
I made 20 GDPR deletion requests. 12 were ignored

https://nikolak.com/gdpr-failure/
113•nikola-k•2h ago

Comments

oncallthrow•1h ago
GDPR is privacy theater
Insanity•1h ago
Somewhat, but not entirely. For smaller players it's a hassle/PITA but it does enforce some checks and balances on the larger players.
zxcvasd•1h ago
only because it isn't enforced.

if fines were levied and actually collected, it'd be a pretty robust regulation for privacy. there's other issues with it, but nothing that requires gdpr to be wiped out -- just modified (and clarified) a bit.

SyrupThinker•1h ago
At the very least it did result in plenty of services that previously didn't allow one to delete accounts to add that option. For other cases writing a strongly worded email did the trick, unfortunate that Nikola did not have as much success with it.
0123456789ABCDE•1h ago
thanks for the insight, keyboard warrior
raverbashing•1h ago
Honestly I'd think about several "worse" companies to annoy with such "a test" first than Prusa, but anyway

> A company can list an email address as their official GDPR contact in their privacy policy, and if their own spam filter eats your request, it legally never happened. There is no obligation to check. There is no obligation to ensure delivery. The burden is entirely on you to prove they received it.

That's you being silly. The correct way is to send a letter with a Reception Receipt https://en.wikipedia.org/wiki/Avis_de_r%C3%A9ception which is the way lawyers like to do it.

petcat•1h ago
My understanding is that GDPR is being strongly reviewed with the goal of modeling it closer to what California did with the CCPA [1], which seems to be a much more effective privacy regulation.

[1] https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...

LunaSea•1h ago
Do you know what the primary differences are?
buzer•1h ago
If you mean what they are planning to change (as part of the omnibus) there is a report by NOYB https://noyb.eu/sites/default/files/2025-12/noyb%20Digital%2...

If you mean how CCPA/CPRA differs from GDPR there are lots of things. For example you are not entitled to know actual recipients of your data, only the categories. So you cannot really know who actually received your data which then prevents you from exercising your rights against those controllers (or covered entities in CPRA language). GDPR also requires companies to usually notify you if they receive your data as controller (though there are some exceptions), in reality that's not really happening though (e.g. how many payment processors or acquiring banks have notified you about your credit card payments?).

CPRA also allows selling your personal data if you do not opt-out, in GDPR that would generally require consent (except in certain situations where you can use legitimate interest as the basis). GDPR also regulates cross-border transfers a lot more closely as the idea is that the protections & rights travel with the data.

paweladamczuk•1h ago
There was a presentation here a while back (last year) about how to avoid getting ignored or played otherwise when submitting those requests. Sadly I cannot find it, but maybe someone else has the link?
tasubotadas•1h ago
> A flat minimum, say 5,000€ per violation, no matter how small the company, applied automatically when non-compliance is confirmed.

No wonder Europe is such a laggard in tech when even software devs write nonsense like this.

On one hand they want independence from the evil US hyperscalers but on the other hand they are ready to kill any new company in the EU.

blell•1h ago
In Spain the fines are like 60k for data protection violations, no matter how small you are, and if you’re self employed, you can’t declare bankruptcy and you have to pay the fine with your own personal assets.
wincy•1h ago
Sounds like a great reason to never start a company in Spain, ever.
jjgreen•1h ago
Sounds like a great reason to never start a criminal company in Spain.
throwmeaway820•1h ago
why would anyone risk starting a business in such an environment?
fc417fc802•56m ago
Perfect recipe to discourage individuals from innovating. I'm all for holding actual companies with user bases and counsel and insurance and a business model and etc accountable. But "private party just getting started with a bespoke solution was a bit careless or ignorant; luckily no serious harm was caused" should never be financially ruinous.
petcat•1h ago
Many of the "evil US hyperscalers" are headquartered in California, and the CCPA [1] has this exact penalty structure codified in law:

> (b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

$7,500 per intentional violation, $2,500 per unintentional.

