by johnny313 2984 days ago
This does not discuss whether nonusers will be asked to opt-in. Curious how GDPR will change tracking people w/out FB accounts.

IANAL. The only argument I'm aware of that data controllers can make for processing data without consent is if there is a legitimate interest: if the data controller needs to process the data in fulfillment of a contract/service. I wonder how this will play out for non-users. It would seem there's no legitimate interest there.

"In order to provide tagging service to our users, a key platform feature, we are required to maintain and process data about individuals with which Facebook, Inc. does not have a pre-existing business relationship ("Non-Users"). Failure to do so would cause substantive harm to our service, and should therefore be exempted from gathering consent from Non-Users under Article 21, Section 5 of the GDPR."

Something like that, I expect, although I'm not a lawyer either.

Processing without consent doesn't work for multiple parties.

You can't claim that because you need to provide service for someone else you need to process data of non-users.

The users whose data you collect are required to be part of the service or contract to fulfill unless you have a damn good reason not to and "we need to provide this service because we go belly up otherwise" won't fly, IMO. A legitimate interest would be stuff like "we will make backups of our data, ensuring that deletion requests are carried out upon restore, to continue providing service in case of disaster" or "we will log your IP temporarily because we need to provide essential network and information security".

[Laid out in https://gdpr-info.eu/recitals/no-40/]

You can already see it on many sites. They're basically just a more forceful version of cookie notifications with language about third party tracking thrown in that force you to say "OK" or tell you to leave. Here's an example:

http://prntscr.com/j67usw

FB, as with all third party trackers, isn't the one actually responsible for notifying you about the use of their pixels etc. on third party sites. The site operator using it is. See https://developers.facebook.com/docs/privacy

this is fundamentally insufficient, though.

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that user's IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)

as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.

the only way i've found to defeat this behavior is by using uBlock Origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but does prevent visiting a website which has an embedded image hosted on a FB domain from being loaded, which defeats the more nefarious FB tracking.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...

Yeah, but that's easy enough to deal with. You simply don't load any third party stuff (or allow them to see your content) until they click "OK". Some simple javascript is all it takes to delay loading of everything not on the current server.

So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.

On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.
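
The approach discussed in the comments above (no third-party request until the visitor clicks "OK"), as an added example that is not part of the thread. Because a browser fetches `src` URLs while it parses the page, the deferral has to happen in the served markup rather than in a script that runs afterwards. The function names, the `data-consent-src` attribute and the sample hosts are assumptions, and the regex rewrite is a simplification of a real HTML rewriter.

```javascript
// Added example; every name here is hypothetical, not from the thread.
const GATED_TAGS = /<(script|img|iframe)\b([^>]*?)\ssrc=(["'])(.*?)\3([^>]*)>/gi;

// True when the URL resolves to a host other than the page's own.
function isThirdParty(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).host !== new URL(pageOrigin).host;
  } catch {
    return true; // unparseable URL: treat it as third party and gate it
  }
}

// Server side: park third-party URLs in data-consent-src so the browser
// never requests them while parsing the page.
function gateThirdParty(html, pageOrigin) {
  return html.replace(GATED_TAGS, (tag, name, pre, q, url, post) =>
    isThirdParty(url, pageOrigin)
      ? `<${name}${pre} data-consent-src=${q}${url}${q}${post}>`
      : tag);
}

// Hosts the browser would contact just by parsing this markup.
function hostsContacted(html, pageOrigin) {
  const hosts = new Set();
  for (const m of html.matchAll(GATED_TAGS)) {
    hosts.add(new URL(m[4], pageOrigin).host);
  }
  return [...hosts].sort();
}

// Client side, called only from the consent button's click handler:
// restore the parked URLs so the resources load after the "OK".
function releaseAfterConsent(root) {
  for (const el of root.querySelectorAll('[data-consent-src]')) {
    el.setAttribute('src', el.getAttribute('data-consent-src'));
    el.removeAttribute('data-consent-src');
  }
}

// Constructed sample page: one first-party and two third-party resources.
const SAMPLE = [
  '<img alt="logo" src="/static/logo.png">',
  '<img src="https://tracker.example/like.png" alt="like">',
  '<script async src="//cdn.example/widget.js"></script>',
].join('\n');
```

In a browser, `releaseAfterConsent(document)` would be wired to the consent button; scripts restored this way may need to be re-created as new elements to execute, which this example does not cover.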

what you've suggested seems OK technically, but i feel like you're making an assumption that originating source of traffic determines citizenship of the user.

it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.

> but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).

Hmm. I'm not sure about that. If Apple and Google won't pull out of China even though China makes them do all sorts of business stuff they disagree with, I highly doubt they (web companies) would pull out of the entire EU.

It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.

You seem to have complected extensive indiscriminate data collection with simple advertising and the more fundamental point of connecting and serving people.

You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy-destroying data collection. This model worked fine previously and it will work fine in the future. If anything, hardware and tools are damn near amazing compared to the bygone past.

I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other markets to the original fool's detriment.

There is in fact no reason to believe other markets including the US won't ultimately discover the merits of protecting their citizens' privacy considering that in the US perhaps 171k work in the advertising industry out of 300 million.

How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them and if they can't figure it out, then I hope the food stamp program still exists so they won't have to stand outside 7-11 with placards reading "will lie for food".

>"the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home"

And leave millions and millions in profit on the table for everyone else?

That's the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.

They're not going to throw away profitable markets just like that. And if they do, good riddance.

> if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that user's IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent

This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?

It doesn't matter if you load an image off fb.

per GDPR, without consent, fb cannot legally use that data (for EU residents).

And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.

You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.

Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.

One of the main points of the GDPR is that this sort of treatment is unlikely to be legal any more, to the extent that it ever was. Processing based on consent is now going to require active consent that can't be opted-in by default or hidden away in legal wording no-one ever reads. It's going to be tough to argue that tracking someone who isn't connected to your business/organisation has any of the acceptable bases other than consent. And without some clear basis, processing is going to be prohibited by default.

I wonder how many companies are waiting to see how this will be enforced before making the change. If GDPR is really actively enforced and causes some real pain to companies, then I expect your prediction will be accurate. If it isn't, I expect a lot of sites will do something less than what GDPR says.

I'm curious what about that notification is "hidden away in legal wording" or doesn't "require active consent". You have to agree with it to make that go away.

At least the way my multi-national employer is interpreting it, under GDPR you can't get away with "click here if you agree with our privacy policy". You have to explicitly say everything that is tracked, everything that is stored, how long, and why it is required for use. If it's not required for use, you can't ask for it and you can't store it unless the person explicitly says yes. If they say no, you have to let them use it anyway, without the tracking and without the storing.

> If they say no, you have to let them use it anyway, without the tracking and without the storing.

This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.

I have to wonder whether at some point the EU is going to become so aggressive that the big US tech firms really do start calling their bluff. Stronger legal privacy protections may be long overdue in our modern, online world, but that particular measure is transparently aimed at undermining entire business models that have supported services evidently valuable to literally billions of people around the world, and that may be a bridge too far.

If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).

> If they say no, you have to let them use it anyway, without the tracking and without the storing.

That part of what he said is incorrect. The EU may be able to do a lot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.

I'd be fascinated to see what that looks like.

This might not be a great long term strategy, I'm expecting one or two buzzfeed-like websites to be put up against the wall and shot over this. I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

If you're running a website with one of these, I strongly suggest you make sure you record whether people accept and actually boot them off the site if they don't. GDPR article 7 section one requires a website to be able to demonstrate that I have given consent, and recital 32 requires that that consent be specific and unambiguous. It's doubtful that "by continuing to use this site you agree..." statements will be satisfactory, especially if you start the tracking the instant they hit the page, before they can click that ok button.

> I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

I imagine that you simply won't be able to use websites anymore if you are from the EU and don't give consent. You'll just be told to go away.

It's trickier than that for the website owner. EU citizens accessing websites through VPNs are still protected by GDPR.

As are non-EU citizens while in the EU, in some cases, and possibly even non-EU citizens not in the EU while using a service centered on providing them with e.g. travel arrangements in the EU. As a lawyer specializing in GDPR recently told me. Even investigative data journalists are going to have a lot of fun with the consequences of GDPR if she's right.

In that case, you won't have any reason to believe that they are an EU citizen unless and until they indicate otherwise, and there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens. On my sites that don't get a lot of EU traffic anyway, I'm simply blocking EU IPs, and on all registration forms, I've removed EU countries from the country selection for residence, and put a notice that says "You may not register for this website if your country is not listed above".

> there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens.

I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.

Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were european, honest". It is not, in fact, specifically about european citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.

How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.

"You'll just be told to go away." I thought that too was disallowed if the data you collect isn't required to provide said service.

That popup contains false statement though. How does personalizing ads make the site easier to use?

They could argue that keeping you logged in with cookies makes it easier for you to use.

that part is true, the part about ads isn't. Also AFAIK GDPR doesn't let companies glue all possible data processing purposes into one consent and indefinitely - there should be a clear message also on the timeline of data processing, what data is collected (not just cookies) and informing that I can withdraw my consent at any time.

The screenshotted example is nothing new, I've seen that specific thing at least 6 months ago. I don't think it has anything to do with GDPR, and as others have already mentioned it is not likely to be legal under it.