I find the clarification about cookie walls being out of compliance with GDPR to be a real headscratcher. Here's part of the Dutch authority's FAQs[0] thanks to Google Translate:

"At a cookie wall, website visitors have no real or free choice. It is true that they can refuse tracking cookies, but that is not possible without adverse consequences. Because refusing tracking cookies means that they cannot access the website. That is why cookie walls are prohibited under the AVG."

I find this fascinating. Is there really not a free choice to simply leave the website? A paywall is surely legal. But it is illegal for me to "pay" using something other than money.

Am I allowed to offer users additional functionality in exchange for access to their data?

[0] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne...

Of course you have a choice, but in reality who leaves a site because they see that warning? I imagine almost no one. Hell, I understand the implications and I don't care because site X has what I'm after and perhaps no one else does (or they all have the same warning anyway.) I have no reasonable option but to accept whatever these sites want.

The warnings accomplish nothing. It's just another nag screen. It was a bad idea when it was thought up and it still is today. It's an attempt to seal a wound (misuse of personal data) with a piece of string. It wasn't even a half decent band-aid.

... and users appear to disagree on whether there's a wound to seal.

It's difficult for the average person to understand the long term implications of this sort of data collection. They don't realize how powerful all these little details can be when put together.

And there's another category of people that understand but don't care.

Not proud of it, but I fit somewhere in that bucket. I do consider it and I have made (slightly) inconvenient choices in the name of privacy, but when it comes down to it, I typically say "screw it" because I want what I want.

Oh yeah, I'm definitely including myself in that bucket too.

The warnings under the old law were idiotic. Under the GDPR, however, you're required to have clear consent with an easy refusal option. But just like the cookie warning, so, so many sites are violating that requirement because, hey, you cannot go after everybody, right? I don't think there were really any consequences for violating the old cookie law, so the majority are maybe approaching the GDPR the same way (even though this time there are actual punishment options.)

That's how the GDPR is designed. I'm not a lawyer or a GDPR expert, but I believe this means that unless your service actually requires a particular type of data collection to function, you're not allowed to make access to that service contingent on that data collection.


> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

In other words, people aren't allowed to sell their data in exchange for services. I suppose the argument is that people are really bad at valuing their own data. They don't know how it can be combined with other datasets and how it might be resold and repackaged and never go away. There are other things people can't legally sell, such as organs, votes and sex, so it's not an entirely brand new idea.

I am befuddled by your befuddlement.

Consumer protection laws regularly put limits on the freedom of contracts between companies and consumers. A rental car agency can’t give you a rebate for renting an unsafe car.

The fact that no money changes hands doesn’t change this. If you’re offering free taster portions of bread to passers-by, you cannot use lead as an ingredient. Neither being free, nor putting up a sign with the list of ingredients will change that.

Agreed, but these rules are clearly defined, make sense to the common man and actually lead to what they should lead to, namely that I can, with great confidence, eat anywhere without being poisoned.

GDPR is terribly vague and creates a barrier-to-entry. Draconian measures may hurt large companies, but they threaten smaller ones.

EU is saying they don't like Silicon Valley behemoths' power but they want valley-like companies in the EU (sometimes even calling for a 'European Google', as if you could just pass a rule to make that happen). And then they create laws that make it easy for the large players and harder for their competition.

Everyone here spent a great deal of money for some compliance boo-hoo. FAANG has your consent and upgrades their policy, done.

To me, this seems like ineffective and incompetent lawmaking, no matter if the intentions were sound.

I take it you have not read the regulation.

If you had you would know that the regulation isn't there to nail companies from other regions. Anyone doing business with Europeans is subject to the same rules of the game, and that naturally also includes European businesses.

No, it's not a free choice. You cannot pay with your personal data the same way that you cannot sell yourself into slavery, even if you wanted to.

These cookie notices are also almost invariably violating the GDPR. There must be a clear choice, and if you choose not to be tracked, you must be able to still use the service unimpeded; then there must be a clear and understandable description to the intents of data collection; and lastly, the opt-out choice must be accessible equally simply as the opt-in choice (none of this "Accept" vs. "Manage options" bullshit.) For example, one of the very few larger pages where I've seen it done right is Wikia/Fandom.

> Am I allowed to offer users additional functionality in exchange for access to their data?

In a way, yes, but you're phrasing it in a roundabout way. You can ask for personal data to enable additional functionality that requires that data. For example, you're allowed to ask for location if you want to show them some offers nearby. They are allowed to refuse and in that case they cannot use the particular function that's tied to their realtime location. If they've given permission to use their data, you, however, are not allowed to use that location data for any other purpose other than what they explicitly agreed to and what's actually needed to provide the service. I.e. you can ask for the location to provide a location based service but you don't need their age and income data; also you cannot use their location for other purposes they aren't informed about. And you certainly aren't allowed to sell it to someone else without an express permission.

In short - you need a clear and explicit permission for specific purposes, and you cannot deny access to those parts of your service that don't require personal data.

> You cannot pay with your personal data the same way that you cannot sell yourself into slavery, even if you wanted to.

