
This is like a case study of well-intentioned, carefully designed regulation doing more harm than good. Honestly, I'd rather just have a browser addin that blocks the cookies I don't want. The market was working fine. Now every new website is a pain, and my organization has hired some amiable lady to be "GDPR expert". She doesn't appear to know anything about anything, but she sure seems nice.

> The market was working fine.
At the very least, this is up for debate.

The harm is being done by companies attempting to keep the status quo by nagging users unless they give consent. I hope some of the worst offenders in this regard get slapped by regulators. You can be 100% GDPR compliant and have a functional website without needing any cookie or GDPR consent boxes.

GDPR absolutely does not do "more harm than good". It extends well, well beyond these dumb cookie warnings.

GDPR puts the citizen/customer in power of their own data. They can ask for their data, they can ask for it to be deleted, they have (however shitty the UX) control over where it goes. They can contact large corporations and request these things and be heard out.

I don't know how to explain it any other way: These things are fucking important.

As for your organization's GDPR expert who doesn't know anything about anything, this sounds like a "your organization" problem. Replace GDPR with some other acronym such as HIPAA, PCI or even SEO or PHP, it's still your organization's fault for hiring someone who doesn't know their stuff. How is that GDPR's fault?

Edit: Yes, keep downvoting facts. GDPR isn't just cookie warnings, how is that controversial?

> I don't know how to explain it any other way: These things are fucking important.

I believe that thought is treated as an axiom by some and an under-tested hypothesis by others.

That they're not important to everyone doesn't make them unimportant for everyone.

It's kinda like other rights such as free speech. Some people don't need/use it. Some specific people might arguably be better off without it. But Everyone needs it; as in, it needs to be available to everyone for it to work.

It's worth noting that the United States considers a right to keep and bear arms as important as a right to free speech.

Internationally, reasonable disagreement on rights seen by some as fundamental is to be expected.

You make a fair point, but the right to bear arms is mainly controversial for safety reasons. What safety issues are there with providing customers control (or at least visibility) over their data?

It's also worth pointing out that the right to bear arms, by its origin, should probably be called the "right to revolt". While this is still a controversial issue for governments (governments don't want revolt), it's less controversial for citizens.

I think the safety issues with GDPR compliance are minimal (there's a weak argument to be made for inefficiency introduction and contributing to warning blindness, but it is a weak argument).

Larger arguments are in the space of tradeoffs. What could companies be doing with the engineering resources devoted to GDPR compliance (including compliance with the consumer-frustrating applications of the law, like the cookie walls)? Since the US doesn't have a GDPR compliance law (and companies in the US only comply when they want to do business in the EU), we'll probably see with time whether the inefficiency introduced is worth the tradeoffs in a highly-competitive world of software services.

I agree with you that the whole thing is inefficient. I think every GDPR advocate, much like me, will agree that it still needs to be improved and worked on. We're nowhere done.

There is a safety issue in that data previously only visible internally is now also exposed to the customer/user and any unauthorized person successfully pretending to be them. The problem of "account compromised" now becomes a bigger (potentially much bigger) problem of "account compromised and juicy data is exfiltrated under a GDPR data dump request (and maybe followed by a request for deletion right after maybe making it so that the authorized user can't even know what was taken)".

That seems like a huge reach. Most of the data that affects users can be one way or another acquired if you're logged in. Furthermore GDPR requests are often handled outside the account itself, except by companies that have the resources to automate them (and those companies usually have a lot of security resources).

I'll give you though that the addition of human processes in there presents more security risks. I'm doubtful about the addition of safety risks though.

I dunno, this all seems like an extension of the risks we already have. More data, what of it? If an account with sensitive data is compromised, you're most likely fucked regardless of whether the hacker gets a hold of that data.

It is kind of minor but still necessary to think about. The difference is that "sensitive data" now includes internal data that not even the account had access to or was aware of. You're right it's an extension of current risks rather than a new class, it's only one more attack vector against an existing surface. Before GDPR, the company itself would need to get compromised for that data to be exposed, and that happens often enough. After GDPR, the data for an individual can get exposed just from compromising that individual. Does that data matter? Maybe, maybe not, that's the question with all breaches too. In the good-spirited intention world, post-GDPR the company no longer gathers as much data in the first place, so they can actually reduce/eliminate the impact of that attack surface being broken in either way. I don't see this happening in practice, the desire for more and more data is strong.
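The sub-thread above describes a risk rather than a fix: a compromised session could pull the full internal profile through an access request and then ask for erasure so the owner never sees what left. The block below is an added example, not code from the thread or from any real product, showing one defensive way a service can handle export and deletion requests: require a fresh re-authentication instead of trusting the session cookie alone, tell the owner on every registered contact channel, hold deletions for a cooling-off period so they can be cancelled, and keep an audit entry of what was exported. The class name, field names, the 72-hour hold and the 10-minute freshness window are all constructed assumptions.

```javascript
// Added example (constructed; not the thread's or any project's code).
// Defensive handling of "export my data" / "delete my data" requests so that a
// stolen session alone cannot quietly exfiltrate internal data and erase the
// trail. Timings and field names are assumptions for illustration.

const HOUR = 3600 * 1000;
const DELETION_HOLD_MS = 72 * HOUR;       // assumed cooling-off period before erasure
const FRESH_AUTH_MS = 10 * 60 * 1000;     // assumed: re-authentication must be this recent

class SubjectRequestService {
  constructor({ now, notify }) {
    this.now = now;                        // injected clock so the example is deterministic
    this.notify = notify;                  // out-of-band channel sink (email/SMS/push)
    this.pendingDeletions = new Map();     // userId -> time the erasure becomes due
    this.auditLog = [];                    // retained for security/audit purposes (assumed lawful basis)
  }

  // A valid session is not enough: the caller must have re-entered credentials
  // (or a second factor) within FRESH_AUTH_MS before a request is honoured.
  requireFreshAuth(session) {
    if (!session.lastAuthAt || this.now() - session.lastAuthAt > FRESH_AUTH_MS) {
      throw new Error("step-up authentication required");
    }
  }

  // Export: verify, build the archive, record which fields left, and notify the
  // owner on every channel so an export they did not ask for gets noticed.
  exportData(session, user) {
    this.requireFreshAuth(session);
    const archive = { profile: user.profile, internalNotes: user.internalNotes };
    this.auditLog.push({ type: "export", userId: user.id, at: this.now(), fields: Object.keys(archive) });
    const when = new Date(this.now()).toISOString();
    for (const channel of user.contactChannels) {
      this.notify(channel, `A copy of your data was exported at ${when}`);
    }
    return archive;
  }

  // Deletion: verify, then schedule rather than erase immediately, so the real
  // owner has a window to cancel if the request was not theirs.
  requestDeletion(session, user) {
    this.requireFreshAuth(session);
    const due = this.now() + DELETION_HOLD_MS;
    this.pendingDeletions.set(user.id, due);
    this.auditLog.push({ type: "deletion-scheduled", userId: user.id, at: this.now(), due });
    const deadline = new Date(due).toISOString();
    for (const channel of user.contactChannels) {
      this.notify(channel, `Account deletion scheduled; cancel before ${deadline} if this was not you`);
    }
    return due;
  }

  cancelDeletion(userId) {
    return this.pendingDeletions.delete(userId);
  }

  // Run by a scheduler: erase only once the hold has elapsed. The audit entry
  // (not the user's data itself) is kept so an earlier export stays visible.
  runDueDeletions(store) {
    const erased = [];
    for (const [userId, due] of [...this.pendingDeletions]) {
      if (this.now() >= due) {
        store.delete(userId);
        this.pendingDeletions.delete(userId);
        this.auditLog.push({ type: "deleted", userId, at: this.now() });
        erased.push(userId);
      }
    }
    return erased;
  }
}
```

The point of the hold is that an export followed immediately by a deletion, the sequence the comment worries about, becomes visible to the owner with time to react, and the export record survives the erasure.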

I like the spirit of GDPR. I think it is important.

It also doesn't matter if people aren't educated and don't care.... or simply don't care if they are educated.

It's not clear to me that any progress has been made by GDPR in those areas.

Recently a company I trust was sold to a company I utterly dislike and have zero trust in.

Before the sale was executed, as an EU citizen I was informed that my consent was required for the transfer of my personal data to the new owners.

I did not consent. My data is not in the hands of the new owners. And under GDPR, I was able to request all the data they had on myself in order to make an archive of it before the execution of the sale.

None of this was possible a year ago. Know your rights, use them, you'll get to appreciate them.

I think that is great.

But I think it might be a case where Troy notes, you're educated on the topic, and like cookie tracking, you probably could have dealt with cookie tracking before GDPR too on your own.

I'm not at all sure that applies to more than a handful of people. If that's the case, GDPR is not helping most people.

I entirely agree with the premise that citizens don't know their rights well enough. But that doesn't mean they shouldn't be available to them.

Most people don't know how to read nutrition labels either; they're still there and it's a good thing they're there. Do you think they should be removed simply because people don't know how to read them?

I can make the same argument as to why I believe open source is important. Most people don't know how to read source code.

I'm not saying remove them, but I wouldn't argue they're useful if people did not read them....

I've seen nutrition labels reworked repeatedly.

Privacy laws aren't going to be helpful if most people don't know. Even if I opt out on say my phone... it doesn't matter if they get much of the same data from my friend's phone, about me...

I think there's a lot of GDPR banner waving and it's really not helping. People think any criticism of GDPR is a suggestion that it shouldn't exist. You can believe in the ideas, and think GDPR has failed too.

As I said in other parts of the thread, I agree GDPR still needs work and improvements.

> People think any criticism of GDPR is a suggestion that it shouldn't exist

Untrue; what I do repeatedly see though is people who think that just because GDPR has flaws, the whole thing needs to be ripped to shreds and we were better off without it.

People believe the GDPR is about cookie warnings. That's the problem. The GDPR is great and the annoying cookie warnings are about 1% of GDPR.

You can't say "I liked it better before GDPR because cookie warnings".

GDPR is actually 0% about cookie warnings, because that's an entirely separate piece of legislation. But yes, the online stuff in general is maybe 10% of GDPR tops, and half of that is what goes on behind your back.

> I don't know how to explain it any other way: These things are fucking important.

I think many people, especially on HN, understand the implications of using cookies and also understand the privacy concerns of 3rd parties taking their data. What I don't understand is why there are people who assume almost everyone has absolutely no idea or concern about any of these things and therefore advocate for pushing horrible and half-baked regulations like GDPR onto the dumb masses.

GDPR is neither horrible nor half-baked. The word you're looking for is flawed. I don't know why you expected it to be perfect from the get-go when it's such a complex subject in the first place.

What it is however is a major step up from before. It's an excellent start. You won't do any better by scrapping the whole thing and starting over. You can improve it.

Explain to me why you're better off without it.

I don't get the hate either. I was AMAZED the first time I saw how easily I could opt out of literally HUNDREDS of ad/tracking companies. And without breaking my browser, as I have to do sometimes (disable JS or block all cookies-- see how long you can go without running into a completely broken website).

GDPR is both imperfect and awesome.

Cookie warning is probably the biggest thing for me, I can see the web slowly dying before my eyes little by little with dumb things like banners blocking 5% of all websites. All you need is 20 more dumb rules and there won't be anything to see on any website you first visit ever again.

I'm not saying cookie warning is 100% the result of GDPR but it sure as hell is a side effect. We must be careful about possible outcomes of our actions no matter how noble our intentions. Go ahead downvote!

You beg the question by saying it's "their own data" in the first place.

The idea that, because it's about you it's therefore yours, is wrong.

The famous difference between citizen-first EU and corporation-first US. Over here, we do believe that our data is ours. This is reflected in our legislation and regulation.

You don't want these rights and protections in the US? Well good news, you don't have them. They still apply to us however.

You walk down the street and pass by me waiting for the bus. I write down in my diary "Today, scrollaway walked by me while I was waiting for the bus." Who owns what I wrote in my diary?

What you believe "over there" is wrong; data about you isn't yours. You can pass all the laws you like, that doesn't change the moral fact of the matter.

I hope one day you get to reflect on that sentence you just wrote.

Could you stop posting flamebait so we don't have to penalize your account again?

Sure thing, bud!

I wouldn't call GDPR "carefully designed" at all. It is ridiculously broad and vague, and so far all implementations (including the cookie warnings all over the internet) are best guesses.

Most of the cookie warnings are clearly against guidance which says that consent must not be a condition of service to be considered freely given, must be opt-in, not opt-out, and that even with consent the use of PII must be in the user's interests.

Almost no cookie warnings meet the law and many of the ones that do could use a different lawful basis and not show a dialog at all.

> consent must not be a condition of service

So what do you do if your website literally cannot function without cookies?

Then you do not need to ask consent to use them. You only need consent for cookies or data collection if it is not necessary to the service (and 'necessary for tracking ads' does not count as necessary).

Why not, if that's how you are paying for the site to exist?

Because that's what the law says. Your business model is not allowed to infringe on the rights of your users to control their data. You can pay for the site to exist in other ways, but not by collecting your users' data without their consent.
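The last few comments state three rules for a consent dialog: cookies the site cannot function without need no consent, everything else must be opt-in rather than opt-out, and consent must not be a condition of using the site. The block below is an added example, not code from the thread or from any consent-management product, that turns those rules into a small consent gate plus a lint for a banner configuration. The cookie catalogue, category names and configuration field names are constructed for illustration.

```javascript
// Added example (constructed; not the thread's or any project's code).
// A consent gate following the rules quoted above: necessary cookies are set
// without asking, optional categories are off until explicitly switched on,
// and a banner is shown only when there is actually something to decide.

// Constructed catalogue of the cookies a site sets, grouped by purpose.
const SAMPLE_CATALOGUE = {
  necessary: ["session_id", "csrf_token"],   // site cannot function without these
  analytics: ["_stats"],                      // optional: first-party statistics
  advertising: ["_adtrack"],                  // optional: third-party tracking
};

// Every category except "necessary" requires consent.
const optionalCategories = (catalogue) =>
  Object.keys(catalogue).filter((c) => c !== "necessary");

// Consent state before the visitor has decided anything: every optional
// category is false. "Not decided yet" must never be read as "agreed".
function emptyConsent(catalogue) {
  const categories = {};
  for (const cat of optionalCategories(catalogue)) categories[cat] = false;
  return { decided: false, categories };
}

// Explicit opt-in: only categories the visitor actively switched on become
// true. "necessary" is rejected as a choice because it is never asked about.
function recordOptIn(catalogue, chosen) {
  const consent = emptyConsent(catalogue);
  for (const cat of chosen) {
    if (!(cat in consent.categories)) throw new Error(`not an optional category: ${cat}`);
    consent.categories[cat] = true;
  }
  consent.decided = true;
  return consent;
}

// Cookies the server may set for this consent state. Necessary cookies are
// always included, so the site works before and without any dialog.
function allowedCookies(catalogue, consent) {
  const allowed = [...(catalogue.necessary || [])];
  for (const cat of optionalCategories(catalogue)) {
    if (consent.categories[cat] === true) allowed.push(...catalogue[cat]);
  }
  return allowed;
}

// A site that only sets necessary cookies has nothing to ask and needs no
// banner; otherwise ask once, until the visitor has decided.
function bannerRequired(catalogue, consent) {
  return optionalCategories(catalogue).length > 0 && !consent.decided;
}

// Lint a banner configuration against the two rules quoted in the thread.
// Field names are constructed; a real consent product will name them differently.
function auditBannerConfig(config) {
  const findings = [];
  if (config.optionalCategoriesDefault !== "off") {
    findings.push("optional categories pre-enabled: consent must be opt-in, not opt-out");
  }
  if (config.blocksContentUntilDecision) {
    findings.push("content withheld until consent: consent is a condition of service");
  }
  return findings;
}
```

With this shape, declining everything leaves the visitor with a working site and only the necessary cookies; the anti-patterns the commenters complain about (pre-ticked boxes, cookie walls) show up as lint findings rather than as defaults.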

Applications are open for YC Summer 2019
