Note: the following questions are not because I'm trying to figure out how to work around GDPR. They are to help figure out just what the meaning of it is. Imagining hypotheticals that try to work around a law is a common method in legal circles for clarifying the law. My employer does not keep any data that would be problematic, and compliance looks like it will be pretty easy for us [1].

> Explicit consent for non-essential data use, [...]

This raises a bunch of questions. Anyone know the answer to any of these?

1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

> [...] you always need to provide opt-out without degrading the service

2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall. On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting, later change your mind and opt out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?

3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first-time visitors if they are in the EU or EU citizens. If they say they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes. If they say they are, I just send them to a page that says EU people are not allowed to use my site. What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.
If you use the data for bank transactions or paypal subscriptions it's essential.
If you sell the data for profit, it might be essential, but it falls under "opt-in only" of the GDPR. So in this part, not essential in the above sense.
>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.
>3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.
>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first-time visitors if they are in the EU or EU citizens.
If they say no, I would say that is okay to believe, considering the GDPR also requires an "Are you 16" question. Ask a lawyer.