by lenlorijn 2849 days ago
Well, for example, one of the mentioned points is about sending PII to a 3rd party where the startup didn't read the 3rd party's privacy policy. So how would the startup be able to accurately present me with information on how my data will be used if they don't even know? I think having an accurate and updated privacy policy is common sense handling of data, wouldn't you agree?

That's a reasonable point, but it's also reasonable to observe that businesses rely on other businesses all the time. As a small business, you usually have little meaningful oversight of the internal processes of outside services you use. You don't get to audit your bank's finances to make sure they're safe to trust with your money. You don't get to review your lawyer's office security arrangements to make sure no-one can break in and steal confidential data about your contracts. You don't get to review which products your office cleaning firm uses. At some point, you just have to trust that they do a decent job, and you change who you work with if you have reason to believe they aren't doing that.

If a privacy regime is going to have any value in practice, it has to work on the same basis. The emphasis has to be ensuring that each individual or organisation who actually knows about the way data is being processed and has the ability to influence that processing is behaving reasonably. Then you can have some sort of trust framework that can actually mean something, from the data subject to their direct contacts and right on through to the indirect service providers however far the chain goes. The rest is just CYA and box-ticking, no matter how many laws you write or what penalties you threaten.

> You don't get to review which products your office cleaning firm uses.

Seems a bad analogy. Do you make a contract with them but not read it? I mean, in the contract you will specify what cleaning products can or should be used (like in some hospitals, where strong cleaning products must be supplied and you ask for those in the contract; if the supplier gives you bad quality ones then sure, it is not your fault, but it is your fault if you don't even want to read the contract terms).

I imagine the OP was thinking that he wants to embed in his pages some analytics or similar scripts, maybe some advertising scripts, use a few third party APIs and it seems a lot of work for him.

At least his US customers can now know that their data could be shared with many third parties that could have weird terms, like those third parties could sell it further.

I guess my point is that just knowing of the possibilities isn't particularly helpful on its own. If we're interested in actual privacy and data protection, instead of merely paying lip service to them, what matters is not just what a data subject knows but what control they have and what protections against harm they automatically enjoy. So much of the discussion around the GDPR and privacy policies and this whole subject more generally is only about telling people how they're being exploited instead of just exploiting them quietly without them knowing as happened before. That might be a step in the right direction, but it's far from where I would like the emphasis to be.

Okay, but do you ensure the manufacturer of those cleaning supplies is making them correctly? Do you test the products coming from that facility to ensure they are of sufficient quality before allowing them to be used by your office cleaning firm? And do you vet the ingredients that the manufacturing facility uses to ensure they are pure and safe?

Because the commenter above makes a fantastic point that I hadn't thought about before, the GDPR requires that kind of knowledge and verification of user data. Not just in your company, not just in the companies you work with, but the companies they work with, and the ones that they work with, and so on.

It's akin to requiring the gas station to post legal notices that the computers it uses for the POS system are manufactured by a company which has verified that the parts that it uses were sourced from a place which was able to check that the materials used were mined by a company that treats their employees safely.

(I'm not against something like the GDPR, but I do feel it goes a bit too far in a handful of areas)

No, my point was about the OP that said he does not have the time to read the TOS of the third parties he uses.

About the cleaning example if you had a contract that asked for a certain level of quality and they sent you bad product or did a bad job then it is your duty to stop this if you are aware the contract requirements are not respected.

I would also do some tests on the quality of the cleaning products just because people are greedy and they could send me bad products and cost me later.

But again, this isn't the core aspect of your business. You might do this for the cleaning products, but will you do the same diligence for the lightbulbs you use? The paint on your walls? The apps on the phones of your employees?

That's a LOT to ask.

I shut down a side project that stored some cookies on the browser for some small settings, and allowed users to upload images of stuff they made in the browser to imgur if they wanted. After looking at the GDPR, I decided to shut it off. I don't have the time or ability to properly vet all of the possible places a user's information could end up (the user's information in this case is possibly an IP address which the hosting provider might have, but I don't know or have a way of knowing, and the image that they created in the browser which can optionally go to imgur), and the project made me a total of $11 of profit, and from a lawyer I talked to at my main employer, just blocking EU users isn't enough.

I agree that is a lot of extra work if you want to delegate part of your work to a third party, but at present you don't send credit card info or secret API keys to any third party, so it is fair to try to protect the other kinds of data (not only credit card or medical data).

What I hope is that these third-party services will advertise the fact that they respect the GDPR, or put up documentation on how to properly use their APIs and respect the GDPR.

As a user, when I get the GDPR prompt that has only the Accept button, I just close that page, or if I really want to see the content I use a private window and accept the popup.

If I were to build my own product SPA I would avoid the third-party crap; if I can't, because I really need the third party, I would make sure to read the TOS, since at my work I have seen how much it sucks getting screwed by a third party.