Comment by MereInterest

5 years ago

Exactly this. Every time I read about GDPR compliance, it feels like a very well-designed set of guidelines that are easy to follow ... IF you aren't stalking users. The complaints about it have the same tone as the Guild of Assassins complaining that laws against murder are really hard to comply with in their industry. Of course they are, and that's the point.

--------------

Hypothetical conversation with a Malicious Advertising Website:

MAW: Can I stalk my users without telling them?

GDPR: No, you must have consent to track users.

MAW: So I can assume I have consent because they're using my site?

GDPR: No, the consent must be explicit.

MAW: Got it, I'll put it somewhere in the fine print of the terms of service.

GDPR: Uninformed consent doesn't count. Fine print doesn't count as informing users.

MAW: Okay, so I'll have a banner with an obvious "accept" button and several hidden steps to opt out.

GDPR: Nope, it must be just as easy to retract permission as to grant it. If it's a single step to accept, then it must be a single step to reject.

MAW: In that case I'll have the "reject" button kick them off the site.

GDPR: Consent must be freely given, and having a service be conditional on consent is coercion. Consent to track may only be given as a gift, and not as an exchange.

MAW: WAAAH!! This is so hard!!

---------

Hypothetical conversation with a Non-Malicious Website:

NMW: I don't track any information about visitors to this site, and only serve non-targeted advertisements.

GDPR: Sounds good, go right ahead.

NMW: Say, I want to make a "To-Do List" site. Do I need to warn users that I'm going to remember the to-do items for them?

GDPR: Nope, no issue there. That's necessary for the service to function.

NMW: Huh, this is really simple.

MAW: Never mind, I'll identify users via browser fingerprinting.

GDPR: Browser generated information was ruled personal data and falls under GDPR.

MAW: Just let me stalk my users without their consent, goddammit!

> Every time I read about GDPR compliance, it feels like a very well-designed set of guidelines that are easy to follow ... IF you aren't stalking users.

There's a difference between being compliant and being _in compliance_. There's a real cost to the latter. Why should sites that primarily serve non-European readers bother with it? The assumption that they don't because they're all greedily stalking users is a misguided, but popular, cynical take.

  • I'm not sure what the distinction is between the two. Is one of those having a verified system to ensure that you are compliant, while the other is merely being compliant but unprovably so?

It looks like a great tl;dr, but I'm not an expert on GDPR.

nice

  • It's a nice summary of the GDPR, and following this TLDR in good faith will get you in compliance (at least enough to avoid scrutiny from the regulator).