Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This does not discuss whether nonusers will be asked to opt-in. Curious how GDPR will change tracking people w/out FB accounts.


This does not discuss whether nonusers will be asked to opt-in. Curious how GDPR will change tracking people w/out FB accounts.

IANAL. The only argument I'm aware of that data controllers can make for processing data without consent is if there is a legitimate interest: if the data controller needs to process the data in fulfillment of a contract/service. I wonder how this will play out for non-users. It would seem there's no legitimate interest there.


"In order to provide tagging service to our users, a key platform feature, we are required to maintain and process data about individuals with which Facebook, Inc. does not have a pre-existing business relationship ("Non-Users"). Failure to do so would cause substantive harm to our service, and should therefore be exempted from gathering consent from Non-Users under Article 21, Section 5 of the GDPR."

Something like that, I expect, although I'm not a lawyer either.


Processing without consent doesn't work for multiple parties.

You can't claim that because you need to provide service for someone else you need to process data of non-users.

The users of which you collect data is required to be part of the service or contract to fulfill unless you have a damn good reason not to and "we need to provide this service because we go belly up otherwise" won't fly, IMO. A legitimate interest would be stuff like "we will make backups of our data, ensuring that deletion requests are carried out upon restore, to continue providing service in case of disaster" or "we will log your IP temporarily because we need to provide essential network and information security"

[Laid out in https://gdpr-info.eu/recitals/no-40/]


You can already see it on many sites. They're basically just a more forceful version of cookie notifications with language about third party tracking thrown in that force you to say "OK" or tell you to leave. Here's an example:

http://prntscr.com/j67usw

FB, as with all third party trackers, isn't the one actually responsible for notifying you about the use of their pixels etc. on third party sites. The site operator using it is. See https://developers.facebook.com/docs/privacy


this is fundamentally insufficient, though.

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)

as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.

the only way i've found to defeat this behavior is by using ublock's origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but does prevent visiting a website which has an embedded image hosted on a FB domain from being loaded, which defeats the more nefarious FB tracking.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...


Yeah, but that's easy enough to deal with. You simply don't load any third party stuff (or allow them to see your content) until they click "OK". Some simple javascript is all it takes to delay loading of everything not on the current server.

So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.

On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.


what you've suggested seems OK technically, but i feel like you're making an assumption that originating source of traffic determines citizenship of the user.

it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.


but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).


Hmm. I'm not sure about that. If Apple and Google won't pull out of China even though China makes them do all sorts of business stuff they disagree with, I highly doubt they (web companies) would pull out of the entire EU.

It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.


Google did effectively pull out of China in 2010 [1].

But in the case of the GDPR, it probably helps Google and Facebook more than it hurts them -- they can afford to jump through all of its hoops while smaller competitors might have trouble. It's essentially a barrier to entry.

[1] https://en.wikipedia.org/wiki/Google_China


Of course not, because Apple, Google, Facebook et al have the resources to spend millions on attorneys to implement the GDPR. My comment comes from the perspective of an operator of several small sites that get a total of a few million visitors per month combined. I'm not spending millions on attorneys, and EU traffic is only incidental to my sites anyway, so I am indeed taking my ball and going home.

This will make a difference for some users on some of the forums I run, as they will be banned with an apology and an invitation to come back if they ever move out of the EU. But it's not worth taking on the liability of potentially millions of dollars in fines for accidental non-compliance with a heavy handed, massively complex law that is up for different interpretations in the courts of no less than 28 unique countries. Unless you're in the EU or are a multi-billion dollar company with a large legal department, accepting EU traffic post-GDPR is an act of insanity.


Are you hosted in Europe, and/or do you do business from the EU?

No? Don't bother instituting a stupid ban like that, then. And stop scaremongering.

GDPR applies to businesses.

Besides, compliance isn't too bad for something like a forum. Just purge the relevant user records and posts, if requested to or when a user deletes their account.

Source: I am doing GDPR compliance on web applications for a major telco.


GDPR applies to businesses.

I have a business. And yes, I have spoken to GSPR compliance people, so GDPR has already cost me enough money. Compliance is a murky proposition at best, since this law can be interpreted in different ways in 28 different countries - all of whom will be looking for ways to maximize the fines they collect under it from foreign companies.

Since you are in the GDPR compliance space, surely you know that it does apply not just to businesses that are hosted in the EU or do business there. Rather, anyone that knowingly accepts traffic/data from the EU is vulnerable to it.


And that's a good thing. Privacy is a basic human right, and it's about time we got some regulation of this area.


You seem to have complected extensive indiscriminate data collection with simple advertising and the more fundamental point of connecting and serving people.

You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy destroying data collection. This model worked fine previously and it will work fine in the future. If anything hardware and tools are damn near amazing compared to the bygone past.

I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other market to the original fools detriment.

There is in fact no reason to believe other markets including the US wont ultimately discover the merits of protecting their citizens privacy considering that in the US perhaps 171k work in the advertising industry out of 300 millions.

How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them and if they can't figure it out, then I hope the food stamp program still exists so they wont have to stand outside 7-11 with placards reading "will lie for food".


>"the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home"

And leave millions and millions in profit on the table for everyone else?

