H&H violating GDPR?

[ArvinJA]

No emails about updates to the privacy policy has me concerned, I'm literally shaking. Haven't been able to eat or sleep, is my right to privacy being violated???

[Granger]

As long as the information they process is solely used to provide the service (and is discarded after it isn't needed any longer and the time you have to hold it by law had expired) there is no need to jump through the hoops of explaining your users the plentiful ways in which you monetize (or abuse) their personal data, since you don't...

That's at least one stance that one can read out of the GDPR regulations (same as you don't have to state that you won't use the home address they provide to swing by and murder them) - but the details will be known in 5-10 years after the dust settles in court, as it's an especially shitty made regulation. So it might be a wise idea to put up some sentences anyway, but noone knows what these exectly need to say to have the 'keep out of jail' function that you intent them to have.

One specific shitty thing is that IP addresses are now defined as being personal identifying information (for everyone, even when you by yourself are not able to reverse it to a specific person as you're not a 3 letter agency or the ISP that assigned it to the user in the first place) and it is completely unclear if eg. simply not storing it in a webserver logfile would be enough to not 'process' it.

The GDPR is based on a nice idea but that extremely bad implemented thus lawyers will get rich, the big companies legal departments to handle it, the small shops having to pay for outside consulting (which isn't responsible in case they told them the wrong things) and we kill more trees to fill meters of big Leits binders.

[ArvinJA]

Wow granger I didn't know that you were such a shill for evil companies. GDPR is a regulation, and regulations are always good, or do you want deregulation like Ronald Reagan?

[Granger]

You read me wrong: I support the general idea (to protect the data of the people, give them the control over it and stop evil coprs from strongarming them out of their data), I just think the specific way this regulation had been structured is bad as it's completely unclear what needs to be in the privacy statement in which case to the ones that have to implement it.

That the wording of this regulation itself had been changed (not fixing typos but changing meaning) just one month ago dosn't help either.

My prediction is that it'll boil down to yet another wall of unhelpful text (that noone will read) to achnowledge for the users and years of court cases till these defined the exact wording to use when you want to avoid yet another court case.

TL;DR: the basic idea is good, the implementation sucks.

[Robben_DuMarsch]

From the Lawyer subreddit:
"If he collects any data from anyone in the EU or UK at the point of account creation, he needs a manual opt-in privacy policy explaining as such and he needs a procedure in place for people to exercise their “right to be forgotten” in terms of that information. If he sends pseudonymous information to third parties like Google Analytics, he needs that information to be available and forgettable too. If he doesn’t want to spend a couple hundred bucks getting a compliant policy in place he needs to make his website inaccessible to the EU and the UK."

Much of the other discussion was whether the individual, running a small blog about a US City, was offering a service to EU subjects, or whether the EU had personal jurisdiction. Not at issue here, I'd think

[Granger]

From the Lawyer subreddit:
"If he collects any data from anyone in the EU or UK at the point of account creation, he needs a manual opt-in privacy policy explaining as such and he needs a procedure in place for people to exercise their “right to be forgotten” in terms of that information.

Which needs to correctly identify the person in question (to prevent impersonation) - leading to having to collect way more data than actually needed.

If he sends pseudonymous information to third parties like Google Analytics, he needs that information to be available and forgettable too.

Dosn't seem to apply to Haven, at least according to what my tracker-tracker tells me about this website.

If he doesn’t want to spend a couple hundred bucks getting a compliant policy in place he needs to make his website inaccessible to the EU and the UK

That option currently dosn't apply to Haven, as the server is within the EU.

But sweden might have sane legislators that made exceptions to small companies / single persons, like austria did. Havn't researched that.

And there's always the option to decide to say: That's stupid, fuck it...

[ArvinJA]

my comparative advantage is not knowing any laws

[Granger]

my comparative advantage is not knowing any laws

hahaha.
Nevertheless, the OP has brought up a point that the devs should at least research.

Notified them of this.

[Robben_DuMarsch]

Without giving anyone legal advice tailored to their situation, the general consensus is that there is no general consensus. The GDPR is sweeping and it authorizes a ridiculous sum of damages which have, in particular, scared the shit out of large multi-national corporations. What is even more worrisome is that various provisions of the GDPR are broad or vague, and there isn't much in the way of regulatory guidance. Common sense dictates that going after small websites and service providers is probably going to be difficult from a cost-effectiveness approach of enforcing the GDPR, even if it were desirable.

Even as an Attorney, I'm probably out of compliance with the GDPR in my personal business capacity. If they want to go after me, I'll just avoid taking vacations to Europe .

[shubla]

If they keep any data of their users they probably have to do something.
I think payments are handled by 3rd party and keeping email/username for forum purposes is probably not something that would require some lawyer-written agreements!

But devs should indeed look into it. Its not impossible that somebody would want to just fuck with the devs and take it to the court!