Hacker News new | past | comments | ask | show | jobs | submit login

The omnipresent "Please accept our privacy policy (or leave)" is worthless cargo cult GDPR pseudo-compliance. If it's neither freely given nor informed, it's not consent under GDPR.

See Art. 7: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

See Recital 32: "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data ... This could include ticking a box when visiting an internet website ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent."

If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach).

Please feel free to downvote this if you don't like it, but I'm merely telling you what the law says. If you disagree factually, I'd appreciate a comment though.

> If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach)

Exactly this. Basically what the GDPR says is: if your business doesn't require the data, you cant use it without the user's consent. And data used for better advertising is NOT essential to e.g. a news site.

What's more, the regulation syas that you can NOT simply say "accept or leave" in that case. You then have to provide the service to the user without storing that non essential data. You can't provide a service, even for free, that you condition on storing data not essential for that service. There is no "if you don't like it, leave" clause.

Basically: spiegel.de has to be prepared to show their news to anyone, including those that do not wish to be tracked by their ads. Right now we are in a period of denial where site owners believe they can have these "By entering you agree to..." banners. Once the first large fines are handed out, It'll be fun to watch.

This is the view of a US person: These are private owned and operated web sites. The site owner determines what is "essential." If you do not agree to to the terms, do not use the site. If you don't want to be tracked for advertising, that's on you to install ad blockers.

Are you allowed to sell your kidney in the US? (No, you aren't.)

This means that a site operator can't offer you access to a super awesome news site in exchange for your kidney. They can't get away by saying "but you can choose not to use the site".

Well, Europe does the same thing for your personal data.

Trading a kidney for access to a news site would obviously be insane, and we should have laws to prevent insane people from harming themselves.

On the other hand, if a person of sound mind decided they would rather have $1,000,000 than both of their kidneys, why shouldn't they be able to sell one, logically?

The idea of selling one's organs sets off the human involuntary disgust/outrage reaction ("of COURSE it should be illegal! how DARE you suggest such a thing?!"), but if we put that aside, is there a rational reason it shouldn't be allowed?

The news site was an obviously over-the-top example, but the more realistic $1,000,000 offer would be just as illegal.

The rational reason for that is that in the real world, not all choices are made by perfectly rational, superhumanely intelligent actors that have and consider all the information.

Also, not all decisions on a free market are truly freely made. If all standard housing/mortgage contracts contain that you have to sign away your kidney as a security deposit in case you can't pay your rent/mortgage rates, do you really have a choice?

With data on web sites, it's the same. Almost every web site collects data. You don't realistically have the option of going to a different news site if you don't like that deal.

>With data on web sites, it's the same. Almost every web site collects data. You don't realistically have the option of going to a different news site if you don't like that deal.

You have plenty of choice: make your own, feed them wrong information, feed them no information or find a site that doesn't. If enough people care about this niche then your website would succeed.

I don't agree. None of these is a real option.

- I cannot just make a website or service. It is usually a huge project that only few people can solve.

- I have no way to feed wrong information without diving very deep into that website's code. We are not just talking about data I enter, also about things that are collected without conscious effort on my part. It is not practical at all to feed false or no information. If they sell my IP address, how can I feed wrong or no information?

- Finding a site that does not act like this is the only way left, and it is exactly what the parent explained does not exist, because realistically, there are many topics for which virtually every site does act like this.

Use a VPN, sign up with a fake name, always browse in private mode, or regularly delete cookies. This will minimize your foot print.

Yes: it protects the poor and weak.

Thought experiment: a multi-billionaire wants to beat a human to death, and offers $10 million for it. A grandfather decides he would like to take that offer, for his children and grandchildren. Would you allow that?

If you also would not allow it (that's what I hope), then where is the proper boundary? What should we outlaw, and what allow?

If the grandfather consents to it, then what is actually wrong with him taking up that offer?

Your thought experiment (or at least your "hope" re: the "correct" answer) presupposes that suicide is wrong. Personally, I believe the only one who is allowed to dictate whether I live or die is myself; if I want to die, and have good reason to want to die (financial security for my children and grandchildren would certainly be compelling!), then that's my right, and it ain't your place to deny me that right.

No, it doesn't tell anything about suicide.

It is about the question: should one be allowed to buy everything, or are there limits? To emphasize: NOT should one be allowed to sell everything.

But those are fundamentally intertwined. If nobody's allowed to buy something, then how is anyone expected to be allowed to sell something? A purchase and sale are not independent events.

I fully agree. But still it makes a difference from a moral analysis point of view, because my aim is to condemn the buyer, and don't judge the seller.

So now you have to convince me that buying the right to beat someone to death is a morally justifiable action. It is not sufficient for you to judge selling as justifiable to make your point. I actually agree that selling is morally justifiable, and would never vote to make this a punishable offense.

Like I mentioned in another branch of this thread, if selling is allowed, then it would be immoral to not allow buying; punishing someone for buying something that's legal to sell would be entrapment.

In fact, doing so might even pass that immorality down to the grandfather seeking compensation for his suicide; if he's aware of the illegality of buying his life, and yet exercises his right to sell it anyway, then at best it's a meaningless gesture and at worst he's complicit in entrapping prospective buyers.

