Hacker News | _doky's comments

Great story and all, but this piece is obviously written as an attack on Trump for things he didn't do, and failures that never happened to him.

When will the media get that this doesn't work?


What makes you think this is "obviously [an] attack" rather than just a cautionary tale? I certainly found it helpful to learn about a historic leader with strong similarities to Trump even though most of the left-leaning media portray him as something entirely new.


I suspect it was written to be sold. Not so much to influence.

It was an entertaining read and likely to get lots of clicks.


I'm beginning to highly doubt that anyone defending the GDPR has ever had any responsibilities that included:

1. Running a tech company

2. Funnels, conversions, and retentions

3. Writing software

Either that or they just want to watch the world burn.


Don't worry. The GDPR does a bang up job of devaluing itself.


Yes. Besides for the administration costs incurred (which is probably the real killer), the list of death points are:

1. Adding a dialog as the first step in an onboarding funnel that's already difficult to get users through

2. Handling non-consent. WTF! So if the user doesn't give consent to something that 99% of the population doesn't understand, I'm not allowed to prevent them from using the app. And so my engineering team needs to waste critical hours figuring out things like how to deal with crashes, or maybe how in the fuck we're supposed to fall back to not using services that we're built on (e.g. Firebase)!

3. Dealing with the fallout of #1 in the form of bad reviews that are the kiss of death to startups


> Handling non-consent. WTF! So if the user doesn't give consent to something that 99% of the population doesn't understand, I'm not allowed to prevent them from using the app.

This is like a living, breathing example of why GDPR had to be written the way it was, so that arrogant techbros couldn’t rationalize their way around to screwing everyone over for a quick dollar. It’s also a perfect example of why you get zero sympathy. “But maaaa, it’s hurting my funnel!” Good.


Did you read any further? If I can't prevent them from using the app, then I have to solve an impossible problem. Namely providing a fallback for core services that the app is built on.


You do not need any consent for essential services. But you do need to make sure that those services do not sell your users personal information to third parties, and make sure you can comply with other GDPR requirements (right to be forgotten etc) by getting a data processor agreement with that core service. You are responsible for what your suppliers do.

If you would have built your whole app on "free" services for which your users pay with their personal information, that would be problematic under GDPR. And rightfully so.


So now the EU is in charge of how I decide to build my app, and is trying to dictate what suppliers I can use?

What if I decide that crash reporting is an essential service (it is), and the EU's lawyers decide that it's not? Who is going to pay my legal fees, and potential fine? I should be on the hook because some schmuck uses a service that I provide for free (which essentially means I'm paying for it with my time), and is upset that I may not be handling his data in the way that the EU says I should be? The sane solution would be to allow me to tell this individual that he cannot use the app if he doesn't consent. But here comes the EU telling me that I must allow him to use the app.


> So now the EU is in charge of how I decide to build my app, and is trying to dictate what suppliers I can use?

No, the EU only stipulates that you are not allowed to sell, leak or otherwise slander personal data from EU residents without their freely given consent, and makes you liable for that.

IANAL, but I think there is no reason to fear too much, though I would stay on the safe side regarding interpretation. And remember that anybody can report you for anything to the authorities, or sue you already; if you are prosecuted you'll have to pay your legal fees and fines whether it's about GDPR or not.


Unfortunately those competitors will crash and burn when their users get pissed off at the opening dialog.


You think that an opening dialog will annoy users more than having a service entirely blocked in their country?


So the rest of the world should get annoyed with the opening dialog, so that the EU doesn't have to get blocked? Sounds like this could be solved by a proper solution, which the GDPR is not.


> So the rest of the world should get annoyed with the opening dialog, so that the EU doesn't have to get blocked?

Nope. Surely you can think of a technical solution to this problem.


Oh the law. Good one.

The same law that fined me $1,800 because a posted notice fell off my door in a blizzard? The same law that allowed the judge to uphold the fine by saying "I don't believe you". Bureaucracy sucks, and the second it gets its tentacles on you, no amount of cheek clenching is gonna delay the inevitable.


