GDPRmageddon: They think it's all over! Protip, it has only just begun

The big day has finally arrived, Europe's General Data Protection Regulation is now in force – but as the calendar flicked over last night, those breathing a sigh of relief will be sorely disappointed. For a start, it is a naive company that has treated 25 May as a deadline, thinking it won't have to worry about data …

  1. Anonymous Coward

    I received my first GDPR-era cold-call sales call today, the first day of GDPR! It was from an online backup company.

    Boy are they in for a surprise. I am going to exercise every single one of my rights under GDPR.

    Plus, added bonus ... they rang a number listed on TPS!

    Having spent the last few years getting various company systems and procedures ready for GDPR, I'm certainly not going to "let it go" when some slimy greasy scum calls me up. Especially when they are ignorant of not one, but two pieces of legislation, the first of which was introduced in 1999!!!

    1. Anonymous Coward

      And I received a call from John who works at Microsoft. He had a very strong accent but eventually I realized he was informing me that I had a virus on my computer. Well there goes a sizable percentage of their global revenue.

      1. matjaggard

        Good luck with that, got to find them first.

        1. Anonymous Coward

          > Good luck with that, got to find them first.

          Not difficult.

          In my case, 99.99999% of time, it is some company I've never heard of.

          But the person on the phone normally has the courtesy of giving their name and company name on the phone to introduce themselves, and normally I am in front of my computer and hence $insert_name_of_favourite_search_engine takes about three seconds of typing.

          If their details don't come up on the search, then before slamming down the phone on them, I make sure they give me their website address which I validate.

          Once I have a validated company name and/or website, I slam the phone down on them (sometimes accompanied by a few "wise words of advice") and the rest, as they say, is history.....

  2. Daedalus

    If you're not with us...

    Can we assume that this is going to be one of those situations where being exempt from the rules means you have to prove you're exempt? In other words, even if you run the most harmless and non-data-gathering business, you still have to jump through hoops to prove your right not to be hauled up before the beak?

    1. Richard 12 Silver badge

      Re: If you're not with us...

      Nobody is exempt from the rules. Nobody at all.

      Every business and every organisation holds private data that is covered by GDPR.

      That's because every business has customers and every organisation has members.

      You need a data controller and you need to justify holding the personal data that you hold.

      That's trivial to do if you're sensible - you need employee names and bank details so you can pay them, and you need supplier contact details so you can contact them about the stuff you buy.

      But your marketing dept really needs to look at what they do and store, and if you have a "Big Data" dept... Close it down, quick.

  3. Anonymous Coward

    CGTrader.com

    "Due to new regulations coming into force in the EU on May 25, we will no longer be able to contact you without explicit consent. We'd hate to lose touch with you, which is why we ask you opt-in to our email campaigns ... based on your activity ... special promotions and deals from our partners."

    The last part is what this is really about... They'd hate to lose the referral revenue! Of course the 'Unsubscribe-URL' is broken. Takes you to a link that fails and just redirects back to the main webpage. In a word: Feeble! They probably left everything 'ticked-on'! -GDPR-? Nah, slurp'em to death!

    1. Alan Brown Silver badge

      Re: CGTrader.com

      "Of course the 'Unsubscribe-URL' is broken."

      They've admitted they don't have your explicit consent, therefore the only thing they can offer is a "subscribe me" function, and if that's broken they've just shot themselves in the foot if they send you anything more.

      A broken unsubscribe is serious in its own way (can't remove previously given consent)

      Make sure you _keep_ all those GDPR missives as they're effective admissions that the outfits in question have been ignoring marketing laws and ASA rules for the last however long. The laws just got teeth and such emails are "evidence" in a court case.

  4. Anonymous Coward

    GDPR Territorial Scope: Location, Location, Location

    Personally I like the fact that websites are in region lockdown and are breaking. It signals the new laws are having an immediate impact. The worst outcome would have been that firms failed to act and just tried to keep stalling fines (like Facebook / Google appeals that last years etc).

    It also shines a spotlight on the source of data that might get a few internet 'dumb fucks' to wake up and look at where the source of their favorite shiny is coming from. Pinterest being a high profile example!

    Lastly, it might foster more support for EU based services and sites. But the problem is, no one fully knows what designates EU Citizen / Location. This all has to be legally tested... Fingers-crossed there are no 'Swiss holes' in the implementation. Some interesting fringe cases covered here:

    ------------------

    https://www.securitynow.com/author.asp?section_id=613&doc_id=740638

  5. Anonymous Coward

    I think I understand why some US news sites blocked the EU

    There seems to be so much confusion about what is required, that waiting a while and seeing what gets a pass by the courts and what gets a company in hot water is probably the safest strategy for now.

    I doubt the Chicago Tribune, for example, has a lot of readership in the EU, and expats who really want to see it will just use a VPN to get around it and therefore absolve the Tribune of their GDPR burden. I mean, if they don't know you are in the EU, and take active measures to block use in the EU, they can hardly be held to account for violating the GDPR!

    1. Destroy All Monsters Silver badge

      Re: I think I understand why some US news sites blocked the EU

      It just means they are selling readership clicktracks to .... whomever.

    2. Alan Brown Silver badge

      Re: I think I understand why some US news sites blocked the EU

      "I mean, if they don't know you are in the EU, and take active measures to block use in the EU, they can hardly be held to account for violating the GDPR!"

      Actually it means that they're blocking EU data subjects' attempts to find out how much information is being held about them - which is a criminal matter. The only safe way to proceed would be to purge the marketing databases and start over.

  6. Anonymous Coward

    My first post-GDPR spam!

    It's 19:39 UK time, and I've just received my first post-GDPR spam, from Blizzard asking me to install and play Overwatch because it's free this weekend. I haven't consented to them sending me marketing emails about free gaming weekends, so they must have opted me in.

    The first email I'm forwarding to the ICO!

    1. This post has been deleted by its author

  7. Anonymous Coward

    And it's down!

    It looks like the ICO has fallen over on the first day of GDPR! I guess there's a lot of naughty people ignoring the rules out there!

    "We are currently experiencing an unprecedented number of visitors to our website and calls to our helpline. Because of this, the reporting tool is currently unavailable. We apologies for any inconvenience. Please check back later today."

    https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/

    1. Anonymous Coward

      Re: And it's down!

      > It looks like the ICO has fallen over on the first day of GDPR!

      First day, and by the looks of their Twitter feed, first hour ... their first post about "unprecedented volumes" was made 10 hours ago.

      Looks like they're going to be busy.

      But hey, like the rest of us, they've had two years to prepare!

      1. Alan Brown Silver badge

        Re: And it's down!

        " like the rest of us, they've had two years to prepare"

        Yup - according to several ex-staffers I've spoken to that meant slashing salaries and cutting staffing numbers.

        The ICO has always been the UK's smoke-and-mirrors version of compliance with EU requirements. Underfunding it and restricting its powers were deliberate acts to prevent it actually being useful.

        One of the more ironic results of Brexit is that the government will be _forced_ to properly fund and support the ICO in order to maintain trading relations with the EU.

    2. The Nazz

      Re: And it's down!

      Wise up guys, of course it's down. Did you expect anything different?

      You've had two years to realise that it's the last Friday before a Bank Holiday weekend.

    3. Cederic Silver badge

      Re: And it's down!

      For the record (and because I can't sleep for some ungodly reason) it's still giving that error at 5.31am.

  8. Anonymous Coward

    Yahoo! Did! it! All! Wrong!

    Let me count the ways:

    - If you don't accept GDPR T&Cs which are already legally rightfully yours within a certain time they close the account.

    - Huge list of opt-out ad tracking buried behind three clicks.

    - Opt-out email offers.

    - Ah, that's why you need to accept the T&Cs...

    - Click through OK button is large, button to manage the slurp is small.

    - Their privacy dashboard is an avalanche of unreadable crap with links which go round in circles.

    - I haven't actually managed to find the opt-out page which appeared on first login within the depths of the dashboard.

    Who the hell are they paying to advise them?

    1. Anonymous Coward

      Re: Yahoo! Did! it! All! Wrong!

      >Let me count the ways:

      I'll add one more.

      The surprising number of websites operated by companies that should know better who still operate under the default opt-in ("tick this to opt-out") box basis on their web forms.

      1. Tomato42

        Re: Yahoo! Did! it! All! Wrong!

        not to mention using 3rd party mailers to send all those queries

        no effing wonder the ICO website is down; of the 20 emails I received in just the last two days begging me to agree to receive "offers from our partners", probably 3 or 4 were actually what I'd call GDPR compliant

      2. Alan Brown Silver badge

        Re: Yahoo! Did! it! All! Wrong!

        "... who still operate under the default opt-in box basis on their web forms."

        I brought this very subject up with the ICO a few weeks ago.

        The response was that they regard this behaviour as perfectly fine - it gives you an opportunity to opt out before you click through.

        I await the first legal challenge to that determination.

    2. tfewster
      Facepalm

      Re: Yahoo! Did! it! All! Wrong!

      It's particularly annoying as I effectively pay for that service anyway, through my Sky broadband subscription (Yes, I have plenty of other addresses, so wouldn't miss it anyway).

      The appropriateness of the name of their parent company, "Oath", continues to amuse me.

    3. katrinab Silver badge

      Re: Yahoo! Did! it! All! Wrong!

      I found it, and got RSI from opting out individually from all the data-sharing things.

      Which is definitely not allowed, because I am supposed to explicitly opt in.

      1. John Brown (no body) Silver badge

        Re: Yahoo! Did! it! All! Wrong!

        "I found it, and got RSI from opting out individually from all the data-sharing things."

        Not having signed into my Yahoo account in some months I thought on seeing the comments here I'd better go have a look. All the ad stuff was off by default with both per site opt-in toggles and global opt-in toggle.

        I wonder why I'm seeing something different to you?

        1. Cpt Blue Bear

          Re: Yahoo! Did! it! All! Wrong!

          "Not having signed into my Yahoo account in some months I thought on seeing the comments here I'd better go have a look. All the ad stuff was off by default with both per site opt-in toggles and global opt-in toggle.

          I wonder why I'm seeing something different to you?"

          Call me cynical but maybe management backtracked on the threat to close accounts when they saw how many hadn't responded at all.

          The success of services like this is judged by the number of accounts (as a proxy for the number of users). Would you want to be the Yahoo exec responsible for tanking what remains of the share price by owning up that half your "users" aren't really? It's (probably) just as easy to bulk reset privacy options as to batch delete accounts...

  9. Anonymous Coward
    IT Angle

    ACs ACs everywhere, yet ne'er a comment to worthily remark upon

    Is RegAuth down? Every comment here so far is AC. (OK test done and "no"). So wtf is going on? Am I really going to have to ditch my Private Eye sub?

    On balance I think that a set of regs with aims like this might be useful:

    This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

    http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

  10. Rustbucket

    Microsoft Windows 10 and GDPR

    How does Microsoft with their outrageous and largely secret spying facilities built into Windows 10 fare in the time of the GDPR?

  11. streaky

    Brexit.

    The EU hasn't stopped data flows to the US with FISA, secret executive orders and congress in the US not recognising the right of privacy (or any constitutional measures for that matter) for non-US citizens outside the US. Germany also has similar legal fabrications in their legal system, which FWIW the UK does not have - a UK court treats a Philippine person in the Philippines the same legally as a British person in the UK.

    If the EU has a problem with UK data protection they can fuck right off even more than they already can honestly. At least what we do is basically out on the table. The same can't be said for the French or German security services.

    1. SImon Hobson Bronze badge

      Re: Brexit.

      > If the EU has a problem with UK data protection they can fuck right off ...

      Ahh, but there's a difference between Privacy FigleafShield and any future EU-UK arrangement. With the EU, they desperately need to not kill transatlantic data traffic - and regardless of what anyone might say, to kill off transatlantic data traffic would have caused massive hurt all round.

      With the UK, the high up people will be keen to "make it painful" for us (some have publicly said they would, to discourage any other countries from trying to leave) - so I suspect we can look forward to being forced to jump through lots of hoops and play much much better than everyone else.

  12. m0rt

    "At least what we do is basically out on the table. The same can't be said for the French or German security services."

    Sooo...what you are saying is the French and German security services are better at keeping secrets?

    Saying publicly: 'We are going to do this questionable moral activity in the name of (insert catchy soundbite here)', doesn't make it any less questionable.

    Human nature at work. It won't improve. The game will stay the same but the goals will shift.

    It has ever been so, it will ever be so. Start with your own personal moral compass and work from there.

    1. streaky
      Mushroom

      No but I might be saying that other countries are hypocritical when it comes to this stuff, especially certain EU states I already named. Actually not might be, they just are.

  13. Mr Han

    DVLA

    Does GDPR now mean the DVLA are no longer permitted to sell my data to the highest bidder?

    1. Doctor_Wibble
      Devil

      Re: DVLA

      It would be nice to think so but I can't help thinking DVLA et al. are either exempt or will be granted exemptions because they are the warmly embracing arms of the glorious state who have only ever had our best interests at heart.

  14. a_yank_lurker

    Hype vs Reality

    Many companies already operate under stringent personal information requirements such as HIPAA (US law protecting patient data and privacy) and the like. Basically, they have written procedures in place as to who, what, where, and why for accessing this information. And these procedures have been in place for many, many years. All GDPR really does is extend this to basically all companies operating in the EU to have similar procedures in place or potentially face some very significant fines.

    I suspect much of the hype is coming from marketing PHBs who are now finding themselves actually having to worry about protecting privileged information for the first time and not abusing it. Since many of these weasels (insulting weasels) have no ethics at all this is a real shock to them that someone actually cares. As someone who works in an industry with these requirements in place, welcome to the real world. An aside, when I was being interviewed I was basically asked if I had enough sense to keep my mouth shut when I needed to see live personal information.

  15. flibble

    HSBC not wanting to comply with GDPR

    I've already made my first GDPR data portability request, to HSBC - requesting nothing more than all the readily available transaction data from my current account. The GDPR requires them to supply this in a 'structured, commonly used and machine readable format' - I suggested csv.

    They've replied saying I have to either send the request via snail mail to their DPO or make the request whilst physically in a branch - whilst the ICO is quite clear you can make your request in any fashion (including via social media!), and other than verifying your identity a company must accept requests made in pretty much any fashion. (I made my request via secure messaging after logging into HSBC's online banking portal including 2FA, so my identity is in no way in doubt.)

    I've replied pointing out that their attempt to delay my request is contrary to the law, and eagerly await their next delaying tactic.

    All I want is my transactions in a way I can put them into Excel so I can search/filter them, as that makes it simpler to complete my tax return. If the banks hadn't insisted on almost completely crippling midata then I'd have been able to get this data without a battle. There are so many different ways that banks could have easily made customers' data accessible that they just have themselves to blame if they receive many GDPR related fines over the coming months.

    1. Adam 52 Silver badge

      Re: HSBC not wanting to comply with GDPR

      "eagerly await their next delaying tactic"

      The clock is still ticking from when you made the first valid request, delaying tactics shouldn't work.

      Lloyds are trying the same thing. In fact the banks seem to be taking a remarkably coordinated approach.

    2. Cederic Silver badge

      Re: HSBC not wanting to comply with GDPR

      Barclays online banking already offers a 'download CSV' feature.

      Although to be fair, it only offers the past few weeks of transactions. If I want everything from the day I opened my account with them they'd probably have to retrieve paper archives.

      Although, now that I've had that idea..

  16. Giovani Tapini

    So what is the deal with behaviour tracking

    Lots of business models do indeed rely on this.

    Can I, even if I wanted to, consent to this within the rules?

    Seems to me that this could get very complicated.

    Note, I am absolutely not an expert on GDPR!

    1. a_yank_lurker

      Re: So what is the deal with behaviour tracking

      @Giovani Tapini - I am no expert either but I understand the main emphasis is explaining what, where, why, and who for one's data collection in the appropriate local language, not shyster, with several stipulations. One is the user opts in, two the user has access to all the information you have about them on demand, three the user can opt out at any time, four the user can demand all the information you have about them is deleted, five data breaches must be reported within 72 hours. The implication of GDPR is to make companies more careful about what they collect and how they handle it. One cardinal rule of information security is: 'you can not blab what you do not know'. But this one too many ignore by hoovering up much more than they need.

    2. Anonymous Coward

      Re: So what is the deal with behaviour tracking

      >Can I, even if I wanted to, consent to this within the rules?

      The point is it's all about explicit and granular consent.

      Explicit in that they need to spell it out succinctly, not hidden in waffle.

      Granular in that they need to provide you with break-out of options, they can't bundle a whole bunch of consents into one or two options.

      So, in your scenario, if a website had a box saying "I consent to behaviour tracking" and you tick it, then that's absolutely fine. They spelt it out, they gave you a granular option and you took the action of ticking the box, hence giving your explicit consent. There must also be a mechanism for you to opt-out at any time.

      What they could not, for example, do is have something like "I consent you to passing my details to the card company for payment, to the delivery company for delivery and to behaviour tracking" . That would not be acceptable.
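      The reply above describes consent as explicit (one clearly named purpose), granular (never bundled with other purposes) and withdrawable at any time. The following is an added example, not code from the thread or from any site discussed in it: a small consent ledger that records one purpose per consent, refuses consent that came from a pre-ticked box, supports withdrawal, and can export everything held for an access request. The purpose names, the form id strings and the subject id are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes are recorded one at a time; a record can never cover more than one.
# These names are constructed for the example.
PURPOSES = {"payment_processing", "delivery", "behaviour_tracking", "marketing_email"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    granted_at: datetime
    source: str                       # where the tick happened, e.g. a form id (assumed)
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only store of per-purpose consents with withdrawal and export."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, subject_id: str, purpose: str, source: str,
                       pre_ticked: bool = False) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if pre_ticked:
            # A box the site ticked for the user is not an affirmative action.
            raise ValueError("consent from a pre-ticked box is not explicit")
        rec = ConsentRecord(subject_id, purpose, datetime.now(timezone.utc), source)
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def record_form(self, subject_id: str, ticked: Dict[str, bool], source: str) -> List[str]:
        """Record each purpose the user ticked; unticked purposes get no record."""
        return [self.record_consent(subject_id, p, source).purpose
                for p, on in ticked.items() if on]

    def withdraw(self, subject_id: str, purpose: str) -> int:
        """Close every active consent for this purpose; returns how many were closed."""
        now = datetime.now(timezone.utc)
        closed = 0
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(subject_id, []))

    def export(self, subject_id: str) -> List[dict]:
        """Everything held about the subject, for an access request."""
        return [asdict(r) for r in self._records.get(subject_id, [])]


def demo() -> dict:
    """Walk the scenario from the comment: a granular form, then a withdrawal."""
    ledger = ConsentLedger()
    # Constructed form submission: the user ticked tracking but not marketing mail.
    granted = ledger.record_form("subject-42", {
        "payment_processing": True, "delivery": True,
        "behaviour_tracking": True, "marketing_email": False,
    }, source="checkout_form_v1")
    tracking_before = ledger.has_consent("subject-42", "behaviour_tracking")
    marketing = ledger.has_consent("subject-42", "marketing_email")
    closed = ledger.withdraw("subject-42", "behaviour_tracking")
    tracking_after = ledger.has_consent("subject-42", "behaviour_tracking")
    try:
        ledger.record_consent("subject-42", "marketing_email", "newsletter_box",
                              pre_ticked=True)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    return {
        "granted": granted,
        "tracking_before": tracking_before,
        "marketing": marketing,
        "closed": closed,
        "tracking_after": tracking_after,
        "pre_ticked_rejected": pre_ticked_rejected,
        "export_count": len(ledger.export("subject-42")),
    }


if __name__ == "__main__":
    print(demo())
```

      Because the ledger only ever takes one purpose per call, a bundled "I consent to payment, delivery and tracking" box cannot be expressed in it at all; a form has to present each purpose as its own tick. Withdrawal closes the record rather than deleting it, so the export still shows when consent was given and when it ended.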

      1. Alan Brown Silver badge

        Re: So what is the deal with behaviour tracking

        > What they could not, for example, do is have something like "I consent you to passing my details to the card company for payment, to the delivery company for delivery and to behaviour tracking" . That would not be acceptable.

        And yet this is exactly what many of them are doing.

        I foresee much gnashing of teeth in the next few months.

  17. Florida1920
    Black Helicopters

    Confused

    I own a phpBB-based discussion group. Hosting, registration and the owner himself are in the U.S. But I have users in Europe. I could sift through the member list looking for EU IPs and request they opt-in, but I lack motivation. I mostly use PMs to contact users, and most of the time, users initiate contact with me, to complain about something over which I have no control. So I posted a Privacy Notice and let it go at that. I mean, really, what are my risks? Will the EU send a hit team after me? Now, extradition to Paris I could handle. There are a lot of non-commercial phpBB boards over here. I'd be interested in knowing what others are doing to comply, or if they even care.

    1. Anonymous Coward

      Re: Confused

      > I lack motivation

      Wishing to keep this conversation polite and civil, I will just put this out there:

      You have had two years to find the motivation to implement GDPR measures in your systems.

      The clue is in the name: "The General Data Protection Regulation (GDPR) (EU) 2016/679"

      1. Florida1920

        Re: Confused

        > Wishing to keep this conversation polite and civil, I will just put this out there:

        > You have had two years to find the motivation to implement GDPR measures in your systems.

        I appreciate your courtesy. People in Europe justifiably get angry when they think the U.S. is sticking its nose into their affairs. As a money-losing, U.S.-centric site that extends the courtesy of association to people all over the world, I fail to see why I must exert myself to track down EU users to comply with the EU's declaration. I don't get to vote in Europe.

        The site costs me something like $100 a year plus time spent installing updates, approving new members and fixing broken links in posts, and I get nothing from it but the pleasure of providing a place for like-minded hobbyists to hang out and compare notes. I never asked anyone from Europe to sign up anyway. Worst case, I click the little check-box that shuts down the board and go do something else with my time. Requiring non-commercial, non-EU-based sites to comply is BS.

        1. Anonymous Coward

          Re: Confused

          @Florida1920

          Doesn't feel nice the US getting a taste of its own medicine, does it?

          At least the Europeans don't bully you into submission in relation to GDPR, unlike the yanks and FATCA and other BS they insist on imposing on the other side of the pond where the US are such bullies that European banks, for example, just prefer not to do business with anyone who has any sort of ties to the US.

          If your website delivers data to Europe, then you must comply with GDPR. It's not difficult and it's not expensive.

        2. Muad'Dib

          Re: Confused

          > "I get nothing from it but the pleasure of providing a place for like-minded hobbyists to hang out and compare notes. I never asked anyone from Europe to sign up anyway."

          @Florida1920

          Subject to the usual IANAL disclaimer, I would say you are over-thinking this. Unless you have misappropriated email addresses to add users without their knowledge & consent (unlikely) then European members have already elected to "opt-in" to your BB by explicitly signing up to join. As such, there is no special requirement to re-request subscription or suchlike as you already have the user's consent to the existing relationship.

          Henceforth, provided you take all practical measures to:

          1. secure European users' personal data from unauthorised access or misappropriation (including on-selling details to third parties)

          2. provide a clear way for European users to request access to such information as you hold on them and,

          3. provide a clear way for European users to unsubscribe from your BB and be assured that all their personal data is expunged

          you will be complying with the spirit of the GDPR. In your case this could be simply catered for by a prominent sticky giving a way for users to contact you with their requests if you haven't already incorporated this.

          To be honest, anyone worth their salt handling personal information in such circumstances should be applying these principles no matter the user's location.

    2. a_yank_lurker

      Re: Confused

      My non-shyster understanding of the key points of GDPR is you should have a written document, readily accessible, describing what you collect, why you collect it, what you do with it, and who has access to the information. Also, users have explicit opt in, opt out, know what you have on them, data deletion rights, and data breach notification rights. Depending on what your site does and how it is done you may have very little to do in reality. This is particularly true for a site that collects minimal information from users. From what it sounds like your site may have a login requiring a username, contact email, and password to post on the BB as well as storing user posts.

      The primary target of the legislation is not small hobby sites but semi-criminal outfits like Failbook and Twatter who abuse the information they collect. Also, the notification rules requirement, which sounds scary, means that what Equisuck did when sitting on the breach for several weeks/months is now illegal. There is a lot of hype over the law without understanding why it was done and who the real targets are: Silly Valley idiots who abuse their users to squeeze out a few more pennies.

      From someone in an already privacy regulated industry, this is mostly an extension of what is already done in many industries even in the US. Other than the fines, I have not seen anything in it that is much different than what I already must obey. In some respects it is less demanding than what my industry already must do.

  18. Derichleau

    Small claims court

    I got fed up with the ICO's incompetence so I've been suing companies for the past eighteen months for targeting me with direct marketing. I'm going to continue under the GDPR.

    1. Alan Brown Silver badge

      Re: Small claims court

      " I've been suing companies for the past eighteen months for targeting me with direct marketing."

      Please enlighten us as to the success rate. One of the things that puts most people off is the series of horror stories from the other side of the pond and some UK anecdotes would be useful.

  19. Anonymous Coward

    Too bad...

    I remember 20 years ago marveling at the internet and thinking that one day it would be ruined by corporate greed. For me it’s just a tool now to bank, send emails instead of snail mail and book holidays. Any potential has well and truly been snuffed out long ago.

  20. Petersonregistery

    So what!

    What do companies in the U.S. have to fear about an EU law? We are not subject to the GDPR.

    1. Anonymous Coward

      Re: So what!

      >What do companies in the U.S. have to fear about an EU law? We are not subject to the GDPR.

      You are most mistaken.

      (1) Schrems v. Data Protection Comm’r, CJEU Case C-362/14 (Oct. 6, 2015)

      (2) GDPR is very much on the radar of the US FTC, amongst others.

      So, unlike all the nonsense the yanks try to impose on an extra-jurisdictional basis on the EU, GDPR, my friends, does actually have teeth on your side of the pond.

    2. Anonymous Coward

      Re: So what!

      > What do companies in the U.S. have to fear about an EU law? We are not subject to the GDPR.

      This sort of comment always puzzles me.

      If someone in one country is providing a service to someone else living in another country, they must comply with the laws in that other country. This is how global services work. This isn't something new for GDPR, this has always been the case (for many many years anyway).

      i.e. If you in the USA provide a service to the EU, you must comply with EU law, in the same way that an EU based company, must comply with US law if providing services in the USA.

      This is why things like search results, or news outlets, differ in different countries such as China etc. As companies need to be compliant with the local laws.

      GDPR is simply laying down some new rules in the EU, and so if you provide services to people in the EU, you must comply with those new rules. In fact the rules have been in place since 2016, so companies should have been compliant back then; 2018 is just when enforcement starts.

  21. Anonymous Coward

    The funny thing about agreeing with the "IEEE Privacy Policy"

    ...you have to switch on all trackers / disable Ghostery before you can physically do so. Otherwise, yeah, the JavaScript won't run.

  22. Anonymous Coward

    Wading through e-mail GDPR "Achtung Mails" is not fun.

    As usual, most annoyingly describe the Privacy Notice as a "Privacy Policy", which it is not. How hard is it to give things correct names?

    ACM has sent me a "Here at ACM, we take your privacy seriously, and we are committed to protecting your personal data.", with a link: https://www.acm.org/privacy-policy

    IEEE say that "To continue receiving the latest news and information, we kindly ask you to read and consent to the updated IEEE Privacy Policy": https://www.ieee.org/ieee-privacy-policy-agreement.html - I thought I already did that? Do I have to do it for every sub-organization?

    The one from Ghostery, however ("We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.") does not "require me to visit the website", but they send me about 500 e-mail addresses in the "To:" field. Oh My God!

  23. WereWoof

    Standard disclaimer "IANAL". A long time ago I used to run a site, no registration needed, no data collected by myself (this was before the days when hosting companies inserted adverts). So if I was to resurrect this site, how would I be able to comply with GDPR if the hosting site and adverts not controlled by myself were hoovering up any data?

    1. Anonymous Coward
      Anonymous Coward

      > adverts not controlled by myself were hoovering up any data

      And who put those adverts hoovering up data on your site?

      Oh yeah, that would be you! The "webperson" (to be politically correct).

      Seriously!

      Your site. Your business to make it GDPR compliant. End of story.

      Don't try the Google-esque tactic of saying "its not us, its them". That's unlikely to work for them much longer under the new regime and it's certainly unlikely to work for you.

      GDPR is not hard and it's not expensive. Just get on with it. You've already had two years to figure out the "how"!

      1. WereWoof

        @AC

        > adverts not controlled by myself were hoovering up any data

        > And who put those adverts hoovering up data on your site?

        Read the post: the ads would be placed by the hosting company, not myself; I would have no control over them.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC

          > Read the post the ads would placed by the hosting company not myself , I would have no control over them.

          Nonsense.

          Your website. Your HTML (or JavaScript or however you put adverts on there).

          Your job of GDPR compliance.

          GDPR is quite clear. There is little scope for passing the buck in GDPR, for the same reason that you can't outsource your email sending to a third party and then seek to blame them for misplacing your customers' email addresses. It is your responsibility to ensure the third-party mailer complies with GDPR requirements, and therefore you have no lesser duties in circumstances such as your advertising scenario.

          1. SImon Hobson Bronze badge

            Re: @AC

            > Your HTML (or JavaScript or however you put adverts on there).

            As I read it, his site does not put the adverts there - his hosting company does it when sending pages out. I.e. it's the hosting company that is modifying his code before it gets sent to the client.

            I would suggest that it's STILL the website owner's problem - they have chosen to use that hosting outfit to serve their site, and they need to ensure that they have appropriate contractual clauses with the third party (the hosting company). In this case, the hosting company (or the ad companies they subcontract to) is going to be collecting data that is in excess of what they, and the website owner, need to collect in order to perform the act of serving up the website. Thus the hosting company is in breach of GDPR, and the website owner is in breach because clearly they do not have contractual terms in place that would (or should) avoid this.

    2. Cederic Silver badge

      re: if I was to resurrect this site

      Despite the answer you've already received I think there is a grey area here.

      Are you as a website owner responsible for the behaviour of adverts that you aren't hosting, if they're rendered in a browser tab that's also rendering your webpage?

      The spirit of the law says yes. The letter of the law may not (I'm not sure, and it's a pain in the arse to check, but I'm guessing not).

      If they're not ads, they're just social media buttons - letting someone hit 'like' on Facebook for instance - then it would be a brave court that rules you responsible for Facebook privacy invasions.

      Technically there's no difference between a Facebook 'like' button and an advert served by Facebook's ad slinging network. There's no real reason there'd be a difference legally either. They both render in your browser, and the request to serve them is used to feed into Facebook's big data set, and they can both set cookies to track you across multiple sites.

      So I think this is an area that's going to need some deeper exploration, likely via the courts. In the meantime, just host your own ads and don't abuse your users' data, and you'll be fine.
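      A site owner can at least see what they are answering for: the served page can be audited for every origin it makes the browser contact, and compared against the owner's own HTML to find what the host injected (Simon Hobson's scenario above). The script below is an added example, not code from the thread or from any project it names; the page fragments, the `hypothetical-adnet.test` hosts and the `example.org` site name are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ThirdPartyAudit(HTMLParser):
    """Collect every third-party origin a page would make the browser fetch.

    A 'like' button iframe and an ad-network script look identical here:
    both are requests to another origin that can set or read its cookies.
    """
    RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                      "link": "href", "source": "src", "video": "src",
                      "audio": "src", "embed": "src"}

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.third_party = {}   # origin host -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        attr = self.RESOURCE_ATTRS.get(tag)
        attrs = dict(attrs)
        if attr is None or not attrs.get(attr):
            return                      # no fetchable URL on this tag
        url = attrs[attr].strip()
        if url.startswith("//"):
            url = "https:" + url        # protocol-relative URL
        host = urlparse(url).netloc.lower()
        if not host:                    # relative, data:, javascript: ...
            return
        if host == self.site_host or host.endswith("." + self.site_host):
            return                      # same site (incl. its subdomains)
        self.third_party.setdefault(host, []).append((tag, url))

def audit(html, site_host):
    """Return {third_party_host: [(tag, url), ...]} for a page."""
    p = ThirdPartyAudit(site_host)
    p.feed(html)
    return p.third_party

def injected_by_host(source_html, served_html, site_host):
    """Origins present in the page as served but absent from the owner's source."""
    return set(audit(served_html, site_host)) - set(audit(source_html, site_host))

# Constructed sample: the owner's HTML, then the same page as the host serves it.
SOURCE = ('<html><head><link rel="stylesheet" href="/style.css">'
          '<script src="https://cdn.example.org/app.js"></script></head>'
          '<body><img src="logo.png"><iframe src="https://www.facebook.com/'
          'plugins/like.php?href=https://example.org"></iframe></body></html>')
SERVED = SOURCE.replace("</body>", '<script src="//ads.hypothetical-adnet.test/'
          'tag.js"></script><img src="https://px.hypothetical-adnet.test/'
          'pixel.gif"></body>')

if __name__ == "__main__":
    for host, uses in audit(SERVED, "example.org").items():
        print(host, [tag for tag, _ in uses])
    print("injected by host:", sorted(injected_by_host(SOURCE, SERVED, "example.org")))
```

      Running it against a real site means fetching the page as a visitor would and feeding that body in; anything listed is an origin the owner is letting into the visitor's browser, whether they put it there or the host did.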

      1. Anonymous Coward
        Anonymous Coward

        Re: re: if I was to resurrect this site

        > I think there is a grey area here

        There is no grey area.

        If there was a grey area, then self-interested parties such as the IAB (Interactive Advertising Bureau) would not be dishing out suggestions.

        See the IAB FAQ section 3 "How does the framework assist website operators" (http://advertisingconsent.eu/wp-content/uploads/2018/04/FAQ_Transparency_Consent_Framework_V12_170418.pdf)

        Obviously I would take an IAB document with a pinch of salt as obviously it is in their interests to exploit any loopholes (real or perceived). However it does appear clear from the FAQ that they are clear that the website operator is ultimately responsible for GDPR compliance.

  24. Loyal Commenter Silver badge

    > Nonetheless, this effectively means that many of the firms sending people one or more emails (Chase Distillery has sent your correspondent no less than four) are simply flagging up the fact they have been non-compliant with existing laws for years.

    Are you sure you didn't give consent, and forget about it, due to the prograde amnesia caused by excessive consumption of one or more of their products?
