Critters website unsubscribes EU Members

[mosaix]

Just had an email from the critters website saying that members in the EU are being unsubscribed because of the GDPR legislation.

They say it’s too complicated to understand and implement and can’t take the risk of a high fine.

 

[Jo Zebedee]

Just had an email from the critters website saying that members in the EU are being unsubscribed because of the GDPR legislation.

They say it’s too complicated to understand and implement and can’t take the risk of a high fine.

That’s crazy. It’s not that hard to implement

 

[mosaix]

That’s crazy. It’s not that hard to implement

Just what I thought. Accidentally I haven’t been removed I might reply and explain. But most EU members have already gone, apparently.

 

[Onyx]

I hadn't heard about this, so I went to the GDPR website. Not only could I not understand exactly what they were talking about, there is no clear implementation rules. I can't see how a small forum created with off the shelf software by an individual could know if they are in compliance without hiring services that there is no budget for.

This may not be the intent, but if you have "members" it sure looks like you have to create an extensive infrastructure to comply with the the GDPR. If that's not the case, that sure isn't the way it looks reading the FAQ.

I work at a tiny ecommerce company. We keep customer's addresses on file and ordering history. I have no idea if we comply, and I doubt the GDPR has a staff large enough to help us figure it out.

 

[AlexH]

Stupid EU, although I agree with the sentiment behind GDPR. Perhaps one of the few good things about about the UK leaving the EU is we'll be able to rejoin Critters!

A great (non-writing) mailing list shut down a couple of days ago prompted by GDPR. There are probably many more I'm not aware of.

 

[Jo Zebedee]

I hadn't heard about this, so I went to the GDPR website. Not only could I not understand exactly what they were talking about, there is no clear implementation rules. I can't see how a small forum created with off the shelf software by an individual could know if they are in compliance without hiring services that there is no budget for.

This may not be the intent, but if you have "members" it sure looks like you have to create an extensive infrastructure to comply with the the GDPR. If that's not the case, that sure isn't the way it looks reading the FAQ.

I work at a tiny ecommerce company. We keep customer's addresses on file and ordering history. I have no idea if we comply, and I doubt the GDPR has a staff large enough to help us figure it out.

Yeah - their site isn’t helpful. But there have been boiled down ones and, basically, they need a privacy statement and to ensure they only hold the data for the purposes stated within that statement.

 

[CTRandall]

There's a lot of legalese on the websites but it's actually pretty straightforward: make a database of customer/member information you hold (a simple spread sheet will do), inform them how you use their info (sending out a mass email will do) and keep the data secure. If you're sending advertising to people or sharing their info with third parties, it gets more complicated but, for most non-commercial/hobbyist-type things, it's not hard at all. It's pretty wimpy for professional sites to be whining abput this.

I'm glad that someone is trying to put a little control back into personal data.

 

[sknox]

That "keep the data secure" is probably the sticking point. Since major corporations and governments with high-powered IT departments appear unable to do this, I can see why a small-time operator might think his hobby isn't worth the risk.

 

[RJM Corbet]

There's a lot of legalese on the websites but it's actually pretty straightforward: make a database of customer/member information you hold (a simple spread sheet will do), inform them how you use their info (sending out a mass email will do) and keep the data secure. If you're sending advertising to people or sharing their info with third parties, it gets more complicated but, for most non-commercial/hobbyist-type things, it's not hard at all. It's pretty wimpy for professional sites to be whining abput this.

I'm glad that someone is trying to put a little control back into personal data.

Me too. All these companies are now compelled to tell us with whom.they are sharing our details, and offering us the option to block that. I took the trouble to look through the yahoo stuff. Without wishing to exaggerate, it appears Yahoo was allowing my details to circulate around 2500 other organisations, of which around 80% are not 'registered' to whatever required standard of data handling. Presumably there was no guarantee all these would not circulate my details to others.

After much ferreting around, toggling hundreds of switches, I eventually stumbled upon one single toggle enabling me to.opt out from all of them. So I did, lol.

But there were about five 'walled' organisations I could not opt out from.

 

[awesomesauce]

I don't think Critters is in any danger. Even if someone were to make a complaint, my understanding is that the EU intends to work with small businesses and organizations and to help bring them into compliance. They don't expect perfection.

Data regulator will not make example of small businesses over GDPR

 

[awesomesauce]

That "keep the data secure" is probably the sticking point. Since major corporations and governments with high-powered IT departments appear unable to do this, I can see why a small-time operator might think his hobby isn't worth the risk.

A little common sense goes a long way. Take reasonable security precautions like making sure security patches are up to date, encrypting your backups, etc. People aren't going to get fined because there was a breach where other people's data is taken, just like people don't get arrested if someone breaks into your watch repair business and steals other people's watches. Though if you had no alarm system and left the door wide open when you went home for the night, and you kept no inventory of what watches you had, and didn't bother to notify the owners they were stolen, you might have some issues.

 

[Onyx]

I wonder how a EU organization can have jurisdiction on a website outside the EU?

 

[awesomesauce]

I wonder how a EU organization can have jurisdiction on a website outside the EU?

International agreements and treaties.

 

[Onyx]

International agreements and treaties.

