[Silhouette]

One of the main points of the GDPR is that this sort of treatment is unlikely to be legal any more, to the extent that it ever was. Processing based on consent is now going to require active consent that can't be opted-in by default or hidden away in legal wording no-one ever reads. It's going to be tough to argue that tracking someone who isn't connected to your business/organisation has any of the acceptable bases other than consent. And without some clear basis, processing is going to be prohibited by default.

[sverige]

I wonder how many companies are waiting to see how this will be enforced before making the change. If GDPR is really actively enforced and causes some real pain to companies, then I expect your prediction will be accurate. If it isn't, I expect a lot of sites will do something less than what GDPR says.

[downandout]

I'm curious what about that notification is "hidden away in legal wording" or doesn't "require active consent". You have to agree with it to make that go away.

[freehunter]

At least the way my multi-national employer is interpreting it, under GDPR you can't get away with "click here if you agree with our privacy policy". You have to explicitly say everything that is tracked, everything that is stored, how long, and why it is required for use. If it's not required for use, you can't ask for it and you can't store it unless the person explicitly says yes. If they say no, you have to let them use it anyway, without the tracking and without the storing.

[ntoeiusn43stot]

> If they say no, you have to let them use it anyway, without the tracking and without the storing.

This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.

[Silhouette]

I have to wonder whether at some point the EU is going to become so aggressive that the big US tech firms really do start calling their bluff. Stronger legal privacy protections may be long overdue in our modern, online world, but that particular measure is transparently aimed at undermining entire business models that have supported services evidently valuable to literally billions of people around the world, and that may be a bridge too far.

If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).

[TeMPOraL]

> but that particular measure is transparently aimed at undermining entire business models

Yes, but that's the entire point. That's why this regulation exists That's why it has so many fans here on HN.

Not sure if there's a qualitatively different way of achieving the same goal with a different method. There probably isn't, so it boils down to a careful balancing act - how to damage those business models without going overboard and having all US companies show EU the finger.

[KozmoNau7]

They can still make plebty of money from ads, they just can't track users who don't agree to be tracked.

[downandout]

> If they say no, you have to let them use it anyway, without the tracking and without the storing.

That part of what he said is incorrect. The EU may be able to do alot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.

[michaelmrose]

You can if you don't have holdings and offices in the EU and don't intend to travel there.

What are you going to do if the US adopts a similar law? Move all your holdings to mexico?

[downandout]

I'd be fascinated to see what that looks like.