by j32fun 2991 days ago
I think a few blogs have touched on this:

* https://www.linkedin.com/pulse/nightmare-letter-subject-acce...

* https://www.smashingmagazine.com/2018/02/gdpr-for-web-develo...

* https://wtfuh.com/2018-04-09/gdpr-has-a-few-problems/

* https://pagefair.com/blog/2018/granular-gdpr-consent/

4 comments

Based on the first link, that letter scares me a lot. I have a feeling that this level of regulation will destroy any social startup. You'd need a compliance department larger than engineering just to remain legal. This is clearly a win for Facebook.
Or you just build your permissions and opt-in platform as a base for the social app.

We wouldn't let a self-driving startup ignore traffic laws because it's "too hard". Likewise we shouldn't let a social startup ignore privacy laws and auditing.

At least on the surface it doesn't seem that bad. You just have an opt-in data collection with (type-of-data, purpose-of-data) tuples and let users actually delete data on request.

Allow Socially to collect the following information for the purposes of providing you service:

- Minimal Account Information: email address and password

To prevent spam, if you don't provide additional profile information, you will be required to verify your account with a valid government ID. Only the expiration date will be stored.

- Information posted to your timeline.

Without this you will be unable to post updates.

- Messages sent to others.

Without this you will be unable to send messages.

- Profile Information: Name, Address ...

Allow Socially to collect the following information for the purposes of protecting your account:

- Network Addresses used to access the service.

- Login location

- Login times

After a short time using the service if we see a login that doesn't match the information on record we will notify the primary email for approval.

- Links to other sites you click.

We will check links you click against our list of known phishing sites and scams and warn you before redirecting you.

Allow Socially to collect the following information for running internal studies and improving our service.

- Features you use.

- Posts you read.

- Links to other sites you click.

Allow Socially to collect the following information to help make ads more relevant to you:

...

I would strongly recommend reading what Pagefair has been putting out. They have been one of the few sources I've found that takes GDPR literally. It isn't even clear what level Google's compliance will be - https://pagefair.com/blog/2018/googles-nonpersonal-ads/

There are a lot of extremely serious questions that arise regarding network security, anti-fraud, and anti-abuse measures. Just looking at basic bot detection measures, all of the sophisticated methods are now illegal. It certainly requires a major re-think of how websites serve content as well as the sustainability of advertising as a revenue channel. I can't even wrap my head around how someone would run a GDPR-compliant dating website/app.

If you think Pagefair's interpretations of the GDPR are correct then Google and others are calling the EU's bluff. They are implementing part of the GDPR strictly but the parts which invalidate their business models are being interpreted more liberally or ignored altogether.

I'm not saying that the GDPR is a good idea, bad idea, morally right or wrong. Rather, a lot of things we have come to view as a given -- such as how we detect bots, fraud, and abuse -- are no longer valid. Infrastructure, both technical and business, will need to be re-designed either to comply with the GDPR or evade it.

I kind of feel like every question in the first link is entirely reasonable and people _should_ be able to get those answers, though. Nothing in there is onerous if you're following good practices anyway.

I really feel like the answers to all of those questions are going to be basically identical between people, and all you really need to do is be able to export whatever data you have on somebody quickly in order to be able to respond to that email in under a quarter of an hour.

I guess it could make a decent DoS tactic against a small company, but lots of other things would too.
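The opt-in (type-of-data, purpose-of-data) model sketched in the mock "Socially" consent screen earlier in the thread, together with the "export whatever data you have on somebody quickly" point above, as an added Python example that is not part of the thread or of any real product. The catalog of tuples, the data types, the e-mail addresses and the sample records are constructed for illustration; the design point is that the only write path refuses data the subject never opted in to, so export and erasure stay trivial.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# A consent is one (type-of-data, purpose-of-data) tuple, as in the mock screen.
Consent = Tuple[str, str]

# Constructed catalog of everything the app may ever ask for. Collecting a
# pair outside the catalog is a bug in the code, not a per-user choice.
CATALOG: Set[Consent] = {
    ("email", "provide_service"),
    ("timeline_post", "provide_service"),
    ("message", "provide_service"),
    ("network_address", "protect_account"),
    ("login_time", "protect_account"),
    ("clicked_link", "protect_account"),
    ("clicked_link", "internal_study"),
    ("feature_use", "internal_study"),
}


class ConsentRequired(Exception):
    """Raised when code tries to store data the subject never opted in to."""


@dataclass
class Subject:
    email: str
    consents: Set[Consent] = field(default_factory=set)
    records: List[dict] = field(default_factory=list)


class PersonalDataStore:
    def __init__(self, catalog: Set[Consent] = CATALOG) -> None:
        self.catalog = catalog
        self.subjects: Dict[str, Subject] = {}

    def register(self, email: str) -> Subject:
        # Account creation only needs the minimal tuple from the mock screen.
        subject = Subject(email=email, consents={("email", "provide_service")})
        self.subjects[email] = subject
        return subject

    def grant(self, email: str, data_type: str, purpose: str) -> None:
        consent = (data_type, purpose)
        if consent not in self.catalog:
            raise ValueError(f"{consent} is not a declared (type, purpose) pair")
        self.subjects[email].consents.add(consent)

    def revoke(self, email: str, data_type: str, purpose: str) -> int:
        """Withdraw one consent and purge records collected under it."""
        subject = self.subjects[email]
        subject.consents.discard((data_type, purpose))
        before = len(subject.records)
        subject.records = [r for r in subject.records
                           if (r["data_type"], r["purpose"]) != (data_type, purpose)]
        return before - len(subject.records)

    def collect(self, email: str, data_type: str, purpose: str, value: str) -> None:
        """The only write path: refuses anything not covered by a consent."""
        subject = self.subjects[email]
        if (data_type, purpose) not in subject.consents:
            raise ConsentRequired(f"{email} has not opted in to {(data_type, purpose)}")
        subject.records.append({
            "data_type": data_type,
            "purpose": purpose,
            "value": value,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })

    def export(self, email: str) -> dict:
        """Everything held on one person, grouped by purpose, for an access request."""
        subject = self.subjects[email]
        by_purpose: Dict[str, List[dict]] = {}
        for r in subject.records:
            by_purpose.setdefault(r["purpose"], []).append(r)
        return {
            "subject": email,
            "consents": sorted(subject.consents),
            "data_by_purpose": by_purpose,
            "record_count": len(subject.records),
        }

    def erase(self, email: str) -> int:
        """Delete on request; returns how many records were removed."""
        return len(self.subjects.pop(email).records)


def demo() -> dict:
    """Constructed walk-through for one user; returns that user's export."""
    store = PersonalDataStore()
    store.register("alice@example.com")
    store.grant("alice@example.com", "timeline_post", "provide_service")
    store.grant("alice@example.com", "clicked_link", "protect_account")
    store.collect("alice@example.com", "timeline_post", "provide_service", "hello")
    store.collect("alice@example.com", "clicked_link", "protect_account", "https://example.net/")
    try:
        # Same data type, different purpose: not consented, so refused.
        store.collect("alice@example.com", "clicked_link", "internal_study", "https://example.net/")
    except ConsentRequired:
        pass
    return store.export("alice@example.com")
```

Because every record carries the tuple it was collected under, revoking one consent is a filter rather than a search across systems, and the export is the same function for every user, which is what makes a fifteen-minute response realistic.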

> respond to that email in under a quarter of an hour.

Let's take an app like Instagram as an example. Instagram had over 1 million users within two months and 10 million within a year, and no profits. You're running on a shoestring trying to keep servers online without any serious budget to speak of. It's probably you and a few friends/associates working closely together.

All of a sudden with GDPR, you have to pay a lawyer to help you understand what you need to do to comply with the regulations. You also have to spend engineering time developing solutions to enable the queries in that letter, enable purging records from long-term backups, etc. And people have to spend the 15 minutes responding to each request.

Now, let's say each request does only take 15 minutes like you suggest (which I find highly unlikely). If a small fraction like 0.5% of your customer base sends such a letter, then that's 50,000 letters. At 15 minutes each, that's 12,500 hours which is over 6 full-time employees. Many small businesses don't even have 6 employees to conduct the entirety of their business right now!

If the concern is that business owners can no longer cut costs by being lax with people's data... isn't that the whole point of the GDPR? That we've collectively decided that letting people cut those costs is having too many negative consequences too often and that we need to stop?
There's a pretty wide chasm between "cutting costs" and "literally doubling your staff," the latter being a death knell for small businesses.
Thanks, wow. Responding to a letter like your first link could significantly bog down resources for a young company. You can imagine if you launched and even received moderate user growth early on, but then started receiving such letters, your productivity could go down the tubes.
I disagree. Here's an outline of what a response to the letter in that first link should look like for a small, well-meaning* startup:

The letter is nicely formatted into 9 bullets. All are optional for small companies, and all can be automated - the answer should be the same for all users.

1. This is a "yes" or "no" question. If the answer is "no", you can ignore the rest of the letter. If yes, the answer is the same for all users.

2. Simple, short, same for all users.

3. You can avoid doing this if you want. If you are doing this, you're signing up to take on this additional burden of informing your users. Consider this when making this decision. This is the only bullet in the list that is in any way burdensome as you will need to update this text in your automated response whenever you take on 3rd-parties (if at all).

4. Simple, short, same for all users.

5. and 6. are "if" conditionals that you shouldn't be doing. The answer should be "No".

7. Amounts to "has my data been hacked". If yes, that's unfortunate, but obviously you have a moral obligation to respond here regardless. Presuming you're hacked once, you provide full details once and send automatically to any users who ask.

8. and 9. are out of place. GDPR doesn't require you to respond to these questions within this quoted 1 month time limit (you do have to have what's detailed within them in place to comply with GDPR but that's tangential to info requests). These seem to have been put into this blog post as extra scaremongering.

* by "well-meaning" I basically mean "not selling all of your users' personal data to myriad nefarious 3rd-parties"

> 3. You can avoid doing this if you want. If you are doing this, you're signing up to take on this additional burden of informing your users. Consider this when making this decision. This is the only bullet in the list that is in any way burdensome as you will need to update this text in your automated response whenever you take on 3rd-parties (if at all).

Pretty much everyone is going to. Google Analytics, Zendesk, Salesforce, and more all qualify. Hell, even AWS qualifies...

> 5. and 6. are "if" conditionals that you shouldn't be doing. The answer should be "No".

Why do you say that? Given that we're discussing technical companies, I fully expect that automated decisions will be made.

> 7. Amounts to "has my data been hacked". If yes, that's unfortunate, but obviously you have a moral obligation to respond here regardless. Presuming you're hacked once, you provide full details once and send automatically to any users who ask.

And "detail all your security measures". Which, for a small company that doesn't have an InfoSec group, probably means next to nothing. An admission that feels a lot like liability...

> 8. and 9. are out of place. GDPR doesn't require you to respond to these questions within this quoted 1 month time limit (you do have to have what's detailed within them in place to comply with GDPR but that's tangential to info requests). These seem to have been put into this blog post as extra scaremongering.

It's the sort of thing an angry consumer might do, and most startup founders subject to GDPR are not deeply knowledgeable about it.

> Pretty much everyone is going to [...] even AWS qualifies...

I worded this badly. This is optional on a case by case basis, i.e. there's a cost-benefit to using each 3rd-party, and this burden is worth considering for each. It's still not a massively onerous burden tbh if you do use a lot of 3rd parties.

> And "detail all your security measures". Which, for a small company that doesn't have an InfoSec group, probably means next to nothing. An admission that feels a lot like liability...

I'm sorry but if you're really defending companies with no competent security measures in place, regardless of size, I think you're in the wrong forum here. If you are a commercial entity of any size there should be moral hazard in ignoring security of your users' personal data.

> It's the sort of thing an angry consumer might do, and most startup founders subject to GDPR are not deeply knowledgeable about it.

Exactly. And unlikely to be more knowledgeable if they're reading misleading scaremongering articles like this on LinkedIn!

> I worded this badly. This is optional on a case by case basis, i.e. there's a cost-benefit to using each 3rd-party, and this burden is worth considering for each. It's still not a massively onerous burden tbh if you do use a lot of 3rd parties.

I'm up close and personal with a vendor assurance process right now. It's often a non-trivial amount of time for any given vendor.

> I'm sorry but if you're really defending companies with no competent security measures in place, regardless of size, I think you're in the wrong forum here. If you are a commercial entity of any size there should be moral hazard in ignoring security of your users' personal data.

I'm sorry, I worded this badly. I'm saying that small startups have a tendency to prioritize getting a product working and seeing if it's worth investing heavily in before standing up a strong information security unit. You're absolutely, completely, 100% correct that there should be incentives to be very careful with user data.

I think it's possible to see where some people might find the level of expense and expertise required to be appropriately careful somewhat scary. I can even see where some people might decide to not create a social media startup to challenge Facebook because of this fear.

Honestly, those questions should be pretty easy to answer especially if your company is small. If as a business you can’t answer these basic questions about the data you want to collect from me, I’m going to be hesitant to share it.

People keep sharing that “nightmare letter” link but won’t point out which question gives them nightmares and why.

A couple of things stand out to me as potentially scary. First, the hard one-month timeline. For a brand new baby startup, a month is a lot of time and any distraction potentially killer.

Second, a list of everything across all types of storage in any and all systems stands out. Even large companies often lack the ability to search ZenDesk, Salesforce, email, AWS S3, and Slack logs all at once.

Third, there's a clause that asks quite specifically for a thorough list of any and all potential future plans. That's a lot, especially given how startups are subject to pivoting.

Fourth, the section about third parties is essentially asking for the outcome of a vendor assurance process. A lot of small companies can't pass a reasonable vendor assurance process. They often can't afford the time and assurance specialists to manage one for their vendors. Even large companies often have trouble maintaining the level of control required for thorough vendor assurance. The bit about legal reasoning implies the involvement of a lawyer as well.

Fifth, there's a strong implication that no matter what you might say in response, it's not going to be good enough. There's always something that can be pointed to as not enough.

With all of the above combined, I can see where some might view GDPR as intimidating and favoring big companies over small ones through sheer costs.

> People keep sharing that “nightmare letter” link but won’t point out which question gives them nightmares and why.

There is a standard way in which "reasonable" regulations kill small companies. It works like this. You impose some small burden, something like an hour of labor a week. That won't destroy a small company, but that is not the only rule in the world. That rule takes an hour, another rule an hour and a half, a third rule a half hour. By the 60th rule, a two person company is past sunk. Even if every individual rule is nominally reasonable, the combination is hopelessly destructive.

The problem with tech companies is the rules don't just add together, they get multiplied by the user base, and it's entirely common for a very small company to have ten million users.

So you take a letter like that. The first time you get one it will take you a week to figure it out, but over time you get the response time down to an hour. Only with 10 million users, if 0.1% of the users make such a request per year, you're looking at 27 of those every day. That's more than three full time employees doing nothing but that. For this one "reasonable" regulation.

I'll point out which question gives me nightmares, as the founder of an EU startup:

- the requirement to have a DPO. Based on the requirements for the DPO, no one in the company can fill the role (conflict of interest), so we must hire an employee or consultant (expensive either way for a small startup)

- one month to respond. That's a lot of information to collect the first time, and I might have other fires to put out (or I have to be proactive and have a prepared response, which has to take the place of something else important to do)

- the sheer amount of information to collect. In the age of plug and play solutions, that's a LOT of things to audit (Mailchimp, AWS, GA, Heroku, various Wordpress plugins, a logging solution whose name I don't even remember, just to name a few)

- tracking every single PI of a user. If your systems are not built for this, it's going to be lengthy. If you were created before the GDPR, they are probably not.

- tracking down the usage of those PI may be complicated depending on the expected scope and the usage you do (fortunately for me, there is no ad nor data resell, so really only the scope is the problem)

- some of the processes asked for have a serious implication that you should have some and do some sort of things. This is not feasible for a small startup.

It boils down to: it takes time, and time is something I'd rather use for something else, and it also requires doing things that have huge fixed costs that the size of a small company can't absorb (at least not until there is a ready-made solution).

I define small startup as startups with less than 20 employees, that might have received Seed funding but not more. Those points might not all be applicable to a new startup created with GDPR in mind.

Thanks for this. So what's your advice for a social startup building a new platform in today's data-privacy concerned world?
Simply build a secure and private platform, don't be reckless with user data. Health startups already deal with this through HIPAA and it isn't really a big deal, just common sense practices for security and privacy.
I'm going to be honest: I have no clue about social. I operate in the socio-medical domain, we don't share by default.

We are mostly fine with the spirit of the GDPR, it's the work we have to do to follow it to the letter which is a problem (and the lack of process internally).

I think so too. It certainly makes one question what kinds of app I would want to build.