
Doing "tracking in-house" does not exempt you from GDPR requirements. The requirement is exactly the same: explicit and freely given consent is required to collect extra private information not specifically necessary to provide the service requested.


In this case, is GitHub uncompliant now? They say they're not doing third-party tracking but the blog post seems to hint that they're doing their own tracking.


That depends on what personal data they're collecting and for what purpose, in the case that a person hasn't explicitly opted in by giving consent freely. I don't think it's possible for us to figure those details out exhaustively merely by observation from the outside.


Yes, and it's not like the EU is going to send surprise inspections to go dig into Microsoft's code and databases to check whether they are violating this or not?


They don't send surprise inspections to your house to check if you're engaging in criminal activity, either.

My point is that you're moving the goalposts. Law enforcement generally always requires a complaint that justifies an investigation, and people and organisations get away with breaking the law all the time. However that has nothing to do with whether or not GitHub put their website behind a "consent" wall, or whether or not they're doing in-house as opposed to contracted-out analytics.


I'm not moving the goalposts. Aren't you aware that some businesses get regular inspections, which do not require any complaints?


Sure, but it's also likely that Microsoft's lawyers allowed the GitHub team to do this if they didn't think that GitHub was still in compliance.


What "private information", though? If GH is putting in a database the order of clicks that you made to navigate around their site, is that "private information"?


If there's an identifier that can be tied to you (like an IP address), then yes?


There is a lot of wiggle room in "provide the service requested"


> There is a lot of wiggle room in "provide the service requested"

There is, but it is so in any law, because laws can't be specified as precisely as computer code, and an attempt to do so would make them so rigid as to be unenforceable, and hence ignored. But it seems that companies aren't even trying to use this wiggle room, just ignoring it or plastering the damned cookie banners, so I think that it's a good thing for future privacy-oriented laws—when given even the most generous possible leeway, businesses would still rather track their users than attempt to colour within the lines.



