[mritun]

The section on “ How to avoid GDPR fines in 2022” is naïve to a fault.

My personal opinion is that after recent rulings startups need to be very careful. GDPR compliance is practically a nightmare for any entity that even so much implements visitor counter with default http logging turned on.

It will be interesting to see how solutions and landscape evolves once GDPR fines come to smaller companies and startups.

[thaway2839]

Maybe defaults should not be designed to capture personal information.

This indicates a massive need for GDPR or something like it, as opposed to the opposite.

The lack of disincentives to collect personal information is why so many softwares default to collecting it. GDPR flips the equation completely, where GDPR aware software (and lots of software now market their GDPR compatibility) will default to not collecting personal information.

[jacquesm]

GDPR compliance is totally doable, in fact, if you take 'don't screw your users and be careful with their data' as your guideline you will make almost all of the decisions the right way. Note that fines are almost exclusively for repeat offenders, and that were they were not there was clear evidence of malice rather than accident.

[yawnxyz]

just embedding a tweet from Twitter's official embed code makes you violate GDPR (e.g. if you have a blog and want to reference a tweet).

Twitter injects a ton of cookies and there's not much you can do about it

[tluyben2]

You should not do any tracking (in which case you do not need any pop-up and approval dialog) and if you put things like twitter feeds, Google analytics and Adsense, you need to have a choice for the user which, if they do not want this, will not put them on your site.

The thing is; most sites do not honour your choices or make them as hard as possible as analytics and Adsense are required for monetising. Analytics can be replaced by friendly versions that are gdpr compliant without personal info storage or cookie tracking, but then your monetising (Adsense) or internet marketing (AdWords and landing pages) are not integrated into funnels and a lot harder.

I have tested it with some of our assets (most of which do no tracking at all and only have 1 necessary cookie for login without SaaS cannot work) but a few have Adsense and analytics; we have a small and simply bar; accept or not accept; both is one click. ~90% (not exact as we try to compare the Google analytics which means they did say Accept vs the none cookie analytics which means both accept and not accept) clicks Accept which is enough. We use [0] by the way.

[0] https://plausible.io

[elygre]

Maybe the trickle down economy will work. First some web site operators get fined for not realizing that their subcontractor (twitter) captures personal data. They stop using said subcontractor, and at some point this trickles down to twitter, who will provide a compliant solution.

[atoav]

Good. If you want to quote text, copy it. Has the advantage that it still will be around once the tweet is gone or Twitter is offline.

With a little css it will look the same as the original tweet to which a simple link could lead you.

This is what you do if you value your users privacy. If not, then you have (under GDPR) at least give them the choice not to get these cookies. Which destroys the usability of your site for your privacy conscious users.

[Schroedingersat]

Good.

Don't foist untrusted code onto your visitors' devices.

[gundmc]

Using Google fonts is a violation now. It's a nightmare for web developers.

[unicornporn]

How could that possibly be a nightmare? Download the fonts and host them yourself.

[throwaway2048]

Maybe web devs should more carefully consider how much crap third party scripts and resources inject into their sites, rather than caring about a tiny bit of convenience.

[shukantpal]

Maybe users should be responsible for what they intentionally run on their machines.

[white_dragon88]

That’s absurd. That’s like saying car owners should be held responsible for how safe their car is to drive. It makes unrealistic assumptions about the competency of the end user to judge such things.

[shukantpal]

No it’s not. Rather it’s more like drivers should be held responsible for how they drive their car.

I’m not even saying responsible— just they cant reasonably complain when they drive somewhere new and they don’t like the road conditions.

Your original analogy is more like this: If a person's computer got hacked unintentionally, they shouldn’t be responsible for the damage it caused to others.

[Daishiman]

Nobody in their right mind is going to carefully peruse the cookies and injected JS scripts of every page they visit.

No, the onus is clearly on the developers, who are the ones with the professional responsibility to make software that abides by the laws.

[shukantpal]

I’m talking at the meta level. The laws can start nationalizing every company. But I think it shouldn’t. The law can put the burden on developers — but shouldn’t.

I shouldn’t have to abide by some stupid rules to plug my server onto the Internet and listen on port 80.

[hulitu]

When the law is not enforced, there is no hope.

[hulitu]

Your right. The best way is to filter at the firewall level everything Google, Microsoft, Cloudfare, Facebook, Twitter etc. The world would be a better place. Now try to do this on Windows 10 :)

[shukantpal]

I use NoScript on Google. Works fine. Most things work okay without scripts if you are just there to read.

[MrJohz]

Note that fonts from Google Fonts can be self-hosted which resolves that problem. It's a little bit more work to set up, but it does resolve this issue well, while also being slightly more efficient for the end-user (assuming that you've got a decent CDN setup).

[supermatt]

no less efficient hosting yourself.

cross-site resource caching has been unavailable in major browsers for a while - safari since 2013, chrome since 2020, firefox since 2021.

[MrJohz]

That's what I was trying to say, I think I got excited and used too many double negatives...

Theoretically, it should be more efficient hosting these things yourself - there are fewer origins to request, which means fewer lookups, fewer connections, etc.

[tluyben2]

You can put this in your build steps that it downloads everything; I have that and prefer it anyway; companies ‘tend’ to suddenly remove, change or switch things off or get hacked.

[kungito]

Can someone explain to me how GDPR makes you responsible for twitter collecting data? It's not your faukt if twitter has their own cookies... What matters is whi stores the data who in this case is not the person embedding twitter

[unicornporn]

Quite simple. You just facilitated Twitter's data collection. Without you it would not have happened.

Even worse, the user loading your page could probably not have known you embedded a Tweet (and sent their data to Twitter) before actually loading the page (if you didn't implement a consent dialog with a reject option).

[CodesInChaos]

The user only has a business relationship with the website they visit. The website is responsible for the services it employs, just like any other general contractor is responsible for their subcontractors.