I find it sad to see the “American corporations behave passively aggressively because evil GDPR forces them to” meme also on LessWrong, so please allow me to provide an ELI5 version of what GDPR actually says:
*
You shall not collect your customers’ personal data.
Unless they consent to that.
The consent must be explicit and freely given.
What is “explicit”?
If the user checks a checkbox near “I agree that you can store my name and address in your database, for the purpose of sending me an invoice” = explicit.
If the user forgets to uncheck a 1px large checkbox that was checked by default = not explicit.
If the user checks “I agree that you may store my data” in the context suggesting that “data” refers to their name and address, but you actually secretly turn on their webcam and store the video of them = also not explicit.
If the user checks “I agree that you can store the information about my penis size and send me promotional messages about Viagra to my personal e-mail twice a day” = explicit.
What is “freely given”?
If there are two buttons of approximately the same size saying “I agree” and “I disagree”, and the user clicks the first one, and gets the same experience as they would counterfactually get after clicking the second button = freely given.
If the button “I disagree” is 1px large, or disabled, or the application freezes after clicking on it, so that the user can only continue after clicking on “I agree” = not freely given.
If the button “I disagree” opens a large scrollable dialog with 20 settings with unclear descriptions and some of them open extra dialogs with more buttons, but the button “I agree” just makes the application work immediately = also not freely given.
But what if storing the data is intrinsically necessary for a given functionality? For example, I cannot send you an invoice for the stuff you want to buy at my e-shop if I don’t know your name and address. Or, if it is required by law: for example, I am legally required to ask whether you are an adult before selling you alcohol.
That is called “legitimate interest”, and the rules are the following: You still need to ask the user for consent, but if the user disagrees, then you simply do not provide them the specific functionality (for example the “buy” button is disabled).
However, you cannot cleverly leverage the “legitimate interest” to expand your data collection beyond its scope.
If X is intrinsically/legally needed for the functionality, but Y and Z are not, you have to make this clear (i.e. you are not allowed to also label Y and Z “legitimate interest”) and the consent for X is provided separately from the consent for Y and Z (for example two separate consent checkboxes if the data is collected automatically, or input boxes clearly indicating that X is required but Y and Z are optional).
If X is intrinsically/legally needed for functionality F, but not for a separate functionality G, if the user refuses, you can disable F, but you cannot disable G.
You have to disclose on request to the user all the information that you are currently storing about them.
The user can revoke the consent, in which case you need to delete their stored personal data (except for data you are legally required to keep, in which case you need to delete it after the legally specified period is over). You cannot make revocation of the consent logistically more difficult than it was to provide the consent.
*
Whenever you see a company doing something more complicated than “hey, you okay with us storing the following information about you: yes or no?”, nine times out of ten, the company is just stupid or passive-aggressive, and the things “required by GDPR” are in fact not required by GDPR at all (and often are in violation of GDPR). Yes, that includes companies such as Google. Yes, they are perfectly aware of that; they do the annoying thing on purpose, because trading your personal data is an important part of their business.
How to make your website GDPR compliant?
Easy version: Do not collect personal data.
Hard version: Display a form asking whether it is okay to collect the personal data. (No, it doesn’t have to be a modal window covering half of the screen. No, you do not have to display it every time the user visits your page. For example, in the case of an e-shop, it is enough to ask for consent after the user clicks “create account” or an unregistered user puts the first item into their shopping cart.) In the user settings, create a tab that shows all information you have collected about the user. Also, provide a “delete account” button which actually deletes the personal information (you can still keep the shopping history of an unknown deleted user).
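Editor's added example (not part of the comment above, and not anyone's production code): a minimal consent-scoped data store that implements the rules the comment lays out: data is stored only under a purpose the user explicitly agreed to, a refused purpose disables only the functionality that genuinely needs it (F but not G), the user can see everything held about them, withdrawing consent deletes the data unless a legal retention period applies, and “delete account” really deletes. The purposes, field names, functionality names and the 3650-day retention figure are constructed placeholders, not values from the comment or from any law.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class Purpose:
    """One consent scope: fields it covers, functionalities that cannot work without it, retention."""
    name: str
    fields: frozenset
    required_for: frozenset
    legal_retention_days: int = 0  # 0: delete as soon as consent is withdrawn

# Constructed purposes for this example; the retention figure is a placeholder, not a legal value.
PURPOSES = {
    "invoicing": Purpose("invoicing", frozenset({"name", "address"}), frozenset({"buy"}), 3650),
    "age_check": Purpose("age_check", frozenset({"birth_date"}), frozenset({"buy_alcohol"})),
    "marketing": Purpose("marketing", frozenset({"marketing_email"}), frozenset()),
}

@dataclass
class UserRecord:
    user_id: str
    consents: dict = field(default_factory=dict)         # purpose -> True/False; absent = never asked
    data: dict = field(default_factory=dict)             # field name -> value
    retention_until: dict = field(default_factory=dict)  # purpose -> date its held data gets deleted
    orders: list = field(default_factory=list)

def grant_consent(user, purpose):
    """Record an explicit yes; nothing is pre-ticked, so an unanswered purpose stays absent."""
    user.consents[purpose] = True

def store_field(user, name, value):
    """Keep a value only if a purpose the user actually agreed to covers this field."""
    if not any(ok and name in PURPOSES[p].fields for p, ok in user.consents.items()):
        raise ValueError(f"no consent covers field {name!r}")
    user.data[name] = value

def available(user, functionality):
    """Disabled only when a purpose this functionality genuinely needs was refused or never granted."""
    needed = [p for p in PURPOSES.values() if functionality in p.required_for]
    return all(user.consents.get(p.name, False) for p in needed)

def export_data(user):
    """Subject-access view: everything held right now, consent state and retention holds."""
    return {"data": dict(user.data), "consents": dict(user.consents),
            "retained_until": {p: d.isoformat() for p, d in user.retention_until.items()}}

def revoke_consent(user, purpose, today):
    """Withdraw consent: delete now, or schedule deletion when a legal retention period applies."""
    spec = PURPOSES[purpose]
    user.consents[purpose] = False
    held = sorted(f for f in spec.fields if f in user.data)
    if held and spec.legal_retention_days:
        user.retention_until[purpose] = today + timedelta(days=spec.legal_retention_days)
        return []  # nothing deleted yet; purge_expired() removes it when the period ends
    for f in held:
        del user.data[f]
    return held

def purge_expired(user, today):
    """Delete data whose legal retention period has ended; returns the deleted field names."""
    purged = []
    for purpose, until in list(user.retention_until.items()):
        if today >= until:
            purged += [f for f in sorted(PURPOSES[purpose].fields) if user.data.pop(f, None) is not None]
            del user.retention_until[purpose]
    return purged

def delete_account(user, today):
    """Delete button that deletes: withdraw every consent; what survives is only legally retained
    fields (with expiry) and an order history stripped of the customer identity."""
    for purpose in list(user.consents):
        revoke_consent(user, purpose, today)
    retained = {p: (sorted(f for f in PURPOSES[p].fields if f in user.data), d.isoformat())
                for p, d in user.retention_until.items()}
    orders = [{k: v for k, v in o.items() if k != "customer"} for o in user.orders]
    return {"retained": retained, "orders": orders}

def demo(today=date(2024, 1, 15)):
    """Walk one constructed customer through consent, refusal, withdrawal, retention and deletion."""
    u = UserRecord("u1")
    grant_consent(u, "invoicing")
    store_field(u, "name", "A. Customer")
    store_field(u, "address", "1 Example Street")
    try:
        store_field(u, "webcam_frame", b"\x00")  # the secret-webcam case: outside every granted scope
        rejected = False
    except ValueError:
        rejected = True
    obs = {"webcam_rejected": rejected, "buy": available(u, "buy"),
           "buy_alcohol": available(u, "buy_alcohol"),  # age_check never asked, so only that is disabled
           "export_fields": sorted(export_data(u)["data"])}
    obs["deleted_on_revoke"] = revoke_consent(u, "invoicing", today)  # [] because retention applies
    obs["retained_until"] = export_data(u)["retained_until"]["invoicing"]
    obs["purged_after_period"] = purge_expired(u, today + timedelta(days=3650))
    grant_consent(u, "marketing")
    store_field(u, "marketing_email", "a@example.com")
    u.orders.append({"customer": "u1", "item": "book", "total": 12})
    obs["deletion"] = delete_account(u, today)
    return obs
```

Running `demo()` walks through the cases in order: the webcam field is rejected because no granted purpose covers it, “buy” works while “buy_alcohol” is refused (its purpose was never consented to, and nothing else is affected), withdrawing the invoicing consent defers deletion until the placeholder retention period ends, `purge_expired` then removes the data, and `delete_account` leaves nothing but an order history with the customer identity stripped. Real systems would also keep a record of the consent wording shown at the time, and would remove the deleted record from whatever store holds `UserRecord`.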