by lsmarigo 2947 days ago
To offer a non-dev perspective on HN, it feels like tech companies are really trying to annoy us users with GDPR updates in an effort to nurture opposition to similar proposed regulations in the future. I hope it doesn't work.

I love GDPR, getting rid of the WHOIS database stuff alone is enough to make me a huge fan. The option to delete my data is also amazing.

6 comments

Isn't this pretty much what happened with the cookie law? It states that cookies necessary for the functioning of sites were ok, but everyone ended up putting up those warnings anyways and it greatly diluted any benefit of the rule and it ended up like Prop 65: warnings everywhere, even when they weren't useful. Overall, it just led to the law being ridiculed.
We just added an EU surcharge to our pricing model. This isn’t a hard law to comply with, but you need a lot of business in Europe for re-factoring and lawyering up to make sense. Even if you do nothing dodgy, you’re going to need to be ready to handle incorrect requests and misguided complaints.
Wait what? Really? All the annoying "cookie" popups I've seen were them telling me the cookies were used for necessary function. I always thought it was due to some European law. Are you telling me it's not even required by the law?
What no one wanted to do was read the law. I actually had to do that, and how you dealt with it depended on your mindset. It was pretty clear that you could just disable all tracking and you'd be fine. If you wanted to use 3rd party tracking, using cookies, you'd need consent.

Because people wouldn't give up Google Analytics, targeted ads and "re-targeting" they opted for silly pop-ups, often delivered by a 3rd party that will scan your site to keep track of all the data collectors your marketing department added without considering the users' privacy.

The GDPR is written the way it is because companies refuse to accept the intentions of the cookie law, and choose to look for loopholes. At least that's my take.

If you're using cookies for storing stuff like login information, you don't need a cookie notice. If you're using cookies for tracking, you do need a notice.
Correct. The “necessary” function was that the website and advertisers wanted to track you all over the web. Login cookies and the like don’t require notices so if you see a notice it was because they wanted to track you.
I didn't even know that - thank you :)
>To offer a non-dev perspective on HN, it feels like tech companies are really trying to annoy us users with GDPR updates in an effort to nurture opposition to similar proposed regulations in the future. I hope it doesn't work.

You think businesses are that forward thinking? You think there is some grand conspiracy to annoy users so that they hate regulation?

>You think businesses are that forward thinking?

Definitely. Adhering to new regulations costs man hours and $, companies understandably would rather not be forced to comply. No grand conspiracy just long term bus dev.

>Definitely. Adhering to new regulations costs man hours and $, companies understandably would rather not be forced to comply. No grand conspiracy just long term bus dev.

The simpler explanation is that these ultra annoying pop-ups make it more likely for people to accept the ToS and allow the service to begin monetizing.

>You think there is some grand conspiracy to annoy users so that they hate regulation?

Yeah? U.S. companies do this all the time. They did it with the cookie warnings and tried to act like they didn't know they were creating an absolutely terrible experience.

Companies acting in bad faith against regulations is basically the default.

In this case, the companies are following the prescribed rules of GDPR, which requires them to not only publicize their privacy policy, but notify their users if it ever changes. This is a side-effect of a well-intentioned law.
See also giant "install our app" banners on mobile sites, like Reddit
Don’t get your hopes up for the US. This would have to overcome some amazing first amendment hurdles in the US. Short of slanderous and violent content, saying truthful things is protected.
You've got the incentive structure backwards! GDPR actually favors companies big enough to do something like that. They have the resources to comply without it affecting them much. Complying with vague, complicated laws is something they're used to, and they have legions of lawyers on payroll. For them it's no big deal. The ones who'll have the biggest problems are the little companies, the ones that are secretly just three extremely busy guys and a handful of EC2 instances.

Regulations usually favor big businesses at the expense of their competitors, and the GDPR is no exception.

> really trying to annoy us users with GDPR updates

Isn't that the law that required these updates, pop ups, and new consent forms? Not sure how the companies could be blamed for that.

No: the law wants you to not have to do this. The law wants you to stop collecting data for things that are not core to your business. The issue is that companies are trying to maintain the status quo as much as possible, and annoying users with these does that.
Personalized, targeted advertising is how many services make money. So what is meant by 'the law wants you to not have to do this'. The law wants these services to not make money to cover their expenses? Or scale back their operations?
The problem only arises when you out-source the tracking and personalization of the ads. You could do the profiling, aggregation AND anonymisation on your end.

You're still allowed to have personalization and targeted ads, but now you actually have a responsibility for the data you collect and I don't view that as unreasonable.

You can only have targeted ads if you ask users for their consent which is why these pop ups etc are necessary - going back to the original question.
No... I mean I see your point, but that depends on what data you use to target the customers. Staying within the boundaries of your own site, tracking what a person is browsing isn't necessarily personally identifiable, so no need to ask.

If you use data that the user actually enters, or their IP for some reason, then yes, you do need to ask, but you could just ask when they are entering the data.

If you want to target based on activities across websites, then you'll most likely need to ask, but that's already the case with the cookie law.

You do have me wondering if I'm correct, but I would still claim that if you noticed that the browser with the "cookie XYZ1234" read five articles related to children and then asked your ad partner for an ad for "people with children", it would allow you to be GDPR compliant without any pop ups. It does flip the current ad tech model upside down though.

Sometimes personalized advertising makes money at the cost of privacy, e.g. selling of personal data. In the EU, data privacy is a right. So the law isn't maliciously making life hard for these 'services', but if your entire monetization strategy is breaching data privacy, then good riddance to you.
Commonly the data is used for targeted advertising which is why they need the pop ups and consent forms. Their appearance is not because the companies want GDPR to look bad.
No, most of them aren't required.
You don't need GDPR to hide your WHOIS records. Almost any domain registry provides WhoisGuard that will hide all your WHOIS data.
It’s a racket business - private registration should be default.
Why? Property records are public in most countries. It doesn't seem ridiculous.
No it really should not.