So someone using an anonymous yahoo address signs up on some social website in the US, gets data collected and then receives marketing at that anonymous email, and the US site is liable to the EU government?

That's like getting prosecuted because you took a trip to Amesterdam and smoked pot while you were there.

 

[awesomesauce]

So someone using an anonymous yahoo address signs up on some social website in the US, gets data collected and then receives marketing at that anonymous email, and the US site is liable to the EU government?

That's like getting prosecuted because you took a trip to Amesterdam and smoked pot while you were there.

I don't understand what argument you are trying to make with that response, maybe you could expand or clarify? An email address isn't considered anonymous under the GDPR, unless it's a generic business address, like "sales@widgets.com" it should be treated as personal data.

As a counterpoint to your original post,
Why do European businesses comply with US CAN-SPAM legislation?

 

[Brian G Turner]

Well, anyone from Critters is welcome here, especially if they focus on science fiction and fantasy.

As for the GDPR - there's been a lot of fear mongering about that, but I struggle to recall a single story of any company being prosecuted for not displaying the cookie warning that was mandated a few years ago. I doubt there'll be a big rush to prosecute small businesses over GDPR compliance.

 

[Onyx]

I don't understand what argument you are trying to make with that response, maybe you could expand or clarify? An email address isn't considered anonymous under the GDPR, unless it's a generic business address, like "sales@widgets.com" it should be treated as personal data.

As a counterpoint to your original post,
Why do European businesses comply with US CAN-SPAM legislation?

The problem is that a website is cheap, as is an ebusiness. Giving a foreign power to penalize any website owner in another country because that power has citizens that chose to sign up to that website seems crazy. It is defacto extraterritoriality. It is hard enough for a small business to track all of the local and national regulations, but now they have to be aware of and follow foreign country's regulations?

Imagine if Russia had a law that you can't say "babushka" to a Russian citizen. Then a Russian called you and got you to say that word on the phone. Would it be reasonable if you were fined 1 million rubles for violating a Russian law while on the phone in your home country?

Critters dumping EU citizens seems like a reasonable precaution against a foreign power that has enormous reach but no responsibility to assist in compliance.

As for the GDPR - there's been a lot of fear mongering about that, but I struggle to recall a single story of any company being prosecuted for not displaying the cookie warning that was mandated a few years ago. I doubt there'll be a big rush to prosecute small businesses over GDPR compliance.

Unfortunately, this is the kind of thing that is true until some government wants to put pressure on an unpopular business or individual. Then the exceptions come out.

 

[awesomesauce]

As for the GDPR - there's been a lot of fear mongering about that

Mostly, I've noted, from companies who are creepy with our data; lots of clickbait media sites seem like their design is centered around ALL THE TRACKERS. Then there are the ones selling GDPR compliance solutions.

 

[thaddeus6th]

Randall, I suspect most people agree with the sentiment, the problem is the cackhanded and seemingly confusing/overbearing execution of it. When the EU decided to try and get more tax from Amazon etc, they rejigged VAT in such a stupid way it cracked down on microbusinesses who, fearing fines/prosecution for not complying and unable/unwilling to deal with the red tape, either closed or shifted their business from their own sites to market websites. Like Amazon.

A similar piece of idiocy is going through the EU pipeline regarding old books (I think 150 or 250 years is classed as 'old'). Basically it's introducing much red tape for genuine businesses because they're worried about ISIS flogging stolen antiquities (which is a legitimate concern). However, real businesses are very up in arms about it (I'm acquainted with someone who runs such a business) whereas Terrorist McMurderscum, who is content to commit atrocities, is unlikely to dither when faced with the decision of lying on a form or not (or even just smuggling to start with).

In a few weeks, the EU's also going to try and bring in a link tax on the internet. Which sounds thoroughly demented.

 

[awesomesauce]

The problem is that a website is cheap, as is an ebusiness. Giving a foreign power to penalize any website owner in another country because that power has citizens that chose to sign up to that website seems crazy. It is defacto extraterritoriality. It is hard enough for a small business to track all of the local and national regulations, but now they have to be aware of and follow foreign country's regulations?

Imagine if Russia had a law that you can't say "babushka" to a Russian citizen. Then a Russian called you and got you to say that word on the phone. Would it be reasonable if you were fined 1 million rubles for violating a Russian law while on the phone in your home country?

Critters dumping EU citizens seems like a reasonable precaution against a foreign power that has enormous reach but no responsibility to assist in compliance.

I guess this is going to sound harsh but...

1. I see no indication that the EU has any intention of persecuting American small business owners, or any small business owners. The GDPR is, if anything, a legislative response to the data harvesting practices and use by mostly huge foreign companies of our citizens.

2. Personal data is a commodity. As an EU citizen, my opinion is if you want to extract that data from EU citizens, then you comply with our rules for handling it. Just like if you wanted to mine minerals, you'd have to compIy with local laws governing the extraction and handling of the resource. If you don't want to do that, then don't harvest data from EU citizens. I have no issues with sites region blocking us; they've had two years to get compliant. If they chose not to, it's hardly the EU's fault. (So sorry your targeted ad program for offering sub-prime loans at extortionate rates to low-income demographics is going to suffer. What a shame. )