information GDPR is taking a bite out of European ecommerce

[equity78]

GDPR is taking a hit out of European website traffic and e-commerce. A recent study shows that since GDPR went into effect, page views are down by 9.7% and revenue decreased by 8.3% due to GDPR. European ecommerce is taking a hit at a time when it’s already hard competing with the likes of Amazon. […]

Continue Reading

 

[MadAboutDomains]

No, you are misssing the understanding that the cookie law was introduced in 2011 that said you had to gain consent for placing a cookie on a machine at all. This had nothing to do with GDPR. Please go investigate the cookie law. IT WAS INTRODUCED IN 2011. 7 YEARS BEFORE GDPR.

GDPR is about protecting what can be considered personal identifiable information. Cookies could be impacted by this but are not necessarily. As I have already said there was legislation that was intended to complement GDPR that was meant to bring the cookie law into line with GDPR but this was delayed.

If you did not seek user consent to use cookies prior to GDPR you broke EU legislation plain and simple.



Im sorry but that is exactly what GDPR does, it protects user data and what organisations are allowed to do with said information. It restricts them from sharing said informsation with 3rd parties unless required to do so by law, is required to operate as a business or is done so with the consent of the user.

I couldn't give a monkeys when the cookie law was introduced. GDPR restricted unauthorised collection, processing, storage and sharing of personally identifiable information amongst other things.

Before GDPR you could get away with implicit consent for cookies. However GDPR required explicit consent from the user to store personally identifiable information in cookies, whether it was stored in the cookie or could be deemed personally identifiable information when paired with other information.

It restricts them from sharing said informsation with 3rd parties unless required to do so by law, is required to operate as a business or is done so with the consent of the user.

Yes and how would Namecheap have failed in this regard when sharing the contact details?

You seem to beleive you are an expert on GDPR however do not seem to have grasped the basics here. I stronly urge you to read GDPR as I have done.

Laughable.

 

[branding]

To be honst this is exactly why when you see people such as Mark Zuckerberg in front of the US Comitees they cite EU regulations and proceedings, They do not have anything at present that really protects user information. The current US laws really only kick in once you can prove that you as a user have been financially hurt from such actions (there are several states looking to address that however with their own GDPR like legislation). The EU tries to err on the side of protection to stop it happening in the first place

Thank you for that info. As an European I only know the basics about US laws so this is some good insight for me and further supports my concerns.

When the GDPR kicked in we all had to make adjustments but in the end it'll serve the greater good. Like you said, the 'cookie law' preceded and cannot be compared to the GDPR. Like most of the world today, most EU citizens though that to be very annoying. I personally still do actually.

The 'cookie law' didn't gain much traction globally which is probably why a lot of people are not familiar with it.

 

[Peter]

I couldn't give a monkeys when the cookie law was introduced. GDPR restricted unauthorised collection, processing, storage and sharing of personally identifiable information amongst other things.

Before GDPR you could get away with implicit consent for cookies. However GDPR required explicit consent from the user to store personally identifiable information in cookies, whether it was stored in the cookie or could be deemed personally identifiable information when paired with other information.

.

Clearly you are not interested in facts at all. The cookie law was what introduced explicit consent NOT GDPR. What GDPR did do in this respect was make the fines considerable in the event of non compliance.

Yes and how would Namecheap have failed in this regard when sharing the contact details?

Unaurthorised sharing of personal identifiable informtion, the exact DATA that GDPR is set out to protect!

 

[MadAboutDomains]

Like you said, the 'cookie law' preceded and cannot be compared to the GDPR.

Tell that to the thousands of companies in the EU that were falling all over each other to make sure they they were no longer just implicitly asking for cookie consent and that they were explicitly asking for permission to store cookies that stored personally identifiable information.

 

[MadAboutDomains]

Clearly you are not interested in facts at all. The cookie law was what introduced explicit consent NOT GDPR. What GDPR did do in this respect was make the fines considerable in the event of non compliance.



Unaurthorised sharing of personal identifiable informtion, the exact DATA that GDPR is set out to protect!

It's not unauthorised when the person has agreed to it in the registrant agreement. That is GDPR. The agreement explains how their data is collected, processed and shared. Which bit of this are you failing to grasp?

 

[Peter]

Tell that to the thousands of companies in the EU that were falling all over each other to make sure they they were no longer just implicitly asking for cookie consent and that they were explicitly asking for permission to store cookies that stored personally identifiable information.

There are either 2 possibilities in this.

1) Those companies just did not bother complying with the cookie law
2) Those comoanies fell outiwth the jurisdiction of the law itself so were not concerned about it.

GDPR changed specification on who was liable bringing organisations outwith the EU in reach of the EU. Instead of the law only considering where a company was based GDPR introduced consideration of where the users were based so if a company was based in the US but had EU customers they had to comply with the law where prior to GDPR they would not necessarily have needed to do so (some did).

