GDPR

  • detritus

    Yeah yeah, the horse has already bolted, but this is a thread for GDPR related shit.

    I'm curious to know what, if any, upfront user warnings any of you have been involved in (or have seen in the wild and like) for this - anyone here care to share?

    Apparently I've got to do something front-facing for one of my side projects, which is ..annoying.. as I'd thought my partner there had done an admirable job on sorting existing users/newsletter subscribers, etc. I didn't think we'd have to besmirch our homepage, but I was clearly wrong.

  • detritus0

    As an amusing aside, someone woke up to their fridge displaying a GDPR notice...

    https://twitter.com/varjag/statu…

    The future isn't quite what I expected, I must admit.

    • fuck the IoT, really. - hans_glib
    • These are the samsung fridges that people can hack into the cameras on ;0 - microkorg
    • Good. If you buy a fridge with a bloody screen ... "for entertainment" ... you deserve all you get. - MrT
  • detritus0

    What I want to avoid is this sort of thing...

    • But this is basically what GDPR wants to happen. All uses transparent and the user's ability to enable/disable easily. - ETM
  • fadein111

    Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR

    https://www.theverge.com/2018/5/…

    • Damn, how do I get a piece of that pie... - elahon
  • zaq11

    • lol - Krassy
    • !%% :D - sted
    • lolz - Ramanisky2
    • haha that's exactly how I feel. - VectorMasked
    • lol, it's like junk mail ... glance and throw away ... not even a nuisance ffs - monospaced
    • I enjoy this new meme. But I'm also reminded of all the times people lost their shit over surprise things in Privacy Policies that turn out to be invasive. - jtb26
  • ETM0

    I've got a client that collects paper submissions for a conference each year. You submit the paper along with relevant details including personal ones (name, email, address) etc. but you have no actual account and the data is purged annually.

    Anyone who's been reading up on GDPR know what they/we would need to do beyond outlining data use and data termination policy with some sort of TOS?

    • Of course, 'paper submissions' meaning digital papers online, not actual physical ones. - ETM
    • I work for an org who is helping other companies onboard to GDPR. I've been involved in it... Did you all send an email out to the persons you hold data of? - notype
    • We haven't collected any this year yet. Last year's data has been purged. - ETM
  • feel4

    every time I see GDPR I kinda read RPDR

    YAAAASS QUEEN

  • kingsteven1

    ETM Posted this the other day in the useful thread, GDPR 'nightmare' letter. Been dealing with clients interpreting the legislation in their own way, they either get it 100% or not at all. tempted to send this to a couple just for the fucks.

    https://pastebin.com/P3Q2q6a3

    • I sent this to someone who was smugly assuring about how fundamentally he grokked GDPR's impact to his smallbiz (despite having zero need to). - detritus
    • Everyone should send a copy of this to facebook. - monNom
  • sarahfailin1

    God Damn Public Relations

  • sted1

    and i'm paying for this :D (100/y not much but yet foff)

  • sted0

    • of course - prophetone
    • it brings peace in your life. it's the first one where I didn't have suicidal thoughts. - sted
  • yuekit0

    I have clients in the U.S. asking about this...

    But after reading up on it I'm becoming convinced it only applies to companies actively marketing themselves to do business in the EU. Is that people's understanding as well?

    https://iapp.org/news/a/what-doe…

    • Yeah - companies trading to or having assets located in the EU, primarily. - detritus
    • tbh, I think a lot of the panic is totally overwrought and should only really be felt by nefarious cunts knowingly doing nasty things with people's data - detritus
    • A U.S. client who runs a decent sized online business was under the impression that simply getting traffic from EU citizens would make them liable for this. But that can't possibly be right, can it? That would be ridiculous. - yuekit
    • If you're running a website in the US and have website visitors from the EU, the GDPR absolutely applies to you. - mort_
    • mort, read the article I posted which goes through the actual text of the law. I don't think it applies to that, in spite of what you may have been told. - yuekit
    • Or maybe not (see shoes' comment below)...who knows lol. - yuekit
  • shoes0

    The framing and most of the arguments in the IAPP article are phish.

    GDPR does not have a territorial scope. GDPR applies universally as soon as you fuck with personal data ("PII") of an EU citizen (or EU visitor). And fucking with in this case specifically means processing PII that you get from 3rd parties, irrespective of business type, industry, language, location, currency, etc.

    I think what the author is trying to do is some kind of risk assessment or guideline to assert if an org outside of the EU should bother looking into compliance or ignore GDPR altogether. From that perspective the piece makes sense at times, but still not much.

    Since your clients are asking you instead of their DPO or legal counsel, I would assume that they're not large enough fish to warrant prosecution by the euro authorities, so perhaps the cost of compliance doesn't make sense from a risk/reward perspective (which doesn't mean that they're not technically subject and in breach of GDPR).

