How can Santa keep his lists when GDPR is around?

For my non-European readers, here is an excerpt of what GDPR means (emphasis mine):

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third-parties or outside of the EU.

I haven’t been notified by Santa and/or his elves that he is collecting data about me. And mind you: my name and surname are my personal data, not to mention data on whether I have been good or naughty.

Moreover, Santa also needs my full address to deliver my presents, and again, that is also my personal data.

I haven’t been notified by Santa whether he is updating his Privacy Policy, so my assumption is that Santa stopped collecting these data, at least for Europeans.

Does it mean that Santa is delivering me nothing this Christmas? If there is any way around this, can you please tell me what it is and how Santa can deliver me presents while still being compliant with the GDPR regulation?

Please assume I haven’t been naughty.

Publishers Haven’t Realized Just How Big a Deal GDPR is

On May 25, 2018, the new EU General Data Protection Regulation (better known as GDPR) comes into effect, and I’m quite worried about how this will impact publishers because most don’t seem to be even close to compliant.

.. What I’m not seeing, however, is any real change to the way publishers use data, the business models they have that rely on data, or any consideration as to what impact this will have on their editorial strategies.

.. What people are reacting to is not just what Facebook is doing, but how every publisher is using a very large number of 3rd party trackers, where neither the publisher nor the reader has any control over what is actually happening with this data.

.. Think about how people are using services like Snapchat, Instagram Stories, or Twitch live streaming … all services that, by default, delete what you have posted so that it can’t be turned into a privacy violation later.

.. If you then, as a publisher, just implement GDPR by taking advantage of all the exceptions or loopholes, so that you continue to load 38 trackers into your site and do it like it’s all ‘business as usual’, you will be fighting against this trend.

In other words, you become the bad guy.

.. Companies like Google and Facebook are perhaps those who have benefited the most from being able to collect data from multiple sources, so you would think that they would do everything they can to try to use every loophole GDPR has.

What we are seeing, however, is a very different outcome.

Let me just remind you of the basic principles of GDPR in a simplified way:

  1. Everything must be consent based.
  2. You can only collect what is adequate, necessary, and not excessive in relation to the specific service you offer.
  3. People have the right to transparency.
  4. People have the right to be forgotten.
  5. IP addresses are also considered to be personal information.

.. But think about this in relation to a new visitor. Someone that you have no prior relationship with (a first time visitor). What data can you actually collect and use for that person?

The answer is … nothing!

.. The reason is that a first time visitor hasn’t done anything that could be considered consent, so you have nothing to work with.

I don’t think publishers realize just what this means.

Essentially, it means that you can’t load any 3rd party service into your site. You can’t load advertising from your ad partners (via their scripts), you can’t add social widgets, you can’t add a quiz to your articles that is using some 3rd party service.

.. when Google looked at GDPR they basically came to the conclusion that there was no way around it without resulting in lengthy and likely very expensive legal fights. Fights that they would be attacked with in the press, that would also cause a drop in trust from their users.

So, Google has come to the same conclusion that I have, which is that they can’t do anything until you have given them consent. And, as a result, Google has now implemented a system so that when you visit them, you are presented with a box that looks like this:

.. So, Google is trying to get ahead of this by just getting rid of the problem altogether.

It’s the same with Facebook. They too are moving to a consent based baseline for how they do everything. And, they are also stopping their practice of buying personal data from data brokers.