[HN Gopher] Consent, GDPR and Google Analytics
___________________________________________________________________
Consent, GDPR and Google Analytics
Author : fenier
Score : 43 points
Date : 2022-02-13 19:24 UTC (3 hours ago)
(HTM) web link (cunderwood.dev)
(TXT) w3m dump (cunderwood.dev)
| adithyasrin wrote:
| This is going to be a hot topic in Germany once the German courts
| rule it out. Should it say it's illegal to load, we have got
| loads of work in front of us. One simpler solution that I have
| seen Zaraz by Cloudflare, which seems to solve this issue. Has
| anyone had experiences with this?
|
| https://blog.cloudflare.com/keep-analytics-tracking-data-in-...
| fenier wrote:
| The author of the blog apparently also wrote about Zaraz in
| this post:
|
| https://cunderwood.dev/2022/01/30/tag-management-is-no-longe...
| speedgoose wrote:
| Cloudflare is from USA so it's a quick decision to take.
| cassianoleal wrote:
| Still an US corporation, subject to the CLOUD Act.
| nonrandomstring wrote:
| What a tangled web of legal niceties and hypothetical
| interpretations we've woven here. But the moral arithmetic,
| toward which European thought is tending, is more brutal and
| something to which American corporations had better pay serious
| attention to if they want to keep playing this game.
|
| In general; we hold that "ignorance of law is no excuse", yet in
| contract law _capacity_ is a key construct, and ignorance very
| much _does_ play a part. It's not just minors, the mentally-ill,
| or those incapacitated by drugs or alcohol, discombobulated or
| bamboozled by other means, who cannot give consent in a
| contractual relation. In an age where most lawyers and judges,
| like everyone, mindlessly click-through "agreements" and shrink-
| wrap EULAs, there's a strong and growing argument to be made that
| non-expert adults lack genuine capacity to understand
| technologically mediated relations.
|
| In other words, it's the contract law that underlies this stuff
| that's coming up for revision, not the surface interpretations.
| The important matter now is not deliberating whether the letter
| of the law creates "consent" on this or that occasion, but
| whether the spirit of the law allows for consent even in
| principle, given societal standards of digital literacy and the
| complexity of modern digital interactions.
| shoto_io wrote:
| I'm not the biggest fan of Ben Evans, but he's right on "privacy
| fanatism":
|
| _> At a certain point EU privacy regulators will realise: When
| an EU citizen requests a US internet resource, they provide a US
| server with their IP address; An IP address is PII; The CIA could
| record that; Therefore it is illegal to provide any internet
| resource to anyone in the EU_
|
| Source:
| https://twitter.com/benedictevans/status/1492102034409066504
|
| PS: saying this a German citizen...
| MauranKilom wrote:
| Providing the IP address for the communication channel is quite
| obviously necessary and does not require explicit consent.
|
| https://gdpr-text.com/read/article-49/#para_gdpr-a-49_1_1b
|
| _> In the absence of an adequacy decision pursuant to Article
| 45(3), or of appropriate safeguards pursuant to Article 46,
| [...] a transfer [...] of personal data to a third country or
| an international organisation shall take place only on one of
| the following conditions:
|
| > [...]
|
| > (b) the transfer is necessary for the performance of a
| contract between the data subject and the controller or the
| implementation of pre-contractual measures taken at the data
| subject's request
|
| > [...]_
|
| GDPR does not forbid providing internet resources to EU users,
| that is simply a lie. All it requires is that data handling
| happens in the best interest of the user.
| nickpp wrote:
| Recent court orders in Germany and France beg to differ.
| marcosdumay wrote:
| Yes, taking it literally at the extreme case, the rule is
| unreasonable.
|
| But Google Analytics is the kind of thing the Law was created
| to stop, it's not an unreasonable unintended effect.
| kuschku wrote:
| There's no issue with that. If a person manually takes their
| information and mails it to the CIA, that's also fine.
|
| The issue is if a person visits a resource from a company in
| the EU, they should be able to expect that that information
| won't be passed along to any third party that's not absolutely
| necessary. Especially not to foreign governments.
|
| You wouldn't expect a visit to latimes.com to leak your
| information to the Chinese Party either.
| throwhauser wrote:
| > The issue is if a person visits a resource from a company
| in the EU
|
| Does it have to be a company in the EU? I thought the GDPR
| covered any website an EU citizen, resident, or visitor might
| use, in which case US-based websites might have contradictory
| obligations to the GDPR and US law.
| fenier wrote:
| It depends on Art 3.
|
| https://gdpr-info.eu/art-3-gdpr/
|
| Just because a website exists and may be visited by a EU
| resident, does not mean that the site automatically has to
| comply.
| nr2x wrote:
| Do they have a TikTok?
| pjc50 wrote:
| Extraterritorial jurisdiction + global nature of the internet
| causes these problems. We've already seen lots of the reverse:
| it's illegal to provide gambling to Americans.
| https://en.wikipedia.org/wiki/United_States_v._Scheinberg
|
| It's also legally difficult to provide bank accounts to
| Americans: https://www.thelocal.fr/20210924/why-americans-are-
| finding-i...
|
| Then there was the whole incompatible court orders in re Azure:
| https://www.theverge.com/2018/4/5/17203630/us-v-microsoft-sc...
|
| Really the only workable outcomes are a global agreement on
| internet-touching governance (which the US will never accept on
| principle) or Balkanization. Or I suppose an eternal chasing
| into new as yet unbanned services.
| madrox wrote:
| I suspect there's a third outcome within crypto many are
| quietly pursuing. Looked through the lens of "what if the
| internet were its own country" a lot of web3 makes a bit more
| sense.
|
| Or maybe I've read too many Neal Stephenson novels.
| pjc50 wrote:
| That was my "eternal chasing into new as yet unbanned
| services". The ban wave has largely caught up with big
| ICOs, but not with "governance tokens" or "NFT based
| communities".
|
| There's going to be a cycle of "web3 gets big money", "big
| money fraud in web3", "SEC enforcement against web3", and
| then the launch of "web4" in 2030.
| anothernewdude wrote:
| Just don't opt in to Google Analytics. I don't.
| SquareWheel wrote:
| There's an opt-out, but not an opt-in for Google Analytics.
| Unless you're referring to simply blocking it via a content
| blocker script.
___________________________________________________________________
(page generated 2022-02-13 23:00 UTC)