For example:
> And apparently typing your name, age and other information is not consent. How is this supposed to work by the way? I give you my name but I don’t consent to you using it or remember it?
The way it's phrased is misleading. If you need the data and are going to use it in the obvious way, e.g. for shipping a parcel to my address, legitimate interests works fine. If you're a scumbag marketer or data broker/reseller (etc), then yeah, it's going to impact you. That was the idea.
So instead of bikeshedding arbitrary scenarios, let's do something more productive with our day.
So, consent is given for a purpose, and you can't really do that with just an input box. Hence the fancy opt-in modal dialog wizard thingies, and the checkboxes at registration/payment time, and so on.
I saw the headline and thought I'd verify my suspicion here in the comments (Confirmation Bias!) before spending my time on the article.
Same thing here. Yes GDPR has no mechanism to enforce these things. It's up to everyone to respect the law and enforce it upon themselves. If you don't respect laws, then you don't respect 'em, simple as that. Eventually, you will get caught.
> But do you know what data I have access to when you come on my website? Well only your IP and some information about your computer and browser. That’s all.
It's pretty well known by now that that's often more than enough to identify a specific user. "That's all" really undersells it.
> It’s true I can create an ID and save it on your browser (I can do much more but we will stay focused). Your browser, not your computer.
That's effectively the same thing -- the vast vast majority of users don't use more than one browser per device, and I'd be willing to bet that the few who do use more than one mostly use them for different websites.
> So the very first thing you need to understand about data privacy is that YOU protect your own data by not giving it away without thinking.
And here it is. This article is basically just victim blaming. "You didn't want this website to identify you based on the unique combination of user agent, viewport, and feature detection? Then you shouldn't have visited this website with that user agent, screen size, and set of features enabled in your browser."
I think the public is divided on the issue and has no consensus nor common language for matters of privacy.
Another thing the author doesn't mention is that GDPR sets a minimum amount of cost/effort to run a website that's way beyond the actual hardware cost and the cost of making the website itself. It requires every website operator to be familiar with how GDPR works, because you need to know whether you're collecting personal data (you probably are) and how you need to handle it. Furthermore, if you are collecting personal data then you must respond to emails of users who request to know what data you know about them within a set amount of time. In the case of a small website, such as a forum or blog, I would consider the cost imposed by GDPR to be greater than the cost of making the website itself and renting hardware to run it. I think it disproportionately impacts smaller sites. It essentially leads to small sites simply breaking the law and hoping that nobody complains about them.
> [...] GDPR sets a minimum amount of cost/effort to run a website [...]
This is simply false. If you want to post something on the 'net, nothing changes. You want to count page downloads? (You know those old school CGI counters.) Nothing changes. You want to know how many individual visits you got? Well, you need to try to distinguish between new and returning visitors, hence you might put a cookie on the visitor's browser/client/useragent, now you need to ask nicely, because it's eerily easy to use that cookie for a lot of other purposes. (Similarly if you would try to use something else, like IP address, and/or browser fingerprinting.)
And so on. Yes, I like pretty graphs about visitors (browser screen size distribution, fancy geoip charts, etc), but so do the people that live off the not so innocent usage of this kind of data.
And yes, if you collect personal data, then you should be able to protect it. This was always the case, GDPR simply states this and tries to create a mechanism that forces data holders to act accordingly (via the mandatory data breach reporting). Again, similarly, if you handle a lot of data you should be able to accurately take stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.
> I think it disproportionately impacts smaller sites.
Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.
GDPR at least makes WordPress, discourse, and random blog and forum engines able to deal with the reality of how much value their databases represent nowadays.
No, as I read it, it excludes sites that do not engage in economic or professional activity. It is specific about what personal means and its definition is not necessarily the colloquial definition of personal.
So, as a layman, by my reading getting donations makes your site covered, running ads makes it covered, allowing people to sell things makes it covered, people connecting for jobs makes it covered, using it as advertising for your professional career (i.e. a blog post that says you're looking for a job) makes it covered, etc.
Or maybe it doesn't cover those but then I'd need (and thus need to pay) a lawyer to know, wouldn't I? Lawyers aren't cheap compared to the cost of modern web hosting.
And next to no websites actually fall under this exemption. Furthermore, simply knowing that your website falls under this exemption comes with a cost. You must know that your website falls under this exemption, requiring you to know GDPR and/or requiring a lawyer to look it over (high cost).
> This is simply false. If you want to post something on the 'net, nothing changes.
Simply having to know what GDPR is, what it covers, and whether you fall under it has a cost. So the statement that nothing changes is patently false.
Also, I'm pretty sure that by default most software that serves websites would already put you under GDPR, because it collects IP addresses and they're considered personal data.
> Agreed. But small sites were always at the mercy of random script kiddies. They always lacked resources to properly handle updates/upgrades, security, data, end-of-life termination, etc.
So, because there were other limiting factors for them we might as well make it illegal to run such websites? I guess I can understand why the EU's tech sector is doing so poorly.
> Again, similarly, if you handle a lot of data you should be able to accurately take a stock of what kind of data you have about whom, hence the requirement to respond to these inquiries.
But it's not about that. It's "if you handle any data then you must constantly be available to tell users what data you have about them". This, ironically, puts people's data at risk, because suddenly you forced website owners to reply to phishing requests. What's the chance that every single website owner everywhere never gives out personal data to the wrong person? I would say that that chance is effectively zero.
GDPR is a great step towards empowering consumers. Give the industry and regulators more than 1 year to change its behaviors and set new standards.
It should be just as easy to agree as to decline. If not, then they are likely not adhering to the regulation, and eventually someone will/could alert them or whatever authority.
The author also points out the double set of cookies, which is how most sites deal with tracking. One set of cookies that do not collect PII, that just tell the other set of cookies to turn on or off.
I respect that the writers of GDPR did not confer with the industry insiders beforehand. However, with how poorly some of it understands the technology (implementation of cookies is a great example), I wish they would have had a bit more understanding and drafted a better bill.
That's cool. If something can identify me uniquely then it's personal data.