Europe's General Data Protection Regulation Makes Privacy Global


#21

Of course not. Persistent data is when data is passed on to other parties, and at the moment there is no solution I know of for this problem.

Marilyn


(Tommy Weir) #22

Practical reality for most companies? Comply. Simply the easier and simpler thing to do. And the public, no matter where, benefit.


(jbayly) #23

It’s easy? Really?!

Are you aware that this very forum is running on software that is not compliant?

Go ahead, go read that post and tell me again how easy it is.


(jbayly) #24

I’d love for somebody to explain how I can easily and simply keep backups for a website that will allow me to recover from a disaster by restoring to a previous state, and at the same time guarantee that if somebody asks to be “forgotten” that none of their data remains in my backups.

Uh. Yeah. It’s um… deleted.

If that’s what everybody means by “comply” then I guess I’d agree that the EU has “jurisdiction.”


(Adam Engst) #25

All change is hard, without question. And we’ll be looking at all the stuff TidBITS does to see if it’s compliant, or how we’d deal with the possible requests. Luckily, things like Discourse will likely just solve some of those problems with updates.

That said, many businesses have long understood the need to abide by foreign regulations. For instance, when we owned Take Control, one of the reasons we worked with eSellerate on the sales was because eSellerate had an entire team of people who dealt with collecting and remitting VAT to European countries. Ebooks are subject to VAT in the EU and a number of other countries around the world. It was a cost of doing business.

Would anything bad have happened to us had we ignored the need to remit VAT for sales into those countries? We had no way of knowing, but the potential cost of being dragged into court as a result of ignoring VAT, or worrying if we wanted to travel to one of those countries, or even the effect on authors who lived in those countries, was enough to ensure that we collected and paid the taxes.


(Tommy Weir) #26

Didn’t say it was easy… easier than court, that was all.


(jbayly) #27

I was responding to this comment:

Anyway, I agree that it’s easier than being a test case in court. What I think is going to happen is the same thing that happened with PCI compliance. A lot of small businesses will make a couple of changes and claim that they are compliant, when they aren’t really, because nobody really knows what it looks like to truly be compliant. But with PCI, you had to at least claim you were compliant to do any credit card business. My guess is that greater than 50% of the businesses in the US do nothing to become compliant because the risk/reward tradeoff is too unbalanced, and nobody is forcing them to do anything to keep accepting money online.

In other words, the chances are so small that you’ll be a test case in court that a lot of people will just cross their fingers and proceed with business as usual.


(@lbutlr) #28

The solution is the massive fines the EU will impose if you’re caught not complying. They are based on revenue (not profits) and a maximum fine would severely impact any company. This is no case of a corporation deciding it is cheaper to deal with lawsuits than fix the exploding products.


(@lbutlr) #29

It really is pretty easy to comply, since what you need to be able to do in order to comply is delete a customer’s data when they request it be deleted.

Now, how complicated that specific task is depends a lot on how you store it, back it up, and how good your tools are. If you can restore a particular user’s files/data from backup, then removing them should not be difficult.

If you’ve settled on a backup scheme that makes this difficult (all your backups are drive images to physical media that are then stored individually) then it’s not going to be hard, but it’s going to be exceedingly tedious. If it’s exceedingly tedious, then it’s probably time to look at how you back up data.

And as for Discourse not being compliant, I am not at all surprised. But they will be if they want to survive.


(jbayly) #30

It strikes me that you’re not very familiar with the way the vast majority of small businesses run. I guarantee that there are many thousands of businesses that will never even hear that the EU has declared they need to change the way they do business.


#31

I’m guessing that your website wasn’t built to do data collection, analytics or content assembly, sophisticated e-commerce, or distribution. Your site probably is not being geared up for facial recognition or AI. If it was you would know that user data is stored and maintained separately from content. And the data crunching, storing and serving isn’t done on Macs or PCs. It’s done on heavy iron at mega server farms.

Smaller companies or individuals that do any of the above typically farm less sophisticated stuff than above out to a third party and it resides on their server farm. Or they participate in Google AdSense or Doubleclick, sell stuff or buy ads on Amazon, Etsy, etc.

Marilyn


(jbayly) #32

Correct. I don’t.

Incorrect. For the vast majority of businesses, the comments on their blog, which often include a name and an IP address, which are personal information, or a simple e-store that sells a couple of products, all have the user data mixed in the same database that their content is in. And yes, that might be hosted on a third party server, but all that does is make the process of getting compliant more confusing, not less.

I could be wrong on the details, but as I understand it, if you have a blog with comments, you now need to hire a lawyer to write you up some terms and conditions or you’re “breaking the law.” Oh, and you have to modify the comment form to have an opt-in checkbox explaining how you’re compliant with GDPR, and keep track of which version(s) of your policies that particular user has opted in to since you will probably have to make changes to them at some point, either because of a typo in your policies or because you need to make some changes because you’re moving from Mailchimp to Aweber.