That's what I mean when I say buying and selling are intertwined. Without one, you can't have the other. If one is moral, the other must be moral as well. If one is immoral, the other must be immoral as well. Attempting to carve out an exception is inevitably going to run into all sorts of moralistic and/or logical snags.

Let me try to repeat your argument: whenever something is morally allowed for an individual, the moral system must ensure that the individual actually can do it.

This does not stand on its own, you need to provide a good argument why a moral system should be designed such that everything which is allowed can also actually be done. In particular, because our current system is not designed that way.

And even if you find such an argument, we end up with a moral dilemma, as long as you can't argue that buying is morally good in itself.

"whenever something is morally allowed for an individual, the moral system must ensure that the individual actually can do it"

More like "whenever one of an inherently-coupled pair of actions is morally allowed, the other of those actions is morally allowed". A moral system which allows one and not the other is self-contradictory.

In this case, a moral system which permits the right to sell a life but denies the right to buy a life self-contradicts; unless you believe that it's moral to trick someone into committing an immoral act (I do not), any attempt to exercise the right to sell one's own life would be inherently immoral because of the impossibility of doing so without causing someone else to perform an immoral act. The only way for the sale of one's own life to be moral is for the corresponding purchase to also be moral.

"we end up with a moral dilemma"

Only if you insist that buying is wrong while also insisting that selling is not wrong. When both are right or both are wrong, then there is no such self-contradiction.

> "whenever one of an inherently-coupled pair of actions is morally allowed, the other of those actions is morally allowed".

Why does that follow? I could understand it for actions you are morally obliged to do, but I fail to see why it follows for actions which are merely allowed.

A 6-year old boy is allowed to fall in love with his teacher, but she is not allowed to fall in love with him, so his love - even though morally allowed - can never be fulfilled. That is a perfectly fine situation, from a moral point of view.

A 6-year-old is not capable of informed consent. A 60-year-old man is.

Now you are discussing another topic.

They are intertwined, but the morals of buying are a lot clearer.

So what's your answer?

My answer is that if it can be sold, then it must be able to be bought. My right to sell my existence is meaningless without the right for others to buy it.

Amy attempt to assert otherwise - i.e. to try to sell something which nobody is allowed to buy - would be entrapment and - IMO - immoral. Either ban both sides or allow both sides; in this case, I'd vote the latter.

Let me try putting the question a different way. Suppose there is a way that society as a whole can make some of these purchases, designed to be as fair and moral as humanly possible. Now it's possible to have individual personal sellers without needing individual personal buyers.

Now you can answer this question by itself:

Is it moral to let a multi-billionaire buy someone's life?

If it's not moral for one person to do it, then is it moral for all people to do it collectively? The outcome is the same either way (an old man voluntarily dies and his children/grandchildren are significantly richer as a result); why would it matter who made that outcome possible?

So, then:

> Is it moral to let a multi-billionaire buy someone's life?

In the scenario you've now posited - i.e. one in which society is allowed to buy someone's life - it is moral for a member of said society to buy someone's life. Why would it not be?

There are lots of things it's moral for society to do but not a single person. Like run their own police for their benefit.

Yeah, but those things have a different outcome depending on whether it's a single individual or a society of individuals doing them (in that example: police being accountable to one person instead of the public as a whole).

This is different, since no matter what, an old man voluntarily dies for the financial benefit of his descendants. If the outcome is the same no matter who makes that happen, then I fail to see why one approach to doing so would be more or less moral than the other.

If anything, a single individual purchasing that old man's life would be more moral, since the alternative would be to compel an entire society (and specifically the members thereof) to bear that cost (both monetarily - i.e. via taxes - and the emotional cost of having killed someone). Given that the billionaire is (presumably) a member of society, the net impact is identical, but it's compartmentalized to a single individual who volunteered for those costs versus an entire society of individuals who might not have.

> If the grandfather consents to it, then what is actually wrong with him taking up that offer?

As it turns out consent[0] isn't enough in modern society (though, apparently, cannibalism is ok).

[0] https://www.theguardian.com/world/2003/dec/04/germany.lukeha...

You first -- on what principles do you think the grandfather's choice in your example should be illegal?

Illegal simply because it is murder, regardless how much money the murderer pays in advance.

Immoral because human life and dignity should not become a tradeable commodity. A society allowing this would quickly deteriorate into a system where the rich just buy the desired behavior from the poor, and we would end up with an oligarchy instead of a democracy.

Another angle to object would be Rawls's theory of justice: suppose you would have to design a society, but you wouldn't know into which place of this society you would be born into. You could be born as son of Bill Gates, or as daughter of the poor homeless beggar at the next corner. How would you design a society under these conditions?

Edit to state the central point clearly at the top: why do you think restricting their range of possible choices "protects the poor and weak" ?

If you have a shitty job, would you be better off getting fired? No, because presumably you already had the ability to quit. (Anticipating someone jumping on me for the analogy: I'm obviously not saying having a shitty job is equivalent to being in such dire straits that someone would consider selling their kidney. I recognize the a huge difference in degree. I'm just illustrating the point.)

