How can Europeans use Stripe when they can't use Google Fonts and Google Analytics on the grounds that sending even a single IP packet to a server under the control of a US company violates the GDPR?
One aspect of this is that data processing which is necessary to do what the customer explicitly requested is permitted (GDPR article 6.1.b). Making the payment for your purchase is such a thing and this processing is lawful, but doing analytics or tracking who viewed the site through fonts is not, and generally requires explicit opt-in consent.
Is that how it works? I thought as long as the user gives explicit consent to that happening it's fine. Most checkouts I have seen have a checkbox you need to check before being redirected to stripe/paypal and the likes which asks for explicit consent to the privacy policy rules.
It's not even slightly how it works, and your interpretation is correct, so long as the customer has consented then you're fine. The issue with Google Fonts and Analytics is that the customer has very rarely consented to tracking (particularly with fonts), and in a great many cases even where there is a "I consent to tracking cookies" dialog the cookies were dropped before it was displayed.
With Google Font decisions have been about consent. With Google Analytics it's been about the transfer of data to a US org when a US court can issue a FISA letter. Basically, a privacy lawyer from the Netherlands has been hammering Google in court repeatedly.
I find them to be good indicators of how bad a website/service is. The harder it is to dismiss the dialog while rejecting everything, the worse the service tends to be in other metrics. I think of those dialogs as big bright banners which advertise loud and clear how disrespectful a website is of its users. Noticing the pattern means I waste considerably less time on websites which aren’t worth it.
Me too, I wish the companies would obey the law without putting in the consent banner. It's not like there's any law obliging them to put in the consent banners. They freely chose to piss us all off even though they had the alternative of behaving like perfectly profitable pre-internet businesses and ... not tracking us.
Yes, I can't believe we've created a system where those are the norm. But we also have real world cities plastered with billboards, so it's not like everything is clean, perfect and rational in our worlds.
The issue is not related to consent but to "safeguards".
GDPR requires that user data is guarded in certain ways, and European courts have ruled that no data can be sufficiently safeguarded if it is under control of a US company.
Google "analytics gdpr safeguards" or see here for example:
The issue is, giving a US org data is considered a transfer of data to that the US since a US court can force a US org to turn over the data no matter where in the world it is located. US data laws are not compliant with GDPR. It's basically just down to the spy laws they have, for FISA letters I believe, without those they would be fine.
No. Technically it's illegal to provide such service, not receive it.
Fun fact, this very website is not GDPR compliant. I've never ever seen a cookie notice on HN, which is legally required.
Of course, none of this is relevant, because AFAIK HN has no physical presence in the EU, but still, this site is not GDPR compliant, which just outlines how stupid GDPR actually is.
Cookie notices are required if you for example use them to pass data to third parties.
A login cookie that is just for auth is not that. It is specifically requested by the user and implies that the user's data is managed on that site and can be evicted.
Same with analytics. The problem is not that you're doing analytics. It's that the user doesn't know that your doing it and that you're passing on that data to a third party.
Would have assumed that anonymous logging is fine? Generating usage data? Error logs? As long as it’s not sold, private data or used to identify the user?
Highly doubt that kind of gathering is a problem. If it were you could close 95% of the web.
As I said, PII. So if your only PII is storing the IP one-way hashed and salted, keeping the salt only for a day as like (I think) Plausible does, it’s probably/possibly okay.
Besides that, intent also matters. For example, we had to start logging IPs for every newsletter change, or you can log IPs in your access log for security reasons without consent. Logging the same IP into your analytics tool becomes an issue.
> I've never ever seen a cookie notice on HN, which is legally required.
For clarity: it isn't always required. Only if you have third party (tracking) cookies.
I don't know about HN. But its perfectly possible to have analytics, ads and other functional cookies, without pestering your users with cookie popups.
Again: cookie popups and concent-banners aren't required. They are only required if you have "invasive" tracking in place.
e.g. I've worked on web-apps that were tracked by a selfhosted matomo, by plausible or some other tracking, that did not have any GTM or other tag-managers, that had no ads or only ads which were served from their own domain and without any 3rd party trackers, lacked all the GAFAM-pixels, had their fonts and other assets self-hosted (or on a simple, non-tracking CDN) and so on. Non of these needed any form of banner, popup or wizard.
I don't think you are right. Right now, the only cookie present is my session cookie. This should fall under obvious reason to have a cookie (it's not a tracking cookie). The sets of required and of all cookies are identical. Therefore, a dialog like this changes nothing.
> I've never ever seen a cookie notice on HN, which is legally required.
What for? The GDPR does not require consent for purely functional cookies, and the only data I see stored is my account cookie. So the existing privacy policy should cover them.
It's illegal for you to provide a service that isn't compliant. So if you use Stripe, therefore transfer data to a non-compliant country, you would be illegally providing a service that isn't complaint.
Also, the cookie notice is not GDPR it's a separate law. And if you only use functional cookies such as login cookies no notice is required.