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

konne88•1h ago
But it also doesn't apply to small companies:

The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, does business in California (regardless of where it is located), and satisfies at least one of the following thresholds:

Has annual gross revenues in excess of $25 million in its most recent tax year;[11] Buys, receives, or sells the personal information of 100,000 or more consumers or households; or Earns more than half of its annual revenue from selling consumers' personal information.[12][13]

https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...

petcat•1h ago
Right, the CCPA targets large/semi-large scale data processors. That Wikipedia article seems to be outdated, because the law text reads:

> satisfies one or more of the following thresholds:

> (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

> (B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

> (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

This alone is enough to apply to most non-trivial apps/businesses where large-scale data harvesting is a huge problem:

> the personal information of 50,000 or more consumers, households, or devices.

mytailorisrich•1h ago
Those numbers are maximum fines per violation if I understand the wording correctly ("not more than") while the suggestion was that €5,000 should be a minimum.
jjp•1h ago
Or perhaps they want to stop any company that doesn’t want to play by the rules as defined by the laws of society. So it doesn’t matter whether it’s a US hyperscaler or an EU wannabe.
rmonvfer•1h ago
You wouldn’t even believe the stuff I’ve heard in “startup” and “innovation” spaces about regulation and stuff like government grants.

I usually hear the “we [europe] have some of the brightest minds, we can do anything” and sure, granted, but that’s not the issue and it has never been. Why would those bright minds want to build something in a place that’s so obviously against the very same idea of free competition? Of course they don’t, those who can just flee and those who can’t usually end up building some useless grant-ware in an endless cycle. That’s not to say that we don’t have great startups and entrepreneurs, we do, but I find myself fighting every day against a system that’s built for the state to decide what, when and how citizens must innovate (and live).

/s

avh02•1h ago
Then don't violate it, you won't get fined.
blell•1h ago
This comes from the same website that tells you that the average person commits a thousand crimes every day and that prosecuting criminals is therefore meanie mean.
kstrauser•1h ago
While I love the idea of GDPR, and especially local versions like CCPA that benefit me directly, I loathe much about the GDPR.

1. Cookie popups. Enough said.

2. Its extraterritoriality claims. Yes, I know you also want it to apply to companies in, say, Japan. Bummer. Unless they signed a treaty agreeing to abide by it, they're their own sovereign entities and their businesses don't have to comply with remote EU laws.

3. The annual moderation report. I've lost an aggregate of several weeks of my life filling out reports where 99.9% of our moderation actions were to delete link farms, fake drug sales, phishing portals, and cockfighting fliers.

4. The misperception that GDPR means you have to delete everything. Uh, no. If we suspend joe.scammer@gmail.com's account for phishing, we're not obligated to purge every instance of that email address from our systems, especially not the one that gets to decide whether a new user is allowed to register for another account. And if "joe.scammer" deletes his account, we don't have to return "joe.scammer" into circulation so another user can register it, and simply saying that "joe.scammer is not available" is not disclosing sensitive data. And in any case, a company entirely outside the EU isn't compelled to do it anyway (see #2).

Love the idea, strongly dislike the implementation.

qkeast•1h ago
As far as cookie popups go (and recognizing you probably know this so it’s more a general comment), GDPR doesn’t encode cookie popups into law, but the entire industry follows the pattern of cookie popups in response to the underlying requirement of informed consent. Companies could choose to not collect as much info, or take other approaches, but cookie popups are the default.
causal•1h ago
Yeah it's wild we blame GDPR instead of the companies that decide tracking us is worth our inconvenience
SpicyLemonZest•1h ago
GDPR does not formally require cookie popups (and the cookie stuff predates GDPR as such anyway). But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required. The EU's official resources on data protection, for example, have a popup. (https://commission.europa.eu/law/law-topic/data-protection/r...)
latexr•1h ago
> But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required.