I think you mean "can't see a reason not to honestly, ONLY if it's valid". And even that's morally ambiguous.


Really? Most of what I've seen from outside the industry is akin to "GET THIS ING DIALOG OFF MY SCREEN I HATE IT WHEN THE FIRST THING AN APP DOES IS SHOW A ING POINTLESS DIALOG WHEN I JUST WANT TO USE THE APP"


I'm still struggling with the fact that the EU can compel me to add what will be a funnel shattering dialog to my onboarding.

I've shelved a bunch of side projects that I was excited to work on because I have no interest in dealing with any of this ambiguous law. Implementing it would most likely cause a large percentage of users to uninstall my app, because who wants to be greeted with a scary sounding dialog as their first experience in an app. I know many folks here are privacy oriented, but unless this tiny slice of the population is willing to fund my app, I have 0 interest in pandering to them vs the majority of users that would get scared away by it.

I know that there's an almost 0% chance of any repercussion for not being compliant in a tiny app that'll probably never get anywhere, but I'm just so sickened by this whole thing that I don't want to deal with any of it.


If you were going to make apps that didn't safeguard the users' data, and this law deterred you from doing so, then the law is working as intended.


I think it's pretty easy to argue that such an intent could be described as "stifling innovation", if it's preventing people from trying new things because of the overhead associated with an impact analysis and continued maintenance of e.g. responding to data requests indefinitely.


I agree, we should also get rid of copyright and property laws in the name of not "stifling innovation". It is absolutely ridiculous that I can't just walk into people's homes and install my 'adtreckr' eye tracking cameras on their TVs, even though that has the potential to revolutionise the amount of engagement and make sure that they only receive the most engaging, most relevant ads for their tastes. /s

Less satirically, you are free to innovate by coming up with new tech, then selling to people who care enough to deal with regulations. The 'stifling innovation' copout is so utterly overused by people who want to ignore negative externalities like pollution or the surveillance state we are building up. I am starting to think of it as a type of rent seeking: "I am currently in the privileged situation of having the technology and network effect necessary to exploit this unguarded treasure of X without dealing with the fallout. Please don't pass any regulation requiring me to actually pay my dues"


I think there's a very specific motivator behind people who build tech with the intent to sell, and that motivator doesn't cover every reason behind other people who build tech. If I want to start a project and think, "cool, if this works out, I'll sell it 6 months from now so it can actually do cool stuff", I'm just not going to work on that project at all.

Honestly though, I would _love_ to live in a world where you could walk into my home and install your 'adtreckr' eye tracking cameras on my TV. What you're describing is "trust", and I think the amount of it that each person has (for people in general, but also for companies) is a big influence in how they view GDPR (and other regulations that some might argue are unnecessary). Obviously, we're very far away from that world, so this isn't consent for you to come waltzing into my home in the near future. :)

In my eyes, the satirical representation of what's happening here (from a consumer's point of view) is me placing an order for your awesome new eye tracking cameras, looking forward to the delivery and installation, and then seeing delays and delays as you repeatedly come back with, "well, are you sure you want this? are you sure I can enter your home? are you sure I can touch your TV? are you sure I can modify your TV?" I signed up, I paid for it, I told you I want it, just do whatever you need to do to give me it.

From a business POV, I already treat user data with utmost regard, and my users know that. Similarly, I trust that the companies I willingly give my data to do the same. There are probably some bad actors in the mix, but I doubt they're going to bother with compliance anyway. Having to go out of my way to prove that data trust is there to a third party completely uninvolved with the contract I have with my users, and to spend hours and hours implementing new workflows and pipelines for out of scope functionality that needs to be maintained indefinitely -- this is not good for a business. It's bad for small businesses because it sucks up time, money, and other resources, and it's bad for big businesses because it opens up such a huge area for litigating non-issues. It might have some value to users, as I said elsewhere, but it's a heavy-handed regulation that is too overreaching in its implementation, in my personal opinion.


