The number of people who are saying it’s no big deal to comply with this huge law, especially for very small startups, is mind boggling.
Let’s just take one feature: the requirement that you can permanently delete all of your information. Most early-stage startups use the (in 2008, when I did mine) best practice of “delete=1”. Changing your whole database over to permanent cascade delete is only easy if you’re a very experienced programmer who knows what he’s doing. And that sets aside the fact that even if you know what you’re doing technically, there are lots of business logic problems with just deleting things out of the database, and anonymizing users is very tricky.
I was not a great programmer when I started my first startup. I was learning as I went along.
We couldn’t afford a lawyer, and the amount of time for me (the only programmer) to go through and read all the regulations and make all the requisite changes in the product I would estimate might take on the order of a month or two, which if timed poorly would’ve killed our company. I say again: at an early stage startup with one programmer, you cannot have that one programmer spending two months on compliance.
It’s just gotten to the point that there’s one comment after another responding to this regulation or that regulation or this situation or whatever with “well, just call HR”, or “I can’t believe you don’t have a company policy for that!”
Or “well, just ask your lawyers”. It ain’t that easy. Do you have any idea how much it would cost to have “your lawyers” go through the GDPR, tell you what you need to do, and deal with all of the edge cases and gray areas? $20k or $30k doesn’t seem too high.
My biggest fear is that all of these complex bureaucratic laws are just raising the bar for doing a startup. Maybe the days of two people doing a startup in someone’s garage should be in the past? If so, that makes me kind of sad.
Regardless it’s not obvious that GDPR is the right policy or that it’s well designed or clear.
I understand that because you are outside the EU you might feel like a target but that is not the point of GDPR. There is no way on earth that the EU as a whole has looked on your company/project or whatever and decided to screw you.
Have a look at the first few paras of this: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX... after it says "Whereas". Does the language look a little familiar? Do the sentiments look strangely familiar in some way?
GDPR is not about destroying people's livelihoods. It is about protecting basic, fundamental rights that say 30 years ago we never knew needed to exist.
After all the knee jerk reactions have calmed down a bit, you may find that you personally have benefited in some way from EU regs. If you find that, then I suggest you fight tooth and nail for similar to be enacted at home. I'll be the first to thank you for that.
Simply and brutally put: if you are incompetent and/or malevolent in your business practices and for that reason your business faces an existential threat from a piece of regulation that codifies the ideal setting for the industry, your business had better die ASAP.
I want that, just like you can't have a random person design cars, architect buildings or teach our kids, similarly a random person cannot code up a commercial/government web site where they were "learning as I went along"; and an enterprise that can't afford to consult a lawyer cannot get their hands on people's private data that they'd rather not change throughout their lives. Entrepreneurs to hell; the amount of irresponsibility some people posting here want conceded to them is mind-boggling. I really hope that the upcoming decade will bring some sanity to this wild west of an industry, where people who don't know what they are fucking doing can't just go out and handle stuff that they should not be allowed to even observe with a telescope from miles and miles away.
If all you do about my PII is “set delete = 1” (which one could argue isn’t even the best practice in every scenario), then I probably don’t want you to handle my PII at all.
To your example, you could easily not switch to a CASCADE, but instead set delete=1 and rewrite every sensitive field with a special value. Doesn’t even require a DB migration.
If your attitude to properly handling sensitive information is “it’s too complicated and costly, so we’ll just not handle it and YOLO”, perhaps GDPR is a good reflecting moment for you.
[edit:typo, edit:clarification]
If it is impossible for some startups to respect strong privacy practices maybe we simply don't need those startups.
This 'startupism' is almost an ideology. No mechanical engineer would complain about safety regulation just because it means that they cannot start a business in their garage. In other industries, strong safety standards and regard for customer privacy are simply the norm, not an annoyance.
I just want to roll my eyes when I see comments to the effect of, "Oh, it's so simple, just read the 80+ pages! The language is clear and straightforward, we promise! Also, you should have separated duties, full CI/CD that sanitizes any possible user data from leaving its hermetically sealed tier, and delete data early and often. If you don't, you'll be fined several tens of MegaEuros." The risk-reward ratio there is just insurmountably high for a small one- or two-person team.
I'm sure there are actually good parts of GDPR, and, hell, for all I know, the whole thing is the overarching achievement of Western civilization. But, unfortunately, reading 80 pages of dry foreign legalese when I'm not a lawyer is somewhere between a waste of time and a very bad idea (e.g. I think the regs are simple, make a mistake, then have huge legal liability). I will sadly be blocking the EU from any services I work on going forward until the point where I'm successful enough that I can actually have my lawyer look over everything.
The "best practice" you mention was already illegal if you have European users, the right to be forgotten was already a consequence of existing laws and directives (just ask Google).
As for startups, the GDPR already takes company size into account, so unless their business is literally being a private NSA/Stasi/etc. they don't have much bureaucracy to deal with (https://ec.europa.eu/info/law/law-topic/data-protection/refo...)
It's getting worse, but it's generally been the case that it's impossible for an individual to bootstrap a company and be 100% compliant with every law and tax regulation. You would never have any time to actually provide a product and service to customers. You just do the best you can, and as you get bigger you become more compliant.
Even a one-year-old start up could have literally thousands of database dumps in different places if they followed best practice of triple redundant daily dumps.
"We couldn't afford a lawyer and the amount of time for me (the only chef) to go through and read all the regulations and make all the requisite changes in the kitchen I would estimate might take on the order of a month or two, which if timed poorly would’ve killed our restaurant. I say again: at an early stage restaurant with one chef, you cannot have that one chef spending two months on compliance."
Would you eat in a place like that?
A senior executive at a large bank once told me "that's the idea!". Specifically, complex and onerous regulation makes it a lot harder for upstarts and, while costly for large established players, they can bear it.
1) Don't collect more information than is necessary to provide service. Why do you need to care about someone's physical address? "Shipping physical product" is a good answer. Why do you need to maintain historical usage data? "Providing the user the ability to view their own usage history" seems acceptable. If any of your answers involve "Just in case", "because marketing said so", or "I don't know", then your plan smells. If you think you need to make money selling my data, think again: maybe you should be charging me enough to cover your costs and make a profit; or if you already are doing that and you still want to sell my data, then you should just stop being greedy.
2) Allow the user to fix incorrect data. I mean, you wrote it to a database at one point in time, you can issue UPDATEs to allow the user to edit information.
3) Remove data when it's no longer needed (e.g. when it's out of date, or when a user says "I'm outta here"). If you can't be arsed to figure out how to properly delete data from your database, or hire someone who knows how, then I suggest you're not really dedicated to the business of creating software of value to customers.
4) Provide all of a user's data to that user. It's right there in your systems, and your software is accessing it to make decisions, provide service, etc. How hard can it be to put it all into some CSV files to download? You don't have to copy the user's rows from your MySQL tables into a SQLite database that the user can download. Some files with a basic explanation of content will suffice.
Yep, it raises the bar on what's "bare minimum" to get your company going. But keep in mind this is more 'line of business' than all the other requirements foisted on you by the law: things like corporate structure, taxes, occupancy permits, etc.
VC firms pair your technical ability with another founder who, presumably, has more of a business bent. That person should understand how to set your business up and how it's regulated - and if not, know where to find answers.
You sound to me like all the GOP whiners about how "regulations hurt business" who fail to see that lack of regulations hurts consumers.
Honestly, that's a bad best practice if the data you're collecting is sensitive, which PII is.
After GDPR: Everyone's required to do it, so at least you don't have to worry about your competitors.
That's what this is about: Self-regulation failed. Here's the externally imposed regulation. Be thankful it's as well-written and aligned with our interests as it is!
I don't think that blocking Europe with Cloudflare is a good idea. How is blocking Europe going to fix the problem of already having European data in your databases?
If you're a garage-startup, you're unlikely to be slapped with fines under GDPR. Let's be honest- if you're a garage startup you're lucky to be noticed by anyone, much less European regulators. The argument expressed here is sleight of hand: complaining about the supposed impact on "the little guy" when the regulations themselves are designed to target Facebook & Google (among others) specifically.
The regulations are not that complex, they just require a new standard of respect for users, one that we should have always had as an industry. The fact that we had to wait for regulators to force this on us is our shame, no one else's.
If GDRComplianceCost > EUVisitorProfitMargin Then BlockEUVisitors
A quick read of some of the provisions of GDPR immediately brought to mind this passage from Atlas Shrugged:
> “Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with.”
What's your system for dealing with COPPA then? You're required to have a way for permanently removing data of children.
The barrier to entry is so low that anyone with a credit card can set up complex IT environments quickly and collect valuable and sensitive information with no consequence to the principals.
They might not crash an economy but they can crash a democracy.
So really the regulation is somewhat deserved and levels the playing field with other industries that have the potential to damage society.
Personally I wish two people could start an internet company or a bank or an exchange or an investment fund without deep pockets for compliance and legal. But it’s no more. Mourn it and think about the next sector that is open for growth.
Next, something like the deletion right has to submit to other laws that mandate data retention, like having to keep sales and booking records for 10 years due to tax laws. If you do a cascading deletion in your data set, you're probably breaking these, so flagging records as deleted, or moving them to an archive to comply with these other laws, is still perfectly fine.
So this is just another regulation a startup has to think about. It's way easier than, i.e., tax laws, so please. Just stop panicking -.-
Startups that specialize in easing the pain of compliance do help. I recently had to implement tax collection in an app and a third-party API saved me a lot of work. However, it was still a drain on resources and took over a month to implement and test.
I don't know a lot about GDPR, but the requirement to permanently delete all your information is absurd, especially if you need that information for a legal context. What if a customer sues you years later and you've deleted all their information? I don't get it.
If at some point I create something that is large enough to matter, I can worry about it then and will have the resources to do so. Until then I'll continue working on software as if it does not exist. It's hard enough to build a profitable product that is valuable to people, don't need to think about any laws handicapping my creativity and design decisions.
The worst thing is those who can afford the $300k lawyers to get away with doing whatever to my privacy.
I don't have a problem with that.
If the law has a side-effect of people who suck at understanding and organizing and managing data responsibly not starting companies and making money off of data, I'm also okay with that.
Maybe the days of two guys starting a company in a garage learning how to handle other people's information before they start a company dependent on it is just beginning.
I'm also okay with that.
You don't have a right to be incompetent. You don't have a right to be clueless when it comes to databases and information. You especially don't have a right to take advantage of other people who don't understand exactly what it means when they agree to a ToS page.
The reason there are so many comments to the effect that this is a non-issue is that it's just not hard to comply unless the business you're running is doing something shady. There is nothing technically difficult about complying with GDPR. If it's hard for you and everyone in your company, I don't know what to say. Hire someone who doesn't suck at this.
This is only difficult from a business point of view. Not a technical one.
If you can't handle cascading deletes, continue to set delete=1 and overwrite the other columns with random data / empty strings / whatever.
Less risky than implementing cascading deletes, but it still effectively gets rid of PII.
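The "delete=1 plus overwrite" approach from the comment above, together with the earlier list's points 2 to 4 (let the user correct their data, remove it on request, hand it all back on request), as an added worked example that is not code from any commenter or from any real product. It uses only Python's built-in sqlite3 with an in-memory database; the `users`/`orders` schema, the sample user and the order rows are constructed for the example. Orders are deliberately kept after erasure, since another comment in this thread points out that sales records may have to be retained for tax purposes.

```python
"""Soft delete with PII overwrite, as an alternative to ON DELETE CASCADE.

The user row (and the order history that tax law may require you to keep)
survives, but every column that identifies a person is overwritten in place.
Schema, table names and sample rows are constructed for this example.
"""
import json
import secrets
import sqlite3

# Columns that identify a person; ids, amounts and dates are left alone.
PII_COLUMNS = ("email", "name", "street_address", "phone")
# Columns a user may correct themselves (the "allow the user to fix data" point).
USER_EDITABLE = ("name", "street_address", "phone")
PROFILE_COLUMNS = ("id", "email", "name", "street_address", "phone")


def open_db() -> sqlite3.Connection:
    """Create the example schema with one constructed user and two orders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            email TEXT NOT NULL UNIQUE,
            name TEXT, street_address TEXT, phone TEXT,
            deleted INTEGER NOT NULL DEFAULT 0,
            deleted_at TEXT
        );
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES users(id),
            amount_cents INTEGER NOT NULL,
            created_at TEXT NOT NULL
        );
        INSERT INTO users (id, email, name, street_address, phone)
          VALUES (1, 'alice@example.com', 'Alice Example', '1 Example St', '+1-555-0100');
        INSERT INTO orders (user_id, amount_cents, created_at) VALUES
          (1, 1999, '2018-05-01T10:00:00Z'),
          (1, 4999, '2018-05-20T12:30:00Z');
        """
    )
    return conn


def update_user(conn: sqlite3.Connection, user_id: int, **fields) -> None:
    """Let the user correct their own data, restricted to an allow-list of
    columns so a column name is never built from untrusted input."""
    bad = set(fields) - set(USER_EDITABLE)
    if bad:
        raise ValueError(f"not user-editable: {sorted(bad)}")
    for col, val in fields.items():  # col is allow-listed above; val is bound
        conn.execute(f"UPDATE users SET {col} = ? WHERE id = ? AND deleted = 0", (val, user_id))
    conn.commit()


def export_user(conn: sqlite3.Connection, user_id: int) -> dict:
    """Hand the user everything stored about them as plain, JSON-able data."""
    row = conn.execute(
        f"SELECT {', '.join(PROFILE_COLUMNS)} FROM users WHERE id = ? AND deleted = 0",
        (user_id,),
    ).fetchone()
    if row is None:
        raise LookupError("no active user with that id")
    orders = conn.execute(
        "SELECT id, amount_cents, created_at FROM orders WHERE user_id = ? ORDER BY id",
        (user_id,),
    ).fetchall()
    return {
        "profile": dict(zip(PROFILE_COLUMNS, row)),
        "orders": [dict(zip(("id", "amount_cents", "created_at"), o)) for o in orders],
    }


def erase_user(conn: sqlite3.Connection, user_id: int) -> str:
    """Soft-delete, then overwrite every identifying column in the same UPDATE.

    Foreign keys from orders stay valid, but nothing in the row points at a
    person any more. email is UNIQUE, so its filler must be unique too: an
    opaque random token rather than an empty string. Returns the token so the
    caller can log that an erasure happened without logging who was erased.
    """
    token = secrets.token_hex(16)
    assignments = ", ".join(f"{c} = ?" for c in PII_COLUMNS)
    fillers = [f"erased-{token}@invalid" if c == "email" else "" for c in PII_COLUMNS]
    cur = conn.execute(
        f"UPDATE users SET {assignments}, deleted = 1, deleted_at = datetime('now') "
        "WHERE id = ? AND deleted = 0",
        (*fillers, user_id),
    )
    conn.commit()
    if cur.rowcount != 1:
        raise LookupError("no active user with that id")
    return token


def user_row(conn: sqlite3.Connection, user_id: int):
    """(email, name, street_address, phone, deleted) for inspection after erasure."""
    return conn.execute(
        "SELECT email, name, street_address, phone, deleted FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def order_summary(conn: sqlite3.Connection, user_id: int):
    """(count, total_cents): the retained, non-identifying order history."""
    return conn.execute(
        "SELECT COUNT(*), SUM(amount_cents) FROM orders WHERE user_id = ?", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    db = open_db()
    update_user(db, 1, street_address="2 Example Ave")
    print(json.dumps(export_user(db, 1), indent=2))
    erase_user(db, 1)
    print(user_row(db, 1), order_summary(db, 1))
```

The erasure and the flag change happen in one statement, so there is no window in which the row is marked deleted but still readable with its PII. What remains (order amounts and timestamps tied to an anonymous stub) is exactly the residual linkability a later comment in this thread raises: if the retained history is detailed enough to single someone out, it needs coarsening or archiving as well, which this example does not do.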
Who are you people who can’t/won’t actually delete something from your db’s?
It’s true that compliance can sometimes be scary and requirements are not always clear. Big, company-ending fines probably keep some people awake at night.
The point is regulators don’t generally want to end your company, they want to see (proof of) reasonable efforts towards full compliance.
Compliance does take time and effort and can be technically challenging. It can be a constant overhead on regular technical / development efforts. But it also isn’t rocket science. It would help people to not overreact (also, there has been lots of time to prepare for it).
Back in the days we used to say that the Internet self-regulates. Well guess what, that's not happening anymore. Companies like FB or Google are actually breaking the web as we know it because they exploit our trust. If GDPR means that their business model will break then so be it. I have huge appreciation for Google, and none for FB, but enough is enough. And they're just the low hanging fruits. There are countless other companies out there working in unethical ways. If anyone's business model is to invade user's privacy then fuck off and die. That's not entrepreneurship, that's greed and a total disregard for human rights.
And by the way, we're not just professionals. We're also users.
The number of people who are saying it’s no big deal to comply with this huge law, especially for very small startups, is mind boggling.
You want it to sound like the second phrase is the observation that proves the first, but in my eyes the two sentences are contradicting.
You can very well be technical and/or entrepreneur and think it's "no big deal to comply with this huge law".
Because, in fact, one of the defining characteristics of being an entrepreneur is taking risk, including the risk to not comply 100% with all BS laws. And one of the defining characteristics of hackers and programmers is thinking they can solve a problem (and often underestimating how long it would take).
So your GDPR-related observation would in fact prove the opposite of what you're stating: that there are plenty of entrepreneurs and technical people on HN.
Now, if you wanted to say: "there are no conservative, risk-averse entrepreneurs, and by-the-book corporate software engineers on HN anymore", then yes, that would be something that your GDPR-related observation would support.
P.S. Note that I'm not making an argument either way. There might be many or few entrepreneurs and technical people on HN. I'm just saying that if the latter is the case, it's not at all supported by your observation re: GDPR.
The GDPR doesn’t fine small companies that aren’t making a lot of money. The fines also don’t apply fully to startups until they are a certain age, depending on country.
The GDPR doesn’t require you to delete user data that you need. That would be insane; you could obtain a loan and ask to have the record of it deleted if it did. The GDPR does require you to inform people that you keep their data, and it requires you to tell your national how you plan to keep the data safe.
You’re not required to have GDPR legal representation in one man - small companies or startups.
The GDPR is only really a problem if your business model revolves around selling private data. I won’t lose any sleep over it being harder to make a new Facebook, and I’m looking forward to seeing what new business models spring up.
I work in the Danish public sector by the way. I have around 500 systems that need to comply, some of these systems run on mainframes and have bits of software that are older than me. I’m not worried, especially not when we haven’t seen a single case in the courts. Until that happens the GDPR is really just a piece of paper because nobody knows exactly how it’ll be interpreted by the legal system.
If anything, a reduction in the rate of new startups would indicate that perhaps the market is growing MORE rational, which corroborates the recognition of risk of PII that the GDPR manifests.
We can't get to full compliance, and in the timeframe with the workload we're working with, we didn't send out a message to all of our users asking them to reconfirm that we can email them.
That's just a hassle I don't think is worthwhile at this stage. So, we're risking it. Are we going to get a $4m fine for this? No. Did we ever implement the cookie law, which because we are an embed would create a brutal UI and result in some of our customers having multiple "accept cookie" messages on a single page? No, we said screw it, it's a stupid law.
If we listened to every stupid law on the books, nobody would have any fun.
BUT, in my opinion, we work within the objective of the law. The law is about protecting users' private data. That is a good thing. Due to GDPR, we are taking extra steps to protect user data, and making it easier for users to delete their data. We have had to create Data Processing Agreements for our customers.
Take a look at the law, see what you can implement, understand why the EU has implemented the law as they have, and get as close to legal as you can.
Every start-up is making trade-offs; just because this is a big bad LAW, does that mean it should get all the attention and that your customers should suffer while you implement it?
Weigh the odds and get to work. If this kills a start-up, I suspect the start-up gave up or needed to act shady.
This is definitely doable for a one-man start-up with no lawyer.
Just like Terms of Use, take a look at what others are doing, and then copy what works for you and your business.
The number of people who are saying it’s no big deal to ignore privacy rights that should be law, especially for sensitive information, is mind boggling.
Those seem like impositions on people who implement bad practice or work in fields that have morally questionable practices regarding people's data and identification. Many people I know don't engage or work in such industries because of the moral implications of doing so and what people are doing with data.
It's not about "just ask your lawyers" or "just call HR". It's about "well, don't do dodgy/disrespectful stuff with customer data".
And if everyone is doing it or it's regarded as "best practice" (as the old joke goes, best practice is just Orwellian-speak for average), then that seems like MORE of an argument why GDPR-type activities and policies are required.
Let's take that feature because it's mentioned often, but it doesn't exist.
Read Article 17* carefully yourself. It doesn't say "permanent". It never even says the word "delete". Elementary, My Dear Watson.
* https://gdpr-info.eu/art-17-gdpr/
> at an early stage startup with one programmer, you cannot have that one programmer spending two months on compliance.
And then here's the other straw man.
An early stage startup in the US with one programmer has more to worry about from US regulation than European regulation. Nonetheless, if you want to trade with Europe then reading the ICO guidance on the GDPR for your business should take a couple of hours.
> My biggest fear is that all of these complex bureaucratic laws are just raising the bar for doing a startup.
There are so many things I care about more than whether you can create a startup with wilful disregard for people's rights.
Did you even notice that Equifax* lost control of personal data on pretty much every single American? Your name, date of birth, your SSN. Equifax did this because they are actually incentivised to make their systems as insecure as they can get away with.
The only thing you're right about is that real security has real costs, but you're not convincing me that they're not needed.
* https://www.sec.gov/Archives/edgar/data/33185/00011931251815...
You do not have to do cascade delete. Just invalidate the data that identifies the user (this includes also transaction dates).
Well, maybe it is possible to cross reference a person based on the transaction volume?
Getting a banking permit requires an awful lot of money and you have to go through a lot of bureaucracy to get it; do you also have a problem with that?
What if a startup leaked your private data, like Equifax did? would you still feel the same way about this?
If the industry would have been able to self regulate, big bad government wouldn't have dropped the hammer on them.
Sorry, but this comment has been driving me crazy. The GDPR is about 100 pages? Obamacare is 20,000.
This law may be a lot of things. It may have a huge impact. It may require companies to do things hugely differently. It may require a huge amount of work for some. It could do a huge amount of good or bad.
But, it is NOT a huge law.
I'm sitting through tons of GDPR meetings & there are quite a few conclusions amounting to "maybe we shouldn't have stored the data that way".
Can you point to the bit of GDPR that says I can have all my data permanently deleted?
> it’s getting to the point where I don’t think there are
> many entrepreneurs and/or technical people on here
> anymore.
Not sure. I tried my luck with co-founding 2 companies, but I work now as an employee. I notice that the number of stars on popular GitHub projects is rising every year, leading me to the conclusion that there is an ever-growing number of technical people. Moreover, I realize it becomes easier every year to deal with more complexity.
That said, it becomes more feasible to handle more business logic - or compliance logic if you will.
I know that especially Lean Startup proponents say one should start with low tech solutions. Also I attended an accelerator program and was surprised that most startups there were not tackling exactly super complex things. In fact one Startup worked with some kind of modified Wordpress or so - which has GDPR logic already included.
So yeah, things become more technical and complex but I think it's for the good. Also when handling other people's data I guess there should be some responsibility. For the 2 companies I co-founded data-export would have been trivial to implement as the Web Apps were AJAX powered, I would have had just to provide a link to the user. In case of Startup #1 users were anyway only there to train for some test, so it would have been no problem to delete the user records. Probably delete cascade would have been fine as I worked with backups. Deleting data from backups would have been fine as well, they take up only precious space and use up bandwidth. Startup #2 was more about producing content that was not from users.
Also I want to note that in times where TDD is something even known to barely technical people, delete cascade is safe and a no-brainer.
Anyhow, the most challenging thing looking back would be all those 3rd party tools. To name some: Google Analytics, Mixpanel, managed DB/Redis/etc. I was never a fan of any of those tools and in times of Docker, we can run our software on whichever computers seem most suitable.
> My biggest fear is that all of these complex
> bureaucratic laws are just raising the bar for doing a
> startup. Maybe the days of two people doing a startup
> in someone’s garage should be in the past? If so, that
> makes me kind of sad.
GDPR isn't really complex, it's more like a collection of vague rules and recommendations. Basically most of them are like keep only the data you need, offer export and deletion following best practices.
It's not if you're actually thinking about what you should be doing with user data from an ethical perspective. Our company has had zero problems complying with GDPR.
>My biggest fear is that all of these complex bureaucratic laws
Allow me to be extremely blunt here. If you think these laws are complex and if you have to resort to meaningless U.S. connotations of bureaucracy, you shouldn't be handling user data.
Nothing has to be automatic as far as the deletion requests go. It's fine for you to go through the db manually and grant a specific request within 30 days.
If you're big enough to get enough requests to not be able to handle the load, you can afford a couple of days of dev work.
It's mind-boggling the number of people whose interpretation of GDPR is overzealous (to the max) based on third-party interpretations. Get to the source of it and you might find it's not that bad.
You're only in trouble if your business model actually relies on doing things to the data your users would not want you to do (which could be argued is for the better good).
Just blocking them doesn't seem like that bad of an idea, especially with the fines involved.
I think the things that bother me are:
1) A college student working on a side project with no revenue is treated the same as some massive multinational.
2) It's a foreign requirement that feels like a violation of sovereignty. Most business/startup owners complain about there being too much domestic regulation; now we have to worry about things outside of our own countries -- that can also come into conflict with our domestic tax authorities on things like data retention. An international agreement would be entirely different.
3) The GDPR requires clear and concise language, but has done nothing of the sort when writing the regulations. For most websites outside of the EU, could they not have produced a concise 1-2 page infographic produced by the regulators themselves?
I have a profitable, bootstrapped SaaS business based in US. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.
I've been talking to a very well-known giant corporation (also based in the US, but with many global offices) for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless by the 4% fines in GDPR. They are putting some draconian clauses (various ISO certifications and such) in the contract that I, as a small company, cannot comply with. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.
The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.
This is the side-effect of GDPR.
I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Of course, blocking European users doesn't do anything for me since I want to do everything I can to protect user privacy.
But anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.
As a dev though, I also understand the frustration. Creating startups is already time-intensive and stressful. A lot of us are on shoestring budgets. Most startups will fail. To a solo developer in the US, the idea of spending time understanding and complying with GDPR is daunting, it's more than just a hindrance to many. Still, I don't want to break European law, so maybe it's easier to block EU users at first and change policies later if profitable.
I think blocking at least shows you respect the law, compared to just doing nothing and being non-compliant.
It will also do just about nothing in regards to the major companies that everyone had such a big privacy issue with in the first place, so not only is the regulation vague but it's also ultimately very ineffective.
> I would be very wary of a company who claims this legislation is onerous. It is potentially life threatening to companies who do very shady things without your consent. That much is true. That is the entire point.
I somewhat suspect those companies hiding behind the 'oh lets just block Europe' excuse just don't want to admit the extent of what they are doing with the data.
US citizens should take note of this, because it's their data too.
[1] https://medium.com/tsengineering/the-gdpr-blog-post-9a571b13...
Blocking Europeans sounds a lot more reasonable than having to hire a lawyer and spend double the time and effort just to be compliant while writing a new JavaScript MVC Todo List app.
I have a site that I did this with. I also wish the US would pass a law like this. And I beg to differ. No, I don't believe this is self-contradictory.
The issue is risk. I'm a one-man band - the site in question does make money most of the time, but not much, and it has always been much more of a hobby/labor of love than a business[1]. And when any legal change means I might end up with legal grief or potentially not be able to visit European relatives again, even if I generally approve of the change, I'm going to knife it because there is no planet on which the site means more to me than the risk.
My plan right now is to let the big boys who can afford it take the initial lawsuits and let them shake out what the vagaries mean, then come back in a year or so and see what my exposure would be if I let ya'll back in.
[1] Oh, and it should already be complaint, at least as I understand 'compliant'; I added notices and rejiggered a few things for selective denial and whatnot. I never have and never will sell/rent/share user data, don't integrate with any surveillance/ad networks, etc. But I have no confidence that someone won't see me as a likely target to use to make some point, and hiring a legal consultant for something this size would take it from slightly profitable to a future break-even measured in many years.
Much like China, which has managed to develop a huge internet industry because it doesn't have to compete with the American competitors, the EU's huge market will provide a lot of space for EU startups if the American competitors refuse to do business in Europe. But unlike China, the GDPR will make those European companies more competitive on the world scene rather than less.
If the choice was between 2 services, one of which complied with GDPR and one which didn't, and explicitly excluded GDPR protected users, I'd assume the vast majority of regular consumers, but definitely businesses, would pick the GDPR compliant one.
In my limited view, this is pretty much the case. When I was telling our management team about the GDPR and how it relates to our new European-focused project, the first thing the CEO said was "how do we get around this?"
Management decided we're not gonna comply with the GDPR and just hope nobody notices.
What used to be a full opt-in to the content and business model of a site, the EU wants to only get the content and choose whether or not they want to support a site's business model. You cannot have your cake and eat it too. If you want the site's content, then you should also agree to their business model to actually support it.
Unsurprisingly, now that you cannot tie a site's value with their business model, many companies are choosing to leave the EU as they assume most people don't want to pay for the content they consume (in addition to other things).
I don't know about you, but I have learned a great deal!
I've mostly learned that Eurocrats can't actually write useful regulation. Blah blah blah human rights blah blah reasonable measures. Next chapter. Blah blah envisage blah blah reasonable measures. Blah blah blah inter-government communications protocols blah blah codes of conduct.
What's a reasonable measure? How do I know if I'm compliant? How do I know if a vendor is compliant?
GDPR is a wonderful, incredible, essential document for laying out human rights for the digital world. It's also terrible and incomprehensible regulation.
When you're in "move fast and break things" mode, getting stuff working for SOME users is better than having a complete solution for all users that come much later. It's not even just about ignoring Europeans. A lot of these products and software solutions start "only available in California", or hell, only in SF. That's even true for some stuff from big companies like Amazon.
Then as you grow, you can start tackling more barriers and regulations from other countries. I mean, there's plenty of companies that won't ship to my address because they don't do business with the US. Or when I lived in Quebec, I could not participate in a lot of contests because it wasn't worth it for these entities to deal with Quebec's gambling laws. That's ok.
Even if you agree with the general idea of GDPR, even if you want to implement the tightest privacy rules you can in your software, there's more to it than that. I've watched lawyers duke it out over some of the details. My employer takes GDPR very seriously and we've done everything in our power to comply, not just with the letter, but also with the spirit of the law. But we're big, we have money, and we're actively trying to grow internationally. 10+ years ago when the company was barely afloat? I'm not sure they would have been able to deal with the fine print even if they wanted to.
There's more to GDPR than sending a silly email and adding a "Delete all the things!" button.
As for SV seeing GDPR as more of a hindrance: SV was built on the freemium model of gathering as much data as possible. Companies were funded under the assumption that their user growth would lead to valuable data stores.
GDPR and an increased privacy aware public are existential threats to these companies, as there is little chance to pivot to a non-data-use company. You have to start over.
I hope we will look back at these companies as ugly centralizing dinosaurs, as little by little, the consumers realize the power they gained back (or always had) over their usage and data does not justify these business models to exist.
(Also, GDPR, even when seen as an opportunity, _is_ a hindrance to implement. Regulation in response to market evils is known to be heavy-handed and clumsy).
Why would you think that SV would be interested in offering anything for its own sake? The vast majority of the model is to create new rent-seeking profit opportunities for investors, with internet users as a mere means to that end.
That’s the startup I’m presently working on. We’ll expand beyond the US borders (and implement GDPR) when we advance to a larger revenue stream. But right now, GDPR compliance is a distraction that interferes with gaining enough traction to help us afford the engineering and legal resources to ensure such compliance.
NOTE: we delete all client data when they cancel already. And we don’t do any creepy marketing.
This makes it difficult, if not impossible, to find links to living individuals. A ton of people have done a ton of work to build a shared public tree, and some 50-100 years of it are getting chopped off the bottom.
Don't take it seriously.
I would say this is also applicable in reference to the unintended consequences of regulations
It's a bit like a good forest fire. Out of the monocultural ash sprout (life sustaining) varieties.
To a lot of US-ians the GDPR is just some EU bureaucrat stopping them from making more $. Nothing matters apart from being able to do whatever you want and make $.
It’s just a different mindset.
Yet. Give it some time.
I guess they can afford it.
They will learn. It's a financial certainty.
On a separate note: I feel totally disgusted with the kind of people who are totally uninterested in the fate of their users. It's not exactly uncommon in Silicon Valley. Fuck these guys.
You mean like America? That time when the USA decided to enforce their embargo against Cuba by intercepting a payment from one of the Nordics for a bunch of Cuban cigars? No, that's unlikely.
> Is the EU going to extradite owners of these businesses?
Extremely unlikely; besides, that would require the cooperation of the other country. But - and this is interesting - the other countries typically expect the EU to cooperate with extraditions when the law is broken and we do. So who knows.
> Are EU courts going to issue default judgements on businesses and individuals?
Against individuals: unlikely, but it could happen; against businesses, that's typically how things go when one party doesn't show up.
But note that for that to happen you first have to ignore the regulators for long enough to get them really pissed off, an action I would recommend against.
So while blocking the EU isn’t required, the other tests they use to determine whether or not you intended to offer services to EU residents are a bit murky. In light of that, what better way is there to make your intention to not serve EU users clear to all than to block EU users? That’s the main reason to do it. This kind of blockade will not prevent all EU users from accessing your site, but it doesn’t matter. You’ll have made your intent to not serve EU users clear, which will preserve your immunity to GDPR.
It's when you start collecting personal data on EU residents, send their personal data to third parties for analytics/targeted advertising, and so on, that things get interesting.
GDPR only applies if you are providing a service to an EU citizen. That also explains what the EU will do if a company doesn't comply with GDPR (where it should); they will stop the company from providing those services to the EU citizen.
This is also why blocking EU traffic doesn't make you GDPR compliant (I can use a VPN or visit your site when travelling, and then you are still providing a service to an EU citizen).
If the case really is as you say, with just serving HTTP requests, then you have no issue with being GDPR compliant, because you don't store any information about the EU citizen. If however you are not just serving HTTP requests, but track the user or otherwise store information on the site visitor, then you may have GDPR issues. But if you do store data about your users, you really should treat the data correctly.
GDPR is common sense, and if you bother to understand it correctly, it's fairly easy to be compliant. Though I'd say, the bigger the company the more complex the implementation.
A) The law seems to extend beyond the borders of the EU.
B) It's extremely long and vague, doesn't really offer a lot of actionable advice, and nobody outside of privacy lawyers seems to really understand it fully.
C) The penalties are harsh.
Further muddying the waters, the EU and US already have some existing bilateral agreements with respect to data privacy [1], but does the GDPR supersede or unilaterally invalidate these...? Who knows?
[1] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield
That being said, the starting point shouldn't be, "there's no need to imagine that I'm violating GDPR. I only serve Americans". The starting point should be, "I had better imagine that I might be violating GDPR even though I only intend to serve Americans. Are there things I haven't considered? Are there resources I should seek out? As a service provider of some kind, hadn't I better spend a day or two imagining the ways I might run into trouble and plan to avoid it?"
My biggest _fear_ regarding GDPR is that, to me at least, it seems like a one-size-fits-all regulation for a world where only organisations are allowed to run services, and where all services are centralized. Which is not the world we live in (yet).
Then, it is surprising to me that Americans are against a national id card, but are not OK with a privacy protection law.
How can you declare they're willing and eager, if you don't have their consent, and they're not informed about your actions?
Be annoyed all you want, the only people whining about the GDPR are those showing their true colors when it comes to user privacy and agency. If you're complaining that it hinders you from using user data as you please, that's precisely the point.
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...
I suggest you read the rest of it before opining.
Smells like another right+ forward from grandma.
We'll soon get used to websites following good privacy policies, so your SaaS will just look less appealing to Europeans.
Is it really hard paying attention to how you handle people's sensitive information without selling it to third-parties?
Dropping an IP block on the EU seems to be a pretty clear indication that you aren't targeting EU users.
EDIT: Found the article https://www.troyhunt.com/free-course-the-gdpr-attack-plan/
I just wrote the post because if you want to overkill and you are lazy, you can follow our recipe to 'implement' GDPR. I just wanted to be sarcastic and also show how easy it is to implement Cloudflare Workers + Apility.io.
No. The law applies to people physically in the EU, not blanket to EU citizens. An American in Paris is protected by GDPR laws - a German living in NYC is not.
GDPR doesn't mention citizenship, it applies to any Data Subject who is a 'natural person'. The scope is stated as 'whatever their nationality or place of residence' which is universal.
So just blocking EU residents is not enough, one would have to also ensure that no other data is processed (1) within any country implementing GDPR or (2) anywhere in the world if you have a controller in the EU, his role being a sort of GDPR proxy.
Even saying 'within EU' is actually inadequate; the Isle of Man has implemented GDPR but isn't in the EU and there are probably other examples.
How the hell does the EU claim extraterritorial jurisdiction over the entire world? And people complain about America being “imperialist?”
In practice, GDPR is binding on businesses that operate within the EU. An EU citizen in the US doing business with a US-only company is not afforded any protections under GDPR.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
I love GDPR, getting rid of the WHOIS database stuff alone is enough to make me a huge fan. The option to delete my data is also amazing.
You think businesses are that forward thinking? You think there is some grand conspiracy to annoy users so that they hate regulation?
Regulations usually favor big businesses at the expense of their competitors, and the GDPR is no exception.
Isn't that the law that required these updates, pop ups, and new consent forms? Not sure how the companies could be blamed for that.
It's a Friday afternoon blog post to show how cool my product is with Cloudflare Workers and having fun at the same time!
At $200 a year there's no point spending even a few hours to figure out if I need to ensure GDPR compliance in the first place, much less to do so. No point in figuring out how to erase users if I should ever be asked to, etc.
Last night I tried to log into AdSense and turn off targeted ads because I figure that handles most of my risk and is one of the evils people seem to be trying to kill. I couldn't find the option, only found old articles about it "coming soon" on Google, and got nowhere in a half hour or so.
Are there any limits to the sizes of companies that have to deal with this? Blocking EU might be the only real option I have (although some say that's not even enough).
/s, obviously
This is only slightly more hysterical and illogical than the typical fan of the GDPR on HN seems to be.
IANAL, but if I were in your shoes, I'd either block the EU if that's easy, or just ignore this entirely. They can't enforce anything.
https://support.google.com/adsense/answer/9031649?hl=en
You can just turn off ads for a while and then turn them on again when Google has gotten their shit sorted out, or leave them on because honestly you're very unlikely to come to the attention of the regulators -- especially since they're not yet fully staffed and funded for this. :-)
Blocking EU users doesn't actually protect you, and will just piss people off -- not to mention look shady, and thereby increase the chances of you coming to the attention of regulators!
Commenters who work as 9-5 employees or have never started a company (or at least, don't mention as having done so in their profiles) tend to be more supportive of the GDPR.
Funny how that works..
I support GDPR. It's the first reasonable solution to privacy I've seen. And I hated the cookie alerts. The transition is tough and we're fighting to figure it out at the moment. But the basic principles in GDPR are solid.
Funny how that works...
I’ve been in the “online payment processing” space for decades. When I first got involved, there were no central guidelines for handling sensitive credit card data. And to be honest, there was a lot of neglect within the industry as a result. As I share memories with my colleagues of what was done in the early days it is laughable and a horror at the same time. We were all learning on our feet.
When PCI was introduced in the mid-early 2000s, it was not easy to undo / redo things to be compliant. It took time and cost money. At the time I wished I was working on features rather than “compliance”. But we got there. It didn’t kill us, and in the end we had a better service because of it.
Fast forward a decade and I found myself working on another startup in the payments space. PCI compliance was in the very fabric from which we started - we designed things from the very beginning with PCI in mind. And that made PCI much easier overall because every decision contemplated PCI.
I feel GDPR will be similar. It will be a transitional burden because existing businesses will have to undo some practices and that is hard. But going forward startups will build services with GDPR in mind from day one, weaving compliance into the fabric of the product piece by piece, and everyone will be better off for it.
I’m sympathetic to small businesses that face a difficult transition. But I do feel that the burden is in the transition, and not something that will hang overhead forever.
> Please don’t take us seriously
> This is an example of all the things you can do with Cloudflare Workers and our API. If you like it, please spread the word! But hey, don't take us seriously. We just wanted to take the drama out from all the GDPR madness out there.
Anyway: just for academic interest I’m curious how much this increases the overall request latency, as there would be one additional blocking HTTP call at the beginning. Do you have any benchmarks for that API call to check the blacklist?
But Cloudflare has servers very close to our endpoints around the world, so I guess < 50ms if you don't use SSL could be a good estimation.
We are working hard to reduce the amount of time to establish the connection. It's about 80% of the time of the request.
When my ad-blocker tells me that 50 to 200 trackers are interested in me reading some innocuous, unparsable word-blob, or watching some throwaway video, I see that as a symptom of thoughtless hoarding and unreasonable prying. This is not gathering intelligence: quite the opposite.
Were there some demonstrable, substantial benefit to all this for the end-user it might make a bit more sense. But there are no upsides to seeing shark fins at the beach.
When I guesstimate the costs -- just those of energy usage, bandwidth and man-hours, not to mention the rest -- and compare that to the supposed results (only imaginary to me, the end-user)? Sorry, it looks like madness.
It's a symptom of people not paying for content and news. Also the fact that publishers want to provide equal and easy access to everyone regardless of affordability.
> demonstrable, substantial benefit to all this for the end-user it might make a bit more sense.
The content you're consuming.
Which brings up a question, is the complexity of building and offering a GDPR-compliant solution really any different than building a solution that conforms to best security practices? I wouldn't think there is much difference. What is the remaining overhead to comply with GDPR? I am sure just understanding it is a notable piece, but would the developers already be aware of all CWEs, BCPs, existing laws and standards for their components which would also be overhead?
This is a very weak and lame attempt at just getting people to use your service when it's already built in...
1. Collect only what is necessary for providing your service
2. Make clear what you store and for what reason
3. Ask consent and give the opportunity to retract this consent as easily
Deletion:
1. PII means information that makes a person identifiable. This is the type of information that you need to remove
2. So if you are storing PII information for the use of profiling you will need to disconnect the profile from the PII information. E.g. you could use a user table where you would overwrite the PII information with generic information. You can still use the now stale profile without PII information (for example in statistics, aggregations etc), but you cannot tie it to a single person anymore. I.e. you should not be able to reconnect the person to the profile you have stored.
3. As technical possibilities evolve you need to improve the disconnection over time.
There are legitimate business reasons to store some PII information. E.g. for security reasons, other laws etc. So IP addresses don't need to be deleted from your web logs, but if not given consent you cannot use them for ads, sell them etc.
The required clarity that GDPR will bring to your data is actually going to benefit you. Your data scientists will love it, because the tooling that helps with GDPR also helps with discoverability, data quality etc.
Enjoy GDPR, there is a lot of business opportunity in it.
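The deletion recipe above (overwrite the PII columns, keep the stale profile for aggregates, keep security logs under a separate legal basis) as an added example. This is not code from the thread or from any product mentioned in it; the in-memory tables, field names and sample rows are constructed for illustration and stand in for a real database.

```javascript
// Added example (not from the thread): erasure that severs the link between a
// person and their behavioural profile without deleting the profile itself.
// Design: the PII lives only in `users`; `profiles` is keyed by an opaque id that
// is never derived from the PII; the security log has no link to either table.

// Values written over the PII columns on erasure. Constructed placeholders.
const PLACEHOLDER = { email: null, name: "deleted user", ip: null };

// Constructed sample data standing in for real tables.
function makeStore() {
  return {
    users: [
      { id: 1, email: "alice@example.com", name: "Alice", ip: "203.0.113.5", profileId: "p-1" },
      { id: 2, email: "bob@example.com",   name: "Bob",   ip: "203.0.113.6", profileId: "p-2" },
    ],
    profiles: [
      { profileId: "p-1", pageViews: 120, purchases: 3, signupMonth: "2018-04" },
      { profileId: "p-2", pageViews: 40,  purchases: 0, signupMonth: "2018-05" },
    ],
    // Retained for abuse investigation (a separate legal basis), not for ads;
    // note it carries no profileId, so it cannot re-link a profile to a person.
    securityLog: [
      { ts: "2018-05-25T10:00:00Z", ip: "203.0.113.5", event: "login_ok" },
    ],
  };
}

// Erase a person: overwrite PII, drop the pointer to the profile, record when.
// Returns false when the user does not exist (the request should be answered
// the same way either way so the endpoint does not confirm account existence).
function eraseUser(store, userId) {
  const user = store.users.find((u) => u.id === userId);
  if (!user) return false;
  Object.assign(user, PLACEHOLDER, {
    profileId: null,
    erasedAt: new Date().toISOString(),
  });
  return true;
}

// Re-identification check: after erasure, no user row may resolve to the profile
// and no PII column may still hold a real value. Returns true if a link remains.
function canReidentify(store, profileId) {
  const linked = store.users.some((u) => u.profileId === profileId);
  const pii = store.users.some(
    (u) => u.profileId === null && (u.email !== null || u.ip !== null)
  );
  return linked || pii;
}

// The stale profile still counts in aggregates, which is the whole point of
// disconnecting instead of hard-deleting it.
function totalPageViews(store) {
  return store.profiles.reduce((sum, p) => sum + p.pageViews, 0);
}

// Profile lookup by person: must return null once the person has been erased.
function findProfileForUser(store, userId) {
  const user = store.users.find((u) => u.id === userId);
  if (!user || user.profileId === null) return null;
  return store.profiles.find((p) => p.profileId === user.profileId) || null;
}

// Usage, mirroring the recipe in the comment above:
const store = makeStore();
eraseUser(store, 1);
if (canReidentify(store, "p-1")) throw new Error("erasure left a link behind");
```

The one thing this does not do is scrub the IP from `securityLog`, deliberately: the comment's point is that such a record can be kept for a legitimate interest as long as it is not reused for advertising, which in this layout is enforced by the log having no join path to `profiles`. If your profile ids were ever derived from an email address or similar, re-key them as well, since the pointer removal alone would not be enough.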
The rest of the world will continue on without them, especially as the ~middle class~ population explodes in countries where there previously wasn't one.
The US is really only the "center of the Internet" for primarily English speaking countries, as the others have regional variants of popular US based services. There is no real reason why things wouldn't just split out to Europe and Oceania even more.
- Agree to cookie
- Forced "Do you want our newsletter" prompt
- Request to show notifications
- Pop-up icon to subscribe to notifications
... and one non-intrusive top-of-page banner notification, "Awesome! Your IP is not in our blacklists of abuse...". This last item (when dismissed) may have triggered the 4th item above.
Edit: fix list formatting
https://github.com/donohoe/simple-gdpr-lockdown/
This does NOT solve the problem, it's just (IMHO) a better alternative to blocking.
This is good for both companies and users. It gives companies clear goals and policies for how to treat users, their data, and what their users want to do with their data.
I think what we're seeing is a light shining brightly on some pretty scummy practices. It's understandable why developers who rely on user ignorance to make a profit/revenue would be bummed about this, because these regulations are correctly placing the burden on you, the developer, to be forthright and honest about what you're doing with people's personal and private information.
To developers who don't want to do business in an open and honest manner, who rely on low brow tactics with user data, who didn't have the good sense to know what was coming and plan for it: Good riddance. Try again.
As a victim of identity theft, I say that burden should be on entrepreneurs to learn and write good code. I have written a lot of bad code myself but back then everyone was writing bad code to get to market as fast as possible. People who wrote good code and followed best practices for their users' privacy and security were at a disadvantage. This regulation evens out the playing field, so now good guys/gals can compete too.
Also this is not hard if you were already following the best practices for security and user privacy. Sure there is some new stuff like real deletes instead of soft deletes. I can tell you from my experience that the people who are the most stressed about GDPR are those who are working at the companies where they had very bad dev practices. One of my friends, who works at a decent-sized ecommerce shop, had to finally get rid of CC numbers in their logs. That guy had been pushing for better security and dev practices but would get overridden by managers and team leads.
I am glad that GDPR is finally forcing higher ups to finally improve their dev and security practices.
A more effective way might be to ask on page load if the user is an EU citizen. You know, like some financial website asking you if you are a US citizen on page load [0] (I remember Marshall Wace's old website doing it, it looks like they do not anymore).
And EU traffic being the "most malicious"? Is this satire, irony, or something else? Seriously, if I go on website W and they go through all the dark patterns possible to collect and share my data without me knowing about it and I'm the malicious one? Better read that than being blind...
[0] https://www.quora.com/All-of-a-sudden-Bank-of-America-is-ask...
I was going to go to town on it until I did a quick pre-emptive search but I had no idea about this being a thing: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/451 - 451 Unavailable For Legal Reasons
I'll assume that 451 is designed to be available if a canary might be required at short notice.
http://webcache.googleusercontent.com/search?q=cache:xrEsOXE...
Judge for yourself!
No serious and earnest would/should consider this.
Your work affects lives. Period.
Does the GDPR suggest that, if a "data subject" in the EU accesses my website without my consent, the EU will view me as subject to its legal system?
But this thread and others just show how people will continually lie when it comes to the politics of GDPR. And when they don't want to lie, they partake in whataboutism. Even EU bureaucrats seem to be willing to partake in at least promoting the idea that it's a global law for their political agenda, when they know it's not.
I don't know why people continue to lie about the jurisdiction of this law, when everybody here knows it's not true.
Or is it really just identification details like name, address, etc.?
Here is an example of blocking all EU country codes without using any external APIs.
https://gist.github.com/icodeforlove/9d22e44d0f227cb2740fd3d...
- This is insufficient for GDPR compliance. Besides the other points mentioned in this thread, you also need to delete any data about EU residents you have already collected.
- CloudFlare sets a geolocation header, you can probably just use that without consulting a third party, without adding any latency!
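Putting the two comments above together (a static EU country list, and Cloudflare's own geolocation instead of a third-party API call), here is an added example of a Cloudflare Worker that answers EU/EEA visitors with 451 Unavailable For Legal Reasons. It is not the linked gist and not the blog post's Apility.io recipe. `request.cf.country` and the `CF-IPCountry` header are real Cloudflare features; the country list is constructed here from 2018 EU/EEA membership and has to be maintained by whoever deploys it.

```javascript
// Added example (not the gist or the blog post's code): geoblocking at the edge
// using Cloudflare's request.cf.country / CF-IPCountry, no external lookup.
// Country list constructed for illustration: EU members as of 2018 (GB was still
// a member then) plus the EEA states; keep it current before relying on it.
const EU_EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "GB",             // EU (2018)
  "IS", "LI", "NO",       // EEA
]);

// Pure decision function so it can be tested without a Worker runtime.
// Cloudflare reports "XX" for unknown and "T1" for Tor exits; both are treated
// as "cannot prove non-EU" and refused, i.e. the policy fails closed.
function decideByCountry(code) {
  if (!code || code === "XX" || code === "T1") return 451;
  return EU_EEA.has(code.toUpperCase()) ? 451 : 200;
}

// Worker entry point: consult request.cf first, fall back to the header that
// Cloudflare adds to every proxied request.
async function handleRequest(request) {
  const country =
    (request.cf && request.cf.country) || request.headers.get("CF-IPCountry");
  if (decideByCountry(country) === 451) {
    return new Response("Unavailable for legal reasons", {
      status: 451,
      headers: {
        "Content-Type": "text/plain; charset=utf-8",
        // Never let a cache serve the 451 to a non-EU visitor or vice versa.
        "Cache-Control": "no-store",
        "Vary": "CF-IPCountry",
      },
    });
  }
  return fetch(request); // pass through to the origin
}

// Register only inside a Worker; this guard lets the file load under Node too.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Two caveats that the thread itself raises still apply: this signals intent not to serve EU residents, it does not make stored data about them compliant, and a VPN or a travelling user defeats it, which is why the status is 451 (a plain statement of why) rather than a silent drop.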
Block EU is totally reasonable for all these. Is it necessary?
https://gist.github.com/botsplash/bf494ea9e95d945229a0a667a5...
(Some of the more famous blocked websites are similarly misinformed, e.g. the Chicago Tribune tries to tell me I'm in the EU and blocks me.)
Not that we got the best UX from that one, where I'm constantly reminded cookies are a thing, via a large blocking box requiring user interaction, like a pop-up ad for something I already know and can totally control on my end.
There's a saying about how internet considers censorship damage and routes around it? Maybe better: the internet considers regulations information, and anycasts them, regardless of their quality.
China's a bit of a counterexample. Maybe the firewall is bidirectional, keeps democracy out and censorship in?
Maybe that's the endgame, balkanization. Some people will get to live under paternalistic maximalism, some under authoritarians hunting dissidents, some under anarchocapitalism, all dystopias in their own special way. And some of us will flee to Tor and .onion sites and encrypted signatures where we manage our own privacy and prevent third parties from auditing our communications.
Edit, "brevity."
I asked a data protection specialist, a real expert on the legislation, but they couldn't answer that question for me.
There is no possible way they can enforce any law, fine or penalty outside their borders. They won't even try.
Imagine if the law was layered, as in - below a certain size, you could get away with unintentional mischief.
Or is handling user data responsibly one of the new "three greatest challenges in computer science"?
In other words, an EU citizen residing in and accessing the Internet from the US has just as much right to invoke the GDPR with these sites as an EU citizen residing in and accessing the Internet from the EU. Blocking people accessing your site from the EU does not allow your site to not respond to such requests.
Or we get better privacy abroad.
Seems a win-win.
A simple, straightforward guide to GDPR compliance for small-medium size websites who otherwise would have difficulty complying, including FOSS well-executed software extensions that make it even easier:
* Backup compliance
* Database deletion performance improvements
* Legal explanations à la tldrlegal [1]
Haven't done general population-facing web dev for a while, but it seems fairly straightforward. How to monetize it, if at all, I'm not entirely sure. Maybe charge a reasonable fee for short consultations which consist of essentially running down a checklist?
I'm not in the EU. You don't need to block me.
If you already have information on EU users, you may be violating GDPR anyways.
Maybe someday they will learn?
The law makes perfect sense, it's not that hard to be compliant, and businesses with good ethics will already be compliant!
If I have a user agreement that my users agree to, I don't particularly care what another country thinks about what kinds of privacy they think my users are entitled to. I would already have a legal agreement in that case.
Europe has got most of its wealth through imperialism back in time robbing countries of Africa and South Asian countries.
This is the primary reason countries of South Asia/Africa are so poor today.
Before imperialism, most of Europe was poor while countries like China and India were way richer.
India is just 70 years old by comparison which is not long enough to make back the lost wealth due to its sheer size and diversity.
Now, American companies are able to extract a huge amount of money from European nations through mostly legal (maybe unethical?) means, using companies like Google and Facebook. They are set to make this illegal.
It's nothing more than a wealth preservation strategy. European nations can't compete against America and rising nations (India, China etc...) due to their aging population in the near future.
So, they are going to shut off the market by making unreasonably harsh laws which are quite difficult to comply with.
You are finding compliance difficult because it's intentionally part of their design.
Keep an eye open and expect more unreasonable laws coming out of the EU in the near future. They are not going to stop here.
I am very disappointed in all of you guys, just got one thing to say: FUCK YOU!!!
Just use Content-Security-Policies to block your pages from loading anything but safe assets/services.
You will need to politely ask those not using browsers that support CSPs to switch/upgrade.
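The CSP approach in the comment above, as an added example that is not the commenter's code: a policy builder that allows first-party assets plus an explicit allowlist, and a small matcher that shows which resource loads the policy would permit (so you can see that an unlisted tracker host is refused before shipping the header). The hostnames are constructed placeholders, and the matcher covers only the source forms the builder emits ('self', 'none', scheme sources and host sources with an optional leading wildcard), not the full CSP grammar.

```javascript
// Added example (not from the thread): a strict Content-Security-Policy that
// only permits first-party assets plus a named allowlist, with a minimal matcher
// to show which resource URLs it lets through. Hostnames are constructed.

// Build the header value. `allowed` lists extra hosts per resource type.
function buildCsp(allowed = {}) {
  const directives = {
    "default-src": ["'self'"],
    "script-src":  ["'self'", ...(allowed.scripts || [])],
    "img-src":     ["'self'", "data:", ...(allowed.images || [])],
    "connect-src": ["'self'", ...(allowed.connect || [])],
    "frame-src":   ["'none'"],  // no third-party iframes at all
    "object-src":  ["'none'"],  // no plugins
    "base-uri":    ["'self'"],
    "form-action": ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a header value back into { directive: [sources...] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression allow `url` when the page is served from
// `pageOrigin`? Only the forms emitted by buildCsp are handled; ports and
// path restrictions are deliberately out of scope for this illustration.
function sourceAllows(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.endsWith(":")) return url.protocol === src;          // e.g. data:
  const host = src.replace(/^https?:\/\//, "");
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would the browser load `resourceUrl` as `directive` (e.g. "script-src")?
// Fetch directives that are absent fall back to default-src, as in the spec.
function allowed(csp, directive, resourceUrl, pageOrigin) {
  const policy = parseCsp(csp);
  const sources = policy[directive] || policy["default-src"] || [];
  const url = new URL(resourceUrl);
  return sources.some((src) => sourceAllows(src, url, pageOrigin));
}

// Usage: allow one CDN for scripts, then check a first-party asset, the CDN,
// and an unlisted tracker. Send the value as the Content-Security-Policy
// header (or Content-Security-Policy-Report-Only while rolling it out).
const csp = buildCsp({ scripts: ["https://cdn.example"] });
const page = "https://site.example";
allowed(csp, "script-src", "https://site.example/app.js", page);   // true
allowed(csp, "script-src", "https://cdn.example/lib.js", page);    // true
allowed(csp, "script-src", "https://tracker.example/t.js", page);  // false
```

Rolling it out as `Content-Security-Policy-Report-Only` first, with a `report-uri`, tells you which legitimate assets you forgot to list before the enforcing header breaks them, which is the practical form of "politely asking" users and vendors to fit the policy.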
Hey, blame the ones who planned your project, not the EU.