Hacker News new | ask | show | jobs
by Fargren 1598 days ago
> You could also say that the user is opting in to loading a font from google when he actively sends the request to google.

Consent is not consent unless it's informed consent. If the user was not made aware of the request in a clear way before the request happened, he did not have a choice. If the person (and by person we mean the human being, not their browser) did not make the choice, then he did not consent. There's no "technically" about it, the question is only if the person knew what was happening and was given an opportunity to opt in.
1 comments
bondarchuk 1598 days ago
So it is the responsibility of the website owner, to make sure that the user is informed about how his own browser works. Couldn't you make a case for shifting this responsibility to e.g. the browser vendor or the regulating bodies who decide on web standards?
link
maratc 1598 days ago
No.

The responsibility of the website owner is not to send users' personal data to third parties, OR to receive their users' informed consent to such sending BEFORE that sending occurs.

That's the law. It's enforced by courts.

Web standards aren't law. They aren't enforced. You can't sue anyone in W3C court for using non-standard CSS or forgetting to close a `<b>` with a `</b>`.

link
bondarchuk 1598 days ago
>not to send users' personal data to third parties

>receive their users' informed consent to such sending BEFORE that sending occurs.

Neither of these are what's actually happening in this case. According to this court's decision, the responsibility of the website owner is not to send instructions to the user's machine that might expose their personal data to third parties after the user's machine follows these instructions, OR receive informed consent before such instructions are sent. I'm not saying the GDPR doesn't apply here, but at least it's clearly a different situation.

link
maratc 1598 days ago
IANAL but

   For the purposes of this Regulation:
   (1)
   ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

   — Clause 26 of GPDR [0].
Whereas I would point out the directly or indirectly part, the latter of which happened here.

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

link