by andrewla 2822 days ago
Counterpoint: be annoyed at GDPR.

If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.


>If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

How about this. For the past 25 years every hotel that you checked into has kept a record of:

- How often did you visit?

- How much money did you spend?

- What type of CC do you have?

- Did you watch porn?

- If so, what is your favorite type?

- Did you pass on dietary restrictions to the chef?

- Were you alone?

- Did someone other than the person listed as your wife on FB join you for the night?

- etc... etc... etc...

And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.

Without. Your. Consent.

THIS is how the internet works today. Everyone grabs as much data as they can and then sells it to whoever wants to buy it. You have no vote in this. It just happens and it says so in weird legal terms on page 373 section 44 subsection 7a of their 700 page Terms of Service.

GDPR gives you this vote.

GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.

GDPR says: you cannot make your website / app / service unavailable if people refuse this.

GDPR says: you can ask companies how much and which data they got on you and they have to provide it.

GDPR protects you from an invisible industry many people don't even know exists.

>GDPR gives you this vote.

>GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.

>GDPR says: you cannot make your website / app / service unavailable if people refuse this.

>GDPR says: you can ask companies how much and which data they got on you and they have to provide it.

>GDPR protects you from an invisible industry many people don't even know exists.

And it does it by in effect forbidding you from interacting with parties that don't follow EU mandated criteria for what needs to happen for a packet to go from A to B. I don't care about what the EU thinks is good for me, I want to interact with server X whether or not it is GDPR compliant and whether or not it's over a protocol that lends itself to this nonsense; my data is supposedly mine, so fucking let me.

How does not selling your personal information to a third party block you from visiting a website?

GDPR is fine with the selling of information, as long as you have given consent in clear language and not buried in TOS.

I think he is referring to websites that are now blocking all EU users because of GDPR.

I'm surprised companies aren't just pulling the same move porn/alcohol websites use with age by asking the user if they are an EU citizen/in the EU and if they answer yes, send them to a static "we don't service the EU" page at which point everyone just lies so they can still access the page with the tracking.

> And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.

> Without. Your. Consent.

I'm really sure that every hotel has its terms of service. So does Facebook and every other site. What you described has always been illegal, and it has also never happened. What was sold was composed of data according to the terms of service that every person included agreed with. If agreement isn't consent, what is?

Did you read, or were you even aware of, a ToS of a hotel on use of personal data? This is entering the "local planning department in Alpha Centauri" territory.

As a regular person, you should not need to be aware of such things. What GDPR tries to do is to restore some sane defaults into the process, just like customer protection laws do.

This quote seems apropos:

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.” --Upton Sinclair

Yes, I generally check the ToS of whatever services I use, including hotels. And no, it's not "local planning department of Alpha Centauri" territory, it's available on their webpage and in paper form at the reception, usually framed and hanging on the wall. I check it to see what happens if I overstay, but I skim through the whole thing.

As a regular person, if I want to use a service offered by someone, I should at least look into their terms - even with GDPR in place.

I'm not saying I disagree with you - but that's an opinion; on the other hand you said that consent was not given, which is simply not true - consent has a definition and that definition was fulfilled, the law doesn't treat ignorant people differently. If you want to say "I don't think <something> should be enough expression of consent", that's OK, say it - but don't lie.

Fair enough. I do read the regular ToS of the hotel that they frame and hang on the wall; it's usually standard stuff and not once do I remember reading anything there about use of my data. It's just the usual "hotel night is from X to Y, please don't do <list of ridiculous stuff that some people apparently do in hotels>". So from your comment I assumed that there must be an extra ToS that covers use of personal data. If there is, I've never noticed it.

I don't think there are many hotels handling your personal data except for legal purposes, so they mostly don't need any data policy. So far I've encountered one that simply said that data might be shared with other branches of their company, which I'm happy about.

It sounds like you agree that forcing people to read and agree to individual portions of the ToS is not a downside of GDPR, since we should all be doing that anyway.

I don't agree nor disagree. The comment I replied to was talking about the past, and in the past, the laws were different and consent was given according to them. I deliberately didn't say if I support GDPR or not, it doesn't matter; the comment said "without your consent" which is simply not true.

Freely given consent, as per the GDPR, must be explicit and optional (even if you have consent to use the data for the service being performed). A line buried in a ToS does not comply.

That's today, I replied to a comment talking about the GDPR-less past.
My point is that you can simply change the previous comment to read:

"And then, without your freely given consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it."

And the point still applies.

No, the original point doesn't apply. Your edits make it completely different, so of course my reaction would be nonsense. "Consent" is a well defined word, and its meaning was fulfilled in the examples the comment listed - of course that would be different today.

> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.

This again, is the fault of most websites. GDPR requires opt-in for tracking, etc. A website could just, by default, not do tracking. Then provide the tracking options in the preferences. However, most sites have gotten so data hungry that they can't accept GDPR's privacy-by-default and have to bother you with pop-ups to try to get your consent to track you. Add some dark patterns, like designing these pop-up forms such that they are effectively opt-out.

I can't wait until some organization sues some big fish to send a signal that blanket data collection or using dark patterns to trick people into data collection is not an acceptable modus operandi.

Also, we as consumers of the web can also help to improve things. Contact companies and ask them to switch to opt-in (as required by the GDPR), encourage them to not collect data by default (avoiding popups), exercise your right to remove data and/or see what data is collected. If enough people request this by e-mail, companies will have to set up automated procedures (provide a webpage to see or remove data).
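The "privacy by default" design the comment above describes, as an added example that is not code from the thread or from any site mentioned in it: nothing tracking-related is loaded until the user has explicitly opted in, a "no" is remembered so the user is not asked again on every page (the nagging dark pattern the comment mentions), and declining is as easy as accepting. The storage key name, the in-memory storage stand-in and the tracker stub are assumptions constructed so the block runs under Node without a browser.

```javascript
// Added example: an opt-in-by-default consent gate for an analytics tracker.
// Default state is "not consented"; the tracker is only loaded after an
// explicit grant, and every event is re-checked against stored consent.

const CONSENT_KEY = "consent.analytics.v1"; // assumed key; bump the suffix when the purposes change

// Stand-in for window.localStorage (constructed for the example).
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
    removeItem: (k) => data.delete(k),
  };
}

// Stand-in for "inject the analytics <script> and start it" (constructed).
// A real script cannot be unloaded once injected, which is why the gate
// below re-checks consent on every event instead of relying on `loaded`.
function makeTracker() {
  return {
    loaded: false,
    events: [],
    load() { this.loaded = true; },
    track(evt) { if (this.loaded) this.events.push(evt); },
  };
}

function createConsentGate(storage, tracker) {
  // Returns the stored decision, or null when there is no valid decision.
  // Anything missing, corrupt, or not an explicit boolean counts as "no".
  function readConsent() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed.analytics === "boolean" ? parsed : null;
    } catch (e) {
      return null;
    }
  }

  function hasConsent() {
    const c = readConsent();
    return c !== null && c.analytics === true;
  }

  function record(analytics) {
    storage.setItem(CONSENT_KEY, JSON.stringify({ analytics, ts: Date.now() }));
  }

  return {
    // Call on page load: loads the tracker only if consent was already given.
    init() {
      if (hasConsent()) tracker.load();
      return hasConsent();
    },
    // Show the banner only when no decision (yes OR no) has been stored.
    needsPrompt: () => readConsent() === null,
    hasConsent,
    grant() { record(true); tracker.load(); },
    deny() { record(false); },            // remembered, so the user is not nagged again
    withdraw() { record(false); },         // consent can be withdrawn at any time
    // Every event is gated on current consent, not on whether the script loaded.
    track(evt) { if (hasConsent()) tracker.track(evt); },
  };
}
```

The point of `needsPrompt()` returning false after `deny()` is the one most consent banners get wrong: a stored "no" is a complete answer, not an invitation to ask again on the next page view.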

> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate.

You don’t have to do anything to “activate” these rights under GDPR. You can just email the website in question and ask them to send an accessible copy of your data, or remove some or all of it from their servers. GDPR simply requires companies to adhere to certain consumer demands about my own data and respond within reasonable time frames.

Also I disagree with your analogy. Companies are allowed to track users for internal purposes under GDPR. But they are not allowed to sell your data to third parties without consent. The reason all these pop ups and consent forms are so complicated has nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests.

> You don't have to do anything .... just email the website ...

Okay ... let me try this.

> TO: cnn.com

> SUBJECT: Remove my data

Okay, let's send it!

> gmail: The address "cnn.com" in the "To" field was not recognized. Please make sure that all addresses are properly formed.

Oh. I've been around the block; maybe I can try admin@ or support@ or look at whois data, or browse around their website for a "Contact us" link, and maybe I can figure out how to properly assert that I do in fact own the account in question whose data I wish to remove, assuming I even have an explicit account rather than just a tracking cookie and a "shadow" profile. But isn't the GDPR supposed to be consumer-focused? What earthly consumer is going to go through these steps?

> What earthly consumer is going to go through these steps?

I have requested the removal of my personal data from multiple businesses, and I can assure you I'm quite earth-bound. Copy-pasting a template and filling in my name and account ID is not that hard.

I'm going to go out on a limb and guess that you are a fairly technical user. My snarkiness in the previous reply was excessive, but reflected my frustration with being told that something is simple that is actually a multi-step process with questions that are not easy to find the answer to.

I guess the problem with email for this process is that you have a number of questions, all of which may not have an easy answer.

1. Identify an email address -- is this standardized? Searching "GDPR address for cnn" gives nothing, and similar more general queries yield little information.

2. Identify a template -- is there a standard one? I see a bunch of websites that claim to have them, looks like 'datarequests.org' is a good(?) one? It seems to have only a small set of sites that can be submitted. The template is incredibly verbose and it isn't clear how to request specific information; would that typically happen as part of a dialog?

3. Identify an account number/user name/verification of identity -- is there a standardized process for this? Could someone else send a request to remove my data? What is the process for this and how can I activate it?

4. Email is not a structured medium. I don't want to get into a whole conversation about this; I want to see the data about me and be able to remove bits of it.

Note that as a software developer #4 sounds kind of ridiculous to me, since user data can be represented in a variety of site-specific manners, and the existing pre-GDPR protections put in place for PII make this almost impossible. But to an end user it feels like it should be a natural thing and having to deal with a number of complex bespoke systems sounds like a pretty heavy load.

I can see the GDPR in this sense being useful for celebrities and the wealthy, who can afford managers or consultants to take this action on their behalf, but not for people like my parents, for whom even step 1 is daunting.

I'm going to guess you're a technical user :) my parents would never think to search for standardized or GDPR-specific email addresses. What they did was find some generic way to contact the company (phone number, possibly Facebook or email) and ask them "where should I send a request for you to delete my data?"

Regarding the content, they would find some template they can mostly understand, then change/add a paragraph to include whatever specifics they need.

As for verification of identity, they would not even think much about it. They would sign with their name, and of course send from their email. The company would have to reply back to ask for whatever they need to verify it properly.

> 1. Identify an email address -- is this standardized?

Interesting, wasn't that addressed by GDPR? For that reason, German law requires information like this to be easily accessible, aka "Impressumspflicht". Let's compare, for example, Amazon's footer links.

Amazon.com

> Conditions of Use | Privacy Notice | Interest-Based Ads | © 1996-2018, Amazon.com, Inc. or its affiliates

Amazon.de

> Conditions of Use & Sale | Privacy Notice | Imprint[0] | Cookies Notice | Interest-Based Ads Notice | © 1998-2018, Amazon.com, Inc. or its affiliates

[0] https://www.amazon.de/gp/help/customer/display.html/ref=foot...

https://opt-out.eu/ is a service run by AFAIR someone on HN (spotted it today, can't find the source comment). Select a company, fill out a form, and you're done[0].

This is the template they seem to be using for erasure requests: https://github.com/opt-out-eu/opt-out/blob/master/src/email-....

--

[0] - Maybe. I'm not endorsing it, I just found it today. I wish someone (maybe the author) could say something more about the validity of such process, and whether this kind of e-mail is enough in practice.

One of the authors here. Thanks for mentioning us! I personally use the service and can testify it works. Just used it last week following the Apollo breach to have them remove me from their database. The service is free and open source. Happy to answer any questions!

> I have no idea how to respond to, and no idea what I'm committing to when I click them.

Actually, it's easy. You can say "NO" to everything and still use the service. If the site denies service, they're violating the GDPR.

> If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

This analogy doesn't work because a) the vast majority of illuminated marks aren't harmful, b) the ones that are harmful aren't revealed by a blacklight, and c) you can take a shower after you leave to deal with the gross ones.

If, however, the light revealed signs of bed bugs we would be in the right ballpark.

Because:

a) everybody should want to minimize how much they deal with bedbugs

b) if you regularly sleep in places that have bedbugs you risk bringing bedbugs along with you to the other places you go

c) because of education and time constraints, people typically do not manually inspect each and every place in a hotel room that bed bugs could be. So if hotel staff could force the user to click a dialog that says, "This hotel room uses bedbugs for the following purposes..." that would be extremely useful for public health and sanity.