- From: Mats Palmgren via GitHub <sysbot+gh@w3.org>
- Date: Mon, 13 Aug 2018 13:07:11 +0000
- To: public-css-archive@w3.org

@yoavweiss I'm not a lawyer either, but I did read through a GDPR overview a while ago (I'm an EU citizen and interested to know my new rights) and my understanding is that the intent of the law is that collecting/storing any personal data is illegal without prior explicit consent. I haven't read the actual law text, but I'd assume that it's written in general terms to be future-proof against changes in technology, and against attempts to circumvent it. So the technical details of how or where the data is collected/stored don't matter. I'm pretty sure UA vendors have had actual lawyers look at GDPR to make sure storing link history in the UA itself is legal.

I don't know what the GDPR says about unintentionally leaking that data to unauthorised parties though, for example through `:visited` as suggested above. A quick web search on the topic suggests that UA vendors are legally responsible for not doing that. [This page](https://www.ontrack.com/blog/2018/04/20/make-your-devices-secure-and-gdpr-compliant-before-a-costly-data-leak-occurs/) claims that "companies have to report a data leak within 72 hours after the leak occurred" and that "the fines are severe and the same as with an unauthorised usage of personal data". If I understand that correctly, UA vendors can be fined "€20 million or 4% of global annual turnover (whichever is greater)" if they leak `:visited` history.

Again, I am not a lawyer, so I don't know for sure.

--
GitHub Notification of comment by MatsPalmgren
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3012#issuecomment-412511316 using your GitHub account

Received on Monday, 13 August 2018 13:07:16 UTC