> Immoral because human life and dignity should not become a tradeable commodity.

This is just restating your conclusion, not providing an argument.

> A society allowing this would quickly deteriorate into a system where the rich just buy the desired behavior from the poor

That's already the system we have. I can entice people to do all sorts of things that they would rather not do, because I have money, like cook food for me, build airplanes that I can fly in, and so on.

> and we would end up with an oligarchy instead of a democracy.

We're not talking about making it legal to spend money to influence voting or politics, so I don't follow this.

> How would you design a society under these conditions?

My argument doesn't even rely on this veil of ignorance! Even if I KNEW I was going to be reincarnated as a poor beggar, why wouldn't I design society to give myself more choices, rather than fewer? It's not like anyone would be forced to sell their kidneys if they don't want to.

The core idea is to limit the choices of the rich, not to limit the choices of the poor. You will be prosecuted if you buy a kidney, or if you kill a human, not if you sell a kidney or your life.

With respect to your interpretation of the veil of ignorance, if you knew you were going to be a beggar, why on earth would you want to design the society in such a way that selling your kidneys or life can become the best option left to you (or anybody else in that society)? And if you are able to design it in such a way that it is not the best option, then outlawing to buy such things would not impact your life as beggar negatively.

From your reply I think you did not entirely understand the parent's reasoning. I think you don't follow the consequences of your points to the end, where it becomes visible that they are not desirable. I believe that is what the parent is aiming at.

Instead of just saying that it's obvious, it's visible, etc., can you explain the reasoning?

One scenario is easy to figure out: Once it's simple for poor beggars to sell their kidneys, it becomes normalized and common. It's expected that you'll sell your kidney or you clearly don't need help that badly. The price drops from abundant desperate supply until it's only enough to live on for a few months. A few years down the road and you have just as many poor beggars but all of them are missing a kidney and less resilient to illness.

The root problem here is that if people are put in desperate situations, some amount of choice is forcibly removed from them. Certain agreements can't be fairly negotiated unless you remove the desperation first.

This may be so for 'some' US based websites or companies, but those of us with users worldwide tend to find it very essential to not violate the right and privacy of our users, in accordance with their countries' laws.

I don't believe any rights or privacy is being violated. That is the difference.

If you went to a privately owned and operated restaurant do you think it should be up to them whether the follow health codes or not? Do you think a consenting adult should be allowed to eat at one that chooses not to follow them? Do you think this consent should be explicitly granted or will a sign in the corner of the menu suffice?

No matter your answer to those questions I think we can all agree that just because they are a privately owned and operated company they have the right to do whatever they want.

We are all free to disagree with a law of course. It doesn't change it, however (and I like it).

If that's how you want to look at it ... you can consider the EU to be making the same offer to businesses "accept our terms or you can not use the EU".

Actually, Art. 6 GDPR does leave doors open besides consent, e.g. if "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

In that case, it's simply not consent, so instead of collecting void consent, which will get you into trouble, you should display a simple privacy notice that links to your privacy policy, where you explain your legitimate interests. That is what you have to do for first-party tracking, for session cookies than can be associated with a specific person, and even for log files that contain IP addresses.

If you offer a free digital newspaper, you may argue in court that your ad-funded offering could not exist without third-party advertising and analysis tools, and that your legitimate interest (secure funding via ads) aligns well with the interests of the data subject (read free news). National Data Protection Authorities have suggested that they consider valid consent necessary for third-party tracking, so it's a somewhat bold strategy, but in the end, the ECJ will have to decide.

Until the ePrivacy regulation arrives with some clarifications, we're effectively living in a limbo. Cases of blatant abuse aside, I doubt that we will see waves of draconian fines regarding third-party tracking until then.

Recommended reading: https://ico.org.uk/for-organisations/guide-to-data-protectio...

There is also this in article Article 7.4 (https://gdpr-info.eu/art-7-gdpr/)

> 4 It shall be as easy to withdraw as to give consent.

If you prompt me to accept on every page then you must also prompt me to decline on every page, otherwise you fail this test. Hiding the option to withdraw consent in some random settings page is obviously not as easy as clicking yes when prompted.

Most sites have already created all their tracking cookies before the user even sees the opt-in form too, which isn't compliant with the GDPR or the old cookie law.

So you want more pop ups? Because I'm sure they're willing to oblige.

Well, no, if they're required to harass the "consenters" equally to the "nonconsenters", then that (a) removes the motivation for users to fake consent just to get away from the harassment; and (b) motivates the site developer to choose an amount of popups that's actually appropriate for the UX they want, since that'll affect all users all the time.

If a site doesn't wants to cover itself all the time with a popup regarding cookies, then they're not allowed to cover itself all the time for users who never consent to tracking.

> If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach).

You can use absolutely no external tracking and be GDPR-noncompliant. In fact, an Apache web server running the default test page is technically noncompliant. Everyone loves to jump to the tracking ads and data selling, since they are easy targets, but the scope of the law is much broader than that.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact