| It's not easy at all to understand. I'm a developer and have spent 40+ hours in meetings with lawyers because the interpretation of the law isn't easy at all. There is a whole team of lawyers looking into this. 40% of my team is working on GDPR implementation. Just figuring out if users are allowed to use my service is hard. There is a different age of consent in different EU countries, and apparently some haven't even decided on an age of consent yet. What happens if I am in a country that has age of consent of 14, but then they vacation and use the app in a country that has age of consent of 16? We are required to offboard users if they aren't of the age of consent. What is the support flow for letting those users back into the app if they accidentally said they were born in 2016? What if the company owns multiple apps, and the user users the same OAUTH account to login into each app? If in one app they enter their birthdate as underage, now I have requirements to delete the user from all apps. My default mindset is to avoid collecting any data that I don't need so my app stores almost no info about where users are located. But EU regulations have told me I need delete all EU user accounts who don't agree to the new terms in X days after May 25th. Does this mean I have to go delete all user accounts who haven't logged in since a certain date since I can't differentiate EU vs non-EU? Those users aren't going to be happy. Some users log in through email so we are able to email them, but other users use phone number login where we can't contact them. We are potentially deleting huge numbers of accounts. We host our help center site using a third party service. Does that third party service happen to store IP address in the logs? Now I have to care about that as well. Lets say my company built an Apple TV or Xbox 360 app two years ago. There is a small group of dedicated users but it doesn't make us any money and we haven't updated it. Now we have to go build an interstital making them agree to new terms before they can use the app. None of the developers who built the app are still around, I guess we need to just delete the app now. It turns out that there were a bunch of Russian accounts who tried to manipulate the election and we only found out months later. Good thing this happened before GDPR. After GDPR all they have to do is claim they are in the EU, and then delete their account, and there data won't be completely unaccessible 30 days later. I am a big advocate for privacy and a member of the EFF for a decade. Maybe my company just already has good privacy practices, these regulations are making development much slower, without providing additional privacy benefits. If you want to see some change, I would think massive fines for data breaches would be the way to go. |
Oh, and when asked for a date of birth, they don't know what to put because it's a company account and not a person.
So they put the founding date of their company.
Which is often less than 13 years old. So now the account is locked because they need "parental consent". Or maybe they're trying to create an account, in which case they need to be locked out from creating an account because they "lied" about their age. But they aren't logged in, so how do you do that?
The already existing account doesn't have a parent of course. And it's owner is already an adult. No problem, you think, the owner will just have to prove they're an adult and it's OK.
But COPPA specifies precisely how you can check if someone is an adult, and it was written by a bunch of US regulators who don't appear to know much about life outside the USA. For instance one acceptable age verification mechanism is a credit card, but lots of people around the world don't have credit cards. Everyone having 5 cards is a US thing. So that doesn't work. You could also do a video conference with them, but good luck hiring enough people to do that at anything like a workable cost (per user margins are ultra thin). And so on. Pretty quickly you realise there's no way to recover that is both cheap enough to be deployed, and globally usable. That ignores the fact that some techniques hurt privacy far far more than any website ever normally would e.g. demanding and verifying government ID.
So people just lose their business email.
I've never seen a government pass data related regulation that wasn't a complete disaster. All such laws I'm aware of are riddled with contradictions, collateral damage and total absence of evidence that it actually helped anyone, anywhere.