121 Matching Annotations
  1. Jul 2020
    1. Under the GDPR, users have the right to object to certain processing activities in relation to their personal data carried out by the Controller. In a nutshell, the user can object to the processing of their data whenever the processing is based on the controller’s legitimate interest, or the performance of a task in the public interest/exercise of official authority, or for purposes of scientific/historical research and statistics. The user has to state a motivation for their objection, unless the processing is carried out for direct marketing purposes, in which case no motivation is needed to exercise this right.
    1. For example, as the GDPR requires that a controller must be able to demonstrate that valid consent was obtained, all presumed consents of which no references are kept will automatically be below the consent standard of the GDPR and will need to be renewed. Likewise as the GDPR requires a “statement or a clear affirmative action”, all presumed consents that were based on a more implied form of action by the data subject (e.g. a pre-ticked opt-in box) will also not be apt to the GDPR standard of consent.
  2. May 2020
    1. Many also question how the average user with little knowledge of the GDPR will react to being asked so many questions regarding consent. Will they be confused? Probably at first. It will be up to each business to create a consent form that is easy to understand, while being at the same time comprehensive and informative.
    1. Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
    1. This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not.
    2. An entity not established in the EU offers goods or services (even if the offer is for free) to people in the EU. The entity can be government agencies, private/public companies, individuals and non-profits;
    3. Determining your law of reference. Generally, the laws of a particular region apply if: you base your operations there; or you use processing services or servers based in the region; or your service targets users from that region. This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
    1. This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not. As a matter of fact, this PwC survey showed that the GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.
  3. Apr 2020
    1. “In the end, GDPR is all about consent and it’s an approach to privacy that is very European,” said Kagan. “That’s not a mistake. It’s a values statement.”
    2. Kagan said, “a lot of things that are said about what GDPR is doing are myths. There are tons of misconceptions.” As a result, regulators have had to spend a great deal of time undoing myths, explaining the law’s broad language and providing guidance.
    3. I still feel like unless there is a very significant increase in staffing, they are probably going to have to pick and choose the enforcement actions that they bring,
    4. The data protection authorities have other tools as well, which might be even costlier than fines, Kagan said. In some cases, EU regulators can tell companies, “You have 90 days to rectify the thing you are doing wrong with the data, or after 90 days you cannot use the data.” Sometimes, even the big fines won’t make or break them, but the data will if it is a core component of their business.
    5. Europe’s sweeping privacy rule was supposed to change the internet, but so far it’s mostly created frustration for users, companies, and regulators
    1. the French CNIL has reminded that consent has to be given at the time of data collection, has to be specific, and cannot be passed to another controller through a contractual relationship; it could not be bundled.
  4. Mar 2020
    1. Despite some of the concerns outlined above and the more dramatic claims about the impact of GDPR on businesses, it will only be bad for those companies that buy and trade in user data, or those companies that consistently fail to protect personal data.
    2. The GDPR is a sea change and requires companies to go much further than they have in the past under the old framework. Principles like data minimization, what constitutes valid consent, and when a business can claim a legitimate interest in someone's personal data provide serious challenges to U.S. businesses.
    3. That outcome, in fact, is why the General Data Protection Regulation has been introduced. GDPR is being billed by the EU as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new standards in the wake of the recent Facebook data harvesting scandal.
    4. “Europeans' privacy will be better protected and companies benefit from a single set of rules across the EU.”
    5. In Europe, access to the Los Angeles Times was blocked and those who tried to access it were offered a screen with a notice which simply read: "Unfortunately, our website is currently unavailable in most European countries."
    1. The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred (even if that consent has been withdrawn). The simple way to do this would be to use a cookie management solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.
    2. When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy directive) has been repealed by the General Data Protection Regulation (GDPR), which in fact, it has not. Instead, you can think of the ePrivacy Directive and GDPR as working together and complementing each other, where, in the case of cookies, the ePrivacy generally takes precedence.
    3. To further illustrate this point, imagine that the ability to run cookies is a room, the cookie management solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.
    1. Users have the right to access their personal data and information about how their personal data is being processed. If the user requests it, data controllers must provide an overview of the categories of data being processed, a copy of the actual data and details about the processing. The details should include the purpose, how the data was acquired and with whom it was shared.
    2. Another EU law worth mentioning here is the ePrivacy Directive (also known as the Cookie Law). This law still applies as it has not been repealed by the GDPR. In future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and as such, will work alongside the GDPR; the upcoming regulation is expected to still uphold the same values as the directive.
    1. It's so frustrating how grey this all is at the moment - I'd imagine most sites still won't be compliant come May 25th.
    2. Had a read through a few of the linked articles above... Wow. Messy, headache inducing stuff, and still so much vagueness.
    1. If a website/app collects personal data, the Data Owner must inform users of this fact by way of a privacy policy. All that is required to trigger this obligation is the presence of a simple contact form, Google Analytics, a cookie or even a social widget; if you’re processing any kind of personal data, you definitely need one.
    1. A single consent form is useful when consent is requested for a single purpose. Here: analytics

      This seems like an important distinction:  Probably (?) you can only use a simple Agree/Disagree consent request if you only have a single purpose/category that you are obtaining consent for.

      As soon as your site has multiple categories to need consent, then you must allow individual consent/refusal of consent for each individual category/purpose.

      This is alluded to just a little bit further on:

      Consent should also be granular; users must be allowed to selectively decide what types of tracking, analytics and other activities their data can be used for.

    2. Asking for consent when processing users’ personal data is one of the most important duties imposed on website owners by the GDPR.
    3. Regardless of where an organization is based (in the EU or otherwise), its website must meet regulatory obligations when processing EU/EEA citizens’ data or the business will face financial penalties.
    4. the introduction of the EU’s General Data-Protection Regulation (GDPR) has significantly impacted the way websites and businesses collect, store and use both types of cookies. For one, the GDPR includes cookies in its definition of personal data, which refers to any piece of data or information that can identify a visitor.
    1. Are cookies governed by the GDPR? Cookie usage and its related consent acquisition are not governed by the GDPR, they are instead governed by the ePrivacy Directive (Cookie Law) which in future will be repealed by the up-coming ePrivacy Regulation.
    2. If your website installs any non-technical cookies, e.g. via a script like Google Analytics or via a Facebook share button
    3. If your website can be visited by European users
    1. illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems
    2. small portion of sites (~7%) entirely ignore responses to cookie pop-ups and track users regardless of response.
    3. “meet the minimal requirements that we set based on European law” — which they define as being “if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit.”
    4. All of which means — per EU law — it should be equally easy for website visitors to choose not to be tracked as to agree to their personal data being processed.
    5. majority of the current implementations of cookie notices offer no meaningful choice to Europe’s Internet users — even though EU law requires one
    6. “Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive,” they note, arguing that: “This raises significant questions over adherence with the concept of data protection by design in the GDPR.”
    1. If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.
    1. GDPR introduces a list of data subjects’ rights that should be obeyed by both data processors and data collectors. The list includes: Right of access by the data subject (Section 2, Article 15). Right to rectification (Section 3, Art 16). Right to object to processing (Section 4, Art 21). Right to erasure, also known as ‘right to be forgotten’ (Section 3, Art 17). Right to restrict processing (Section 3, Art 18). Right to data portability (Section 3, Art 20).
    1. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
    1. Legitimate Interest may be used for marketing purposes as long as it has a minimal impact on a data subject’s privacy and it is likely the data subject will not object to the processing or be surprised by it.
    1. You still have to use a Cookie Notice, if you’re planning to collect data that can identify an individual within the EU, or
    1. Google Analytics created an option to remove the last octet (the last group of 3 numbers) from your visitor’s IP-address. This is called ‘IP Anonymization‘. Although this isn’t complete anonymization, the GDPR demands you use this option if you want to use Analytics without prior consent from your visitors. Some countries (e.g. Germany) demand this setting to be enabled at all times.
    1. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.
    2. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.
    3. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    4. PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
    1. “The GDPR is very good as a piece of paper; it’s almost perfect. But it hasn’t been enforced,” he said.
    2. There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.
    3. Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry. When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups. “Everybody just decided to be better safe than sorry and throw up a banner — with everybody acknowledging it doesn’t accomplish a whole lot,” said Joseph Jerome, former policy counsel for the Privacy & Data Project at the Center for Democracy & Technology, a privacy-focused nonprofit.
    1. Consent is one of six lawful grounds for processing data. It may be arguable that anti-spam measures such as reCaptcha can fall under "legitimate interests" (i.e. you don't need to ask for consent)
    1. If you’re not a legal professional, getting your website or app to be compliant with international privacy laws can be tedious and difficult.
    1. Very few solutions include all of the GDPR required features like: 1) Enabled prior consent. 2) Clear and specific information about data types and purpose of the cookies. 3) Full documentation of all given consents. 4) The possibility for users to reject superfluous cookies and still use the website. 5) The possibility that users can withdraw their consent whenever they want. Cookie solutions that don’t have those features are not GDPR compliant.
    2. It is required by the GDPR as you must document cookies and online tracking at any time and you must be able to show that documentation to both your users and the EU.
    1. For instance, a strict interpretation of the law would require publishers to get opt-in consent by individual vendor, rather than an 'Accept All' pop-up prompt. The approach that publishers and ad tech vendors are taking is that a mass opt-in button - with an option to dive deeper and toggle consent by vendor - follows the "spirit of the law". This stance is increasingly coming under fire, though, especially as seen by a new study by researchers at UCL, MIT, and Aarhus University.
    2. Another value-add of CMP tech is that it can sniff the user's location and show the prompt just to EU residents. This helps to comply with the law while not intruding on non-EU user experiences.
    3. haven’t consent tools been around for a while? Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide. These tools are still around, and many sites continue to use them under the GDPR. However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
    1. Note that the scope of personal data is truly broad, which makes processing complex and tricky. So, even though, for instance, you employ anonymization in Google Analytics to get rid of all information that falls under this category, you’re still in a catch-22 situation. This is because GA stores a visitor online identifier in a cookie, and under the GDPR that file constitutes a piece of personal data. That means you still need to obtain consent from visitors to process their data.
    1. we make it easy to implement using our Consent by Geolocation feature that auto-identifies the location of the website visitor and applies the correct consent notice and behavior based on the visitor’s current location. For example, simply add PreferenceChoice Cookie Consent and Website Scanning to your website, and the functionality of your consent notice will automatically update to display a CCPA-compliant consent notice to a visitor in Los Angeles, and a consent notice in compliance with ePrivacy and GDPR to a visitor in London.
    1. Do I need a CMP? Short answer: Probably yes. Long answer: If your company is based in the EEA (European Economic Area) or if you are dealing with customers/visitors from this area and show them advertising, it is very likely that you will collect and/or process personal data such as IP-addresses. Therefore, according to GDPR, you need to make sure that the visitor is informed and you need to ask the user for consent. In order to do this you will need a CMP.
    1. To be fully compliant with GDPR, you would also need to enable the Show Reject All Button setting.
    2. Consent Model. In the case of GDPR, you must choose the Opt-in. This means that you cannot start tracking people before the consent was given.
    3. if you are using some tools/scripts on your website that are used to identify individuals and their data is processed by you or 3rd parties, that can be done only when a person gives consent
    1. Further, as Logic Hop integrates with third party tools you’re already using such as Drip, ConvertKit, Facebook ads, UTM codes, and more, you may not need to store the data Logic Hop generates to use the plugin how you want. You may even be able to generate all the personalizations you need in real time, with nothing stored!

      I don't like how GDPR encourages more and more to be done on-the-fly on the client-side so that you don't have to send it to the server and accidentally have it saved somewhere.

      Related:

      Geolocation, using IP address (geolocation is never stored).

    2. If data storage is off, the data listed above is temporarily available for the current session, but nothing is stored. When the visitor leaves your website, no data is stored.

      What does "When the visitor leaves your website" mean exactly? What if they never leave the site and just leave the tab open indefinitely? Isn't the data stored somewhere in the meantime?

    1. You need to provide the ability for users to look at cookies individually, so they need to be listed (and that can be quite a lot of work in major systems). You’re allowed to define some cookies as “necessary for the correct functioning of this product”, usually cookies that store session related data. After all, if a user opts out of those, they can’t meaningfully use the web site, or that part of the site. But you have to be honest about it. You can’t, for example, define marketing or analytic cookies as necessary, and you have to allow users to opt out from them. Those don’t stop the site from functioning, it just reduces the data you can collect about site use.
    1. Why would a company want to have one system for people in France, Germany, and Italy and a separate one for people everywhere else?
    2. “It’s strange to say, ‘Yeah, we’re going to respect the privacy of Europeans more than all other human beings all over the world,’”
    1. Is that enough to be GDPR compliant? No. My understanding is that to be compliant you would wait to initialize the analytics until after you had received the user's explicit consent. Even then you would need to be able to turn off analytics again if the user later revoked their consent.
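
The "initialize only after explicit consent, tear down on withdrawal" model described in the annotations above (prior blocking, granular purposes, a consent record), as an added example that is not code from any of the annotated pages. It is a plain state machine: the `ConsentManager` class, its purpose names and the `load`/`unload` callbacks are assumptions of this example, with actual script injection left to those callbacks so the logic runs outside a browser.

```javascript
// Added example (not code from any of the annotated pages): a consent-gated tag
// loader implementing the "prior blocking" model from the highlights above. A tag
// registered under an optional purpose runs only after an explicit opt-in for that
// purpose, revoking the purpose tears it down again, and every decision goes into
// an audit log that serves as the consent record. Actual script injection is left
// to the load/unload callbacks, so the state machine itself runs outside a browser.
class ConsentManager {
  // purposes: optional categories the banner offers; now: injectable clock.
  constructor(purposes, now = () => new Date().toISOString()) {
    this.purposes = new Set(['necessary', ...purposes]);
    this.granted = new Set(['necessary']); // only strictly necessary runs by default
    this.tags = [];                         // {purpose, load, unload, active}
    this.log = [];                          // {purpose, action, at}
    this.now = now;
  }

  // Register a tag; it starts now only if its purpose is already granted.
  register(purpose, load, unload) {
    this._checkPurpose(purpose);
    const tag = { purpose, load, unload, active: false };
    this.tags.push(tag);
    if (this.granted.has(purpose)) this._activate(tag);
    return tag;
  }

  // Explicit opt-in (a click or toggle). Silence, scrolling or a pre-ticked box
  // must never be mapped onto this call.
  grant(purposes) {
    for (const purpose of purposes) {
      this._checkPurpose(purpose);
      if (this.granted.has(purpose)) continue; // idempotent, no duplicate log rows
      this.granted.add(purpose);
      this.log.push({ purpose, action: 'grant', at: this.now() });
      this.tags.filter(t => t.purpose === purpose).forEach(t => this._activate(t));
    }
  }

  // Withdrawal: as easy as giving consent and effective immediately.
  revoke(purposes) {
    for (const purpose of purposes) {
      this._checkPurpose(purpose);
      if (purpose === 'necessary') throw new Error('necessary cannot be revoked');
      if (!this.granted.has(purpose)) continue;
      this.granted.delete(purpose);
      this.log.push({ purpose, action: 'revoke', at: this.now() });
      this.tags.filter(t => t.purpose === purpose).forEach(t => this._deactivate(t));
    }
  }

  // Banner decision. 'rejectAll' costs the same single click as 'acceptAll';
  // 'custom' is the granular per-purpose selection.
  applyChoice(choice, selected = []) {
    const optional = [...this.purposes].filter(p => p !== 'necessary');
    if (choice === 'acceptAll') this.grant(optional);
    else if (choice === 'rejectAll') this.revoke(optional);
    else if (choice === 'custom') {
      this.grant(selected);
      this.revoke(optional.filter(p => !selected.includes(p)));
    } else throw new Error(`unknown choice: ${choice}`);
  }

  isGranted(purpose) { return this.granted.has(purpose); }
  // Snapshot to persist as the proof of consent.
  record() { return { granted: [...this.granted].sort(), log: this.log.slice() }; }

  _checkPurpose(p) { if (!this.purposes.has(p)) throw new Error(`unknown purpose: ${p}`); }
  _activate(tag) { if (!tag.active) { tag.active = true; tag.load(); } }
  _deactivate(tag) { if (tag.active) { tag.active = false; tag.unload(); } }
}

// Constructed demo: counters stand in for injecting and removing vendor scripts.
function demo() {
  let tick = 0;
  const cm = new ConsentManager(['analytics', 'marketing'], () => `t${tick++}`);
  const calls = { session: 0, gaLoad: 0, gaUnload: 0, adsLoad: 0, adsUnload: 0 };
  cm.register('necessary', () => calls.session++, () => {});
  cm.register('analytics', () => calls.gaLoad++, () => calls.gaUnload++);
  cm.register('marketing', () => calls.adsLoad++, () => calls.adsUnload++);
  const blocked = { ...calls };            // before any choice: only session ran
  cm.applyChoice('custom', ['analytics']); // granular choice: analytics only
  const afterChoice = { ...calls };
  cm.revoke(['analytics']);                // user withdraws consent later
  const afterRevoke = { ...calls };
  return { blocked, afterChoice, afterRevoke, record: cm.record() };
}
```

In a real page the `load` callback would append the vendor `<script>` and `unload` would remove it and clear its cookies; the persisted `record()` is what you would present as proof that consent was given (and later withdrawn).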
    1. almost any compliance expert will tell you that a lot of the GDPR is written vaguely and will need to be litigated. And that’s 100% accurate. But err on the side of caution until the courts can provide more clarity.
    1. Absolutely not! There is no GDPR cookie rule. That is a total myth.
    2. if the cookie is installed by your own site, then the consumer can decide ON THEIR OWN BROWSER, if they want to send it. Cookies are a data signal YOU ARE SENDING FROM YOUR OWN COMPUTER. If you don’t want to voluntarily submit a cookie, just turn it off.
  5. Nov 2019
    1. Clear affirmative action means someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default. The key point is that all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.

      On opt in vs opt out in GDPR.

    1. Although the GDPR doesn’t specifically ban opt-out consent, the Information Commissioner’s Office (ICO) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.

      On opt in vs opt out in GDPR.

  6. Oct 2019
  7. May 2019
    1. Unsurprisingly living up to its reputation, Facebook refuses to comply with my GDPR Subject Access Requests in an appropriate manner.

      Facebook never has cared about privacy of individuals. This is highly interesting.

  8. Sep 2018
    1. It is also necessary to accelerate the creation of a national software certification structure that makes technicians available who can test the software created for the public administration (PA) and ensure its compliance with the AGID rules and with the GDPR (privacy by design). In this area, national capacity is currently very limited.

  9. May 2018
  10. Apr 2018
    1. A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.

      I see a lot of cookie notices that give vague reasons like "improving user experience". Specifically disallowed by GDPR?

    2. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users.[6] In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.[7]

      GDPR can allow opt out rather than opt in.

    1. The alternative, of a regulatory patchwork, would make it harder for the West to amass a shared stock of AI training data to rival China’s.

      Fascinating geopolitical suggestion here: Trans-Atlantic GDPR-like rules as the NATO of data privacy to effectively allow "the West" to compete against the People's Republic of China in the development of artificial intelligence.

  11. Feb 2018
    1. The extraterritorial nature of these two frameworks — they protect the privacy rights of people in Europe regardless of where their data is collected — means that they will become the de facto standard for privacy around the world.

      I'm not totally clear on how this would be enforced yet, but jeepers

    2. Your privacy testing procedures should predict the ways unauthorized users would access actual data on your system. Would a suspicious search for user data, or an alteration to a record, be logged as a security vulnerability? Is data stored in login cookies? Could someone gain access to data by intentionally triggering an error?

      This sounds a lot like threat modelling.

    3. The European term “personal data” differs from the American term “personally identifiable information.” The latter pertains to a much more limited set of information than the European model. It also does not see information as contextual, whereas the European framework emphasizes the risks inherent in data aggregation.

      Important distinction. This is a useful article

  12. Jan 2018
    1. No more retention scams that allow online signups but demand users phone a call centre to delete their accounts.

      Holy caw, this covers opt-out after subscriptions too? Eeeenteresting...

    1. Article 15 supplements Article 40 of the law of 6 January 1978 in order to use the margin of manoeuvre provided for in Article 23 of the regulation concerning the restriction of certain rights of data subjects. That article provides that national law may, by way of legislative measures, restrict the scope of the obligations and of the rights of data subjects (right to information, right of access, right to rectification, right to erasure, right to portability, right to object, etc.), where such a restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society to safeguard certain objectives (national security, national defence, public security, the prevention and detection of criminal offences, protection of the independence of the judiciary and of judicial proceedings, important objectives of general public interest of the Union or of a Member State, …). Recital 41 of the regulation specifies in this regard that “a legislative measure” within the meaning of that article “does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned”.

      loophole.

    1. The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for US companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2 % of worldwide turnover.

      This appears to be the source for the quote. If you search the web for the quote, though, it seems most often to be attributed to Wikipedia itself.