"Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."
It's 2020 and American websites still go the "We'd rather block you altogether than tell you what we do with your data" route.
> "Unfortunately, our website is currently unavailable in most European countries."
- Lawmakers are happy that the company complies with regulations.
- Website builders are happy because they don't need to spend extra effort for no extra profit.
- End users are happy that their data isn't being harvested.
- The company is happy because they are complying with regulations at no extra cost.
Seems like a huge win for everyone involved. /s
TBH it's the Chicago Tribune. I bet 99.95% of the articles there aren't interesting for someone in the EU. A good part of them probably aren't interesting even for a USer living outside the Chicago area.
I'd certainly never consider visiting normal US news sites unless - like in this case - they were linked to by HN or some other aggregator I do frequent.
Thus, it really makes no sense for them to comply with the GDPR.
I understand the logic, and can't say I'd take a different decision in their case. As a UK fan of another NFC North team, not being able to read the Chicago Tribune (without workarounds) is moderately annoying.
What I'm wondering about is: If you're not targeting an EU-audience, and you therefore might not even have servers in the EU, and certainly don't have EU-based revenue streams - why do you even care? Can an EU court even do anything in this situation?
IIUC, you can be a US expat living in the EU and the GDPR still applies.
Even then a non-EU company may not explicitly target an EU audience, but an EU moral or physical person may still find interest for whatever personal reason and still be protected by GDPR.
As for jurisdiction, I suppose such conflicts are resolved using international law, but if a company is reachable from the EU by individuals protected by EU laws I'm pretty sure there is applicable jurisdiction (not saying it's an easy thing).
Sometimes it's a matter of making a point. I mean, who likes the cookie law (and bear in mind that US people don't even see it remotely as frequently as Europeans). Some people just want to send the message that the EU is going too far.
> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
This makes perfect sense from the perspective of some old politician: It's like shooting someone over the country border. It fails to address the fact that unlike in physical space, on the internet it's not that obvious to see where someone is connecting from (in fact, it's impossible to really say with complete accuracy).
But in my opinion, it's not the wrong choice to assume that, if you're operating on a scale where you can spy on your users and sell their data, you'd be capable of figuring out whether they're in the EU. And, honestly, it's not hard. There's third party software that you can just embed in your website and it automatically generates the cookie warning and even blocks cookies until you've accepted it.
It’s certainly much cheaper to simply block European users than to pay a lawyer to tell you what you need to change and then pay a programmer to implement these changes.
Blocking the few European users is probably the right decision from an economic perspective.
GDPR adds a lot of regulatory red tape to things that were previously simple. It is not only for nefarious reasons that you might want to avoid GDPR.
Want to store logs? Now you need to make sure you're scrubbing any type of personal information from the logs. Want to use a third-party service? Now you need to make sure that you are using their GDPR-compliant plan, and that you are using their Amsterdam endpoints. Maybe you need to renegotiate your contract with them.
Yes, but if you are logging the IP for spam prevention, security tracking, etc, then you are in the clear per Article 6, section 1, point f [1].
However, you can't also use the IP for fingerprinting, ad targeting, etc, without acquiring informed consent, per section 1, point a.
You can put the IP in your security logs because that is necessary to secure the service. Just have a routine to scrub the logs once they are too old to be useful anymore.
You can't put the IP in your shadow profile database and sell it to shady marketing companies, unless the user has explicitly agreed to that.
The question isn't only whether something is personal information or not, it is also a question of what you intend to do with the data.
Article 6 establishes lawful purposes for data processing that do not require consent from the data subject. All other provisions of the GDPR (including, but not limited to, the maximum time you are allowed to hold the data) apply, since it is still Personal Data. The only way to avoid having to deal with GDPR entirely is to collect absolutely no Personal Data, which is almost impossible unless your web server has no logs.
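As an added example (not from any commenter in this thread), a retention routine of the kind described above: access-log lines inside the retention window keep the client IP needed for security tracking, while the IP on older lines is replaced with the common-log "-" placeholder. The log lines and the clock value are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of combined-log-format access lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /login HTTP/1.1" 401 12
198.51.100.23 - - [20/Jan/2020:12:30:00 +0000] "POST /login HTTP/1.1" 200 88
2001:db8::1 - - [25/Jan/2020:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2020, 1, 27, tzinfo=timezone.utc)

# client IP, then the remainder of the line (ident, user, bracketed timestamp, request ...)
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>- \S+ \[(?P<ts>[^\]]+)\] .*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def scrub_log(text, now, retention_days=14):
    """Return (scrubbed_text, number_of_lines_scrubbed).

    Lines newer than the retention window are kept intact: the IP is still
    useful for abuse investigation. Older lines lose the IP but keep the
    request, status and size fields, so aggregate statistics still work
    without holding personal data longer than the purpose requires.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, scrubbed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            kept.append(line)  # unparsable lines are passed through unchanged
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if ts < cutoff:
            kept.append("- " + m.group("rest"))  # IP replaced by "-" placeholder
            scrubbed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", scrubbed


def scrub_sample():
    """Run the routine over the constructed sample with a 14-day window."""
    return scrub_log(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    out, n = scrub_sample()
    print(f"{n} line(s) scrubbed\n{out}")
```

In practice this would run from a scheduled job against rotated log files; the same cutoff logic applies to any other field the logs hold that identifies a person.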
Not exactly; it's up to the judges to decide whether IP addresses count as personal information as defined by the GDPR (in my opinion they're not, but I can see why one would think differently), so the flaw isn't as much inherent to the GDPR as to the fact that people just don't understand the internet.
While the wording of the Recital leaves some ambiguity as to whether an IP is automatically Personal Data under the GDPR, its specific call-out would make arguing that it is not difficult. This would particularly be the interpretation of American lawyers, who tend to assume that no connection is too tenuous to be held against their client by a shrewd prosecutor or regulator and will thus advise their client to treat all IPs in all situations as Personal Data.
> Want to store logs? Now you need to make sure you're scrubbing any type of personal information from the logs.
What?! I'm not allowed to store my users' name, address and credit card number in my unencrypted syslogs anymore? HOW DARE THEY, THOSE DAMN BUREAUCRATS!
Seriously though, while there are problems (like IP address being considered personal information, which they really aren't), the general idea is very positive. You shouldn't be able to store just any information of a person that only gave you this data for a specific purpose. Servers do get hacked, employees do abuse their access to systems and old hardware doesn't always get disposed of properly.
When I'm done using a service, I want my data gone from their servers ASAP, no buts.
On the lighter side, I do a lot of cooking and I always laugh when I visit a baking website and I get a popup that warns me about the cookie policy. Because of the context, my brain first goes to "I wonder what the recipe is for those cookies."
It's not obvious if a site is geolocked. I know the BBC is blocked in China from experience, but I wouldn't expect that others would know. Hacker News is available in China (at least last time I was there).
The difference between the BBC blocked in China and the Chicago Tribune blocked in the EU, in my opinion, is that CT actively blocks the EU because they don't want to deal with the GDPR, but China blocking the BBC is a decision outside of the BBC's control.
I was just comparing the two sites. I'm not saying geo-blocked sites should be banned on HN. As I said in another comment, I think the same rule that applies to paywalls should be applied to sites that geoblock themselves (not being geoblocked by a government, which the BBC is in China).
If there are workarounds for a paywalled site then it's allowed on HN. So if there are workarounds for the geoblocking (outline, google cache, archive.today, etc.) then I think they should be allowed.
As for how you will know if a site is blocked, the same way people find out about soft paywalls: the comments will tell you. It's not like it's a crime to post paywalled sites to HN.
It's like paywalled sites. If it's a soft paywall with known bypasses they are generally allowed on HN. If there are known bypasses for sites that geoblock (outline, google cache, archive.today) then I think the same rule should apply.
I'm in Europe on vacation, and while GDPR seems to be a good thing, there is nothing more annoying than a cookie policy pop-up for every single site you visit. I know what cookies are. I know how they are used. I don't need a reminder every time I visit a site. I think they way overshot their goal there.
You don't need cookie banners; they're only mandatory when you want to track your users, so when you see one of those on every website, it just means every website wants to track you.
Also, if people are trained to just click them away, that's not really that bad, since tracking has to be opt-in, so if you click the banner away, you don't get tracked by default (that is, in theory; the reality is, many websites disregard this completely and have tracking cookies enabled by default).
> You don't need cookie banners; they're only mandatory when you want to track your users, so when you see one of those on every website, it just means every website wants to track you.
Why does the European Commission's website want to track me? They have a banner, too. In fact, I have yet to visit an EU government website that doesn't have a banner.
Analytics are fine as long as you use GDPR-compliant anonymisation of the users' data. But it's easier to just ask permission.
You can also run ads asking, as you are not using targeted ads (which you are allowed to use if you ask for permission).
There are invasive ways of asking for such permission. Sites that do full takeovers of the site or persistent bars that follow you around are just trying to annoy the user into clicking agree.
It's training people to ignore those altogether and click "allow" on everything out of frustration. They should have gone with a strategy focused on browser controls. Mandating browsers block 3rd party cookies by default, for example, with explicit opt in.
The cookie policy popups are, at best, an intentionally annoying way of complying with the GDPR or not compliant at all at worst.
GDPR has the great idea that you shouldn't be tracked unless you consent. The popups are a way of forcing consent because users just click through them. However, the default should be that you're NOT tracked and opting in should be explicit, which possibly means all those popups that begin tracking you after one click are not compliant. Then I've also seen sites where opting out is difficult - there's a hard to find link that takes you to some settings page where you need a dozen clicks to disable tracking cookies. That's definitely not GDPR-compliant.
Despite the practical annoyances, I direct my frustration at the cancerous advertising industry that has turned the Web into a giant ad platform, and so the industry is very intentionally undermining GDPR protections.
Eh, no. Cookie warnings were a legislative failure that was fixed with GDPR. But they trained users to click without thinking. So now many companies do disguise the explicit consent to enable tracking to look like the old meaningless cookie pop-up. But they're legally a completely different thing.
The stupid thing is that GDPR says nothing about requiring those policy pop-ups; that law was discontinued (amended) when GDPR took effect. But no requirements for these pop-ups remain.
The main change GDPR brought to it (as I understand it) is that it introduced stricter rules about how consent works. But even though GDPR doesn't specifically require cookie warnings, it does require that you get informed consent from people before you store personally identifiable information about them; in many cases this effectively means getting their permission before using tracking cookies.
So tl/dr, it's primarily PECR that covers cookie handling, but GDPR also plays a role.
It's 2020 and the EU still thinks more bureaucracy is the way to go. I am not entirely sure US websites should necessarily spend more to accommodate GDPR, which itself should be revised and made less inconvenient.
You only need those pop-ups if you are using cookies which are not "technical cookies".
If you are using tracking technology based on cookies or anything that collects information specific to a user, you will need to show the cookie banner and give an opt-in. Otherwise tracking/analytics is not allowed.
So... Every site you see this banner on has some dead bodies in their cellar and wants you to move on and not take a closer look. Just click "Accept all" and everything will be fine...
This is technically correct from a legal point of view. But it's a different story when Google threatens to delist your website for a missing cookie popup.
Sooo... the American megacorporation is a bigger problem than the European bureaucrats? Who would have guessed? (That's a rhetorical question; I would have guessed, as well as most people from outside the USA.)
If I don't want cookies, "technical" or otherwise, I'll browse incognito mode or block them by some other means. I don't need a European bureaucrat to get involved. Thanks.
If I don't want trichinosis, "medical" or otherwise, I'll just cook my pork extra well or remove parasites by some other means. I don't need a USDA bureaucrat to get involved. Thanks.
> I don't need a European bureaucrat to get involved. Thanks.
My 70-year-old grandma or 12-year-old cousin do though. Of course as tech people we know how to bypass most of the tracking happening on the web; that's not the case for the average user.
As others have mentioned these notices are not for "us". "We" are the ones that _love_ to set up their own PiHoles, tunnel everything through some self-hosted VPN spread over the world, running adblockers, script blockers, private mode browsers, do-not-track settings and so on. We're just fine. But the others are fucked. And they need laws and notices so they don't get screwed.
This is not due to the GDPR, but the "cookie directive" (2009/136/EC). And there are a lot of ways site operators could avoid those popups or make them non-intrusive, but they choose to ...
The thousands of Euros spent on lawyers and development time to become compliant, plus all the time wasted.
Really a great accomplishment by the EU... in addition to clicking a shitty "I accept cookies" banner on every damn website I visit, I now frequently also have to click another popup for GDPR and multiple checkboxes for GDPR when I sign up somewhere. As if anyone ever bothered reading those.
As far as I'm concerned, it's all just a huge waste and the internet was better off before politicians got involved.
I bother reading those, and it's my fucking right to do so, as well as to stop using a service if I don't think it's worth the data they're taking as payment.
Arguing that I shouldn't have that right, because it bothers some people is like arguing against price tags because "they're annoying" and "Who looks at those before buying something anyway?".
And no, you don't click "I accept cookies", you click something along the lines of "I accept necessary cookies plus everything I've explicitly enabled", otherwise the site is not GDPR compliant and you can just report them.
The GDPR pop-up is NOT just a pop-up (not if you are following the law). If you are a data controller and you believe that the GDPR is just a pointless pop-up you should consult your lawyer and see what they say.
Unless I remember it incorrectly, GDPR doesn't even apply to websites that don't target EU citizens; so it really doesn't affect US websites that are clearly aimed primarily at the USA, just because some EU citizen might use it as well.
And if a foreign website wants to expand into the European market, then yes, no matter its country of origin, it will have to follow EU rules.
So, in conclusion, geoblocking the EU is just plain stupid.
It's a bit more complex than that. Are they doing business at all in the EU (for a news site, do they have correspondents in the EU)? Are they selling extras to the EU (can you pay for no ads, can you buy merch and they will ship it to the EU)?
Yes, there's nothing wrong with that. If you take money from EU citizens, then you can be expected to treat at least them in accordance with European standards. If you don't like it, then we don't want your business, as simple as that (even though that might not be the position of every citizen, it's essentially what GDPR states).