189 comments

  • sega_sai 7 days ago

    I think the title is clickbaity. The EU proposes to simplify the law rather than abolish it, which makes sense to me.

    • bambax 7 days ago

      And in the world of bureaucracy, "simplification" doesn't mean what you'd think it should mean.

      "Simplification" consists in adding exceptions, which are in effect additional rules and special cases.

      Simplification actually means everything gets more complex.

      • Gud 7 days ago

        Not necessarily.

      • aleph_minus_one 7 days ago

        We live in an Orwellian world:

          War is peace.
          Freedom is slavery.
          Ignorance is strength.
          Simplification is complication.
        • NikkiA 7 days ago

          "Si vis pacem, para bellum"

          we have always lived in that world.

        • tmpz22 7 days ago

          Alternatively:

          Peace is a lie, there is only passion.

          Through passion, I gain strength.

          Through strength, I gain power.

          Through power, I gain victory.

          Through victory, my chains are broken.

          The Force shall free me.

          • bigbadfeline 7 days ago

            > Peace is a lie, there is only passion.

            Lie is Truth... sure, sure.

            > Through passion, I gain strength.

            Weakness is Strength

            Sounds like a 1984 sequel from 1939.

    • remus 7 days ago

      Indeed. Relevant quote from the article:

      "The Commission said previously that the simplification plan will focus on reporting requirements for organizations with less than 500 people, but will not touch the “underlying core objective of [the] GDPR regime.”

      Adjustments could include limiting requirements to keep records of data processing activities, or reforming how businesses provide data protection impact statements — two rules seen as overly cumbersome to smaller firms."

      Sounds pretty sensible to me.

    • drooopy 7 days ago

      Politico is known for its clickbait titles.

      • mmooss 7 days ago

        They are owned by Axel Springer, whose CEO and part-owner is extreme neo-capitalist Mathias Döpfner, and their news follows his philosophy (or similar ones) as if they are fact, at least at times. The headline depicting privacy regulation as a 'bonfire' is not surprising; I think they were different before the recent corruption of professional journalism by similar people (there is some good journalism remaining!).

        Regarding Döpfner, he tried to fire an editor at Business Insider (another Axel Springer publication) because Wall St power player Bill Ackman didn't like their coverage of Ackman's wife. [0] He's taken positions such as, "I am all for climate change"; and "Free west, fuck the intolerant Muslims and all the other riff-raff." [1]

        Politico has published articles saying, "Time to Admit It: Trump Is a Great President. He's Still Trying To Be a Good One.", claiming "The most consequential presidents divided the nation - before “reuniting it on a new level of understanding." (by founding editor and global editor-in-chief John Harris). [2] And another that claimed, as news and not opinion, that disinformation concerns were a "panic" and now outmoded. [3] At least some of their coverage of American politics assumes - again as news fact, not opinion - that anything the left does is ridiculous.

        I actually want to know the reality of things, as much as possible, so I will hardly read them anymore.

        [0] https://www.semafor.com/article/04/21/2024/axel-springers-tr...

        [1] https://www.theguardian.com/world/2023/apr/13/axel-springer-...

        [2] https://www.politico.com/news/magazine/2025/01/21/harris-col...

        [3] https://www.politico.eu/article/nobody-tricked-vote-donald-t...

  • terminalbraid 7 days ago

    At the minimum I'd hope they a) do away with the worthless cookie banners requirement b) cut some generous but reasonable slack to small organizations.

    Interesting timing with the digital sovereignty movement.

    • bad_user 7 days ago

      The cookie banners aren't worthless. The websites presenting cookie banners either don't know the law, or are engaged in spyware shit. You don't need a cookie banner if you need it to provide a service that the user expects (e.g., saving settings, login).

      As an EU citizen, I'm not concerned about your need to observe my behaviour or to prevent ad-click fraud. What I care about is websites sharing my navigation history with Google or the rest of the advertising industry, so yes, I'd like to be informed of it.

      Personally, instead of having banners, I'd just ban the practices altogether (e.g., targeted advertising, 3rd party analytics), which would certainly simplify business.

      • tzs 7 days ago

        > The websites presenting cookie banners either don't know the law, or are engaged in spyware shit. You don't need a cookie banner if you need it to provide a service that the user expects (e.g., saving settings, login).

        There's quite a lot between "engaged in spyware shit" and "service that the user expects".

        For example if I want to add first party analytics to my site, the data from which I will use solely internally to try to figure out what pages people like and which they do not like, it is not "spyware shit" if I explain what I'll be using the data for and get permission from the user--and getting that permission needs a cookie banner.

        • Gud 7 days ago

          Are cookie banners really a requirement in that case? I think as long as you don’t share the data with a third party you’re in the clear?

          • schnubbidubb 7 days ago

            Matomo for example has an explanation how to gather data without having to display a banner: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-anal...

          • cbeach 7 days ago

            Yes. For example, if you want to track unique users (for the most rudimentary analytics), you'll need to put a uuid in a cookie on their browser, and you'll need to damage your UX with a stupid cookie consent popup, thanks to EU Directives.

            This is not nefarious data collection, and it shouldn't need user consent - but it does, because EU lawmakers were overzealous and careless when designing their regulation.

            • awiesenhofer 7 days ago

              No, you don't! Only if you use third-party services to do that or collect data that's not essential to your business. It's just colloquially called a "Cookie Banner", but the laws DON'T require you to put up one as soon as you set one cookie!

              • cbeach 5 days ago

                It does if the cookie contains any uuid that might be linkable to a user's identity (which is obviously necessary if you want to perform rudimentary self-hosted analytics on unique user visits)

                • EGreg 5 days ago

                  Only if it is a “tracking cookie”, and lasts for more than one day. But how do they define these terms ??

            • addicted 7 days ago

              The website can also choose not to track me on an individual basis.

              • cbeach 7 days ago

                I'm talking about rudimentary analytics with no harmful consequences for you as an individual

            • const_cast 7 days ago

              You don’t require any for cookies that facilitate necessary site functionality, like login or, in this case, a uuid.

              There’s widespread misunderstanding of the law.

              • cbeach 6 days ago

                In the UK (and broadly under the UK GDPR and PECR – the Privacy and Electronic Communications Regulations), yes, you generally do need to get consent before setting non-essential cookies, even if it's just for rudimentary analytics like a unique visitor count.

                Here's the key distinction:

                Strictly necessary cookies: No consent needed. These are required for the site to function properly (e.g., shopping cart cookies, login sessions).

                Analytics cookies (including the case with a unique ID for tracking visitors): Not strictly necessary, so consent is required.

                Even if the data is anonymous or pseudonymous (like a randomly generated unique ID), if the purpose is analytics and it involves storing or accessing data on the user’s device (like setting a cookie), you must ask for consent.

        • rekabis 7 days ago

          > if I want to add first party analytics to my site, the data from which I will use solely internally to try to figure out what pages people like and which they do not like,

          This is doable entirely on the server side, provided there is no caching or CDNs that get in the way.

          What you lose with that method, however, is all the spyware-like shit that analytics tends to gravitate towards.
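A minimal worked example of the server-side approach rekabis describes, added by the editor and not code from any commenter: it aggregates page views per day and per path straight from the web server's access log and never keeps the client IP, referer or user agent, so no visitor identifier is stored at all. It assumes the log is in the common Combined Log Format; the log lines, the `STATIC_PREFIXES` filter and the example paths are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (Combined Log Format); not real traffic.
# Addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:10:01:02 +0000] "GET /pricing HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:10:01:03 +0000] "GET /static/app.css HTTP/1.1" 200 812 "https://example.test/pricing" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:10:05:44 +0000] "GET /pricing?utm_source=mail HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:10:06:10 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jun/2025:08:00:00 +0000] "GET /blog/hello HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jun/2025:08:00:01 +0000] "GET /missing HTTP/1.1" 404 120 "-" "Mozilla/5.0"
not a log line at all
"""

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical prefixes for assets that are not "pages" for analytics purposes.
STATIC_PREFIXES = ("/static/", "/assets/")


def page_views(log_text):
    """Return {date: {path: count}} for successful GET page requests.

    The ip, referer and ua groups are matched so the line parses, but they are
    never read: nothing that could single out a visitor leaves this function.
    """
    views = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line: skip, do not guess
        if m["method"] != "GET" or m["status"] != "200":
            continue  # only rendered pages count as views
        # Drop the query string: it is the usual place for tracking parameters.
        path = m["path"].split("?", 1)[0]
        if path.startswith(STATIC_PREFIXES):
            continue
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        views[day][path] += 1
    return {day: dict(counts) for day, counts in views.items()}


def top_pages(log_text, n=3):
    """Most viewed paths across all days, as (path, count) pairs."""
    total = Counter()
    for per_day in page_views(log_text).values():
        total.update(per_day)
    return total.most_common(n)


if __name__ == "__main__":
    for day, counts in sorted(page_views(SAMPLE_LOG).items()):
        print(day)
        for path, count in counts.most_common() if hasattr(counts, "most_common") else sorted(counts.items()):
            print(f"  {count:5d}  {path}")
    print("top:", top_pages(SAMPLE_LOG))
```

Run as a script it prints the per-day table and the top pages. The trade-off the thread argues about is visible in what the code cannot do: it yields page-view counts and "which pages people like", but not unique visitors, because nothing that would distinguish one visitor from another is retained. As the comment above notes, if a CDN or cache serves pages without reaching the origin, those views never hit this log and are undercounted.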

      • milesrout 7 days ago

        Cookies aren't spyware. If you want to disable them, disable them in your browser. It is something you send to the server. Not something they do on their end.

        Surely people here are aware of that?

        • Boltgolt 6 days ago

          The issue is when you want to be able to stay logged in to a site, but do not want Google track you across the internet. Cookies do not differentiate between what they are used for, so sites have to make it clear only if they are going to track you. You do NOT need a cookie banner if you're not tracking your users

    • Hojojo 7 days ago

      I don't see why small organizations should get to be more careless with my personal data than anybody else. The value of my privacy doesn't change just because of the size of the company.

      • m463 6 days ago

        I wonder if the "modern" war in Ukraine is making people think about privacy.

      • milesrout 7 days ago

        It isn't "your data". Which pages you have viewed on my website is my data. It relates to you but it does not belong to you.

        You don't have any privacy right to control data that belongs to other people and happens to relate to you. Privacy is about the state needing a warrant to enter your home and search it or to wiretap you. The idea it has anything to do with information you GIVE to websites by visiting them is a complete delusion.

        • Hojojo 6 days ago

          I'm glad the EU and most Europeans disagree with you. Because this take is just wrong on so many levels and I'm not sure where even to begin.

          • milesrout 6 days ago

            i.e. you have an instant emotional reaction but no actual arguments.

            • razakel 6 days ago

              European law has established various rights regarding data concerning an individual since 1981.

              • milesrout 6 days ago

                Thankfully European statutes don't have anything to do with what words actually mean in the English language and don't override basic logic.

                The idea that you have the right to control eg. my opinions about you, just because they happen to concern you, is fundamentally contrary to the most basic right we all have: freedom of expression. The cornerstone of civil and political rights.

      • ivan_gammel 7 days ago

        They should not be careless, but they can be spared some paperwork as long as they stay compliant with the spirit of regulation.

        • diggan 7 days ago

          If you're careful about how you store personal data in the first place, meaning you start a greenfield project today, being compliant with GDPR is a breeze. You make it sound like there is a ton of paperwork to fill out because of GDPR if you start a business today, which there isn't.

          • ivan_gammel 7 days ago

            >If you're careful about how you store personal data in the first place

            Unfortunately this is a really big "if" looking at typical businesses. They have no idea about how compliance should work and they also hire barely qualified people for marketing teams (often interns), who may accidentally add some privacy-breaking stuff. To prevent that they hire an external DPO and then deal with the paperwork for that DPO, who never visits the company onsite and never meets the real people touching privacy topics.

            So no, it's not a breeze, because there's generally not enough expertise, and the temptation to use American non-compliant MarTech is high.

            One possible solution to that could be a pan-European registry of data processors with enough metadata to a) generate a privacy policy, b) request correct consent, c) provide a compliance implementation checklist for non-trivial cases. There could be a small fee for adding services to this registry, but that would make maintaining compliance much easier.

            • diggan 7 days ago

              Yeah, compliance for people who weren't careful before indeed is harder than for the rest. I think this works as expected?

              Consider if wire fraud wasn't illegal before, but next week there is a new law coming into effect that makes it illegal. Of course all the companies who were doing wire fraud since before will struggle to be compliant, some might not even be feasible to run anymore if their core business becomes illegal.

              Again, sounds like it works as expected; compliance for organizations who have been ignorant for a long time is expected to be more cumbersome.

              • ivan_gammel 7 days ago

                I think you did not understand my comment.

                1. It is a problem for greenfield projects too. Not everyone has sufficient expertise to be fully compliant from the beginning. The accidental non-compliance is possible and there's usually a cost to prevent it.

                2. It may work as expected from EU charter perspective, but current implementation is adding extra to an already high bureaucratic workload. My point is, it can be better than that.

                • diggan 7 days ago

                  > It is a problem for greenfield projects too. Not everyone has sufficient expertise to be fully compliant from the beginning

                  Saying it's complicated because of missing experience or knowledge is like saying creating a CRUD application is difficult. Yes, it might be difficult if you've never done it before, but that doesn't mean the thing itself is complicated, just that you potentially lack experience.

                  Instead, I'd say it would be complicated if it's hard even if you have experience and knowledge about it. And for GDPR and safely storing data, it isn't difficult in a greenfield project if you have experience with it.

                  > but current implementation is adding extra to an already high bureaucratic workload

                  As someone who has helped SMEs become GDPR compliant, in terms of engineering, there really isn't a high bureaucratic workload unless you were already very careless with how you stored data. For the ones who considered how personal data was stored for more than half a second, becoming GDPR compliant was mostly about confirming things rather than having to shift things around.

                  Few companies, though, had huge problems, as they 1) were revenue dependent on selling user data or 2) never considered how they were storing or protecting personal data at all.

                  If you're speaking from the experience of those last companies, then again I think it works as expected.

                  • SOLAR_FIELDS 7 days ago

                    This is mostly true with security compliance in general from my experience. SOC II, for instance, is pretty straightforward if you were already doing things in a sane way. It’s only a lot of work if you were previously sloppy with security and need to rectify that

                  • ivan_gammel 7 days ago

                    Ok, let me try to explain once again:

                    > if you have experience with it

                    This must not be an expectation for any regulation that applies to business in general. Let's say I just graduated from a college where I learned to be a plumber. I registered my firm and now want to acquire customers online, so I hire some local agency to build a website and an order form. You cannot realistically expect that I have any experience with GDPR or fully understand its requirements. It is the job of legislators to ensure that I can achieve compliance with minimum effort. But now I have to carry the burden, because no business can survive without digital marketing channels and I have to outsource the compliance work to ensure I don't accidentally break the law. In comparison to the pre-digital era, doing any business today is more expensive and, I'd argue, it's unnecessarily more expensive. It is not how it should have been done and it doesn't work as expected from a business point of view. Non-compliant businesses are not those who are malicious or ignorant; they can make mistakes because legislators did not help them.

                    • SOLAR_FIELDS 7 days ago

                      This kind of line of thinking assumes a couple of things:

                      1. People are doing things the “wrong” way in the first place. It’s already been established that compliance isn’t hard if you are doing things the “right” way.

                      2. Compliance is hard. It really isn’t if you are doing things already the right way

                      Ultimately GDPR is not the problem, it's people getting into tech that either have no understanding or respect for the data of others wanting to do business. You wouldn't expect me to be building bridges without complying with bridge building standards, would you? Why is this any different? Lives are not directly on the line here, but the consequences of being sloppy with data are still very bad. This whole paragraph puts the cart before the horse because it assumes the most important thing is that the person in question is supposed to be able to transact business, not that the most important thing is to protect the personal information of people.

                      I’m not expecting the plumber to be a technologist. If the plumber wants to roll his or her own technology, fine, deal with the compliance headache. I expect the plumber to instead pay someone to figure out how to build the thing properly, just like how I don’t go building load bearing structures on my home myself because I’m not a structural engineer and don’t want to spend the time learning how to do that.

                      • ivan_gammel 7 days ago

                        > I expect the plumber to instead pay someone

                        This is a fundamentally wrong expectation. To preserve the spirit of the EU charter one does not need a law where every business engaging with customers online has to pay a compliance tax to another medieval guild of experts.

                        • SOLAR_FIELDS 7 days ago

                          Do you do your own structural engineering or do you pay someone to do it who is qualified to do so in the EU? Structural engineering compliance is a medieval guild of experts, is it not?

                          Do you practice your own medicine in the EU or do you pay someone to do it? Medical compliance is a medieval guild of experts, is it not?

                          • ivan_gammel 6 days ago

                            What you are doing is a classical straw man argument. I'm not disputing that plumbers, doctors etc. should be aware of their professional regulations. However certain regulations aren't job-specific and work like a tax, e.g. if you look at notary costs related to registration of a business in Germany. Regulations like GDPR apply to the business environment in general and they have to be designed so that the costs of compliance and risks of non-compliance are minimized. They are supposed to be followed by non-professionals, because privacy is not the job of a DPO, it's everyone's concern. What you fail to understand in my comments is that part. I'm not disputing the usefulness of GDPR. I'm saying that rather than strangling businesses with high compliance costs and complaining that everyone is choosing to show a cookie banner instead of not tracking, we should look at how to avoid this nonsense. As a matter of fact, non-compliance is rife, people do cut corners and take the risk, because DPAs cannot catch or punish everyone. GDPR is suppressing the most egregious behavior, but it is certainly not working as expected. It needs some careful reform.

                            • SOLAR_FIELDS 6 days ago

                              > However certain regulations aren’t job-specific and work like tax, e.g. if you look at notary costs related to registration of business in Germany.

                              This is not that. You’re making it sound like every business has to jump through all of these hoops as a matter of doing business. You know how to not be bound by GDPR? Don’t bother storing sketchy cookie data or PII. The plumber in your example could just… not do that and not have to worry about compliance. It’s only but for the plumber choosing to store that data that they opt to be bound by the regulation. It’s not a requirement for them to operate. If the business feels like they need to store the nuclear waste, then I need to know that they are storing it properly. They could just not take in and store the nuclear waste and then there’s no compliance burden. 9 times out of 10 they don’t need it to transact their business anyway, and the tenth business probably only exists but for the sketchy data.

                              In the end we have arrived at the same conclusion: probably the regulation itself, the baby, has some dirty bath water. Any regulatory framework of any significant complexity does, especially a landmark first of its kind in scope regulation in the world. So we should not toss both out. We should try to get rid of just the bath water.

                              With above said, the plumber is not absolved here. Why did they need to store my PII again? I very much value the fact that they have to think about and answer that question. So whatever improvement should just streamline that process and not get rid of it.

                              • ivan_gammel 6 days ago

                                Can you please read my comments in this thread in full and not just pick some parts of them?

                                I already explained that most businesses are not experts in privacy and usually become non-compliant accidentally, without malicious intent. If a plumber goes to some advertisement platform to promote their services online, they are not making a fully informed decision with regards to privacy implications. They buy promises of lower CACs. They do not buy the storage of PII, nor do they fully understand that targeted advertisement involves storage and processing of PII. And regulation requires them to either fully understand the process or spend money on an external consultant. That's stupid: GDPR moved the responsibility to protect human rights from those who aggregate a lot of data to the little guy. What really should have been done is a requirement for MarTech to support "Do not track" on the protocol level and risk being fined or banned from the EU. It does not make sense to ask users again and again on different websites if they are ok with tracking by FancyMarTech LLC, when those users already gave the answer somewhere.

                                It's just one example. And then there's the case of storing PII in a Google Spreadsheet: everyone does that. Nobody mentions that in their privacy policy, even if a DPO is involved. And probably they should not. Regulation should also consider the public risk. If one of those millions of spreadsheets with a hundred names is leaked, let's fine the owner, sure. But let's not make a big compliance process for every owner of those millions of spreadsheets. Let's say: Dear Google, if you want to work in the EU, you cannot share the data of EU users with the NSA or anyone. Keep it safe. Figure this out, we don't care how. We really should put 99% of the compliance burden on processors and spare controllers.

                                • SOLAR_FIELDS 6 days ago

                                  Thanks for sharing some in depth examples. Why is the marketing firm/platform not on the hook for noncompliance in your first example? That’s kind of where the metaphor falls apart for the doctor and structural engineer examples, because in this case if you were found to be liable the responsibility would actually fall on the doctor/structural engineer. Like if I hire a structural engineer and they build a thing that fails, they’re ultimately on the hook for it, not me. Why is it not the same here?

                                  Your Google spreadsheets example is not, in my opinion, a good example of GDPR failure. I genuinely believe if people are dumb enough to keep PII in spreadsheets they deserve to be fined out the ass. “Everyone is doing it” is a poor justification for such risky behavior. The plumber in your example would never use the wrong pipe fittings or make dumb mistakes like that in their line of work. And if they did, they would understand that they would be on the hook for that. Why should they be absolved of responsibility in some other line of work simply because “everyone does it this way”?

                                  Your example reminds me of HVAC technicians in the States who vent refrigerant into the atmosphere. “Everyone” does it because it’s way easier and more convenient to just do it and ignore the regulations, but the long term consequences for the environment are horrific. I’m sure if I asked those HVAC technicians they also would describe the regulations that they don’t want to abide by as onerous and not necessary.

                                  • ivan_gammel 5 days ago

                                    >Why is the marketing firm/platform not on the hook for noncompliance in your first example?

                                    Because they act in good faith and expect that consent is collected before their script is executed. This is usually written in their ToS, e.g. see Google Analytics. Google expects that you maintain compliance and if, because of your failure to stay compliant, they collect PII without consent, you are liable for the damages. See what happens? Every small business who wants to know something about the visitors of their website is now on the hook. They are expected to understand GDPR, to understand the legal details of Google's ToS etc. Since you cannot avoid having a digital presence today, this looks pretty much like a compliance tax.

                                    >I genuinely believe if people are dumb enough to keep PII in spreadsheets

                                    You are speaking about the majority of the population of this planet now. Everyone has prepared at least once in their life a list of contacts to send wedding invitations, a list of customers for a freelance job, etc. People are not dumb. They just keep doing what they were always doing: having a sheet with a list of contacts. And honestly, they should continue, because why not? Why should we put significantly more thought into this simple task? Yes, the tools have changed and we now have implicit privacy and security risks associated with them. We should fix the tools and assign liability properly.

                                    • SOLAR_FIELDS 5 days ago

                                      > Because they act in good faith and expect that consent is collected before their script is executed.

                                      This is the unaddressed rub here. If the doctor commits malpractice in good faith, they’re still liable. If the structural engineer built a bridge that collapsed in good faith, they’re still liable. Why does the marketing firm get off the hook here?

                                      The argument being presented here, that regular people should continue to be allowed to do Sloppy and Dangerous Thing, because it’s normal, is not sufficient. It also used to be normal and way easier for people to get on a plane without being strip searched and their privacy being violated. Society decided that forcing regular people to go through a ton of more hassle for safety was worth the trade off. The security is mostly theater, the implementation is burdensome, onerous and unpopular and a regular person is expected to navigate some kafkaesque nightmare with a bunch of rules and might unknowingly burn themselves. But we sure as hell don’t see a ton of plane hijackings any more, do we?

                                      • ivan_gammel 5 days ago

                                        >Why does the marketing firm get off the hook here?

                                        You may be surprised, but this is how this regulation is designed. Per GDPR it is the duty of the controller to ensure compliance. The processor acts per instructions from the controller. MarTech is not allowed to do anything outside of their contract with their users, but they are also not required to enforce consent collection, only to assist controllers with that when possible.

                                        >The argument being presented here, that regular people should continue to be allowed to do Sloppy and Dangerous Thing

                                        No, this is not the argument being presented here. Storing personal contacts or advertising is not "sloppy and dangerous thing" per se. The privacy risk is not that someone is processing your PII, but that this data may be used to harm you by processor or 3rd party. So the goal of regulation should not be to prevent processing, but to minimize such risks with minimal costs for society. If regulation focuses on just risk, but does not consider the costs, it must be fixed and solutions should be found that enable typical use cases.

                    • diggan 7 days ago

                      > This must not be an expectation for any regulation that applies to business in general

                      Why not? We have that for a bunch of professions already, and for good reasons. You can't just claim to be a doctor, run a hospital or work as an electrician; you need to prove you're able to, before you can do certain things.

                      Engineers should already be data-aware by default, regardless of regulations, since we do have the expertise to understand it. Then I guess the expectation was initially kind of that businesses would self-regulate, but seemingly not, so here comes the end of the cowboy developer days, if you want to build large companies that handle people's personal data at least.

                      > You cannot realistically expect that I have any experience with GDPR or fully understand its requirements

                      If you build websites where the idea is that you store people's personal data, then yes you should understand what that means and how that works. Like if someone called a plumber for a pressure problem, and the plumber says "How am I expected to understand how that works in your specific house?!", of course I expect the plumber to know their shit around their profession. If you don't understand the technology nor what rules you have to follow, then don't go into that profession.

                      > Non-compliant businesses are not those who are malicious or ignorant, they can make mistakes because legislators did not help them.

                      In my experience, the companies who had a hard time becoming compliant with GDPR were companies that either made their revenue by selling user data, and now had to make a lot of changes, or companies that were careless with data in the first place, not thinking twice about where to store things or who has access to what.

                      I'd be happy to see any sort of counter example of a company that A) doesn't make their revenue based on selling personal data, B) have a thoughtful architecture/design for data in the first place, together with C) had a difficult time becoming compliant with GDPR.

                      • ivan_gammel 7 days ago ago

> Why not? We have that for a bunch of professions already …

                        > Engineers should already be data-aware by default

                        Most businesses in this world are not run by software engineers. Engaging with people for whatever reasons via digital channels is not a profession. I don’t really understand your point: as I said already several times, the law can and should be improved. Do you disagree with that? Do you insist that every plumber or relocation business should be an expert in GDPR?

                    • const_cast 7 days ago ago

                      [dead]

          • Hojojo 7 days ago ago

            This pretty much. I've had a lot to do with GDPR in the projects I'm involved with. It's largely trivial if you aren't already doing terribly risky things, in which case yeah, it's a pain, but it doesn't change the necessity of fixing issues that put user private data at risk (with or without the GDPR existing). GDPR just puts more incentive on solving issues in regards to privacy instead of just letting companies shrug and move on because it's not their problem if data is stolen or leaked or letting them do what they want with the data without permission.

      • cbeach 7 days ago ago

The cookie banners don't make companies less "careless".

        They just introduce a needless bit of friction in the UX.

        If the EU wanted to prevent digital identity triangulation or cross-domain advertising data gathering, it should have banned it outright. Rather than getting all users to click a stupid banner every time they visit a website.

        • diggan 7 days ago ago

          So, since they didn't ban it outright, doesn't it make it clear that the goal wasn't to remove it fully? The goal was to let users be informed about it, so they can make their own choice, not to remove the choice at all.

        • alextingle 7 days ago ago

          The EU didn't mandate that annoying UI. That's malicious compliance from businesses who are trying to undermine the law.

          • cbeach 7 days ago ago

            You're suggesting that companies ruin their own UX to "undermine a law?"

            That this is all a big conspiracy by nearly every company on the web against our precious overlords in the European Commission?

            • viraptor 7 days ago ago

              The core of the system is simple - you list the third parties you send data to, you make accepting and rejecting equally easy.

Consider basically any popup on a popular website which: takes over most of the screen, makes "accept" the highlighted action button, requires going through "customise" to reject, sometimes requires unchecking categories manually, puts "save and exit" and "accept all" that do the same thing next to each other, either hides or does not provide "reject all", etc.

There is no conspiracy here. You can either not use third parties, or if you do, your approval system doesn't have to be obnoxious at all, but almost every page makes it a shitty experience to 1. Make you accept out of frustration. 2. Make you angry that this is asked in the first place.
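The "simple core" described in the comment above, written out as an added example (this is not code from the thread or from any consent vendor): the third parties are listed per category, nothing non-essential loads until the user has explicitly decided, and "reject all" is one call with the same shape as "accept all", so neither path needs a detour through a customise screen. The category names and vendor hostnames are constructed placeholders.

```javascript
// Added example: a minimal default-deny consent state for a site that uses
// third-party services. Category names and recipient hostnames below are
// constructed placeholders, not real vendors.

const THIRD_PARTIES = Object.freeze({
  analytics: ['example-analytics.invalid'],
  advertising: ['example-ads.invalid', 'example-rtb.invalid'],
});

const CATEGORIES = Object.freeze(Object.keys(THIRD_PARTIES));

// A consent record. `decided` separates "user has not answered yet" from
// "user rejected everything": both mean nothing non-essential loads, but only
// the former keeps the banner visible.
function defaultConsent() {
  return { decided: false, granted: new Set(), decidedAt: null };
}

// "Accept all": one action.
function acceptAll(now = Date.now()) {
  return { decided: true, granted: new Set(CATEGORIES), decidedAt: now };
}

// "Reject all": also one action, identical shape, no per-category unchecking.
function rejectAll(now = Date.now()) {
  return { decided: true, granted: new Set(), decidedAt: now };
}

// Granular choice for users who want it; unknown categories are an error
// rather than being silently accepted.
function accept(categories, now = Date.now()) {
  const granted = new Set();
  for (const c of categories) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    granted.add(c);
  }
  return { decided: true, granted, decidedAt: now };
}

// The gate every third-party script loader goes through: load only when the
// category was explicitly granted. No decision is treated as "no".
function mayLoad(consent, category) {
  return consent.decided && consent.granted.has(category);
}

// What the user is told before being asked: the concrete recipients per category.
function disclosure() {
  return CATEGORIES.map(c => ({ category: c, recipients: [...THIRD_PARTIES[c]] }));
}

// The banner is shown only while no decision exists.
function bannerNeeded(consent) {
  return !consent.decided;
}

// Persist the choice in a first-party cookie value. Reading it back applies the
// same default-deny rule: malformed or tampered values fall back to "undecided",
// and categories the site does not define are dropped.
function serialise(consent) {
  return JSON.stringify({ d: consent.decided, g: [...consent.granted], t: consent.decidedAt });
}

function parse(raw) {
  try {
    const o = JSON.parse(raw);
    if (typeof o.d !== 'boolean' || !Array.isArray(o.g)) return defaultConsent();
    const granted = new Set(o.g.filter(c => CATEGORIES.includes(c)));
    const decidedAt = o.t === undefined ? null : o.t;
    return { decided: o.d, granted: o.d ? granted : new Set(), decidedAt };
  } catch (e) {
    return defaultConsent();
  }
}
```

The one design choice worth noting is that `rejectAll` produces a decided record: a user who said no should not keep seeing the banner, and a script loader that checks `mayLoad` cannot tell the difference between "rejected" and "never asked", which is the point.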

            • awiesenhofer 7 days ago ago

              No need for any "big conspiracy" when nobody is reading the actual law and instead everyone just copies everyone else.

        • vkou 7 days ago ago

          You can eliminate friction in your UX by not collecting data you don't need. It's way less work to, you know, not collect that data.

          I'm not sure why the government is needed to solve a problem that you've gone out of the way to inflict on yourself.

          • cbeach 7 days ago ago

            Let's say I want to improve my site by recording basic user analytics like unique user counts, to produce actionable data. I'm not nefariously collecting their social security number. I'm just putting some uuid in a harmless cookie in their browser so I can track which requests are from a unique browser.

            Thanks to the GDPR I cannot do this without the stupid cookie warning popup.

            In this regard, the GDPR is clumsy lawmaking that results in companies having to behave defensively, hoping that users will accept a damaged UX in order that the company is not fined by the EU.

            • awiesenhofer 7 days ago ago

              > I'm not nefariously collecting their social security number.

In which case, the GDPR doesn't even apply to you! Only if you collect/store PII does the GDPR start to apply!

              > Thanks to the GDPR I cannot do this without the stupid cookie warning popup.

              Again, the GDPR has nothing in it about cookie banners.

              > the GDPR is clumsy lawmaking

It isn't, people are just complaining about it without ever actually reading it or doing much research.

              • cbeach 6 days ago ago

                In the UK (and broadly under the UK GDPR and PECR – the Privacy and Electronic Communications Regulations), yes, you generally do need to get consent before setting non-essential cookies, even if it's just for rudimentary analytics like a unique visitor count.

                Here's the key distinction: Strictly necessary cookies: No consent needed. These are required for the site to function properly (e.g., shopping cart cookies, login sessions).

                Analytics cookies (including the case with a unique ID for tracking visitors): Not strictly necessary, so consent is required.

                Even if the data is anonymous or pseudonymous (like a randomly generated unique ID), if the purpose is analytics and it involves storing or accessing data on the user’s device (like setting a cookie), you must ask for consent.

            • const_cast 7 days ago ago

              You don’t require the cookie popup for this.

              Again, nobody is actually reading the law here. Tech is 99% followers who blindly do whatever without understanding the motivation behind it.

    • ta1243 7 days ago ago

There is no such requirement, unless you want to steal people's data or track them, and why would you want to do that?

    • thomastjeffery 7 days ago ago

      Cookie banners are not a requirement in the first place. They are a convention set by giant risk-averse consequence-free tech companies, and followed by everyone else.

    • e2le 7 days ago ago

> At the minimum I'd hope they a) do away with the worthless cookie banners requirement b) cut some generous but reasonable slack to small organizations.

      Cookie banners aren't a requirement unless you wish to store cookies that aren't strictly necessary (statistics, marketing, etc)[0]. Cookies that are essential for the user to browse the site (login tokens) don't require consent.

      It doesn't help the situation that a large number of sites seem to maliciously comply with these regulations.

      [0]: https://gdpr.eu/cookies/

      • Muromec 7 days ago ago

> Cookie banners aren't a requirement unless you wish to store cookies that aren't strictly necessary (statistics, marketing, etc)[0]. Cookies that are essential for the user to browse the site (login tokens) don't require consent.

So if I use telemetry to catch some dirty frontend blob throwing a hissy fit of an exception and that telemetry is tracking sessions rather than individual events (hello ms app insights) -- is that functional, or statistics, or etc?

        • amiga386 7 days ago ago

          If you are monitoring the system but not its users, then that is not collecting PII.

          To be completely sure, you should eliminate anything that might be considered PII.

So unadorned exception counts would be anonymous, aggregated statistics, which is fine. But exception count reports per IP address, or per session, or where the exception text mentioned the user's PII, would require consent from the user you're tracking by processing that data about them.
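The boundary the comment above draws, as an added example that is not from the thread or from any telemetry product: the same constructed frontend error events are reduced either to anonymous per-exception counts (session and IP dropped, identifiers scrubbed out of free-text messages before anything is stored) or to per-session counts, which is the form that links the data to an individual. The sample events, session ids, IP addresses and the email address are all made up.

```javascript
// Added example: aggregating frontend exception reports without profiling anyone.
// The events below are constructed; ids, IPs and the email address are fake.

const SAMPLE_EVENTS = [
  { type: 'TypeError', message: "Cannot read properties of undefined (reading 'id')", session: 's-1', ip: '203.0.113.7' },
  { type: 'TypeError', message: "Cannot read properties of undefined (reading 'id')", session: 's-2', ip: '198.51.100.9' },
  { type: 'RangeError', message: 'Invalid array length', session: 's-1', ip: '203.0.113.7' },
  { type: 'Error', message: 'Checkout failed for alice@example.com from 203.0.113.7', session: 's-3', ip: '203.0.113.7' },
];

// Patterns that commonly smuggle personal data into free-text error messages.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const LONG_ID_RE = /\b[0-9a-f]{16,}\b/gi; // session tokens, dashless uuids, hashes

function scrubMessage(message) {
  return message
    .replace(EMAIL_RE, '[email]')
    .replace(IPV4_RE, '[ip]')
    .replace(LONG_ID_RE, '[id]');
}

// Anonymous, aggregated statistics: one count per (type, scrubbed message).
// Session and IP never reach the output. `scrub` exists only so the test
// can show what leaks when the message is not cleaned.
function aggregateAnonymous(events, scrub = true) {
  const counts = new Map();
  for (const ev of events) {
    const text = scrub ? scrubMessage(ev.message) : ev.message;
    const key = `${ev.type}: ${text}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Per-session counts: the same events keyed by an identifier that singles out
// one browser. This is the shape that needs a lawful basis such as consent.
function countPerSession(events) {
  const counts = new Map();
  for (const ev of events) counts.set(ev.session, (counts.get(ev.session) || 0) + 1);
  return counts;
}

// Does a string still contain something that looks like an identifier?
// String.prototype.search ignores the /g flag and lastIndex, so the global
// regexes above are safe to reuse here.
function containsIdentifier(text) {
  return text.search(EMAIL_RE) !== -1 || text.search(IPV4_RE) !== -1 || text.search(LONG_ID_RE) !== -1;
}

// Gate applied before an aggregate is shipped anywhere: return the bucket keys
// that still carry an identifier. Empty array means the aggregate is clean.
function leakedIdentifiers(aggregate) {
  return [...aggregate.keys()].filter(containsIdentifier);
}
```

On the constructed input, the scrubbed aggregate has three buckets (the two identical TypeErrors collapse into one) and `leakedIdentifiers` returns nothing; the unscrubbed aggregate keeps the checkout error's email and IP in its key and is flagged. A real pipeline would extend the scrub list to whatever its own messages tend to embed, such as usernames or order numbers.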

      • ApolloFortyNine 7 days ago ago

        If your salary would drop 95% tomorrow if you didn't tell everyone at the office 'I may remember this conversation' every time you see them, what would you do?

Non-targeted ads pay 90+% less than targeted. Sure it's not 'required', but the vast majority of businesses would fail overnight if their revenue dropped 90%.

        • ivan_gammel 7 days ago ago

          If you heavily rely on performance marketing, your business model is anyway in trouble. In the past businesses survived with non-digital marketing channels just fine.

        • p_l 7 days ago ago

          They should consider that it's playing against fines of up to 20m EUR or 4% turnover (not income)

    • DarkWiiPlayer 7 days ago ago

      The cookie banners are largely a cargo cult and don't have to be nearly as annoying as they are.

      Websites just love to say "we have to do this" rather than improve their UX because the latter just means more work while the former gets people to be wrongfully upset at GDPR.

      • daveguy 7 days ago ago

        I think cookie banners are a not-so-subtle sabotage of the GDPR. The more annoyance they can associate with GDPR the more the customers will want to water it down. And bonus, it's completely deniable.

        • ryandrake 7 days ago ago

          And it's largely working. Even on a site like HN where you'd expect people to be educated about this stuff, we have people claiming that GDPR (and not their own data collection practices) forces them to pop up a cookie banner.

          • snackbroken 7 days ago ago

            On a site like HN you'd expect a significant proportion of people to be willfully ignorant and/or make excuses about this stuff because it helps them sleep at night.

            I have been suspecting for a while that the "consent" escape hatch was a concession to get GDPR past the advertising industry's army of lobbyists. Making the problem in-your-face-visible is hopefully only the first step in garnering support from the public. It's much easier for a politician to point to all the obnoxious pop-ups and say "look at this despicable behavior! These companies choose to nag you at every opportunity because abusing your privacy makes them a couple cents. They should just not be allowed to do that."

            • DarkWiiPlayer 7 days ago ago

              Nah, next step would be to pull the UX noose tighter and tighter, limiting things like number of clicks to reject non-essential cookies, restricting data loss (like if you already filled in some form data, etc.), maybe even limiting how much of the screen they're allowed to take until the user clicks on "read more" or whatever, etc.

              I don't think this is necessarily going to happen, but that would be the reasonable next step from where we are now: boiling the advertiser frog slowly and with changes that users would consider uncontroversially positive.

            • ryandrake 7 days ago ago

              Silicon Valley has such an antagonistic view of user consent and user control, and when they're forced to acknowledge and respect it, they do it in the most tantrum-y, malicious-compliance way they can. It's like the Bob's Burgers meme: "OK, Fine. But I'm gonna complain the whole time."

              Ironically, if these companies didn't choose to make their consent UX so deliberately hostile and in-your-face, we might never have had this much visibility into how big of a problem it is.

    • pabs3 7 days ago ago

      Browsers should be the things handling cookies, not websites.

      • kuschku 7 days ago ago

        The law doesn't care whether the tracking happens via cookies, localstorage, fingerprinting, or a private investigator looking through your window.

        All require approval that is just as easy to deny as it is to accept.

        The browser may be able to block cookies, but that's not a solution for the other options.

      • youngtaff 7 days ago ago

Not so sure they can be trusted to have the users' interests at heart, e.g. Chrome and 3rd party cookies, Topics/Fledge

      • milesrout 7 days ago ago

        They already are.

        • pabs3 7 days ago ago

There definitely aren't cookie opt-in popups in any browser. Nor is there coarse-grained cookie management, like what websites implement. Nor fine-grained cookie management, like they should have.

          • milesrout 6 days ago ago

            Be the change you want to see in the world. It is supposed to be a user agent. Instead of imposing this cost on everyone else, if you think it is important to be able to have fine grained control over cookies, make it happen.

            Advantages:

1. A single UI in each browser instead of a different one on each website

            2. The functionality would be built and maintained by someone with allied rather than adverse interests to the user.

            Also you can disable cookies quite easily and whether your UI supports it or not is totally irrelevant anyway. If you use a web browser that sends cookies to websites then that you have authorised it to do so is your responsibility. Use a different browser or don't use one if you don't like it.

    • phkahler 7 days ago ago

      >> a) do away with the worthless cookie banners requirement

      My understanding is that if your site doesn't use cookies, you don't even need that. Don't use cookies, don't collect or share personal data, and GDPR is complied with. Apparently from TFA it sounds like even then you have a lot of proving it to the government, and that's a hassle.

    • jajko 7 days ago ago

      Nope and nope, same rules are for all. You want to steal private data, you will be labeled. If it comes from libs, maybe don't use shitty private data stealing libs?

      Move fast and break things - fuck that, anybody smart enough can project to what sort of society it leads down the road.

    • phh 7 days ago ago

      > do away with the worthless cookie banners requirement

      There is no such requirement. You're free to make a website that doesn't require cookies.

      This very website on which we're discussing doesn't have a cookie banner, and isn't required to have one.

      (I'm not saying HN is GDPR compliant though, it's missing a DPO mail address to allow edit/deletion of older PII messages and a privacy policy even though said policy would probably be max 10 lines)

      > cut some generous but reasonable slack to small organizations.

I can't say for other countries, but in France there is already a lot of slack even for bigger organizations. We have mainstream websites that are obviously violating the GDPR (most visited cooking site, most visited tv content provider, not allowing free choice of refusing tracking)

      • 7 days ago ago
        [deleted]
      • abdullahkhalids 7 days ago ago

        > (I'm not saying HN is GDPR compliant though, it's missing a DPO mail address to allow edit/deletion of older PII messages and a privacy policy even though said policy would probably be max 10 lines)

The privacy policy is here [1], linked in the footer. It also very clearly says: "For deletion requests, please contact us at privacy@ycombinator.com."

        [1] https://www.ycombinator.com/legal/

      • snowwrestler 7 days ago ago

        You are required to have a cookie banner if you use cookies, and you have to use cookies or an equivalent technology to persist state in a logged-in website (like HN).

        To pre-empt the typical reply, yes you must serve a cookie banner even if you are only using functional cookies.

        • amiga386 7 days ago ago

          This is definitely not the case.

          https://eur-lex.europa.eu/eli/reg/2016/679/oj

          You are required to OBTAIN CONSENT from people you want to process the personal data of. Their consent must be INFORMED by telling them who you are and what you intend to do with their data. Their consent must be FREELY GIVEN and can be WITHDRAWN at any time.

          That's what's at stake; not the cookies/state themselves, but how you intend to process the data of individuals. As long as you are not profiling natural individuals, no matter how they leave traces, then you don't need to ask for their consent.

          It's bad-faith people, who clearly want to process personal data, who make a huge fuss and tell you everyone needs a cookie banner. Mainly because they are raging that they can't data-mine and monetise every last byte of data they can get, without the consent of the individuals they're profiting from.

          • snowwrestler 3 days ago ago

            Please take a close look at the cookie banner that loads on the page you linked. It says:

            > This site uses cookies. Visit our cookies policy page or click the link in any footer for more information and to change your preferences.

            And then there are two buttons: "Accept all cookies" and "Accept only essential cookies".

            The banner is doing two things. 1) It is notifying you that the site uses cookies. 2) It is requesting your consent for non-essential cookies.

            Think about this for a moment, why is it doing both things? Why doesn't it just say "Do you consent to non-essential cookies? Yes | No"? Do you think this website added an extra sentence to their banner just for fun?

            If you want to use essential cookies, you don't need to ask for consent. That is true. But you do still need to inform the visitor that you are setting cookies. Just as this banner does in its first sentence.

        • diggan 7 days ago ago

          > You are required to have a cookie banner if you use cookies

          Feel free to (re)read the regulation, there is no such requirement at all.

          > you must serve a cookie banner even if you are only using functional cookies

          Specifically, where are you getting this from? It's a misunderstanding at best, but you're spreading it like it's confirmed information.

          • snowwrestler 7 days ago ago

            I spent months implementing GDPR compliance with a set of EU-based lawyers.

            Most businesses are not actually GDPR compliant, even to this day. I assume this is a big reason the EU is willing to take another look at what is required for compliance.

            • Zanfa 7 days ago ago

              From my experience, companies taking months to get GDPR are ones that want to tick the box, but don't want to follow the law, so they have to go through the trouble of justifying gathering unnecessary data for themselves and their 873 trusted partners. They usually end up noncompliant anyway because GDPR is a pretty sensibly written law that you can't just work around with a crappy popup, but enforcement has unfortunately been lacking.

            • diggan 7 days ago ago

              And what exactly is making it complicated?

I've also helped a bunch of organizations become compliant, some were easier than others. The ones that were harder were the ones that generally didn't have good processes with data in the first place, where everything was scattered all over the place and everyone had access to everything. It makes sense to me that it's harder to be compliant if you were borderline malicious with how you treated personal data before GDPR.

            • jdlshore 7 days ago ago

              I think you’re confusing the ePrivacy Directive, which regulates cookies, and the GDPR, which regulates PII.

              • snowwrestler 3 days ago ago

                Practically speaking, if you’re running a website, you can’t implement compliance with the ePrivacy Directive without also considering GDPR, and vice versa.

          • meowfly 7 days ago ago

No. The reason it exists is businesses get guidance from legislators and existing case law on what prevents you from running afoul of GDPR and the cookie banner is what we ended up with. If those banners did nothing, companies wouldn't include them. They are there as the lowest effort legal defense.

            • diggan 7 days ago ago

              Again, the cookie banners have nothing to do with GDPR, where are people getting this misinformation from?! Was there a popular article saying we have those cookie banners because of GDPR, or what?

              The banners are the result of much earlier directives that predate GDPR by a lot...

              • meowfly 7 days ago ago

It's not misinformation. Yes ePrivacy predates GDPR but it had no teeth. The reason your replies are full of people saying, "Our lawyers told us to implement it for GDPR" is because it was a minimal thing you could do to meet GDPR's emphasis on receiving consent from users for data stored in cookies. Basically the fear of fines from not being GDPR compliant forced companies to add them.

                I agree with you these cookie banners are not sufficient by the text, but in practice unless EU commission and courts make lawyers believe these banners are worthless, EU legal teams will still recommend them.

                > What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR.

                https://gdpr.eu/cookies/

                • ttepasse 7 days ago ago

Further down on the page they rightly notice that strictly necessary cookies don't require consent. This mirrors the opinion of the European Union's Article 29 Working Party back then: https://ec.europa.eu/justice/article-29/documentation/opinio...

gdpr.eu is by the way not an official resource of the European Union but by the Swiss Proton AG. They note further down the page that gdpr.eu doesn't constitute legal advice. Although they are correct in this case and your misunderstanding was in reading, for future internet discussions I'd recommend not using private sources.

        • notjustanymike 7 days ago ago

          Consent for non-essential cookies, like analytics, is required. You must also provide a clear link to your cookie usage policy, and a simple way to opt-out. This notification is not necessary if you only use functional cookies; for example, using a cookie to only show an on-boarding tutorial once is acceptable.

          Organizations, and typically lawyers, skew conservative and lazy. A little cookie-consent cottage industry popped up to handle GDPR, so instead of worrying about the regulations most companies pay the small monthly service charge for a third party to handle consent. The consent companies built the most compatible solution, a banner, with the most conservative options as default to prevent any legal quandary.

          Most public facing sites do have analytics (usually LOTS of analytics) and ads, so the banner is mandatory for them. If you understand the regulations, and don't violate them, then consent is not necessary.

        • schrototo 7 days ago ago

          This is simply not correct. You absolutely DO NOT need to obtain consent for strictly necessary first-party session cookies (such as would be used by an online shopping cart, for example, or to maintain a persistent login) [1].

          [1] https://gdpr.eu/cookies/

          • snowwrestler 3 days ago ago

            I didn't say "obtain consent," I said serve a cookie banner. If you are only setting essential cookies, the banner can just say "This site is using cookies," with no opt-out or preferences button. But it does need to appear.

          • 3 days ago ago
            [deleted]
        • davedx 7 days ago ago

          No. You really don't. Come on, burden of proof, show us where the GDPR says functional cookies require a banner?

          • otherme123 7 days ago ago

            How do you interpret this about strictly necessary cookies, from gdpr.eu?

            > While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

            To me, it reads as you need some kind of banner/page explaining them. What you don't need is consent to store them.

            • llm_nerd 7 days ago ago

"Should" is aspirational language, and is not legally binding or even coercing. It's like an encouraged practice.

              Cookie banners where sites have to say "we're sharing your details with 287 partners" are okay because they should be shameful for the industry. Cookie banners where you're explaining basic technologies of the web -- "we store a cookie to create a stateful session with your browser" -- are obnoxious noise that do only harm.

            • ivan_gammel 7 days ago ago

              Just put it on the Privacy Policy page on your website, as many websites do.

            • ta1243 7 days ago ago

              Sure, you pop all that nonsense on the privacy policy page linked at the bottom of your page, down near that "terms of use" nonsense

            • snowwrestler 3 days ago ago

              This is correct.

    • awiesenhofer 7 days ago ago

      > do away with the worthless cookie banners requirement

They won't, since they were never "required" nor are they part of the GDPR

      > cut some generous but reasonable slack to small organizations

They will, that's the whole reason they are changing it!

    • diggan 7 days ago ago

      > do away with the worthless cookie banners requirement

      Not a GDPR thing, and the reason you see the banner is because companies refuse to understand the regulation correctly.

      > cut some generous but reasonable slack to small organizations

      Some more slack you mean, since they already have a lot of slack compared to larger organizations?

      What exactly is so cumbersome for a small business to comply with? They're generally "common sense" requirements, and most organizations who already take care of their data basically had to do nothing to be compliant. What are you doing that is so complicated or essential that it's hard to comply, as a SME?

      • volemo 7 days ago ago

        > Not a GDPR thing, and the reason you see the banner is because companies refuse to understand the regulation correctly.

        Companies will never "understand the regulation correctly" because it's not in their interests. That is why the regulation should be bulletproof: as concise as possible while forcing the exact behaviour regulators intend.

        • diggan 7 days ago ago

          > possible while forcing the exact behaviour regulators intend

          That's what I'm seeing happened?

          1. Companies store personal data willy nilly

          2. Regulators create directives that force companies to stop doing that, or at least be upfront about it

          3. Companies who still want to do it, are at least up front about it, telling users what is happening

          4. Users now complain about regulators that companies are letting them know, missing the fact that the only companies who are adding those banners, are companies who are hellbent on doing these things anyways.

          The blame seems misdirected to me.

          • 7 days ago ago
            [deleted]
    • kuba-orlik 5 days ago ago

The GDPR does not enforce the use of cookie banners. Cookie banners are an IAB idea. My suspicion is that they were created to make people angry at GDPR, but they have nothing to do with GDPR.

On most websites that I've analyzed (and it's quite a lot - into the hundreds), you can remove the cookie banner and the website would be just as GDPR (in)compliant as with the cookie banner.

    • arrty88 7 days ago ago

      > a) do away with the worthless cookie banners requirement

I recommend everyone gets the Chrome plugin that auto accepts these banners so you never have to see them again

      • rekoil 7 days ago ago

        The plug-in is called Consent-o-Matic and was built by students at Aarhus University, Denmark.

        You can read more about it and how to set it up here: https://consentomatic.au.dk/

      • Epa095 7 days ago ago

        Can it auto-reject them?

        • worldsayshi 7 days ago ago

          > Consent-O-Matic is a browser extension that recognizes CMP (Consent Management Provider) pop-ups that have become ubiquitous on the web and automatically fills them out based on your preferences – even if you meet a dark pattern design. Sometimes a website might not use standard categories, and in that case, Consent-O-Matic will always try to submit the most privacy preserving settings.

          https://consentomatic.au.dk/

          So sounds like that should be somewhat supported.

        • abdullahkhalids 7 days ago ago

          I have a Firefox extension that deletes all cookies after I close all tabs related to a site.

        • Muromec 7 days ago ago

Actually, you don't need to actively reject, it's the operator which has to obtain active informed consent, so the default option is "no consent given"

        • rekoil 7 days ago ago

          It can.

      • e2le 7 days ago ago

        I believe uBlock Origin can automatically do this by enabling "EasyList – Cookie Notices" in the extension settings. If you have this extension installed, there's no need to install another.

      • johnnyanmac 7 days ago ago

        auto-accepts? We just go back to square 1 in 2011 in that case.

        • recursive 7 days ago ago

          That's the idea. We didn't have banners all over the place in 2011.

  • xeonmc 7 days ago ago

    Quite apropos that this article was cookie-walled with a "We value your privacy. Customize/Agree" modal screen

    • Rygian 7 days ago ago

      Which is not compliant with GDPR if those were the only two prominent options.

      Disagree must be as prominent as Agree.

      • andrewla 7 days ago ago

        Wait, are you implying that regulations are hard to comply with, poorly documented, and enforcement is extremely selective to the point where they no longer achieve their intended function?

        Big news if true. They should do something about that.

        • Muromec 7 days ago ago

It's not that it's hard to comply, it's fighting malicious compliance which is hard. Nevertheless, it's a damn good question why every single operator that has "accept all" and doesn't have "reject all" right there on the consent banner isn't fined on the spot.

I think the commission noted this behavior and malicious compliance is already factored into the DMA act. The "deregulation" of GDPR could as well be retrofitting all the lessons learned into the GDPR v2.

          • andrewla 7 days ago ago

            That's cute.

            Worth noting first that this is not really the GDPR (nobody here has said that it is directly, but in other threads people are making that assumption), this is the ePrivacy Directive (which is probably what the EU should be revising in light of these universally hated popups).

The EU hands out arbitrary fines to large companies that range in the hundreds of millions of dollars, and asks companies to comply with these "technology-neutral" guidelines [1] which are so opaque that it is impossible to decipher when you are and are not in compliance with them.

            > The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible

            This is wonderfully clear and explains exactly when you will and won't be the victim of extortion-level fines from the EU.

            You call it malicious compliance; sure, but when this is what everyone else is doing, and you decide that you want to go against "industry norms" for your website, you are painting a giant target on your back.

            [1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

            • Rygian 7 days ago ago

              I honestly don't see how your comment makes sense.

              It's the GDPR (published in 2016) that mandates that consent must be freely given. Using a 2002 directive to justify your point is disingenuous. You could have selected instead the 2020 guidelines [1] that are extremely detailed and address this point explicitly:

              > Example 17: A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance “I, hereby, consent to the processing of my data” […]

              > You call it malicious compliance; sure, but when this is what everyone else is doing, and you decide that you want to go against "industry norms" for your website, you are painting a giant target on your back.

              Non sequitur. Surely refusing to engage in malicious compliance paints _less_ of a target on your back, especially when that "malicious compliance" is actually non-compliant.

              [1] https://www.edpb.europa.eu/sites/default/files/files/file1/e...

              • andrewla 7 days ago ago

                I mean, have you ever had to deal with regulators? Departing from industry norms will 100% be used against you in any regulatory proceeding, no matter how minor. It is naive to think otherwise. Regulators go after big pockets and

                The guidelines you link to are advisory, not legal, and they trace back to the ePrivacy regulations (although the notion of "consent" was modified by the GDPR; it's not clear which interpretation applies -- ePrivacy regulations, which are still in effect, also require consent). "The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects." This is standard boilerplate shit that says "you have to follow the regulations, not whatever is in this doc".

                I honestly don't know what to tell you. The cookie popups are an offense in every possible way; they fail to accomplish their intended purposes, they burden users with useless interactions that provide no protection, and they burden website developers with useless busywork to document compliance to hopefully avoid retaliatory punitive fines if you draw the attention of regulators or EU officials. That these policies find supporters on HN of all places is beyond my comprehension.

  • bcye 7 days ago ago

    GDPR is not complex because it is hard to comply with but because seemingly no one wants to.

    EU-US data transfers have been declared illegal numerous times [1], but instead of supporting European cloud providers those decisions are barely enforced and quickly circumvented by a new data transfer act.

    Cookie banners are not hard to implement if you don't try to share user data with your "864 most trusted partners", there are clear guidelines [2] now on how they need to be designed, but instead of criticising these not being properly enforced, the requirement for them itself is criticised.

    How is it that Meta can regularly break the law, with 7 of the 10 highest fines (or probably around a third of all fines) going against them [3], with seemingly no action taken to prevent this from continuing onwards?

    noyb has managed to achieve more than a billion euro in fines with only 6 million euros in funding; we could be focusing on supporting NGOs doing incredible work for their budget and getting our DPAs to properly enforce the law.

    The issue with GDPR is not the law but the seeming unwillingness to enforce it leading to unclarity what is expected and what not. [4]

    [1]: https://noyb.eu/en/23-years-illegal-data-transfers-due-inact...
    [2]: https://noyb.eu/en/noybs-consent-banner-report-how-authoriti...
    [3]: https://www.enforcementtracker.com/?insights
    [4]: https://noyb.eu/en/data-protection-day-only-13-cases-eu-dpas...

    • benterix 7 days ago ago

      > How is it that Meta can regularly break the law, with 7 of the 10 highest fines (or probably around a third of all fines) going against them [3], with seemingly no action taken to prevent this from continuing onwards?

      Because until now we've been treating American companies very leniently, with an occasional slap on the wrist. For example, when Poland wanted to regulate Uber, the American ambassador warned the Polish government that if they did that, they would regret it.[0] And because at that time the USA was in the business of protecting the East NATO flank, the Polish government turned a blind eye on Uber.

      Now that the USA has turned away from Europe, nobody cares about the interests of American companies. When Trump's ambassador (Tom Rose) threatened the current government in the same way recently regarding the planned "digital tax", the minister answered "We're nobody's fief".

      [0] https://phys.org/news/2019-04-hundreds-cab-drivers-protest-u...

  • more_corn 6 days ago ago

    Let’s roll back the stupid cookie notification. Replace it with “sites must respect the user setting in the browser” so we can set it once and be done with all that nonsense.

  • M95D 6 days ago ago

    > "the simplification plan will focus on reporting requirements for organizations with less than 500 people"

    I consider this extremely bad! It should be based on revenue, not people.

    I can imagine extremely big data trading companies with less than 500 people. I can even imagine Meta/Facebook doing various employee redistribution shenanigans and managing to fit inside that limit.

  • Woodi 6 days ago ago

    So cookie banners go first? As an obsolete "requirement" when all that tracking will be finally banned? Right? Just like paper journals - they don't do any identify-your-page-flipper...

    And employers will be finally allowed to know their employee's name and address?? Without an additional paper trail? No, they won't allow that, it would be too sane.

  • diggan 7 days ago ago

    > The GDPR is seen as one of Europe's most complex pieces of legislation by the technology sector

    Really? Now I'm no bureaucrat, merely an engineer, but GDPR was relatively easy to read through; even the official document (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...) is only 88 pages long, so this cannot realistically be "one of Europe's most complex pieces of legislation". A lot of privacy-conscious SMEs basically had to do nothing to be compliant, which tells me it seems to hit the mark of being not too complicated.

    Most of the cases I've heard people complaining about GDPR being "complicated" or "impossible to implement correctly" have been from people/organizations who are breaking GDPR, and have no way of reaching compliance without removing things they ultimately earn money from, which in my mind is the exact purpose of GDPR. Most orgs don't seem to be introspective enough to understand why they are having such a hard time with GDPR though.

    I hope that their proposed "simplification package" doesn't actually remove what makes GDPR useful and good, but since they seem to be making a bunch of bad-faith arguments for this simplification, I'm not super optimistic.

    • 7 days ago ago
      [deleted]
    • mentalgear 7 days ago ago

      On the spot

      > Most of the cases I've heard people complaining about GDPR being "complicated" or "impossible to implement correctly" have been from people/organizations who are breaking GDPR

    • james-bcn 7 days ago ago

      Yes I agree. A lot of the stuff in GDPR are things that companies should be doing anyway.

    • BjoernKW 7 days ago ago

      It might be relatively easy to read, but for SMBs it's hard to actually implement in real life, because GDPR and the EU's stance so far often doesn't take economic reality into account. For small businesses, GDPR in many regards created a legal limbo while large corporations scoff at that regulation and have their legal departments deal with it however they see fit.

      For instance, there's this tiny, gnarly aspect of where you are allowed to store your customer data.

      Hosting data on servers located in the EU isn't required by GDPR in and of itself, as long as you have a valid data processing agreement with the provider stating how and according to which provisions customer data is protected on their machines.

      However, according to a 2020 European Court of Justice ruling you're not allowed to transfer any personally identifiable information to companies that are in any way affiliated with a US-based entity (e.g., by virtue of having a US-based parent company) anymore. Just being physically located in the EU isn't sufficient according to this ruling.

      The reason for this is that with FISA US law enforcement can force US-based companies to hand over any data, even if that data is stored with an international subsidiary under a completely different jurisdiction.

      This basically invalidates all of the provisions and legal frameworks for interacting with non-EU entities that used to be acceptable under GDPR before (e.g., Privacy Shield).

      However, not interacting with any US-based or US-related entities at all anymore would be tantamount to ceasing almost all economic activity. So, until (or more pessimistically: unless) the US and the EU come to terms on a new agreement regarding privacy rules, there probably isn't anything a business can do on its own to completely address this issue. At this point, merely hosting data on servers physically located in the EU perhaps amounts to little more than window dressing.

      As soon as a business has dealings with a US-based company or an EU-based company owned by a US-based company that potentially might have access to user data that business technically is in violation of GDPR. As of now, as a business you essentially have three alternatives:

      1. Run the entire infrastructure you need yourself or have it run by EU-based companies guaranteed to have no relations with US-based entities whatsoever (Good luck with finding those ...). This, for example, includes payment systems and banking infrastructure, because guess where many EU-based banks host their infrastructure? That's right, AWS.

      2. Go out of business.

      3. Ignore this aspect of GDPR for now, document everything, continue to do your own due diligence, and hope for the best.

    • pjc50 7 days ago ago

      Eh, you can see in this thread how all sorts of things are confusing. What, exactly, requires a cookie banner? Does an IP address in a log count as personal information on its own? And so on.

      I can see why it was intended to be generic, but the lack of clear guidance and especially the lack of de minimis exemptions (one of the things mentioned to be addressed!) are a very real problem.

      "What tests do I have to perform before asserting that I am CE compliant" is a similar, even vaguer question.

      • johnnyanmac 7 days ago ago

        That's part of the issue. A cookie banner isn't a requirement to begin with. It's their workaround to try and get some tracking data back

    • fooker 7 days ago ago

      > merely an engineer

      Exactly. You are unlikely to be personally liable for this.

      This sort of thing starts becoming complicated when you are responsible for making sure a random government does not try to make an example out of your company for whatever reason.

  • xinayder 6 days ago ago

    I see lots of comments supporting it but I can see they are mostly from the business side. What does "simplification" mean for users? I'm expecting companies to be given way more room for exploiting user consent for shady data collection practices.

  • JCWasmx86 7 days ago ago

    If the GDPR is simplified, the fines should be drastically raised (at least for companies), e.g. to a minimum of 20% of last year's global revenue, and for bigger companies (FAANG-scale) to a minimum of 70% of the revenue. The GDPR must make companies afraid of breaking the law.

    • Muromec 7 days ago ago

      (looking at the DMA act) they know, they know.

  • m00dy 7 days ago ago

    Cookie consent banners might be one of the most frustrating aspects of modern web browsing. A better solution could have been a thoughtful extension or fork of HTTP, specifically for EU implementations, something that handles consent through HTTP headers instead. That would allow users to easily opt in or out, either globally or per tab, without the clutter. Ideally, technical regulations like these should be designed by people with a strong understanding of technology, to ensure practical and user-friendly solutions.

    • DarkWiiPlayer 7 days ago ago

      It would have been easy to write in generic wording that the "do not track" header must be respected by websites. I've been wondering for ages why this wasn't implemented.

      • nickff 7 days ago ago

        From the implementation and enforcement, it seems like GDPR was an attempt to make tracking visitors so expensive and difficult that it would eliminate targeted marketing, without negatively impacting consumer choices. The 'do not track' header would not achieve this goal.

        • DarkWiiPlayer 7 days ago ago

          It would if "do not track" had to be treated as an automatic "only essential cookies" choice to avoid cookie banners altogether.

          At first it would only affect a couple of users, but sooner or later enough "life hack" videos would be out there informing plenty of users about how to get rid of those annoying cookie banners.
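As an added illustration of the idea in this subthread (not code from any commenter), here is a request-handling decision that treats a browser-level opt-out signal as an automatic "essential cookies only" choice and suppresses the banner entirely. The header names `DNT` and `Sec-GPC` (Global Privacy Control) are real; the cookie name `consent`, the three categories, the `+` separator and the 180-day lifetime are assumptions for the example.

```python
# Added example (not code from the thread): treat a browser's Do-Not-Track or
# Global Privacy Control signal as an automatic "essential cookies only" choice,
# so the user never sees a banner. The header names DNT and Sec-GPC are real;
# the cookie name "consent", the categories and the "+" separator are assumptions.

ESSENTIAL = frozenset({"essential"})
CATEGORIES = frozenset({"essential", "analytics", "advertising"})
CONSENT_COOKIE = "consent"         # assumed name of the cookie recording an explicit choice
DEFAULT_MAX_AGE = 180 * 24 * 3600  # assumed: remember an explicit choice for 180 days


def parse_cookie_header(cookie_header):
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def consent_decision(headers, cookie_header=""):
    """Return (granted_categories, show_banner) for one request.

    Precedence (a design choice for this example):
      1. an opt-out signal from the browser wins and suppresses the banner;
      2. otherwise a stored explicit choice is honoured;
      3. otherwise only essential cookies are set and the banner is shown.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # 1. DNT: 1 is the legacy signal, Sec-GPC: 1 the Global Privacy Control one.
    if h.get("dnt") == "1" or h.get("sec-gpc") == "1":
        return set(ESSENTIAL), False
    # 2. An earlier explicit choice, stored as e.g. "essential+analytics".
    jar = parse_cookie_header(cookie_header)
    if CONSENT_COOKIE in jar:
        chosen = {c for c in jar[CONSENT_COOKIE].split("+") if c in CATEGORIES}
        return chosen | set(ESSENTIAL), False
    # 3. No signal and no choice yet: default to the privacy-preserving option
    #    and ask, with "reject all" as prominent as "accept all".
    return set(ESSENTIAL), True


def consent_cookie_header(granted, max_age=DEFAULT_MAX_AGE):
    """Build the Set-Cookie value that records an explicit choice."""
    value = "+".join(sorted(set(granted) & CATEGORIES))
    return f"{CONSENT_COOKIE}={value}; Max-Age={max_age}; Path=/; SameSite=Lax; Secure"


def cookie_allowed(granted, category):
    """Gate every non-essential Set-Cookie on the decision above."""
    return category in granted


if __name__ == "__main__":
    # Constructed requests for illustration.
    print(consent_decision({"DNT": "1"}))
    print(consent_decision({}, "consent=essential+analytics+bogus"))
    print(consent_decision({"User-Agent": "Mozilla/5.0"}))
    print(consent_cookie_header({"essential", "analytics"}))
```

The one real design decision is precedence: here a browser signal overrides a stored explicit choice, which is the safest reading for the site operator but means a user who opted in earlier and later enables GPC silently drops back to essential-only; the alternative ordering is a one-line swap.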

    • johnnyanmac 7 days ago ago

      cookie consent banners are a workaround GDPR, not a requirement from GDPR. If companies just stopped trying to track people by default, then we'd have the best of both worlds.

      But as we see with Apple and DMA, they will instead do their best to drag it out.

  • _petronius 7 days ago ago

    As a big GDPR fanboy, one thing I would be happy for them to remove is the portability between providers requirement: it was essentially dead on arrival, is not implemented, and could be done away with.

    The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.

    But as a whole, I push back against the idea that deregulation is the primary way in which the EU can or should become competitive with the US on technology. Lack of public investment, worse ability for companies to offer equity incentives, and timid private investment are all much bigger problems than consumer protection regulations.

    • Avamander 7 days ago ago

      > I would be happy for them to remove is the portability between providers requirement: it was essentially dead on arrival, is not implemented, and could be done away with.

      Well, they actually shouldn't. There are non-EU email providers that show exactly what would happen - customers wouldn't be able to transfer out their email from that service provider. Unlucky if they won't notice that limitation in time.

      > The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.

      Or simply start handing out fines for malicious compliance.

  • boruto 6 days ago ago

    I don't live in Europe. I still believe GDPR is a godsend. I just send a chat-gpt generated e-mail to the company to forget me citing GDPR and voila, it just works.

    Just have to lie a bit that I am a resident of the EU though.

  • perch56 7 days ago ago

    Before tossing GDPR onto the bonfire, perhaps the EU should first look at DORA.

  • jdiez17 7 days ago ago

    Uh oh. I'm all for cutting the red tape, but (in my opinion) the GDPR is: 1) easy to comply with if you're not doing nasty stuff with people's data, 2) actually needed.

    Any opposing views?

    • johnnyanmac 7 days ago ago

      You're on a forum supported by a startup accelerator for entrepreneurs who want to get stuff up and running with as little friction as possible. It's fairly obvious that Sinclair's quote would ring true here.

    • DarkWiiPlayer 7 days ago ago

      Smaller entities should still be required to fix/delete your personal data on request, imho.

      I'd also appreciate if the exception was conditional on not selling any data or using it for external advertising (i.e. "you might also like" suggestions would be okay, as long as they're part of the same service)

    • superkuh 7 days ago ago

      It's easy as long as you're a corporation. It's onerous for a human person. Like the EU's excellent Digital Markets Act, GDPR should be altered to only apply to corporations. It'd be better if like the DMA it only applied to very large corporations, but just corporations is still way better than the status quo.

      • johnnyanmac 7 days ago ago

        It's also easy if you simply stop trying to track users and only store the most necessary data. Like, no one ever seems to consider this.

        Meanwhile, this same community a few days back were discussing the idea of trying to abolish advertisement. That's truly bluesky thinking if we're still justifying user tracking in 2025.

        • superkuh 7 days ago ago

          I only "store" my webserver's logs and user submitted comments. But someone can still put the legal pressure on me, a random person, to force me to do work to turn over those logs/etc. It's wild. Like having a security camera, hosting a BBQ for the neighborhood, and having a neighbor demand access to the recorded video with legal threats. This whole thing really only makes sense in the context of for-profit incorporated persons. It should not apply to me, a random human person.

          • kuschku 7 days ago ago

            You have up to 30 days to respond to access/edit/delete requests.

            It's accepted practice to only keep logs for e.g. 48 hours and respond to any request with 2 days delay "we've got no logs from that timeframe anymore".

          • AndrewStephens 7 days ago ago

            Why do you store your webserver's logs? My reading of the GDPR (I am not a lawyer) is that it strongly encourages site owners to store the very minimum amount of data about visitors - something that I wholeheartedly agree with.

            Server logs are useful for debugging the site but also contain potentially identifying information (IP addresses) so I have my site delete them after 48 hours.

            User submitted comments are obviously required for the usage of your site, so you are in the clear there.

            • superkuh 7 days ago ago

              I read the logs with my human eyes manually because I am interested in learning about the web and internet. In fact, today I found a whole new useful search engine because I saw its spider in my logs.

                  64.62.202.82 "GET /library/Math/Mathematical%20Methods%20for%20Physicists_%20A%20concise%20introduction_%20Tai%20L%20Chow_%202000.pdf -" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Centurybot/1.0; +http://www.rightdao.com/bot.html) Chrome/131.0.0.0 Safari/537.36"
              
              It turns out that http://www.rightdao.com/ is a great old-style search engine that actually returns many tens of pages and thousands of results. As opposed to google that only ever returns <400, bing <900, and kagi <200.

              I guess I keep logs because I want to interact more directly with the internet as a whole and experience the serendipity that comes with that.

              • kuschku 3 days ago ago

                Then keep your logs for 14 days, and remove IPs from them after 48h.

                Tools for that exist, you don't keep unnecessary data, and you're in the clear.
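The retention scheme in the comment above, written out as an added example (not the commenter's code, and not any existing tool): lines are kept for 14 days, the client address is removed after 48 hours, and anything that cannot be parsed is dropped rather than kept. The log format is the common Apache/nginx "combined" one; the sample lines and the fixed `NOW` are constructed.

```python
# Added example (not the commenter's code): the retention scheme described above,
# keeping access-log lines for 14 days but stripping the client IP after 48 hours.
# Log lines below are constructed; the format is the common Apache/nginx "combined" one.
import re
from datetime import datetime, timedelta, timezone

IP_MAX_AGE = timedelta(hours=48)   # after this the client address is removed
LINE_MAX_AGE = timedelta(days=14)  # after this the whole line is discarded
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# <ip> <ident> <user> [<timestamp>] "<request>" <status> <bytes> "<referer>" "<ua>"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$")


def retention_pass(lines, now):
    """Apply the 48h / 14d policy to an iterable of log lines.

    Returns (kept_lines, unparsed_count). Lines whose timestamp cannot be read are
    dropped rather than kept, so a format change can never silently retain IPs.
    """
    kept, unparsed = [], 0
    for line in lines:
        line = line.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        try:
            age = now - datetime.strptime(m.group("ts"), TS_FMT)
        except ValueError:
            unparsed += 1
            continue
        if age > LINE_MAX_AGE:
            continue                       # older than 14 days: gone
        if age > IP_MAX_AGE:
            line = "- " + m.group("rest")  # older than 48h: keep the request, drop the address
        kept.append(line)
    return kept, unparsed


# Constructed sample, with "now" fixed so the result is reproducible.
NOW = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '203.0.113.7 - - [20/May/2025:11:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/May/2025:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleBot/1.0"',
    '2001:db8::1 - - [30/Apr/2025:12:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "curl/8.0"',
    "this line is not in combined format",
]


def rewrite_log(path, now=None):
    """Rewrite a log file in place under the policy; intended for a daily cron job."""
    now = now or datetime.now(timezone.utc)
    with open(path, encoding="utf-8", errors="replace") as fh:
        kept, unparsed = retention_pass(fh, now)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(kept) + ("\n" if kept else ""))
    return len(kept), unparsed


if __name__ == "__main__":
    kept, unparsed = retention_pass(SAMPLE_LINES, NOW)
    print("\n".join(kept))
    print(f"unparsed lines dropped: {unparsed}")
```

Run it on the constructed sample and the one-hour-old line survives intact, the three-day-old line keeps its request and user agent but loses the address, the twenty-day-old line disappears, and the malformed line is counted and dropped. Failing closed on unparseable lines is deliberate: the alternative, keeping whatever the regex cannot read, is exactly how a new log format quietly reintroduces indefinite IP retention.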

    • cbeach 7 days ago ago

      I shut down a couple of my websites that provided a service for free (streetlend.com and cointouch.com) because the GDPR was too ambiguous for me to be 100% sure I complied with it - and in the past online I have encountered vexatious people who have tried to damage my reputation. On one of my other websites, those people used GDPR privileges (e.g. making vexatious SAR requests) simply to make my life more difficult.

      At the end of the day, I create helpful and fun websites for free in my spare time because I enjoy it.

      EU regulation created jeopardy and friction that meant I couldn't justify doing this anymore.

  • 7 days ago ago
    [deleted]
  • junto 7 days ago ago

    Whilst I don’t like cookie banners, I personally appreciate the EU GDPR simple style of cookie banners which are simply three options:

    - accept all
    - necessary only
    - reject all

    So many websites outside the EU have a mass of dark patterns for which I increasingly reject all or leave the website.

    GDPR is really simple.

    Only store data that you really need to service the customer’s needs, always permit the customer to correct incorrect data and allow them to delete it unless you have a legal reason to keep it. Report GDPR failures within 72 hours where customer data has been compromised and treat PII carefully.

    In the US - fuck the customer.

    I know which I prefer.

  • cbmask 7 days ago ago

    The politicians cite competitiveness as the motivator for relaxing the GDPR. The real reason for the EU lagging behind the US in "big tech" is of course the lack of venture capital and the red tape in registering corporations.

    The GDPR does not prevent US big tech from operating in the EU.

    As it stands, this is just another attack on EU citizens' rights. It is also the least of the EU's current problems. De-industrialization due to high energy prices is, but of course von der Leyen will not mention that.

    • Muromec 7 days ago ago

      > and the red tape in registering corporations.

      What red tape? From what I understand you have your articles of incorporation and your ID, and register with the chamber of commerce. I mean it varies from country to country, and licenses and all the EU stuff exist, but what red tape is there when registering the company itself?

    • Ekaros 7 days ago ago

      Registering corporations is pretty fast all things considered. Or reasonably affordable even for buying existing one.

      The thing really is that there is lot less readiness to simply burn money on anything and everything. And then keep doing that even further...

    • diggan 7 days ago ago

      > The GDPR does not prevent US big tech from operating in the EU.

      Of course it doesn't, that'd be stupid. But it does require them to be compliant, otherwise they'll face fines and eventually they'll choose to either be compliant, or exit the market.

      As an EU citizen with rights, I love this, exactly what I want from my inter-continent union of countries.

      • wongarsu 7 days ago ago

        And complying with the GDPR isn't that difficult as a startup. You can build your systems from the ground up to be able to accommodate GDPR requirements. There is some documenting paperwork you are supposed to have internally, but enforcement is quite lenient if you show good-faith efforts to comply.

      • ta1243 7 days ago ago

        > otherwise they'll face fines and eventually they'll choose to either be compliant, or exit the market.

        Or declare war against the EU, which is the option they've gone for.

    • phatfish 7 days ago ago

      > De-industrialization due to high energy prices is, but of course von der Leyen will not mention that.

      Europe needs to let Putin finish off Ukraine so he can turn the gas on again, amiright?

  • djha-skin 7 days ago ago

    I think simplifying the law for companies smaller than the 500 person cut-off makes sense. The Brussels effect is strong. I was just in a company of approximately 150 people in America and a significant portion of our time went to GDPR/California law takedown requests. User data was everywhere; it was a nightmare. No one thinks of this stuff when everyone is still in sink-or-swim mode. We got it done though.

    Maybe it's an argument for the other side though as well. The architecture of the system was designed to track people as much as possible so we could do A/B, app design, and marketing more effectively. It felt like it was the company's life blood.

    I would say the law should at least make people get their architecture right when small so that when they're big it's not impossible to comply later.

    One last thought: our company was small in head count but is getting much bigger right now in revenue. I've heard of small head count, billion dollar companies. What of them?

    • xmodem 7 days ago ago

      I spent four years working at a European fintech that serviced millions of end-users, and we had a self-service GDPR portal for users to export or request deletion of the data we had on them. (In some cases we were required to hold onto certain data due to other laws). Any feature that stored new user data had to get integrated into the tool, and then signed off from legal and the team that maintained the tool.

      It got very little usage - maybe a few hundred to a thousand requests per year IIRC. I shudder to think what you could have been doing that would attract that volume of requests. Was it Clearview AI?