by hansen 2972 days ago
> Seems to come down to having to protect users from their own lack of understanding.

I had the impression that this is rather clearly regulated by the GDPR. A user has to consent to each use of her data. And you have to explain the use in an understandable way, no legalese. Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked). I don’t see how this could hurt any ethical business model.


If it's anything like the cookie consent, it will just be an annoyance and nobody will be any the wiser. The amount of "no clue what this is" among non technical people I know is 100%. But the EU pats itself on the back cause they're tackling privacy issues. It's a joke.

The GDPR requires users to be able to say no, and not lose any functionality except that which absolutely requires this data.

If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.

> If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.

This arbitrarily limits the range of businesses that can exist. For the sake of people who value their privacy having nothing denied to them, it reduces the services available to everyone.

> If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.

They can. A business does not even need to do business with you. It's not a right that a business needs to service you. And btw, this is German law.

The rules involve "degradation of service", which is related to existing customers not new ones. So if you have a newspaper subscription and you request that they no longer use your data for a purpose, they cannot cancel your subscription or degrade your service (unless it is impossible to provide a service without said data).

They can cancel your subscription, because they can always say it is impossible to provide service without said data.

Heck, they can even rely on other laws to cancel your service any time they want.

In the next years GDPR will change nearly nothing, except that it will kill some smaller businesses.

GDPR is not strongly enforceable; if people think they have a right to something they still need to go to court.

The only thing which might change is that it will be easier to delete accounts and data (which is a good thing).

> The GDPR requires users to be able to say no

Even better, it requires the user to say “yes”.

> If it's anything like the cookie consent,

It won’t. It will just replace the common “no one reads but clicks” TOS. And the user can change her mind anytime she wants.

> The amount of "no clue what this is" among non technical people I know is 100%.

If you can’t explain to a non-engineer or scientist how personal data is collected and used, it’s probably not a bad idea to outlaw this practice.

> But the EU pats itself on the back cause they're tackling privacy issues. It's a joke.

It’s certainly not enough but a step in the right direction.

But the GDPR itself is written in legalese. There are many interpretations like yours, but then, without a lawyer, it's a dangerous game to play. The cost of the lawyer may be prohibitive to some small businesses, let alone side-projects.

I'm actually pro-GDPR but this needs to be kept in mind.

> A user has to consent to each use of her data.

This is a misunderstanding. Consent is only one acceptable legal basis for processing personal data under the GDPR. Almost everyone is going to use it as little as possible in future because of all the extra red tape involved. Ironically, that probably means a lot of organisations will now be straining to justify processing on some other basis and to minimise use of data subjects' explicit consent and exposure to the associated subject rights.

> Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked).

It's not that simple, because for example organisations may have legal obligations or legitimate interests in processing data about someone even though it may not be in that person's interest. Consider these:

[ ] I agree that my bank may keep records of the money I owe them.

[ ] I agree that the car rental firm may keep a record of me borrowing their vehicle.

[ ] I agree that the school where I'm applying for a job may do a background check before trusting me to look after kids.

Obviously there are many issues like this where consent for the data processing can't be voluntary and independent of everything else that is going on.