
> And as part of their agreement, they can do pretty much whatever they like with those, can't they?

No, they definitely can't. Parts of HN love to hate on GDPR, but laws like that prevent companies from doing the things you proposed.



They are supposed to, but usually it takes several dozen times of them getting caught with their hands in the cookie jar and fined before they are even capable of acknowledging these laws even exist.


I did a lot of GDPR work at several <insert FAANG here> companies. It was absolutely taken seriously and lawyers were involved all the time. The reason for all these fines is 2-fold:

1. A lot of the fines come from edge cases that are literally unclear in the law. E.g. Facebook's opt-out for advertising fines. You can disagree with FB's decision, but teams of lawyers couldn't answer this question except in court. I think American and European jurisprudence are also pretty different, so someone sitting in California making business decisions might not understand the ramifications in Europe.

2. A lot of the thorny privacy bits can be bypassed if you update the TOS to mention it (or so they think). I’ve seen that happen a few times during my tenure.

That doesn’t excuse the choice of these companies to make these choices, but my point was to say that companies take it seriously but lawyers don’t always agree on how laws work except in court.


You know, that's not the sentiment I've been experiencing in the industry. There's certainly some uncertainty and risk-taking on the margins, e.g. what exactly constitutes "fair use", how to design user consent flows, and so on. But it's broadly accepted that you can't do anything with personal data without user consent, and I've found companies to be very careful in that regard.

Recently, Meta was fined $400MM for forcing users to consent to targeted advertising [0]. Note how Meta was careful to get consent (even if the way they did it was illegitimate). Sure, $400MM may not be a lot for a company that size, but I genuinely believe that the fines would be an order of magnitude higher if a company intentionally decided to do something with personal data without consent. GDPR fines may reach up to 4% of worldwide revenue, plus likely any proceeds from the illegitimate venture.

[0] https://www.cnbc.com/2023/01/04/meta-fined-more-than-400-mil...



