"Simplification" consists in adding exceptions, which are in effect additional rules and special cases.
Simplification actually means everything gets more complex.
War is peace.
Freedom is slavery.
Ignorance is strength.
Simplification is complication.
Peace is a lie, there is only passion.
Through passion, I gain strength.
Through strength, I gain power.
Through power, I gain victory.
Through victory, my chains are broken.
The Force shall free me.
Lie is Truth... sure, sure.
> Through passion, I gain strength.
Weakness is Strength
Sounds like a 1984 sequel from 1939.
"The Commission said previously that the simplification plan will focus on reporting requirements for organizations with less than 500 people, but will not touch the “underlying core objective of [the] GDPR regime.”
Adjustments could include limiting requirements to keep records of data processing activities, or reforming how businesses provide data protection impact statements — two rules seen as overly cumbersome to smaller firms."
Sounds pretty sensible to me.
Regarding Döpfner, he tried to fire an editor at Business Insider (another Axel Springer publication) because Wall St power player Bill Ackman didn't like their coverage of Ackman's wife. [0] He's taken positions such as, "I am all for climate change"; and "Free west, fuck the intolerant Muslims and all the other riff-raff." [1]
Politico has published articles saying, "Time to Admit It: Trump Is a Great President. He's Still Trying To Be a Good One.", claiming "The most consequential presidents divided the nation - before reuniting it on a new level of understanding." (by founding editor and global editor-in-chief John Harris). [2] And another that claimed, as news and not opinion, that disinformation concerns were a "panic" and now outmoded. [3] At least some of their coverage of American politics assumes - again as news fact, not opinion - that anything the left does is ridiculous.
I actually want to know the reality of things, as much as possible, so I will hardly read them anymore.
[0] https://www.semafor.com/article/04/21/2024/axel-springers-tr...
[1] https://www.theguardian.com/world/2023/apr/13/axel-springer-...
[2] https://www.politico.com/news/magazine/2025/01/21/harris-col...
[3] https://www.politico.eu/article/nobody-tricked-vote-donald-t...
Interesting timing with the digital sovereignty movement.
As an EU citizen, I'm not concerned about your need to observe my behaviour or to prevent ad-click fraud. What I care about is websites sharing my navigation history with Google or the rest of the advertising industry, so yes, I'd like to be informed of it.
Personally, instead of having banners, I'd just ban the practices altogether (e.g., targeted advertising, 3rd party analytics), which would certainly simplify business.
There's quite a lot between "engaged in spyware shit" and "service that the user expects".
For example if I want to add first party analytics to my site, the data from which I will use solely internally to try to figure out what pages people like and which they do not like, it is not "spyware shit" if I explain what I'll be using the data for and get permission from the user--and getting that permission needs a cookie banner.
Because true session-expiry times on cookies SUCK BADLY: https://stackoverflow.com/questions/4132095/when-does-a-cook...
This is not nefarious data collection, and it shouldn't need user consent - but it does, because EU lawmakers were overzealous and careless when designing their regulation.
There’s widespread misunderstanding of the law.
Here's the key distinction:
Strictly necessary cookies: No consent needed. These are required for the site to function properly (e.g., shopping cart cookies, login sessions).
Analytics cookies (including the case with a unique ID for tracking visitors): Not strictly necessary, so consent is required.
Even if the data is anonymous or pseudonymous (like a randomly generated unique ID), if the purpose is analytics and it involves storing or accessing data on the user’s device (like setting a cookie), you must ask for consent.
This is doable entirely on the server side, provided there is no caching or CDNs that get in the way.
What you lose with that method, however, is all the spyware-like shit that analytics tends to gravitate towards.
Surely people here are aware of that?
You don't have any privacy right to control data that belongs to other people and happens to relate to you. Privacy is about the state needing a warrant to enter your home and search it or to wiretap you. The idea it has anything to do with information you GIVE to websites by visiting them is a complete delusion.
The idea that you have the right to control eg. my opinions about you, just because they happen to concern you, is fundamentally contrary to the most basic right we all have: freedom of expression. The cornerstone of civil and political rights.
Unfortunately this is a really big "if" looking at typical businesses. They have no idea about how compliance should work and they also hire barely qualified people to marketing teams (often interns), who may accidentally add some privacy-breaking stuff. To prevent that they hire an external DPO and then deal with the paperwork for that DPO, who never visits the company onsite and never meets real people touching privacy topics.
So no, it's not a breeze, because there's generally not enough expertise, and the temptation to use American non-compliant MarTech is high.
One possible solution to that could be a pan-European registry of data processors with enough metadata to a) generate privacy policy, b) request correct consent, c) provide a compliance implementation checklist for non-trivial cases. There could be a small fee for adding services to this registry, but that would make maintaining compliance much easier.
Consider if wire fraud wasn't illegal before, but next week there is a new law coming into effect that makes it illegal. Of course all the companies who were doing wire fraud since before will struggle to be compliant, some might not even be feasible to run anymore if their core business becomes illegal.
Again, sounds like it works as expected; compliance for organizations who have been ignorant for a long time is expected to be more cumbersome.
1. It is a problem for greenfield projects too. Not everyone has sufficient expertise to be fully compliant from the beginning. The accidental non-compliance is possible and there's usually a cost to prevent it.
2. It may work as expected from EU charter perspective, but current implementation is adding extra to an already high bureaucratic workload. My point is, it can be better than that.
Saying it's complicated because of missing experience or knowledge is like saying creating a CRUD application is difficult. Yes, it might be difficult if you've never done it before, but that doesn't mean the thing itself is complicated, just that you potentially lack experience.
Instead, I'd say it would be complicated if it's hard even if you have experience and knowledge about it. And for GDPR and safely storing data, it isn't difficult in a greenfield project if you have experience with it.
> but current implementation is adding extra to an already high bureaucratic workload
As someone who has helped SMEs become GDPR compliant, in terms of engineering, there really isn't a high bureaucratic workload unless you were already very careless with how you stored data. For the ones who considered how personal data was stored for more than half a second, becoming GDPR compliant was mostly about confirming things rather than having to shift things around.
Few companies, though, had huge problems as they 1) were revenue dependent on selling user data or 2) never considered how they were storing or protecting personal data at all.
If you're speaking from the experience of those last companies, then again I think it works as expected.
> if you have experience with it
This must not be an expectation for any regulation that applies to business in general. Let's say I just graduated from a college where I learned to be a plumber. I registered my firm and now want to acquire customers online, so I hire some local agency to build a website and an order form. You cannot realistically expect that I have any experience with GDPR or fully understand its requirements. It is the job of legislators to ensure that I can achieve compliance with minimum effort. But now I have to carry the burden, because no business can survive without digital marketing channels and I have to outsource the compliance work to ensure I don't accidentally break the law. In comparison to the pre-digital era, doing any business today is more expensive and I'd argue it's unnecessarily more expensive. It is not how it should have been done and it doesn't work as expected from a business point of view. Non-compliant businesses are not those who are malicious or ignorant; they can make mistakes because legislators did not help them.
1. People are doing things the “wrong” way in the first place. It’s already been established that compliance isn’t hard if you are doing things the “right” way.
2. Compliance is hard. It really isn’t if you are doing things already the right way
Ultimately GDPR is not the problem, it's people getting into tech that either have no understanding or respect for the data of others wanting to do business. You wouldn't expect me to be building bridges without complying with bridge building standards, would you? Why is this any different? Lives are not directly on the line here, but the consequences of being sloppy with data are still very bad. This whole paragraph puts the cart before the horse because it assumes the most important thing is that the person in question is supposed to be able to transact business, not that the most important thing is to protect the personal information of people.
I’m not expecting the plumber to be a technologist. If the plumber wants to roll his or her own technology, fine, deal with the compliance headache. I expect the plumber to instead pay someone to figure out how to build the thing properly, just like how I don’t go building load bearing structures on my home myself because I’m not a structural engineer and don’t want to spend the time learning how to do that.
This is a fundamentally wrong expectation. To preserve the spirit of the EU charter one does not need a law where every business engaging with customers online has to pay a compliance tax to another medieval guild of experts.
Do you practice your own medicine in the EU or do you pay someone to do it? Medical compliance is a medieval guild of experts, is it not?
This is not that. You’re making it sound like every business has to jump through all of these hoops as a matter of doing business. You know how to not be bound by GDPR? Don’t bother storing sketchy cookie data or PII. The plumber in your example could just… not do that and not have to worry about compliance. It’s only but for the plumber choosing to store that data that they opt to be bound by the regulation. It’s not a requirement for them to operate. If the business feels like they need to store the nuclear waste, then I need to know that they are storing it properly. They could just not take in and store the nuclear waste and then there’s no compliance burden. 9 times out of 10 they don’t need it to transact their business anyway, and the tenth business probably only exists but for the sketchy data.
In the end we have arrived at the same conclusion: probably the regulation itself, the baby, has some dirty bath water. Any regulatory framework of any significant complexity does, especially a landmark first of its kind in scope regulation in the world. So we should not toss both out. We should try to get rid of just the bath water.
With above said, the plumber is not absolved here. Why did they need to store my PII again? I very much value the fact that they have to think about and answer that question. So whatever improvement should just streamline that process and not get rid of it.
I already explained that most businesses are not experts in privacy and usually become non-compliant accidentally, without malicious intent. If a plumber goes to some advertisement platform to promote their services online, they are not making a fully informed decision with regards to privacy implications. They buy promises of lower CACs. They do not buy the storage of PII, nor do they fully understand that targeted advertisement involves storage and processing of PII. And the regulation requires them to either fully understand the process or spend money on an external consultant. That's stupid: GDPR moved the responsibility to protect human rights from those who aggregate a lot of data to the little guy. What really should have been done is a requirement for MarTech to support "Do not track" at the protocol level and risk being fined or banned from the EU. It does not make sense to ask users again and again on different websites if they are ok with tracking by FancyMarTech LLC, when those users already gave the answer somewhere.
It's just one example. And then there's the case of storing PII in Google Spreadsheets: everyone does that. Nobody mentions that in their privacy policy, even if a DPO is involved. And probably they should not. Regulation should also consider the public risk. If one of those millions of spreadsheets with a hundred names is leaked, let's fine the owner, sure. But let's not make a big compliance process for every owner of those millions of spreadsheets. Let's say: Dear Google, if you want to work in the EU, you cannot share the data of EU users with the NSA or anyone. Keep it safe. Figure this out, we don't care how. We really should put 99% of the compliance burden on processors and spare controllers.
Your Google spreadsheets example is not, in my opinion, a good example of GDPR failure. I genuinely believe if people are dumb enough to keep PII in spreadsheets they deserve to be fined out the ass. “Everyone is doing it” is a poor justification for such risky behavior. The plumber in your example would never use the wrong pipe fittings or make dumb mistakes like that in their line of work. And if they did, they would understand that they would be on the hook for that. Why should they be absolved of responsibility in some other line of work simply because “everyone does it this way”?
Your example reminds me of HVAC technicians in the States who vent refrigerant into the atmosphere. “Everyone” does it because it’s way easier and more convenient to just do it and ignore the regulations, but the long term consequences for the environment are horrific. I’m sure if I asked those HVAC technicians they also would describe the regulations that they don’t want to abide by as onerous and not necessary.
Because they act in good faith and expect that consent is collected before their script is executed. This is usually written in their ToS, e.g. see Google Analytics. Google expects that you maintain compliance and if, because of your failure to stay compliant, they collect PII without consent, you are liable for the damages. See what happens? Every small business who wants to know something about visitors of their website is now on the hook. They are expected to understand GDPR, to understand legal details of Google ToS etc. Since you cannot avoid having digital presence today, this looks pretty much like a compliance tax.
>I genuinely believe if people are dumb enough to keep PII in spreadsheets
You are speaking about the majority of the population of this planet now. Everyone has prepared at least once in their life a list of contacts to send wedding invitations, a list of customers for a freelance job, etc. People are not dumb. They just keep doing what they were always doing: having a sheet with a list of contacts. And honestly, they should continue, because why not? Why should we put significantly more thought into this simple task? Yes, the tools have changed and we now have implicit privacy and security risks associated with them. We should fix the tools and assign liability properly.
This is the unaddressed rub here. If the doctor commits malpractice in good faith, they’re still liable. If the structural engineer built a bridge that collapsed in good faith, they’re still liable. Why does the marketing firm get off the hook here?
The argument being presented here, that regular people should continue to be allowed to do Sloppy and Dangerous Thing, because it’s normal, is not sufficient. It also used to be normal and way easier for people to get on a plane without being strip searched and their privacy being violated. Society decided that forcing regular people to go through a ton of more hassle for safety was worth the trade off. The security is mostly theater, the implementation is burdensome, onerous and unpopular and a regular person is expected to navigate some kafkaesque nightmare with a bunch of rules and might unknowingly burn themselves. But we sure as hell don’t see a ton of plane hijackings any more, do we?
You may be surprised, but this is how this regulation is designed. Per GDPR it is the duty of the controller to ensure compliance. The processor acts on instructions from the controller. MarTech is not allowed to do anything outside of their contract with their users, but they are also not required to enforce consent collection, only to assist controllers with that when possible.
>The argument being presented here, that regular people should continue to be allowed to do Sloppy and Dangerous Thing
No, this is not the argument being presented here. Storing personal contacts or advertising is not "sloppy and dangerous thing" per se. The privacy risk is not that someone is processing your PII, but that this data may be used to harm you by processor or 3rd party. So the goal of regulation should not be to prevent processing, but to minimize such risks with minimal costs for society. If regulation focuses on just risk, but does not consider the costs, it must be fixed and solutions should be found that enable typical use cases.
Why not? We have that for a bunch of professions already, and for good reasons. You can't just claim to be a doctor, run a hospital or work as an electrician; you need to prove you're able to, before you can do certain things.
Engineers should already be data-aware by default, regardless of regulations, since we do have the expertise to understand it. Then I guess the expectation was initially kind of that businesses would self-regulate, but seemingly not, so here comes the end of the cowboy developer days, if you want to build large companies that handle people's personal data at least.
> You cannot realistically expect that I have any experience with GDPR or fully understand its requirements
If you build websites where the idea is that you store people's personal data, then yes you should understand what that means and how that works. Like if someone called a plumber for a pressure problem, and the plumber says "How am I expected to understand how that works in your specific house?!", of course I expect the plumber to know their shit around their profession. If you don't understand the technology nor what rules you have to follow, then don't go into that profession.
> Non-compliant businesses are not those who are malicious or ignorant, they can make mistakes because legislators did not help them.
In my experience, the companies who had a hard time becoming compliant with GDPR were companies that either made their revenue by selling user data, and now had to make a lot of changes, or companies that were careless with data in the first place, not thinking twice about where to store things or who has access to what.
I'd be happy to see any sort of counter example of a company that A) doesn't make their revenue based on selling personal data, B) have a thoughtful architecture/design for data in the first place, together with C) had a difficult time becoming compliant with GDPR.
Most businesses in this world are not run by software engineers. Engaging with people for whatever reasons via digital channels is not a profession. I don’t really understand your point: as I said already several times, the law can and should be improved. Do you disagree with that? Do you insist that every plumber or relocation business should be an expert in GDPR?
They just introduce a needless bit of friction in the UX.
If the EU wanted to prevent digital identity triangulation or cross-domain advertising data gathering, it should have banned it outright. Rather than getting all users to click a stupid banner every time they visit a website.
That this is all a big conspiracy by nearly every company on the web against our precious overlords in the European Commission?
Consider basically any popup on a popular website which: takes over most of the screen, makes "accept" the highlighted action button, requires going through "customise" to reject, sometimes requires unchecking categories manually, puts "save and exit" and "accept all" that do the same thing next to each other, either hides or does not provide "reject all", etc.
There is no conspiracy here. You can either not use third parties, or if you do, your approval system doesn't have to be obnoxious at all, but almost every page makes it a shitty experience to 1. Make you accept out of frustration. 2. Make you angry that this is asked in the first place.
I'm not sure why the government is needed to solve a problem that you've gone out of the way to inflict on yourself.
Thanks to the GDPR I cannot do this without the stupid cookie warning popup.
In this regard, the GDPR is clumsy lawmaking that results in companies having to behave defensively, hoping that users will accept a damaged UX in order that the company is not fined by the EU.
In which case, the GDPR doesn't even apply to you! The GDPR only starts to apply if you collect/store PII!
> Thanks to the GDPR I cannot do this without the stupid cookie warning popup.
Again, the GDPR has nothing in it about cookie banners.
> the GDPR is clumsy lawmaking
It isn't, people are just complaining about it without ever actually reading it or doing much research.
Here's the key distinction: Strictly necessary cookies: No consent needed. These are required for the site to function properly (e.g., shopping cart cookies, login sessions).
Analytics cookies (including the case with a unique ID for tracking visitors): Not strictly necessary, so consent is required.
Even if the data is anonymous or pseudonymous (like a randomly generated unique ID), if the purpose is analytics and it involves storing or accessing data on the user’s device (like setting a cookie), you must ask for consent.
Again, nobody is actually reading the law here. Tech is 99% followers who blindly do whatever without understanding the motivation behind it.
Cookie banners aren't a requirement unless you wish to store cookies that aren't strictly necessary (statistics, marketing, etc)[0]. Cookies that are essential for the user to browse the site (login tokens) don't require consent.
It doesn't help the situation that a large number of sites seem to maliciously comply with these regulations.
So if I use telemetry to catch some dirty frontend blob throwing a hissy fit of an exception, and that telemetry is tracking sessions rather than individual events (hello MS App Insights), is that functional, or statistics, or etc.?
To be completely sure, you should eliminate anything that might be considered PII.
So unadorned exception counts would be anonymous, aggregated statistics, which is fine. But exception counts reports per IP address, or per session, or where the exception text mentioned the user's PII, would require consent from the user you're tracking by processing that data about them.
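The two engineering points made in this thread, server-side analytics with no per-visitor cookie (the "doable entirely on the server side" comment earlier) and the "unadorned exception counts are fine, per-IP or per-session counts are not" distinction just above, in working code. This is an added example, not code from any commenter or from a real analytics product: the access-log and error-log lines are constructed, the key=value error format is made up for the example, and the regexes are assumptions about those constructed formats only.

```python
"""Added example (not from the thread): server-side, aggregate-only analytics.
Page views come from a web server access log, exception counts from an error
log; identifiers (IP, session id, query string) are parsed and then thrown
away, and e-mail/IP literals inside exception text are scrubbed before the
message is used as a key. Log formats, regexes and sample lines are
constructed for this example (assumption, not a real product's format)."""
import re
from collections import Counter

# Constructed sample: combined-format access log lines (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2025:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:05 +0000] "GET /docs HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2025:10:01:10 +0000] "GET /pricing HTTP/1.1" 200 1532 "-" "curl/8.0"
198.51.100.2 - - [10/May/2025:10:01:12 +0000] "GET /pricing?user=alice@example.com HTTP/1.1" 200 1532 "-" "curl/8.0"
"""

# Constructed sample: one line per frontend exception report, in a made-up
# key=value format; the last message contains PII on purpose.
ERROR_LOG = """\
sid=9f3a ip=203.0.113.7 type=TypeError msg="Cannot read properties of undefined (reading 'cart')"
sid=9f3a ip=203.0.113.7 type=TypeError msg="Cannot read properties of undefined (reading 'cart')"
sid=b71c ip=198.51.100.2 type=RangeError msg="Invalid array length for user bob@example.com"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(
    r'^sid=(?P<sid>\S+) ip=(?P<ip>\S+) type=(?P<type>\S+) msg="(?P<msg>[^"]*)"')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def scrub(text: str) -> str:
    """Replace e-mail addresses and IPv4 literals with placeholders so free-form
    exception text cannot smuggle identifiers into the aggregate."""
    text = EMAIL_RE.sub('<email>', text)
    return IPV4_RE.sub('<ip>', text)


def page_view_counts(log: str) -> Counter:
    """Views per path. IP, user agent and timestamp are matched but never
    stored; the query string is dropped because it may carry PII."""
    counts = Counter()
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m is None:
            continue
        path = m.group('target').split('?', 1)[0]
        counts[path] += 1
    return counts


def exception_counts(log: str) -> Counter:
    """Exceptions per (type, scrubbed message). Session id and IP are
    discarded, so nothing in the result joins back to a visitor."""
    counts = Counter()
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m is None:
            continue
        counts[(m.group('type'), scrub(m.group('msg')))] += 1
    return counts


def exception_counts_per_session(log: str) -> Counter:
    """The shape the reply above says needs consent: keyed by session id,
    each count describes one visitor. Included only for contrast."""
    counts = Counter()
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m is not None:
            counts[(m.group('sid'), m.group('type'))] += 1
    return counts


if __name__ == '__main__':
    for path, n in page_view_counts(ACCESS_LOG).most_common():
        print(f'{n:4d}  {path}')
    for (etype, msg), n in exception_counts(ERROR_LOG).most_common():
        print(f'{n:4d}  {etype}: {msg}')
```

The design choice is that the aggregation is deliberately lossy: the parser sees the IP, session id and query string, but none of them reach the stored key, and `scrub` keeps free-form exception text from reintroducing them. `exception_counts_per_session` is the same loop with the session id kept, and that one change is exactly what turns an aggregate statistic into a per-visitor record.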
Non targeted ads pay 90+% less than targeted. Sure it's not 'required', but the vast majority of businesses would fail overnight if their revenue dropped 90%.
Websites just love to say "we have to do this" rather than improve their UX because the latter just means more work while the former gets people to be wrongfully upset at GDPR.
I have been suspecting for a while that the "consent" escape hatch was a concession to get GDPR past the advertising industry's army of lobbyists. Making the problem in-your-face-visible is hopefully only the first step in garnering support from the public. It's much easier for a politician to point to all the obnoxious pop-ups and say "look at this despicable behavior! These companies choose to nag you at every opportunity because abusing your privacy makes them a couple cents. They should just not be allowed to do that."
I don't think this is necessarily going to happen, but that would be the reasonable next step from where we are now: boiling the advertiser frog slowly and with changes that users would consider uncontroversially positive.
Ironically, if these companies didn't choose to make their consent UX so deliberately hostile and in-your-face, we might never have had this much visibility into how big of a problem it is.
All require approval that is just as easy to deny as it is to accept.
The browser may be able to block cookies, but that's not a solution for the other options.
Advantages:
1. A single UI in each browser instead of a different one on each website
2. The functionality would be built and maintained by someone with allied rather than adverse interests to the user.
Also you can disable cookies quite easily and whether your UI supports it or not is totally irrelevant anyway. If you use a web browser that sends cookies to websites then that you have authorised it to do so is your responsibility. Use a different browser or don't use one if you don't like it.
My understanding is that if your site doesn't use cookies, you don't even need that. Don't use cookies, don't collect or share personal data, and GDPR is complied with. Apparently from TFA it sounds like even then you have a lot of proving it to the government, and that's a hassle.
Move fast and break things - fuck that, anybody smart enough can project to what sort of society it leads down the road.
There is no such requirement. You're free to make a website that doesn't require cookies.
This very website on which we're discussing doesn't have a cookie banner, and isn't required to have one.
(I'm not saying HN is GDPR compliant though, it's missing a DPO mail address to allow edit/deletion of older PII messages and a privacy policy even though said policy would probably be max 10 lines)
> cut some generous but reasonable slack to small organizations.
I can't say for other countries, but in France there is already a lot of slack even for bigger organizations. We have mainstream websites that are obviously violating the GDPR (most visited cooking site, most visited TV content provider, not allowing free choice of refusing tracking).
The privacy policy is here [1], linked in the footer. It also very clearly says: "For deletion requests, please contact us at privacy@ycombinator.com.".
To pre-empt the typical reply, yes you must serve a cookie banner even if you are only using functional cookies.
https://eur-lex.europa.eu/eli/reg/2016/679/oj
You are required to OBTAIN CONSENT from people you want to process the personal data of. Their consent must be INFORMED by telling them who you are and what you intend to do with their data. Their consent must be FREELY GIVEN and can be WITHDRAWN at any time.
That's what's at stake; not the cookies/state themselves, but how you intend to process the data of individuals. As long as you are not profiling natural individuals, no matter how they leave traces, then you don't need to ask for their consent.
It's bad-faith people, who clearly want to process personal data, who make a huge fuss and tell you everyone needs a cookie banner. Mainly because they are raging that they can't data-mine and monetise every last byte of data they can get, without the consent of the individuals they're profiting from.
> This site uses cookies. Visit our cookies policy page or click the link in any footer for more information and to change your preferences.
And then there are two buttons: "Accept all cookies" and "Accept only essential cookies".
The banner is doing two things. 1) It is notifying you that the site uses cookies. 2) It is requesting your consent for non-essential cookies.
Think about this for a moment, why is it doing both things? Why doesn't it just say "Do you consent to non-essential cookies? Yes | No"? Do you think this website added an extra sentence to their banner just for fun?
If you want to use essential cookies, you don't need to ask for consent. That is true. But you do still need to inform the visitor that you are setting cookies. Just as this banner does in its first sentence.
Feel free to (re)read the regulation, there is no such requirement at all.
> you must serve a cookie banner even if you are only using functional cookies
Specifically, where are you getting this from? It's a misunderstanding at best, but you're spreading it like it's confirmed information.
Most businesses are not actually GDPR compliant, even to this day. I assume this is a big reason the EU is willing to take another look at what is required for compliance.
I've also helped a bunch of organizations become compliant, some were easier than others. The ones that were harder were the ones that generally didn't have good processes with data in the first place, where everything was scattered all over the place and everyone had access to everything. It makes sense to me that it's harder to be compliant if you were borderline malicious with how you treated personal data before GDPR.
The banners are the result of much earlier directives that predate GDPR by a lot...
I agree with you these cookie banners are not sufficient by the text, but in practice unless EU commission and courts make lawyers believe these banners are worthless, EU legal teams will still recommend them.
> What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR.
gdpr.eu is by the way not an official resource of the European Union but by the Swiss Proton AG. They note down the page that gdpr.eu doesn't constitute legal advice. Although they are correct in this case and your misunderstanding was in reading, for future internet discussions I'd recommend not using private sources.
Organizations, and typically lawyers, skew conservative and lazy. A little cookie-consent cottage industry popped up to handle GDPR, so instead of worrying about the regulations most companies pay the small monthly service charge for a third party to handle consent. The consent companies built the most compatible solution, a banner, with the most conservative options as default to prevent any legal quandary.
Most public facing sites do have analytics (usually LOTS of analytics) and ads, so the banner is mandatory for them. If you understand the regulations, and don't violate them, then consent is not necessary.
> While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
To me, it reads as you need some kind of banner/page explaining them. What you don't need is consent to store them.
Cookie banners where sites have to say "we're sharing your details with 287 partners" are okay because they should be shameful for the industry. Cookie banners where you're explaining basic technologies of the web -- "we store a cookie to create a stateful session with your browser" -- are obnoxious noise that do only harm.
Not a GDPR thing, and the reason you see the banner is because companies refuse to understand the regulation correctly.
> cut some generous but reasonable slack to small organizations
Some more slack you mean, since they already have a lot of slack compared to larger organizations?
What exactly is so cumbersome for a small business to comply with? They're generally "common sense" requirements, and most organizations who already take care of their data basically had to do nothing to be compliant. What are you doing that is so complicated or essential that it's hard to comply, as a SME?
Companies will never "understand the regulation correctly" because it's not in their interests. That is why the regulation should be bulletproof: as concise as possible while forcing the exact behaviour regulators intend.
That's what I'm seeing happen?
1. Companies store personal data willy nilly
2. Regulators create directives that force companies to stop doing that, or at least be upfront about it
3. Companies who still want to do it, are at least up front about it, telling users what is happening
4. Users now complain about regulators because companies are letting them know, missing the fact that the only companies who are adding those banners are companies who are hellbent on doing these things anyway.
The blame seems misdirected to me.
They won't, since they were never "required" nor are they part of the GDPR.
> cut some generous but reasonable slack to small organizations
They will, that's the whole reason they are changing it!
On most websites that I've analyzed (and it's quite a lot - into the hundreds), you can remove the cookie banner and the website would be just as GDPR (in)compliant as with the cookie banner.
I recommend everyone gets the Chrome plugin that auto-accepts these banners so you never have to see them again.
You can read more about it and how to set it up here: https://consentomatic.au.dk/
So sounds like that should be somewhat supported.
Disagree must be as prominent as Agree.
Big news if true. They should do something about that.
I think the commission noted this behavior and malicious compliance is already factored into the DMA act. The "deregulation" of GDPR could as well be retrofitting all the lessons learned into the GDPR v2.
Worth noting first that this is not really the GDPR (nobody here has said that it is directly, but in other threads people are making that assumption), this is the ePrivacy Directive (which is probably what the EU should be revising in light of these universally hated popups).
The EU hands out arbitrary fines to large companies that range in the hundreds of millions of dollars, and asks companies to comply with these "technology-neutral" guidelines [1] which are so opaque that it is impossible to decipher when you are and are not in compliance with them.
> The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible
This is wonderfully clear and explains exactly when you will and won't be the victim of extortion-level fines from the EU.
You call it malicious compliance; sure, but when this is what everyone else is doing, and you decide that you want to go against "industry norms" for your website, you are painting a giant target on your back.
[1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
It's the GDPR (published in 2016) that mandates that consent must be freely given. Using a 2002 directive to justify your point is disingenuous. You could have selected instead the 2020 guidelines [1] that are extremely detailed and address this point explicitly:
> Example 17: A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance "I, hereby, consent to the processing of my data" […]
> You call it malicious compliance; sure, but when this is what everyone else is doing, and you decide that you want to go against "industry norms" for your website, you are painting a giant target on your back.
Non sequitur. Surely refusing to engage in malicious compliance paints _less_ of a target on your back, especially when that "malicious compliance" is actually non-compliant.
[1] https://www.edpb.europa.eu/sites/default/files/files/file1/e...
The guidelines you link to are advisory, not legal, and they trace back to the ePrivacy regulations (although the notion of "consent" was modified by the GDPR; it's not clear which interpretation applies -- ePrivacy regulations, which are still in effect, also require consent). "The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects." This is standard boilerplate shit that says "you have to follow the regulations, not whatever is in this doc".
I honestly don't know what to tell you. The cookie popups are an offense in every possible way; they fail to accomplish their intended purposes, they burden users with useless interactions that provide no protection, and they burden website developers with useless busywork to document compliance to hopefully avoid retaliatory punitive fines if you draw the attention of regulators or EU officials. That these policies find supporters on HN of all places is beyond my comprehension.
EU-US data transfers have been declared illegal numerous times [1], but instead of supporting European cloud providers those decisions are barely enforced and quickly circumvented by a new data transfer act.
Cookie banners are not hard to implement if you don't try to share user data with your "864 most trusted partners"; there are clear guidelines [2] now on how they need to be designed, but instead of criticising these not being properly enforced, the requirement for them itself is criticised.
How is it that Meta can regularly break the law, with 7 of the 10 highest fines (or probably around a third of all fines) going against them [3], with seemingly no action taken to prevent this from continuing onwards?
noyb has managed to achieve more than a billion euro in fines with only 6 million euros in funding; we could be focusing on supporting NGOs doing incredible work for their budget and getting our DPAs to properly enforce the law.
The issue with GDPR is not the law but the seeming unwillingness to enforce it, leading to unclarity about what is expected and what is not. [4]
[1]: https://noyb.eu/en/23-years-illegal-data-transfers-due-inact...
[2]: https://noyb.eu/en/noybs-consent-banner-report-how-authoriti...
[3]: https://www.enforcementtracker.com/?insights
[4]: https://noyb.eu/en/data-protection-day-only-13-cases-eu-dpas...
Because until now we've been treating American companies very leniently, with an occasional slap on the wrist. For example, when Poland wanted to regulate Uber, the American ambassador warned the Polish government that if they did that, they would regret it.[0] And because at that time the USA was in the business of protecting the East NATO flank, the Polish government turned a blind eye to Uber.
Now that the USA has turned away from Europe, nobody cares about the interests of American companies. When Trump's ambassador (Tom Rose) threatened the current government in the same way recently regarding the planned "digital tax", the minister answered "We're nobody's fief".
[0] https://phys.org/news/2019-04-hundreds-cab-drivers-protest-u...
I consider this extremely bad! It should be based on revenue, not people.
I can imagine extremely big data trading companies with less than 500 people. I can even imagine Meta/Facebook doing various employee redistribution shenanigans and managing to fit inside that limit.
And will an employer finally be allowed to know his employee's name and address?? Without an additional paper trail? No, they won't allow that, it would be too sane.
Really? Now I'm no bureaucrat, merely an engineer, but GDPR was relatively easy to read through; even the official document (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...) is only 88 pages long, so this cannot realistically be "one of Europe's most complex pieces of legislation". A lot of privacy-conscious SMEs basically had to do nothing to be compliant, telling me it seems to hit the mark of being not too complicated.
Most of the cases I've heard people complaining about GDPR being "complicated" or "impossible to implement correctly" have been from people/organizations who are breaking GDPR, and have no way of reaching compliance without removing things they ultimately earn money from, which in my mind is the exact purpose of GDPR. Most orgs don't seem to be introspective enough to understand why they are having such a hard time with GDPR though.
I hope that their proposed "simplification package" doesn't actually remove what makes GDPR useful and good, but since they seem to be making a bunch of bad-faith arguments for this simplification, I'm not super optimistic.
> Most of the cases I've heard people complaining about GDPR being "complicated" or "impossible to implement correctly" have been from people/organizations who are breaking GDPR
For instance, there's this tiny, gnarly aspect of where you are allowed to store your customer data.
Hosting data on servers located in the EU isn't required by GDPR in and of itself, as long as you have a valid data processing agreement with the provider stating how and according to which provisions customer data is protected on their machines.
However, according to a 2020 European Court of Justice ruling you're not allowed to transfer any personally identifiable information to companies that are in any way affiliated with a US-based entity (e.g., by virtue of having a US-based parent company) anymore. Just being physically located in the EU isn't sufficient according to this ruling.
The reason for this is that with FISA US law enforcement can force US-based companies to hand over any data, even if that data is stored with an international subsidiary under a completely different jurisdiction.
This basically invalidates all of the provisions and legal frameworks for interacting with non-EU entities that used to be acceptable under GDPR before (e.g., Privacy Shield).
However, not interacting with any US-based or US-related entities at all anymore would be tantamount to ceasing almost all economic activity. So, until (or more pessimistically: unless) the US and the EU come to terms on a new agreement regarding privacy rules, there probably isn't anything a business can do on its own to completely address this issue. At this point, merely hosting data on servers physically located in the EU perhaps amounts to little more than window dressing.
As soon as a business has dealings with a US-based company, or an EU-based company owned by a US-based company, that potentially might have access to user data, that business technically is in violation of GDPR. As of now, as a business you essentially have three alternatives:
1. Run the entire infrastructure you need yourself or have it run by EU-based companies guaranteed to have no relations with US-based entities whatsoever (Good luck with finding those ...). This, for example, includes payment systems and banking infrastructure, because guess where many EU-based banks host their infrastructure? That's right, AWS.
2. Go out of business.
3. Ignore this aspect of GDPR for now, document everything, continue to do your own due diligence, and hope for the best.
I can see why it was intended to be generic, but the lack of clear guidance and especially the lack of de minimis exemptions (one of the things mentioned to be addressed!) are a very real problem.
"What tests do I have to perform before asserting that I am CE compliant" is a similar, even vaguer question.
Exactly. You are unlikely to be personally liable for this.
This sort of thing starts becoming complicated when you are responsible for making sure a random government does not try to make an example out of your company for whatever reason.
At first it would only affect a couple of users, but sooner or later enough "life hack" videos would be out there informing plenty of users about how to get rid of those annoying cookie banners.
But as we see with Apple and DMA, they will instead do their best to drag it out.
The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.
But as a whole, I push back against the idea that deregulation is the primary way in which the EU can or should become competitive with the US on technology. Lack of public investment, worse ability for companies to offer equity incentives, and timid private investment are all much bigger problems than consumer protection regulations.
Well, they actually shouldn't. There are non-EU email providers that show exactly what would happen - customers wouldn't be able to transfer out their email from that service provider. Unlucky if they won't notice that limitation in time.
> The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.
Or simply start handing out fines for malicious compliance.
Just have to lie a bit that I am a resident of the EU though.
Any opposing views?
I'd also appreciate if the exception was conditional on not selling any data or using it for external advertising (i.e. "you might also like" suggestions would be okay, as long as they're part of the same service)
Meanwhile, this same community a few days back were discussing the idea of trying to abolish advertisement. That's truly bluesky thinking if we're still justifying user tracking in 2025.
It's accepted practice to only keep logs for e.g. 48 hours and respond to any request with a 2-day delay: "we've got no logs from that timeframe anymore".
Server logs are useful for debugging the site but also contain potentially identifying information (IP addresses) so I have my site delete them after 48 hours.
User submitted comments are obviously required for the usage of your site, so you are in the clear there.
64.62.202.82 "GET /library/Math/Mathematical%20Methods%20for%20Physicists_%20A%20concise%20introduction_%20Tai%20L%20Chow_%202000.pdf -" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Centurybot/1.0; +http://www.rightdao.com/bot.html) Chrome/131.0.0.0 Safari/537.36"
It turns out that http://www.rightdao.com/ is a great old-style search engine that actually returns many tens of pages and thousands of results, as opposed to Google, which only ever returns <400, Bing <900, and Kagi <200. I guess I keep logs because I want to interact more directly with the internet as a whole and experience the serendipity that comes with that.
Tools for that exist, you don't keep unnecessary data, and you're in the clear.
At the end of the day, I create helpful and fun websites for free in my spare time because I enjoy it.
EU regulation created jeopardy and friction that meant I couldn't justify doing this anymore.
- accept all
- necessary only
- reject all
So many websites outside the EU have a mass of dark patterns for which I increasingly reject all or leave the website.
GDPR is really simple.
Only store data that you really need to service the customer’s needs, always permit the customer to correct incorrect data and allow them to delete it unless you have a legal reason to keep it. Report GDPR failures within 72 hours where customer data has been compromised and treat PII carefully.
In the US - fuck the customer.
I know which I prefer.
The GDPR does not prevent US big tech from operating in the EU.
As it stands, this is just another attack on EU citizens' rights. It is also the least of the EU's current problems. De-industrialization due to high energy prices is, but of course von der Leyen will not mention that.
What red tape? From what I understand you have your articles of incorporation, your ID, and you register with the chamber of commerce. I mean it varies from country to country, and licenses and all the EU stuff exist, but what red tape is there when registering the company itself?
The thing really is that there is lot less readiness to simply burn money on anything and everything. And then keep doing that even further...
Of course it doesn't, that'd be stupid. But it does require them to be compliant, otherwise they'll face fines and eventually they'll choose to either be compliant or exit the market.
As an EU citizen with rights, I love this, exactly what I want from my inter-continental union of countries.
Or declare war against the EU, which is the option they've gone for.
Europe needs to let Putin finish off Ukraine so he can turn the gas on again, amiright?
Maybe it's an argument for the other side though as well. The architecture of the system was designed to track people as much as possible so we could do A/B, app design, and marketing more effectively. It felt like it was the company's life blood.
I would say the law should at least make people get their architecture right when small so that when they're big it's not impossible to comply later.
One last thought: our company was small in head count but is getting much bigger right now in revenue. I've heard of small head count, billion dollar companies. What of them?
It got very little usage - maybe a few hundred to a thousand requests per year IIRC. I shudder to think what you could have been doing that would attract that volume of requests. Was it Clearview AI?