Ask HN: Why doesn't YC comply with GDPR?

13 points by RIMR 2 days ago

I've noticed that YC sites (main website, Hacker News) don't seem to be GDPR compliant. For example, there are tracking cookies without consent dialogs, and no option to delete accounts on HN.

Given that YC supports startups operating globally, GDPR compliance seems like a basic expectation. Is there a particular reason for the lack of compliance? Could someone from YC clarify their stance on this?

throwawayffffas 2 days ago

I just checked in a private window; there were no tracking cookies. And according to the FAQ, if you want your account deleted you just have to contact HN.

  • RIMR 2 days ago

    The main page contains embedded YouTube videos that autoload and send tracking info to Google, associated with your Google account. That's a tracking cookie.

    • throwawayffffas 2 days ago

      You mean on www.ycombinator.com? I see 3 cookies; one is XSRF. The other two could be for analytics.

      About the YouTube thing. Does anyone here know? If you have an iframe and that iframe sets analytics cookies on its own domain, do you have to have a cookie banner?
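The two comments above turn on the same mechanism: a YouTube iframe that loads with the page makes the browser contact YouTube (and carry whatever cookies that domain already holds) before the visitor has agreed to anything. The following is an added example, not code from Hacker News, YC or any commenter, of the usual mitigation: keep a first-party placeholder until consent is granted, then build the iframe against YouTube's privacy-enhanced host `www.youtube-nocookie.com`, plus a small audit helper that lists which third-party hosts a page's iframes would contact on load. The consent states `"granted"`/`"denied"`/`"unknown"`, the function names and the sample markup are all assumptions constructed for the example.

```javascript
// Added example (not code from Hacker News, YC, or any commenter): consent-gated
// loading of a third-party YouTube embed, plus an audit helper that lists the
// third-party iframe hosts an HTML page would contact on load.
// Assumptions: a consent flag ("granted" / "denied" / "unknown") maintained by the
// site's own banner, and YouTube's privacy-enhanced host www.youtube-nocookie.com.

const PRIVACY_HOST = "https://www.youtube-nocookie.com";

// YouTube video ids are 11 characters from [A-Za-z0-9_-]; reject anything else so an
// untrusted id cannot inject extra path segments or query parameters into the src.
function isValidVideoId(id) {
  return typeof id === "string" && /^[A-Za-z0-9_-]{11}$/.test(id);
}

// Build the iframe src from a validated id; null signals a rejected id.
function buildEmbedSrc(videoId) {
  return isValidVideoId(videoId) ? `${PRIVACY_HOST}/embed/${videoId}` : null;
}

// Decide what to render. Before consent nothing third-party is fetched at all: the
// page shows a first-party placeholder, and the iframe is only created after the
// visitor opts in. The return value describes the element instead of touching the
// DOM, so the decision can be unit-tested outside a browser.
function planEmbed(videoId, consentState) {
  const src = buildEmbedSrc(videoId);
  if (src === null) return { kind: "error", reason: "invalid video id" };
  if (consentState !== "granted") {
    return { kind: "placeholder", text: "Load video (sends a request to YouTube)" };
  }
  return {
    kind: "iframe",
    attrs: {
      src,
      allow: "encrypted-media; picture-in-picture",
      referrerpolicy: "strict-origin-when-cross-origin", // do not leak the full page URL
      loading: "lazy",
    },
  };
}

// Browser glue: render the plan into a container element. Only meaningful with a DOM.
function mountEmbed(container, videoId, consentState, requestConsent) {
  const plan = planEmbed(videoId, consentState);
  container.textContent = "";
  if (plan.kind === "error") {
    container.textContent = "Video unavailable";
  } else if (plan.kind === "placeholder") {
    const button = document.createElement("button");
    button.textContent = plan.text;
    // Re-render once the site's consent flow reports the visitor's choice.
    button.addEventListener("click", () => {
      requestConsent().then((state) => mountEmbed(container, videoId, state, requestConsent));
    });
    container.appendChild(button);
  } else {
    const iframe = document.createElement("iframe");
    for (const [name, value] of Object.entries(plan.attrs)) iframe.setAttribute(name, value);
    container.appendChild(iframe);
  }
}

// Audit helper: which third-party hosts would the iframes in this HTML contact on
// load? Hosts other than the first party are exactly the ones whose cookies a
// consent flow has to account for. A regex is enough here because the input is the
// site's own markup, not arbitrary untrusted HTML.
function findThirdPartyIframeHosts(html, firstPartyHost) {
  const hosts = new Set();
  const re = /<iframe\b[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const host = new URL(m[1], `https://${firstPartyHost}/`).hostname;
      if (host !== firstPartyHost) hosts.add(host);
    } catch (_) {
      // unparsable src: ignore
    }
  }
  return [...hosts].sort();
}

// Constructed sample page (not real YC markup) for the audit helper.
const SAMPLE_HTML = `
<main>
  <iframe src="/widgets/status" title="first-party"></iframe>
  <iframe src="https://www.youtube.com/embed/abcDEF12345" title="video"></iframe>
  <iframe src="https://www.youtube.com/embed/zyxWVU98765" title="video2"></iframe>
</main>`;
```

Running `findThirdPartyIframeHosts` over a site's rendered pages is the quick check for the situation described above: any host it returns is contacted before the visitor has clicked anything. The placeholder-first design removes that request entirely rather than trying to suppress cookies on a domain the site does not control.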

solardev 2 days ago

Does the GDPR apply to non-European companies?

If a YC-funded startup wants to operate in Europe, presumably they'd have to follow those laws. But YC itself? Are they under any obligation?

  • throwawayffffas 2 days ago

    It applies if you have European users. Companies that want to avoid having to comply will typically block European users. They usually respond with HTTP error code 451 Unavailable For Legal Reasons.

    • tzs a day ago

      > It applies if you have European users.

      That's not quite correct. If you aren't in the union, whether it applies or not is covered by Article 3(2). That gives two situations where it applies. It applies if you are handling the data of people in the Union if the processing activities are related to:

      (a) "the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union"

      or

      (b) "the monitoring of their behaviour as far as their behaviour takes place within the Union"

      There's a recital (number 23) that provides more detail for (a). It says "In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union".

      So for example if you ran a forum for fans of your local community theater group in some small US city, and some Europeans found it and joined, that probably wouldn't require you to comply with GDPR unless you were doing behavioral monitoring that fell under 3(2)(b).

    • wruza a day ago

      It applies in the EU, and your site will/may be blocked in the EU if you ignore it. So the EU is free to block a site, which is both its right and responsibility, since it's the EU's idea. Sites self-censoring for the EU is just a friendly compliment, not a world-wide obligation.

      There’s no law (of this level) that could force someone around the globe to do something for someone else. You can only make a public contract like “you do X here or we block you in here and that’s all we can do unless you come here”. It doesn’t work like “all of you over there must do X now”.

      • solardev a day ago

        The EU GDPR website has this to say: https://gdpr.eu/compliance-checklist-us-companies/

        > You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.

        It sounds like a fancy way to say "Yeah, we can't do anything to you NOW, but we're hoping that other countries will listen and help us enforce this via treaty in the future..."

        • bigfatkitten a day ago

          It's a completely empty threat unless you happen to have a presence in a jurisdiction with equivalent offences to those provided by EU privacy legislation.

          Otherwise, you have about as much to fear from Europe as you have from the Chinese for hosting pictures of Winnie the Pooh.

    • segmondy a day ago

      Why should anyone have to build extra logic to block EU users? Let the EU block themselves.

  • Olphs 2 days ago

    It does, if the company has any branch/office/agent or similar in the EU, or if it targets their services/website to EU residents.

    What "targets" means exactly in this case I'm not sure, but given that YC actively markets to EU-based companies too, I would think that GDPR applies to them as well.

    • solardev 2 days ago

      I see, thank you!

      Here's a link with more info: https://gdpr.eu/compliance-checklist-us-companies/

      > Why US companies must comply with the GDPR

      > The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.

      > What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website. (See our article explaining what is considered personal data under the GDPR.)

      > You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.

sergiotapia a day ago

Who cares dude, we aren't in Europe. They cannot visit the site.

admissionsguy a day ago

[flagged]

  • RIMR a day ago

    I have no idea what this response is supposed to mean. Are you accusing me of being a commie because I am calling out a big startup incubator for being non-compliant, or are you complimenting me for pushing the compliance needle forward by calling this out?

    Regardless, the ChatGPT hallucination you posted is complete nonsense, and maybe you should try relying on actual sources rather than asking weird questions of an LLM and acting like they mean anything. Googling the phrase "People like you made the Soviet Union go round" produces zero results, so you are likely the first person ever to use this phrase, which only leads me to believe that you're trying to insult me by calling me a commie.

    To that, I strongly recommend calming down and finding a less stupid cudgel to beat things with.

    • carlosjobim a day ago

      > Are you accusing me of being a commie...

      No, you're being accused of being a busy-body and a tattler. And those people were fundamental for making the Soviet Union go around.