1 - 20 of 25 Posts

·
Hi all,

Not sure if anyone is affected by this - the Critters workshop (which as a writer I find really useful) has closed its doors to EU members due to the GDPR, as they can't fully implement it and it has potential massive fines. Very sad to hear, as this certainly was not what the GDPR was designed to do...
 

·
As far as I know, compliance means:

You must have a clear privacy policy
You can only request information that is necessary for performing whatever it is you do.
You must clearly tell people what you are doing with that data
You must keep it secure

What is it they claim they can't adhere to?
 

·
Bards and Sages (Julie) said:
As far as I know, compliance means:

You must have a clear privacy policy
You can only request information that is necessary for performing whatever it is you do.
You must clearly tell people what you are doing with that data
You must keep it secure

What is it they claim they can't adhere to?
In addition to what you mentioned, you also have to be able to give the user all the data you have collected on them and allow them to correct it and in some cases delete it and have it removed from search engines like Google, etc. It isn't trivial, and when one potential infraction could ruin you, who can blame them? 4% of turnover or 20 million euros, whichever is higher, and from what I've seen large sections of the law are every bit as ambiguous as KDP's content policy. Throw in some ambulance chasers looking for a big win to collect their fee off the top and you have a recipe for disaster.

I'm not saying the law isn't a good thing in principle and a big step forward to reining in the ridiculous level of data scooping being done, but the fines are simply too high for most small companies to risk.
 

·
I've never heard of 'Critters' before tonight, but they're - in my opinion - overreacting by some distance! I don't get what part of GDPR (and as a UK author I have been very interested in this!) they can't comply with?
 

·
NathanBurrows said:
I've never heard of 'Critters' before tonight, but they're - in my opinion - overreacting by some distance! I don't get what part of GDPR (and as a UK author I have been very interested in this!) they can't comply with?
TWENTY. MILLION. EUROS. If you are a small website, is it worth taking the risk of falling afoul of a complex law with some very ambiguous clauses when that kind of penalty is involved? If you are one of the big players and can afford to hire a legal team to go through it with a fine-toothed comb to make absolutely certain you are 100% in compliance, okay. If you are a small website that can't afford a legal team and you aren't going to bring in 20 million euros over a period of years, why on earth would you even risk it?
 

·
CoraBuhlert said:
most of the members of the EU parliament who proposed and voted on GDPR have only a very limited internet presence (two of the main authors of the GDPR bill have no internet presence whatsoever).
Why am I totally not surprised by this?
 

·
KelliWolfe said:
In addition to what you mentioned, you also have to be able to give the user all the data you have collected on them and allow them to correct it and in some cases delete it and have it removed from search engines like Google, etc.
If Critters is panicking like this, then I have to wonder what information, exactly, WERE they collecting without their members' knowledge?

I am wracking my brain here. Other than the basic info you enter when you sign up for the site, which you can access at any time and change at any time as far as I know, what were they collecting behind the scenes without anyone's knowledge?
 

·
Bards and Sages (Julie) said:
If Critters is panicking like this, then I have to wonder what information, exactly, WERE they collecting without their members' knowledge?

I am wracking my brain here. Other than the basic info you enter when you sign up for the site, which you can access at any time and change at any time as far as I know, what were they collecting behind the scenes without anyone's knowledge?
I need a like button. This nails it.
 

·
Bards and Sages (Julie) said:
If Critters is panicking like this, then I have to wonder what information, exactly, WERE they collecting without their members' knowledge?

I am wracking my brain here. Other than the basic info you enter when you sign up for the site, which you can access at any time and change at any time as far as I know, what were they collecting behind the scenes without anyone's knowledge?
In the time I was at Critters, I asked them several times to remove a very early version of a story from their database. They said they couldn't/wouldn't. As far as I can see, this stupid policy runs counter to the GDPR requirement: that users can delete themselves from the site. It's the main reason I left Critters.
 

·
Patty Jansen said:
In the time I was at Critters, I asked them several times to remove a very early version of a story from their database. They said they couldn't/wouldn't. As far as I can see, this stupid policy runs counter to the GDPR requirement: that users can delete themselves from the site. It's the main reason I left Critters.
In that case nothing much is lost. A writer/critique group not respecting copyright law is no good thing to be in anyway...
 

·
NathanBurrows said:
I've never heard of 'Critters' before tonight, but they're - in my opinion - overreacting by some distance! I don't get what part of GDPR (and as a UK author I have been very interested in this!) they can't comply with?
Instapaper (a save for later service) stopped supporting EU users until it can bring its service into compliance with the GDPR, and that's just one example. USA Today essentially had to strip all the ads and tracking from the version of their site that EU users see. Also, the Unroll it Twitter service is now blocking EU users.

I can't recall the name, but I know of one major US newspaper company that has simply decided to block all EU traffic because they don't want (or simply can't) to comply with GDPR.

So no, this is not an overreaction.
 

·
Bards and Sages (Julie) said:
If Critters is panicking like this, then I have to wonder what information, exactly, WERE they collecting without their members' knowledge?

I am wracking my brain here. Other than the basic info you enter when you sign up for the site, which you can access at any time and change at any time as far as I know, what were they collecting behind the scenes without anyone's knowledge?
My guess would be the posts. It's not clear how this all applies to private identifying information in posts and quoted posts and all that. The right to be forgotten looks ludicrously broad from everything I've seen. I've run a board for a dozen years or so and since I can't find answers and I don't have time to deal with this, I'm considering shutting it down. I hadn't considered that a note saying EU members aren't allowed could solve that.
 

·
The problem with GDPR is that there is no way to know how it will play out in practice. I've asked my attorney some questions, and I'm going to be getting answers once the research is complete, but it's already clear that there's no such thing as a guarantee in this case.

That said, email lists are relatively easy to make compliant. It's websites that offer the greatest challenge.

For those of us with WordPress, there are a number of plugins designed to address the issue. After some experimenting, I settled on WordPress GDPR from Code Canyon. It's a measure of how rapidly the developer responds to user concerns that the plugin updates once or twice a day. As far as I can tell, it covers all the bases.

I don't collect much data in the first place. All areas of the site are accessible without sign-in, and I'm not selling anything. Basically, the only data comes from the comments (name, email, and IP address--for antispam detection). A few other plugins collect anonymous data. I got rid of Google Analytics, figuring it wouldn't be very accurate once people started opting out of it. It was comparatively easy to describe in the privacy policy what the remaining plugins are doing. WordPress GDPR provides very clear accept or decline choices and enables users to change them any time. (It also provides the setup for users to make data requests and has a particularly neat feature that allows users to delete their own data if they wish.)

GDPR applies in two cases: if someone does business in the EU, or if someone is monitoring the behavior of EU citizens. WordPress GDPR has a mode in which it loads only essential cookies even if someone accepts cookie usage. I tested the site, and everything seems to work with that setting. If I turned it on, I could argue I wasn't monitoring the behavior of EU citizens. Am I doing business in the EU? Distributors that sell my books are doing business there, not I.

The one problem I have is that, since people don't have to sign in, the plugin has no way of preserving a record of whether they accepted cookies or not, though I could demonstrate that the site loads only essential cookies until a user consents. Not having a record wouldn't be an issue if I blocked all nonessential cookies myself. If everybody had to create an account and sign in, that would ironically cause me to collect more data. That's one of the questions my attorney is looking at.

What puzzles me is watching how differently businesses react. I've seen everything from blocking EU citizens to seemingly continuing with business as usual. Even the companies with legal teams seem to be reacting very differently.
 

·
Speaker-To-Animals said:
My guess would be the posts. It's not clear how this all applies to private identifying information in posts and quoted posts and all that.
So long as the user can remove their posts, or a mod can remove the post upon request, then there shouldn't be an issue. Our mods here at KB delete and edit posts all the time!

I think the real problem is stuff that goes on "behind the scenes." Sites like FB, Twitter, and even Google collect enormous amounts of data about users without their knowledge. And then you have sites that sell access to their users without those users knowing.

I guess I am not overreacting because I have a lot of practical knowledge dealing with government agencies. Not in the EU, but I've worked through audits from the DOT, FAA, FDA, OSHA, and other federal and state agencies. The regulations are always written in the most convoluted manner, but the realities of enforcement typically tend to be "Are you making a good faith effort to comply?" What I have learned from dozens of audits over the years is that investigators want to see you are making a good faith effort. They will dig their fangs in and not let go if they think you are actively attempting to skirt the law, and they will bring down the hammer if they think you are willfully engaging in behaviors designed to circumvent the law, but mostly they just want to see you acting in a principled manner.
 

·
Speaker-To-Animals said:
My guess would be the posts. It's not clear how this all applies to private identifying information in posts and quoted posts and all that. The right to be forgotten looks ludicrously broad from everything I've seen. I've run a board for a dozen years or so and since I can't find answers and I don't have time to deal with this, I'm considering shutting it down. I hadn't considered that a note saying EU members aren't allowed could solve that.
Every current forum software has the feature for members to delete themselves with or without posts and with anonymised posts, and has done so for at least the past 5-6 years. It's no problem.
 

·
Edward M. Grant said:
I left Critters a long time ago, but it's been around for decades and one of the best critiquing groups on the Internet.
Well, if a critique forum doesn't respect copyright it can't be among the best, it won't even be just adequately "good". The very first thing I'd expect anyone working with my texts to respect is my right to decide what happens to them. That includes what happens to them behind a password wall or in a database accessible only by members or administrators.
 

·
Bards and Sages (Julie) said:
So long as the user can remove their posts, or a mod can remove the post upon request, then there shouldn't be an issue. Our mods here at KB delete and edit posts all the time!
What about my post that you quoted, or yours that I've just quoted? Does that apply? And I don't know of any software that will do that. If for no other reason than that plenty of times someone quotes without attribution.

In terms of Critters, I also wonder if they're using software that was modded a long time ago and they just don't have the money or skills to adjust.
 

·
Bards and Sages (Julie) said:
So long as the user can remove their posts, or a mod can remove the post upon request, then there shouldn't be an issue. Our mods here at KB delete and edit posts all the time!

I think the real problem is stuff that goes on "behind the scenes." Sites like FB, Twitter, and even Google collect enormous amounts of data about users without their knowledge. And then you have sites that sell access to their users without those users knowing.

I guess I am not overreacting because I have a lot of practical knowledge dealing with government agencies. Not in the EU, but I've worked through audits from the DOT, FAA, FDA, OSHA, and other federal and state agencies. The regulations are always written in the most convoluted manner, but the realities of enforcement typically tend to be "Are you making a good faith effort to comply?" What I have learned from dozens of audits over the years is that investigators want to see you are making a good faith effort. They will dig their fangs in and not let go if they think you are actively attempting to skirt the law, and they will bring down the hammer if they think you are willfully engaging in behaviors designed to circumvent the law, but mostly they just want to see you acting in a principled manner.
Are you willing to gamble 20 million Euros on that? Especially when Europe is crawling with ambulance chasers whose sole purpose in life is to take advantage of laws like this to extort payments from businesses over claimed violations?

You have to remember that it isn't just the forum software these people have to worry about. When you go onto a website the server collects data about you as well. You've got server logs, cookies, and potentially other logs collected at different levels depending on what plugins you have for IIS/Apache. ALL of that is included in this law, because your IP address and the information associated with it is considered part of that personal information because it can be used to identify you. The site operators have to be able to show that to the user ON DEMAND and delete it if required. This includes purging from backups, etc. Most systems, especially older ones, don't have any easy way to do any of that. It would all have to be compiled and changed manually, or else you'd have to write or buy software to do it. And getting rid of it from your backups? When I was an admin, we'd have backups going back YEARS in some cases for legal reasons.

For businesses like Google and Facebook which exist to collect data they do have all of that information in one place and it isn't particularly onerous for them to get it in front of the user, and they're running in-house software that they constantly modify anyway so it isn't a huge deal for them to add in an interface to allow users to modify or even delete it. Smaller web sites simply don't do that kind of thing, though, and the older the software they're running, the more difficult it is to make changes without breaking things.
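
The server-log side of what the post above describes (showing a user the log entries tied to their IP address, and deleting them on request), as an added example that is not part of the original thread. It assumes the client address is the first field of each line, as in the default Apache common/combined formats; the function names and the sample lines are made up for illustration.

```python
import ipaddress

# Constructed sample access-log lines (documentation address ranges only).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2018:10:00:01 +0000] "GET /forum/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/May/2018:10:00:02 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/May/2018:10:00:09 +0000] "POST /forum/reply HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '2001:DB8::1 - - [25/May/2018:10:01:00 +0000] "GET / HTTP/1.1" 200 100 "-" "curl/7.58"',
    'malformed line without an address',
]

def client_ip(line):
    """Return the parsed client address of a log line, or None if the
    first field is not a valid IPv4/IPv6 address."""
    first_field = line.split(" ", 1)[0]
    try:
        return ipaddress.ip_address(first_field)
    except ValueError:
        return None

def export_for(lines, subject_ip):
    """Access request: every log line recorded for subject_ip.
    Parsing both sides means '2001:DB8::1' and '2001:db8::1' compare equal."""
    target = ipaddress.ip_address(subject_ip)
    return [line for line in lines if client_ip(line) == target]

def erase_for(lines, subject_ip):
    """Deletion request: return (remaining_lines, removed_count).
    Lines that cannot be parsed are kept untouched so nothing unrelated is lost."""
    target = ipaddress.ip_address(subject_ip)
    kept = [line for line in lines if client_ip(line) != target]
    return kept, len(lines) - len(kept)

if __name__ == "__main__":
    for line in export_for(SAMPLE_LOG, "203.0.113.7"):
        print(line)
    remaining, removed = erase_for(SAMPLE_LOG, "203.0.113.7")
    print(f"removed {removed} line(s), {len(remaining)} remain")
```

The same two functions would have to be run over every rotated log file and restored backup that still holds the lines, which is the manual effort the post refers to.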
 