It is not. They even list more types of cookies which do not need consent than the ones which do.

https://commission.europa.eu/resources/europa-web-guide/desi...

> The EU's official resources on data protection, for example, have a popup.

Because it’s mandatory for them, not because the cookies are invasive. See the top of the page of the link above:

> Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies-owned websites, regardless of the cookies used.

bruce511•1h ago
>> But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required.

Nonsense. It's easy to create a site that doesn't need a cookie pop-up. Indeed the mere existence of a cookie pop-up screams "we are tracking you and selling your info".

dathinab•55m ago
> point of impracticality to run a website

only if your site insists on using any of the widely used Ad networks

though there are Ad Networks which base ads on what is on your site instead of who visits

and the popup you link is _not_ a GDPR popup but is related to some other older and very misguided law(s). (Not EU wide laws, but EU sites want to be compliant with every member country's laws.)

Having an EU decision which requires countries to remove these older misguided laws has been on the agenda for years. It's just given that most sites anyway will have popups (e.g. for Google Ads) things move way way way too slow :(

kstrauser•1h ago
You're right, for sure. It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes. I haven't put any time into nailing down the wording, but something that communicates "sites are allowed to use 'authentication cookies' to validate a user's ability to make server requests" would be most welcome. Then you could actually have an incentive to remove the cookie banner on sites that only use cookies for session authentication. You don't also use them to integrate with your marketing analytics kraken? Sweet! You don't have to have a banner or other notice!
mhitza•1h ago
If you use cookies only for authentication it can be a single note on the login form.
latexr•1h ago
You don’t even need that.

https://commission.europa.eu/resources/europa-web-guide/desi...

> Cookies and similar technologies that generally do NOT need consent

> (…)

> Authentication cookies, for the duration of a session

dathinab•1h ago
needing consent and informing the user are two distinct concepts

I think you did need to explicitly tell the user about it.

But I think (not fully sure) they did relax that recently so just listing it in your Privacy Policy or similar should be enough by now.

But also due to how enforcement is designed it's not that you really had to worry about anything if you only have non-consent requiring cookies and list them clearly in the privacy policy. Worst case a privacy agency tells you to "improve on it" without penalty.

It's just which site (or app) today doesn't use something like Google Ad Network, or Meta's Ad Network, or Apple's Ad network. All of which do not support ads without tracking (which still are very viable, e.g. select ads based on what the site/ad is about).

latexr•50m ago
> It's just which site (or app) today doesn't use something like Google Ad Network, or Metas Ad Network, or Apples Ad network.

For websites, Hacker News doesn’t seem to use any of that. For apps, Alfred doesn’t do any tracking, nor does Wipr, or Inkscape, or mpv.

latexr•1h ago
> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.

That’s exactly what it does.

https://commission.europa.eu/resources/europa-web-guide/desi...

They list more types of cookies which do not need consent than the ones which do.

kstrauser•1h ago
Oh, nice! That page seems to have been written a year ago[0] and I wasn't aware of it. If that had existed from day one, we probably wouldn't be having this conversation.

0: https://web.archive.org/web/20250301000000*/https://commissi...

dathinab•1h ago
the site didn't exist from day one, the exceptions do

(but some informational requirements have been slightly relaxed recently I think)

latexr•1h ago
> That page seems to have been written a year ago

The page has existed for several years, it was just at a different URL before. Here’s a version from 2021:

https://web.archive.org/web/20210623122357/https://wikis.ec....

kstrauser•56m ago
I'll concede that, but that's still several years after the law was deployed and people had to kind of guess for a while.

