I don’t need email addresses any more than, say, Pinterest. But now it is one more barrier to entry for side projects. It is definitely not easy to be compliant as many here suggest.
You can collect email addresses still, so long as you have a legitimate reason to, you seek consent, you store them securely and remove them if consent is withdrawn. These are things that you should be doing anyway! Even if it's an open source side project.
Sure. But let’s not pretend that it is cheap to do. All I’m saying that if you are cheering govt stepping into the equation then let’s have an honest discussion on who it hurts and who it benefits. Let’s take a stock of the impact to garage innovations. That is all.
OK. Why is forcing people to consider the ethics of gathering data that have hither to proven to be lacking morally and ethically a bad thing?
In terms of "impact to garage innovations", there shouldn't be any if there is nothing nefarious about it. The cost of designing and engineering software ethically is minimal.
>You can collect email addresses still, so long as you have a legitimate reason to, you seek consent, you store them securely and remove them if consent is withdrawn. These are things that you should be doing anyway! Even if it's an open source side project.
Where in your statement do you refute the fact that it is hard to comply with GDPR?
Even if you have a legitimate use case you still need to provide users a way to access all their information and delete all their information.
If you already are using more than one database this is not trivial.
This is my guesstimate but I am confident in saying that GDPR adds $25k worth of work to the cost of starting up a business in the EU assuming an experienced software engineer is worth $150k a year. There will simply be a huge layer of boiler plate code added to every project now that will be necessary whenever you are processing data.
I wonder if it's really necessary to stop using e-mail addresses as usernames / unique identifiers. Presumably you need some sort of unique identifier for each user, and such an identifier can, by definition, be tied to an individual. Would such an identifier not fall under "data required to provide the service"?. And since any such identifier is effectively PII, does it really matter if you use an e-mail address vs. some other user name?
You could also use a hash of the email so that you don't retain and can't reconstruct the original address. Then the recovery process can look for a valid account based on the provided email's hash, and if one is found, a recovery email can be sent to the provided address. Include an expiring, one-time-use token in the recovery link so you can immediately forget the address again.
I don’t need email addresses any more than, say, Pinterest. But now it is one more barrier to entry for side projects. It is definitely not easy to be compliant as many here suggest.