    I agree with Kevin Kish's disclaimer that if in doubt you should get the take of a lawyer.

    • ^ technically even an IP address can be PII, depends on what they do with it (storage wise, etc.) - shoes
    • "GDPR does not have a territorial scope." But "territorial scope" is a term pulled directly from the law itself. - yuekit
    • The question is what the second criterion, "monitors the behavior of EU citizens", actually refers to. Is simply collecting anonymous IP addresses monitoring behavior, or would it have to be something more like Google and FB creating a behavioral profile on you? - yuekit
    • It's about as clear as mud right now which is why this is such a ridiculous law. They really need to clarify what it covers. - yuekit
  • detritus0

    I contacted my gas company from within my online account about my bills suddenly doubling in price (again). As part of the process, I had to add in all my details - despite the fact I was logged into my account and writing from it - address, telephone, email, etc.

    It was a retarded system, I could already see back then.

    A week and a half later I've finally received a response - an email asking me to re-confirm my address as they needed to ensure 'GDPR compliance' - despite the fact I contacted them from within a logged-in account.

    There was a single letter difference between the address I'd typed in and the one they have on their system. The one on their system is slightly wrong - I have no idea why. The single letter difference is clearly not a distinctive differentiator - the address would be the same either way.

    I wrote and re-wrote my response three times, each time removing enraged bits, having exorcised each of them from my system.

    Where did common sense go? It was contact from within a closed system, to respond either there, or to the email address they have associated with my account.

    Infuriating. A week and a half to go nowhere.

    • tl;dr - don't bother reading. This isn't interesting to anyone but me, and then not even. - detritus
  • yuekit0

    If the EU can force everyone to comply with their privacy laws due to the mere fact of people from their part of the world accessing your site, does that mean every country in the world has the same power?

  • detritus1

    Think of GDPR as more of 'guideline legislation' than a hard and absolute law. If you're a cunt with clout and you fuck-over EU citizens, then you'll have the book thrown at you.

    If you're a nonEnt running a small concern out of Wichita and couldn't give a hoot about users in the EU, the EU won't give a hoot about you.

    There's a philosophical difference between 'laws' on either side of the Atlantic.

    • I dunno, I'd say that just creates massive confusion especially when it comes to something this technical. - yuekit
    • Not really - all it asks is that you disclose what you do with other people's data, don't be a dick with it or use it illicitly. - detritus
    • It's hard/impossible to 'Write-Once' laws that foresee and cater to every eventuality, otherwise you just have lawyered-up corps find loopholes and then you're back to square one again. Much 'better' - if less bluntly clear and absolutely-prescribe... - to create an explorable framework. - detritus
    • That was what I thought too at first. But it seems like a lot of people are interpreting it as you need to opt users into every cookie. - yuekit
    • i.e., you can't even use Google Analytics without getting the user's permission first. - yuekit
    • I'm all for protecting privacy, but including IP address and cookies (as with the previous EU cookie law) in that is silly. - yuekit
    • Yeah, because a lot of the people interpreting it incorrectly are in America and trying to cover what they presume is a litigious hellscape. - detritus
    • On my 'GDPR' note I actually mention that, as an aside, I've taken off Google tracking from my site - not because, just besides. - detritus
    • Right and it's probably no big deal for you or me -- but there are a lot of medium sized businesses that rely on those sorts of analytics. - yuekit
    • The crucial point is that a user to 'my' site would otherwise share their identifiable user imprint with a 3rd party such as Google - that *should* be stated. - detritus
    • having that as an optionable check in or otherwise is entirely up to the site owner - a simple statement that it is happening should suffice. - detritus
    • I take this as a global opportunity to scrutinize the debacle that has become user tracking on the internet. If things are tricky for a while, so be it. - detritus
    • I'm fed up with the Googleplex sticking its nose into every possible detail - ye olde webserver stats are fine enough for most needs. No NEED for 3rd parties - detritus
    • (Unfortunately) I spent a few hours earlier this week reading up on the law... and a common interpretation seems to be that this is NOT up to the site owner. - yuekit
    • You are now obligated to get user consent for every cookie if the person is coming from the EU. And you can see big sites such as CNN now doing this. - yuekit
    • Funny thing is, simply by geotargeting EU users you are gathering their IP. So arguably by attempting to comply with the law you are already breaking it. - yuekit
    • Again, I'm not sure how hard and fast things are - as a counter, I've seen lots of big organisations simply state what they do, and if you don't like it, leave - detritus
    • That was how the old EU cookie law worked. The whole idea of GDPR is that you need to get consent from the user for everything. - yuekit
  • i_monk0

    One of a few US news sites blocking EU readers because they haven't complied with GDPR.