[HN Gopher] 3 years of GDPR: The biggest fines so far
___________________________________________________________________
3 years of GDPR: The biggest fines so far
Author : alexanderdmitri
Score : 58 points
Date : 2021-05-24 20:26 UTC (2 hours ago)
(HTM) web link (www.bbc.co.uk)
(TXT) w3m dump (www.bbc.co.uk)
| TazeTSchnitzel wrote:
| If you're surprised there haven't been many big fines against
| large tech companies yet, that may be because there's a large
| backlog of cases that are bottlenecked by the budget of Ireland's
| DPA: https://www.euractiv.com/section/data-protection/news/europe...
| Dah00n wrote:
| Some will say "I told you so, they still do not get fined harshly
| enough to make any difference" while others will say "this is
| just unfair money grabbing governments" and while everyone argues
| back and forth with the same arguments as the last ten
| discussions I sit here on the sidelines, a normal internet user,
| who by the simple mentioning of GDPR has gotten big companies,
| like Epic, and powerful people, like a CEO of a pretty big
| company, to actually _do_ something where they before would
| totally have ignored me. GDPR is not perfect at all but it does
| do a heck of a difference already.
|
| _Edit: Downvotes, really? : /_
| jchw wrote:
| It still basically does not differentiate between Epic Games
| and me. And I _can't_ handle the fines. The chilling effect
| this will have on people is being downplayed pretty harshly by
| people who are basically suggesting you should just pray that
| you don't get put into massive debt because you made a mistake
| on a side project.
|
| For that reason, GDPR will always draw some ire from me.
| hkh28 wrote:
| GDPR fines are set among other things according to the
| resources of the entity that broke the rules. As a private
| person making a side project, you won't be liable for
| millions.
|
| The most recent examples of individuals being fined have been
| fines around EUR200 [0]
|
| [0] https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_...
| jchw wrote:
| The maximums however, are absolutely insane. Am I supposed
| to just hope that in the range of 0 to EUR20 million, it's
| something I can afford?
| tgsovlerkhgsel wrote:
| No, you're supposed to hope that the legal system will
| apply the law fairly and correctly. The law does NOT say
| that they can fine you 20 million Euro. The 20 million is
| an upper limit on a fine, but the law also specifies how
| that fine is determined, which _by definition_ is
| "something you can afford", because that's literally one
| of the factors.
| tephra wrote:
| Getting a maximum fine not only means that your handling
| of personal data was especially egregious but that you
| probably didn't cooperate in any ways with the relevant
| DPA and refused to rectify the problem.
|
| I.e the maximum fine is highly unlikely for anyone to
| get, and if you get it you have done some very bad
| things.
| jchw wrote:
| Yes, and what the GDPR crowd is telling me is that I
| should just trust the EU to always act fairly and never
| engage in any kind of politically motivated subterfuge.
|
| And not only that, my concerns and dissent regarding GDPR
| piss people off so much, that at this point, every
| comment I post just gets downvoted immediately. Now I
| realize it's against HN guidelines to discuss this, but
| when I post a comment and the delay it takes for me to
| return from the post page is enough for my comment to
| already have a downvote, I feel discouraged. It's _very_
| clear the person who did that had no good faith intent on
| a discussion nor intent to even minimally read my
| comment. And I'm supposed to try to argue my points in
| good faith despite this.
|
| The pro-GDPR crowd may be winning the mindshare but they
| are inheriting the cancer of something not allowed to be
| criticized. And if we ever do see an egregious fee driven
| by political motivations, am I supposed to feel smug for
| having predicted the possibility or sad that my mere
| expression that the default maximum fines are so
| ridiculous that they basically terrorize anyone who is
| not a multinational corporation turned out to be well-
| founded?
|
| All I ever asked for was for people to recognize the
| chilling effects that this regulation can have. The
| internet used to have so many small websites, forums and
| wikis, and many of these fall under the umbrella of GDPR.
| And this is basically the treatment I get for trying to
| represent this dying breed of website: as some corporate
| shill worth being buried and not considered.
|
| It's not like I care that much about being with the mob,
| but it pains me that as the open internet gradually dies,
| people flat out just don't care. GDPR as it is today is
| just represents a huge amount of risk for anyone that is
| not a multinational corporation, and it only gets scarier
| the further down you are. I'm sorry but just telling
| people to not worry about how the law is written will not
| work. Some people will ignore it, some people will try to
| follow it, and some people will just stop trying
| altogether deciding the risk simply isn't worth it. And
| that latter part is most likely to occur for websites
| that are more objectionable, since they will likely face
| harsher treatment just due to cognitive biases alone,
| since we're talking about considerations that humans make
| rather than the word of law.
| Ekaros wrote:
| Maximum fine is there for large corporations. If it
| wasn't specified at at least that range many of them would
| ignore or knowingly break the legislation. And in general
| checking for many crimes the upper end of penalty is
| pretty big. Like DUI here could mean 2 years in prison.
| Though that is exceedingly rare.
| amichal wrote:
| This[1] site seems to track actual fines. I found maybe a
| dozen fines of individuals. Here is the largest fine of a
| 'private person' I could find:
| https://www.enforcementtracker.com/ETid-69. If the database
| is at all accurate and the description of the violation is
| correct I would say they were well into Criminal territory
| and not civil fines.
|
| [1] https://www.enforcementtracker.com
| t0mas88 wrote:
| The fines are based on your revenue and the impact. So they
| do differentiate between Epic Games and you.
|
| And for me as a user, it sucks if your side project leaks my
| credit card and SSN, because I'll be dealing with the
| identity theft and fraud. If you're not competent enough to
| keep them safe, then use a vendor that is or don't process
| them at all.
| jchw wrote:
| If it were only SSN or credit card data, this would be
| understandable. But I assume you're aware GDPR is far
| broader than this.
|
| And as well, GDPR, again, doesn't guarantee the safety of
| your data. It just adds fines to some circumstances where
| your data is misused. But an honest breach doesn't lead to
| fines as far as I can tell, so you just have to live with
| that possibility either way.
|
| As best as I can tell, there are no legally binding texts
| anywhere that limits the fines. The maximums start at EUR20
| million and go higher if you're huge. In the mindset of
| "hope is not a strategy," this maximum fine being the only
| legally binding limit is enough to make you go home. Maybe
| small companies can hope for preferential treatment, but as
| an individual even small fees could do serious harm.
| jokethrowaway wrote:
| Work behind a limited company and let it fail.
|
| Escape to Mexico in the worst scenario.
|
| South America is anyway becoming more and more appealing
| the more the West progresses.
|
| That said, not that it changes much but I stopped taking
| EU customers (I take businesses and not customers)
| because of vatmoss and gdpr.
| sealeck wrote:
| Don't let people enter their data onto your side projects
| unless you're willing to treat it responsibly?
| jchw wrote:
| Intent doesn't matter; the fear is the same: life-
| destroying fines. If that's the choice, I'd just opt out of
| taking EU customers.
| Hamuko wrote:
| How many examples of life-destroying fines do you have?
| jchw wrote:
| So basically, you're in the "No, it's fine -- this will
| only ever get used against bad guys!" camp. We had 9/11
| here in America and the BS that followed and I don't
| humor this line of thinking. (Nor humour.)
| Hamuko wrote:
| No, I'm in the "prove that the thing you are claiming to
| happen actually happens" camp.
| jchw wrote:
| I'm not claiming something happened -- do you understand
| how chilling effects work? The threat of potentially
| massive fines with very little legal bounds for not
| following regulations that individuals basically can't
| follow means that people who want to follow the rules but
| aren't big enough don't play anymore.
| Hamuko wrote:
| So no one's life has ever been ruined by the GDPR? But
| you're still sure that this will happen? What is this
| based on?
