
this is fundamentally insufficient, though.

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that user's IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)

as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.

the only way i've found to defeat this behavior is by using uBlock Origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but does prevent visiting a website which has an embedded image hosted on a FB domain from being loaded, which defeats the more nefarious FB tracking.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...




Yeah, but that's easy enough to deal with. You simply don't load any third party stuff (or allow them to see your content) until they click "OK". Some simple javascript is all it takes to delay loading of everything not on the current server.

So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.

On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.
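
The delayed-loading idea from the comment above, done on the server so the third-party URL never reaches the browser in a live `src`. This is an added example, not code from anyone in the thread. The function names and hostnames are hypothetical, and it assumes quoted `src` attributes on `img`, `script` and `iframe` tags:

```javascript
// Constructed sample page; all hostnames are placeholders.
const SAMPLE_PAGE = `
<img src="/static/logo.png">
<img src="https://social.example/like.png">
<script src="https://cdn.example/widget.js"></script>
<script src="//tracker.example/t.js" async></script>`;

const SRC_ATTR = /<(img|script|iframe)\b([^>]*?)\ssrc=(["'])(.*?)\3/gi;
const GATED_ATTR = /\sdata-consent-src=(["'])(.*?)\1/gi;

// Host of url if fetching it would contact a host other than the page's
// own (subdomains count as other hosts); null if first-party or no request.
function thirdPartyHost(url, pageOrigin) {
  try {
    const u = new URL(url, pageOrigin);
    if (!/^https?:$/.test(u.protocol)) return null; // data:, about: send nothing
    return u.host === new URL(pageOrigin).host ? null : u.host;
  } catch {
    return '(unparseable)'; // fail closed: gate what cannot be classified
  }
}

// Before consent: move third-party src into data-consent-src. An element
// without src triggers no fetch, so the other host sees no IP or Referer.
function gateThirdParty(html, pageOrigin) {
  const hosts = new Set();
  const out = html.replace(SRC_ATTR, (match, tag, attrs, q, url) => {
    const host = thirdPartyHost(url, pageOrigin);
    if (host === null) return match;
    hosts.add(host);
    return `<${tag}${attrs} data-consent-src=${q}${url}${q}`;
  });
  // gatedHosts is the list a consent dialog would have to name.
  return { html: out, gatedHosts: [...hosts] };
}

// After consent: restore src only for hosts the visitor approved by name.
function releaseApproved(html, pageOrigin, approvedHosts) {
  const ok = new Set(approvedHosts);
  return html.replace(GATED_ATTR, (m, q, url) =>
    ok.has(thirdPartyHost(url, pageOrigin)) ? ` src=${q}${url}${q}` : m);
}

const demo = gateThirdParty(SAMPLE_PAGE, 'https://www.site.example');
console.log(demo.gatedHosts.join(', '));
```

Rewriting the markup before it is served matters because a script that strips `src` after the page has started parsing can lose the race with the browser's own resource fetching.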


what you've suggested seems OK technically, but i feel like you're making an assumption that originating source of traffic determines citizenship of the user.

it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.


> but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).


Hmm. I'm not sure about that. If Apple and Google won't pull out of China even though China makes them do all sorts of business stuff they disagree with, I highly doubt they (web companies) would pull out of the entire EU.

It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.


Google did effectively pull out of China in 2010 [1].

But in the case of the GDPR, it probably helps Google and Facebook more than it hurts them -- they can afford to jump through all of its hoops while smaller competitors might have trouble. It's essentially a barrier to entry.

[1] https://en.wikipedia.org/wiki/Google_China


Of course not, because Apple, Google, Facebook et al have the resources to spend millions on attorneys to implement the GDPR. My comment comes from the perspective of an operator of several small sites that get a total of a few million visitors per month combined. I'm not spending millions on attorneys, and EU traffic is only incidental to my sites anyway, so I am indeed taking my ball and going home.

This will make a difference for some users on some of the forums I run, as they will be banned with an apology and an invitation to come back if they ever move out of the EU. But it's not worth taking on the liability of potentially millions of dollars in fines for accidental non-compliance with a heavy handed, massively complex law that is up for different interpretations in the courts of no less than 28 unique countries. Unless you're in the EU or are a multi-billion dollar company with a large legal department, accepting EU traffic post-GDPR is an act of insanity.


Are you hosted in Europe, and/or do you do business from the EU?

No? Don't bother instituting a stupid ban like that, then. And stop scaremongering.

GDPR applies to businesses.

Besides, compliance isn't too bad for something like a forum. Just purge the relevant user records and posts, if requested to or when a user deletes their account.

Source: I am doing GDPR compliance on web applications for a major telco.


> GDPR applies to businesses.

I have a business. And yes, I have spoken to GDPR compliance people, so GDPR has already cost me enough money. Compliance is a murky proposition at best, since this law can be interpreted in different ways in 28 different countries - all of whom will be looking for ways to maximize the fines they collect under it from foreign companies.

Since you are in the GDPR compliance space, surely you know that it does apply not just to businesses that are hosted in the EU or do business there. Rather, anyone that knowingly accepts traffic/data from the EU is vulnerable to it.


And that's a good thing. Privacy is a basic human right, and it's about time we got some regulation of this area.


You seem to have complected extensive indiscriminate data collection with simple advertising and the more fundamental point of connecting and serving people.

You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy-destroying data collection. This model worked fine previously and it will work fine in the future. If anything, hardware and tools are damn near amazing compared to the bygone past.

I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other markets to the original fool's detriment.

There is in fact no reason to believe other markets including the US won't ultimately discover the merits of protecting their citizens' privacy considering that in the US perhaps 171k work in the advertising industry out of 300 million.

How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them and if they can't figure it out, then I hope the food stamp program still exists so they won't have to stand outside 7-11 with placards reading "will lie for food".


>"the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home"

And leave millions and millions in profit on the table for everyone else?

That's the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.

They're not going to throw away profitable markets just like that. And if they do, good riddance.


> if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that user's IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent

This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?


It doesn't matter if you load an image off fb.

per GDPR, without consent, fb cannot legally use that data (for EU residents).

And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.


You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.

Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.


[flagged]


> it's the controller's (in this case FB is def a controller) responsibility to ensure that their use of data has a legal basis

You're correct. They are ensuring it by placing it in their terms for the use of their code/images on other sites. Nowhere in the GDPR does it say that every third party whose content may be placed on a site must themselves obtain consent. What exactly do you envision? That each page you load have 40 different consent dialogs show up?


How about most sites don't load resources from 40 different sites. Alternatively how about facebook ask for the users consent once to track them all over the web and remember that users choice.

On ingress the data could be deleted if it didn't correspond to a user that had given consent.


nope, try again.

FB doesn't get to use the data unless it's consented by the end user.

It is distinctly not GDPR compliant for FB to claim that their TOS requires consent so it's not their problem. Feel free to read the discussion about co-controllers (called joint controllers) and particularly the A29WG guidance.


Again, under your (incorrect) interpretation of the GDPR, what exactly do you envision? That each page you load have 40 different consent dialogs show up - one for each tracker and external image that is on the page? Some have hundreds.


Yes, this is (finally) correct.

For each external tracker, you will have to consent that use. By name. Per discussions you can find via google, even naming a well-defined class of 3rd party controllers is not enough; they have to be individually named.

This is the impact on adtech. See eg https://pagefair.com/blog/2018/granular-gdpr-consent/ . Or digiday, which is not exactly anti-adtech. https://digiday.com/media/gdpr-will-change-facebook-ad-targe... .

The fact that some page may have hundreds of co-controllers is immaterial, unless you envision "we don't want to" as a defense to the privacy regulators.


I think we'll have to agree to disagree. I expect that EU users won't be spending all their time on the web issuing 50 approvals for each page they load. You may so despise ad-supported services that this is your dream for the world, but unfortunately for your dream (and fortunately for all users that actually want to be able to use the Web), even the heavy-handed GDPR does not mandate this.


I don't know why you think me relating a correct understanding of the GDPR is my endorsement (or not!). This is what the GDPR requires. You've cited no sources for disagreeing with the formulation of the GDPR as pushed by the very privacy orgs who are in charge of it in 6 weeks.


It still doesn't need to be 40 dialogs. It can be one dialog that provides information about all 40 third parties.


True! I don't think I ever claimed otherwise, just that they have to be individually consented. And nothing prevents someone from adding an approve all button, but it cannot be the default.

See even the IAB's (can't wait to hear how they don't support adtech either) consent dialogs http://advertisingconsent.eu/wp-content/uploads/2018/03/Tran...

page 16-18. And note the consent on page 16 is invalid; the GDPR is crystal clear that consent must disclose all co-controllers.