This really reminds me of the PCI compliance stuff. I remember everybody saying it was no big deal and that you just had to hire Authorize.net or whoever and you’d be compliant. But no. Sorry. It’s just not that easy.


(Tom Gewecke) #33

Of possible interest, my very ordinary blog at blogger.com now has this attached:


(jbayly) #34

Wonderful. So now every. Single. Stinking. Website. In. The. World. I’m going to have to click to dismiss a stupid pop up box before I can see the whole page. And this is for my protection.

Thanks EU. For making the usability of the web so much worse.

Tell me in 3 years whether you’re being tracked less online, everybody, or if you still get tracked just as much but you’re constantly forced to take extra, meaningless actions by a bureaucracy, confirming that you want them to track you like this.

Peace out. I’m done with this.

P.S. You know what I would pay for? A GDPR blocking plugin on my browser.


(@lbutlr) #35

This has nothing to do with GDPR.


(Tom Gewecke) #37

Aha. So there will be a new and more elaborate notice coming?


#38

For the vast majority of businesses, the comments on their blog, which often include a name and an IP address, which are personal information, or a simple e-store that sells a couple of products, all have the user data mixed in the same database that their content is in. And yes, that might be hosted on a third party server, but all that does is make the process of getting compliant more confusing, not less.

Basically, all the EU is requiring any website to do is to give visitors the opportunity to opt out of having their data collected, and if requested, to have any data that was collected permanently deleted. If data is compromised, it must be reported in 2 or 3 days.

I could be wrong on the details, but as I understand it, if you have a blog with comments, you now need to hire a lawyer to write you up some terms and conditions or you’re “breaking the law.”

There is no requirement to hire a lawyer. If a site does collect data, there are procedures they must follow that could be accomplished without a lawyer, though they are a big PITA.

Because I thought of Wordpress, and because there are millions of small Wordpress sites across the globe, and there are lots of paywall and subscription tools available for small sites, I checked out their site and they have good explanations about what needs to be done. The summary is:

  • "it applies to any website that deals with personal information of EU users,
  • it gives the user the right to control the flow of their personal information,
  • there are defined processes to monitor compliance and huge fines are in place for non-compliance.
    In a nutshell, to make your WordPress GDPR compliant, you should (1) look into all the different ways in which you’re collecting visitor data. Next, (2) put mechanisms in place to make sure that users can control their data. Additionally, (3) it’s probably a good idea to avoid collecting user data where it’s not necessary (like the contact form example from above). And most importantly of all, (4) even if you’re using third-party tools and solutions, you still need to make sure that those are GDPR compliant as well.

If you don’t have all of the above taken care of by May 2018, trouble."

The Complete WordPress GDPR Guide: What Does the New Data Regulation Mean for Your Website, Business and Data?

https://www.codeinwp.com/blog/complete-wordpress-gdpr-guide/

, and you have to modify the comment form to have an opt-in checkbox explaining how you’re compliant with GDPR, and keep track of which version(s) of your policies that particular user has opted in to since you will probably have to make changes to them at some point, either because of a typo in your policies or because you need to make some changes because you’re moving from Mailchimp to Aweber.

Like I said, it’s a PITA, but it’s doable. Who or whatever doesn’t want to go through the rigmarole can block people. IMHO, and I’m very concerned about privacy, I wish there were data regulations as strict as this in the US.

This really reminds me of the PCI compliance stuff. I remember everybody saying it was no big deal and that you just had to hire Authorize.net or whoever and you’d be compliant. But no. Sorry. It’s just not that easy.

I had problems from the Target hack, and I ended up jumping through hoops after the Equifax shebang. So I wish the credit card regulations were stronger.

Marilyn


(jbayly) #39

I know I said I was done, but I can’t help myself.

You keep saying that you can block people. That’s explicitly and intentionally made not possible by the rules. The link I posted above that nobody has bothered to click explains this in detail.

Re: PCI: 1. That had nothing to do with Equifax. 2. My whole point is that it’s security theater, not actual security.

And as to this:

You sure? Because this site says that cookie popups are going to be heavily affected by GDPR.

This is like trying to explain that the TSA isn’t there to make you secure, it’s there to make you feel secure. It’s the same with this law.


(@lbutlr) #40

The cookie popup has nothing to do with GDPR. That was an entirely separate (and entirely misguided and stupid) regulation.


(Tom Gewecke) #41

Won’t GDPR require a similar but more robust popup that gives the viewer an opportunity to act before any cookies are set on a first visit to the page?