That the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.

They're not going to throw away profitable markets just like that. And if they do, good riddance.


if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent

This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?


It doesn't matter if you load an image off fb.

per GDPR, without consent, fb cannot legally use that data (for EU residents).

And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.


You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.

Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.


[flagged]


it's the controller's (in this case FB is def a controller) responsibility to ensure that their use of data has a legal basis

You're correct. They are ensuring it by placing it in their terms for the use of their code/images on other sites. Nowhere in the GDPR does it say that every third party whose content may be placed on a site must themselves obtain consent. What exactly do you envision? That each page you load have 40 different consent dialogs show up?


How about most sites don't load resources from 40 different sites. Alternatively how about facebook ask for the users consent once to track them all over the web and remember that users choice.

On ingress the data could be deleted if it didn't correspond to a user that had given consent.


nope, try again.

FB doesn't get to use the data unless it's consented by the end user.

It is distinctly not GDPR compliant for FB to claim that their TOS requires consent so it's not their problem. Feel free to read the discussion about co-controllers (called as joint controllers) and particularly the A29WG guidance.


Again, under your (incorrect) interpretation of the GDPR, what exactly do you envision? That each page you load have 40 different consent dialogs show up - one for each tracker and external image that is on the page? Some have hundreds.


Yes, this is (finally) correct.

For each external tracker, you will have to consent that use. By name. Per discussions you can find via google, even naming a well-defined class of 3rd party controllers is not enough; they have to be individually named.

This is the impact on adtech. See eg https://pagefair.com/blog/2018/granular-gdpr-consent/ . Or digiday, which is not exactly anti-adtech. https://digiday.com/media/gdpr-will-change-facebook-ad-targe... .

The fact that some page may have hundreds of co-controllers is immaterial, unless you envision "we don't want to" as a defense to the privacy regulators.


I think we'll have to agree to disagree. I expect that EU users won't be spending all their time on the web issuing 50 approvals for each page they load. You may so despise ad-supported services that this is your dream for the world, but unfortunately for your dream (and fortunately for all users that actually want to be able to use the Web), even the heavy-handed GDPR does not mandate this.


I don't know why you think me relating a correct understanding of the GDPR is my endorsement (or not!) . This is what the GDPR requires. You've cited no sources for disagreeing with the formulation of the GDPR as pushed by the very privacy orgs who are in charge of it in 6 weeks.


It still doesn't need to be 40 dialogs. It can be one dialog that provides information about all 40 third parties.


True! I don't think I ever claimed otherwise, just that they have to be individually consented. And nothing prevents someone from adding an approve all button, but it cannot be the default.

See even the IAB's (can't wait to hear how they don't support adtech either) consent dialogs http://advertisingconsent.eu/wp-content/uploads/2018/03/Tran...

page 16-18. And note the consent on page 16 is invalid; the GDPR is crystal clear that consent must disclose all co-controllers.


One of the main points of the GDPR is that this sort of treatment is unlikely to be legal any more, to the extent that it ever was. Processing based on consent is now going to require active consent that can't be opted-in by default or hidden away in legal wording no-one ever reads. It's going to be tough to argue that tracking someone who isn't connected to your business/organisation has any of the acceptable bases other than consent. And without some clear basis, processing is going to be prohibited by default.


I wonder how many companies are waiting to see how this will be enforced before making the change. If GDPR is really actively enforced and causes some real pain to companies, then I expect your prediction will be accurate. If it isn't, I expect a lot of sites will do something less than what GDPR says.


I'm curious what about that notification is "hidden away in legal wording" or doesn't "require active consent". You have to agree with it to make that go away.


At least the way my multi-national employer is interpreting it, under GDPR you can't get away with "click here if you agree with our privacy policy". You have to explicitly say everything that is tracked, everything that is stored, how long, and why it is required for use. If it's not required for use, you can't ask for it and you can't store it unless the person explicitly says yes. If they say no, you have to let them use it anyway, without the tracking and without the storing.


> If they say no, you have to let them use it anyway, without the tracking and without the storing.

This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.


I have to wonder whether at some point the EU is going to become so aggressive that the big US tech firms really do start calling their bluff. Stronger legal privacy protections may be long overdue in our modern, online world, but that particular measure is transparently aimed at undermining entire business models that have supported services evidently valuable to literally billions of people around the world, and that may be a bridge too far.

If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).


> but that particular measure is transparently aimed at undermining entire business models

Yes, but that's the entire point. That's why this regulation exists That's why it has so many fans here on HN.

Not sure if there's a qualitatively different way of achieving the same goal with a different method. There probably isn't, so it boils down to a careful balancing act - how to damage those business models without going overboard and having all US companies show EU the finger.


They can still make plebty of money from ads, they just can't track users who don't agree to be tracked.


> If they say no, you have to let them use it anyway, without the tracking and without the storing.

That part of what he said is incorrect. The EU may be able to do alot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.


You can if you don't have holdings and offices in the EU and don't intend to travel there.

What are you going to do if the US adopts a similar law? Move all your holdings to mexico?


I'd be fascinated to see what that looks like.


