Hacker News: _o_'s comments

Or credit card details ;)


I think that the basic issue here regarding privacy is that only the ones breaking it are writing. There are literally millions that won't give an upvote but want it.

Google and Facebook already launched their lobbyists there and are trying to undermine it, I wonder what they will do to Japan.


You don't understand it. It is your site, your users. If you enable 3rd party illegal tracking of your users by ANY means, it is your responsibility too. To cover your back, you need to sign a legally valid contract (or they need to send you confirmation) that they respect GDPR and assess their way of doing it (at least in these early stages, as very often, they are just trying to work around it, which puts you in danger) to be absolutely sure about them. Analytics, ad providers, CDNs, SaaS... all of them.

Take it as, "I control the door to a bank vault, if I allow robbers in, I will be an accomplice to a crime as the crime couldn't be committed without my help". Negligence or direct intent, it can be costly. Assess your 3rd party sources very carefully, I have already removed GA and replaced them with local analytics (https://matomo.org/) as I can't trust them, they are trying to downplay GDPR and there is already a complaint written against them (https://noyb.eu not for GA though), and I have read the PDFs, they are right and quite objectively, they are guilty. I don't want to be in the same boat with them.


That is one possible interpretation, but like many things around the GDPR, it is not what the regulation literally says nor how the technology actually works in practice, so other reasonable interpretations are also possible. I am asking whether there is any official, authoritative guidance on this.


Look, GDPR is not about technical means, it is about a concept. If the ICO proves to you that you are conceptually violating the GDPR by enabling a 3rd party to violate it and you don't have your back covered, you won't have much to defend you with. You need to have proof that you have done everything in your power to defend your users' right to privacy and you were cheated by the 3rd party. This is why all the fuss about GDPR was in the last 6 months, you can't downplay the concept as it isn't saying anything about what "script" or "service" (or cookies as an ultimate abuse of the "concept of law" and an example of why GDPR was written this way) you can use or not, it is just talking about the user's right to privacy and for you as data controller, it is your duty to defend it.

Yes, there is guidance, it is called GDPR, it is THE only guidance, just take the concepts. I can give you this link, it is the best I was able to find, it will help understand the GDPR, but for each and every site, the owner needs to decide on their own: https://www.youtube.com/watch?v=-stjktAu-7k


Sorry, but it's not that simple. A lot of the fuss about the GDPR is because it introduces significant uncertainty combined with the potential for severe penalties if your interpretation differs from the regulators'. It is not unreasonable to look for concrete, actionable guidance to reduce that uncertainty.

The modern web depends on embedding third party content for many reasons, most of which have nothing to do with invading anyone's privacy and many of which are directly in the visitor's interests. It is not helpful to undermine that whole ecosystem and expect everyone to start having formal contracts in place before they can take advantage of any of those services. Nor is it reasonable to expect services offered for free that aren't doing anything shady to take on significant liability and/or other commitments anyway through formal agreements with their users. Why would they do that, instead of just (as obviously quite a few places already have) geoblocking the EU to remove themselves from the scope of the onerous rules?


Silhouette, I am sorry, I have tried to help you, thank the others, maybe you/others will believe lawyers in the following months, but they won't be free. (And special thanks to HN, preventing me from answering with its policy of "answering too fast", I had an explanation for you, but I was unable to answer)

To the morons (no, it is not an insult, it is an empirical fact) downvoting me, it is not me, it is GDPR, face the reality, it is not my fault that you are too reluctant to understand it and biting people trying to help you out won't help. Downvoting me won't change GDPR or change anything, you will just lose a valuable source of information as you did just now. Go to the first psychiatrist and they will tell you that reality will be as it is even if you close your eyes (or shoot the messenger =/).

Don't forget to upvote me, when you figure out I was right and you get a warning/fine.


We've banned this account for breaking the site guidelines.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.


That is exactly what I was afraid of, Google will have a hard time defending this.

Check my post below, I would be glad if you have some idea, but as far as I am concerned, anonymising the IP while still getting uniform results is technically impossible.


Yes, you are right, the opt-out is violating GDPR (unless it is about changing your mind after giving opt-in - this is again required and must be as easy as giving consent), you have to be pre-ticked to "not giving consent" and the user must actively click to give consent. Also you are missing an explanation of what giving consent means for the user, including what data are used for what purpose.

Watch out with GDPR, this is not the cookie law, and on top of it, you can't force it on the user as a condition for entering the site (like Forbes is doing - they will get a complaint, already being finalized by some privacy organisation)


May I ask how GA anonymizes the IP address? What algorithm do they have in place, as doing sha-x over 4 numbers (0-255, skipping some) separated by dots is reversible in seconds on an average PC and I wouldn't call it anonymization, rather obfuscation.

I am asking this as a friend of mine is having a hard time accomplishing exactly that and it is really a hard nut to crack, anonymization is by default irreversible and making such an algorithm for 4 numbers (actually even less due to known IP address ranges for EU users + reserved ranges) is not simple. You can seed it but that key must remain unknown to Google, while this is again getting very hard with JavaScript. The only way I see is sending all the data to a local proxy script, anonymizing the data on your side and then sending it to GA.

I think that if GA is doing just some hashing, this opens all the sites using it to GDPR responsibility as data controllers, including HN. And this can't be hidden under the carpet (imho) as "I can't offer the service without it" (legitimate interest).


>May I ask how GA anonymizes ip address?

If you enable the Anonymize setting, the last octet (IPv4) or last 80 bits (IPv6) is set to zero by the analytics collector. The full IP is never stored or processed.

https://support.google.com/analytics/answer/2763052


They zero-out the last octet of the IP address and only process/store the first three.
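The question above contrasts hashing an IP with real anonymisation, and the two replies describe the truncation Google Analytics applies. The following Python is an added illustration, not code from the thread or from Google: it implements that last-octet / last-80-bits truncation beside an unkeyed hash (invertible by enumerating a range) and a keyed HMAC (not enumerable without the key, which is the "seed" the thread says must stay on your side). Sample addresses are constructed from documentation ranges.

```python
# Added illustration, not from the thread or from Google Analytics.
import hashlib
import hmac
import ipaddress
from typing import Optional


def truncate_ip(ip: str) -> str:
    """Truncation as the replies describe it: zero the last octet of IPv4 or
    the last 80 bits of IPv6. Irreversible, because the dropped bits are gone
    and many hosts share the same prefix."""
    addr = ipaddress.ip_address(ip)
    mask = 0xFF if addr.version == 4 else (1 << 80) - 1
    return str(type(addr)(int(addr) & ~mask))


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address string. Looks opaque, but the input
    space is tiny (2**32 IPv4 addresses), so this is only obfuscation."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC with a secret key (pseudonymisation). Without the key there is no
    way to enumerate candidates, so the key must never leave your side."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def invert_plain_hash(digest: str, network: str) -> Optional[str]:
    """Recover an unkeyed hash by enumerating a candidate range. A /24 needs
    a few hundred hashes; the whole IPv4 space is still only 2**32."""
    for host in ipaddress.ip_network(network).hosts():
        if plain_hash(str(host)) == digest:
            return str(host)
    return None


if __name__ == "__main__":
    ip = "198.51.100.42"  # constructed sample from the TEST-NET-2 range
    print(truncate_ip(ip))  # 198.51.100.0
    print(truncate_ip("2001:db8:1234:5678:9abc:def0:1234:5678"))  # 2001:db8:1234::
    print(invert_plain_hash(plain_hash(ip), "198.51.100.0/24"))  # 198.51.100.42
    print(invert_plain_hash(keyed_hash(ip, b"secret"), "198.51.100.0/24"))  # None
```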


In the Victorian era, asbestos was used as a god's gift. Like plastic today, a blooming business. When they figured out that it hurts people, they forbade it. And? What's your point? Business will transform and something else will bring money. This was happening through the whole of human history, nothing special.

And anyway, the marketing business was already going down, ads became so invasive and annoying that everyone is using ad filters today.

But I don't know why we are talking only about ads. What about people getting bad credit rates as the bank bought the data from an ads network? Or things like Cambridge Analytica. As if the marketing and ads world is everything we know of and GDPR isn't bringing any positive effects as it hurts tracking. The tracking market goes down, human freedom and rights + democracy go up. Who cares for targeted marketing in respect to that.


That is actually an excellent question!

The high quality news will be gladly paid for, while there will be far less clickbait sites as the ad revenues will drop. We will have less garbage on the internet and this is actually great, on the other side, the real journalism (not news like how to enlarge your penis) will hopefully come back into the spotlight.


Maybe...clickbait garbage is so cheap to produce I don’t think you’ll see a large decline there.

Quality small to medium publishers are the ones who will get squeezed hard.

It would be pretty shocking if suddenly EU users started happily paying for journalism. It’s going to be an exciting petri dish.


The issue with paying for journalism is that quality journalism is spread out over many, many publishers on the web. I can't afford to pay for subscriptions to dozens of quality news sources. Until micro-payments or, more likely, a multi-publisher, subscription-based model is available, I would not be interested in moving to a payments based system.

Ironically, the most effective micro-payment or subscription-based system will probably come from Google or Facebook in the end.


I agree micro-payments are likely to be Google/Facebook/Apple driven. The EU has been pushing for a mandatory "link tax" that may help fund some news organizations. That'll force more media consolidation though.


I wouldn't be so sure. It's not just you that has to pay for the news and other websites, it's your entire family. Would your grandma pay for it? Would you pay for this for your children?


But there is not going to be a public outcry, I was asking people around, also those that were using the "I have nothing to hide" phrase in the past and they are all satisfied with the GDPR. People want this, also in the US, but there it will take some time to adopt a law like GDPR as the US government is working in the interest of industry, not people.


People don't want this in the US. At least I don't. I would be strongly opposed to it as GDPR violates the rights of a person to pay for a product through personalized, targeted advertising.


>I would be strongly opposed to it as GDPR violates the rights of a person to pay for a product through personalized, targeted advertising.

How so? GDPR doesn't make personalized, targeted advertising illegal, rather it gives you (the targeted individual) the right to know how your data is being collected and used, and to opt out of that collection if you want.

If you want to continue paying for content with your identity, fair enough, but not everyone does.


Simply because it forces companies to give the same service away without personalized ads. As long as the options are clear, most people would choose non-personalized because there is nothing they get out of handing their data over.

So under this system a user who doesn't mind personalized ads doesn't have the option to 'pay'. They have the ability to 'donate' their personal information but there would be no reason to do this.

Now if GDPR had allowed companies to either choose personalized ads or pay for the content, that would have been different.


If personalised ads are so marvellous, and people are happy with them, surely they will be happy to "donate" their data in order to receive these incisive topical ads purely as they give such a better experience? My experience is they are just as terrible - just sometimes terrible in different ways.

The inexorable rise of ad blocking, the increasing pace of adoption recently, and not solely amongst citizens of the EU makes me think most people's trust has been burnt out.

I suspect many people in the US would be in favour of more consideration of their privacy and data security if given a choice.


>So under this system a user who doesn't mind personalized ads doesn't have the option to 'pay'. They have the ability to 'donate' their personal information but there would be no reason to do this.

If a web business can still remain profitable with personalized ads being optional, then the targeting behind those ads was never paying for that content to begin with, it was always a 'donation.'


Not sure what 'can still function' means. If a business is unable to make enough of a profit from its new business model, it simply shuts down. It was certainly not always a 'donation'.


>Not sure what 'can still function' means.

Sorry, I've edited for clarity.

>If a business is unable to make enough of a profit from its new business model, it simply shuts down. It was certainly not always a 'donation'.

What's debatable is whether targeted advertising is necessary for a business to maintain that profit. The GDPR suggests it isn't.


History suggests that every time a political entity chooses the winners and losers in a market that bad things happen -- usually in the form of a small number of increasingly larger companies capturing the market.

Google and FB (with their small army of lawyers) can afford to jump through all the hoops to make the regulators happy while "a small Belgian newspaper" will probably just get steamrolled.


>What's debatable is whether targeted advertising is necessary for a business to maintain that profit. The GDPR suggests it isn't.

You're right to a degree. You're right, because ad revenue from the EU is a lot lower than the US. Even if targeted ads in the EU aren't a thing, then a service that mostly gets US ad clicks and ad views will be able to handle it just fine. However, this means that EU viewers/readers will be treated as second class citizens.


>However, this means that EU viewers/readers will be treated as second class citizens.

Doesn't the fact that the rest of the world is scrambling to come to grips with an EU regulation and European privacy standards suggest the opposite?


It's hard to tell what fraction of websites have made shifts out of the enormous amount of businesses that exist on the web and serve EU consumers. On top of that, it's still too early to tell what the effects of the law will be. Many are waiting to see how it will be implemented.


I don't think the US can constitutionally adopt a law like this. Just the Right to Be Forgotten by itself violates the 1st amendment (and the EFF opposes it as it's generally used in Europe for censorship .. as we saw recently with the pulled NPR article).


[flagged]


So exactly like GDPR. Got it.


Let me shed some light on this: I have my own mail server and I am using a separate mail address (and now it will be close to 10 years of doing that) for every registration to any website, let's say domain_url@mydomain.com. As you can imagine, I can track who sent me the email and where it got my address from. 99% of addresses that I get spam on came from registering with small businesses, never from large sites. Get it?

So based on that some might argue that the small businesses should be regulated more as the majority of violations are coming from them, not well established businesses. It is probably not true, but it might also be.

So... binary only is a right way to go.

