I'm curious what about that notification is "hidden away in legal wording" or doesn't "require active consent". You have to agree with it to make that go away.
At least the way my multi-national employer is interpreting it, under GDPR you can't get away with "click here if you agree with our privacy policy". You have to explicitly say everything that is tracked, everything that is stored, how long, and why it is required for use. If it's not required for use, you can't ask for it and you can't store it unless the person explicitly says yes. If they say no, you have to let them use it anyway, without the tracking and without the storing.
> If they say no, you have to let them use it anyway, without the tracking and without the storing.
This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.
I have to wonder whether at some point the EU is going to become so aggressive that the big US tech firms really do start calling their bluff. Stronger legal privacy protections may be long overdue in our modern, online world, but that particular measure is transparently aimed at undermining entire business models that have supported services evidently valuable to literally billions of people around the world, and that may be a bridge too far.
If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).
> but that particular measure is transparently aimed at undermining entire business models
Yes, but that's the entire point. That's why this regulation exists. That's why it has so many fans here on HN.
Not sure if there's a qualitatively different way of achieving the same goal with a different method. There probably isn't, so it boils down to a careful balancing act - how to damage those business models without going overboard and having all US companies show the EU the finger.
> If they say no, you have to let them use it anyway, without the tracking and without the storing.
That part of what he said is incorrect. The EU may be able to do a lot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.