privacylawthrow's comments

This is factually incorrect. The "Cookie Directive" wasn't from 2003, it was an amendment to the ePrivacy Directive. The ePrivacy Directive came into effect in 2002, and it was amended in 2009. That amendment is what people generally call the "Cookie Directive" because it required consent for storage of information on end user devices.

It did not specify cookies, and did not actually specify any technical means. The ePrivacy Directive requires that companies get consent from users before storing information or gaining access to information stored on end user devices. This includes every kind of cookie you can think of, including LocalStorage. There is an exception for cookies necessary for the service requested, which typically includes things like auth cookies or shopping cart cookies, so long as that data is not used for anything else.


This is not true. The national implementations of the ePrivacy Directive are still law. You are correct that GDPR does not require cookie banners, but the law that does was not replaced by GDPR and remains in effect.


The FTC has been begging the complain-for-profit sector to give it a formal path to regulate AI. The FTC's only enforcement hook in this area is that it can take action against companies that have unfair or deceptive trade practices. This is how the FTC began regulating privacy and security in the US, and it's been waiting to use it for AI.

It comes as no surprise that this complaint is from Mark Rotenberg, former head of EPIC. He's very well aware of the boundaries of the FTC's power, and this complaint effectively serves as a letter to the FTC from an expert about how the FTC can position itself to begin regulating AI.


It's very much how most privacy laws work.

According to Revue's platform privacy policy[0], Revue processes subscriber emails as a data processor. Each newsletter publisher owns the email addresses of their respective audiences. Revue would have a legal obligation to make those email addresses available to the newsletter publishers until the shutdown date.

[0]: https://www.getrevue.co/privacy/platform?locale=en


Their privacy policy very strongly suggests that they are the data processor only when the account owner (Publisher) provides the email address, which they call indirect subscription.

Direct subscribers are users who subscribed themselves via the Revue service, and the privacy policy says nothing about providing direct subscribers' private data to the Publisher.

Their closure announcement does not distinguish between the types of subscriber.

So either the Publisher is only getting the indirect subscribers' info (and isn't being told they are losing the direct subscribers) or the Publisher is getting direct subscriber info which the direct subscriber never agreed to allowing (unless that is a separate agreement from the privacy policy, in which case presumably some permission was indeed obtained).


You're wrong. The ePrivacy Directive does require that a website get consent before storing information on the end-user's device. Prior to GDPR, the local country implementations of the ePD allowed for implicit consent in some EU countries, and opt-out consent in other EU countries. GDPR redefined what constitutes legitimate consent to process personal data. Consent that was previously valid under the ePD was no longer valid under GDPR, which is why GDPR is about cookies, and every other processing of personal data.


You don’t need consent to use cookies. You need consent to use cookies to track.


No. You need consent to store data on an end user's machine, regardless of whether you later track that data or not, unless such storage is strictly necessary for the operation of service explicitly requested by the user.


By that logic the GDPR is "about" fridge magnets because any business storing personal data using letter magnets arranged on a fridge is subject to GDPR. Sure, often cookies constitute/contain personal data, but when they don't they are not regulated by GDPR.


I mean, if you're storing user information that isn't pertinent to the business with fridge magnets on a slab of metal, and the user asks you to take them down, it's a GDPR violation if you don't remove/scramble said magnets after 30 days.

Method of data storage isn't really specified, but that's why it's General Data Protection Compliance.


Yes of course it would cover that hypothetical situation, as I said in my comment, but it would still be ridiculous in general conversation to say "GDPR does require that businesses get consent before using fridge magnets" without specifying "if personal data is involved".


Yes, that is correct. GDPR as written and as being interpreted by the courts covers every aspect of commerce, any interaction with another entity no matter how far removed, and any observable side effects of said interactions even if neither party knows of the third parties.


Before GDPR, the legal consensus among lawyers I asked was that consent could be a 30 page long legal document hidden behind a 6 pixel text link at the bottom of a page that can only be accessed by trawling the website. It wasn't really what the politicians that wrote the ePrivacy Directive intended, which is why the words "informed consent" were added.

Now if a hidden 30 page long legal document that no one can read is consent then I have this bridge I want to sell. It is totally legit.


I doubt you actually asked any lawyers who know this stuff.

While GDPR did raise the threshold of valid consent, the interpretation before the GDPR was nowhere near what you describe here.

There are authority guidelines and sanctions predating the GDPR on this.


I asked some lawyers during a conference that discussed privacy and law. I initially asked if a 50 page document was fine, which they said was not, but then lowered it to 30 and they said "sometimes" without any irony in sight. After an additional discussion they said that even if people did not read the document or had the ability to understand it, it would still count as consent.

I have also talked personally with politicians who were involved with the work of writing GDPR, and the people who wrote the ePrivacy Directive have reportedly said that lawyers' interpretation of consent was beyond the imagination of the original intent of the directive, which is why GDPR now requires freely given informed consent in contrast to the old consent.


You asked the wrong lawyers, at least for the US. The FTC's case against Sears in 2009 made it clear that consent to a privacy notice isn't valid if the privacy notice is buried deep in a licensing agreement, even if the notice is correct.


They are referring to GDPR. I do not see how any US ruling applies to that.


I'm a privacy lawyer that has worked on cookie consents for a number of commercial websites. Everything you said here is all too true. The real legal answer in a lot of cases is "Do what everyone else is doing. Don't be an outlier. Use industry tools because if there's a problem with an industry tool, they'll go after the tool and not its users."

The comments about cookies not being part of GDPR are grossly wrong. One of the early discussions in the privacy law community was how to handle the collision of the new consent requirements under GDPR with the fact that the ePrivacy Directive requires consent for cookies. Prior to GDPR, a large number of EU jurisdictions allowed for implicit consent through a variety of actions, like scrolling a page, or non-actions, like seeing a banner and not clicking "no". GDPR redefined consent and that's why cookie banners pop up.


As a lawyer, could you make an argument how consent can be given by a person if they haven't read the legal document, the other party knows that the person has not read the document, and even if the person had read the document they would not understand it because of its language, complexity and size.

To put it in other words, if we used the same definition of consent in any other legal contexts that also require freely given informed consent, would the legal system still function?


EU governments are exempt from the requirements of GDPR. In some countries police can access large amounts of data without the need for a warrant. For example German police do not need a warrant to get passwords to email accounts, PIN numbers for mobile phones, mobile usernames, birthdates, telco information, or hospital data.


They do need a warrant for all the mentioned things in Germany (except birthdates if accessed in public registers).

The GDPR does apply to governments in general (see Article 2) but criminal law enforcement authorities are exempt.


The law also requires that Colorado employees be informed of all promotional opportunities. A promotional opportunity is "a vacancy in an existing or new position that could be considered a promotion for one or more employees in terms of compensation, benefits, status, duties, or access to further advancement."

If a company doesn't already have Colorado employees, they may not be interested in having a remote employee in CO that requires special treatment.


>If a company doesn't already have Colorado employees, they may not be interested in having a remote employee in CO that requires special treatment.

Generalize even further. If the company doesn't already have employees in <different regulatory jurisdiction> then they won't incur the cost of compliance in <different regulatory jurisdiction> all else being equal.

If CO had very cheap labor it would pencil out and they'd gladly jump through the hoops to comply. But CO doesn't have particularly cheap labor for the kinds of jobs in question.

Heck, my company wanted to hire a specific expert in a specific field. They were willing to pay the moon but still almost didn't do it because of the compliance headache from having international employees. They hired a 3rd party intermediary to hire this person.


Any company over 1 billion in market cap probably already does this. Every company I've worked for has (mid sized to fortune 10). HR has to justify their existence by actually doing work.

It's also in the company's interest to provide advancement opportunities internally, otherwise your employees just leave. In this case the regulations are in line with the incentives.


True, but most of the examples people found are of companies that already have Colorado employees.


Right, but this applies to job postings. Current employees don’t require any additional work as they’re already hired.


Here's the act, it looks like it does have some additional requirements for companies with CO employees: https://leg.colorado.gov/bills/sb19-085

If remote work sticks around (I think it will), it will be interesting to see how employers handle the additional burden of having employees in dozens or even hundreds of jurisdictions. I don't think it's insurmountable, but it's certainly something many companies have not had to deal with before.


The same way they deal with the asinine US sales taxes or how international companies deal with hiring internationally.

They'll outsource it to companies that look after it for them. This is the "resources" bit of "human resources".

In the meantime, maybe the actual HR people could get back to being "people and culture" managers and stop thinking of staff as "resources".


There are companies that automate a lot of this, specifically to support remote-first companies.


...


Who says the CO remote employee requires special treatment? That would be a terrible leadership decision. The easy and obvious approach would be to treat all employees under the CO standard. It’s as simple as posting all open positions internally. Or even sending a firm-wide email when a new position is posted externally. I have a hard time believing most companies aren’t already doing this with the exception maybe of retail/labor-intensive positions where employees aren’t regularly using a computer. Certainly most companies hiring remote workers would be though.


Context: startup, 50ish employees.

We don't necessarily want to advertise all open positions to an internal selection process, particularly more senior managers.

The record keeping requirements in CO are concerning, particularly job description records. In particular, we don't yet have a full time HR person (there is a dedicated person, but that person has other job duties).

There's 49 other states.

edit: one more reason. We had a failing exec. Not enough to merit immediate firing, but failing enough that it was clear he or she was not going to last through the next round. We needed that person to continue doing a mildly-failing job while we found a replacement, due to lack of another person who could take on those responsibilities.

Not sure how you manage something like that with an internal hiring announcement.


Yeah, I don't quite get the rub here. The corporations I've worked for always post jobs internally first and normally they email the entire org with open positions. In general I've found most corporations want to hire internally since it's cheaper overall.


I think it depends on the company.

In a past organization a friend was HR at, there were branch office jobs and corporate jobs. Officially you could get promoted to the corporate office. Unofficially, don't bother as they optimized for different things for each hiring pool.

So they tried to keep the corporate jobs only available to the corporate people as otherwise the branch people would get excited and then end up having their dreams dashed from repeatedly applying and having their resumes chucked while an external hire filled their job.


Yeah, you especially don't want to proactively push out a bunch of job postings to people who have exactly zero chance of landing the position because the decision has already been made.


That too.

Plenty of job postings exist merely for compliance. So all you are doing is wasting a lot of time.


The worst is when the hiring managers have to go thru with interviewing N people who applied to comply with policy.


Many organizations just aren’t structured that way. I had a coworker who worked alone on what was a small project, gradually transitioning to a technical leadership role over the project as it got larger, until eventually he became the manager of the team that owns it. So he got a promotion opportunity, but there was never an opening as such; it would be pretty unfair for the company to open up applications for anyone to come in and take his project away.


I don't know how HR departments typically deal with this sort of thing. There's an obvious downside to posting a bunch of job openings that have effectively already been filled. The same applies to outside hires that effectively have had positions created for them (and job descriptions written with them in mind).


We have something like 15,000 employees and 20 some odd brand companies that operate largely independently. There is no reasonable way for us to wrangle every single opening into a single process to comply with a CO law (times all the other jurisdictions who’d like to put their own thumbprint on it).

I would always rather take a qualified internal candidate rather than spend months to land someone outside. So, I do shop jobs internally now, but even without reading the CO law, I'm pretty sure I'm not fully complying with it if I had an employee in CO.


At that size, I imagine you're already operating across several states, and HR already has processes in place to deal with differing regulatory requirements. Adding the latest CO rules to these processes isn't all that onerous in the overall scheme of things. It's not like "post a minimum salary" and "post listings internally" are crazy or complicated ideas.


I can't see why the number of employees or companies complicates this. I work for an enterprise with over 60,000 employees and they have decided to apply the Colorado standard to all job openings.

Edit: This was poor word choice in the morning; I should say I can clearly see how the size or scope of a company could complicate this. I just don't have any sympathy for them; you adapt your processes to match the desired state.


>Or even sending a firm-wide email when a new position is posted externally.

Please. No more emails.

>It’s as simple as posting all open positions internally.

One of the problems that happens (today) with this is that companies decide to hire someone external for a position essentially created for them. So they may create a job posting as a formality. But it's effectively a fake posting. No one else actually has a shot at an interview, much less getting the position.


Ah the CEO's golfing buddy's son or daughter.

Don't try this in Northern Ireland btw. I know of US managers getting into some serious hot water over not advertising the job in Catholic and Protestant publications.


Or just someone senior people have worked with before in some capacity. I had a job description written for me in my current US role.


Hey -- opened your profile because I was curious. If you're working on a company and interested in chatting, email in my profile.


Wow. I could see companies excluding CO just due to the regulatory burden alone, even if they agree with the spirit of the law.

I mean why create new HR processes when you have 49 other states to hire from?


My current company shares an email about open promotional opportunities every 6 months. I am continuously amazed how on Hacker News expecting basic decency from corporates is a 'terrible burden'.


Excuse me. You're not expecting, quote, "basic decency." You are expecting compliance with a specific regulatory framework. One of these requires a soul, the other requires lawyers and paperwork and record-keeping.


Since companies lack souls, the only way to get them to behave with decency is lawyers and paperwork and record-keeping.


By that view, does anyone expect "basic decency"?

For example, I could say that I expect "basic decency" to not kill each other. But I also support having a law making murder illegal. As part of that law, you have the possibility of people being jailed, possibly for months or years, before we even get to a court case. They may be able to pay a large fee to get back to their daily life (while part of the money is sometimes returned, there are plenty of exceptions to this). Then you get to the court case, where people are expected to spend days in courts and small fortunes on lawyers to prove they didn't murder someone. Lots and lots of lawyers and paperwork and record-keeping, not to mention the costs to an innocent individual wrongly accused. Good luck getting any payments to make up the debt you incurred.

Yet as a society we accept that we have to do things the legal way because just the expectation alone does nothing to stop bad people. As such the concept of "basic decency" is completely gone from the modern world, so I think it is safe to give it a new definition which includes the enforcement of a legal framework.


There is nothing profitable a corporate bureaucracy won't do out of 'basic decency'.

Before we had a 'specific regulatory framework' companies enslaved people, exploited children, commercialised rape and committed serial murder to break up unions.

https://en.m.wikipedia.org/wiki/Battle_of_Blair_Mountain


I am having trouble reconciling your assertions, in which you seem to think HN should expect "basic decency" from corporations while simultaneously asserting that "basic decency" has never actually served as a meaningful barrier. It seems to me that the latter statement rather undermines the original.

Maybe "basic decency" is a very bad phrase to describe things here, and we should just leave it out. It's probably useful as invective, and if one is already predisposed to sympathize with the point, can galvanize one to action, but it serves poorly as a tool to actually communicate.

I propose that if we avoid it, we can talk meaningfully about how the company finds it more convenient to avoid business than comply with regulatory burdens without the distraction of moralizing the matter, and draw conclusions about whether the passage of the law was wise under these particular circumstances, or what circumstances or structure might have made it better, and the like.

Perhaps your vintage-1921 blue-collar labor dispute is more of a distraction than a help, as well :)


Is 6 months enough? Can't spots get filled between that time?


6 months is not compliant. Employees have to be made aware of the posting on the same calendar day the job is posted. For jobs that are in constant demand, the company has to either send a daily email or have some kind of banner on its corporate intranet.

There is also no geographic restriction so if a company has any offshore service centers, it would need to post any promotional jobs to its Colorado employees as well.


Amazing, they have to notify about jobs in Thailand to Colorado employees?

Love it.


We're talking about a spreadsheet that is posted to an intranet. If someone in Colorado wants to apply for a Thailand based job and is willing to relocate for the position, then why shouldn't they know about it?

Of course, Thai employers can still discriminate on the basis of gender, sex, religion and a bunch of other things that Colorado employers can't.

And any company operating in Thailand has a local Thai company established, which would be the actual employer for the local employees. So the Colorado law would not apply.


Why not? When I worked at BT they did - a nice one or two year posting abroad on full ride expat status looks good on the CV.


BT has operations in Thailand?


All over the world; this was in Kuala Lumpur. I did some reading up on the country and decided to pass, I would have had to cut my hair short for one.

One of my co-workers did this but his asthma could not stand the humidity and he had to come back.


Our promotions happen every 6 months, so positions appear and are filled on that cycle.

There is also an internal jobs portal where you can search whatever you want


I am amazed that people do not understand the difference between Voluntary Action and Mandatory / Regulatory Burden.

A company could 100% already be doing everything to be in compliance with a regulation and still oppose the regulation, and take actions to ensure they are bound by that regulation.


Granted. But which of the following happens more often?

A) Companies oppose regulation because of filing and compliance costs, despite already doing the required behavior

B) Companies oppose regulation because they don't want to have a requirement to do and maintain the behavior

It feels like really we're talking about (B) as a primary motivator, and (A) is a smoke screen for PR palatability.


Don't forget about C: companies that propose regulations because they know they can handle them and competitors cannot.

Big companies will have no problem with these regulations. However small and medium sized companies need a bunch more busy work that needs to be done and so will avoid it.

This last is hard to measure - regulations have a cost in this form but it is hard to figure out what would have been done but isn't.


A huge point!

IMHO, the US should have much more "larger than X" laws (and clauses that enfold organized subcontractors working for larger corporations).


Beware of the unintended consequences of those laws (I have no idea what they are, but beware)


One of the consequences of those provisions is often either

1. Companies do weird divisions to keep under the limits.

2. Companies are artificially restricted in their growth as they need to add employees but are unable to. For example, if the cut-off was 50 employees, adding the 49th employee is easy, but adding the 50th employee is $$$$$, thus it will not happen. This would mean few companies grow to 50; rather you would see several 50+ employee companies merge, as the cost burden for the new 100 employee company would spread over all 100 employees, vs the regulatory cost being hit with the single employee add.


Of course B is the primary motivator, and I do not see that as a bad thing.

I am not sure why you think anyone or any company would DESIRE to have external actors impose requirements on their actions, or why it would be unpalatable to say you do not want to have regulatory burdens imposed on you.

As a culture have we so lost the respect for freedom and liberty that it is now bad if you want to have said freedom?


>I am not sure why you think anyone or any company would DESIRE to have external actors imposes requirements on their actions or why it would be unpalatable to say you do not want to have regulatory burdens imposes on you

Of course they desire to have external actors impose requirements on their own actions and other people's actions and other companies' actions. Just so long as they think those requirements benefit their bottom lines.

Ever hear of the business lobby opposing union-busting laws on the basis that they create regulatory burden?


union "busting" laws generally speaking are about REMOVING regulations around who is required by law to negotiate with and/or join a union. So these laws by definition are not imposing any regulatory burden on anyone they are removing regulatory burdens


Freedom and liberty to discriminate is a slippery freedom. For whom? When?

In a choice between maximizing efficiency for good actors, and curtailing behavior by bad actors, I tend to weight the latter.


Only as long as Colorado is the only state with this law. If California or New York adopts it, employers will probably just accept it nationwide.


"This offer only valid in the former Confederate states, where they know how to treat labor."


Though it does seem like the promotion opportunity is one that any sane company will want to have anyway. It takes some time to learn the company's internal systems, and promoting from within saves a lot of that time.


Apparently now it's a "burden" to do the ethical thing because one state requires it even though you should be doing it anyway.


I am a privacy lawyer that has spent far too many hours on cookie issues. It is disappointing that your correct answer was downvoted. It goes to show just how much misinformation is out there about GDPR.

The top comment in this thread demonstrates that as well, as the Data Protection Directive of 1995 had a functionally identical requirement allowing users to opt out of completely automated decisions for credit purposes.


If it's the TrustArc Ads Compliance Manager, it makes a call to all the ad networks requesting the network's opt out cookie. The opt out cookie prevents the user from being tracked by that ad network across all sites. Cookie banner opt outs usually only prevent tracking from the site you are on.

Unlike GDPR, which uses a website as the gate for all cookies, the ad industry also has self-regulatory programs. Participation in these programs require that a website allow a user to opt out of all ad networks present on their site. TrustArc built a module to do that: https://preferences-mgr.truste.com/.

If you run the tool there, it will make a call to the ad networks listed. Of course if you're running an ad blocker, the call will get blocked and it will look like the tool doesn't do anything.
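The mechanism the comment describes, as an added example that is not TrustArc's code nor any ad network's: the module fires one credentialed cross-site request per network, the page itself can never see the resulting Set-Cookie (the response is opaque), and the only way to know whether an opt-out "took" is to audit a network capture for a cookie that a browser would actually keep in a third-party context. The endpoints, cookie names and captured responses below are constructed for the example.

```javascript
// Constructed endpoint list (hypothetical); real networks publish their own.
const OPT_OUT_ENDPOINTS = [
  { network: "ads-a", url: "https://optout.ads-a.example/set" },
  { network: "ads-b", url: "https://optout.ads-b.example/set" },
];

// Fire one credentialed, cross-site request per network. mode "no-cors"
// makes the response opaque: the page learns only whether the request left
// the browser. A rejected fetch (typically an ad blocker or a restrictive
// connect-src policy) means that network's opt-out was never requested,
// which is exactly the "tool looks like it does nothing" symptom.
async function requestOptOuts(endpoints, fetchImpl) {
  const results = [];
  for (const { network, url } of endpoints) {
    try {
      await fetchImpl(url, { credentials: "include", mode: "no-cors" });
      results.push({ network, requested: true });
    } catch (err) {
      results.push({ network, requested: false, reason: String(err) });
    }
  }
  return results;
}

// Parse one Set-Cookie header value into name, value and the attributes
// that decide whether a cross-site opt-out cookie survives.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    secure: false,
    sameSite: "lax", // Chromium treats a missing SameSite attribute as Lax
    persistent: false, // session cookies vanish with the browser session
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "max-age") cookie.persistent = Number(val) > 0;
    else if (key === "expires") cookie.persistent = new Date(val).getTime() > Date.now();
  }
  return cookie;
}

// A cookie set by a cross-site request is only stored by Chromium-based
// browsers if it carries SameSite=None and Secure, and an opt-out that dies
// with the session is not an opt-out. (Safari, and any browser with
// third-party cookie blocking enabled, discards it regardless.)
function usableAsOptOutCookie(cookie) {
  return cookie.secure && cookie.sameSite === "none" && cookie.persistent;
}

// Run over the Set-Cookie values captured while the module executed
// (devtools or an intercepting proxy) to see which opt-outs would stick.
function auditOptOutResponses(responses) {
  return responses.map(({ network, setCookie }) => {
    const cookie = parseSetCookie(setCookie);
    return { network, cookie: cookie.name, usable: usableAsOptOutCookie(cookie) };
  });
}

// Constructed capture: ads-a's cookie lacks SameSite=None, ads-c's is fine.
const CONSTRUCTED_RESPONSES = [
  { network: "ads-a", setCookie: "optout=1; Max-Age=31536000; Secure" },
  { network: "ads-c", setCookie: "OPT_OUT=yes; Max-Age=157680000; Secure; SameSite=None; Path=/" },
];

// Fake fetch standing in for window.fetch: ads-b is "blocked" the way an ad
// blocker would block it, everything else returns an opaque response.
function fakeFetch(url) {
  if (url.includes("ads-b")) return Promise.reject(new TypeError("Failed to fetch"));
  return Promise.resolve({ type: "opaque" });
}

requestOptOuts(OPT_OUT_ENDPOINTS, fakeFetch).then((r) => console.log(r));
console.log(auditOptOutResponses(CONSTRUCTED_RESPONSES));
```

In a page you would pass `window.fetch` as `fetchImpl`; the audit step has to run outside the page because the opaque responses hide the headers from script. The practical caveat is that the opt-out depends entirely on third-party cookies being accepted, so a module like this can report every request as sent while no opt-out is actually in place.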


The problem is you're being presented a mandatory popup for what appears to be used as GDPR compliance but realize that it isn't because real ones are instant. This is fake GDPR in the sense that it isn't (compliant); it's other things, as you note. If the purpose is to facilitate GDPR, that opt-out time shouldn't be conflated (the ad stuff shouldn't be bundled), given that GDPR appears to have a requisite "It shall be as easy to withdraw as to give consent.". Is that a correct interpretation? You're suddenly notified you can't operate for minutes (unless you opt-in), which is definitely dark, and unnecessary (unless you want to achieve the action they're doing, but you didn't; you just need GDPR). Sitting captive for minutes is not a modern day web experience anyone finds acceptable, that's why Google is so focused on empowering loading speed inspection/resolution. The experience made me wonder if they use users who don't opt out (I almost gave up just to get out of being locked out) as a selling point. There wasn't, that I could find, an instant GDPR-compliant way around this obstruction. Why would any company care for this experience? If they wanted to be polite and do extra action (this ad network regulations thing), they have the tech to do it asynchronously/unobtrusively, right?

