GDPR guide for developers (cnil.fr)
120 points by homarp 4 months ago | 99 comments



I think the "Prepare for the exercise of people’s rights" part is critical.

If you are a software architect, you need to ask yourself: can I delete a single user's data across all my infra easily? If not, you might be in trouble a couple of years later when you are hit with thousands of deletion requests and technically can't honor them.

Another side of tech debt I guess!


You can answer no to that and still be GDPR compliant. You’re allowed to save personal information that is critical to your business. People can’t buy stuff from you and demand you have their payment data deleted before you charge them, or right after they do a charge back of money paid to you for instance.

It’s probably healthy to design systems that are built to let people manage their own data though. I think people will slowly start to expect that of you in the future as more and more solutions start to offer it.

In the public sector of Denmark we give people access to all their health data. When I have blood drawn for analysis (not English and I don’t know what it’s called sorry) I can log in and see the results exactly like the doctor sees them. When I’ve been to a doctor's consultation and she’s written stuff in my journal I can log in and read it. People are going to want that stuff once they get used to it.


You can answer no to that if you only store information that you legally have to keep.

Chances are, that's not the case.


Companies legally have to keep a ton of information as soon as they process any payment. High chances are your company gets money from its customers so it can keep all kinds of information almost indefinitely.

The only notable exception is ad business because "users" are not customers and do not enter any transactions.


There's actually 6 lawful bases for processing data https://ico.org.uk/for-organisations/guide-to-data-protectio... though deciding which is applicable in a given situation is not straightforward.

The legal basis is actually quite broad. For example, most companies need to keep records for accounting purposes for several years which would count as a lawful basis. Another example would be keeping client data in case you need to protect yourself against potential future litigation e.g. a gym may need to protect themselves against personal injury claims (otherwise you could injure yourself, ask them to delete the records and then sue them).


As the chart explains, only public interest and legal requirement trump the right to erasure. Legitimate interest does not.

A legal requirement is "you shall retain these data for N years or face prison time" not "this might be helpful in a lawsuit"


You are right. The rights of the user depend on the legal basis you choose.

This is covered here[1]

Basically:

* The right to object is not applicable if your processing is based on contract, legal obligation or protection of vital interest

* The right to erasure is not applicable in case of a legal obligation or public interest

[1]https://github.com/LINCnil/GDPR-Developer-Guide/blob/master/...


.. and since one is obliged to keep 10 years of history for tax auditing reasons, the whole point becomes moot.

Yes, you can ask that your avatar image be removed. But they can easily claim that your name, address, bank account number are needed for tax auditing and Know Your Customer purposes.

https://en.wikipedia.org/wiki/Know_your_customer


I wouldn’t say the _whole point_ becomes moot. As you have to have a legal basis for each type of data that you are storing or processing, relying on different legal bases can add complexity to the problem of a deletion request. Just because you have to retain some information does not give a free pass to retain everything.

Also, remember that data subjects have a right to limit the purposes for which their data is used – systems need to be able to cope with that.

This is where a well thought-out and documented approach to personal information makes everything easier, for internal users of that data too. For legacy systems it can be a nightmare because nobody seemed to care, but with a clean sheet, _why wouldn’t you_ address data protection and privacy from the outset?


Sure, but only if you then never process that data for reasons not covered by your legal basis and privacy policy. It's not only the collection of data that is covered by the GDPR - it's any processing as well.

Easiest way to do this is probably to duplicate data into another table for tax audit purposes, that your "normal" applications have no permission to read. Then you can delete everything your application can access and still keep legal records.


One thing about GDPR that I've never heard answered convincingly - when a user requests deletion of all of their personal data, does that include also any history of the deletion request itself?


My understanding is keeping the deletion requests fulfils a legitimate business interest, so no - I would not delete the request. What we do is we keep those in a separate system, since the user records themselves (in my app, crm, etc) would be removed. That system is also how we "prove" that we executed the deletion requests in a timely manner


This all depends on what the legal basis for your processing personal data is in the first place.

There are several possible legal bases for processing personal data and legitimate interests is one; if legitimate interests wasn't your reason for processing personal data in the first place, then you couldn't rely on it later.

If legitimate interests were the basis for your processing, and a person requested their data be deleted, you have to be able to demonstrate that your legitimate interest overrides their rights. You should probably also demonstrate there aren't other steps you could reasonably take, eg partially deleting or anonymising the data.


Keeping the deletion request itself may actually be necessary to ensure that after you delete the requested data it stays deleted.

I didn't save the link but at least one country's privacy regulator has said that when processing a deletion request you do not have to go through all your backups and remove the data from them too.

If you ever have to do a restore from those backups you will need to re-apply past deletion requests to the restored data before you start using it.
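The two comments above describe the same mechanism from two sides: a separate record of erasure requests that proves they were honoured in time, and re-applying that record to any backup restored later. The following is an added example (not code from the thread or from the CNIL guide) of such a ledger. It assumes a constructed HMAC key so the ledger stores a keyed hash rather than the raw user id, and it approximates the one-month statutory deadline as 30 days; both are assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed secret for this example: pseudonymises user ids so the ledger
# itself holds no directly identifying data. Never hard-code a real key.
LEDGER_HMAC_KEY = b"example-only-ledger-key"

# Assumption: the "within one month" deadline is approximated as 30 days.
FULFILMENT_LIMIT = timedelta(days=30)


def erasure_token(user_id: int) -> str:
    """Keyed hash of the user id; the ledger stores this instead of the id."""
    return hmac.new(LEDGER_HMAC_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


def record_erasure(ledger: list, user_id: int, requested_at: str, erased_at: str) -> dict:
    """Append an entry proving when the request arrived (ISO timestamp) and when it was executed."""
    entry = {
        "token": erasure_token(user_id),
        "requested_at": requested_at,
        "erased_at": erased_at,
    }
    ledger.append(entry)
    return entry


def fulfilled_in_time(entry: dict) -> bool:
    """True when the erasure was executed within FULFILMENT_LIMIT of the request."""
    requested = datetime.fromisoformat(entry["requested_at"])
    erased = datetime.fromisoformat(entry["erased_at"])
    return timedelta(0) <= erased - requested <= FULFILMENT_LIMIT


def reapply_erasures(restored_rows: list, ledger: list) -> tuple:
    """Drop rows of already-erased users from a backup restored after their erasure.

    Returns (rows_to_keep, number_dropped). Restored rows carry the raw user id,
    so the token is recomputed here and matched against the ledger."""
    erased = {e["token"] for e in ledger}
    kept = [row for row in restored_rows if erasure_token(row["user_id"]) not in erased]
    return kept, len(restored_rows) - len(kept)


# Constructed sample: three user rows as they might come back from an old backup.
SAMPLE_BACKUP_ROWS = [
    {"user_id": 41, "email": "first@example.invalid"},
    {"user_id": 42, "email": "second@example.invalid"},
    {"user_id": 43, "email": "third@example.invalid"},
]


def demo() -> dict:
    """Erase user 42 two days after the request, then restore the sample backup."""
    ledger = []
    entry = record_erasure(ledger, 42, "2020-05-01T09:00:00+00:00", "2020-05-03T09:00:00+00:00")
    kept, dropped = reapply_erasures(SAMPLE_BACKUP_ROWS, ledger)
    return {
        "in_time": fulfilled_in_time(entry),
        "kept_ids": [row["user_id"] for row in kept],
        "dropped": dropped,
        "ledger_has_raw_id": "42" in entry.values(),
    }


if __name__ == "__main__":
    print(demo())
```

The restore procedure is then "load the backup, run reapply_erasures over every table keyed by user id, and only then put the data back in service"; the ledger itself only needs the token and the two timestamps to answer a regulator's question about timeliness.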


It's a good question and I don't think any DPA has said anything specifically on this issue. But if your logs contain personal data related to the user who made the deletion request, you might be in trouble. And personal data has a very broad definition.

But honestly this is a very minor point, if that's what is keeping you up at night, you are amongst the most compliant ones!


Yes, you can do even more, you can put all that user data in some offline storage as long as you can justify that you need this (which is very often the case).

GDPR is mostly about processing user data, not storing them. So a user can execute the "right to be forgotten", so the data will not be accessible in any way and you are not allowed to process them; however you have full right to keep those data if you believe that this user might show up five years later and try to sue you for a, say, undelivered order, etc.

In that particular case you need to be able to prove that the user wanted to delete the data. Otherwise the user might sue you for having deleted those data without agreement and caused some business losses that way.

Some third party might also show up and accuse you of having deleted data as part of a conspiracy with the user (think of angry former wives/husbands).


>GDPR is mostly about processing user data, not storing them.

Storage is considered as processing.

But yes, you're right that the Right to Erasure is not absolute.


As everything with GDPR the question is - do you need that data for your operations? E.g. if you need to keep it to inform your infrastructure to not store the data anymore, then yes, you can. If you don't need to keep it, then no.

If you use it to block the user from using your service or punish them in some other way, that might be very problematic in a legal sense.


The focus of the spirit of GDPR is PII at its core. Communications with the user such as email exchanges, transaction records, etc are fine to preserve as long as all PII have been scrubbed and are dissociated from the user.


To be more precise, the focus of the spirit of GDPR is processing of personal data.

When you receive a deletion request, you must delete the data and stop using it from anywhere you don't have a legitimate reason to continue processing it under one of the reasons for processing personal data without user consent.

Which is easier said than done, because it's against general development practice of having a single copy of any data that you use everywhere without much checking. Instead, you have to either check a flag before using data (do I have consent? Has it been revoked?), or keep several copies of the same data for distinct use (for example, one copy for your app, one copy for legal reasons). The first approach helps you to be able to prove consent. The second approach helps you when you need to archive data past its retention date.
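The two approaches above (a consent flag checked before each use, and a separate copy kept only for the legal basis, which an earlier comment in this thread suggested as a table the normal application cannot read) can be sketched in one small schema. This is an added example, not code from the thread or from the CNIL guide: it uses an in-memory SQLite database, assumes the 10-year accounting retention period mentioned in the thread, and the table and column names are invented for the example. SQLite has no roles, so the part where the application account is simply not granted SELECT on the archive table is not shown; in Postgres or MySQL that is a GRANT on a separate role.

```python
import sqlite3
from calendar import monthrange
from datetime import date

# Assumption: accounting records are kept for the 10 years mentioned in the thread.
LEGAL_RETENTION_YEARS = 10


def add_years(day: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    year = day.year + years
    last_day = monthrange(year, day.month)[1]
    return date(year, day.month, min(day.day, last_day))


def place_order(conn, user_id, customer_name, amount_cents, today: date) -> int:
    """Write the live order and, in the same transaction, an accounting copy with a retention date."""
    with conn:
        cur = conn.execute("INSERT INTO orders (user_id, amount_cents) VALUES (?, ?)",
                           (user_id, amount_cents))
        order_id = cur.lastrowid
        conn.execute(
            "INSERT INTO legal_records (order_id, customer_name, amount_cents, retain_until) "
            "VALUES (?, ?, ?, ?)",
            (order_id, customer_name, amount_cents,
             add_years(today, LEGAL_RETENTION_YEARS).isoformat()),
        )
    return order_id


def build_demo_db() -> sqlite3.Connection:
    """Live application tables plus a separate legal archive, filled with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            email TEXT NOT NULL,
            marketing_consent INTEGER NOT NULL DEFAULT 0   -- first approach: a revocable flag
        );
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES users(id),
            amount_cents INTEGER NOT NULL
        );
        CREATE TABLE legal_records (                       -- second approach: a separate copy
            id INTEGER PRIMARY KEY,
            order_id INTEGER NOT NULL,
            customer_name TEXT NOT NULL,
            amount_cents INTEGER NOT NULL,
            retain_until TEXT NOT NULL                     -- ISO date, purged by a cron job
        );
    """)
    conn.executemany("INSERT INTO users (id, email, marketing_consent) VALUES (?, ?, ?)",
                     [(1, "alice@example.invalid", 1), (2, "bob@example.invalid", 0)])
    place_order(conn, 1, "Alice Example", 1999, date(2020, 6, 1))
    place_order(conn, 2, "Bob Example", 500, date(2020, 7, 1))
    return conn


def may_send_marketing(conn, user_id) -> bool:
    """Flag check before every marketing use: consent must be present and not revoked."""
    row = conn.execute("SELECT marketing_consent FROM users WHERE id = ?", (user_id,)).fetchone()
    return bool(row and row[0])


def revoke_marketing_consent(conn, user_id) -> None:
    with conn:
        conn.execute("UPDATE users SET marketing_consent = 0 WHERE id = ?", (user_id,))


def erase_user(conn, user_id) -> dict:
    """Honour an erasure request on everything the application itself can reach.

    legal_records is deliberately untouched; it expires through purge_expired_legal_records."""
    with conn:
        orders = conn.execute("DELETE FROM orders WHERE user_id = ?", (user_id,)).rowcount
        users = conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    return {"orders": orders, "users": users}


def purge_expired_legal_records(conn, today) -> int:
    """The cron-job side: drop archive rows whose retention period has ended.

    `today` may be a date or an ISO date string."""
    today_iso = today.isoformat() if hasattr(today, "isoformat") else today
    with conn:
        return conn.execute("DELETE FROM legal_records WHERE retain_until <= ?",
                            (today_iso,)).rowcount


def count_legal_records(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM legal_records").fetchone()[0]
```

Erasing user 1 leaves exactly one archive row behind, with its own expiry date, and the marketing check fails closed for a user who no longer exists or who has revoked consent.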


GDPR personal data is any record pertaining to an individual. That definitely includes transactions and communications.


This is completely meaningless. PII is a term from US legislation and has nothing to do with GDPR.


Not "PII", personal data.

PII is a US legal term and means precisely nothing in the context of the GDPR.


If you remove PII, then whatever you are left with is no longer personal data.


No, the GDPR's definition is broader and has been in use in EU privacy regulations for a decade prior. It's every piece of information that can be linked to an individual, even indirectly.


Exactly - when you remove all PII, you are left only with data that cannot be linked to the individual, even indirectly.


It means remove any data that identifies the individual. So saving data that is not identifying is fine, saving a record of there having been a request is also fine, saving identifying data that is part of the request is not fine.

There are also limits placed on this by other laws. For example tax agencies often require companies keep sales records for multiple years. A request for deletion doesn't remove all invoices from sales records with their name on it. I imagine there are more examples, but I think it gives a good indication that GDPR is not where the buck always stops.


Hope it's not off-topic: what I still don't understand is how with regulations like this an OS like Windows can get away with the things it does. I mean, maybe there's some legal reason, but my common sense can't process it.


There is very little interest in actually enforcing the GDPR, that's the problem. In the UK I've reported a dozen companies, (both big and small) to the regulator and it led absolutely nowhere.


There is a lot of interest, but EU DPAs far prefer trying to educate and move the needle slowly than hit a lot of companies, killing them.

I would point out that, if not for Covid, the UK DPA had planned to kill multiple adtech companies during the summer. They had announced it.

There is enforcement. It is just slow because the DPAs prefer working with companies and the business side so they can become compliant instead of randomly hitting.

They are here to enhance everyone's rights, not to collect fees to fill state coffers.


I'm confident Microsoft wouldn't be killed by enforcing the law on them.


As I understand it (from talking to people who have worked closely with the ICO in the UK) they're basically very understaffed and so prioritise the low hanging fruit e.g. big companies committing the most serious violations.


> so prioritise the low hanging fruit e.g. big companies committing the most serious violations.

Facebook and Google are still around and I haven't heard about them being investigated in the UK so something doesn't add up.


I can echo that.

AFAIK many companies specifically choose their country of hosting by the amount of understaffedness (one prominent host-country to many global tech giants has a staff size in the very-low single digits).


This is because the real purpose of GDPR is to prevent small startups with few financial resources and no legal team from being able to compete with big corporations with limitless financial resources and top legal teams.

This is part of a broader strategy by corporations to create an economic environment which smothers startups before they can even get started. Saves them acquisition costs later.

When politicians get out of office, they have a nice highly paid corporate job waiting for them.

As governments keep introducing more regulations, eventually everyone in the world will be breaking some kind of law whenever they do anything at all. That will allow governments to selectively imprison anyone who is working against the personal interests of the political and financial elite.


This seems like a great case for Hanlon's razor ("Never attribute to malice that which is adequately explained by stupidity"). Rather than a huge high-level conspiracy between corporations and government, it seems much more likely that the people drafting the law just didn't realise (or didn't care) how much impact it would have on small companies.


Hanlon's razor is great. I feel it's important to always keep it in mind once you see something stupid (or evil) being done. Stupidity is the most likely explanation, but malice is the most satisfying.

I think politicians really care about these things. But these big sweeping laws and changes are because of hubris (but then again, the job selects for that).

Society is damn complicated, everything affects everything. Making a change in one small part propagates quickly and unpredictably. But politicians don't internalise that (of course, if they did they would never get elected on the platform of "stuff is complicated, I don't know if this will help!").

So they see a problem. Our information is being used maliciously! We need to stop that! Protect the people! So some massive law gets passed with tons of unintended side-effects and it's captured by big corporations at the speed of light.


Sure, a lot of people in government would also think that way. But there are also many very smart people behind the scenes who are using well-meaning but not-so-smart politicians for their own intelligent agendas. To suggest that armies of highly paid corporate executives are just a bunch of idiots who sit on board meetings and don't deliver any value back to their companies through political manipulation is not credible. We know that they fund think tanks and that they hire politicians after their term finishes - This is not some conspiracy theory, this is a fact. All the incentives are perfectly aligned towards that end.

Besides, I don't see how stupidity and evil are mutually exclusive. Historically, they seem to always go hand in hand.


Or, the law works just fine and "hey, I want to steal user data without any consequences" is just not a good business model. Millions of small companies work just fine and have zero problems with GDPR. Only a very specific subset (mostly web companies that don't want to ask people for money, but instead sell their data) have real problems and cry loud.


I think it's likely that some EU politicians saw how bad the data retention act was and how it'll only be getting worse. They decided to do something about it, but when it got time to put down the details companies got involved and the end result helps those companies without most of the politicians noticing. I'm sure a decade from now they'll be confused about how the EU is still lagging behind in tech.

This isn't the first time the EU has done something that screws small businesses. VAT on digital goods was another case (there was no minimum threshold). At some point it'll start to seem intentional.


Define "tech". I'm working on a tech company which does something novel and important and have no issue complying with the GDPR - I'm aware of what data I'm processing, and what third parties I'm integrating with. I don't store or process data in ways that aren't necessary for the use of my software. I make a copy of data that I need to keep for legal/liability audit purposes into a separate system, where there's a cron job which deletes it after it's unnecessary. Deleting a user's data is as simple as DELETE FROM users WHERE id = ?, and I'm happy to do that because it means one fewer user's data which might be accessed in a security breach. I don't need a GDPR consent dialog or a cookie popup, because I don't do anything which needs either of these - I don't have any cookies aside from a login cookie, and I don't process data in unnecessary ways. I have a document which specifies what data I store and what I use it for, from which I can derive a privacy policy.

So... define "tech". If you mean "adtech", say that.


So what do you do when you need to fix a bug and need logs and other information from users? How do you track all of that data on developer machines? How does your system delete data from all backups? Do you have an automated system a user can request all their data from? How do you validate that they are who they say they are? How sure are you that all your processes are legally enough? How much did all of this cost?

I do mean tech. An industry tends to breed more of the industry. Adtech is part of tech and a lot of online businesses rely on ads. If you remove that you also remove a large chunk of people that would work on this type of tech. Then some of them instead end up working for some US company. Europe has a much larger population than the US. Europe is largely as educated as the US. Where's our Microsoft, Apple, Google, Amazon, Samsung, Sony etc? We have SAP and that's it.

Edit: I like the idea of GDPR, but I cannot stand how people think it has no cost. A large portion of the internet relies on the ad industry.


To answer your edit - advertising does not imply individual user tracking without consent. There was and continues to be advertising without individual user tracking. There are also plenty of businesses that are able to start up without relying on advertising for income at all.

There's a cost to not having the GDPR - that of our individual privacy.


> So what do you do when you need to fix a bug and need logs and other information from users?

Due to the minimal privacy implications, logs which (a) only store the minimal personal information feasible, (b) are deleted after a short period of time, and (c) are accessed in order to fix bugs or provide requested support are covered under the legitimate interests basis, according to my country's regulator.

> How do you track all of that data on developer machines?

I don't, it doesn't wind up on developer machines, it never gets copied out of the system where it's stored - it can be viewed "in situ". For the vast majority of personal data in the vast majority of companies, you're allowed to assume that employees who have a reason to access it are not stealing it. If you get to a point where you're not one of these companies, you know about it, because you're already doing things like "hiring a lawyer to write our privacy policy".

> How does your system delete data from all backups?

I don't, but my policy will state how long backups are stored for as recommended by my regulator, and my process for restoring from them will involve deleting data which has been deleted for legal reasons since the backup - basically, "re-run the DELETE FROM query for everyone who's asked for their data to be deleted".

> Do you have an automated system a user can request all their data from?

Nope, but that isn't legally required by the GDPR - it's an operational efficiency if you're the sort of company that gets a lot of GDPR requests. Manual processing is fine and likely operationally efficient, as long as you know where personal data is stored in your system.

> How do you validate that they are who they say they are?

My intention is to respond with "you can verify your identity by logging in at https://X/login with your username and password and sending us your 'support code' from the settings page", handle password resets via email according to industry standard, and anything else I can respond with "we cannot verify your identity using the information you have provided" because, well, I don't hold other information I can verify people with.

> How sure are you that all your processes are legally enough?

Given that I am not an adtech company and have documentation showing that I am attempting to comply, I expect that my regulator will follow the approach they've taken so far, which is to notify me of a potential breach of the regulations and allow me to fix it before attempting to fine me. By the time I am in court I will have known about a potential breach of regulations for several months, including communication with the user and regulator, and will have had an opportunity to either fix the alleged issue or talk to a lawyer about it.

Europe has a fair chunk of tech, btw. SUSE's here, Spotify's here, Adyen's here, BlaBlaCar is here, there's a variety of food delivery companies which are generally being far more sustainably successful than their US-based counterparts, Skyscanner are here. TransferWise is here. The difference is that our companies largely have a business model from an early stage, and US companies don't, so they take up huge amounts of the market for a short period of time and then go bust.


In what way does "Don't track people without clear permission, make sure you have a good reason to collect data, draw up a privacy policy and have someone be responsible for it" smother start ups?

Because that's basically all you need for compliance here.


The Sheet #16 about cookies and third-party trackers is quite interesting:

    ## To benefit from the exemption from consent
    
    **Subject to a number of conditions**, cookies used for audience measurement are exempt from consent.
    **These conditions, as specified in the [guidelines on cookies and other trackers](https://www.cnil.fr/en/cookies-and-other-tracking-devices-cnil-publishes-new-guidelines), are**:
        * To inform users of their use;
        * To give them the ability to object to their use;
        * To limit to the following purposes only:
            * audience measurement;
            * A/B testing;
        * Not to cross-check the data processed with other processing (customer files, statistics on visits to other sites, etc.);
        * To limit the scope of the tracer to a single site or application editor;
        * To truncate the last byte of the IP address;
        * To limit the lifetime of the trackers to 13 months.
    
    Provided that the conditions are met, **we therefore switch from an opt-in to an opt-out regime**.
    It is also possible for the same third party (subcontractor) to provide a comparative audience measurement service to multiple publishers, provided that **the data is collected, processed and stored independently for each publisher and that the trackers are independent of each other**.
    
    ## In practice
    
    **Most large audience measurement offerings do not fall within the scope of the exemption, regardless of their configuration**.

That's what I thought: when websites welcome you with a giant popup "Manage your consent" with a gazillion third-party trackers all opt-in (and you need to disable them one by one), they are actually not GDPR-compliant.
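Two of the conditions quoted from Sheet #16 are mechanical enough to check in code: truncating the last byte of the IP address, and capping tracker lifetime at 13 months. The following is an added example, not code from the thread or from the CNIL guide, showing both on constructed access-log lines (the first field is the client address, as in the common log format). Zeroing only the last byte is what the quoted condition says; the `zero_bytes` parameter is this example's own generalisation for teams that want to drop more, and the calendar-month arithmetic for the 13-month limit is an assumption about how the period is counted.

```python
import ipaddress
from calendar import monthrange
from datetime import date

TRACKER_MAX_MONTHS = 13  # lifetime ceiling quoted from the CNIL sheet


def truncate_ip(address: str, zero_bytes: int = 1) -> str:
    """Zero the trailing bytes of an IPv4 or IPv6 address.

    The default of one byte is the condition quoted from the CNIL sheet; larger
    values are this example's extension."""
    raw = bytearray(ipaddress.ip_address(address).packed)
    for i in range(1, zero_bytes + 1):
        raw[-i] = 0
    return str(ipaddress.ip_address(bytes(raw)))


def anonymise_access_log(lines):
    """Rewrite the client address (first field) of each log line; leave non-address lines alone."""
    out = []
    for line in lines:
        first, sep, rest = line.partition(" ")
        try:
            out.append(truncate_ip(first) + sep + rest)
        except ValueError:  # first field is not an IP address (comment, malformed line)
            out.append(line)
    return out


def add_months(day: date, months: int) -> date:
    """Calendar-month addition, clamping the day to the target month's length."""
    idx = day.month - 1 + months
    year, month = day.year + idx // 12, idx % 12 + 1
    return date(year, month, min(day.day, monthrange(year, month)[1]))


def tracker_lifetime_ok(set_on: str, expires_on: str) -> bool:
    """True when a tracker set on `set_on` expires no later than 13 months afterwards (ISO dates)."""
    start = date.fromisoformat(set_on)
    end = date.fromisoformat(expires_on)
    return end <= add_months(start, TRACKER_MAX_MONTHS)


# Constructed sample lines in common log format, plus one comment line.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '2001:db8::1234 - - [10/Oct/2020:13:55:40 +0000] "GET /about HTTP/1.1" 200 512',
    '# rotated by logrotate',
]


def demo():
    return anonymise_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that for IPv6 a single zeroed byte still leaves a /120, which identifies a single host in most deployments; the quoted condition is stated per byte, so anyone extending it to IPv6 should decide on a wider mask and document it.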


Indeed they are not.

What they are hoping is that - a) Nobody is going to hold them to real compliance b) User fatigue and dark patterns will make you just click "OK, fine" to everything and then they can claim to have permission.

The problem is that 'b' there pretty much rules out the possibility of freely given, informed consent, and makes the whole exercise pointless.


Yeah, barely anything is compliant. Though I’ve recently encountered a bunch of sites that are, so maybe things are slowly changing.


What is the largest GDPR fine yet for a violation specifically about website consents?

I have seen some large fines but all seem to be of "backend" violations. It would be nice if there could be a handful of large high profile sites given a huge fine for having one of those annoying popups with everything opted in.

There seem to be companies selling blatantly noncompliant GDPR popup tech too. That has got to be the most snake oil thing ever.


> What is the largest GDPR fine yet for a violation specifically about website consents?

I don’t think anything big. Which is a shame, because as long as that continues, the fake-compliance popups will continue.

> There seems to be companies selling blatantly noncompliant GDPR popup tech too

We are using one of those (Sourcepoint [0], we don’t pay for it though), they are very configurable, you can be as compliant or non-compliant as you want with their settings. They support all variations.

[0]: https://www.sourcepoint.com/


> What is the largest GDPR fine yet for a violation specifically about website consents?

200 million for British Airways according to https://www.enforcementtracker.com/


Different type than what OP asked for.

> The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.


My bad, misread the reason. I looked for cookie and it seems to be 30k then, to Vueling airlines:

> (...) for not giving users the ability to refuse their cookies and force them to use them if they want to browse its website. In other words, it was not possible to browse the Vueling page without accepting their cookies.


Nice find. There are 3 others related to cookies, seems only Spain is going after them so far and only after the violators who don’t even pretend to be compliant. I think some of those were already violating the GDPR’s predecessor.


Skimming, looks like a lot of these are generally good ideas regardless of GDPR. For instance:

"Assess the value of adding each dependency. Some commonly used software bricks are only a few lines long. However, each added element is an increase in your system’s attack surface. In the case where a single library offers several functionalities, integrate only the functionalities you actually need. By activating the minimum number of functionalities, you reduce the number of potential bugs that could occur."

The context is that an external library can mishandle personal info, but this is true even if you didn't care at all about security and privacy.



100% of our customers would not accept the costs of strictly following these requirements. They are for sure good advice, but not very practical in everyday web dev life.


100% of your clients are fine with ignoring current laws?

Sounds dystopian


Maybe they run a fancy bittorrent tracker?


A competitor might be able to implement a conforming product quicker or easier than you can adapt yours.

So a competitor can charge customers less. That in turn will mean your business will disappear, and the conforming implementation will still be around.

This is part of the point, isn't it?


Currently our known direct competitors' GDPR solution is no different from our own. It consists of a standardized policy that summarizes GDPR rights and a checkbox added to every registration/contact form to accept that policy. That's all. And I'm sure no one will really read that policy before accepting it. Like no one reads the cookie policy before accepting it to close the annoying cookie banner on every site they visit.


> Like no one reads the cookie policy before accepting it to close the annoying cookie banner on every site they visit.

You shouldn't have to read anything, that's the point. GDPR is the law that recognizes that people will never read, so the only protection possible is to both a) make acceptance explicit and b) make opt-out the default.

That is - if I just "accept" the policy or click accept to enter the website, I must be sure that I only accepted the minimum you need to perform the business task, and not e.g. 3rd party advertising cookies, regardless of whether those cookies are what keeps the lights on.


>100% of our customers would not accept the costs of strictly following these requirements.

This seems to apply in pre-GDPR codebases which I'm not sure this guide has taken into account. It probably is a lot less costly to architect an application from scratch, therefore easier to justify to a customer.


Which costs? The costs of not having privacy-invading ads?

How much is it costing you to have all the ad cookies and trackers compared to their returns?


GDPR covers every database, replica, cache, log file, VM snapshot, etc. everywhere.

Do you know how to edit an individual out of the Postgres WAL in last week's full disk backup?


I don't. That's why that's not how it's usually done.

You either maintain a deletion list for when you recover backups (which is tricky) or you keep data encrypted with a different key for each user, then delete the key to forget the corresponding information

Hence the importance of data minimization and governance
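The second option in the comment above, a distinct key per user whose destruction makes every surviving copy of that user's data unreadable (including the WAL segments and disk snapshots the question asked about), is sometimes called crypto-shredding. The following is an added example, not code from the thread or from the CNIL guide. Because the Python standard library has no authenticated cipher, it uses an HMAC-SHA256 keystream in counter mode plus an encrypt-then-MAC tag as a stand-in; a production system would use an AEAD such as AES-GCM from a real crypto library and keep the per-user keys in a separate key store or HSM, which is what makes the key's deletion meaningful. Store layout and function names are this example's own.

```python
import hashlib
import hmac
import os


class CryptoShredStore:
    """Per-user keys kept separately from the ciphertext they protect.

    `keys` stands in for a key store; `blobs` stands in for the database plus
    every backup of it, which is why erasure never has to touch `blobs`."""

    def __init__(self):
        self.keys = {}    # user_id -> 32-byte random key, deleted on erasure
        self.blobs = {}   # user_id -> nonce || ciphertext || tag


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one user key into independent encryption and MAC keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real stream/AEAD cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob was modified or wrong key")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def store_personal_data(store: CryptoShredStore, user_id: int, text: str) -> int:
    """Encrypt under the user's key (created on first use); returns the stored blob length."""
    key = store.keys.setdefault(user_id, os.urandom(32))
    store.blobs[user_id] = _seal(key, text.encode("utf-8"))
    return len(store.blobs[user_id])


def read_personal_data(store: CryptoShredStore, user_id: int):
    """Plaintext for the user, or None once the key has been destroyed."""
    key = store.keys.get(user_id)
    if key is None or user_id not in store.blobs:
        return None
    return _open(key, store.blobs[user_id]).decode("utf-8")


def forget_user(store: CryptoShredStore, user_id: int) -> bool:
    """Erasure by key destruction: every copy of the ciphertext becomes unreadable."""
    return store.keys.pop(user_id, None) is not None


def ciphertext_still_present(store: CryptoShredStore, user_id: int) -> bool:
    """Simulates the copy that lingers in a backup after erasure."""
    return user_id in store.blobs
```

The deletion list approach mentioned in the same comment has to be re-run against every restored backup; with per-user keys the restore procedure needs nothing extra, at the cost of having to encrypt every personal field from day one and to manage one key per data subject.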


This site was made by an agency that sells privacy and compliance services. It is in their direct interest to sell the GDPR as an extremely complex problem that you need their help with solving.

Laws are generally complex, GDPR isn't really special in that sense; it's just newer than the rest. You can probably draft a similarly complex 16-page document for your country's/state's employment laws too, but that doesn't mean you need to work through all of that mess when hiring your startup's first five employees.

In reality, if you honor user data deletion requests, don't track people without asking (with easy "no"), and follow proper modern security practices, you're already so far ahead of the majority of tech businesses wrt the GDPR that you're good. Or at least, that's my impression.


cnil is https://en.m.wikipedia.org/wiki/Commission_nationale_de_l%27...

Its name in French means 'National Commission on Informatics and Liberty'; it is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data. Created in 1978. National data protection authority for France.


Thanks! I was wrong about that one.


This site is not made by an agency that sells anything (as far as I know). It is made by the French government agency which enforces the GDPR and whose main mission is helping out companies complying with the GDPR (distributing fines is NOT their goal, they will only fine companies as a last recourse).

As such, it's one of the best guides you can find around, because everything you find in there is almost guaranteed to be exact (contrary to some companies selling compliance tools that are not compliant, or a random blog on the internet). And if there is any mistake there, well you can refer the CNIL to its own guide when they investigate you.

Obviously they want to make a guide to get to 100% compliance, but as you said in your last sentence, they indeed don't have the manpower to investigate everyone, and if you are generally respectful of your users' privacy, you don't handle sensitive data at a large scale and don't have any complaint against you, they have no reason to ask you for documentation (which is generally going to be the first step of an investigation).


It is a bit saddening to read your take on this guide.

The goal is specifically to make the GDPR less daunting and more accessible! I guess it missed the mark.

But yeah, the GDPR has to formalize a lot of common sense practices; if you don't consider your users as a "data trove" you want to abuse, you will be mostly ok!


>you will be mostly ok!

But you won't. Mostly OK does not protect you from ruinous lawsuits or investigations. With the way the justice system works on the EU level I would never trust "mostly OK". We had an EU court find that posting factual information about a religion was blasphemy and not protected as freedom of speech as a human right.[0]

[0] https://en.wikipedia.org/wiki/E.S._v._Austria_(2018)


The ECtHR is not an EU institution. If you want to be angry at someone about that case, be primarily angry at Austria for their law. (Although I'd appreciate it too if the EU states gave themselves an updated set of protections in these areas, without some of the compromises the convention has)


Why would Austria's law matter? Freedom of speech is either protected as a human right in the EU or it's not. This case shows that the judicial system in the EU thinks it's not protected. If the officials can't even get something like this right, then how are they ever going to get anything else right?

Just because they aren't an official EU institution doesn't mean much. It's still largely the same culture and legal traditions running it and every EU country is under it.


Because they were sentenced in Austria, under Austrian law, and the ECtHR can merely check if that violates the convention (which is an agreement by states, which explicitly added a clause allowing local laws to add those restrictions). And given that the convention on human rights includes states like Russia, Turkey and Azerbaijan, there's some different standard to be expected. (which is why I think the EU should maybe have their own, narrower convention on top of it. Which again is something the states need to do in the end, and Austria could just fix their own laws first if they thought that needed doing)


I totally agree with your view. The same can be expanded to many services that sell cookie approval management solutions.


HN is not GDPR compliant. There's no way to get your account deleted. There are only anecdotal stories of someone getting it done via email and those are countered by claims of others of no success.


Does HN specifically cater to EU residents in any way?


Does that matter? As long as you collect data from EU residents, such as an email, then you have to comply. That is at least how I understood it, is that not the case?


It does, see recital 23: https://gdpr-info.eu/recitals/no-23/


YCombinator does business in Europe, so yes, they do cater to EU residents.


That might not mean that all its activities fall under the GDPR though.


GDPR is a massive inconvenience. In theory it sounds good; in practice you just have to click an annoying number of accept buttons. There should have been more debate around this set of rules, not just a top-down diktat that is disconnected from reality.


> in practice you just have to click an annoying number of accept buttons.

That's because those sites want to track you, for profit, and they usually want to confuse you into agreeing in the weakest way possible.

These popups are entirely unnecessary, if sites would just stop tracking you and allowing third parties to track you.


>These popups are entirely unnecessary, if sites would just stop tracking you and allowing third parties to track you.

Yeah, who needs money to operate a service anyway. Can't they just be happy that I'm even willing to consume their content?! These websites do that so that they can provide the website in the first place. If they didn't then there would be no website for you to complain about.


> If they didn't then there would be no website for you to complain about.

Oh no, my business model of selling everything I can glean about you in exchange for some recycled 'content' is under threat! Oh noes!

If you can't operate without tracking and you can't legitimately and consensually persuade people to participate in it without resorting to dark patterns and hiding controls, your business is no longer viable, sorry. Find a new model or make way for someone else that can.


You are entirely free to show ads and to charge money. The popups are only necessary if you additionally want to spy on users.


And by "spy on users" you mean "show ads that might at least remotely be relevant to the user"? The world is a lot bigger than the US. If there was no targeting of any kind then half of the ads you'd see would be in languages you can't even understand. Hell, that's the situation right now if you live in certain places in the world and this is with some tracking!


> If there was no targeting of any kind then half of the ads you'd see would be in languages you can't even understand.

Given I have zero interest in seeing ads in the first place, this sounds like a 'you' problem.

I'm not trying to be snarky here - this idea that relevant ads are important to users seems to be some sort of industry delusion. Why should I care if the people trying to sell me stuff while I read a news article are less able to target me? The ads are already an attention-demanding annoyance, it hardly matters what they're for.


As someone implementing data pipelines & doing enterprise integration (along with web work), I massively disagree.

GDPR is the best "needle mover" in terms of "we don't care about xyz" in the last 15 years.

In a meeting, even as an external contractor, you can now much more easily highlight privacy/security issues without being told that you are "too caring", and it will actually have an impact (because there is a widely known law & control body).


GDPR is a pretty big thing. Cookies, and cookie consents is a tiny tiny bit of it.

If there is an annoying popup on a website it's not compliant. E.g. if you need to switch OFF multiple accept switches, then it's blatantly in violation (default must be off). I have no idea why sites would even bother putting up a noncompliant GDPR popup instead of just ignoring it.


You misunderstand policy making. A lawmaker is not (and should not be) interested in providing a way to implement things, but in how things should be; they are only providing the normative side. The executive and judicial branches of the state then specify how things should be implemented.

Most GDPR implementations that are so annoying are actually wrong.


I agree that this is how most legislation does work: dream up something that would be great and ignore the facts on the ground and live with a predictable shitshow of implementations.

To me it's a stretch to say legislation ought to work like this.

Many of the "outlier good ideas" in legislation are those that integrate the facts on the ground and consider e.g. implementation complexity.


Are there annoying ones that are compliant?


Nope. If it is annoying, then it is not an informed consent acceptable opt-in because you are pushed into accepting to make it go away.


Nah, it's better to push something out and then amend it over time than to spend 20 years discussing it and bikeshedding.


It would be great, but I doubt it will be revised any time soon; the EU is very stiff.


There are already two texts coming that significantly change it, mostly to make it more protective. Search for "ePrivacy".

On top of that, there is a wide range given to the DPA which they are using. It is just that the EU agencies prefer to try to educate first before hitting companies hard, which makes sense.

In practice, if it had not been for Covid, the UK DPA would have killed multiple adtech companies during the summer. They had announced their plans earlier this year.


> in practice you just have to click an annoying number of accept buttons.

The vast majority of those aren't GDPR-compliant, they're just attempts at paying lip-service while maintaining the old ways, and they're usually illegal.