This is why now for example I am unable to view some US news websites as they have chosen to block EU traffic so thatr they do not have to comply as of yet.

 

[branding]

Tell that to the thousands of companies in the EU that were falling all over each other to make sure they they were no longer just implicitly asking for cookie consent and that they were explicitly asking for permission to store cookies that stored personally identifiable information.

I know. Most companies failed to understand the specific requirements at the time. Lots of companies actually neglected this whole law and didn't ask for permission whatsoever. The law was never enforced that rigorously.

 

[MadAboutDomains]

Jesus Christ this is getting boring. GDPR made it so that you had to let people know what personally identifiable information you were storing.

If you store personally identifiable information in a cookie you have to ask since GDPR.

Asking to store cookies (the law you're harping on about) and asking to store personally identifiable information in a cookie is two separate things. One is the cookie law the other is GDPR compliance.

 

[MadAboutDomains]

Namecheap don't have to get your permission because they already have your permission to share it. It is explained in their terms in the registrant agreement.

 

[branding]

Namecheap don't have to get your permission because they already have your permission to share it. It is explained in their terms in the registrant agreement.

Could be. I personally never checked this. Would be interesting to know if I could opt out of this as this would be my right by the GDPR but let's leave that for another debate

 

[MadAboutDomains]

Could be. I personally never checked this. Would be interesting to know if I could opt out of this as this would be my right by the GDPR but let's leave that for another debate

Hopefully not, because then we'd all rely on courts or UDRP to get anything resolved.

 

[Peter]

It's not unauthorised when the person has agreed to it in the registrant agreement. That is GDPR. The agreement explains how their data is collected, processed and shared. Which bit of this are you failing to grasp?

This is from Namecheaps T&C's

Legally Required Disclosure.

We will never share your information without your permission or in ways other than as outlined in this policy. The only exceptions to this are when we are required by law, in the good faith belief that such action is necessary in order to comply with the law, or when we must comply with a legal process. Examples of these types of exceptions are court orders, subpoenas, and UDRP/URS processes. In each of these situations, we will carefully review the documentation provided and only comply if such documentation meets requisite legal standards.

I beleive the bit you are looking at is in fact

For Legal and Other Purposes. We may access, preserve and disclose information to investigate, prevent, or take action in connection with: (i) legal process and legal requests; (ii) enforcement of our Universal Terms of Service; (iii) claims that any content violates the rights of third-parties; (iv) requests for customer service; (v) technical issues; (vi) protecting the rights, property or personal safety of Namecheap, its users or the public; (vii) establishing or exercising our legal rights or defending against legal claims; or (viii) as otherwise required by law. This may include responding to lawful governmental requests. Learn more about how we evaluate and respond to these requests here.

There is 1 major flaw in this T&C's however. The word "here" that is intended to be link to see how such informsation is used is not a link therefore the T&C's cannot be properly evaluated as they are incomplete. However that is a very broad statement that is amongst legal reasons the data might be shared. I very much doubt this T&C would protect Namecheap providing personal identifiable information to another individual upon request would satisfy GDPR.

The following link is the section of GDPR that states what consent is. Do you really beleive that T&C satisfies this?

http://www.privacy-regulation.eu/en/recital-32-GDPR.htm

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Consent should cover all processing activities carried out for the same purpose or purposes.

When the processing has multiple purposes, consent should be given for all of them.

If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.[/QUOTE

 

[MadAboutDomains]

https://www.namecheap.com/legal/domains/registration-agreement/

Point 21.

You agree to it when you sign up.

 

[Peter]

Fair enough however the fact they declined your request suggests they did not agreee with your trademark claim (rightly or wrongly). And the fact that the whois privacy company declined under the basis of GDPR means they do not have such a clause for the service and deem giving out such information would put them at risk of fines under GDPR. This does not preclude you from raising a complaint via ICANN (or the body that oversees the extension in question) or going through the legal route.

 

[poweredbyme]

It's surprising to me that outside of the EU there is so little support for this.

IMHO, websites are bound by the laws where they are hosted. Also website owner (person or company) has to obey the laws but not all laws of all countries. If the owner, server and domain are out of the EU, enforcing GDRP has no legal basis in my opinion. Because you can not enforce a law of x country in all counties unless all counties have the same law. Internet is a global thing, not the property of EU or another country. One country or a group of countries can not rule the internet.

 

[branding]

IMHO, websites are bound by the laws where they are hosted. Also website owner (person or company) has to obey the laws but not all laws of all countries. If the owner, server and domain are out of the EU, enforcing GDRP has no legal basis in my opinion. Because you can not enforce a law of x country in all counties unless all counties have the same law. Internet is a global thing, not the property of EU or another country. One country or a group of countries can not rule the internet.

You raise some valid points however in this day and age it simply doesn't work that way.

I would love to discuss this further but we'd continue down a road that would derail this thread to the max so I won't go there some other time, some other place