by iseletsk 822 days ago
It doesn't matter where you are as long as you serve someone in the EU. So, if you are in the USA, but your website is serving cookies / collecting logs for the visitors, and one of your visitors is in the EU, you must comply with GDPR. GDPR also requires explicit consent to collect information such as IP addresses (logs) or tracking cookies.

I have seen sites just banning all the EU IPs, but I don't think that would work anymore, as California & India have similar laws. I am sure a bunch of other jurisdictions have it by now, as well.

3 comments

The problem is not GDPR. It’s that websites are addicted to Google Analytics and things like it. Like the article states, the cookie banner is not in the GDPR law. The banner is malicious compliance.

The only way to explain it is mass hysteria. Someone did the banner first and everyone thinks that’s what you need to do to comply and everyone copied.

> Someone did the banner first and everyone thinks that’s what you need to do to comply and everyone copied.

I don't think so. Most sites have teams big enough to know what they are doing, and they know this is the only way to "comply" while still being able to continue business as usual.

> The banner is malicious compliance.

That must be why https://gdpr.eu has a cookie banner /s

> you must comply with GDPR

The EU doesn’t have jurisdiction over American companies, there’s no way to enforce this. If your company has a European legal presence, that legal entity may see enforcement, but if you’re an American site operating under American jurisdiction, the EU cannot compel you to do anything. America is a sovereign nation that is not subject to EU laws.

Bear in mind that a case that isn't really clear are advertiser networks who work in the EU. Them collecting EU citizen data w/o explicit permission is illegal, and punishment is enforceable. Can the advertising network push the cookie banner?

The advertising network is then responsible for getting consent. Not the company using the network with no legal presence in the EU.

But they can't. Because if the user doesn't consent, the advertising network is not allowed to even be involved.

And most sites don't just use one tracking network but they use many (see some of the convoluted cookie banners where you have to turn off data sharing with several hundred "partners")

> So, if you are in the USA, but your website is serving cookies / collecting logs for the visitors, and one of your visitors is in the EU, you must comply with GDPR.

You need to heavily asterisk this because this is not true in all cases.