A few months ago GDPR took the world by storm. As a result, everything still happens as usual but you got even more obnoxious and annoying cookie c...
The most important thing that I always see in the wild, is consent messages that have the trackers enabled by default, so pressing ok or consent will track you. This is explicitly not allowed. As this post says, you do not need consent for cookies necessary to function, but all tracking has to be opt-in. And the law explicitly says that having all checkboxes filled in by default does not count as consent!
So wait, does this mean that having Google Analytics on your page is against the GDPR if they didn't agree to it?
If you have anonymizeIP enabled, then no, they don't have to agree. GA took precautions, they trim the IP on EU servers. Also they assure you (I think in their ToS) that they don't store the original IP address. This means they don't have any personally identifiable information, and it doesn't fall under the GDPR.
What they can't ensure though, is that users store personally identifiable information in their events. So if you do that, you have to take your own precautions. Basically you should just stop doing that. Since afaik, GA doesn't allow selective deleting of data, so as soon as a GDPR delete request comes in, you'd have to delete all of your GA data.
The question is if your analytics collect personally identifiable information, such as IP addresses.
The biggest problem with "Delete Data" is that users accidentally delete and then blame us for not being able to bring it back, when users are not that tech savvy. This is even more complicated when their data is part of their communication with other users and they are all business transactions.
You don't have to delete all of it and all at once. Or even to delete it at all. But it must be documented and based on the legal pretenses listed above.
Also the "contractual performance" can probably be invoked in some cases.
But yeah, it's a pain in the ass which is why you should think around it from day one of your product design and only merge "compliant" code.
So finally, poor people cannot start internet startups anymore, it is only rich people's game !!! That is truly GDPR. Funny thing is, a poor person with no intention of stealing/selling personal data has to pay 30 million in fines in case of some mishaps, and a billionaire also pays 30 million easily to steal personal data and get away with it.
Well not exactly. While internet giants are able to hide their data malpractices under undecipherable layers of bullshit, the cost for small companies is not so great. I work with a lot of startups and it's true that implementing GDPR afterwards is painful but if you have it in mind from the ground up that's pretty much invisible.
Also the big difference is that in addition to the fine, big violations become penal. Aka you can go to jail, especially if you're a large-scale CEO. So while fairness could be improved, it's a good step forward in my opinion (as a small company).
I don't believe any large-scale CEO will ever go to jail, Facebook CEO & Google CEO would have been jailed already if that was true, they will get out easily.
It doesn't have to instantly delete everything when they click a single button - you can obviously send a deletion confirmation email and show multiple warnings that it cannot be undone.
This makes me so angry. Wtf does CSS have to do with data collection.
Amazing article. Thank you.
It’s honestly amazing how many site owners assume that they either just have to tell the user what they collect, make it take time to disable it, or serve a stripped down version to people who want to keep their data.
Hi!
Thank you for this thoughtful and well written post. I've seen so much paranoid bullshit of people closing their blogs because of the GDPR and cursing it while the GDPR really is only for the people, not for bullying them.
Kind regards
Dennis
Hmm, I think that more than 70% of the new law already existed since 1995 en.m.wikipedia.org/wiki/Data_Prote...
As users we had most of these rights before, but no one cared, like no one will care next year after the hype.
From what I know the definition is broader, ANY person on EU soil is protected, the citizenship is not important.
Best GDPR post I’ve seen yet.
Great article, thank you! I used to use the old UK DPA rules and was pretty confident with them, but still a bit fuzzy on how GDPR has changed things. Thanks for the clarity and examples!