I really love the GDPR for just making life way harder for such business models.
Implementing data, analytics, tracking and stuff in a way that is compliant with GDPR (or its local equivalents) is doable and from an architectural point of view even interesting imho.
I love building GDPR conforming data architectures with my clients right now.
Think of all the free apps: I was in a conference with startup founders bragging about the business they make selling the location data of app users by incorporating some third party libraries in their apps without the users knowing. Of course, everything is anonymized, is it?
Ad-supported websites on the other hand only have to document what is going on and get the consent of the user. That's a simple notification bar with a button, like the cookie notice, plus a page detailing the privacy policy. The GDPR even mentions legitimate reasons for collecting, storing and transmitting personally identifiable data like technical or business needs. And in addition, almost all ad networks are going to anonymize IP addresses by stripping some bits and have opt-out features for being profiled.
I rather think it gets a lot of hate because it leaves a lot to the discretion of the regulators. Overall, the SMEs I talk to don't have a problem with regulating data (most think it will pop the gangrenous ad-tech bubble). It's the lack of predictability that bothers them.
As I still have 7 days to go and this is just a personal blog, I plan on using my free time to do that (it would just take 3 - 5 minutes to disable everything if I wanted to, by removing GTM and redeploying).
So removing everything is quite easy. It is way more difficult to selectively remove singular features - in this case the DoubleClick integration. As I am not doing that exact step all day (even being a data analyst with a focus on web data), I would have to look up where exactly to configure that. That would take longer.
So be snarky - I don't care, as I am already preparing for GDPR compliance and will have my house in order come May 25th.
[Edit] Took 12 minutes in the end. Will take some time until caching catches up. Using an incognito instance, all good to go regarding the trackers. "Only" the update for the privacy page remains for the weekend to do.
These so-called cookie layers are not necessary for tracking. They are not even necessary for first-party on-site advertising. For that you also do not need consent if you read the GDPR/DSGVO (German version).
In the DSGVO it is §6.1f [1] you would want to read about. There is even an elaborate explanation from the German legislation [2] of what "Berechtigtes Interesse" (legitimate interest) exactly means.
So to make this short: direct marketing as well as tracking is totally fine even without consent. Give an option to opt out, explain why you need the data, what you do with it and how long you store it as well as a point of contact (for people wishing for their data to be deleted) and you are fine.
As long as you do not do profiling or stuff like that. A personal blog/website is then totally fine with GDPR. Btw. you would need to add all of this to your privacy page even if you had no web tracking installed, as your webserver probably would have logging activated. Having an IP address in there makes this data fall under the GDPR (at least in Germany). So you would need to explain all that stuff because of the log files nonetheless.
[0]: https://schriftrolle.de/datenschutz
[1]: https://dsgvo-gesetz.de/art-6-dsgvo/
[2]: https://dsgvo-gesetz.de/erwaegungsgruende/nr-47/
[Edit:] Ordered the footnotes
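The two places this thread touches IP handling are the webserver access logs in the post above and the earlier remark that ad networks anonymize IP addresses "by stripping some bits". As an added example (not code from any commenter), here is a small Python log anonymizer that truncates the client address of combined-format log lines to /24 for IPv4 and /48 for IPv6 before the log is retained; the sample lines and the chosen prefix lengths are constructed assumptions, not something the thread specifies.

```python
import ipaddress

# Constructed sample log lines in nginx/Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /blog/gdpr HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/May/2018:13:55:37 +0000] "GET /feed HTTP/1.1" 200 811 "-" "curl/7.58"
not-an-ip - - [10/May/2018:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# Assumed prefix lengths: keep three IPv4 octets, keep the IPv6 routing prefix.
V4_PREFIX = 24
V6_PREFIX = 48


def anonymize_ip(text: str) -> str:
    """Truncate an address to the configured prefix; return non-IP input unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # malformed first field: leave it, do not crash the pipeline
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Mask only the client address, which is the first whitespace-separated field."""
    head, sep, rest = line.partition(" ")
    if not sep:
        return line
    return anonymize_ip(head) + sep + rest


def anonymize_log(log: str) -> list:
    """Anonymize every line of a log text and return the masked lines."""
    return [anonymize_log_line(line) for line in log.splitlines()]


if __name__ == "__main__":
    for masked in anonymize_log(SAMPLE_LOG):
        print(masked)
```

Truncation reduces identifiability but does not remove it entirely; whether it is enough for a given site is exactly the legal judgement the thread leaves open.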
Internet advertising is a viper pit of privacy invasion. They didn't get their house in order, and let it turn into the horrible mess it is today, so they shouldn't be surprised that the regulators stepped in.
"You're making efforts to comply with the regulations, but could you have a look at how you're storing this and that?"
vs
"You're not compliant with the regulation so we have to impose a fine"
Are you really saying you'd prefer the second?
Second, are you sure about this? My understanding is that if you use third-party tags such as analytics you need to get consent from users and not to use them if they don't consent.
One other thing that is not clear to me is whether we need cookie prompts, and how we can implement cookie opt-ins/outs without being able to set cookies.
People are rightfully worried about "you followed the law completely but we don't like it so massive fines!".
That seems largely independent of how precise/vague the laws are, if you're expecting the enforcing party to find a way to get you regardless.
The 'defence' here seems to be that you can make a decent argument that you've taken appropriate measures to conform with your [reasonable] interpretation of the rules.
The regulator can object (and possibly penalise you) if they think you're not acting in good faith, or you have a grossly unreasonable interpretation of those rules. You can object to an unfair interpretation of the rules by the regulator as well.
Either way, if The Powers That Be want you nailed to a wall, they'll find a way, this particular regulation or not.
At the end of the day, I am the one person who has to answer that question/is responsible for being GDPR compliant. I've spent hours doing research, figuring out what we need to do and implementing it -- and it's a hollow victory because even though I've said yes and have 100s of articles/white papers/opinions that back up the decisions I've made, the real answer is still "I don't know".
And I absolutely know I'm not alone in this. I got GDPR compliance dropped on my lap because I did security compliance -- if you contrast NIST 800-53/800-171 against GDPR you'll see why people are pissed off. One has clear guidelines with enough room for evolving best practices written by obviously competent/experienced professionals, the other is written as basically "we'll know it when we see it".
So many people are pro-privacy until it affects their bottom line.
Sounds like a win for the GDPR to me, we know rigid checkbox-ticking is ineffective.
Apart from that, NIST 800-53/800-171 are catalogs of "security controls and associated assessment procedures" for "Federal Information Systems and Organizations". GDPR is a data protection regulation in the context of the EU legal system. Apples to oranges.
Yes, so a law or rule or EO says "you must be compliant with this framework" - the GDPR just left off the part where they have controls/a framework.
It's not rigid box ticking, a control defines what you need to do. How you do that is up to you and should be updated often as things evolve. For example, in the GDPR I would say you must catalog data collected and perform a personal data assessment with justification for whether "piece of data" is personal data or not. I can comply with that, I have lots of supporting documentation that an IP address does not personally identify a person.
Then if a regulator releases a clarification that an IP address is personal data or the consensus of the security community changes or whatever happens, I just update my security plan and make sure the IP address is handled the same as all of the other personal data in our systems and I was never out of compliance.
It basically works the same in practice, you must make a good faith effort to comply -- but proving you made a good faith effort and documenting what you did and why is also part of the compliance framework. The GDPR doesn't have that, you're at the whims of the EU because there is nothing except internet opinions on how to comply.
When doing the ethical, moral, right, correct thing might still be considered falling short of "reasonable measures" by some bureaucrat? It might be kinda nice to have had more detailed guidance.
Hate? Try to think of it from the perspective of a business in the US that wants to know why they have to (for lack of a better way to put it) bogu to an entity that does not represent them in any way. And the fact that you might sell something or service customers in Europe does not mean you should have to answer to any rules that they set up either. Should the town that I live in and operate a web site out of be able to have rules in place and then go after citizens in the EU for not abiding by them?
And actually it's one step further since many of the procedures and rules are being taken broadly and universally even against entities (businesses and US persons) that aren't even covered by the GDPR.
And no, it's not like 'oh if you want to sell a car in Europe you need to certify this and that'; that is not the same thing. Why? Well for one thing the golden rule. If you want that car allowed through the port you need to do what they tell you to do or they have a right to not allow it on their land. In this case their citizens are utilizing US websites and therefore it's on them to determine if they feel the service or product they are getting is fit.
I am referring to US businesses that don't have an office or physical presence in Europe. To those that do the 'golden rule' applies.
Yes, because if I’m supposed to comply with something, I want to know exactly what I’m complying with.
Right now I think I'm already doing everything in good faith, but the enforcers of the GDPR may think differently.
This is why we have laws, so we can be held accountable exactly.
“You’re making efforts to comply, but even though this isn’t spelled out, we need XYZ done”
vs
“You’ve complied with all the requirements that have been spelled out”
What if my opinion of what is ethical differs from what regulators decide? Opinions are notoriously inconsistent, subject to bias, and easily used to discriminate.
I thought the GDPR required users to opt-in to tracking (if consent is used as the lawful basis for processing), and if they choose not to opt-in, you must disable the tracking while still providing the service. Are you sure just updating your privacy page is enough?
Then there are the requirements to allow users to download or delete their data.
For example, if you're a CDN business, and naturally need to fight DDoS attacks, then storing exact IP addresses for all requests for a few weeks easily falls under "legitimate interest" (GDPR 6.1.f). On the other hand, if you're a political news site, then storing IP addresses and URLs for the purpose of determining the political preferences of people without their consent is very clearly illegal, taking into account that an IP address can often be static and so identify a specific person.
Yes, it means that you have some decisions to make yourself, and the regulator might disagree with your decisions, but that's true about pretty much every new law, no?
If the legislation is principle based or overly broad so as to cater to the notion that it will be enforced in an ethical and moral manner the purpose shall be defeated.
As such, there shall be no manner in which the individuals who are regulated will have any sense of how to comply with the legislation and ultimately this undermines the rule of law as well as the respect of the public for such legislation.
Such legislation that sets out fines and penalties, especially the absolutely ridiculously high penalties provided for by GDPR, must be as precise as possible so as to ensure the public knows exactly what is prohibited and what is not. This is notwithstanding the fact that this marvelous bit of administrative madness has the ability to bankrupt any organisation up to and including developing countries.
To trust that the executive body will apply regulations in an ethical and fair manner is a rather paradoxical view especially when such regulations also include mechanisms for judicial review and public control. Thus, legislation which claims to be fair and ethical is also, by the same token, providing measures in case the system is abused, which is again rather paradoxical.
These are not apples and oranges, this is a massive administrative monster that contains penal sanctions and as such must be rule-based, based on basic legal principles that apply in pretty much every jurisdiction, European or otherwise.
Laws and regulations tend to stick around for longer than expected, and they're static. Technology and "cyber criminals" are dynamic. For better or worse, the GDPR acknowledges this. I think that's a testament to the Article 29 Working Party, in a world where most politicians are clueless about technology.
You make reference to a legal system that precisely defines what is or isn't legal, and then give an example of a company who were legal, but who got prosecuted / sued anyway, and who lost.
Law is not just the acts and statutes, it's case law too. We have strong guiding principles in GDPR, and we have mostly clear direction for what is or isn't acceptable. And now we wait for regulation to happen.
> so massive fines!".
No. "We don't like it, so here's a letter telling you what we don't like, with suggestions for current best practice". At that point you either change to come into compliance, or you write back and explain why you think you are in compliance. European regulators (at least the ones in the UK) try to avoid fines. The UK's ICO has never used their maximum fine, and there have been some serious data breaches in the UK.
You're absolutely right! GDPR is wonderful for users as a ringing and clear statement of human rights.
Unfortunately, it also needs to be for companies because it affects companies just as much as users. I would go so far as to say GDPR rests almost entirely on companies to turn this stirring declaration of human rights into rights said humans can actually make use of. In this regard, it's a collection of opportunities for improvement of awe-inspiring proportions.
You're right. Technologies and threat landscapes change. Regulation needs to acknowledge this or be worse than useless. Yet, perhaps there are ways to deal with this that don't rest largely on handwaving away critical questions of what compliance actually might look like with weasel-words like "reasonable".
Does that seem possible?
The heart of the issue is that you're talking about trends rather than what's actually written in the law, i.e. legally binding.
Many of us are not comfortable staking our livelihoods on trends.
If you do linking of such stuff (like Google Analytics with DoubleClick) you need an opt-in. Only then is the opt-in cookie banner really necessary.
Please excuse the late answer - was on holiday.