[downandout]

You can already see it on many sites. They're basically just a more forceful version of cookie notifications with language about third party tracking thrown in that force you to say "OK" or tell you to leave. Here's an example:

http://prntscr.com/j67usw

FB, as with all third party trackers, isn't the one actually responsible for notifying you about the use of their pixels etc. on third party sites. The site operator using it is. See https://developers.facebook.com/docs/privacy

[maximente]

this is fundamentally insufficient, though.

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)

as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.

the only way i've found to defeat this behavior is by using ublock's origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but does prevent visiting a website which has an embedded image hosted on a FB domain from being loaded, which defeats the more nefarious FB tracking.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...

[downandout]

Yeah, but that's easy enough to deal with. You simply don't load any third party stuff (or allow them to see your content) until they click "OK". Some simple javascript is all it takes to delay loading of everything not on the current server.

So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.

On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.

[maximente]

what you've suggested seems OK technically, but i feel like you're making an assumption that originating source of traffic determines citizenship of the user.

it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.

[downandout]

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).

[freehunter]

Hmm. I'm not sure about that. If Apple and Google won't pull out of China even though China makes them do all sorts of business stuff they disagree with, I highly doubt they (web companies) would pull out of the entire EU.

It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.

[jonas21]

Google did effectively pull out of China in 2010 [1].

But in the case of the GDPR, it probably helps Google and Facebook more than it hurts them -- they can afford to jump through all of its hoops while smaller competitors might have trouble. It's essentially a barrier to entry.

[1] https://en.wikipedia.org/wiki/Google_China

[downandout]

Of course not, because Apple, Google, Facebook et al have the resources to spend millions on attorneys to implement the GDPR. My comment comes from the perspective of an operator of several small sites that get a total of a few million visitors per month combined. I'm not spending millions on attorneys, and EU traffic is only incidental to my sites anyway, so I am indeed taking my ball and going home.

This will make a difference for some users on some of the forums I run, as they will be banned with an apology and an invitation to come back if they ever move out of the EU. But it's not worth taking on the liability of potentially millions of dollars in fines for accidental non-compliance with a heavy handed, massively complex law that is up for different interpretations in the courts of no less than 28 unique countries. Unless you're in the EU or are a multi-billion dollar company with a large legal department, accepting EU traffic post-GDPR is an act of insanity.

[michaelmrose]

You seem to have complected extensive indiscriminate data collection with simple advertising and the more fundamental point of connecting and serving people.

You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy destroying data collection. This model worked fine previously and it will work fine in the future. If anything hardware and tools are damn near amazing compared to the bygone past.

I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other market to the original fools detriment.

There is in fact no reason to believe other markets including the US wont ultimately discover the merits of protecting their citizens privacy considering that in the US perhaps 171k work in the advertising industry out of 300 millions.

How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them and if they can't figure it out, then I hope the food stamp program still exists so they wont have to stand outside 7-11 with placards reading "will lie for food".

[KozmoNau7]

>"the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home"

And leave millions and millions in profit on the table for everyone else?

That the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.

They're not going to throw away profitable markets just like that. And if they do, good riddance.

[edoloughlin]

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent

This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?

[x0x0]

It doesn't matter if you load an image off fb.

per GDPR, without consent, fb cannot legally use that data (for EU residents).

And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.

[downandout]

You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.

Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.

[Silhouette]

One of the main points of the GDPR is that this sort of treatment is unlikely to be legal any more, to the extent that it ever was. Processing based on consent is now going to require active consent that can't be opted-in by default or hidden away in legal wording no-one ever reads. It's going to be tough to argue that tracking someone who isn't connected to your business/organisation has any of the acceptable bases other than consent. And without some clear basis, processing is going to be prohibited by default.

[sverige]

I wonder how many companies are waiting to see how this will be enforced before making the change. If GDPR is really actively enforced and causes some real pain to companies, then I expect your prediction will be accurate. If it isn't, I expect a lot of sites will do something less than what GDPR says.

[downandout]

I'm curious what about that notification is "hidden away in legal wording" or doesn't "require active consent". You have to agree with it to make that go away.

[freehunter]

At least the way my multi-national employer is interpreting it, under GDPR you can't get away with "click here if you agree with our privacy policy". You have to explicitly say everything that is tracked, everything that is stored, how long, and why it is required for use. If it's not required for use, you can't ask for it and you can't store it unless the person explicitly says yes. If they say no, you have to let them use it anyway, without the tracking and without the storing.