| jchw wrote:
| I can get fined between 0 and EUR20 million at any moment
| because I am an individual and have no means to fully
| understand GDPR nor hire a DPO for my stupid personal
| websites. I make no money in ads or otherwise, but I am
| still treated like Epic Games if I collect sign up emails
| or logs. I only still run this stuff now because I've
| been running it for over a decade. I can tell you right
| now I am hesitant to run websites anymore.
|
| If you don't understand how "ambiguous threat of a fine"
| isn't calmed by "it hasn't happened yet," I can't help
| you. What if my site was politically controversial?
| Should I trust all EU governments to act responsibly and
| not take advantage of their power ever?
| anoncake wrote:
| If there is a real danger that EU governments start
| abusing their power like that, why is it only Americans
| that are afraid of it? Not EU citizens, who actually are
| familiar with how their states behave?
| jokethrowaway wrote:
| I'm an EU citizen in Europe and you can count me scared
| jchw wrote:
| Clearly, nobody is afraid of it: I am getting buried
| insanely any time I criticize GDPR in any way. It is a
| thing you are not allowed to critique on HN.
|
| So I wouldn't say Americans are particularly more
| bothered by it. But why shouldn't we be? I have no
| representation in EU law.
| anoncake wrote:
| > Clearly, nobody is afraid of it: I am getting buried
| insanely any time I criticize GDPR in any way. It is a
| thing you are not allowed to critique on HN.
|
| Not if your criticisms are entirely unfounded and
| bordering on paranoia, no.
|
| > But why shouldn't we be? I have no representation in EU
| law.
|
| What? Do you think only EU citizens have rights in the
| EU?
| jchw wrote:
| > Not if your criticisms are entirely unfounded and
| bordering on paranoia, no.
|
| I am not a lawyer and I do not have access to a lawyer. I
| can't afford it. Therefore, I have to assume that I
| simply do not have the expertise to understand GDPR
| fully. And unlike most laws, it is not a matter of "do
| things right and nothing will happen", and it has very
| vicious teeth on top of that.
|
| So from my PoV, the risk profile of GDPR is HUGE. If I'm
| running some pre-existing software stack written in the
| early 2000s, it simply doesn't have the necessary data
| provenance tracking that is needed to be GDPR compliant.
|
| For what it's worth, I make no money from things I run,
| not even on ads. Zilch. However, I've spent at least
| hours processing GDPR requests, and I have absolutely no
| idea if they are being done correctly, because I'm not a
| lawyer, and I do not have access to a lawyer.
|
| > What? Do you think only EU citizens have rights in the
| EU?
|
| I'm talking about representation in the sense of a
| democracy. I am part of the system in the U.S. - I can
| vote. I have no representation when it comes to laws made
| in the EU. The reverse applies too, but as far as I know
| there's nothing quite as scary as GDPR from the U.S.
| side.
| orwin wrote:
| I don't understand. You can contest your fine if it is
| really too big, but honestly, at my last job we had one
| client project that got "caught". The CNIL (GDPR watchdog
| for France) was really helpful, gave them 6 months to get
| into shape and proposed them a plan on what to do with
| the data to meet their goals. The kind of plan that cost
| a company 5-10k euros to elaborate (2 man/day of a good
| architect), and 10k (10 man/day of a junior db dev) to
| implement. So between a third and half the price to make
| the business legal again was basically paid by the CNIL.
| I think that's fair tbh.
| jchw wrote:
| That's the thing: I'm not a company, I'm a person, who
| happens to run websites, that make no money. A 10k euro
| fine would run me off the internet.
| danhor wrote:
| The point of the comment is that the CNIL handled the
| part that the "good architect" would have needed to do,
| thus saving the company 5-10k. The company "only" needed
| to implement it, the other part was handled for them. The
| GP didn't mention fines, so I guess none were given out?
| tgsovlerkhgsel wrote:
| Can you show me _one_ example where there was a "life-
| destroying" fine?
|
| Not "a big company was fined an amount of money that
| would be life destroying if I had to pay it for a
| personal project", because revenue/economic means are a
| key factor in GDPR fine calculation.
