H&H violating GDPR?

[Granger]

It's like suing McDonald's for their hot coffee on steroids.

That specific case, iirc, had merit though: serving coffee that can give 3rd degree burns in <10 seconds in unstable containers and the victim that only went to court to get the medical bill covered and the final verdict factored in the 700+ people injured prior (of which McDonald's knew about - and did nothing). The media reported it as being fraudulent though, including plenty of wrong statements and painting her as a gold digger...

"[W]hoever, being of the age of 18 years and upwards, by any act corrupts or tends to corrupt the morals of any minor less than 18 years of age . . . commits a misdemeanor of the first degree."

Nice. Moral based law where the damage is purely in the eye of the beholder, what can possibly go wrong?

I'm sure there are some creative ways to mess with people in it.

[Robben_DuMarsch]

Nice. Moral based law where the damage is purely in the eye of the beholder, what can possibly go wrong?

I'm sure there are some creative ways to mess with people in it.

As far as creative ways to defend, it's really just a factual dispute. The law is pretty clear that just about anything can qualify as a factual basis to support the charge so long as it meets some vague standard: "Therefore, the question of sufficiency for the corruption of minors conviction ultimately rests on whether Appellant's actions were of a type that would offend "the common sense of the community and the sense of decency, propriety and morality which most people entertain."

[loftar]

I am indeed at least vaguely aware that the GDPR might affect us. I've been hopeful that since we, just like someone wrote in this thread, don't "process" personal data in any way whatsoever and only log the bare minimum necessary for researching security problems it shouldn't be affecting us very much, and from what little I've been able to glean from it from all the various websites covering GDPR that all try to say as little as possible about it since noone seems to know what it means, that seems to be somewhat corroborated.

That being said, if you can think of any way to exploit the GDPR to scam money from us, I encourage you to tell us instead of executing it. :)

If anything, I should probably remove the "full name" field from the registration page, that we've never used for anything anyway. I've been considering its meaninglessness for years now.

[loftar]

As an aside, a question for those who've managed to understand more of the GDPR than I have: Do you think it will actually change anything at all whatsoever, or will all sites just gain a slightly larger "cookie disclaimer" to get your "consent" and continue doing exactly the same things they've always done?

If the GDPR means the death of Google Analytics and Facebook button tracking, I might actually welcome it. But I have my, well, doubts.

[Granger]

FYI: IP and mail addresses are personal data under GDPR, you process these on a regular basis....

[loftar]

FYI: IP and mail addresses are personal data under GDPR, you process these on a regular basis....

I do believe "process" means something more under the GDPR than merely storing them. They seem to assign some kind of significance to the difference between "structured" and "unstructured" storage of personal data, apparently for the purpose of distinguishing data mining. The details are murky, of course.

[Robben_DuMarsch]

As an aside, a question for those who've managed to understand more of the GDPR than I have: Do you think it will actually change anything at all whatsoever, or will all sites just gain a slightly larger "cookie disclaimer" to get your "consent" and continue doing exactly the same things they've always done?

If the GDPR means the death of Google Analytics and Facebook button tracking, I might actually welcome it. But I have my, well, doubts.

Here's a message from an attorney at a large corporation that discussed this recently:
"My work doesn't actually touch GDPR, but the US part of the team sits on my floor. I think we've hired something like 20 different external counsel across the globe and received 20 different interpretations as to what we're supposed to be doing."
For that reason, most corporations with a lot of skin in the game are construing it broadly to try to protect themselves from liability which can be pegged at 4% of their international gross revenues.

You've got much less skin in the game, I'd imagine.

[Granger]

FYI: IP and mail addresses are personal data under GDPR, you process these on a regular basis....

I do believe "process" means something more under the GDPR than merely storing them.

Sadly: nope.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

identification number = IP address
location data = can be derived from IP address
online identifier = mail address

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

There's 'storage' and 'use' - you have both.

[Miss_Min]

... I don't really see how my IP addresses can identify me, the natural person on the other side of the keyboard? I mean, they might with a lot of data processing show that I've accessed the site from a surprising number of McDonalds branches (IF using McDonalds wifi shows up as identifiable to that level, rather than just as O2 wifi or whatever it was in Spain), and with a bit of processing in the other direction they would associate my account with a few others, which would hardly come as a surprise given that I've previously mentioned sharing a household with other people who've posted on the forums (one currently somewhere in the Northern Kingdom, one now playing Warhammer Online instead).

I've previously thrown some money in the general direction of Seatribe, so I suppose they have my Paypal ID, which goes some way further towards identifying me as a natural person, but also doesn't particularly distinguish me from the person in Singapore who occasionally puts my email address on forms for mailing lists they don't really want to sign up to.

[Aceb]

... I don't really see how my IP addresses can identify me

the thing is, it can't. Sure, it can be tracked to certain PC at certain time, but without extended knowledge and information it is impossible to say WHO, but WHEN or WHY. There's no way to be 100% sure that the person who accessed your accounts, e-mails and everything, is You or not your mother, burglar, hacker, cracker or a dog. There's only high probability it was You.