(Apologies in advance for the lengthy epistle)
Background: A colleague is planning to launch a social media and forum website which will appeal to a relatively narrow audience. For the sake of discussion, I've compared it to an online dating website. During a technical review, I noted he intends to block the entire EU due to GDPR regulation, as other major media outlets (presumably following legal advice) have taken the same approach. Personally, I've always detested blanket bans as they inhibit the open and collaborative nature of the Internet. I sought a solution that would allow EU users to knowingly waive their GDPR rights in order to use a site that was not necessarily GDPR compliant. See GDPR & Blocking EU Visitors?
In response to the question, @DavidSiegel pointed out a US State Privacy Legislation Tracker map which depicted five US states that also currently have active GDPR-like data privacy laws. Additionally, there are apparently a handful of other states that are working to introduce similar laws which are expected to possibly be active by 2023.
@DavidMulder noted that other countries like Japan, Canada, Brazil, Israel, Kenya, Argentina [and probably many others] also have their own data privacy legislation.
All this information was helpful, but it ultimately led my colleague to drastically expand his geoblock ranges to encompass these additional states and countries. Ugh!
Changing gears, I myself am also an engineer who has several services and websites I would someday like to share with the world. Consequently, this discussion around GDPR/CCPA has piqued my interest to some degree.
So now that you have an overview of the background... on to the question:
Why is the onus for adhering to privacy directives (e.g. GDPR, CCPA, etc.) on a host and not the user?
If I create a website and make it available to the Internet, anyone in the world can theoretically access it, from EU users to Iranian users to California users. If my server resides in New York City, USA, I would expect that the laws of the USA, New York State, and New York City apply to that server.
I'm not a lawyer by any stretch of the imagination, but many articles I've reviewed seem to suggest that my server (in NYC, USA) would be responsible for adhering to GDPR if someone in the EU connected to it and provided so-called PII. Likewise, if someone in California connected to my server (in NYC, USA) and provided personal info, the server must adhere to California's CCPA law.
The preceding paragraph is the crux of my concern. If my NYC server doesn't actually need to care about who is connecting from where or what data they provide, this entire question I posed is moot/there is no concern.
However, if my server must be concerned about every single piece of privacy legislation in existence (GDPR, CCPA, California Prop 24, Colorado SB 190, Connecticut SB 6, Virginia SB 1392, Utah SB 227, and surely more to come in the US) plus Japan, Canada, Brazil, Israel, Kenya, Argentina and forthcoming privacy legislation from other countries (and/or their states?)...
Well, hopefully you see what I'm getting at. If it's required to support this plethora of ever-increasing and changing legislation, it effectively prevents law-abiding individuals or small businesses from providing interactive websites or services -- we simply don't have the time, legal team, or financial resources that large corporations do. If this is the case, then the Internet's future does not look very bright to me.
Assuming your answer is that GDPR/CCPA/XYZ compliance is required for my NYC server, how does that mandate even bear any weight? The US is a sovereign nation, not part of the EU. Even though California is part of the US, it's not part of New York, so I would expect that only servers operating within California would be required to adhere to CCPA. If/when New York State creates privacy legislation, then my NYC server would be subject to it. And for Iran, only servers in Iran would be expected to follow Iran's mandate. Etc., etc. This is the only approach I can fathom that makes any sense when dealing with multiple disparate legal jurisdictions.
While I suspect (and would hope) there is a significant amount of overlap between the privacy legislation from all these legal jurisdictions, there doesn't have to be. Some jurisdictions may change their legislation more than others, add unique requirements, etc.
I don't want anyone to think that I'm against data protection or privacy; I've always been a strong technical proponent for both.
But we must ensure that individuals and small businesses can still operate in a global connected environment without having to blacklist the world for fear they don't comply with one of the ever fluctuating policies for country XYZ.
Personally I think a site that is claiming GDPR/CCPA/XYZ compliance should clearly disclose it to users when they visit the site and then leave it up to the user to decide whether or not they will use the site. (I always assumed that was the entire point of the barrage of popups that routinely appear when visiting a website?)
Instead of burdening every service with the requirement to support every piece of privacy legislation in existence from wherever its users may visit (again, how is that even legal to enforce in sovereign nations like the US?), it would be much better to do things the usual way of requiring the user to take personal responsibility for the sites that they access.
Reflect back on how things transitioned for web browser connections: In the old days, you visited a web server and it was always an unencrypted HTTP connection. Anyone between your computer and the server could read or change anything you sent or received. Later, SSL and then TLS encryption was added to scramble all data while in transit. Today, when you visit a site, popular browsers display a padlock icon for sites that use a secure connection, and a warning is first displayed if you try to access an older site that isn't set up to use encryption. Moreover, you can verify the site's certificate to ensure it matches the entity that you expect to be communicating with (e.g. your financial institution, business, etc.). The system isn't perfect, but it allows users to be much more confident that their sensitive information (e.g. a credit card number, passwords, government ID numbers, PII/whatever you want to call it) won't be stolen in transit over the Internet, while still allowing older non-encrypted sites to be usable.
Something similar could be set up to support all these different pieces of privacy legislation. If the site doesn't support whatever privacy legislation you desire, then choose not to use the site. (Again, I believe this is what all the popups you see when first visiting a website are trying to do.) Large businesses will quickly adapt to support whatever legislation you want because they don't want to lose sales. Sites that aren't profit driven (or generate very low profits) likely won't care, and they'll just accept that the user doesn't want to use their site and will use an alternative instead.
In summary, I'm really tired of reading about privacy legislation. Attempting to foist privacy legislation on services external to the legal entity that created them is going to destroy individual and small business innovation, lead to more monopolies and ultimately be bad for everyone.
While it is important to protect PII information, all it takes is a single data compromise for it to be exposed. Large corporations routinely experience data breaches. Being GDPR/CCPA/XYZ compliant does not mitigate the problem of protecting PII.
Thanks in advance to all who share what they know about this. Looking forward to reading everyone's feedback.