| anoncake wrote:
| Maybe it doesn't in America. Here it does.
| Hamuko wrote:
| My name, my address, my phone number and my credit card
| details are the same regardless whether you or Epic Games is
| storing them in a database.
| jchw wrote:
| A data breach alone is not a GDPR violation as far as I
| know. Your data is just as at risk of being exposed no
| matter what. As far as I can tell the intent of GDPR is to
| prevent companies from selling or using your data in ways
| that you did not consent to. However, the bookkeeping
| requirements quite literally break the internet that
| existed where one person could run a website. As it turns
| out, I do not have a Data Protection Officer for my wiki I
| started in 2008. Does that mean I am not GDPR compliant?
| amichal wrote:
| And you don't need to have one:
|
| .... hiring an actual Data Protection Officer is only
| required by the GDPR if you meet one of three criteria:
|
| * Public authority -- The processing of personal data is
| done by a public body or public authorities, with
| exemptions granted to courts and other independent
| judicial authorities.
|
| * Large scale, regular monitoring -- The processing of
| personal data is the core activity of an organization who
| regularly and systematically observes its "data subjects"
| (which, under the GDPR, means citizens or residents of the
| EU) on a large scale.
|
| * Large-scale special data categories -- The processing of
| specific "special" data categories (as defined by the GDPR)
| is part of an organization's core activity and is done on a
| large scale.
|
| https://gdpr.eu/data-protection-officer/
| jchw wrote:
| This is good to know. But while I will admit my mistake,
| the problem points to a bigger issue, which is, as a
| layperson and not an expert on European law, I simply do
| not have the expertise necessary to understand the law
| and its implications. This is of course true of any
| website under any jurisdiction, but most laws don't come
| with such absurdly vicious teeth, and therefore the risk
| profile is a lot different. So perhaps my example was
| misinformed. But that's kind of the problem: _you need to
| have a lawyer to really be sure of these things_. I don't
| have a lawyer.
| amichal wrote:
| I think the fines/penalty headlines are a big
| misunderstanding/distraction (which got me too until I
| had to spend the time on reading the actual law for an
| actual EU client). They are what happens if you
| continually, willfully disobey the principle of the laws
| AND are also proportional to your income (see
| https://en.wikipedia.org/wiki/Day-fine which are common
| in some EU countries)
|
| If you are a small operator who messes up AND you are in
| the EU and you ignore strongly worded letters of warning
| with instructions on what you need to do to comply then
| you MIGHT be fined/penalized.
|
| If you are not making money in the EU then you are
| seriously unlikely to even be noticed messing up.
|
| If you misconfigured the logs on your blog or small
| non-EU business and kept user ids and IP addresses AND
| are outside the EU no one will bother you.
|
| If a privacy conscious EU citizen contacts you to close
| an account they made with you or delete your data you
| have many weeks (90 days i think ultimately) to respond,
| negotiate and do your best to get it done (and provide
| them whatever data you may have collected on them)
|
| If you have any of a dozen legitimate reasons to have
| personal data and you clearly explained this to the EU
| citizens you collected data from you are not going to
| hear from anyone. e.g. a EU company I work with has
| extensive logs of their employees changes and updates to
| data (imagine git commit messages). These are required
| logs for the business, an ex-employee cannot ask you
| delete that history under GDPR. Same for their b2b
| customers. The existence of these logs are made clear up
| front. It's a regulated requirement that they exist etc.
|
| If you decided to sell the log data to a third party as
| part of some profile of the citizen and you didn't say you
| intended to do that then you ABSOLUTELY would hear from
| someone. But I would think you very much should and this
| is the point.
|
| Same principles apply for California Consumer Privacy Act
| (CCPA) in the US.
| tgsovlerkhgsel wrote:
| > As it turns out, I do not have a Data Protection
| Officer for my wiki I started in 2008. Does that mean I
| am not GDPR compliant?
