
I feel the EU regulators could stand to learn something. If EU citizens are a small portion of your users, and you're tasked with parsing this document http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...

just blocking them doesn't seem like that bad of an idea, especially with the fines involved.

I think the things that bother me are:

1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too many domestic regulations; now we have to worry about things outside of our own countries -- which can also come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

3) The GDPR requires clear and concise language, but its drafters have done nothing of the sort when writing the regulations. For most websites outside of the EU, could the regulators themselves not have produced a concise 1-2 page infographic?



> It's a foreign requirement that feels like a violation of sovereignty.

Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright, trademark, and health laws.


>Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

If I have a brick and mortar business in the US and someone from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have a physical presence in the EU, why should I have to follow their regulations?

Further, why can't the EU just allow its citizens to do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR-compliant website, why does the EU care?

>EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

So what? If the EU wants to stifle competition, why should the US care. They are only hurting themselves.


> If I have a brick and mortar business in the US and someone from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have a physical presence in the EU, why should I have to follow their regulations?

You don't.

If they're not In The Union, and you're not In The Union, then you're not required to comply with the GDPR.

> Further, why can't the EU just allow its citizens to do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR-compliant website, why does the EU care?

It's impossible to give consent for something if you don't fully understand the ramifications of what you're consenting to[1].

[1]: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...


What does it mean for a website to "cater" to just my home country? The internet doesn't know political boundaries and most sites cater to all visitors on some marginal level.


Most websites are products nowadays. If you have a simple blog without trackers and ads, this is really not going to affect you that much.

> The internet doesn't know political boundaries

Tell that to the US law the whole world has to comply with, called the DMCA.


Even my simple blog with no ads has google analytics on it. I don't feel like I was doing anything wrong or abusive, but I guess there's a case to be made.

I assure you I have been against the DMCA since before it passed, though I don't think it's quite the same nor do two wrongs make a right.


> Even my simple blog with no ads has google analytics on it.

I would suggest that you remove google analytics then. It only causes harm.


Maybe you aren't, but Google probably is. You're helping Google monitor individuals everywhere they go online.


DMCA is only one example. In the financial world, the extra-territoriality of US laws is widespread, such that, for example, even securities sold outside of the US, to non-US customers, by non-US institutions, issued by non-US entities have long US law compliance sections in their documentation. Non-US banks outside of the US are reluctant to take US clients because of these laws (not dissimilar to the discussion on blocking EU IPs here).


I even read somewhere a while ago that the US claims jurisdiction on any financial transaction in the world as long as it's done using USD... Talk about overreach.


A simple blog without ads still collects IP addresses. It's as if the EU is trying to legislate that the web needs to behave like Tor.


IP addresses are not PII unless you also have timestamps and a legal avenue for querying the ISP records to see which account and thus person was behind the IP address at that time.

As a small blog, no ISP is going to give you the time of day, so it's not PII because you have no avenue for converting it to a person. If you transmit that data (say to google analytics) it might /become/ PII because google (or any other person you transmit it to) may combine it with other data they have access to, to turn it into PII.

The reasons large organizations are fretting about IP addresses are thus:

a) They have IP/timestamp records going back years, maybe decades

b) They may have ISPs willing to talk to them about who had the IP address at a specific time

c) They can't confidently allow that data to pass to partners in case their partners have access to ISP records

d) That data is a ticking timebomb, because even if they don't have an agreement with an ISP now, if an ISP offers that service for free to all takers in the future, their trove of IP/timestamp pairs could suddenly become PII overnight through no action from them

So yeah, for businesses operating at a certain scale, IP/timestamp combos are now a toxic asset. That doesn't mean your log files for your blog are suddenly a GDPR violation, unless you share them with people or have an inside track with a local ISP.

You can read more here: https://www.whitecase.com/publications/alert/court-confirms-...


Doesn't point (d) apply equally to organizations of all sizes?


> still collects IP addresses

It doesn't have to.


> Tell that to the US law the whole world has to comply with, called the DMCA.

If a site has no US presence and blocks all users in the US, what negative repercussion can violating the DMCA incur? Maybe their domain can be seized, but that can be avoided by not having a domain hosted in the US. The US could block all traffic to the site, but that should be moot if the site has no US users.


With the DMCA, if a US judge determines that a foreign company has broken the law, and someone associated with the company ever visits the US, that person is at a high risk of being orange-jump-suited in a barbaric punishment system.

It's been this way for nearly 20 years.


This is outside the scope of my previous comment. If someone visits the US then they have a physical presence in the US.

I'm still failing to see how the original claim, that everyone has to abide by the DMCA, is true. This seems like claiming that everyone has to abide by Thailand's Lese Majeste laws (laws criminalizing insults to the monarchy). Yes, people may face repercussions if they have an economic or physical presence in the country. But if they don't, then there's nothing Thailand can do to enforce this law.*

* not without cooperation with other countries at least. Some nearby countries are known to enforce Thailand's Lese Majeste laws abroad and extradite people. But in most countries, this isn't the case.


You want to get all political about this? What about extraordinary rendition? And the pirate bay guys?


The "Pirate Bay guys" were persecuted in Sweden; nothing I can find in the coverage of their arrests and trials mentions American copyright law. Extradition treaties are voluntarily made by the countries that establish them.

Again, if a country doesn't want to abide by the DMCA then they don't have to. Extradition treaties and the Pirate Bay do not disprove this claim.


Ok you are right about the pirate bay guys. But you could argue that the laws are heavily influenced by the US.

But extraordinary rendition is just the fancy word for CIA abduction. So no treaties are in place here.


But that's the same with the EU rules - nothing to fear if you don't go to the EU.


The internet doesn't know, but e-commerce/data business pretty darn well knows where their customers/users are situated.

The old web was mostly static websites. We spoke of visitors. The new web is app-ified/interactive, walled off to logged-in agreement-abiding geolocated users, and even a single logged-out "visit" broadcasts this to 100s of trackers who will remember your every move online.


Odds are whatever you were using on the old web to measure visitors would be a data processing activity under GDPR.


If you aren't collecting and storing PII, you have nothing to fear from the GDPR. Even if you are, you're fine as long as you only collect what you legitimately need to offer your services.


including targeted advertising campaigns?


IANAL, but if your company is a targeted marketing company (think Groupon) and users sign up explicitly to get sent offers, then you're probably in the clear. If your company offers some other service, but you also want to sell your users' data for targeted marketing, the GDPR requires you ask for and get real consent.


I find it odd that people take issue with regulation. Perhaps it's been ingrained into the cultural consciousness of the West that regulation is always bad, but historical analysis shows that regulation has always had an overwhelmingly net positive effect for the members of a given society. You can link the stage of a country's development to how effective its government is in protecting its constituents.


Aww that's cute!


1. When you open a restaurant nobody cares that you're a college student. You have to have all the checks and permits to serve people food. It's not because somebody hates small businesses, it's because the right not to be poisoned is more important than the right to do business hassle-free. Why should the internet be different?

2. Fuck your sovereignty. Seriously. The USA has no problem violating secrecy of correspondence worldwide, and argues at length for years about whether wiretapping its citizens is OK, because everybody agrees wiretapping others is perfectly fine. The USA forces the poor half of the world to follow ridiculous copyright law, including software patents and art becoming public domain after a century or more. There's no good will earned there, so don't expect a free pass because of your feelings. If you want to serve customers from other countries, you have to obey the law there.

3. They probably could. Still, I'm sure there will be "GDPR as a service" soon. Maybe some libraries, frameworks and standards for how to handle personal data will finally be created? This should have been done decades ago.


Equivocating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address, with putting someone in the hospital with food poisoning is beyond a dishonest comparison.


So? Projects like that aren't forbidden now that the GDPR is in force. Just put up a paragraph explaining why you need that email address, an unchecked checkbox if you want them to agree to send irrelevant emails, and you're done.

When corporations like Equifax or Cambridge Analytica have engaged in identity theft to the tune of basically half the continent of North America, you want to repeal one of the few laws fighting against it with an argument about kids in dorm rooms? It's basically the tech equivalent of "won't somebody think of the children?"


> Just put up a paragraph explaining why you need that email address, an unchecked checkbox if you want them to agree to send irrelevant emails, and you're done.

Oops, seems you’ve forgotten about the “right to be forgotten”, and several other requirements. Better prepare yourself for those >$20 million fines — how dare you negligently handle personal data, college software engineering student!

I’m all for strengthening privacy protections and punishing bad actors in this domain, but designing strong regulations that don’t have seriously bad unintended consequences is a really, really difficult task. I’m not necessarily saying it shouldn’t be done; just that I don’t envy the jobs of those trying their best to do good for the world via regulations without accidentally destroying some really good things.

It may turn out that GDPR has few unintended negative consequences, or it may turn out the harmful side effects are far more severe than anyone predicted. Only time will tell, I suppose.

Personally, I wish there were a technical solution to privacy concerns — something akin to DRM, but applied to each individual’s personal data to prevent it from being used in unauthorized ways. That’s about the only kind of DRM I think I could really get excited about :)


It is very good that I can delete my e-mail from a website.


I agree. My point wasn’t that the right to be forgotten is bad or wrong, but that the parent post ironically said “just add a checkbox and you’re good!” about GDPR compliance, and was not just wrong — but $20 million wrong!

Those kinds of fines are simply not compatible with low-quality advice like “Just add an opt-in checkbox, and you’re good to go for GDPR! What’s the big deal?”.

Overall, I like GDPR a lot (though as a disclaimer, I should say I haven’t read all ~80 pages yet).

Still, I am not as confident as many here that GDPR will have no serious unintended side effects.

Imagine for example if Google, Microsoft, Facebook, etc. all get hit with huge fines despite genuine best attempts by them to be compliant, after which they decide to cut their losses and exit the EU market entirely. Stock markets could crash globally, a new recession would occur, etc.

I very much doubt anything like that would happen, of course. But until things settle post-GDPR, I don’t think anyone can say for certain how this will economically affect the EU, and the world.


These are maximum fines IIUC.


How are they going to collect those fines?


Most of the time there will be no poisoning. Most of the time they will only collect an e-mail address.

The law is designed to cover the pessimistic case. You can get sick because of food poisoning; you can be robbed because your identity was stolen.

I don't think my comparison was dishonest.


> Equivocating mishandling user data on a project that some kid in a dorm made for fun, which collects maybe an email address, with putting someone in the hospital with food poisoning is beyond a dishonest comparison.

Nobody’s saying both are treated equally under the GDPR. The law stays the same; the way it’s enforced is adapted to the case, like in any jurisdiction. Whatever the situation, you always get a warning before being fined.


While I agree with your point 2 (remember CAN SPAM and DMCA!), that's called "whataboutism" which is usually seen as a bad argument. I wonder if it's only called a bad argument because people are on the receiving end of it or whether it really is faulty in some way.


I don't get the complaints about how hard GDPR is and having to understand it all. If you're based in the US, have you read the actual DMCA document? CFAA? California S.B. 1386? TWEA? ADA? Or at least any interpretations of them and validated that you comply?

If not, then worrying about GDPR which is mostly not enforceable in the US sounds disingenuous.


Who are you arguing with that thinks DMCA was a great idea but GDPR isn't?


Not saying anyone thinks it's a good idea. I'm saying I haven't seen that many comments, annoyed people, and general discussion about other laws, which actually impact US people and can be enforced there.

I'm guessing they also ignore those laws, because of posts like this one. If you're running a business complying with regulations, you likely already know how to block a country. I mean, you keep track of the current embargoes and block relevant countries, right?


Because this is a thread about GDPR, and the GDPR is not the same as the DMCA in either impact or scope. Take your whataboutism elsewhere.


You are speaking as if the European Union spat out this legal document and nothing else, when in fact loads of supplementary material has been released, for consumers as well as for enterprises. Of course, the actual act must be written in formal legal language.

EDIT: Example: https://ec.europa.eu/justice/smedataprotect/index_en.htm


> A college student working on a side project with no revenue is treated the same as some massive multi-national.

Am I reading this wrong? If the college student creates just a simple page, he/she is already compliant with GDPR.

If the student starts collecting personal information, then they need to know what's allowed or not. There are already things that are not legal to do, GDPR just adds private information into that.

The treatment of privacy is one of the issues where it's pretty much impossible for an individual to protect themselves; GDPR tilts the scale in favor of individuals.


If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data, and build a system to get user consent, etc.

I can easily see small websites just ignoring GDPR and hoping they fly under the radar. Or, using something like this Cloudflare configuration to block all EU users until they reach a size where achieving GDPR compliance is feasible and worth the effort.


> they have to have a data protection officer

DPO is only needed in specific cases. Dank meme sites don't fit in any of: a) public authority b) monitoring subjects on large scale c) dealing with criminal conviction data.

> build a system to get user consent

It's called a checkbox. They likely use one to agree to TOS anyway. If you don't have that one, DMCA and COPA are what you should be worried about before GDPR. (If you're based in the US anyway.)


Article 37 1.a and 1.b are extremely vague. Hiring a DPO becomes necessary once your service "requires regular and systematic monitoring of data subjects on a large scale", or processing personal info specified in article 9 "on a large scale".

However, nowhere does it actually specify what sort of scale constitutes "large". I don't see any user count thresholds or anything like that.

Also, it's possible that someone's list of authored memes is personal data. If somebody creates a lot of political memes then this could easily be covered by article 9, since political affiliation is explicitly covered there.

Additionally just saying "have a checkbox" isn't going to cut it. GDPR forbids blanket opt in or opt out schemes. You would have to build a system to track what the user has consented to and refactor all features to abide by each user's consent configuration.

I'm not saying every one of these tasks is hugely onerous - just that I can see the use case for blocking EU traffic to avoid having to abide by their regulations.


They only apply if it's your core activity though. If dank memes are your core activity, you're not "processing personal data" on a large scale, regardless of how many memes you store.


Again, only if you assume that these memes aren't covered by article 9. You might be able to infer a lot about someone from their authored or favorite memes. Article 9 doesn't just cover the personal data itself, it covers personal data revealing ethnicity, political opinion, etc. If I look at a user's list of authored memes, and it's full of pro-gay-rights memes, have these memes revealed their political opinion? Many would argue yes, and processing memes is definitely the core activity of our hypothetical site.


> If a kid makes a meme generator site where you can create a profile and organize your dank memes, then now they have to have a data protection officer, build a system to purge user data

No, because that website doesn’t collect personal information.

> and build a system to get user consent, etc.

You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).


> No, because that website doesn’t collect personal information.

Yes it does. It at least records an email address and password to create profiles. And any features like tagging memes, marking memes as favorites, etc. could be argued to constitute personal data.

> You need user consent to send emails or do something with their personal information (i.e. nothing since you don’t hold that information).

Again, I specified a meme generator site that has at least some user specific personalization.


>they have to have a data protection officer

Themselves

> build a system to purge user data

SELECT * from users, memes, usermemes where userid = #####


What about all the comments on those memes? Do those go too? What about the people who hot-linked to those memes? Do you just nuke the images and break all the content people linked to?

You sign up for a website and upload and share a bunch of memes.... honestly... the shit isn't really your data anymore. It is the public's. You shared it and yanking it back is kind of a dick move.

It really isn't as "simple" as a DELETE statement that some people argue it is.


You are just making s*it up. A meme is something you publicly posted; it is not your personal info. You possibly agreed to transfer copyright to the site; if you still own it, of course you have the right to delete it.

As for personal info, most meme websites don't require any accounts to create them, because it only makes the site less usable, but if the site does have accounts, you do have the right to see/update your account, you have the right to delete your account and be sure that if your account is deleted the data is actually gone.


> Meme is something you publicly posted it is not your personal info,

Very generous assumption on your part. Article 9 specifically says that anything revealing personal info like ethnicity, political affiliation, etc. is covered by GDPR. If I look at Adam's list of authored memes and there's a bunch of pro-Democrat memes, and I look at Bob's and it's all pro-Republican memes, then it's very easy to see a court ruling that memes reveal political affiliation.


You’re not allowed to have the DPO be yourself due to potential conflicts of interest.


> I can easily see small websites just ignoring GDPR and hoping they fly under the radar.

This is my plan. What are they going to do, extradite me over claims that my access logs include IP addresses? Claim that I do business in the EU when I don't take payments, every side project I've made is in English, and I've never set foot there?


Web servers are non-compliant out of the box because they all by default log and store IP addresses of visitors.


There is nothing non-compliant about that. You seem to misunderstand essential vs. data hoarding for advertisement purposes. If you were to keep that data forever, sell it to third parties or profile users based on that logging data, not tell them about it, then yeah, you'd be violating the GDPR.

For normal operation, system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI etc.


Which is the answer I see all of 50% of the time. Then, I see "Well, actually it is non-compliant because yadda yadda". My company isn't going to hire international compliance experts to review the operations of every public website we run, and we don't have any that need European visitors. So, best to just block them.


But what about national compliance experts, do you hire those? Because you have a lot more national compliance on your plate than international...


That just emphasises how worthless it would be to spend effort to make sure we're compliant with GDPR. We have better things to do.


And that just emphasises how much you'd rather not worry about user data or telling users about it. You have money to make off of it?


Meaning what? Our time is finite. Time we spend trying to comply with European regulations, when we have no European presence and seek no European customers, is time taken away from everything else we need to do—including complying with the actual laws we live under.


Without it documented why I am collecting it, how I use it and how I store and delete it, it is non-compliant that I am collecting it at all. I think that you are assuming that they know it is being collected and that they are supposed to use it for something. They don't. It is not essential at all to the operation of the service if you don't actively monitor it. Saying it could potentially be used for some kind of security function seems like a CYA if you aren't actually doing that.

Do you disagree with this TLDR of the regulation?

https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-d...

Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.


So the defaults will be changed.

It's called software cause it can be changed easily.


A quick Google search leads to this, for example: https://blog.flyingcircus.io/2018/02/05/new-default-truncate...
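As an added example (not from any commenter, and not the code from the linked post), this is what such a changed logging default amounts to in practice: the client address is reduced to its network prefix before the IP/timestamp pair is stored, so the retained log cannot later be tied back to a subscriber. It assumes the nginx/Apache "combined" format with the client address as the first field, and assumes truncation to a /24 for IPv4 and a /48 for IPv6; the sample log lines are constructed.

```python
import ipaddress
import re

# Added example: anonymise client addresses in web-server access logs at
# write or rotation time, so the stored IP/timestamp pairs cannot later be
# turned back into a person (the "toxic asset" concern raised upthread).
# Assumptions (not from the thread or the linked post): nginx/Apache
# "combined" log format with the client address as the first field, and
# truncation to a /24 for IPv4 and a /48 for IPv6.

IPV4_PREFIX = 24
IPV6_PREFIX = 48

# First whitespace-delimited field of a combined-format line is the client address.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def anonymize_ip(addr: str) -> str:
    """Zero the host part of an address, keeping only the network prefix.

    Raises ValueError for anything that is not an IPv4/IPv6 literal.
    """
    ip = ipaddress.ip_address(addr)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    # strict=False lets us pass a host address and get its containing network.
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the client address in one access-log line.

    Fails closed: if the first field does not parse as an address, it is
    replaced with '-' rather than being written through unchanged.
    """
    m = _FIRST_FIELD.match(line)
    if not m:
        return line  # empty line, nothing to scrub
    field, rest = m.group(1), m.group(2)
    try:
        field = anonymize_ip(field)
    except ValueError:
        field = "-"
    return field + rest


def anonymize_log(lines):
    """Anonymise an iterable of log lines, returning a list of scrubbed lines."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines using documentation-reserved addresses, not real visitors.
SAMPLE_LOG = [
    '203.0.113.77 - - [25/May/2018:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5678 - - [25/May/2018:10:12:05 +0000] "GET /post/1 HTTP/1.1" 200 2048 "-" "curl/7.58"',
    'not-an-ip - - [25/May/2018:10:12:09 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "bot/1.0"',
]

if __name__ == "__main__":
    for scrubbed in anonymize_log(SAMPLE_LOG):
        print(scrubbed)
```

The timestamp, path and user agent are kept, so the log still serves debugging and abuse-handling, while the stored pair no longer identifies a subscriber line.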



> It's a foreign requirement that feels like a violation of sovereignty.

It must feel horrible, now that the US is on the receiving end of this for a change... ;)


Notwithstanding any opinions on the contents of the directive itself, as a Canadian citizen, the schadenfreude of the United States getting its comeuppance is not nearly worth another foreign federal government imposing its will on our domestic activities.


> I think the things that bother me are:

>

> 1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

That's false. The GDPR repeatedly refers to evaluating the risk with regards to various decisions. The ICO even has separate guidance for small businesses and big businesses.

> 2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too many domestic regulations; now we have to worry about things outside of our own countries -- which can also come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.

This one I can appreciate, but perhaps look at it from our point of view:

You're violating our laws that protect our citizens.

Why would we possibly have any sympathy for that?

> 3) The GDPR requires clear and concise language, but its drafters have done nothing of the sort when writing the regulations. For most websites outside of the EU, could the regulators themselves not have produced a concise 1-2 page infographic?

The GDPR is easier to read than many US laws, and you don't have to read it anyway. The ICO has written extremely high-quality guidance for most businesses which will suffice. It should take no more than a few hours to determine how your business would be affected.

https://ico.org.uk/for-organisations/business/


"You're violating our laws that protect our citizens. Why would we possibly have any sympathy for that?"

No one forced your citizens to come to my website.


And in the situation that it’s no more complicated than an EU citizen visiting a website that doesn’t sell to European businesses, that’s probably fine.

But when you want to trade with Europe, you have to abide by our standards for human rights.


> " It's a foreign requirement that feels like a violation of sovereignty."

How about you look at what bs comes out of the US gov't? That is the worst foreign requirement and violation of sovereignty so far, and it keeps on giving.


> 1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

I hear you, but the argument is that the data doesn't care who caused the leak. A college side project leaking an SSN does the same amount of damage as a multinational leaking an SSN, so the law is going to want them to treat them equally seriously.


My understanding (I could be wrong - IANAL and I haven't read the 80 pages) is that GDPR takes a somewhat countervailing view. SSN data breaches would be treated the same way as, say, whether someone likes the Beatles. The problem with GDPR from my perspective is its Draconianism.

This is by the way the same problem with the various restaurant analogies. It makes some sense for the health department to inspect large restaurants. It would make no sense for them to subject neighborhood cookouts to the same degree of scrutiny.

GDPR seems to be based not on actual harm that could occur based on invasive, sketchy or otherwise bad data storage practices; instead, it seems based on a subjective idea that people have "fundamental rights" to various forms of state-mediated protection in relation to technology. Rights are unequivocal and almost entirely uncompromising.


A college student working on a side project probably shouldn’t hoard personal information if it doesn’t care to protect it.


>1) A college student working on a side project with no revenue is treated the same as some massive multi-national.

If the side project uses personal user data, then there is no reason to treat them differently.


> A college student working on a side project with no revenue is treated the same as some massive multi-national.

And why not? The result/harm is the same.

It doesn't matter a bit whether a company's web site is handing its visitors' data over to Facebook or a "private site" does.

The side project or the private site always have the option of not participating in the adtech frenzy.

But of course they want to participate (free money!), even if they find out much later that almost no money is coming their way.


No, it's not the same. The lack of proportionality is precisely why the UK/EU is such a hard place to conduct business.

These rules don't stop anything about ads, they just make them less targeted. Not a big deal, but it will increase the costs of serving users and thus decrease the total amount of commercial projects started.


I find it funny to claim that the US could be more proportionate than the EU.

Less targeted ads are exactly what we need. That's what the regulation aims for!

Your argument is like claiming that unfortunately, due to car safety regulations, we cannot enjoy as many fatal accidents as we once did.

And to make my point of view clear: not all businesses deserve to exist. We as society decide which business models and behaviours are okay. "Decrease the total amount of commercial businesses started" cannot ever be a persuasive argument.


This issue isn't about privacy...

Nobody reasonable is arguing that it's a bad idea to let customers control their data. The actual issue is that the rules are vague and thus create a lot of confusion and waste that affects all companies, while not providing any real protection against the massive conglomerates that abuse data in the first place.


>The #1 complaint about ads is that they are not relevant, so this does nothing but increase that problem.

The #1 complaint about advertising is that in 2018, it has evolved into a shadowy, insecure brokerage of surveillance data that it obtains using all kinds of under-handed tactics. If the GDPR curbs this in the slightest, it will be a net positive for people of Europe.


It will not curb it. Facebook and Google who control 90% of the ad industry will already have consent from billions of people by the end of the day, and the increased regulation will only increase their market share as the safe and reliable avenue for advertisers and further strengthen their monopolies and data activities.


Facebook certainly doesn't have full consent under the GDPR.

They are playing games, and don't respect the requirements that the GDPR puts on "consent": focussed, freely given (non-punitive), fully informed.


Sure, one of the most valuable companies on the planet with an army of lawyers doesn't know what it's doing.

Or maybe it's because the rules are confusing and messy and you have a different interpretation?


> Sure, one of the most valuable companies on the planet with an army of lawyers doesn't know what it's doing.

This is a fallacy, not an argument. [1]

> Or maybe it's because the rules are confusing and messy and you have a different interpretation?

Please point out which rules are confusing and/or messy. Virtually every single blog post about GDPR points out how well written it is compared to other jurisdictions on the same subject. The language is clear and the website provides a Q/A section as well as concrete examples for every point.

[1]: https://en.wikipedia.org/wiki/Argument_from_authority


Yes, a company worth over half a trillion dollars with access to the best legal teams around the world has authority on whether it has done what it can to be compliant or not. And authority is how the legal system works, not everyone can just practice law without going through the proper education and licensing.

> Please point out which rules are confusing and/or messy.

The comment thread you just replied to -- the one where you seem to be saying that a random HN commenter is more accurate than Facebook's entire legal team on regulation that is supposed to be unequivocal -- is a start.


> Yes, a company worth over half a trillion dollars with access to the best legal teams around the world has authority on whether it is compliant or not.

No, it does not.


Fine, edited. Although you seem to be missing the point...


They know exactly what they're doing. They are willfully breaking the law because it makes them money.

Maybe your playacting is simply because you're "Currently working on Instinctive, a B2B marketing technology company."?


You've made this personal twice now, signaling a lack of any real argument.

You do not know my history, and sadly you didn't even bother to do some basic research or you would recognize that I'm one of the few in our industry that has called for regulation and data protections for years. [1] Instinctive has been on the forefront of this as well with our most recent push for net neutrality. [2]

And surprisingly you seem to miss that B2B marketing is rather unaffected by GDPR since everything we do has always been contextually targeted, consent-based, and 1st-party relationships anyway. If you want to have a discussion, base it on the ideas and not the person.

1. https://twitter.com/search?f=tweets&q=manigandham%20regulati...

2. https://www.newamerica.org/oti/press-releases/companies-urge...

--

As for Facebook breaking laws, I find that incredibly hard to believe given their resources, recent legal , 1st-party data and consumer connections in their walled garden, and the fact that consent is already given by billions of users who just want to use FB products and don't care about the rest. They have nothing to gain from skirting regulations that only serve to strengthen their relationship.


>Less targeted ads are exactly what we need. That's what the regulation aims for!

I have nothing against targeted ads. I am against targeting ads and collecting/distributing my data without my explicit consent. E.g. mobile companies selling my real time location because there's some obscure sentence in their 90 page terms of service.


> I am against targeting ads and collecting/distributing my data without my explicit consent.

Which is exactly what GDPR is designed to stop. You're welcome - the rest of the world.


And this is exactly what GDPR does, you then have an option to opt-in.

I wish regulation like GDPR would also be implemented in US, but really unlikely.


Please learn from the experience of dealing with side effects of GDPR in EU first, before trying to push it to the US.

The side effects would include:

1) Reduced number of services available to EU customers.

2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.


> EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.

From what I've read, opt-in is only supposed to be used when there's an actual voluntary choice, and "allow us to share your data with 3rd party trackers or we block you" doesn't count as a real choice.

It should be treated in the same way as opting into marketing emails. Totally optional. Not opting in shouldn't totally break a site.


Not allowing businesses to fire customers who don't want to share anything sounds like a massive problem for companies whose revenue model depends on user info. Think of all the people who don't want to share anything but still aren't willing to type in CC info for Facebook; are they entitled to free Facebook use on the company's dime?


> doesn't count as a real choice.

Why not?


Because consent must be "freely given". As soon as you start attaching consequences unrelated to the utility itself, you're making a decision less and less freely.

The greater the power imbalance, the less free the choice. Social networks are a great example of this. You can choose not to use a particular one, but what's the alternative if everyone is already on that platform? You can go without, but what if it's LinkedIn, and there can be a real impact on your career?


> Because consent must be "freely given"

But you do have a choice. Don't use the site if you don't consent to its rules. Pretty straightforward choice.


Yes, same as you have a choice to live without computers and electricity.


Definitely not the same.


> Pretty straightforward choice.

It is, if you don't think the rest of what I wrote is worth any consideration.


The rest of what you wrote is silly. Social media websites are not charities. They don't have to provide you with a service if you are not willing to compensate them with your data.


Personal data is not the only form of compensation, and GDPR is a direct response to the situation that attitude has created.

Nobody is suggesting companies provide free services. We're saying that personal data is more than commodity, and we should be looking to more ethical business models. And we won't be sad to lose companies that can't adapt.

edit: And I don't think my point was silly, but I'm also not really libertarian. So I don't think it's acceptable for companies to abuse their dominant position to make things worse for society at large.


You're making a philosophical argument about what is a "real choice", precisely the problem with the "based-on-principle" GDPR. All this will do is create a big mess if/when this gets into real litigation.


> 1) Reduced number of services available to EU customers.

That’s not a bad thing. If services that don’t want to protect their users’ privacy can’t operate, that’s a good thing.

> 2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.

How does this have anything to do with GDPR?


Not wanting extra regulation and associated costs does not mean a business intends not to protect their users' privacy.


It's a difference in how much a business values their users' privacy and data.

Some value it until they hit XXXXXXXXX amount of extra cost. Some only value it until they hit XXXX amount of extra cost.

Most probably only value it as much as they're forced to.


> 1) Reduced number of services available to EU customers.

Because everyone knows that it is better to make no money at all than just slightly less than normal because your ads are not targeted.

> 2) EU users will be trained to click "Agree" without reading, because web sites would ask them for permission very frequently, and users do not have time to read web site policies anyway.

Sure, and it is their absolute right to do so, but other people finally have some control over their data. I especially like the fact that users can finally also remove/change the data about them.


>And this is exactly what GDPR does, you then have an option to opt-in.

I mostly like GDPR. The ability to opt in and being in charge of your data, i.e. removing it from a service if you want to, and the right to export and move it to another service are great and long overdue.

What I don't like is that it's a principle based regulation and thus it can be applied arbitrarily and selectively.


> UK/EU is such a hard place to conduct business

is it though? According to https://en.wikipedia.org/wiki/Ease_of_doing_business_index#R...

the USA is 3 positions behind Denmark, which is in the EU, and just one ahead of the UK.


It's not the same. There are companies which intentionally collect and exploit private data. There are companies which are just behaving negligently with users' data. There should be different penalties for intentional and negligent violations.


And there is! The law applies to all but fines/punishment are handled on a case by case basis.


And there's a lot of room for choosing the fine/punishment. There should be some rules, i.e. fines for intentionally violating privacy of millions of people should be very different from fines for unintentional violation of privacy of 10 people.