[ntoeiusn43stot]

> If they say no, you have to let them use it anyway, without the tracking and without the storing.

This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.

[Silhouette]

I have to wonder whether at some point the EU is going to become so aggressive that the big US tech firms really do start calling their bluff. Stronger legal privacy protections may be long overdue in our modern, online world, but that particular measure is transparently aimed at undermining entire business models that have supported services evidently valuable to literally billions of people around the world, and that may be a bridge too far.

If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).

[TeMPOraL]

> but that particular measure is transparently aimed at undermining entire business models

Yes, but that's the entire point. That's why this regulation exists That's why it has so many fans here on HN.

Not sure if there's a qualitatively different way of achieving the same goal with a different method. There probably isn't, so it boils down to a careful balancing act - how to damage those business models without going overboard and having all US companies show EU the finger.

[KozmoNau7]

They can still make plebty of money from ads, they just can't track users who don't agree to be tracked.

[downandout]

> If they say no, you have to let them use it anyway, without the tracking and without the storing.

That part of what he said is incorrect. The EU may be able to do alot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.

[michaelmrose]

You can if you don't have holdings and offices in the EU and don't intend to travel there.

What are you going to do if the US adopts a similar law? Move all your holdings to mexico?

[downandout]

I'd be fascinated to see what that looks like.

[Sir_Substance]

This might not be a great long term strategy, I'm expecting one or two buzzfeed-like websites to be put up against the wall and shot over this. I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

If you're running a website with one of these, I strongly suggest you make sure you record whether people accept and actually boot them off the site of they don't. GDPR article 7 section one requires a website to be able to demonstrate that I have given consent, and recital 32 requires that that consent be specific and unambiguous. It's doubtful that "by continuing to use this site you agree..." statements will be satisfactory, especially if you start the tracking the instant they hit the page, before they can click that ok button.

[downandout]

I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

I imagine that you simply won't be able to use websites anymore if you are from the EU and don't give consent. You'll just be told to go away.

[Sir_Substance]

It's trickier than that for the website owner. EU citizens accessing websites through VPN's are still protected by GDPR.

[tpm]

As are non-EU citizens while in the EU, in some cases, and possibly even non-EU citizens not in the EU while using a service centered on providing them with e.g. travel arrangements in the EU. As a lawyer specializing in GDPR recently told me. Even investigative data journalists are going to have a lot of fun with the consequences of GDPR if she's right.

[downandout]

In that case, you won't have any reason to believe that they are an EU citizen unless and until they indicate otherwise, and there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens. On my sites that don't get alot of EU traffic anyway, I'm simply blocking EU IPs, and on all registration forms, I've removed EU countries from the country selection for residence, and put a notice that says "You may not register for this website if your country is not listed above".

[Sir_Substance]

>there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens.

I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.

Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were european, honest". It is not, in fact, specifically about european citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.

How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.

[downandout]

It's a massive document so I'm not going to go through and find it, but here's an interpretation of what I'm talking about [1]:

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

So if someone is going out of their way to mask the fact that they are from the EU, and you aren't otherwise seeking out EU users, you're not going to get in trouble for that. One issue I have with it though is that translation may trigger GDPR exposure, and since Spain is part of the EU, many sites aimed at Spanish speakers (but not aimed at the EU) may have this beast of a law apply to them. I operate a few sites that have Spanish content, so that is deeply troubling.

[1] https://www.gtlaw.com/en/insights/2018/2/the-gdpr-deadline-l...

[Sir_Substance]

response to: https://news.ycombinator.com/item?id=16870636

This thread is now too deep for me to respond to your comment.

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.

Read more here: https://gdpr-info.eu/?s=occasional

But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.

Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.

[michaelmrose]

"You'll just be told to go away." I thought that too was disallowed if the data you collect isn't required to provide said service.

[polskibus]

That popup contains false statement though. How does personalizing ads make the site easier to use?

[013]

They could argue that keeping you logged in with cookies makes it easier for you to use.

[polskibus]

that part is true, the part about ads isn't. Also AFAIK GDPR doesn't let the companies to glue all possible data processing purposes into one consent and indefinitely - there should be a clear message also on the timeline of data processing, what data is collected (not just cookies) and informing that I can withdraw my consent at any time.

[matrixagent]

The screenshotted example is nothing new, I've seen that specific thing at least 6 months ago. I don't think it has anything to do with GDPR, and as others have already mentioned it is not likely to be legal under it.