|
| Do you have more than 250 employees? Are you a public
| authority or body? Are you performing activities that
| "require regular and systematic monitoring of data
| subjects on a large scale"? Is your core activity
| processing on a large scale of special categories of data
| pursuant to Article 9 or personal data relating to
| criminal convictions and offences?
|
| No? Then no need to have a data protection officer or
| data protection impact assessment.
|
| You still need to implement appropriate safety measures
| and efforts to follow GDPR, where "appropriate" takes the
| scope of your processing into account
| (https://gdpr-info.eu/art-24-gdpr/), need a legitimate reason
| for using the data, etc., but all of this is very doable, and
| you're probably already in compliance if you care the
| smallest bit about your users' privacy and follow normal
| best practices like rotating your logs.
|
| IIUC (there are two directives and I'm less familiar with
| the other one) you don't even need a cookie dialog as
| long as you aren't setting any unnecessary cookies.
| Hamuko wrote:
| I actually made a GDPR request to my insurance company. Turns
| out that not only did they have documents about me before I had
| ever signed a contract with them, they had documents about me
| before I was even born.
| donatj wrote:
| > They had documents about me before I was even born
|
| Can you elaborate?
| Hamuko wrote:
| Turns out that my parents took on some kind of a life
| insurance policy in an insurance company that no longer
| exists in the strict sense but the documents have carried
| on through fusions and when a couple of decades later I got
| car insurance, a bunch of old medical records and contracts
| were linked with my account.
| 77pt77 wrote:
| > they had documents about me before I was even born.
|
| This needs some explanation.
|
| Also, what's stopping them from just lying?
| Hamuko wrote:
| > _Also, what's stopping them from just lying?_
|
| Well, hopefully the prospect of fines if they're caught.
| I'm hoping that the local data authorities won't be lenient
| if a company is caught outright lying.
| temporalparts wrote:
| I'd be curious of a detailed analysis of the cost of GDPR to EU
| consumers. There are websites that shut down or no longer
| service European customers because of the concerns around GDPR.
| moooo99 wrote:
| I know that's only anecdotal and no evidence at all, but the
| only time I encountered a website that is not serving European
| users anymore was a link here on HN.
|
| I think most users didn't even notice and for the people who do
| and are really bothered, there are workarounds such as VPNs
| Hamuko wrote:
| I've only anecdotally run across half a dozen local US news
| sites that claim how their EU visitors are very important
| (clearly they're not) and also a Japanese lyrics site.
| anoncake wrote:
| A local US news site that doesn't care about its few EU
| visitors obviously doesn't fall under GDPR. I wonder if one
| that targets them by putting up a non-compliant popup does?
| ydnaclementine wrote:
| I use this addon to hide the opt-ins: https://www.i-dont-care-about-cookies.eu/
|
| >In most cases, it just blocks or hides cookie related pop-ups.
| When it's needed for the website to work properly, it will
| automatically accept the cookie policy for you (sometimes it will
| accept all and sometimes only necessary cookie categories,
| depending on what's easier to do). It doesn't delete cookies.
| makomk wrote:
| It remains somewhat, ah, interesting that the biggest GDPR fine
| is for not being able to withstand a targeted attack by a
| motivated attacker. The British Airways compromise seems to have
| involved someone getting access to their systems (which basically
| just requires one employee screwing up, once) and hiding
| malicious code in their website so custom-tailored to them that
| an uninvolved outside expert in the malware family involved had
| trouble identifying where it was _after_ he knew it was there due
| to the news coverage. That's the kind of "gross negligence" that
| leads to a record fine and I don't think IT security as it
| currently stands is even remotely capable of preventing it.
| vmception wrote:
| 1) Subscribe via email!
|
| 2) Accept our cookies and let us track you! (with a delay for
| choosing anything that's not accept all)
|
| 3) Surprise! There might be a paywall whether subscribed via
| email or not! Schrodinger's paywall
|
| 4) Oh hey! I saw you paused scrolling or moved your mouse in the
| general direction of the back button, check out this other thing!
