."

Considering IP-address is considered personal information it sounds like this study is based on data that was illegally collected according to GDPR.

I'm assuming the data was collected through the Ghostery browser extensions, which require explicit opt-in to share that data.

Outside of the specifics of this article, I've wondered what effect GDPR has had on smaller companies and even individual developers. My company spent a lot of time and money to become compliant. Not only was this expensive, but we relied on lawyers to advise on where we could draw the line for compliance. If the company were a bit smaller I imagine it would be impossible to tackle this project.

From what I've heard from people with Google and FB accounts, both basically ignored the law and presented their users with take it or leave it pop-ups on their online properties. That's why they're getting sued...

Are they getting sued? I'm not aware of any GDPR-related cases against Facebook or Google so far?

Über-fucking-raschung. Regulation is beneficial to big companies.

Meanwhile, little players like *looks at diagram* Facebook lose.

Too much has happened to Facebook recently to really assert connection of decline with GDPR.

The biggest beneficiaries of the GDPR are individual citizens.

But that doesn't even enter into the tech industry zeitgeist, where commentators are enthralled by the bloodsport between corporate champions and the lives lived by actual humans are incidental and inconsequential.

There was another HN thread with BrendanEich in it talking about this: https://news.ycombinator.com/item?id=18119367

But who could have known?

I was looking at a couple of non technical friends browsing the Internet. Not one took time to read consent prompts, they just mindlessly click whatever takes the notice out of the way. GDPR is dangerous and doesn't fix anything.