So, what you're telling me is that GDPR actually limits my rights as a private citizen because they think I'm too stupid to make my own decisions? I guess I shouldn't be surprised.

That's how the GDPR works - unless the data being collected is required for the operation of the service, you cannot make data collection a requirement of using the service.

What if the ads are required for the operation of the website, because without them the site has to close? People are rarely willing to pay for big sites, they surely won't pay for many small sites separately.

Smaller sites don't have the resources to curate their own ads, that's why they use ad networks. If we are strict about this then this rule will eliminate small sites while tightening the grip of the big sites on the net, because they have the resources to adapt.

> What if the ads are required for the operation of the website, because without them the site has to close?

That's why you ask people. If enough people agree to paying for your content with their data, your site lives on.

If too many opt to not pay for your content with their data, your site dies unless it can find another way of making money, such as subscriptions.

Yes, it absolutely can mean that the giants will expand and lots of small sites that use ad networks will die.

> That's why you ask people.

Most people don't care and just choose the default option to get to the site. If opt out is the default and opt in requires a conscious decision then the majority of users won't opt in, because most users don't read the options, only click on the default option or the close popup X.

> Yes, it absolutely can mean that the giants will expand and lots of small sites that use ad networks will die.

And we already see the current situation where Facebook is dominant. If more small sites die and the big ones get even stronger then the situation will continue to deteriorate.

It also can mean that small sites will expand and giants that use ad networks will die!

My understanding is that something being 'required for product to function' refers to technical requirements, not revenue requirements. So, yes I agree that it's a problem for small sites (or really anyone who tries to make money on ads).

So this is a bad rule, because enforcing it will result in eliminating independent small sites which have no other means for financing themselves than ads.

Advertising doesn't require recording detailed profiles of individuals without their consent. Think of magazines, billboards, television, radio, etc.

In case of the advertising available for small sites with a handful of staff (ad networks) untargeted ads pay much less (even 50% less or more) and that revenue may not be enough to keep the sites operational.

Is this necessarily a bad thing, or just a reality of operating a business?

Advertisement doesn't require profiling and surveillance. That is what GDPR and other efforts like some ad blockers are trying to protect against. The emerging consensus is surveillance capitalism is unethical and increasingly illegal.

> Advertisement doesn't require profiling and surveillance.

Targeted ads pay much more. Eliminating targeted ads can result in a revenue drop of 50% or more, effectively killing small sites which most of the time make not much more money from ads than what is needed for financing themselves.

The idea that a site should automatically generate revenue simply for existing, especially when it's relying on unwitting invasion of visitors' privacy in an increasingly illegal manner, is ridiculous at best; malicious and predatory at worst.

The site generates revenue by providing a service. That's why people visit it and that generates the revenue via ads. E.g. an independent news site provides news articles and people visit it.

People won't pay for many small sites separately, so until we have a viable alternative (e.g. automatic micropayments) eliminating targeted ads would effectively eliminate independent journalism as well (regular ads pay much less) and we'll only have sites financed by big corporations pushing their agendas.

I'm not a fan of targeted ads, but I'd rather have them if they allow independent publishers to operate, than having only new sites financed by big money.

The site does NOT directly generate revenue by providing a service to their visitors, nor even by selling space to advertisers. The site generates revenue by selling to 3rd parties intimate access to its visitors without the knowledge or consent of the "average" visitor. It is broken in principle, running afoul of the nature of marketplace regulation and privacy rights.

This is just "the ends justify the means", because the consequences fall on the visitors, not the site owners, advertisers, or data brokers. It's a disgusting, predatory rationalization for offloading the damage while reaping the rewards.

Patreon on its own delivers hundreds of millions of dollars of funding a year. Web ads existed long before individualized tracking, and still are that way in pretty much every other medium (print, billboards, broadcast media, product placement, etc). Independent journalism existed in websites, blogs, pre-monetization YouTube, etc as well. Heck, SV investment is available and all about spending money without any real revenue plans anyway. :-P Just this one very particular ad model needs to be ended for everybody, big and small, and the advertising market still has everything else covered. The "big money" sites also still need to monetize somehow (and much more voraciously), and wouldn't be allowed tracking ads, either.

If you can't make money without violating your audience, then you don't get to make money at it, and all scales should be held to the same account if it is genuinely considered an issue of rights.

I, for one, am actively boycotting sites with invasive tracking technology. To a certain extent, I rely on Hacker News discussion to get the essence of many articles, even on prominent publications, where consenting to tracking technology is necessary to read the article. As soon as I see a tracking consent dialogue, I will often leave, and actively avoid sites that I already know use tracker network tech.

If a site's business model depends on using their users' data without their consent/knowledge then why would we want regulation to protect it from being eaten and their seat at the table taken by Facebook?

Because we need independent sites too, so we hear other opinions than just the agenda of big money.

It's not ideal that we need targeted ads for that, but currently there is no viable alternative and untargeted ads don't pay enough.

I think there is no alternative because it pays too much. It works both ways.

Again, earning increased revenue doesn't justify supporting unethical and/or illegal behavior from the advertising networks.