|
| 5) Okay lol, here's the article. Maybe. Depending on the deal we
| cut with the creators of your specific browser and geographic
| location and how many other articles you've read this month.
|
| and that's _with_ adblock
|
| Europe and California, we are counting on you to fix the
| internet!
| midasuni wrote:
| 1) don't track visitors
|
| Then there you go, no popups, no consent to ask for, job done.
| zibzab wrote:
| Well, who do you folks think should be fined next?
|
| Also, can't we just agree that "Legitimate interest" is
| noncompliance and fine BBC too while at it?
| t0mas88 wrote:
| Facebook, they're refusing the right to access your data:
| https://ruben.verborgh.org/facebook/
|
| And Google for the whole Doubleclick Ad Exchange, they're
| sharing lots of user details with hundreds of bidders on every
| pageview that has ads. As well as storing all of that
| information in Google Cloud as part of their Ads Data Hub
| product. All without permission.
| tgsovlerkhgsel wrote:
| 1. Every single web site that uses dark patterns that make not
| saying yes impractical. Start with the ones that required more
| than 3 clicks, then clarify that "the request must be clear,
| concise and not unnecessarily disruptive" means "equally sized,
| equally highlighted buttons for 'accept all' and 'reject all'".
|
| 2. Every single company that knowingly processed data based on
| such invalid consent.
|
| 3. Every single website and company that processed data for
| advertising based on "legitimate interest"
| alkonaut wrote:
| The largest site (by revenue) that currently uses a two-
| button consent dialog with "accept and continue" vs "manage
| options".
|
| That's not making opt-out the default choice.
|
| If multimillion fines were given to just a few hundred of these
| sites things would change pretty quickly.
| tomcooks wrote:
| Now if only they forced websites to have a single, standardized,
| accessible, unobtrusive popup~
| paxys wrote:
| I'm surprised there is no standard for this yet. Just build it
| into the browser like all other privacy-related requests
| (location, webcam etc.) are handled. If sites don't implement
| it, don't accept their cookies. That way I can also manage a
| blanket yes/no list without getting an obtrusive popup every
| time.
| Hamuko wrote:
| Expecting another smash success like the Do Not Track header.
| paxys wrote:
| Do Not Track didn't work because (1) it was not enforced at
| the browser level, (2) it had no legal backing and (3) it
| was not granular enough to be useful. With GDPR, CCPA etc.
| in place the online privacy landscape is very different,
| and a new standard is very much possible today. Why did
| every site in the world implement all the consent popups in
| the first place when they could have continued to do
| nothing?
| atoav wrote:
| If you could sue people for real money when they violate
| said header it might be taken more seriously pretty
| quickly.
| Hamuko wrote:
| I don't believe that you can sue under the GDPR. I've
| always understood it to be something that you can lodge a
| complaint against someone with your local authorities. No
| idea about the CCPA but I wouldn't be surprised if you
| could considering how lawsuit-happy Americans are.
| cm2187 wrote:
| Do not track is a gentleman's agreement in a world of
| thugs. But you could block cookies at the browser level if
| the user clicks No.
| djxfade wrote:
| The problem is that I can't possibly imagine Google
| implementing this, as it would hurt their data hoarding
| lostcolony wrote:
| Why? The browser has access to it at all times, and you can
| still ask for it anywhere. So Google (via Chrome) isn't
| losing anything.
|
| In fact, everyone else (including Google via analytics) is
| probably going to get more data; make it so that in the same way the
| browser form fills address and phone number and things
| automatically based on past fills, have a standard API in
| the browser to handle that. Now users just have to click
| "okay" to share all that data, rather than enter it in.
| skohan wrote:
| Well seeing as a lot of sites use dark patterns to
| confuse users into accepting more liberal tracking, I'm
| not sure I would agree that this would lead to more data
| collected
| zibzab wrote:
| It may surprise you, but Google was not the villain here:
|
| https://www.cnet.com/news/apache-web-software-overrides-ie10...
