If anything, it was the big players getting work to do. Thousands of people on mailing lists with no control of how they got there. Asked for and kept insane amounts of unnecessary data. Data floating in hundreds of database tables spread over various services and third party vendors and data centers with no control. Cleaning up that was a huge job.
Of course, they are unlikely to come after a startup for an infringement like that, but the point is that they could if they wanted to.
If you were storing IP addresses to track and market to users, you need consent.
If you’re using them for logging and security purposes, I think that falls under legitimate interest.
My point is: it's really not that easy. It should be easy to get clear guidance on something straightforward like this, and not have to resort to Stack Overflow answers.
Where and how was that established? There are obvious operational and security reasons why the operator of a website might reasonably log access information, and there are lawful bases for processing data under the GDPR other than having the subject's explicit consent.
I highly doubt you as a non-shady actor will be punished because of your server logs as such.
Start selling or otherwise sharing them with ad companies, directly or indirectly, and you deserve and should expect a GDPR fine as soon as they can, if you are in a jurisdiction where GDPR applies.
Same if you involuntarily leak data because of gross negligence: passwords in cleartext, unnecessary data collected and stored and later leaked, etc.
In many cases I understand authorities will even contact companies first and try to guide them toward a compliant solution instead of fining them right away.
That said, I wish there were some clarifications given with regard to server logs and IP addresses; running without them is in many cases gross negligence in itself.
Basic logging is first year defense against black arts curriculum.
Clearly we're not going to ask for consent to track someone who is systematically probing our site for vulnerabilities, or someone who is attempting to use us to validate presumably stolen credit card details, or a group who are obviously sharing a password to gain unauthorised access in violation of our terms of service.
Also, the purpose(s) of data processing matter, not just the data itself. It's not as simple as only gathering what you need. You also have to ensure that what you gather is used appropriately, and that you have the means to respond to the various rights that subjects have by law.
Thousands of people on mailing lists with no control of how they got there.
Actually, that was one of the tricky areas when the GDPR came in, and something almost no-one got right despite good intentions. Specifically, the widely accepted best practice for managing a mailing list had long been to use double opt-in, thus verifying that the subscriber really did intend to receive the messages, and to provide a simple, automated unsubscribe facility. However, unless you had kept all the confirmation replies, under the GDPR you might not have met the required standard for evidence of each list subscriber actively opting in to receive your mails.
That led to a wave of messages being sent out to mailing lists asking subscribers to confirm they still wanted to receive the mails. This was particularly ironic because if those subscribers hadn't already intended to consent then those messages were probably themselves in violation of existing law in much of the EU even before the GDPR came in. The difference was that before, no-one was seriously worried that a legitimately operated mailing list with double opt-in was going to be targeted for business-crippling penalties, but with all the ambiguity around the GDPR and the uncertainty around how it was going to be enforced, a lot of people panicked.
[] keep me informed about products
checkbox hidden somewhere in a purchase form, often pre-checked even though that's illegal. Recently I was somehow added to the mailing list of a car dealership after getting my car checked up there, and can't even unsubscribe without creating an account on their website.
I'm sure there are some legitimate mailing lists out there, but there are so many others that are scummy and in flagrant violation of the law. It's hard to shake the feeling that making things harder for mailing lists in general is going to be a net win for consumers.
More recently, it's more about web forms and hosted services and so on, but typically you can't add subscribers on popular mailing list management services without either having the service run that kind of double opt-in check automatically or going through some kind of alternative process that involves explicitly confirming to the service that you have the required consent from somewhere else when adding the addresses directly.
There are loads of legitimate mailing lists, and the software and services running them have worked reasonably for decades, you just apparently haven't come across them. Not that I disagree with you that there are plenty of scummy ones as well, sadly.
I can see how it's a tough pill to swallow that that was exactly the point.