by literallycancer 635 days ago
Sadly the EU doesn't really communicate this very well, and doesn't care to call out outright propaganda from ad tech and surveillance businesses, but the regulation is not actually hard to be compliant with.

It literally just asks that you don't spy on people. That's it. Not spying on users? Great, you don't even have to do anything.

I would be extremely surprised to see any attempt at enforcement against a website that didn't collect PII on some technicality such as not having the right footer or a contact person.


It's more than just not spying on people. You have to be able to prove you don't spy on people. And any vendors or contractors you use also don't spy on people, and respond to requests from anyone about all the data you have on them. And delete all of the data you have for anyone who cancels their account. Sure, in some cases that isn't a huge burden, like if you have a website that doesn't handle any customer data. But if you have a non-trivial app where you need to handle a lot of customer data for your app to work, it is a significant burden. And deleting someone's data as soon as they cancel can be really bad if someone accidentally cancels, so you probably want some kind of delayed deletion.
You don't have to delete as soon as they cancel; you can store it in an encrypted backup which you remove after 90 days (and throw away the key). There are a lot of 'for a reasonable period' things; meaning, you cannot store PII (including IPs) forever and you cannot store it at all in case you do not need it in the first place for your app to function (for example, a SaaS asking for my home address when they don't ship anything).
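The delayed-deletion scheme described in that comment (encrypt the cancelled account's data, keep the key for 90 days, then throw the key away so lingering ciphertext becomes unreadable), as an added example that is not the commenter's code. It assumes a per-user key held separately from the ciphertext, and uses HMAC-SHA256 in counter mode as a stdlib-only stand-in for the AES mode a real deployment would use.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # period quoted in the comment above (assumed policy)

def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()  # separate enc/mac keys

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for AES-CTR, not for production
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC

def decrypt(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("backup tampered or wrong key")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class CancelledAccountStore:
    # keys live in a separate store; ciphertext may also sit in cold backups
    def __init__(self):
        self.keys = {}     # user_id -> (master key, delete-after timestamp)
        self.backups = {}  # user_id -> ciphertext blob
    def archive_on_cancel(self, user_id: str, data: bytes, now: datetime) -> None:
        master = secrets.token_bytes(32)
        self.backups[user_id] = encrypt(master, data)
        self.keys[user_id] = (master, now + RETENTION)
    def restore(self, user_id: str):
        # accidental cancellation: recoverable only while the key still exists
        if user_id not in self.keys:
            return None
        return decrypt(self.keys[user_id][0], self.backups[user_id])
    def purge_expired(self, now: datetime) -> list:
        # throw away keys past retention; the ciphertext itself need not be found
        expired = [u for u, (_, due) in self.keys.items() if now >= due]
        for u in expired:
            del self.keys[u]
        return expired
```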
> you can store it in an encrypted backup which you remove after 90 days (and throw away the key)

Sure. But that is much easier said than done. Especially if your previous strategy was to just keep everything, because storage is cheap, development cost is expensive, and then the data will still be there if the customer decides to return in a few years.

And in many (most?) cases it's not like you just have a single file with all the user's data; that data is spread around in many different database tables, and possibly even multiple databases. The development work to figure out how to clean everything up, without accidentally deleting anything wrong or leaving anything out, can be a considerable amount of effort.

It's also not always black and white whom data belongs to. If I upload an image onto a document that was shared with me, should that image be deleted if I cancel my account? What about something I posted publicly on a social media platform? Or posted privately in a group chat or DM? Does it make a difference if the content of an image or text I wrote included PII? Hopefully you have a lawyer that understands the nuances involved.

I see this and I feel I must ask: why would you EVER engineer ANY application under the idiotic assumption that none of your users will ever want to remove the data that they had stored in it?! Absolutely baffling. Of course, if a business is that short-sighted and careless, it will struggle to implement GDPR.
It might be more nefarious when companies do that, but on the other hand, Hanlon's razor.
It's slightly more involved than this, but not extraordinarily so.

For example seemingly innocuous implementations like loading fonts directly off Google Fonts without consent (i.e. providing Google with information about visitors' browsing habits) would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

> would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

The American in me says that sounds like "someone will definitely complain about it, eventually, if only because they're hoping for a payout".

Maybe that's the problem. I thought the (mostly local media) companies that were blocking EU citizens were doing it out of spite or to make a point, because it doesn't make sense (for one, they're not subject to GDPR if they don't explicitly do business with EU citizens).

But maybe it's just because the US environment is so hostile that they assume it's the same in the EU.

But national regulators in the EU don't waste their time with foreign companies that might by oversight not be totally compliant, since they're not even under their jurisdiction (worst case, they could be fined and have to pay it if ever they incorporate in that country in the near future? Nobody's going to waste time on that).

And nobody can sue a company on GDPR grounds and get a payout. They're only fines; they benefit central states and are a negligible amount in regard to national budgets.

There already exist ways to proxy those requests in ways that avoid exposing anything about the visitors to Google. It's in the grey area wrt Google's own ToS, but then, it's that or GDPR.