> Honestly though, I would _love_ to live in a world where you could walk into my home and install your 'adtreckr' eye tracking cameras on my TV. What you're describing is "trust", and I think the amount of it that each person has (for people in general, but also for companies) is a big influence in how they view GDPR (and other regulations that some might argue are unnecessary). Obviously, we're very far away from that world, so this isn't consent for you to come waltzing into my home in the near future. :)

Anarchy is always ruined by all those people! (I'm a big fan of trust, and not a big fan of Hayek, but Hayek had an insight when he talked about the micro and the macro cosma. People are too diverse that we can rely on "trust" to solve things, we need agreed on official rules)

> In my eyes, the satirical representation of what's happening here (from a consumer's point of view) is me placing an order for your awesome new eye tracking cameras, looking forward to the delivery and installation, and then seeing delays and delays as you repeatedly come back with, "well, are you sure you want this? are you sure I can enter your home? are you sure I can touch your TV? are you sure I can modify your TV?" I signed up, I paid for it, I told you I want it, just do whatever you need to do to give me it.

No. If you opt into buying my camera, since it is explicitly necessary to do all of that stuff, the consent is given as part of the buying contract. I just need to clearly state and explain that. If you had to gain access to Facebook or instapaper via a huge opt in order form (let's say a pop-up detailing exactly what happens to your data), then it is equivalent... and that is exactly what GDPR requires

> From a business POV, I already treat user data with utmost regard, and my users know that. Similarly, I trust that the companies I willingly give my data to do the same. There are probably some bad actors in the mix, but I doubt they're going to bother with compliance anyway. Having to go out of my way to prove that data trust is there to a third party completely uninvolved with the contract I have with my users, and to spend hours and hours implementing new workflows and pipelines for out of scope functionality that needs to be maintained indefinitely -- this is not good for a business. It's bad for small businesses because it sucks up time, money, and other resources, and it's bad for big businesses because it opens up such a huge area for litigating non-issues. It might have some value to users, as I said elsewhere, but it's a heavy-handed regulation that is too overreaching in its implementation, in my personal opinion.

If you already do everything that is commonsense data protection, which is the bulk of what is required by GDPR, then all you have to do is document that. If you cannot guarantee that the data is not shared, then the third party isn't uninvolved in the contract you do with your users.

Honestly, think of my data as something I own, like my house or my car, and GDPR becomes easy. Think of it as something you "create" by tracking me on your site, and your point of view becomes easier. I like my world better


I have a hard time seeing any justification for your view. Why would you own data about yourself? Do you own your name? Do you own the fact that you went to taco bell for dinner last night? Can you sue someone else for knowing you went to taco bell last night? Should it be a crime for someone who knows your name to tell someone else your name? What if they do it for money?

"Owning" data about yourself is a very strange concept to me.


GDPR could have safeguarded data by demanding more transparency, still allowing apps to accept data as a form of payment through personalized ads. It's not obvious why they are requiring apps to provide the same service for free 'without detriment'. That destroys a number of business models. Why not just allow them to give an option to not give their data if they are willing to pay?


> GDPR could have safeguarded data by demanding more transparency

That would be a toothless regulation. It would just cause businesses to add more crap to their privacy policies, which nobody reads anyway, and doesn't impact user behavior.

> It's not obvious why they are requiring apps to provide the same service for free 'without detriment'

So that users can opt-out of having unnecessary data collected. You should only be collecting the data needed to run the service. If your business collapses when users opt-out, your business model was nothing but data harvesting to begin with, and probably doesn't deserve to exist.

> That destroys a number of business models

A number of exploitative business models that harm society and democracy. Works for me!

> Why not just allow them to give an option to not give their data if they are willing to pay?

You can do that now. Stop collecting data that isn't necessary to run your service, and charge people money.


If they were smart about how transparent a business needed to be, I don't think it would be toothless at all. It would have given users more information about what is happening behind the scenes and allowed them to make their own decisions.

