Hey there – Brian from Instapaper here – we have a pretty clear and accurate privacy policy around the data we collect and how we use it, you can find it here: https://instapaper.com/privacy
It's worth noting that GDPR applies to EU citizens regardless of where they happen to be in the world (or if they're using a proxy), so an IP ban does absolutely nothing to help comply with the law.
You'd think a real company would have talked to a lawyer about this.
GDPR makes no mention of EU citizens or residents.
The 2 main groups it applies to are:
1. activities of an establishment of a controller or a processor in the Union (so if the company is in the EU, ALL processing has to be GDPR compliant regardless of where the user is)
2. processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union (if the company is not in the EU, processing of data of people in the EU - note they just have to be in the EU and not residents or citizens - so if you are from the US and on holiday in the EU and you order pizza delivery to your hotel, that personal data has to be handled in a GDPR compliant way, notwithstanding that the pizza company is probably in group 1 anyway but hopefully you get the point. And the converse of that, if you live in the EU and are on holiday in America and order pizza, that personal data does NOT need to be GDPR compliant as you are not IN the EU)
There are a few other scenarios included too.
Edit: It's worth pointing out that 1 seems to have been completely missed in almost all GDPR coverage I have seen, possibly because most of the coverage has been heavily US-centric. If the company is established in the EU, it has to comply with GDPR for ALL users, not just people in the EU. This is why Facebook [1] and others changed their terms so that only EU users have a contract with Facebook Ireland, and everyone else now has a contract with Facebook Inc (US) - previously everyone had a contract with Facebook Ireland.
How would that even make sense? A country enacts some arbitrary rule such as "You are not allowed to provide access to social media for its citizens." How do you possibly enforce that for citizens visiting or living in the US? (Short of demanding all users to verify their citizenship to access the site.)
Hi Brian, thanks for replying to my post. I apologise for my reactionary tone above, but do you understand how by declining to share specifics your tweet aroused suspicion?
EDIT: I've just read through your privacy policy and I wish other companies had a privacy policy as clear, straightforward and detailed.
People in this thread saw the title "GDPR Hall of Shame", possibly read it. Now they are trying to discuss stuff relating to "General Data Protection Regulation". My wild guess is people who are commenting on this thread care.
As long as you are telling the truth about only sharing anonymous and aggregate data with publishers and advertisers, I can't see anything in your privacy policy that would preclude you from being GDPR compliant right now.
But what part of GDPR was it that caused you to have to close off European Union users?