Assuming you actually do something with your user's data -- and virtually every online business does -- then I think it is true that GDPR comes into play as soon as you have a single EU user. How you market the service is no longer relevant.
I wish it were as easy as saying the law doesn't apply if your business doesn't target EU business. Unfortunately I don't actually think it's possible to escape GDPR. Even refusing to serve all EU IP Addresses wouldn't be completely effective.
I'm sure lots of companies view this as an opportunity. Especially the big ones with experience with compliance issues, in-house counsel, etc. It's going to be tougher on the small guy.
They're responsible for whatever user monitoring their third-party ecommerce platform does, right? All the ones I've seen process and retain user data. And maybe their web analytics, A/B testing, email newsletter tracking, etc.
If your point is that static brochureware sites that don't target EU members at all and don't do anything interesting on the web probably don't have much to worry about... then I agree, but I don't think that's very insightful.
Your earlier comment said that GDPR required "at least some active targeting of EU users." But a less contrived example, say a US-based SaaS that accepts credit card payments, probably needs to be very worried about GDPR even with absolutely no active targeting of EU users.
I think very few people here are trolling. I'm certainly not. And I think it's unkind to attribute malice to those who are confused or merely disagree.
> We just assume most people will be decent/"reasonable" in implementing it, and if not, there's the sanctions.
My definition of "reasonable" isn't the same as that of European regulators. I know this because I don't consider IP Address to be PII. Luckily for me on this particular point the GDPR is explicit in saying that it is. If I were left to define PII myself though, I could well have opened myself to regulatory action as IP Addresses were logged and shared incidentally with third parties in many places.
I think this style of writing laws gives way, way too much power to regulators. Particularly for companies with no physical EU presence and thus no way to vote or have any say in how the regulators work.
I think very few online businesses will be fully 100% compliant with every provision of the GDPR and all it's current and future interpretations. So we need to just hope and trust that all the regulators in all the Union countries won't punish anyone who doesn't really deserve it. That's not a good situation.
> So what's the minimum period you absolutely need that data/those logs/those backups for?
There is no answer to this question. Strictly speaking I don't need any backups or logs. I've also, rarely, encountered subtle data corruption bugs in the wild where having backups that go back months was critical and the more the better.
Correct me if I'm wrong, but I think that changes as soon as you have one paying customer located in the EU (even if you were not specifically targeting the EU).
I would guess most people selling something on the internet have at least some small percentage of customers in the EU.
The fact that there's so much confusion suggests that it is not that easy to understand.
I've read it and I'm still confused. Without caselaw and a lawyer how am I to determine which data processing are considered "legitimate interest" in Article 6? Recital 47 is supposed to clarify this, but it's still pretty vague and it says legitimate interests may provide a legal basis for processing. May? How do I know if they do or do not?
No, I'm pretty sure that is incorrect. The EU believes that an IP itself is personally identifiable and it must be secured and processed like any PII [1]. I think you could make a case that the IP being sent to an ad network is an "acceptable" business practice for which you don't need consent, but IANAL.
Where would "non-targeted" ads even come from? How can you use an ad network or even run a standard ad server in a way that doesn't share at least the reader's IP Address?
Mom and pop publishers who don't have the resources or ability to staff their own ad sales team are going to be in trouble. The big players who can work around this obstacle are going to be fine. I'm not happy about this.
Because I apparently need affirmative check-the-box consent before I can actually use those ad networks.
I'm not doing anything shady: all the information I collect and why I collect it has always been in my privacy policy. But making people have to opt-in to see ads on the site is a big problem.
I wish it were as easy as saying the law doesn't apply if your business doesn't target EU business. Unfortunately I don't actually think it's possible to escape GDPR. Even refusing to serve all EU IP Addresses wouldn't be completely effective.
I'm sure lots of companies view this as an opportunity. Especially the big ones with experience with compliance issues, in-house counsel, etc. It's going to be tougher on the small guy.