This might not be a great long term strategy, I'm expecting one or two buzzfeed-like websites to be put up against the wall and shot over this. I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

If you're running a website with one of these, I strongly suggest you make sure you record whether people accept and actually boot them off the site of they don't. GDPR article 7 section one requires a website to be able to demonstrate that I have given consent, and recital 32 requires that that consent be specific and unambiguous. It's doubtful that "by continuing to use this site you agree..." statements will be satisfactory, especially if you start the tracking the instant they hit the page, before they can click that ok button.


I've always dealt with the cookie notifications by using ublock to simply block that element, I never click "ok". I've never had a website actually stop me from using it when I do this until google changed their search page a few weeks ago.

I imagine that you simply won't be able to use websites anymore if you are from the EU and don't give consent. You'll just be told to go away.


It's trickier than that for the website owner. EU citizens accessing websites through VPN's are still protected by GDPR.


As are non-EU citizens while in the EU, in some cases, and possibly even non-EU citizens not in the EU while using a service centered on providing them with e.g. travel arrangements in the EU. As a lawyer specializing in GDPR recently told me. Even investigative data journalists are going to have a lot of fun with the consequences of GDPR if she's right.


In that case, you won't have any reason to believe that they are an EU citizen unless and until they indicate otherwise, and there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens. On my sites that don't get alot of EU traffic anyway, I'm simply blocking EU IPs, and on all registration forms, I've removed EU countries from the country selection for residence, and put a notice that says "You may not register for this website if your country is not listed above".


>there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens.

I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.

Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were european, honest". It is not, in fact, specifically about european citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.

How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.


It's a massive document so I'm not going to go through and find it, but here's an interpretation of what I'm talking about [1]:

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

So if someone is going out of their way to mask the fact that they are from the EU, and you aren't otherwise seeking out EU users, you're not going to get in trouble for that. One issue I have with it though is that translation may trigger GDPR exposure, and since Spain is part of the EU, many sites aimed at Spanish speakers (but not aimed at the EU) may have this beast of a law apply to them. I operate a few sites that have Spanish content, so that is deeply troubling.

[1] https://www.gtlaw.com/en/insights/2018/2/the-gdpr-deadline-l...


Given that there is an entire continent whose people speak mostly Spanish (and with the remaining Portuguese speakers vastly outnumbering the ones in Portugal, too), I don't believe that providing a service in Spanish will go far as evidence that you're targeting EU citizens specifically.


response to: https://news.ycombinator.com/item?id=16870636

This thread is now too deep for me to respond to your comment.

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.

Read more here: https://gdpr-info.eu/?s=occasional

But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.

Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.


The experts that I talked to in this space in deciding to close my sites to EU IPs have all said that the GDPR probably doesn't apply to incidental traffic - especially if someone is actively trying to hide the fact that they are in a GDPR area. But nobody can guarantee a single thing, because it's so broadly written and is up for unique interpretations in each of dozens of foreign countries. It meets the very definition of a bad law - too broad and will cause decreased economic opportunity for those that are subjected to it.

FYI you can reply to other posts when the thread is this deep by clicking on the "X minutes ago" thing on the comment your want to reply to.


Ah, neat.

Experts say a lot of things on GDPR, one of the really interesting things about reading it myself is that I've found a lot of them seem to be wrong. I've heard a few people talking about a "social media exception" that doesn't seem to exist, for example.

It's possible that there have been preliminary rulings on GDPR that I'm not aware of, because I'm not a lawyer. So I'm not by any means declaring that your experts are definitely wrong, but I am nigh on certain that their source of information for making such statements is not the GDPR text itself.

I disagree that GDPR is an overly broad law by the way. The GDPR text is actually fairly specific. It encompasses a large domain, but it clearly defines that domain (Article 9 is an example of a large but specific definition, although it is only one of multiple such articles) and tells you clearly what you need to do within that domain to be compliant.

People just /think/ it's overly broad because it impacts a lot of tech companies and none of them have actually read the text. The human brain interprets this as "inspecific", whereas it's actually carefully targeted at a handful of specific things that lots of tech companies are doing (or not doing).


> This thread is now too deep for me to respond to your comment.

It probably wasn't depth that blocked you. It was probably time. There is a short interval after a comment is posted during which the reply link is not available in the thread. (You can still reply without waiting, but you have to figure out how to get a reply button instead of a reply link. The reply button doesn't have the delay).

> This statement seems to have misinterpreted article 27

I believe that statement is summarizing recital 23, not attempting to interpret article 27.


"You'll just be told to go away." I thought that too was disallowed if the data you collect isn't required to provide said service.


That popup contains false statement though. How does personalizing ads make the site easier to use?


They could argue that keeping you logged in with cookies makes it easier for you to use.


that part is true, the part about ads isn't. Also AFAIK GDPR doesn't let the companies to glue all possible data processing purposes into one consent and indefinitely - there should be a clear message also on the timeline of data processing, what data is collected (not just cookies) and informing that I can withdraw my consent at any time.


The screenshotted example is nothing new, I've seen that specific thing at least 6 months ago. I don't think it has anything to do with GDPR, and as others have already mentioned it is not likely to be legal under it.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: