[HN Gopher] Consent, GDPR and Google Analytics ___________________________________________________________________ Consent, GDPR and Google Analytics Author : fenier Score : 43 points Date : 2022-02-13 19:24 UTC (3 hours ago) (HTM) web link (cunderwood.dev) (TXT) w3m dump (cunderwood.dev) | adithyasrin wrote: | This is going to be a hot topic in Germany once the German courts | rule it out. Should it say it's illegal to load, we have got | loads of work in front of us. One simpler solution that I have | seen Zaraz by Cloudflare, which seems to solve this issue. Has | anyone had experiences with this? | | https://blog.cloudflare.com/keep-analytics-tracking-data-in-... | fenier wrote: | The author of the blog apparently also wrote about Zaraz in | this post: | | https://cunderwood.dev/2022/01/30/tag-management-is-no-longe... | speedgoose wrote: | Cloudflare is from USA so it's a quick decision to take. | cassianoleal wrote: | Still an US corporation, subject to the CLOUD Act. | nonrandomstring wrote: | What a tangled web of legal niceties and hypothetical | interpretations we've woven here. But the moral arithmetic, | toward which European thought is tending, is more brutal and | something to which American corporations had better pay serious | attention to if they want to keep playing this game. | | In general; we hold that "ignorance of law is no excuse", yet in | contract law _capacity_ is a key construct, and ignorance very | much _does_ play a part. It's not just minors, the mentally-ill, | or those incapacitated by drugs or alcohol, discombobulated or | bamboozled by other means, who cannot give consent in a | contractual relation. In an age where most lawyers and judges, | like everyone, mindlessly click-through "agreements" and shrink- | wrap EULAs, there's a strong and growing argument to be made that | non-expert adults lack genuine capacity to understand | technologically mediated relations. | | In other words, it's the contract law that underlies this stuff | that's coming up for revision, not the surface interpretations. | The important matter now is not deliberating whether the letter | of the law creates "consent" on this or that occasion, but | whether the spirit of the law allows for consent even in | principle, given societal standards of digital literacy and the | complexity of modern digital interactions. | shoto_io wrote: | I'm not the biggest fan of Ben Evans, but he's right on "privacy | fanatism": | | _> At a certain point EU privacy regulators will realise: When | an EU citizen requests a US internet resource, they provide a US | server with their IP address; An IP address is PII; The CIA could | record that; Therefore it is illegal to provide any internet | resource to anyone in the EU_ | | Source: | https://twitter.com/benedictevans/status/1492102034409066504 | | PS: saying this a German citizen... | MauranKilom wrote: | Providing the IP address for the communication channel is quite | obviously necessary and does not require explicit consent. | | https://gdpr-text.com/read/article-49/#para_gdpr-a-49_1_1b | | _> In the absence of an adequacy decision pursuant to Article | 45(3), or of appropriate safeguards pursuant to Article 46, | [...] a transfer [...] of personal data to a third country or | an international organisation shall take place only on one of | the following conditions: | | > [...] | | > (b) the transfer is necessary for the performance of a | contract between the data subject and the controller or the | implementation of pre-contractual measures taken at the data | subject's request | | > [...]_ | | GDPR does not forbid providing internet resources to EU users, | that is simply a lie. All it requires is that data handling | happens in the best interest of the user. | nickpp wrote: | Recent court orders in Germany and France beg to differ. | marcosdumay wrote: | Yes, taking it literally at the extreme case, the rule is | unreasonable. | | But Google Analytics is the kind of thing the Law was created | to stop, it's not an unreasonable unintended effect. | kuschku wrote: | There's no issue with that. If a person manually takes their | information and mails it to the CIA, that's also fine. | | The issue is if a person visits a resource from a company in | the EU, they should be able to expect that that information | won't be passed along to any third party that's not absolutely | necessary. Especially not to foreign governments. | | You wouldn't expect a visit to latimes.com to leak your | information to the Chinese Party either. | throwhauser wrote: | > The issue is if a person visits a resource from a company | in the EU | | Does it have to be a company in the EU? I thought the GDPR | covered any website an EU citizen, resident, or visitor might | use, in which case US-based websites might have contradictory | obligations to the GDPR and US law. | fenier wrote: | It depends on Art 3. | | https://gdpr-info.eu/art-3-gdpr/ | | Just because a website exists and may be visited by a EU | resident, does not mean that the site automatically has to | comply. | nr2x wrote: | Do they have a TikTok? | pjc50 wrote: | Extraterritorial jurisdiction + global nature of the internet | causes these problems. We've already seen lots of the reverse: | it's illegal to provide gambling to Americans. | https://en.wikipedia.org/wiki/United_States_v._Scheinberg | | It's also legally difficult to provide bank accounts to | Americans: https://www.thelocal.fr/20210924/why-americans-are- | finding-i... | | Then there was the whole incompatible court orders in re Azure: | https://www.theverge.com/2018/4/5/17203630/us-v-microsoft-sc... | | Really the only workable outcomes are a global agreement on | internet-touching governance (which the US will never accept on | principle) or Balkanization. Or I suppose an eternal chasing | into new as yet unbanned services. | madrox wrote: | I suspect there's a third outcome within crypto many are | quietly pursuing. Looked through the lens of "what if the | internet were its own country" a lot of web3 makes a bit more | sense. | | Or maybe I've read too many Neal Stephenson novels. | pjc50 wrote: | That was my "eternal chasing into new as yet unbanned | services". The ban wave has largely caught up with big | ICOs, but not with "governance tokens" or "NFT based | communities". | | There's going to be a cycle of "web3 gets big money", "big | money fraud in web3", "SEC enforcement against web3", and | then the launch of "web4" in 2030. | anothernewdude wrote: | Just don't opt in to Google Analytics. I don't. | SquareWheel wrote: | There's an opt-out, but not an opt-in for Google Analytics. | Unless you're referring to simply blocking it via a content | blocker script. ___________________________________________________________________ (page generated 2022-02-13 23:00 UTC)