Our startup received GDPR violation “notice” (opens in new tab)

(jitbit.com)

32 pointsjitbit2y ago28 comments

28 comments

23 comments · 9 top-level

ajmurmann2y ago· 5 in thread

Would it be a crazy move for an early-stage startup to block access from the EU till product-market fit is established and one can focus on expansion and more compliance?

jitbitOP2y ago

I personally don't think you should.

The EU authorities have stated multiple times that they won't chase small startups and mom&pop shops with this. They explicitly target big-tech with this law (can't remember where I got this from, currently looking for a proof-link in another tab... will update the comment if I find one)

Currently the fines do seem to correlate with the company size. E.g. Amazon Ireland has paid 750 million, Google - 90 million... While this one-man webmasters form Germany and Austria - $50 bucks and $100 bucks

orwin2y ago

Not totally true. If you're working with public institutes (universities in my case), they will ask you to comply to the major points (and help you comply, they effectively gave us two man-day of an architect, which, for a company with 3 dev, is huge).

Dylan168072y ago

Which part of that post are you calling "not totally true"? I don't see any conflict between what they said and what you're saying.

1 more reply

consoomer2y ago

Unless you have nexus in the EU, there's nothing they could do anyway. Even if they wanted to fine you.

Arnt2y ago

It's a startup, it'll want to write a term sheet at some point. Term sheets have to mention this kind of thing.

kstrauser2y ago· 4 in thread

> After all I'm actually in the European Union, while he's just a little peice of... (that's where I inserted a bunch of Serbian curse words that I had to google).

That’s a bad look. Swap “United States” for EU there to see what I mean. If you’d said “you’re not in the EU so you don’t have legal standing here”, cool.

arp2422y ago

You omitted the bit before this, which is crucial context:

P.S. Oh, but you bet I replied to that Bosnian scammer. After poking around on his "europedataprotection.com" site using dev-tools, guess what I found? You got it, network requests to fonts.gstatic.com

I shot back a message, letting him know HE owes ME a thousand euros. Or better yet, a million. After all I'm actually in the European Union, you little peice of... (that's where I inserted a bunch of Serbian curse words that I had to google).

kwhitefoot2y ago

What's especially bad about it? Swearing at someone who has just tried to commit fraud against you strikes me as perfectly reasonable. It's what swearing is for.

kstrauser2y ago

Swearing at them that they're wrong: good.

Swearing at them that they don't have the same nationality: not good.

Dylan168072y ago

It's about location, not nationality. And mostly the scammer's location, not the author's.

Also I choose to swap “United States” for Bosnian, because the mental image of sending a bunch of US swear words from google is quite funny.

kwhitefoot2y ago· 3 in thread

> The tricky part is that it's not just for EU citizens, but anyone in the EU.

Why is this regarded as tricky? Laws generally apply to everyone in the jurisdiction not just citizens; why should it be tricky or surprising that this is also the case for laws regulating activities on the Internet?

twosdai2y ago

Correct me if I am wrong, but I believe this was meant to mean a technically more tricky problem.

If it was citizens I could see a case being made that protection implementation could be based on the inputted address that is required for billing or shipping. If it's solely based on if you're physically in a country, then you need to determine in your app if the user is currently in an eu country or not. Which to me at least is more technically difficult, than just going off of a user entered address.

chrismcb2y ago

Typically things like this go off the IP address. And while it is more difficult than going off of an inputted address, it isn't that difficult. But it is also what you need to do. As an American, if I travel to Europe I'm protected by gdpr laws (and one reason why I get spamed by the "accept cookie" popups even from sites I normally visit it have a US address associated.

SAI_Peregrinus2y ago

Someone physically located in the EU using a VPN with an endpoint outside the EU is still covered by the GDPR. Just going off IP address will miss this.

ericfrazier2y ago· 1 in thread

That's the trick, make yourself bulletproof from lawsuits by having no money or assets and you can do as you like.

varispeed2y ago

Or, conversely, just become rich and have all the money and assets you can have and do as you like.

In the end any fines are so small (if you are unlucky and your legal team has a slip up), you won't even notice them.

playday2y ago· 1 in thread

Using Google fonts is a type of fraud since most users don’t know that you’re giving Google some of their Pii.

