Statement on 4 Years of GDPR

There are signs that it's getting better. I started seeing cookie dialogs with a Reject all button. Sometimes it's a big one, sometimes it's almost white on white, but it's there. Anyway the vast majority of those dialogs is still misleading. The usual We care about your privacy, accept all, settings thing.

This article is excessively negative on the effectiveness of the law.<p>I would say the biggest issue is inconsistent enforcement by DPAs. The other problems are overstated.<p>Believe me, as someone who sees things from the inside of european companies, compliance is still taken very seriously.

&gt; Companies realize that competitors do not comply and that acting legally does not pay off. The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.<p>This is what makes writing good&#x2F;effective law a non-trivial undertaking.<p>If the words on paper don&#x27;t make positive sense, and negative behavior toward the words isn&#x27;t backed up with punishment, then the effort corrodes and collapses.

We should get to a point where tracking requires users to install an app or a browser extension, I’m thinking of something similar to the ads toolbars of the 90s.<p>I shouldn’t have to tell people I don’t want to be spied, nor I should have to install privacy extensions and PiHoles and whatever.

The data protection act before it was not enforced and wildly broken by businesses as well. The law is always in at least two parts, the text as written and the enforcement. If the enforcement is mostly via government funded bodies then one way a government can undermine that aspect of law is simply to under fund the public organisation and that has been happening throughout Europe with strongly right wing governments. Many of these organisations have not been effective since the data protection act was introduced. The law is reasonable but the enforcement doesn&#x27;t function and never has.

This is an excellent quote that reflects a notable share of opinions that I see in the comments here on HN whenever the GDPR is discussed:<p>&gt; <i>Hardly any other area of law is politicized to that extent – at least I have never heard that building or tax codes were openly ignored with the argument that compliance would “undermine the business model” of a company. The privacy bubble accepts such narratives as a legitimate argument.</i>

As someone working in ad tech but not rooting for it to win at all costs: the biggest positive I see from GDPR is the fact that many ad tech data vendors have left Europe. I&#x27;m talking about vendors that aggregate personal data, track your location and the places you visit, the web sites you visit across multiple devices, etc.<p>i.e.<p><a href="https:&#x2F;&#x2F;www.adexchanger.com&#x2F;data-exchanges&#x2F;tapad-is-shutting-down-its-business-in-europe&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.adexchanger.com&#x2F;data-exchanges&#x2F;tapad-is-shutting...</a>

GDPR broke one of my websites that had tens of thousands of happy users.<p>Users loved it and expressed their delight that the website exists on a daily basis.<p>But when I tried to monetize it without ads and via Patreon instead, nobody paid. Nobody.<p>Recently, Google said they don&#x27;t think my cookie banner is GDPR conform. But gave no info why and how I could fix it. And turned off Adsense.<p>So I finally took the plunge and turned the site off.<p>My feeling is that the GDPR plays into the hands of the big web players. They have the resources to deal with it. While small one-man shows don&#x27;t.

In the context of the GDPR, I just want to remind people of this thread where a HN user invokes their rights in order to make Spotify back down on a change that would have locked user playlists into their service for no good reason - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=24764371" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=24764371</a><p>(can&#x27;t be 100% sure this is what made Spotify change direction, but it seems likely)

Background info: Noyb is <i>the</i> GDPR fan club (run by Max Schrems), trying to get governments to do their jobs to get proper enforcement. And you can join them! <a href="https:&#x2F;&#x2F;support.noyb.eu&#x2F;join" rel="nofollow">https:&#x2F;&#x2F;support.noyb.eu&#x2F;join</a>

<a href="https:&#x2F;&#x2F;www.enforcementtracker.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.enforcementtracker.com&#x2F;</a>

I don&#x27;t think the law has done much at all. I operate a business that serves as a data broker &#x2F; processor under GDPR.<p>I have had a total of 66 data requests in 4 years. I handle data requests and follow the laws, but I also understand the EU&#x2F;UK has zero grounds to enforce anything against my business if I were to flat out reject all requests.<p>They can&#x27;t fine me, I don&#x27;t have a physical or business presence in Europe, though I do have European customers.<p>The only reason I handle requests is to protect my customers, not myself.

What I do not understand about GDPR is analytics. If you are operating a website outside the US and EU citizens access that website, my understanding is that applicability of GDPR is limited to only uses where the site is capturing data from EU citizens. If the server statistics include standard analytics (e.g. client IP address, client browser, client screen size, etc), are not those analytics the capture of personal data from EU citizens? In this regard, don&#x27;t EU visits to all non-EU non-GDPR-compliant websites involve a violation of GDPR simply through accumulation of server analytics? Is there an exclusion for this? Or can any website operator anywhere in the world be fined for non-compliance on this basis?

GDPR is a good idea, but it seems to be top-down and pushing against megacorp and user alike. As it stands, the law is only making it more expensive to be in the data harvesting business. These extra risks and requirements raise the barrier to entry for new firms and so just ends up cementing the market position of existing players.<p>If people start caring enough to actually cancel services that harvest their data, then the harvesting would stop. But it is very easy to underestimate the power of machine learning and correlation, especially when the data being correlated is gently sipped over years.

Is anyone maintaining some custom NoScript or anything like that I could use to block GDPR&#x2F;cookie law popups and such EU nonsense? I&#x27;m not even a subject of Brussels

Cookie banner has ruined the whole web. - Does not protect people (99% are just fake. If you reject cookies you keep get them) - Cost money to company (so cost to customers). A simpler browser extension where you manage your preference once far all (default) with the possibility to personilize x site (think like you do for camera permission) would have solved the problem in a real way and without all the hussle.

GDPR is just about one more annoying popup you need to click away on each site you visit, and that some U.S. website became inaccessible without VPN at all. Good job.

I completely reject the premise of this, that one is somehow EU citizens are not personally responsible for the information they themselves put online.<p>The most hilarious thing is cookies!<p>For example, cookies exist, and they work a certain way... and despite not liking how they work.. they are here, and not going away, and imposing some kind of contract-law of cookies being accepted or rejected totally ignores that the user has, and always had, the ability to reject cookies at the browser level, unilaterally or with policies, without any contract laws.

Cookie banner alone has probably done more harm in terms of wasted human life than anything else combined. 4.66 billion active internet users, 92% of which are web users, spending 5 secs per day on clicking all cookies allowed. That&#x27;s 680 human years wasted per DAY on these banners.

Honestly, never saw the point of GDPR. You add additional expenses for something big abusers will just bypass, ignore or even worse just retract from the market.