GDPR isn't unique in that. When HIPAA came out in the US, no one was sure what it actually meant. I personally talked to hospital administrators who were convinced that we'd have to put up a "take a number" device in waiting rooms and call out "#53? It's your turn #53!", which the owners of the practice I ran flat-out refused to do: "the waiting room is currently occupied by Mr. Smith and Mrs. Jones, who have known each other since kindergarten, and I'm not going to refer to them as numbers". It took several years to build consensus on how to comply with it.

latexr•43m ago
> I'll concede that

In case it wasn’t clear, I wasn’t trying to “gotcha” you or anything. I took your message to be in good faith. I just knew the website used to exist on another page because I remember having it in my bookmarks and it breaking and having to search for the new one.

> but that's still several years after the law was deployed

Maybe, I do not know. I didn’t search for it before then, so for all I know it was available at some other domain too. Or maybe it wasn’t, that’s the earliest one I remember.

kstrauser•23m ago
Understood, and appreciated in the manner in which you meant it! I do love talking about this stuff. I've discovered that I have a giant regulation nerd deep inside me.
buzer•27m ago
It's important to note that this is what the European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that the EC is not bound by the ePrivacy Directive, as directives bind member states and require them to include them in their national law. They do still try to be consistent with how the directive is applied in the member states though, but since it can be varied they have more leeway compared to most other controllers.

The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by CJEU. And ePD does not have single-stop shop so you need to follow every DPAs directions if you are offering services to that DPA's country.

bruce511•1h ago
See Article 5(3). There is a specific carve-out for cookies that are used solely for essential site operation and security.
dathinab•1h ago
> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.

it does have such an exception, always did (as long as the cookies are not used for tracking or other non essential things etc.). It might not be super explicit but it's explicit enough to have you on the safe side.

you do have to inform people, but there are very non intrusive ways to do so (as it's informational only, i.e. no user interaction like confirm/accept is needed at all). (I think? they also have removed part of the explicit informational requirement for some things recently, i.e. it's good enough to list it on your site in the TOS/Dataprotection section/sub-site.)

there are other (I think not EU wide but nation specific) laws which get confused with it and handle things differently, based on sites storing their data on your computer (and with that any cookie)

the reason most sites don't do anything like that isn't because they can't. It's because they try to harass users endlessly until they always click on confirm and can be tracked. Or because they don't know better due to an endless slew of systematic misinformation spread by advertisement agencies like Google Ads.

piva00•1h ago
Cookie pop-ups are not part of the GDPR.

Every time I read this point on Hacker News I got to point this out because it's an extremely common misconception.

Read the GDPR, at least the outline, it's not there.

matkoniecz•1h ago
Also, cookie pop-ups appeared before GDPR.
Topfi•1h ago
> Unless they signed a treaty agreeing to abide by it, their they're own sovereign entities and their businesses don't have to comply with remote EU laws.

What is your opinion concerning laws such as FATCA and other such laws that apply to non-US entities when working with US citizens abroad?

kstrauser•1h ago
Other laws that apply to the US's own citizens abroad, I can kind of get in line with. Like even if you go to a country where murder and mayhem are legal, you can't go there on vacation, rack up a body count, then come back to Wyoming and go back to work on Monday.

Other laws that apply to non-citizens abroad, I'm against, of course. We don't have the moral right to legislate what someone in China can and can't do. However, prosecuting them for that should they enter the US is a different animal. If you run a scam farm and defraud a million Americans, then go to Disneyland on vacation, you should plan on having a bad time. Similarly with GDPR and other EU-local laws: violate them outside the EU, but it'd be wise to skip Barcelona on your next world tour.

Topfi•1h ago
But neither of your described scenarios applies to either of the two.

Both FATCA and GDPR apply to entities/companies that deal with citizens from their respective jurisdiction. FATCA applies e.g. to foreign banks handling US customers, GDPR to foreign data processors handling EU user data.