Thankfully it’s easy to block with noscript. Too bad for people who don’t have technical knowledge or have other limitations that prevent them from protecting themselves from personal information theft.

interroboink2y ago

nit: using Google CDNs is the problem, not the fonts. You can self-host the fonts without issue, AFAIK. Google even provides a guide for it: https://fonts.google.com/knowledge/using_type/self_hosting_w...

brycewray2y ago

FWIW:

- https://github.com/google/fonts/issues/1495

- https://github.com/google/fonts/issues/5537

gochi2y ago

That's funny, demanding the scammer pay more after finding out their scam site uses google fonts too.

LaundroMat2y ago

If you're worried about GDPR or your users' privacy when using Google Fonts, someone wrote privacy-friendly drop-in replacement at https://github.com/coollabsio/fonts

varispeed2y ago

> In January 2022, a German court in Munich did establish a precedent - they deemed the use of Google Fonts a GDPR violation. The website owner had shared IP addresses with Google without getting users' consent first. And because IP addresses are apparently "PII" or Personally Identifiable Information, the result was... a whopping 50 euro fine for the webmaster.

As predicted. Busy bodies going after low hanging fruit and bullying small business while big corporations can basically ignore GDPR - the fines if ever comes to it is just a cost of running business.

j / k navigate · click thread line to collapse

28 comments

23 comments · 9 top-level

ajmurmann2y ago· 5 in thread

Would it be a crazy move for an early-stage startup to block access from the EU till product-market fit is established and one can focus on expansion and more compliance?

jitbitOP2y ago

I personally don't think you should.

orwin2y ago

Dylan168072y ago

Which part of that post are you calling "not totally true"? I don't see any conflict between what they said and what you're saying.

1 more reply

consoomer2y ago

Unless you have nexus in the EU, there's nothing they could do anyway. Even if they wanted to fine you.

Arnt2y ago

It's a startup, it'll want to write a term sheet at some point. Term sheets have to mention this kind of thing.

kstrauser2y ago· 4 in thread

> After all I'm actually in the European Union, while he's just a little peice of... (that's where I inserted a bunch of Serbian curse words that I had to google).

That’s a bad look. Swap “United States” for EU there to see what I mean. If you’d said “you’re not in the EU so you don’t have legal standing here”, cool.

arp2422y ago

You omitted the bit before this, which is crucial context:

kwhitefoot2y ago

What's especially bad about it? Swearing at someone who has just tried to commit fraud against you strikes me as perfectly reasonable. It's what swearing is for.

kstrauser2y ago

Swearing at them that they're wrong: good.

Swearing at them that they don't have the same nationality: not good.

Dylan168072y ago

It's about location, not nationality. And mostly the scammer's location, not the author's.

Also I choose to swap “United States” for Bosnian, because the mental image of sending a bunch of US swear words from google is quite funny.

kwhitefoot2y ago· 3 in thread

> The tricky part is that it's not just for EU citizens, but anyone in the EU.

twosdai2y ago

Correct me if I am wrong, but I believe this was meant to mean a technically more tricky problem.

chrismcb2y ago

SAI_Peregrinus2y ago

Someone physically located in the EU using a VPN with an endpoint outside the EU is still covered by the GDPR. Just going off IP address will miss this.

ericfrazier2y ago· 1 in thread

That's the trick, make yourself bulletproof from lawsuits by having no money or assets and you can do as you like.

varispeed2y ago

Or, conversely, just become rich and have all the money and assets you can have and do as you like.

In the end any fines are so small (if you are unlucky and your legal team has a slip up), you won't even notice them.

playday2y ago· 1 in thread

Using Google fonts is a type of fraud since most users don’t know that you’re giving Google some of their Pii.

interroboink2y ago

brycewray2y ago

FWIW:

- https://github.com/google/fonts/issues/1495

- https://github.com/google/fonts/issues/5537

gochi2y ago

That's funny, demanding the scammer pay more after finding out their scam site uses google fonts too.

LaundroMat2y ago

If you're worried about GDPR or your users' privacy when using Google Fonts, someone wrote privacy-friendly drop-in replacement at https://github.com/coollabsio/fonts

varispeed2y ago

j / k navigate · click thread line to collapse