This is part of the problem. The laws are not retained within the country that makes them. They spread overseas. If the Spanish have one rule and the Italians another, which laws should you adhere to for your own site?
You should adhere to the law of the UK. Unless there is a treaty between the UK and another country covering that matter, it will be hard to enforce a foreign law against you. – I’ll come back to that in a minute with an example.
Of course, this will be fundamentally different if you run a business with a physical presence in another country.
Because of the vagueness of the GDPR legislation, each country has its own interpretation of what the GDPR law means. This is another part of the problem.
In my perception the major part of the GDPR is not vague at all. There are some grey areas, but I think for most use cases they are not worth worrying about too much until they are clarified.
The internet is run largely by ads. If this forum had no ads, it would not survive. What is the difference if you go into a shop in person? They could collect your data. They have your gender, approximate age, what you look like etc. Why don't you go up to the counter and ask for a refund!
Data privacy does not prevent you from showing ads. Would it make such a huge difference if you did not show individually targeted ads but generic technology related ads instead? – This is not meant as a rhetorical question, I’m genuinely interested in an answer.
If a physical shop recorded that a white male, apparently between 30 and 50, bought some stuff, I would not object. If they combined that info with data to identify me as a person, like a photo or my credit card data, it would be a different matter and would need explicit consent. – Customer loyalty cards are implementing that, and with them you actually get a tiny partial refund.
So, I looked at the site. I did a GDPR check. It failed. Since you feel this is an important issue, you might be shocked that you are not complying with the GDPR rules.
Oh, I see. That is my site indeed. - The check failed in more than one way.
In general, such automated checks can only test some very superficial aspects of data protection and GDPR compliance. Nevertheless, as this is our very topic in this thread let’s look at that check in more detail.
The check just focused on cookie related stuff (no surprise for a website called “cookiebot”). It found 4 Google Analytics cookies on my site and addressed three (potential) issues with them (in reverse order):
Passed - Personal data is transmitted to 'adequate countries' only (GDPR)
The adequate country referred to is the United States. Well, my website passed, but the test itself failed. The United States is not an 'adequate country'. Only US companies adhering to the Privacy Shield framework are adequate companies in a not-so-adequate country. Google does so, of course. So, my website is compliant, but the check did not mention that; I doubt they actually verified it.
Failed - Prior consent on personal data (GDPR)
Correct, I do not ask for prior consent. However, the check failed to notice that IP addresses are anonymized, and cookie lifetime is set to a minimum in the setup of Google Analytics. Thus, the data is not personally identifiable and the GDPR is not applicable. It is just the data of “one visitor”, very much like in the physical shop example above.
I explicitly address this in the data protection statement on the website. So, it’s not something you would only notice when poking around in the source code of the page.
Failed - Prior consent on other than strictly necessary cookies (ePR)
That is not related to the GDPR but to the ePrivacy Directive. Unlike the GDPR, the ePrivacy Directive is not European law but needs to be implemented by the member countries in local laws. The German implementation of ePrivacy considers the browser settings to be sufficient in that regard. So, if you set your browser to accept cookies, you automatically consent.
Other European countries are not happy with the German interpretation of ePrivacy and have complained about it, but to my knowledge this has had no effect yet. - This is an example of foreign countries wanting to impose their laws abroad. Unless there is some treaty or agreement between the countries covering that, it does not have an automatic effect.
So, while the check is not entirely wrong here, my website is still compliant with the ePrivacy implementation of the local jurisdiction.
(Warning to future readers: The EU ePrivacy legislation is currently under review and might be updated in the near future.)
So, am I shocked by the results of that check? No, not at all! After closer inspection they turned out exactly as intended. In terms of the law, I consider my site to be fully compliant with all currently applicable rules for data privacy.
Would I get around the cookie notice without applying the more relaxed German interpretation of ePrivacy? I don’t know. I guess so, because I’m not using those cookies to identify persons. I would need to do more research on that to be sure.
My point: You can absolutely be compliant with data privacy regulations without bombarding your visitors with popup notices.
To not let the disadvantages of my approach go unmentioned: By restricting Google Analytics to not identify persons I lose all demographic information on website visitors and the new vs. returning statistics are utter rubbish. On the codekabinett.com site I do not care much about that.
On my AccessDevTools.com shop site, I lose the ability to track how a user purchasing stuff originally came to the site. I do not know which marketing channel is most effective. This hurts my interests as an online seller. So, I can understand businesses which want to track their visitors more closely. Nevertheless, I decided (for now) that I’d rather not track visitors, for the usability improvement of the absent cookie notice.