If you don't want either to apply to you, easy, just don't handle US customers money/process EU user data.

kstrauser•1h ago
The penalty for non-compliance comes down to: you can't do business with the US government anymore, which is a huge bummer for any financial institution. If you don't care about that, say because you're a credit union servicing a small town in Brazil and you had a single American move there, I imagine you'd also ignore it.
Topfi•1h ago
I am by no means an expert, but as far as I am aware FATCA violations carry slightly higher penalties than what you suggest and are very much not limited to "you can't do business with the US government anymore".

Also, even if "you're a credit union servicing a small town in Brazil" and even if the penalty was as limited as you think it is, I doubt even a smaller institution could survive losing access to US securities, etc.

fc417fc802•48m ago
Such laws and policies are a blatant overreach. However the US is a superpower so if we act inappropriately smaller economies simply have to tolerate it to a large extent. It's no different than China throwing their weight around with their neighbors.

The EU jumping on that bandwagon was predictable but I don't think it's a good thing. We all ought to strive for a higher moral standard.

dathinab•1h ago
> Cookie popups. Enough said.

except a lot of the things related to cookie popups aren't GDPR but other (misguided older) laws

furthermore setting a (proper 1st party and HTTP only) cookie to remember you opted out of tracking doesn't require your explicit consent and as such any site which asks you again and again makes it extra hard to opt out in a way _not legally compliant with GDPR_.

also the do not track flag in a browser is a very clear unmistakable signal from the user that they don't want to be tracked, ignoring it and harassing the user with tracking dialogs is also not GDPR compliant

> 2. Its extraterratoriality claims.

It's based on your citizens' data being owned by your citizens. Extraterritorial claims about your citizens are pretty normal. And only enforced things matter so basically it only matters if they do business in the EU. And requiring someone who does business in another country to comply with that country's laws is the norm. Just because you do it "through a website" doesn't mean you can dodge responsibility. That would be absurd.

> 3. The annual moderation report.

if it's moderation deletion then that isn't GDPR but other laws, and the reports which are needed for GDPR can be trivially automated.

> 4. The misperception that GDPR

any halfway serious source is pretty clear about that and there isn't much law makers can do if people are too dumb to read and then insist they know better

The main issue is still enforcement, or the systematic lack of it in all kinds of ways.

Due to that bad companies don't try to comply with GDPR but with "what level of systematic intentional GDPR violation can we get away with" and that in turn leads to legal unreliability/unclearness.

Oh and that some business models are inherently incompatible with it and instead of judges being like "bad luck you had years to adapt" they are often hesitant to do much about it (like "pure abos" which deceive the end-user (and judges) with a false dichotomy about ads vs. no ads when the law is about tracking vs. no tracking and you can have ads without tracking, just not google ads but that is a google-made problem not a fundamental one).

mhitza•1h ago
Unfortunate. I've had a good success rate with smaller companies, whereas I still have an open email chain with Deezer and Glovo in my inbox because their process required too much back and forth (Deezer was particularly stupid because while I had an active trial they couldn't delete my account).

I think the bigger problem is that the entire process is left up to the individual, to both deal with the vendors (sometimes having to scavenge the privacy policy for an email address, or follow multi step processes) and report to the local DPAs. And the local DPA could have as arbitrary rules for the process, and very involved form fillings.

It doesn't help when institutions smell of corruption, as likely seen in Ireland, where it took them almost 8 years to resolve a complaint against facebook and fine them.

Only line I always want to see go up https://www.enforcementtracker.com/?insights

graemep•1h ago
That is unfortunate as it's more important to enforce the law on big companies, especially those who trade data.
gib444•1h ago
Criticism of the EU always gets down voted here but this is on point. The EU does too much trumpet blowing.

Too much gets put into law/regulations and then ignored without any kind of retrospective with regards to undesirable effects and efficacy.

Companies have realised GDPR isn't really anything to be feared in reality. Don't quote issued fines at me - quote fines that have been actually paid at least (you'll find that harder to Google)

briandw•1h ago
One could argue that the intention of the law is to make it possible to collect revenue from non-EU companies. Since the EU doesn't have any sizable internet companies. Not counting Prosus group as they are a holding company, Spotify is the biggest at 100mm. EU doesn't care about small / midsized companies because they don't have enough income to bother with. "The purpose of a system is what it does".
Y-bar•59m ago
> EU doesn't care about small / midsized companies because they don't have enough income to bother with.

I am so very tempted to quote you sarcastically using mixed upper lower case text for how incredibly wrong you are. Yes, there is less enforcement than I want of GDPR, but any insinuation that they do not bother is a lie.

Here is your proof:

https://www.enforcementtracker.com/

gib444•35m ago
Which of those fined have landed in the EU's bank account?
latexr•1h ago
> Criticism of the EU always gets down voted here but this on point.

The Chat Control threads are an easy example to demonstrate otherwise.

gib444•33m ago
Sure, pick the weakest part of my comment to reply to because I was imprecise in my language
citizenpaul•1h ago
Until there is legislation to simply ban data mining/reselling no companies are going to stop. The benefits to selling you out are simply too profitable and ignoring the hand slap laws/fines stops no one.

The biggest hindrance is that there is ZERO government desire to rein this in. Why? Because the government itself is one of the biggest customers of this data.

The government "fines" the company and immediately comes right back around to the checkout line and hands the same company piles of money for the exact same data they just fined them for selling. The company then just raises the price to make up the difference. I don't see any of this changing in the next 50 years.

gwbas1c•1h ago
It could be worse: You could be in the US, where companies can buy and sell your personal information without consequence.
munchler•1h ago
I would suggest the US is slightly better. At least we don’t have an unenforceable law that offers the illusion of privacy protections.
ejpir•1h ago
How is having NO law better? I'd say 12 out of 20 is better than zero.
irasigman•1h ago
I think you mean 8 out of 20. Fewer than half.
datsci_est_2015•1h ago
There’s an implicit assumption in this snark that the only purpose of a law is to create legal consequences (a subclass of error that’s very common on this forum, some type of “literalism”).

This is IMO a bit shortsighted: laws impact culture, laws represent ideals worth striving for, and in a democracy, laws help define the type of society in which the people would like to live.

A law’s utility is not limited to its ability to be enforced. In fact, in a democracy, when a law is not enforced, it is a strong signal that the will of the people is not being carried out by those charged with enforcement. See: the current USDOJ.

lo_zamoyski•59m ago
"Will of the people" aside, the law is indeed a teacher. It sets a norm and an expectation even when not enforced.
throwmeaway820•1h ago
> A flat minimum, say 5,000€ per violation, no matter how small the company

It's hard to imagine a practice more hostile to starting and operating a business than such a policy

mattjhall•1h ago
If you open a business you should be responsible enough to comply with the laws. A business that became large enough where this would become a time sink would be able to afford to hire someone.
jbverschoor•1h ago
And why not make the fines 0.1% - 1% of a venture's revenue? Because that's what you're talking about.
tpxl•1h ago
Why not make it 4%? Because the highest fine per GDPR is 4% of global revenue or 20 mil, whichever is higher.
y42•1h ago
Can you explain why? I mean, a company ignoring common and simple rules of law... why would you want to "protect" that?
raverbashing•1h ago
You really think mom & pop businesses that have limited IT skills have 5k lying around for some minor violation like not deleting an older email?
troupo•1h ago
They will not get that fine for a looooooooong time
latexr•1h ago
Mom and pop businesses with limited IT skills are not collecting emails and private information. At worst they’d be using some external service (e.g. Mailchimp) which does it for them, and those have an obligation to be familiar with the law.
matkoniecz•1h ago
"simple rules of law..." - sadly, EU regulations in their totality are far from simple
goshcoding•1h ago
How is a fine for mishandling personal information "hostile" to business?

