I’m interested in how the vagaries of the law play out. I’m working on software that won’t use ads or CDNs. All traffic terminates with my system. I will use cookies. I have no intent on putting up one of those cookie notification banners. All data I collect is to run the site. While that is valid under GDPR, I bet the EU will come a knockin for a fine if the site gets big enough.
Yeah, has the EU actually fined any company that wasn't playing fast and loose with people's data? There's someone keeping a list[1], and they seem pretty reasonable to me.
I don't trust the EU. They seem to go after companies with deep pockets when they need money. Look at the Google Android controversy lately. Nokia, any EU phone creator (are there any?), any EU phone creator that wants to get in the market can all create a phone that is not Android. Google traded the OS for install preference rather than money. It's called bartering. The EU let this go for years. Now Alphabet has money and no one in the EU stepped up to take on Android, so the EU wants its pound of flesh.
Will my project run afoul of the 3rd party rules? No. May I have to spend money on legal protection from the EU when they erroneously come asking for money? Maybe. This is my issue. I don't know. The EU says it has policing power across the globe. If an EU citizen steps foot in the sovereign territory of another country, the EU says that all their privacy laws apply.
I find it shocking how quick some people are to denounce government intervention these days. Are you seriously not concerned about Google’s market clout and the amount of data they have? Thank god the EU is there to temper their entitlement a bit.
Meanwhile you’re sitting here daydreaming about how your startup is going to be so big EU regulators are going to come after you. Well, that would be an excellent problem to have; in actuality you are far more likely to be killed by Google sucking the oxygen out of your market.
I don’t care about Google’s clout. I use them for less and less and where I use them I don’t care.
I use them for email. My email is essentially a curated spam folder. I seldom use it for anything of value. When I do use it, I could care less if the information was made public.
I use it for online storage, but again for nothing important. If I lost it all tomorrow my only care would be an outstanding, meaning not yet turned in, assignment for my ML class.
Everything else I accept in trade: my data for their service. I use Google Maps. I accept that when I’m driving they will track me. I hope they do. I want to know if I should get off the interstate due to a traffic issue.
I don’t watch TV. I have AdGuard filtering at the network router level. I block Facebook and Twitter there too. I don’t use porn. All Google knows is that I’m a particularly boring human being that probably purchased a dobro given my uptick in how to play the dobro videos. They probably also infer I have mild body dysmorphia given some Sapien Medicine videos/sounds I listen to regularly.
All this I, a consenting adult, allow them to know in trade for their service. If you don’t like them, there are free means to thwart them. Google will provide you the means to figure this out with their search. As a result, no I don’t care for this kind of worthless handwringing.
Go after the leaks at the credit agency. I have no choice but to participate with them. No banner would allow me to opt out.
Don’t go after some social media company that we all know is going to sell your data that you traded to get their service. We scientifically know that social media is bad for us all. Why regulate straws when that Pandora’s box of depression is allowed to continue? Grow up. Be an adult. Take responsibility for your choices and entitlement.
Are you really so sure of your views that you feel that those you disagree with must be less mature than you?
> I use Google Maps. I accept that when I’m driving they will track me. I hope they do. I want to know if I should get off the interstate due to a traffic issue.
You may well already do this, but to actually achieve only being tracked while actively using Maps, I believe you'd have to turn location services on and off each time you use Maps, otherwise Google is tracking you all the time, not just when Maps is open. Assuming an Android device, I'm less sure about how this would play out on iOS.
> All this I, a consenting adult, allow them to know in trade for their service. If you don’t like them, there are free means to thwart them. Google will provide you the means to figure this out with their search. As a result, no I don’t care for this kind of worthless handwringing.
i.e. you are A) aware of what they are doing B) understand that you can intervene and have the skills to put such efforts in place C) hold values such that the tradeoffs doing so implies are acceptable to you.
If everyone was similar to you in these regards, there wouldn't be an issue, but people's awareness of the issues, skills, and values are hugely variable across a population. So while it's worthless handwringing to you, people who hold different values could (and do) disagree.
> Go after the leaks at the credit agency. I have no choice but to participate with them. No banner would allow me to opt out.
Good idea. However, I don't think it's reasonable to assume that the efforts against misuse of personal data online are entirely fungible towards efforts of credit agency reform. i.e. not doing this doesn't mean more of that would happen, or that doing this keeps that from happening too.
> Take responsibility for your choices and entitlement.
AFAIK, telling people this isn't effective, so it can really only serve to make yourself feel superior, not really effect change (since I'm assuming you consider yourself to already follow this advice).
If I read correctly, GDPR does apply when non-EU companies market services specifically to people from the EU. For example a US based hotel deploying a targeted marketing campaign in the EU. I could be wrong.
Yes, you're right; the distinction I was making is that it's about their presence in the EU, not their citizenship. In fact, an American citizen living in the EU is also covered, whereas an EU citizen living in the US is not.
And in fact, it's even less than that: the site only has to care if they target people in the EU (not necessarily exclusively) or if they're tracking behaviours. Simply being accessible online doesn't mean it has to comply, whereas e.g. accepting Euro payments probably does.
You may disagree with their decision, but there's nothing surprising about it; it's pretty clearly a business model that the EU disapproves of, as the Microsoft case had shown, before Android was even a thing. Applying the same penalty for the same action is being trustworthy (which is not the same as "fair" or whatever you think of the decision).
That’s my issue. If I have a cookie for a refresh token, I have to now have a banner saying the site uses a cookie. I have to have a page that explains why. All the while I have the site now looking shady because the banner is synonymous with stealing your data and selling it to ISIS.
If the refresh token is only being used for authentication and expires in a reasonable time for the application then you would not need prior consent so you would not need a banner. You would still have to explicitly disclose what you are doing on some sort of easy to find cookie policy page.
The main defense against tracking used to be (in addition to more modern anti-tracking features) to configure the browser to remove cookies when exiting it.
With the big dialogs that one systematically finds at websites now, in practice you are being forced to accept those cookies, if only to avoid seeing those monster dialogs again.
So in practice the EU is massively driving people to accept permanent cookies. That's IMHO a valid reason to complain about GDPR.