Spain Sunday: GDPR

We missed last week’s Spain Sunday and we will miss next Sunday. So here is a long post about something that recently occurred in Europe.

This is a crash course on the internet and how it just changed. I think it is pretty interesting and worth understanding since you probably don’t understand the internet generally. We didn’t – but with GDPR coming into play we thought we would try to understand things better.

GDPR is the General Data Protection Regulation. It just changed the internet a little bit: completely for the European Union (EU), and by proxy for everyone else. Google explains it best:

“On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.”

Basically it’s a new law for people in the EU (physically present in the EU, not just EU citizens) to

  • control their own data
  • protect their privacy online
  • have the right to see what information companies have about them
  • have any of this data/information deleted
  • know about data breaches within 72 hours

It’s more complicated with how data is collected and stored. Some boil it down to “use the data or delete it”: don’t just store everyone’s data for fun. It’s all very long but it boils down to protecting the user/consumer. Companies have to be more truthful and open about using your data. Companies have to be more careful about data (Russia is hacking everyone and everything right now). Companies only have to do these things if they’re getting sensitive information about you – and they all do.

The weird thing is that every website has to be compliant if there is a chance of anyone in the EU using their website. So websites chose to make small changes to make their website compliant for the 189.8 million Europeans who use the internet. They have the choice to either comply (with these reasonable requests) or block Europeans from seeing their website (thus losing traffic from nearly 200 million people). According to Medium.com “Any company that comes into contact with personal data of EU residents MUST ensure they comply with the GDPR or they run the risk of heavy fines.”

According to Buzzfeed, “many companies are rolling out new data policies to everyone. Including you.” Instead of looking at what computer you’re using to see if you’re from Europe and then changing your experience, websites are just changing their whole privacy policy to protect everyone. This means privacy notices and settings basically changed for everyone everywhere because of the EU (thanks EU!). In short, it was easier to just make changes for everyone.

Also the GDPR hasn’t made many changes, yet. All it looks like right now is a small popup at the bottom of a website either asking you to consent or just telling you that they’re going to keep invading your privacy but at least now you know. Literally nothing has changed for the average user. Here are 10 examples:

from Buzzfeed, Google, Reddit, New York Times, Twitter, Yahoo (the biggest one), WordPress, The Guardian, Encyclopedia Britannica, and Coca-Cola.

This is all you see, however on their end they’re going to have to be more careful with our data (we obviously can’t see this). And if someone says “delete everything you know about me” they have to (as of now Facebook is refusing to do this).

The EU isn’t telling other countries what to do but if an American company is obtaining any identifiable information (sex, age, marital status, location) from any EU citizen they are meant to comply with that citizen’s rights. And that citizen has the right to not have their privacy completely violated.

The EU is really not asking for a lot. They’re trying to give people about the same rights online that they have physically. So physically when I’m in public I have no right to privacy, but when I’m in my home I have a right to privacy (hence search warrants). But online privacy doesn’t exist – because of cookies.

What are cookies?

Cookies were invented in 1994 as a way to track online purchases and whether a user had been to that website before. People didn’t even know they existed until a newspaper reported on them 2 years later in 1996. This article created a huge kerfuffle regarding privacy rights and visitor tracking. Oh, what was Google’s message? “The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive.” So the EU was, again, ahead of the game regarding online privacy.

Anyway, cookies are like this – the internet is like a giant farmers market. When you visit a new stand (website) you are given a loyalty card (cookie). The card has your identifying information (from your computer) and information about the stand (website) you’re visiting. So like “Bob Boberson visited the Broccoli Stand on January 1st.” Like a punch pass for buy 6 coffees get a 7th coffee free – cookies track how many times you’ve visited their stand/website and what you were doing there. After a few years your loyalty card would say “here are the thousands of times you’ve come to the Broccoli Stand, what you bought and when, what you talked about with the shopkeeper.” Cookies are really similar to a Value Card from Krogers/City Market – it sees everything you have ever bought. This is great until Krogers publishes how many thousands of adult diapers, condoms or whipped cream you’ve bought.

The problem with some cookies is that they are completely readable to other websites. So with the farmers market analogy, each stand you visit gives you a cookie/loyalty card. Except instead of giving it to you to hold, they stick it onto your back. So you have all these things stuck onto your back like a kick me sign. “I visited a stand to deal with my watermelon-sized hemorrhoid,” “I have embarrassing sexual preferences,” “I pushed a baby over, once,” “I’m having marital problems,” “I completely identify as a squirrel and wish my name was Snuffles.” Any of these strange, messed up things (which are your rights to do/think) are just on your back and everyone can see them – except you.

Consider this – if you’ve ever looked up a flight online, you’ve paid a higher price. The first time you looked up the price you got a cookie on your back. When you visited the website again it looked at your cookies and said, “ooh you’re serious about this flight! Serious enough to pay a little more?” And it shows you more expensive flights. So you have literally paid extra money because of cookies.

Facebook is completely insane about these kick-me-sign cookies on your back. There is a little F facebook logo on just about every website. By being present on other websites they’re, in a way, part of that website. So Facebook gives you a cookie on every website you’ve ever been to (just about). Facebook has seen every news article you have ever read, any porn you’ve ever seen online, almost everything you’ve ever researched, every restaurant you’ve looked up, every trip you’ve ever planned, every recipe you’ve made. Facebook has seen everything. Every. Single. Thing. And you never posted any of it to Facebook, they just tracked you through every other website (the cookies stuck on your back). In this analogy the cookies aren’t just taped to your back, Facebook is a straight up stalker sitting on your shoulder writing down everything you’ve ever done.
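The tracking described above, as an added example that is not part of the original post: a small JavaScript simulation of a browser loading three pages that all embed a widget from the same tracker, run once with third-party cookies allowed and once with them blocked. The domains, the `uid` cookie and the class names are made up for illustration, and the full page address in the Referer header is an assumption (it was the older browser default; current browsers send only the site's origin across sites).

```javascript
// Constructed simulation: all domains, the "uid" cookie and class names are made up.
const TRACKER = "social.example";

class Browser {
  constructor(blockThirdPartyCookies) {
    this.block = blockThirdPartyCookies;
    this.jar = new Map(); // cookie owner's domain -> { name: value }
  }
  // Loading a page also requests every widget that the page embeds.
  visit(site, path, embeds, servers) {
    for (const host of embeds) {
      const allowed = host === site || !this.block;
      // A cookie only goes back to the domain that set it, here the widget's owner.
      const cookies = allowed ? { ...(this.jar.get(host) || {}) } : {};
      // Assumption: full page address in Referer (older default; now origin only).
      const referer = `https://${site}${path}`;
      const setCookie = servers[host].handle({ cookies, referer });
      if (setCookie && allowed) this.jar.set(host, { ...cookies, ...setCookie });
    }
  }
}

class TrackerServer {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // uid -> pages seen
  }
  handle({ cookies, referer }) {
    const uid = cookies.uid || `u${this.nextId++}`;
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(referer);
    return cookies.uid ? null : { uid }; // first contact: hand out an id
  }
}

// Returns the tracker's profiles, one list of visited pages per id.
function simulate(blockThirdPartyCookies) {
  const tracker = new TrackerServer();
  const browser = new Browser(blockThirdPartyCookies);
  const servers = { [TRACKER]: tracker };
  browser.visit("news.example", "/politics/story-1", [TRACKER], servers);
  browser.visit("pharmacy.example", "/hemorrhoid-cream", [TRACKER], servers);
  browser.visit("travel.example", "/flights/madrid", [TRACKER], servers);
  return [...tracker.profiles.values()];
}

console.log("cookies allowed:", simulate(false));
console.log("third-party cookies blocked:", simulate(true));
```

With cookies allowed the tracker ends up with one profile listing all three pages; with third-party cookies blocked it sees three unrelated one-page visitors.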

Facebook just got in huge trouble for this, rightly so. They weren’t just looking at this stuff for fun, they were selling it. And yeah, Facebook (like freedom) isn’t free. By visiting this free website you’re “paying” for it with your private information. Not so free anymore? But they went beyond the basics, to tracking and sharing everything. If you think you have nothing to hide, that’s great. But this brings us back to online rights vs physical rights you have. Physically when you’re in public you have no right to privacy, but when you’re in your home you have a right to privacy. Even if you have nothing to hide at home, you don’t want your drapes open every second of every day. You still have doors that keep people out.

When you’re online you’re using your personal device (phone, laptop, ipad that you paid for) to look up your own private things. You’re paying for your own internet. But you’re not paying for the website (Google, Facebook, Yahoo). They need ads to exist – to pay people to make the website, to pay for physical servers where the internet lives, to pay for air conditioners to keep the internet comfortable. And to pay for a security team to keep it safe. This isn’t free. Everyone acknowledges the necessity of advertisements. But many websites take it too far, they’re not just paying their bills – they’re completely exploiting your whole life to understand you. This can be hacked, exploited, stolen or yeah, sold.

When you watch TV you get random ads designed for people who are probably watching that show. Watching kids’ shows? You get toy and cereal advertisements. Watching sports? You’ll get shaving advertisements. Online, though, it sees you’ve been looking at hemorrhoid cream, vitamins, ice cream, and larger pants – and suddenly you’re getting diaper and baby name advertisements. That’s right – it knows. Is this fair? There isn’t an answer to this question.

Websites try to sell cookies as a fun personalized experience, saying that cookies “Provide you with the best possible experience [and] Show you content and ads that are relevant to you.” The ads on the side of roads, on radios or on TV are random. The ones you see online were literally chosen for you. This is promoting a consumer culture but also very nice of them – no one wants to watch a taxidermy advertisement when they don’t care about it. This is great because the website gets money and you didn’t have to pay for it. It’s a mutual relationship. So maybe it is all fair. GDPR won’t take this away, it just wants to make it more transparent. A mutual relationship, for once. And to stop another Facebook full-on-stalking from happening again.

By the way, was this passed because of Facebook’s debacle? Probably not, it has been under discussion for 4 years and was decided on officially in April 2016. Facebook’s situation really got into public view in March 2018.

In short, cookies and you are a very complicated relationship. Websites want to see they’re doing a good job, they need money, they want to make better content. But your privacy can be completely lost in the process.

We, little old us, use cookies all the time to see how our blog is doing. WordPress, which hosts our website, is using the cookies they’re already giving out to give you advertisements (which we don’t get any money from, FYI) and they let us see how things are doing. What are our most popular posts? What countries are people coming from? How many people stay and read more than one post? This is helpful for us to write better content. It means we didn’t have to pay very much to have our own website. It hopefully meant any ads you saw were better for you.

So full disclosure, here it is. Here is what we learn from the cookies we hand out:

  • Most of our audience is from the USA (but we have had traffic from 41 countries).
  • We’ve had 593 unique people visit who looked at 1,569 posts (so on average every person who comes looks at 2 posts).
  • Most of our traffic comes from search engines (Google) but some are coming from Facebook.

The visitor and view counts are just for May, by the way.

Our Internet Has Changed

The fee for not being GDPR compliant (and remember they only have to inform people of their rights, allow people to delete their own data, and protect your private information) is 20 million Euros or 4% of the company’s global revenue (whichever is higher). This is a steep fine but reasonable to keep some big companies (which bid your private information to the highest bidder) under control.

Some companies are just not doing it. So when we go to some websites they look like this now:

Tronc is a news agency that owns the Chicago Tribune, the Los Angeles Times, The San Diego Union-Tribune, the New York Daily News, the Hartford Courant, the Orlando Sentinel, Ft. Lauderdale’s Sun-Sentinel, and The Baltimore Sun. They don’t want to comply so they’re just blocking everything to everyone in the EU. When we go to these sites we see “Unfortunately, our website is currently unavailable in most European countries.” then a bunch of nonsense about how great their journalism is and that they’ll look into “technical compliance solutions.”

There is a big debate over whether they’re just trying to be red-blooded stubborn donkeys who won’t let Europe tell them what to do or whether they collect enough data (and sell it) that they couldn’t possibly comply with the GDPR. (See also, Facebook and Google getting hit with lawsuits and proposed fines on the FIRST DAY of GDPR with folks in the EU “seek[ing] to fine Facebook 3.9 billion and Google 3.7 billion euro.” On the FIRST DAY).

That’s all the average person really needs to know. We’ll have to see what happens with non-compliance, how they can even enforce it, and if we’ll ever get our data out of Facebook’s clutches (probably not).


One thought on “Spain Sunday: GDPR”

  1. Excellent post. I often wondered about the cost of an airline ticket increasing due to browsing alone. It’s astounding how quickly cookies are able to formulate an ad campaign!
