The GDPR is a new EU wide legislation that harmonizes the handling of personal data for all EU citizens. You can read an a decent executive summary from ZDNet or you can read about it from the EU.

In general the basic concept is this: If you accept data from your users, you have to:

  1. Be upfront about what you’re using it for outside of expected business purposes
  2. Gain their explicit consent before using it for any other purpose (don’t pre-fill ‘yes’)
  3. Notify them in a timely manner if their data gets leaked

Seems pretty easy right?

It seems like this is the sort of thing we really shouldn’t need regulations around right? I mean, businesses want to treat their customers well don’t they?

For an eye opening look, check out this study on web design anti-patterns by the Norwegian goverment.

This is a personal example of how not to comply with the GDPR.

I recently clicked through on google news to (not linked).

I was presented with this screen:

That's nice, they value my privacy

Nice. So far so good, a big old “I do not accept button.”

However, clicking on the button leads to this page:

I guess they don't value my privacy?

Which also included over 3,000 lines of javascript code.

It also set all these cookies:

This is after I said I don’t want to be tracked. It also set cookies for the following domains:

What happens if you say yes?

It’s unlikely that this company has any presence in the EU, so they really didn’t need to comply with the directive at all, but if you’re going to do so, why spend all that time and money and then just make it a charade.

As it stands now, this site is not compliant with the directive. You aren’t allowed to block someone because they didn’t want to give you data that isn’t necessary to provide them with the service.

That’s the end of my rant.. Thanks for reading.