by manfredo 2949 days ago
> The even more ridiculous thing in my opinion is that these mom and pop sites are not already GDPR compliant. What could they possibly be doing that makes not abusing a handful of users' privacy an insurmountable issue?

You are writing as though not abusing people's privacy is all that is necessary to comply with GDPR. This is incorrect. GDPR has specific requirements for any company handling certain types of data, and extra requirements if it's handling this data "at scale" (though it doesn't actually define what this means). Any data revealing any of the following is considered protected by GDPR:

> racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

So, basically any user-uploaded images or text can be argued to fall under this category, since users might reveal their political, religious, or philosophical beliefs in this text. How about something as innocuous as a heart rate monitor? Well, apparently people have correlated 15-30 minute spikes in heart rates in the evenings to figure out people's sex lives, so that's restricted by GDPR.

I could go on. The point is, it's not enough to just not abuse your users' data and cross your fingers to be GDPR compliant.


You would have to go out of your way to collect any of that data.

> basically any user uploaded images or text can be argued to fall under this category

If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

Even if it is, it doesn't concern any mom and pop site that isn't running a forum.

> If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

Yes, it is what GDPR is about; the fact that people voluntarily share this information on a public forum doesn't nullify GDPR. Otherwise, Facebook wouldn't be under so much heat. Much of the data they collect comes from posts, comments, etc., all happening on a public forum.

> Even if it is, it doesn't concern any mom and pop site that isn't running a forum.

Say your mom & pop site has a comment section, where users can talk about blog posts they liked or disliked. Now all of a sudden you have to dedicate resources towards GDPR support.

Facebook is under a lot of heat because they actively try to encourage the user to enter PII and even have policies such as no aliases and all accounts should belong to one person. Can't remember if I even needed a phone number confirmation or if that was Microsoft. The sole purpose of a Facebook account is to be a one-to-one mapping to a person, and everything posted or visited is obviously tied to such an account.

Not like Hacker News, where you don't even need an email address to sign up; creating a throwaway account if you want to post something private takes one minute. Good luck with that on Facebook.

The problem with forums is this: I'm upset with Jane Doe because she dumped me. I make an account called Jane Doe, from which I post some personal things about Jane Doe.

There is no way to police this stuff short of a total clamp-down on free expression.

The site operators must suspect every account is fake, and whatever that account says about itself is actually about someone else.

Since the protected information extends to areas like political or philosophical beliefs and whatnot, nobody can discuss politics or philosophy.

Whereas before this GDPR thing hit, you had to do no monitoring of the forum at all?

Probably not. Definitely not any proactive monitoring. A small website could get away with waiting for users to report posts, and then following up with manual inspection.

> If you run a public forum and people choose to reveal things about themselves in posts, that obviously cannot be what GDPR is about.

The GDPR has explicit provisions for how covered information that is explicitly made public by its subject is treated (for instance, separate consent is not needed for processing such information); outside of those explicit rules for particular effects, though, such information is treated exactly like other personal information of the same subject matter under the GDPR.