#rob wrote: We talked about this problem with our data protection guys.
In short: don't worry about it too much.
If anything about your company or web site (regarding GDPR) is not in order, or appears not to be in order, or could potentially not be in order... then the first report ALWAYS has to go through the data protection authority. Courts will not handle cases like this.
The "vulture" lawyer has to report your company or web site to the appropriate data protection authority, they will then check the claims and contact you, give you a certain time period in which you can either prove that what you're doing is OK or fix anything that was wrong. Finally, they'll check your company or web site again to make sure everything is in order now.
If anything still isn't in order, despite the authority telling you to fix it and giving you an ultimatum to fix it by, only THEN would you get into trouble.
But you can safely refer any "vulture" lawyer who tries to extort you like that to your data protection authority. If they want to take your money for not obeying the law, make them obey the law first and make them go through the legally required instances.
Thanks a lot for sharing this info, that's calming a lot
and good to know in future if some vultures try...
fluffy_little_something wrote: Sounds like yet another crazy EU law, which costs a lot to implement and yields poor results.
As long as a company is online, privacy and safety are just an illusion. As soon as data leaves the EU, adiós data protection. In Germany even public organizations are selling citizen data to companies, and it's legal.
Do developers who outsource the whole shopping part to a third-party service provider also have to invest in all that security?
German Abmahn parasites will like that new law, though.
I remember a text on the EU-US data protection shield or whatever it is called. It is a joke.
The complicated thing about GDPR is also that there is GDPR in general, but every EU country has changed it to its own opinion/need. Some countries don't have it fully in action yet, or only step by step, and some only in a "soft" version... For example, in Germany it is in a very intense version compared to some other countries, and along with that every country has its own additional laws running besides it concerning spam, privacy, digital stuff etc...
For example, here is a list (in German) about the GDPR in each country, not fully up to date, but you can see big differences: https://www.isico-datenschutz.de/blog/2017/10/17/dsgvo-umsetzung-aktueller-stand-eu-laender/
Interesting read, indeed. If this is true, anyone with a Like-button might become subject to abuse through the cease-and-desist industry. The article says that German authorities interpret the law so that consent needs to be given *before* a cookie is set, e.g. when using Google Analytics.
As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.
However, tracking can not only be done with cookies. Once a user on a website can be identified (a login, a purchase, whatever), he can as well be tracked by log files. I'm curious to see if this ends up being a problem as well. It would make offering a website very difficult in general, because how can you ever get consent before the landing page?
It's not just a Facebook like button, also a Twitter tweet button or an embedded SoundCloud player (and embedded YouTube); in all of them, when used/embedded, there will be cookies running before the user can accept them. And that's the "not legal" part now since yesterday. As an example, with the standard Facebook like & share, Twitter tweet button + YouTube and SoundCloud embedded, we had up to 10 cookies running directly through just these 4 things... now it's only 1, Google Analytics, which is OK when anonymized (via script or additional tool, and the privacy page tells everything about it and you provide an opt-out function). But the rest is, mhm, not OK anymore. On our websites, we removed SoundCloud as embedded player everywhere; on YouTube embeds we reworked all embedded videos via additional tools so that there is not, as usual, the DoubleClick cookie running (which is the default if you embed a video from YouTube), and exchanged all share buttons with a tool (Shariff wrapper) to have no Facebook or Twitter API + cookies running. And got rid of all other social plugins like sidebar sliders, feeds etc.
And with 3 websites, +400 content pages - much fun to rework them all!
The work time, trouble with many different reports or infos on that topic + cost for additional tools, privacy policy etc. will also not be helpful for smaller companies (in terms of being effective). Also, if the GDPR is good for everyone (as a user), for companies it's really bad + you lose newsletter, social function and, as a sound content developer, no SoundCloud e.g. embedded... well, also bad, and more...
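The rework described in the post above (no third-party iframe or script, and so no third-party cookie, until the visitor has actively accepted it) is usually done with a "click to load" gate. The following is an added example written for this thread, not code from the poster, from Shariff or from any of the named providers. It assumes YouTube's privacy-enhanced embed host `www.youtube-nocookie.com` and the SoundCloud player URL from SoundCloud's standard embed code; the video and track IDs are constructed placeholders, and the `embed-gate` class and `data-*` attribute names are this example's own choice.

```javascript
// Added example: consent-gated ("click to load") third-party embeds.
// Until the visitor clicks, the page only contains first-party markup, so
// the provider cannot set a cookie or see the visitor's IP address.
// The pure functions run under Node; the DOM wiring at the end runs only
// in a browser.

// Provider table. youtube-nocookie.com is YouTube's privacy-enhanced host;
// w.soundcloud.com/player is the widget URL used by SoundCloud's embed code.
const PROVIDERS = {
  youtube: {
    label: 'YouTube',
    idPattern: /^[A-Za-z0-9_-]{11}$/,               // shape of a YouTube video ID
    src: (id) => `https://www.youtube-nocookie.com/embed/${encodeURIComponent(id)}`,
  },
  soundcloud: {
    label: 'SoundCloud',
    idPattern: /^https:\/\/api\.soundcloud\.com\/tracks\/\d+$/, // track API URL
    src: (id) => `https://w.soundcloud.com/player/?url=${encodeURIComponent(id)}`,
  },
};

// Escape text before interpolating it into HTML, so an ID coming from a CMS
// field cannot inject markup into the placeholder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Build the iframe URL; unknown providers or malformed IDs are rejected
// rather than turned into an arbitrary src attribute.
function embedSrc(provider, id) {
  const p = PROVIDERS[provider];
  if (!p) throw new Error(`unknown provider: ${provider}`);
  if (!p.idPattern.test(id)) throw new Error(`invalid ${p.label} id`);
  return p.src(id);
}

// Placeholder shown before consent: plain text and a button, no iframe,
// no provider script, nothing that contacts the third party.
function placeholderHtml(provider, id) {
  const p = PROVIDERS[provider];
  embedSrc(provider, id); // validate early so a bad ID fails at render time
  return `<div class="embed-gate" data-provider="${provider}" data-id="${escapeHtml(id)}">` +
    `<p>This ${p.label} content is loaded only after you click, because ${p.label} ` +
    `may set cookies and log your IP address.</p>` +
    `<button type="button">Load ${p.label} content</button></div>`;
}

// Markup used once the visitor has clicked: the iframe is created only now.
// referrerpolicy keeps the embedding page's URL out of the provider's logs.
function embedHtml(provider, id) {
  const src = embedSrc(provider, id);
  return `<iframe src="${escapeHtml(src)}" loading="lazy" allowfullscreen ` +
    `referrerpolicy="no-referrer"></iframe>`;
}

// Choices are remembered per provider for this page view only. Persisting
// them (first-party cookie or localStorage) is possible, but then that
// storage itself belongs in the privacy page.
const consent = new Set();
function grantConsent(provider) { consent.add(provider); }
function hasConsent(provider) { return consent.has(provider); }

// What to render for one gate: the iframe if that provider was already
// accepted on this page, otherwise the placeholder.
function renderGate(provider, id) {
  return hasConsent(provider) ? embedHtml(provider, id) : placeholderHtml(provider, id);
}

// Browser wiring: one delegated listener swaps a placeholder for its iframe
// when its button is clicked. Skipped under Node.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const gate = ev.target.closest('.embed-gate');
    if (!gate || ev.target.tagName !== 'BUTTON') return;
    grantConsent(gate.dataset.provider);
    gate.outerHTML = embedHtml(gate.dataset.provider, gate.dataset.id);
  });
}
```

Server-side or in a template, `renderGate('youtube', VIDEO_ID)` emits the placeholder into the page; the same approach covers the share buttons the poster replaced, since a plain first-party link to the provider's share URL needs no provider script at all. What the gate does not change is the note in the earlier post about log files: once the visitor clicks, the provider sees the request like any other, which is why the placeholder text says so.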