> GDPR compliance can be extremely expensive to implement...
Bullshit. It's trivial to implement. Don't store my personal data. Done.
It may be extremely expensive to store and process my personal data and remain GDPR compliant, if you insist on doing that. And admittedly it may be expensive to store and process others' personal data while excluding EU citizens from that mechanism. But the blanket statement "GDPR compliance can be extremely expensive to implement" is on its own extremely misleading in this context.
> And imagine working in an industry where data retention is legally mandated by other jurisdictions...
Perhaps, but this is not relevant to a news organisation publishing a general article online from the USA, where (AFAIK) there is no such data retention requirement in any jurisdiction within the USA.
It is not trivial for publishers who have years of adding advertising and analytics tools to their website to come up with a strategy for peeling these back or checking compliance. If I had a blog, it would be easy for me to check and decide what to remove or modify. But being part of an organization means that most of the shit on a publisher’s network is a manager’s baby project and is going to require meetings and ego stroking, and if you suggest a change and then revenue drops, you will be the prime suspect. Not to mention months of managers saying, “Well, we used to have this really great analytics platform that helped me steer this company, but now I can’t do my job because so-and-so deactivated X.” For many of the tools you might have a contract with a company to provide service. They have people specifically hired to be persuasive calling your leadership to try to keep the relationship going, so they will fight to keep you as a customer. I think the interesting thing is that you can’t pass the buck: you are ultimately responsible for providing compliance, not just choosing tools that claim compliance.
> It is not trivial for publishers who have years of adding advertising, advertisement and analytics tools to their website to come up with a strategy for peeling these back or checking compliance.
Correct. I did cover this when I said, in the post you are replying to: "...admittedly it may be expensive to store and process others' personal data while excluding EU citizens from that mechanism"
> Bullshit. It's trivial to implement. Don't store my personal data. Done.
Tell that to the dozens of engineers that spent months on GDPR compliance at my company.
I personally spent two weeks making sure my systems had both export and deletion capability. These systems were engineered for soft delete data retention and maintaining change logs across writes. In several different databases. And offline data warehouses. And feeds consumed by downstream systems.
> But the blanket statement "GDPR compliance can be extremely expensive to implement" is on its own extremely misleading in this context.
You have no idea what you're talking about. Every system out there handling personal information needs to be re-engineered. Soft deletes, change logs, feeds, plumbing between microservices, data validation logic, primary keys and foreign keys with PII, on and on... it all needs to be changed to handle new APIs: delete and export. That requires a lot of work to do correctly and capture all of the surface area.
> Perhaps, but this is not relevant to a news organisation publishing a general article online from the USA
Maybe they can't afford to change things? Sure, they might be collecting too much information in order to sell ads, but they have to decide if the EU traffic is worth rebuilding what they already have in place.
Don't take a gut value judgement about GDPR being the right thing to do and equate it to being inexpensive. It is not.
News outlets have relied on advertising to make their content accessible and still profitable since the 1830s[0]. It would be an immense industry shift to change from an advertising-based model.
The GDPR also holds you liable for your outsourced work, which means that any ad network that serves a single malicious ad violating GDPR could make you violate the law. It’s a tough conflict.
The GDPR does not prevent you from serving ads. The ads being served in the 1830s, for example, would not have been in violation of the GDPR had it been in force at the time.
> News outlets have relied on advertising to make their content accessible and still profitable since the 1830s[0]. It would be an immense industry shift to change from an advertising-based model.
But the immense shift has already been happening, just the other way: away from a somewhat acceptable kind of contextual advertising model ("put my ad next to the recipes pages") to the current dragnet surveillance behavioural advertising model.
What is needed isn't much more than going back to 2009, or whenever it was that Google bought DoubleClick, when the separation between shady spyware, passive ads and content was somewhat clear.
Of course this would be expensive, in the same way that getting your buildings fire safe would be expensive after you've relied on lack of inspections to rake in rents for years from cheap housing.
Meta: HN could use a feature to "flag" when someone is abusing downvotes, like on the parent comment. I can always send a mail, as I sometimes do, but I guess a way to flag for general moderator attention would improve reporting of such abuses.
The comment is trivially easy to prove right, points out an important detail and is still downvoted.