A true Hacker News and YCombinator moment.

michaelsshaw•1h ago
Not allowing reckless disregard for the rights of people = literally fascism.
testing22321•54m ago
It gets in the way of ever increasing profit. The most important thing ever.
nilslindemann•34m ago
Yes, especially as the company could just implement a button "Delete your data" on their website. An automated task initiated by the user. No work for them.

Companies could also make clear before any registration, on one page, which data they will ask for and later collect. If they were honest. Then the user would have a chance to opt out _before_ they have given any data to them.

Well, they are not honest, because what do they do instead? Page 1: "Please, your E-Mail". Page 2: "We also need your phone number (we may call you)". Page 3: "Great, nearly done. Now please, your address, your credit card, a fingerprint copy and a picture of your penis".

I am in favor of appending a zero to those 5.000 Euros.

Apreche•1h ago
If compliance is so difficult for a business that they will fail if the law is enforced, good.
petcat•1h ago
California has the exact same penalty structure in the CCPA:

> (b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

$7,500 per intentional violation, $2,500 per unintentional.

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

patja•59m ago
But the California law only applies if your business has more than $25m revenue or does a lot of selling of PII. See SEC. 9. Section 1798.140 in the page linked.
petcat•57m ago
> [receives] the personal information of 50,000 or more consumers, households, or devices.

That's a trivially small bar to clear in order to be regulated under the CCPA where large-scale data harvesting is the focus.

WheatMillington•1h ago
All you have to do is respect the law and respect your customers. Absolutely the most basic thing we can ask of a new business.
7bit•43m ago
The issue lies somewhere in between.

I agree that businesses who unlawfully sell your data or do not implement a minimum of security measures should be punished hard.

I also agree that a flat 5000 € is problematic. Not because I believe that breaking the law shouldn't be punished. It's because you also get punished if you protect the data and respect your customers, but you don't document the thousand things you must document as a small business.

I don't know if you ever looked at GDPR, but that does not distinguish between a company with five employees and 50,000 employees.

The company with 5 employees must implement exactly (!!!) the same audit trail and processes that the 50,000 employee company has to. Or worse, there's literally no difference between you founding a company and Facebook.

This shit gets extremely overwhelming extremely fast and that's just killing small businesses.

ivan_gammel•44m ago
Privacy by design is easy. If you are incapable of dealing with GDPR, don’t start a company, because you lack survival skills anyway.
mystraline•1h ago
Are there citizen punishments that can be levied when a company refuses the law?

For example, you put in a GDPR deletion request. Company ignores or otherwise does not comply with the law. Can you sue them directly over that?

In the USA, I've seen a lot of various laws like the CAN-SPAM Act. But there are no remedies for citizens who were spammed to get statutory damages for being violated. Having that option to get money for being wronged would solve these sorts of problems.

unbalancedevh•1h ago
This kind of failure-to-enforce is endemic to government. Oversight and enforcement are implicitly expected of well-regulated governments, and that costs money that nobody wants to pay. Laws get enacted with little thought to how much it will cost to administer them, and they either get underfunded or added to the list of government bloat.

There is no easy way out. The oversight to ensure that governments do what they're expected to without corruption costs real money. We haven't yet figured out how to balance good government with fiscal efficiency; but it would at least be an improvement if people could be educated on the actual cost of properly implementing a law before it gets voted on.

As usual for cases like this, the only chance for a person to force compliance is to have enough money/resources, putting it out of reach for the general population.

tpxl•1h ago
We have figured out how to get money to enforce paying taxes and GDPR compliance: Pay them with the taxes and fines. USA's IRS has a famously high ROI, and I'm willing to bet a single GDPR fine for Google/Facebook/Microsoft pays for a whole lot of GDPR enforcement.
ryandrake•1h ago
In general, when it comes to enforcing laws on normal, individual people, governments seem to have no problem finding and cracking down on you. When it comes to enforcing laws on the rich, or corporations, suddenly the kid gloves go on and the "but we're simply not funded for enforcement!" excuses emerge...
lo_zamoyski•1h ago
While enforcement and the cost of enforcement is an important consideration, I would say that there is still value in unenforced law and regs. They set an expectation and a norm.
spwa4•56m ago
This is one problem, but in the GDPR's case it's worse: the law is designed for governments. The only people who can actually take action based on the GDPR ... are NOT the courts (same with the AI act btw).

