Slashdot Mirror


New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. GDPR, or General Data Protection Regulation, is a new user and data privacy regulation slated to come into effect in the EU three weeks from now, on May 25, 2018.

The new regulation brings a wealth of protections to user privacy but is a nightmare for companies doing business in Europe. The reasons are plenty, but the humongous fines for failing to meet GDPR standards are at the top of the list for most companies ($24 million or 4% of a company's annual worldwide revenue -- whichever is higher). There's also the 72-hour deadline to reveal data breaches and the necessity of hiring a so-called "Data Protection Officer." Plus, GDPR also mandates that companies must inform users on what data they collected about them, allow them to review the data, and even let users delete the data from the company's servers if they so wish.

57 of 553 comments

  1. Nothing "new" here by Dorianny · · Score: 5, Insightful

    Geofencing is not exactly a new concept. At least it is finally being used for good (privacy protection) rather than for evil (arbitrary geographical media blocking).

    1. Re:Nothing "new" here by OzPeter · · Score: 5, Insightful

      for good (privacy protection)

      Good is rather relative here: its purpose here is evading privacy protection.

      It's not so much evading privacy restrictions as locking out users for whom privacy protections have been mandated.

      If anything, you could use it as an indication to either do or refuse to do business with a company, based on what side of the GDPR fence you want to be on.

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Nothing "new" here by Anonymous Coward · · Score: 3, Insightful

      It is definitely good. A Mom and Pop shop in the states selling homemade soap can't afford to have a DPO or respond to GDPR letters from hell. As per the GDPR law, even if a place doesn't do business in the EU, if an EU resident visits a site, the site has to comply.

      Not every website is a multi-billion dollar operation that can spend the cash on this stuff.

      So, they get blocked. $9 a month is cheap insurance compared to running afoul of the EU.

    3. Re:Nothing "new" here by Anonymous Coward · · Score: 2, Insightful

      It's also totally unnecessary. Either:

      1. You do business in the EU, therefore you fall under EU jurisdiction and have to follow EU laws. This service will not help because you still need to follow GDPR to do business there.
      2. You do not do business in the EU, therefore you do not fall under EU jurisdiction and do not have to follow EU laws. This service will not help you because the EU can't touch you in order to enforce GDPR.

      They're selling snake oil.

    4. Re:Nothing "new" here by Anonymous Coward · · Score: 2

      Or maybe it's a strategy to avoid harsh fines and being forced to hire personnel to ensure compliance, just to serve a few internet users from the EU states who visit your website.

    5. Re:Nothing "new" here by mvdwege · · Score: 4, Insightful

      Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?

      This is the usual right-wing talking point about 'onerous regulation' and it is bullshit. It is not about the small businesses, unless they are merely a bait-and-switch operation trying to gain my data to sell it on to unscrupulous marketeers. It is about massive corporations that want to be free to pillage my life for their profits, and there is always an idiot falling for their 'but think of the poor small businessmen' shtick.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    6. Re:Nothing "new" here by Immerman · · Score: 2

      Not quite: its purpose is avoiding (not evading) the legal requirements for privacy protection, in the simplest, most direct way possible - by refusing service to those visitors whose privacy they would be required to protect.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    7. Re:Nothing "new" here by Mascot · · Score: 3, Insightful

      It is definitely good. A Mom and Pop shop in the states selling homemade soap can't afford to have a DPO

      Good thing they wouldn't need one, then. There are criteria for when you'd need one (e.g. your business is mass storage or processing of personal data), and the odds of a tiny shop meeting any of them would be extremely slim. Heck, we're a multinational company and we don't need one. For that matter, there's no requirement to _hire_ someone, it's a role that could be assigned to any employee with sufficient knowledge of privacy laws and best practice.

      if an EU resident visits a site, the site has to comply.

      Not quite. If your site collects personal data about an EU resident, the site has to comply. If your site does not collect personal data, GDPR does not apply.

    8. Re:Nothing "new" here by BronsCon · · Score: 3, Insightful

      even if a place doesn't do business in the EU, if an EU resident visits a site, the site has to comply.

      And they can kiss my ass as far as enforcement.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:Nothing "new" here by HornWumpus · · Score: 2

      Exactly, just don't have a presence in the EU and they can pound sand.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    10. Re:Nothing "new" here by HornWumpus · · Score: 2

      Unless you have a server or office in the EU, they don't have shit.

      The law should be ignored by all non-EU web sites.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    11. Re:Nothing "new" here by DarkOx · · Score: 2

      I see, because only big business should be able to profit from data. Smaller companies wouldn't like to be able to do things too, like, say, store your browsing history on the site to offer you discounts on products you looked at but did not buy, etc.

      Sorry, your rules are crappy barriers to entry and they are THE REASON THE RICH GET RICHER and nobody else gets a break.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    12. Re:Nothing "new" here by WoodstockJeff · · Score: 2, Insightful

      > Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?

      What about storing information on the products you purchased, so you can be notified if there are any recalls? What about storing information to prove that certain taxes have been paid? That's two items that fall under government requirements that also fall under GDPR, along with your billing and shipping information. "Giant evil corporation" and "Mom and Pop shop" both have to deal with them.

    13. Re:Nothing "new" here by Anonymous Coward · · Score: 3, Insightful

      and there is always an idiot falling for their 'but think of the poor small businessmen' shtick

      With any luck Slashdot will adopt this service and you will be cut off.

    14. Re:Nothing "new" here by lgw · · Score: 2

      If you're a mom-and-pop soap shop, you don't employ any technical people - there's Bob's cousin who's "good with computers" who made your web site a couple years back. You don't ship outside the US, but people from the EU might still visit your web site.

      This is indeed onerous regulation for a business at this scale. Geoblocking fixes it for you.

      Now if you're a mom-and-pop soap shop in the EU, you use a vendor who takes care of this shit for you, and you just hope you won't go to jail because you once threw out a mailing label without shredding it first. Sure, the regulation is still onerous, but you won't notice any more than a fish notices water.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    15. Re:Nothing "new" here by mvdwege · · Score: 4, Informative

      That canard again. IP address logging for the purposes of site operation has never fallen under EU privacy guidelines, unless that data is kept for longer than its intended purpose and used for data mining.

      Which is exactly the point of the GDPR: it says 'Don't do that and you'll be fine'. If you look at the FAQ you see that the GDPR does not cover this use of data.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    16. Re:Nothing "new" here by lgw · · Score: 2

      Generalization fail. The rich get richer because of regulatory capture - the more you regulate, the more the largest companies benefit, and the harder it is for the little guy to make good. Business regulation causes social immobility - it might still be worth it in some cases, but don't pretend the cost isn't real.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    17. Re:Nothing "new" here by rsborg · · Score: 3, Insightful

      Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?

      This is the usual right-wing talking point about 'onerous regulation' and it is bullshit. It is not about the small businesses, unless they are merely a bait-and-switch operation trying to gain my data to sell it on to unscrupulous marketeers. It is about massive corporations that want to be free to pillage my life for their profits, and there is always an idiot falling for their 'but think of the poor small businessmen' shtick.

      I think it was a pipe dream to think that GDPR would cause big corps to change how they do business in the US. It's clearly too profitable to let go of that sweet precious data.

      However, if there were such a small shop that inadvertently took customers (and their personal info for shipping or order fulfillment) from the EU and then got a GDPR request (perhaps automated by some legal-bot), they might be best positioned to just avoid those customers in the first place.

      --
      Make sure everyone's vote counts: Verified Voting
    18. Re:Nothing "new" here by Anonymous+Brave+Guy · · Score: 4, Informative

      Regulations have consequences.

      Yes, and the GDPR really does have significant uncertainty and cause disproportionate overheads for a lot of smaller businesses, charities, etc.

      This is the kind of thing that makes it difficult for you to pretend otherwise.

      Well, yes and no. The article here isn't great: it perpetuates a lot of myths and exaggerations. The specific blocking service mentioned has been heavily criticised in other forums already for trying to cash in on the fear while providing questionable protection.

      Anyone with two firing brain cells can anticipate that GDPR trolls will appear on day 1 to sue whomever has deep enough pockets to be worth suing.

      Unless they'd actually used those brain cells to read, in which case they'd know that the GDPR is going to be enforced primarily through government regulators, not personal legal actions. There are plenty of problems with it, but attracting ambulance-chasing lawyers isn't likely to be one of them.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    19. Re:Nothing "new" here by ScentCone · · Score: 2, Insightful

      Tell me, what of my personal data beyond billing and shipping data for my most recent order would a Mom and Pop shop need?

      So, a smaller company shouldn't be able to retain any information about which of their modest advertising expenditures resulted in which sales, and which search engine terms produced the traffic that led to the specific transactions that allow them to actually stay in business? The company's got no interest in retaining information when a customer or prospective customer uses a contact form to ask a question, or a chat tool to provide some guidance on a product? A business could easily do a million dollars' worth of sales a year and still have nowhere near the budget to build all of the tools the EU insists that the web site provide to anyone who's visited the web site.

      This is the usual right-wing talking point about 'onerous regulation' and it is bullshit.

      No, this is another person who's clearly never actually run a business spouting off out of ignorance, and deciding to throw a little bit of the usual vitriolic, unhinged politics in just because they can't say or do anything without dishing out some of that poison no matter what they're talking about.

      It is about massive corporations

      If it were, it would only apply to them. But it doesn't, which you know. So stop lying.

      This is about yet more leftist muscle-flexing from the land of we-still-haven't-figured-out-that-the-Nanny-State-crushes-people seeking to make every small business give up and turn all of their operations over to giant corporations that can be better micromanaged by EU bureaucrats who specialize in nest-feathering and empire building to preserve their non-productive careers.

      there is always an idiot falling for their 'but think of the poor small businessmen' shtick

      Yup, definitely someone who has exactly zero experience running a business. Even a mid-size one with dozens of employees. Please take your ignorance and spite into account and make sure you don't do anything dangerous to other people. Like, say, voting. You're not equipped for it by knowledge or disposition.

      --
      Don't disappoint your bird dog. Go to the range.
    20. Re:Nothing "new" here by mvdwege · · Score: 3, Informative

      RTFFAQ, this is not covered under "large scale systematic monitoring" or "large scale processing of sensitive personal data"

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    21. Re: Nothing "new" here by Anonymous Coward · · Score: 2, Insightful

      Simple as this, then. If I don't do business with Europe right now, I don't want to spend even a microsecond caring what their regulations say. Since the EU has announced that I must spend a microSD slot or more thinking about it or I could literally be sued into usury, I will find the cheapest and easiest way to deal with that.

      I will block the EU entirely. Seems cheaper and easier than even reading their document. After all, I need to be paid 15 dollars an hour to survive. And I bet their documents cost more than 30 minutes of my time.

      See, simple as that.

      Enjoy your circle jerk.

    22. Re:Nothing "new" here by Wrath0fb0b · · Score: 2

      Having run a very large scale service, I can say that my legitimate interest was "log as much as we have storage for" so I don't have to go in front of the bosses and say "things are failing but we don't log enough to know why". Of course, this is a defensive position -- I hope there are no issues and that my logs remain forever unreviewed. But if there is an issue, I can't predict ahead of time what information will be needed to diagnose and fix it.

      None of it was used for marketing purposes, and it was tightly controlled (engineering didn't even have the ability to search logs in production), but I couldn't guarantee its GDPR compliance. And I can't justify spending $50K on a legal review to have someone check.

    23. Re:Nothing "new" here by Anne+Thwacks · · Score: 2

      Good is rather relative here: its purpose here is evading privacy protection.

      No. Its purpose is avoiding having customers in the EU.

      Those of us in the EU have voted against having suppliers who know their business methods contravene the GDPR.

      This solution is a gigantic win for everyone involved!

      --
      Sent from my ASR33 using ASCII
    24. Re: Nothing "new" here by Anonymous Coward · · Score: 2, Funny

      Also being able to calculate helps in surviving.

      Option 1: Pay a service 9 dollars/month.
      Option 2: Use say 1 hour at a cost of 15 dollars.

      After two months actually reading would save you money.

    25. Re:Nothing "new" here by Sarten-X · · Score: 2

      If you look at the FAQ you see that the GDPR does not cover this use of data.

      Oh, let me just look at that...

      What constitutes personal data?

      Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from ... a computer IP address.

      Well, crap. Maybe I don't need to worry if it's just a log?

      Unfortunately, the actual text doesn't mention logs at all. Neither does it make any exemption for temporary storage, and it also doesn't actually define boundaries for what's "data mining", since it includes no mention of data mining at all. In fact, most of its restrictions are on the "processing" of personal data. Let's look at what that is:

      'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

      In other words, running grep on a log is processing. Looking at Article 6(1) and 6(4), the processing of an IP address (as any other personal data) requires either consent or official authorization... unless the personal data belongs to a child, in which case only official authorization will suffice, but there's very little I see here about what that actually entails.

      Now, the GDPR doesn't actually enact law itself; that's up to the Member States. Those laws could be better-written to allow reasonable things like a traffic log where the identifiable information is never intended to be resolved, but under the text of the GDPR, the laws could also be broad enough to forbid such things.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    26. Re:Nothing "new" here by LynnwoodRooster · · Score: 2

      From your link:

      What constitutes personal data?
      Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

      So that mom-and-pop shop with your name or e-mail address is completely subject to these regulations. I guess we cannot keep tracking numbers, invoice records, etc.

      Of course, Mr. IRS (or your country's equivalent) doesn't look kindly on NOT having records of where the money came from, especially if they're a repeat or larger customer. I'm sure Mr. IRS will waive any and all actions on me if I say "I make everything a 100% cash sale and a 100% cash purchase so I do not store any data and do not fall afoul of the GDPR; trust me that this is the right amount of money coming in and out and it wasn't gathered/used for nefarious means".

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    27. Re:Nothing "new" here by LynnwoodRooster · · Score: 2

      It turns out, return sales are higher than new sales. Customers who have already bought from us like to buy again - because they already know what they're getting. Did it ever occur to you that you could simply opt out at the beginning, or at any subsequent e-mail (and that is an option we offer)? But either way - I now have a big set of EU regulations about how I control/use/store/analyze my data because of - why?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    28. Re: Nothing "new" here by Anonymous Coward · · Score: 2, Interesting

      Thing is, that "letter from GDPR hell" would take less than ten minutes for a mom and pop to complete accurately, _if_ the organisation is in compliance with _current_ law.
      Of course, if the organisation isn't currently in compliance with the law.

    29. Re:Nothing "new" here by Phillip2 · · Score: 2

      You don't need to hire a data protection officer whatever the abstract says. You need to have some one designated in this role; it's like someone has to be responsible for safety, someone has to be responsible for first aid. A large company may well have a specific person whose job is only to do this, but most don't.

    30. Re: Nothing "new" here by Anonymous Coward · · Score: 2, Interesting

      For most companies, especially small "mom and pop" stores GDPR compliance is trivial.
      All you need to do is
      * Store no more data than you need
      * Decent password encryption
      * Have a data deletion policy
      * Don't send marketing emails to anyone that you can't prove agreed to receive them (basically log ticking an opt-in box)
      * Designate someone to be responsible for replying to data requests

      If you'd rather pay for a service to block EU users than fulfill that, I don't want you having my data. The companies that it's expensive for are the ones that have large amounts of user data, your Facebook, Google etc.

    31. Re:Nothing "new" here by Sarten-X · · Score: 2

      To address your points in reverse order:

      So this is not "every piece of personal data is forbidden". That is a huge misconception.

      Certainly not "forbidden" by the regulation, but in practice. If I go tell my manager "our server logs have IP addresses", he's not going to launch an inquiry into whether that personal data can be combined with anything else, and he's not going to let me get fully-encrypted storage for our highly-sensitive logs. He's going to say "get rid of them".

      Practically, he doesn't have a choice. Keeping the personal data means our lowly web servers are now a focus for compliance, which means even if we do nothing else, we have to have additional process reviews, audits, staffing for those audits... His choices are either a nebulous expense for compliance, or turn off logging and hope the troubleshooting is the less-expensive option.

      Also, some kind of personal data are more sensitive and given special status.

      While that's true, the GDPR doesn't really distinguish different sensitivity levels. Rather, the GDPR considers even weakly-identifiable information (like an IP address in a webserver log) as still being "personal data", and if it can be combined with anything else (like by correlating timestamps to database entries) in the enterprise to produce an identity, it has to be treated like it's all directly identifiable. Despite it being a data-handling best practice for many years, there is no concept of a "Chinese wall" screening information from different processes.

      The huge problem arises when you gather a shit-load of information on people that you really don't need and start data mining that.

      In the GDPR text, there is no distinction between "data mining" and any other kind of "processing" on stored data. There is also no limit on scale. If I have a comment form on a website that asks for a name, and that's stored in a database, I am collecting and processing personal data.

      That's pretty much my complaint about every part of this thing. It's horribly vague, to the point that normal daily operations become regulated activities. It'd be fine if the "processing" definition had a limit on it like "any operation... for the purpose of inferring more information about the data subject", but there's no such thing. That would arguably cover any data mining or user-tracking process, but leave an exemption for basic things like logging or mostly-anonymous interaction.

      Ah, no. The Member States can have their own laws that are stricter if they want, however they cannot make laws that nullify the GDPR or parts of it. But unless they have a law of their own, the GDPR is in effect. That is why the new GDPR is a regulation rather than a directive (which the GDPR was replacing).

      I understand that. To clarify, I'm hopeful that the laws are more clear than the GDPR, defining "personal data" and "processing" with a bit more restraint, and allowing for isolation practices. Such things could be written carefully to avoid actually contradicting the GDPR, again mostly because the GDPR just blissfully ignores such concepts entirely.

      --
      You do not have a moral or legal right to do absolutely anything you want.
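Several comments in this thread (mvdwege on IP logging for site operation, Wrath0fb0b on "log as much as we have storage for", and Sarten-X on a manager who would rather turn logging off than treat web-server logs as personal data) circle the same practical question: how to keep logs useful for troubleshooting while not retaining identifiable IP addresses longer than that purpose needs. The following is an added example, written for this page and not code from any commenter or from the GDPR Shield service. It shows two common mitigations applied at log-ingestion time: irreversible prefix truncation (/24 for IPv4, /48 for IPv6), and keyed pseudonymization under a per-day key so that one visitor's requests stay correlatable within a day's troubleshooting window and become unlinkable once that key is discarded. The log lines, the master secret and the `daily_key` key schedule are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample access-log lines (Common Log Format); the addresses are
# from documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /soap/lavender HTTP/1.1" 200 5123
2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "POST /contact HTTP/1.1" 302 0
198.51.100.7 - - [10/May/2018:13:55:40 +0000] "GET /cart HTTP/1.1" 500 0
- - - [10/May/2018:13:55:41 +0000] "GET /health HTTP/1.1" 200 2
"""

# The client address is the first whitespace-delimited field of each line.
CLIENT_IP_RE = re.compile(r"^(\S+)")


def truncate_ip(ip_str, v4_prefix=24, v6_prefix=48):
    """Coarsen an address to its network prefix (/24 for IPv4, /48 for IPv6).

    Irreversible: the host part is discarded, so a line no longer singles out
    one visitor, but a misbehaving network is still recognisable.
    """
    addr = ipaddress.ip_address(ip_str)  # raises ValueError for non-addresses
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def daily_key(master_secret, day_iso):
    """Derive a per-day key from a master secret (hypothetical key schedule;
    day_iso is a "YYYY-MM-DD" string)."""
    return hmac.new(master_secret, day_iso.encode(), hashlib.sha256).digest()


def pseudonymize_ip(ip_str, key):
    """Keyed hash of the address.

    One visitor's requests stay correlatable for as long as `key` is kept;
    once the day's key is deleted the pseudonyms cannot be mapped back.
    """
    ipaddress.ip_address(ip_str)  # reject non-address tokens such as "-"
    digest = hmac.new(key, ip_str.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def scrub_line(line, key=None):
    """Replace the client field: pseudonymize when a key is given, else truncate."""
    m = CLIENT_IP_RE.match(line)
    if not m:
        return line
    try:
        token = m.group(1)
        replacement = pseudonymize_ip(token, key) if key else truncate_ip(token)
    except ValueError:
        return line  # not an IP literal (e.g. "-"), leave the line untouched
    return replacement + line[m.end(1):]


def scrub_log(text, key=None):
    """Scrub every line of a log text; the rest of each line is preserved."""
    return "\n".join(scrub_line(line, key) for line in text.splitlines())


if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG))
    today_key = daily_key(b"example-master-secret", "2018-05-10")
    print(scrub_log(SAMPLE_LOG, key=today_key))
```

Truncation is the simpler choice when nobody needs to follow a single client across requests; keyed pseudonymization keeps that ability for the life of the key, and deleting the daily key is what bounds the retention, so the key schedule needs the same care as the logs themselves.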
  2. Seems like the right reasons to me by ranton · · Score: 2, Insightful

    A new service called GDPR Shield made the rounds last week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance.

    This is just the type of service you would hope exists to make sure citizens can decide what levels of privacy they want and companies can decide what level of privacy they are willing to provide. For some time now we will see many stories of companies improving their privacy, companies pulling out of the EU market, and companies being fined by the EU. All are good and expected outcomes of rules such as the GDPR.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    1. Re:Seems like the right reasons to me by Archangel+Michael · · Score: 2, Insightful

      They aren't all "good and expected outcomes". Good being subjective. Being fined into oblivion for being on the web by an entity that you have never had interaction with, should be problematic for everyone.

      Compliance within tyranny is always "expected", and rarely all that "good".

      I run a website with worldwide audience. I've also never been to Europe. Tell me why I should comply or face fines to a jurisdiction I've never been to?

      No, there is nothing good about any of this, even if the goal is admirable.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Seems like the right reasons to me by ranton · · Score: 3, Insightful

      I run a website with worldwide audience. I've also never been to Europe. Tell me why I should comply or face fines to a jurisdiction I've never been to?

      You are servicing their citizens while they reside in their country, so you should follow their laws. Just because the Internet makes it so easy to reach those customers doesn't mean you should be able to ignore their laws.

      --
      -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    3. Re:Seems like the right reasons to me by Archangel+Michael · · Score: 3, Insightful

      Okay, so what you're saying is that in a worldwide economy, I have to comply with often mutually exclusive rules and laws. I must do this in this jurisdiction, and I am forbidden to do the same thing in another. Good one.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. GDPR will fragment the internet by xack · · Score: 2

    Just like China has their own websites that comply with the great firewall we will have a world where large chunks of the internet will be GDPR walled. I expect most US companies will find it more profitable to block than comply.

    1. Re:GDPR will fragment the internet by JaredOfEuropa · · Score: 3, Insightful

      It depends on how onerous the GDPR really is. The biggest one is the requirement to have a Data Protection Officer, but this is required "only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences." For the rest it is pretty basic stuff: you need to be aware of the rules, and prepared to take action e.g. in case of a data leak. A lot of it really is common sense stuff, that is if you're a conscientious operator.

      The big companies will have no trouble complying, paying lip service or working around the rules. The smaller companies might at first decide to forget about Europe. This happened with a couple of smaller service providers when the EU VAT rules were changed: I got a few notices that such-and-such company was no longer able to provide their service in Europe. However they probably looked at the amount of business they were getting from Europe, had another look at the rules and found them not that hard to comply with, and removed the block.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  4. Re:Thousands, try millions. by FictionPimp · · Score: 5, Informative

    We didn't find much trouble in compliance. Sure we had to write a few policies and work out a procedure for exporting and deleting data from our systems. We did not spend even 25k in work to pull this off. It was fairly trivial for companies that don't make a product out of consumers.

  5. Good by houghi · · Score: 5, Interesting

    The way I see it as a European, it will mean that they were selling my data anyway, so that means they won't do that anymore. It also means they will not be able to do that for any of the other 350+MM Europeans.

    This was also the intended reason for the law. It is as if Europe is saying "You are not allowed to take our data" and these websites are saying "Well, if that is the case, as punishment, we are not going to take your data."

    --
    Don't fight for your country, if your country does not fight for you.
  6. Re:EU needs to be careful... by religionofpeas · · Score: 5, Insightful

    As a EU resident, I don't mind if companies are choosing to block EU if they can't comply with privacy rules. I'd rather not do business with those companies.

  7. Re:EU needs to be careful... by lucasnate1 · · Score: 2

    I actually want this to happen. Forks are good at times and allow for improvements. Maybe the European internet can create something better than the American one.

  8. Nothing Wrong- It's for all the right reasons by PhYrE2k2 · · Score: 2

    This is for all the right reasons and there is nothing wrong with it.

    Many businesses don't target foreign visitors, but get them anyway. Websites target local content (small businesses, retail locations, etc) that really gain no monetary benefit in showing their products to EU customers. Why deal with any compliance?

    Keeping up with the laws of hundreds of foreign countries (and the states/provinces within them) is a full-time job. It's also very technical. A business in Canada or USA or any other country can either study EU legislation and adjust their web site for no real benefit (avoiding the risk of hefty fines) or just block the EU and move on with life.

    Until countries unify their data protection and online laws for the greater good of society as a whole, this is the new state of the Internet. Focus on your own markets which makes you money, block everyone else. Saves risking non-compliance with foreign laws.

    --
    when you see the word 'Linux', drink!
  9. Let me correct some details on the GDPR by Qbertino · · Score: 5, Informative

    Disclaimer: I've worked myself into GDPR details to shape my employer up for it.

    GP is a little off on some details.

    You have to *name* a Data Protection Officer. This can be anybody empowered to check compliance. Usually this is done by some administrative or IT specialist. Germany has had this for decades. No need for an extra hire.

    You don't have to spend thousands or millions. You just need to have a proper setup and due diligence in place. The new thing is that you need to document procedures in a standardized manner. The big difference from the law that came in on 25.4.2018 is that someone could only sue you if he was damaged and only if he could prove a data breach of critical personal data. The fines up to this point also were laughable.

    Now anyone involved, including customers, can ask how data is handled and the authorities and others have the right to review documentation of your SOPs for data protection. Also you're in for big trouble with massive fines (up to 4% of global annual revenue) if you're careless with data and aren't willing to comply with the GDPR.

    In short: If you have your IT in order GDPR compliance isn't that much of a big deal.
    Documentation is, but compliance is not.

    If however your IT is shit, then you're in for trouble if they come for you. Big time.
    Since they *will* eventually come for you *and* most companies (online *and* brick and mortar) IT setups are somewhere between disorganized shite and abysmal, companies would rather opt out than go through the hassle of complying. Which means only companies with proper procedures and due diligence in their IT will remain doing business in the EU. ... Can't really complain about that actually.

    Thus endeth some real-world details on GDPR.
    You're welcome.

    --
    We suffer more in our imagination than in reality. - Seneca
  10. Wrong reasons? by Sloppy · · Score: 2

    While trusting users to load and execute Javascript is hopelessly naive (any company relying on this to avoid huge fines, is about to pay some huge fines) how is wanting to avoid huge fines the "wrong reasons?"

    This is shockingly stupid implementation, not stupid motivation.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Wrong reasons? by sinij · · Score: 2

      While trusting users to load and execute Javascript is hopelessly naive

      I don't think this is meant to be a working technical solution, rather a legal solution. That is, it isn't conceptually different from "Warning, explicit content. Are you at least 18 years of age?". As a web master you are not actually interested in blocking anyone from accessing your site, so it is only minimum sufficient effort to satisfy legal requirements.

  11. Brilliant idea by gurps_npc · · Score: 4, Insightful

    If you don't want to have to deal with the laws of a certain country, you should have the right to not do business inside that country.

    Of course, that leaves a big underserved market. In less than 4 years someone will come along and serve them, while abiding by the laws they hate.

    Which could very well lead to those companies losing world wide market share as those new, privacy-conscious companies expand out of their underserved market into the general world wide marketplace.

    As for the laws they are trying to avoid? We need them in our country.

    --
    excitingthingstodo.blogspot.com
  12. Re:Thousands, try millions. by Fringe · · Score: 2

    The trouble is, actually being in compliance isn't enough. You have to be able to afford the lawyers to defend against the accusations, even when they're completely invalid. All you've done is reduce your risk; you haven't eliminated it.

  13. Re:Thousands, try millions. by mvdwege · · Score: 3, Informative

    A one person shop does not need a DPO:

    Does my business need to appoint a Data Protection Officer (DPO)?

    DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn't fall into one of these categories, then you do not need to appoint a DPO.

    (Source: GDPR FAQ)

    Unless that one person shop does engage in large scale processing of sensitive personal data, of course, but then they either have enough revenue to afford a DPO, or they are a shady 'ethicul biznizman' (aka spammer).

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  14. Re:Right reasons by Immerman · · Score: 2

    Yep. Now we can only hope that more markets follow in their footsteps and make it impossible for such sites to stay in business at all. It's not like compliance is hard - just stop recording information about your visitors. Unless of course your business model depends on spying on your visitors, in which case good riddance.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  15. Re:EU needs to be careful... by Immerman · · Score: 3, Insightful

    If the short-bus version actually respects people's privacy instead of spying on visitors, then maybe we need more short buses.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  16. Re: Why would an American site need to block GDPR? by reanjr · · Score: 2

    Not necessarily. Treaties and a general good relationship with the EU means they could have US courts enforce judgment. Currently, the US is not under treaty to enforce the GDPR, but that could easily change.

  17. **note - they don't have to be sitting in the EU by btroy · · Score: 4, Informative

    People you do business with don't have to be sitting in the EU when they visit your site for you to be liable.

    An EU citizen sitting in Starbucks in the US is equally as protected as if they were sitting in France.

    Also, if you stored the shipping label to let's say...send them a package to their vacation home in Iowa, you're still liable ... as long as they are EU citizens.

    If all you do is Geo-fence, you're already not going to make it.

  18. Re:**note - they don't have to be sitting in the E by Brett+Buck · · Score: 2, Interesting

    They aren't protected AT ALL. Unless you want to try to invade the US to enforce your rules, you can call all the cops you want, file some diplomatic grievances, quote some EU law, and they will laugh at you.

    EU people are always on about the US trying to police the world. Well, this is the EU trying to enforce their laws globally. We tell the Chinese to piss off and they have *real* power. The EU is a bunch of backwater corruptocrats trying to replicate the USSR who have no power whatsoever, and depend on us for both endless streams of money and for subsidizing their defense (in some cases because we don't trust them to have any power themselves, Germany being a repeat offender). You have NO control and the people that are currently paying their fines are doing it semi-voluntarily - it's extortion and designed to be.

    If push comes to shove, US companies will tell you to piss off and there's not one damn thing you can do about it.

  19. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  20. Not completely effective by MrDiablerie · · Score: 2

    While you can block based on IP, this doesn't address EU citizens living abroad in non-EU countries like the US. GDPR applies to all EU citizens regardless of location.
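    The two technical points raised in this thread, that a client-side JavaScript gate (comment 10) is not a control because the visitor decides whether to run it, and that an IP-based fence (comment 20) only tells you where the packet came from rather than who the visitor is, can be made concrete with a server-side check. The following is an added example, not code from any commenter or from the GDPR Shield service; the CIDR prefixes are constructed placeholders, not real EU allocations, and the `trusted_proxy` flag is an assumed deployment setting.

```python
import ipaddress

# Constructed sample prefixes standing in for an EU geo-IP list.
# A real deployment would load a maintained geolocation database instead.
EU_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]


def client_ip(remote_addr, forwarded_for=None, trusted_proxy=False):
    """Pick the address to evaluate.

    X-Forwarded-For is honoured only when the request arrived through a proxy
    we control (assumed deployment flag); otherwise the header is supplied by
    the client and must be ignored, or the fence is trivially bypassed.
    """
    if trusted_proxy and forwarded_for:
        # Leftmost entry is the original client as recorded by our proxy chain.
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def is_eu_address(addr):
    """Return True/False for a parsable address, None if it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in EU_PREFIXES)


def geofence_decision(remote_addr, forwarded_for=None, trusted_proxy=False):
    """Server-side verdict: 'block' or 'allow'.

    This evaluates network origin only. It says nothing about the visitor's
    citizenship or residence, which is exactly the gap comment 20 describes.
    Unparsable input fails closed rather than letting the request through.
    """
    verdict = is_eu_address(client_ip(remote_addr, forwarded_for, trusted_proxy))
    if verdict is None:
        return "block"
    return "block" if verdict else "allow"


if __name__ == "__main__":
    # A forged X-Forwarded-For from an untrusted source changes nothing.
    print(geofence_decision("198.51.100.9", forwarded_for="203.0.113.7"))
    # The same header from our own proxy is used.
    print(geofence_decision("198.51.100.9", forwarded_for="203.0.113.7", trusted_proxy=True))
```

    Because the decision runs on the server, a visitor who disables scripts cannot skip it the way they can skip an embedded JavaScript gate; the remaining weakness is the one the thread already names, that an address tells you nothing about whose data you are about to process.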

  21. Re:**note - they don't have to be sitting in the E by bsolar · · Score: 2

    The point is that geo-fencing is a misguided attempt to avoid liability since a user can be outside the EU and still be protected by the law.

    You argue that the law might be unenforceable for companies not having a legal presence in the EU, but assuming this to be correct, it makes the geo-fencing even more useless: why geo-fence away users when by your assumption you can ignore EU liabilities anyway?