| eli wrote:
| Everyone's talking about DNT, but P3P from Microsoft circa
| 2002 is probably more instructive:
| https://en.wikipedia.org/wiki/P3P
|
| Privacy is nuanced. It's really hard to encode all ways you
| may or may not want your data used into a few boolean
| questions.
| Hamuko wrote:
| One of my favourite Stack Overflow answers still is making
| your privacy policy a potato.
|
| https://stackoverflow.com/a/16475093
| seoaeu wrote:
| The problem is that sites will just pretend that any such
| standard doesn't actually exist. All of these sites could
| suppress cookie popups for clients that send a do-not-track
| header, but choose not to.
| kmeisthax wrote:
| They did. It was called Do-Not-Track and Microsoft had the
| bright idea to pull an iOS 14 and turn it on by default in
| IE. At that point the few ad companies that had supported it
| basically told the browser vendors to pound sand and it
| became entirely useless for anything but fingerprinting.
| zibzab wrote:
| The point of that is to make you click and maybe by mistake
| give them their consent.
|
| We already had do-not-track in the browser, why do you think
| companies refuse to honour it?
| Quarrelsome wrote:
| because they're not getting fined 200m for it?
| [deleted]
| tgsovlerkhgsel wrote:
| Even better, force them to respect something like
| https://globalprivacycontrol.org/
|
| and _prohibit_ showing an obtrusive popup.
| sharken wrote:
| So much this, I'd actually rather opt-in if that meant the
| cookie popup would go away once and for all.
| amelius wrote:
| Or force websites to obey the Do-Not-Track HTTP header.
|
| https://en.wikipedia.org/wiki/Do_Not_Track
| cm2187 wrote:
| that's a lot of trust in the fly-by-night ad industry
| vmception wrote:
| They should fine organizations for providing a worse experience
| while people choose what settings to accept
|
| Basically I see a quick experience for accepting everything,
| and a degraded experience for not clicking that but getting a
| list of what to accept or denying all
| belorn wrote:
| What about having a law that makes it clear that a popup does
| not create informed consent, and then have companies decide to
| ignore that part of the law because it would be super
| inconvenient if they had to actually get informed consent.
|
| Maybe EU should write a new law by copying the GDPR text that
| defines consent and make it bold, all in caps, and underlined.
| cm2187 wrote:
| The worst is that it punishes the most privacy conscious of us,
| who clear cookies on every session, and are forced to click and
| reclick again on the same popups. I think the law should have
| been enforced at the browser level, mandate browser makers to
| prompt for authorization and once it has been refused, to never
| ask again.
| comboy wrote:
| In other words you want to delete a cookie and still have a
| cookie.
| TheCoelacanth wrote:
| They should have mandated treating the Do Not Track header as
| opting out of all tracking.
| dmayle wrote:
| In France, we're starting to see sites where they give you two
| options:
|
| 1) accept advertising/tracking cookies
|
| 2) pay a monthly subscription
|
| I've seen this on AlloCine (French IMDB), and "aufeminen" which
| is a random forum that a Google search led me to.
| kybernetikos wrote:
| I believe that this is likely not GDPR compliant, although
| this view doesn't seem to be shared by many. My basis for
| saying it's not is https://www.privacy-regulation.eu/en/recital-43-GDPR.htm
|
| > Consent is presumed not to be freely given if it does not
| allow separate consent to be given to different personal data
| processing operations despite it being appropriate in the
| individual case, or if the performance of a contract,
| including the provision of a service, is dependent on the
| consent despite such consent not being necessary for such
| performance.
|
| I take this to mean that you cannot rely on consent that a
| user has given you to process their personally identifiable
| information if they did it in order to access a service you
| wouldn't let them have access to otherwise.
| toffi-fee wrote:
| But the provision of the service is not made dependent on
| the consent if you can alternatively pay the monthly
| subscription. So I would assume, "accept all cookies or
| enter paid subscription" is GDPR compliant.
___________________________________________________________________
(page generated 2021-05-24 23:02 UTC)