Which governments have immediately used to:

1) exempt themselves from GDPR (e.g. allowing the use of medical data in divorce cases, and then refusing deletion of medical data from public institutions "for that reason". Then of course this was extended to tax enforcement (some of you European bastards DARE to try to get dental treatment when owing back taxes! Some things CANNOT be allowed))

2) they used it to attack certain firms for entirely reasonable reasons. One example, one of the very first cases, before the law was even in force was against Google. You see there are some online articles about José Manuel Barroso, the communist non-executive chairman and senior adviser of London-based Goldman Sachs International (yes, really, communist, not a joke), ex-socialist, then EU commission president ... that according to him violate the "right to be forgotten" (which technically doesn't apply to public figures, but apparently EU commission presidents aren't public figures)

There were some articles he wanted deleted about how technically he is (was?) a murder suspect (he organized and participated in demonstrations where some people were killed by a mob that he was part of, and probably the leader of), and how there were complaints against him by his students that allege he beat them up (as in physically), apparently in arguments about financial systems (yes, even when he was a pretty extreme communist he was a professor). He couldn't get the articles deleted ... and so he wanted them hidden. He got what he wanted, without court involvement.

mytailorisrich•1h ago
Deletion requests are a bit fuzzy. Withdrawing consent is easy, some deletions are easy, but we need to remember that the GDPR has a carve-out "for the establishment, exercise or defence of legal claims."

In practice this means that companies will keep data, and are entitled to keep data, for the period a legal claim may be made. For instance in the UK that period is 6 years and so you will find that companies will keep data for 6-7 years.

y42•1h ago
That’s essentially what I’ve experienced, call it 'anecdotal evidence.'

I had a long, ongoing, and very upsetting interaction with a bigger German company. Since I have experience in data privacy and GDPR, I eventually started thoroughly crawling their entire online presence for infringements. I found a significant number of issues and compiled a very extensive report. At first, they were completely dismissive. It was only after I issued formal legal warnings that an actual lawyer contacted me and promised to fix the issues.

Most of the GDPR violations were simply sloppy, though some were genuinely ignorant. It’s wild that we are eight years past 'Year Zero,' and while everyone is constantly talking about data privacy, these gaps still exist.

Some of them have eventually been fixed after my report, silently of course. phhh...

buzer•54m ago
On the "German DPA can only forward it to Czech DPA" there is now regulation (2025/2518) around the cross-border enforcement and as far as I understand it actually has hard deadlines. However, it will only start being in effect around May 2027 and will only affect cases which were filed after that. It is still a very long process and does require that the original DPA actually initiates things.

The spam filter loophole is unlikely to be legal. It is contrary to other DPA rulings (like the Norwegian DPA ruling on Mowi ASA), EDPB guidelines don't strictly define it but I would say tilt towards that excuse not being sufficient & my understanding is that there are also some court cases from Germany and Austria that treat messages routed to spam as received (https://www.nospamproxy.de/en/emails-in-spam-folders-are-con...). Of course if you want to actually enforce it you would need to appeal the decision in court, I have no clue how easy or hard that is in Germany.

loorke•30m ago
> I'm a German citizen

Of course, who else would complain about this.

When my ex-wife just moved to Germany, she was extremely anxious about waste sorting. She spent an hour sorting trash according to video guides on YouTube. Regardless of doing everything perfectly, some German neighbor snitched on her to her landlady. Then some other old neighbor was watching through her windows with binoculars (privacy my ass!). Germany is a terrible country, the sick man of Europe once again