> So that users can opt-out of having unnecessary data collected. You should only be collecting the data needed to run the service. If your business collapses when users opt-out, your business model was nothing but data harvesting to begin with, and probably doesn't deserve to exist.

This is a really rosy view of things. The reality is that there are tons of apps / games / sites that people use and enjoy but would not pay for. And there are people who could not otherwise afford to pay for them but are able to enjoy them because personalized ads can be used as a form of payment. I would argue most of these things make the world a better place not a worse place. And that people should be able to choose how they want to pay for those services.


I don't agree, but at least I understand where you're coming from. Here is the stasis of our dispute:

> I would argue most of these things make the world a better place not a worse place. And that people should be able to choose how they want to pay for those services.

I'm not convinced any of the apps we pay for in data really improve our lives. The price we pay in control over our identity and our information usually outweighs the benefits. And in some cases, like in many distracting social apps or pay-to-win games, there is no benefit. The app is just designed to addict us, keep us occupied, and make our lives worse.

Furthermore, I don't think "allowing users to decide for themselves" is going to make a difference. That's like allowing poison in food, because everyone can scan the ingredients on the label for known poisons. It's unreasonable to expect the average person to do due diligence on every service they use online.


> I'm not convinced any of the apps we pay for in data really improve our lives. The price we pay in control over our identity and our information usually outweighs the benefits.

Hundreds of millions of Google and Facebook users disagree. If you ask people what Google does with the data they collect, a large percentage both incorrectly believe that they directly sell it to advertisers (rather than just using it for ad targeting) and don't have a problem with that.

I'm not saying that you're wrong, but I am saying that you aren't so clearly right that your preferences should be forcibly imposed on everyone.


That's fine, the problem is there was no choice before. OK, Google Analytics is somewhat easier to block, but e.g. Facebook with their shadow profiles? How do you block that? Is it feasible to expect teenagers to not use FB/Snapchat/Instagram when all their friends are just to protect their privacy?


If the benefit users got was that great, I think people would pay for these services, if forced to.


A significant proportion of the 500 million citizens of the EU are "privacy oriented".

If you can't keep our data safe, why should you be trusted with it?


My point is, I have no clue what's collecting data in an improper way, and I'm not going to hire a lawyer for a hobby app.

The amount of conflicting information about whether I do or don't need consent based on what services I use is just stupid. And I wouldn't even be showing ads.

Part of the app's function is related to location, do I need consent? Maybe.

It will use Firebase, do I need consent? Maybe.

It will collect crash data so I can debug the stupid thing, do I need consent? Maybe.

Etc...


Welcome to the real world. If your little hobby project leaks the personal information of a real person, then they don't care how much of an unimportant side project it was to you.

For purely personal use "hey guys, this is just a hobby use at your own risk" you won't get hit with GDPR.

Imagine if you were building cars for a hobby then selling them. Would you complain about all of those onerous regulations like seatbelts, crunch zones etc when all you really want to do is tinker with some cool engine tech?


I don't see what leaking personal information has to do with collecting crash data, or using Google's infrastructure to store my data. Why should I have to be on the hook for what is most definitely much safer than trying to safeguard the data myself?

Like I said, all it will accomplish is discouraging projects like mine that aim to provide utility to some people. One of my released hobby apps is no great commercial success (I don't show ads or collect revenue), but it's one of the top rated apps in its category on the Play Store, and I have about 20k DAU.

If the GDPR ever came after me for it, I'd just take the app down. Bam, 20k people a day affected because of over regulation.

Also, I wouldn't equate personalized ads with the life and death regulations involved in the auto industry.


I think if your app isn't available in European regional Play/App Stores, you aren't considered to be targeting EU residents and you can safely ignore the GDPR.


I've heard conflicting reports about that as well.


Curious about the Yahoo Store debacle that was mentioned a few times.



I am also curious as I thought Yahoo! Store was written in Common Lisp as it was acquired from Viaweb.


I think they rewrote in C++ after buying Viaweb. I could be wrong though.


Yes, IIRC that is mentioned in PG's blog post: Beating the Averages.

