While this developer may be overreacting (he probably doesn't need a DPO), I understand why it might just be easier to block it, at least until there are precedents about how to comply and more info on how the regulation will be enforced.
GDPR can be scary for developers, because nobody actually knows how a website or app is supposed to work (I have yet to see a single example), and it requires a series of steps that are not trivial on the administrative side. The Right to be forgotten is the easy part. Having to document everything you do and introduce data-dumping mechanisms that are both anonymous and secure is an administrative burden. Having to do that for every little project that you release, even if it has 10 users, is a bit too much. Many developers cast a wide net, releasing products often, and this is practically unnecessary work unless you have a significant amount of users.
Introducing opt-in forms everywhere is also not great. It didn't work for Windows Vista so why do we expect this to work on the web? Opt-ins for things like cookies should be implemented on the browser. What's the point of warning a person before sharing their email? What's the point of warning them even you'll install a cookie? IP addresses and cookies etc are integral parts of the HTTP protocol and the browser so why not introduce anti-tracking regulation that targets browser vendors and telcos instead of introducing regulation that targets every developer on the planet? It doesn't seem like an optimal plan imho. The example of the cookie law (for which it's hard to argue that it has not utterly failed) should act as a bad precedent, not a good one.
It's easy for US developers to be positive of GDPR because they can avoid the overreaching parts, but for us in the EU it's something we have to abide by 100% of the time. I'd like to hear what other people think about those, because otherwise I hear a lot of emotional praise for GDPR which is blind to how problematic it is at day 0.
> The example of the cookie law (for which it's hard to argue that it has not utterly failed) should act as a bad precedent, not a good one.
It is an utter failure but mostly because services try hard to turn it into a travesty and simultaneously manage to deceive their users by attributing blame for the annoying cookie warnings to regulators.
"We are required by law to show you this stupid warning because our site uses advanced features that need cookies to work. Without them, you couldn't even login! (OK)"
Which, of course, is utter bullshit. If you can stop this deception, things might actually work out as intended.
Sites may rethink their need for personal data gathering if cookie warnings would have to look more like the following.
"We'd like to analyze your site usage for ad targeting and other things that make us some more money.
Do you agree we use cookies for that? (yes/no)
NOTE: Even if you disagree, standard site functionality like logins will continue to work unharmed."
I don't think you need to get explicit agreement when using cookies to implement expected site functionality, as long as you don't re-purpose them for profiling/targeting purposes. IANAL, though.
If a law can be so easily circumvented, does not provide an alternate solution and fails to effect any change at all, then it's a failed law and a bad law, regardless of good intentions.