
LTTStore.com is not GDPR compliant

Hi all,

I saw the cookie banner on LTTStore.com and decided to do some digging. Even without interacting with the banner at all, the site sets a lot of its own cookies (some presumably custom, some from Shopify), but also a lot from Google, Facebook and TikTok.

 

This is clearly in breach of the GDPR (and member state law implementing it, it's kind of a mess...). If LTTStore.com actually needs all those cookies, then it doesn't need the banner at all (per the GDPR, anyway), but clearly all the analytics identifiers aren't required for a web store to work. Consent should also be given "for one or more specific purposes", a blanket "accept" button isn't compliant IMO.

 

And "our site uses cookies to ensure you get the best experience" is weasel-word nonsense. That's sadly not illegal, but disappointing nonetheless. Shopify's own cookie banner on their docs site is much better, so presumably adopting something like it for the store shouldn't be hard.

 

You (LMG) can take the stance of "we won't move a finger for anything less than an import ban" and probably be a successful business. But considering how much of LTT hinges on reputation, I'd like to think you might actually care about this.


12 minutes ago, dvdkon said:

This is clearly in breach of the GDPR (and member state law implementing it, it's kind of a mess...).

The thing is, iirc it only applies to EU sites, since LTT is Canadian they don't have to do it...

I know a bunch of North American sites that don't have the pop up, but they are sites that probably don't even ship to EU places.

Everyone, Creator初音ミク Hatsune Miku Google commercial.

 

 

Cameras: Main: Canon 70D - Secondary: Panasonic GX85 - Spare: Samsung ST68. - Action cams: GoPro Hero+, Akaso EK7000pro

Dead cameras: Nikion s4000, Canon XTi

 

Pc's

Spoiler

Dell optiplex 5050 (main) - i5-6500- 20GB ram -500gb samsung 970 evo  500gb WD blue HDD - dvd r/w

 

HP compaq 8300 prebuilt - Intel i5-3470 - 8GB ram - 500GB HDD - bluray drive

 

old windows 7 gaming desktop - Intel i5 2400 - lenovo CIH61M V:1.0 - 4GB ram - 1TB HDD - dual DVD r/w

 

main laptop acer e5 15 - Intel i3 7th gen - 16GB ram - 1TB HDD - dvd drive                                                                     

 

school laptop lenovo 300e chromebook 2nd gen - Intel celeron - 4GB ram - 32GB SSD 

 

audio mac- 2017 apple macbook air A1466 EMC 3178

Any questions? pm me.

#Muricaparrotgang                                                                                   

 


4 minutes ago, sub68 said:

The thing is, iirc it only applies to EU sites, since LTT is Canadian they don't have to do it...

I know a bunch of North American sites that don't have the pop up, but they are sites that probably don't even ship to EU places.

 

I just did some reading up on this now because I wondered how it would/could impact international businesses, and one of the exceptions I read about mentioned that organizations under 250 people are largely exempt from the data tracking aspect of the GDPR as well. This was just a couple of minutes of googling and reading though. I'm far from an expert.


11 minutes ago, OhYou_ said:

I vote LTT Store block all EU IP ranges instead

🤡

7 minutes ago, sub68 said:

The thing is, iirc it only applies to EU sites, since LTT is Canadian they don't have to do it...

I know a bunch of North American sites that don't have the pop up, but they are sites that probably don't even ship to EU places.

Yeah it's technically an EU thing.

But nah bro most other sites don't even have a popup. Only EU shops mostly do.

I'm jank tinkerer if it works then it works.

Regardless of compatibility 🐧🖖


1 minute ago, sub68 said:

The thing is, iirc it only applies to EU sites, since LTT is Canadian they don't have to do it...

I know a bunch of North American sites that don't have the pop up, but they are sites that probably don't even ship to EU places.

That's not true, de jure GDPR applies worldwide. However, it only applies *in EU law*. International law is even more messy than national law, so ignoring EU regulations and continuing on like nothing happened is likely not to get any small company in trouble (or big company in non-western countries). Many sites just ignore it, especially if they don't actually do business with Europeans.


2 minutes ago, BoomerDutch said:

🤡

you say that until you have to browse the web now and every single site has some giant banner that takes up half the screen and you have to click like 7 times to select "necessary cookies only", not even getting an option to deny all usually. And if that isn't enough, some sites outright don't let you interact at all until you click the stupid popup.
it's every site, it's incredibly frustrating.


4 minutes ago, Holmes108 said:

 

I just did some reading up on this now because I wondered how it would/could impact international businesses, and one of the exceptions I read about mentioned that organizations under 250 people are largely exempt from the data tracking aspect of the GDPR as well. This was just a couple of minutes of googling and reading though. I'm far from an expert.

What you read might have been based on paragraph 5 of article 30 (full text here). That only applies to record-keeping, the rest of the GDPR has no small-operation exemptions IIRC (this means many people just ignore the onerous parts, but that's a systemic problem that lawmakers should solve).


5 minutes ago, OhYou_ said:

you say that until you have to browse the web now and every single site has some giant banner that takes up half the screen and you have to click like 7 times to select "necessary cookies only", not even getting an option to deny all usually. And if that isn't enough, some sites outright don't let you interact at all until you click the stupid popup.
it's every site, it's incredibly frustrating.

Oh those? I've blocked them?

 

And now they aren't allowed to collect data but they do it regardless of popup or not.

 

Even if you deny it, they do it anyways.

 

You know how they are once checkup has passed they will switch back to collecting.

 

Same with terms of service.

You buy device and terms of service is fine until they change it and make it one button to only accept soo...

 

I have television and they did it same so I've unplugged it and never used it again

And moved on because I know I wasted money but I can't get it back regardless.


2 minutes ago, BoomerDutch said:

Oh those? I've blocked them?

 

And now they aren't allowed to collect data but they do it regardless of popup or not.

 

Even if you deny it, they do it anyways.

 

You know how they are once checkup has passed they will switch back to collecting.

yeah, the law is stupid.
implemented very poorly, and invasive to all parties.
They should have instead made the "do not track" currently in most browsers become enforceable by law.
this way you check the box and you're done for every site. some sites may beg you to turn it off, but whatever, it won't be as bad.


2 minutes ago, Holmes108 said:

I read about mentioned that organizations under 250 people are largely exempt from the data tracking aspect of the GDPR

Huh makes sense LTT is around 100 at the moment.

The other sites I am thinking some ship to EU but under the 250 employee mark.

 

But the sites I am thinking of bunch of them are firearms related... (small makers of the gear not the firearms themselves)

Others are medical gear resellers.

They service probably only North America...


7 minutes ago, dvdkon said:

What you read might have been based on paragraph 5 of article 30 (full text here). That only applies to record-keeping, the rest of the GDPR has no small-operation exemptions IIRC (this means many people just ignore the onerous parts, but that's a systemic problem that lawmakers should solve).

 

Yeah, what I read applied to the information saving aspect, i.e. cookies. Which was arguably the stricter portion. The rest of it sounded like LTT would be exempt on the basis that they don't specifically cater to the EU (best I can tell anyways). The stated examples in what I read mentioned things like if they had a German language advert, or giving prices in Euros, etc.

 

I'm not 100% sure LTT doesn't advertise in Europe, but I didn't think they did.


4 minutes ago, Holmes108 said:

 

Yeah, what I read applied to the information saving aspect, i.e. cookies. Which was arguably the stricter portion. The rest of it sounded like LTT would be exempt on the basis that they don't specifically cater to the EU (best I can tell anyways). The stated examples in what I read mentioned things like if they had a German language advert, or giving prices in Euros, etc.

 

I'm not 100% sure LTT doesn't advertise in Europe, but I didn't think they did.

There's a lot of dubious information on the web about the GDPR sadly. I try to just go by the actual text, but especially for international business court rulings are also relevant.

 

I'd say LTTStore.com caters to EU citizens by virtue of shipping to the EU. Seems like a pretty clear bar to me. It gets messy when you have sites that don't actually conduct business with most visitors, like regional news sites with lots of ads and tracking.


6 minutes ago, dvdkon said:

I'd say LTTStore.com caters to EU citizens by virtue of shipping to the EU. Seems like a pretty clear bar to me. It gets messy when you have sites that don't actually conduct business with most visitors, like regional news sites with lots of ads and tracking.

It would be great if admin/mod is willing to share what's being shared or used or tracked.

 

But seeing reputation of linus media group.

I doubt it's gonna raise big issues.

 

And their reach is YouTube and WanShow.

You don't need to advertise at all.


3 minutes ago, BoomerDutch said:

But seeing reputation of linus media group.

I doubt it's gonna raise big issues.

I trust LMG with their first-party custom cookies. But I'm not going to extend that trust to Facebook and TikTok.


10 minutes ago, dvdkon said:

There's a lot of dubious information on the web about the GDPR sadly. I try to just go by the actual text, but especially for international business court rulings are also relevant.

 

I'd say LTTStore.com caters to EU citizens by virtue of shipping to the EU. Seems like a pretty clear bar to me. It gets messy when you have sites that don't actually conduct business with most visitors, like regional news sites with lots of ads and tracking.

 

I'd personally think that's an overreach for trying to control a foreign business. But I certainly couldn't say what bar the organization would use when trying to enforce its rules.

 

If I'm not specifically catering/targeting your country, and I'm a smallish business (let's use the 250 number), it seems reasonable to me that I wouldn't be beholden to your local rules. Just being able to visit my site, and me just being able to send a package to you, just seems to fall under regular living in this internet age. 

 

But ultimately, my opinion doesn't matter. I guess it's up to the GDPR people on what they want to try and do about it, if LTT doesn't follow it to the letter.


4 minutes ago, dvdkon said:

I trust LMG with their first-party custom cookies. But I'm not going to extend that trust to Facebook and TikTok.

That's fair, are you willing to show some proof that's connected to facebook and tiktok?

 

It's possible that share button is related to those two?

 

I've disabled both of those in brave settings.

5 minutes ago, BoomerDutch said:

That's fair, are you willing to show some proof that's connected to facebook and tiktok?

 

It's possible that share button is related to those two?

 

I've disabled both of those in brave settings.

You can try checking yourself (the list is too large to fit in a screenshot): Open lttstore.com in an anonymous window, open the developer console, look for the cookie list (in Chrome it's under Application->Cookies (in sidebar), Firefox has a Storage tab). Or just take a look at the screenshot.

 

The cookies coming with share buttons is a good guess, but it seems like they actually do include some analytics automatically (see screenshot).

lttstore_cookies.png

lttstore_tracking.png
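
A scripted version of the manual check described in the post above (an added example, not part of the original thread): it takes cookie rows copied from the DevTools cookie table in a fresh private window, before the banner is touched, and separates known analytics/marketing identifiers from the rest. The `shop.example` rows are constructed sample data, not the actual lttstore.com cookie list; the function names and the `{name, domain}` input shape are assumptions.

```javascript
// Added example. Input shape ({name, domain}) is an assumption modelled on the
// DevTools cookie table; export rows BEFORE interacting with the consent banner.

// Well-known default cookie names set by common analytics/marketing tags.
const TRACKER_PATTERNS = [
  { vendor: "Google Analytics", re: /^(_ga(_.+)?|_gid|_gat(_.+)?)$/ },
  { vendor: "Google Ads", re: /^_gcl_(au|aw|dc)$/ },
  { vendor: "Facebook Pixel", re: /^(_fbp|_fbc)$/ },
  { vendor: "TikTok Pixel", re: /^(_ttp|_tt_enable_cookie)$/ },
];

// True when the cookie's Domain attribute is the site's domain or a subdomain.
// The "." boundary matters: "notshop.example" is not under "shop.example".
function isFirstParty(cookieDomain, siteDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const s = siteDomain.toLowerCase();
  return d === s || d.endsWith("." + s);
}

// Classify each cookie. Tag scripts usually write their identifiers onto the
// site's own domain, so a domain check alone would miss them: match by name
// first, then fall back to the domain.
function auditPreConsentCookies(siteDomain, cookies) {
  return cookies.map(({ name, domain }) => {
    const firstParty = isFirstParty(domain, siteDomain);
    const hit = TRACKER_PATTERNS.find((p) => p.re.test(name));
    const category = hit ? "tracking" : firstParty ? "unclassified" : "third-party";
    return { name, domain, firstParty, vendor: hit ? hit.vendor : null, category };
  });
}

// Tally findings so the result can be compared between runs.
function countByCategory(findings) {
  const counts = { tracking: 0, "third-party": 0, unclassified: 0 };
  for (const f of findings) counts[f.category] += 1;
  return counts;
}

// Constructed sample rows for a hypothetical store at shop.example.
const SAMPLE = [
  { name: "cart", domain: "shop.example" },
  { name: "_ga", domain: ".shop.example" },
  { name: "_ga_ABC123", domain: ".shop.example" },
  { name: "_fbp", domain: ".shop.example" },
  { name: "_ttp", domain: ".shop.example" },
  { name: "_ttp", domain: ".tiktok.com" },
  { name: "session", domain: "notshop.example" },
];

const findings = auditPreConsentCookies("shop.example", SAMPLE);
for (const f of findings) {
  console.log(`${f.category.padEnd(12)} ${f.name.padEnd(12)} ${f.domain} ${f.vendor ?? ""}`);
}
console.log(countByCategory(findings));
```

Rows reported as `unclassified` or `third-party` still need a manual look; the name list only covers the default cookies of the vendors named in the thread.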

Share on other sites

37 minutes ago, sub68 said:

The thing is, iirc it only applies to EU sites, since LTT is Canadian they don't have to do it...

I know a bunch of North American sites that don't have the pop up, but they are sites that probably don't even ship to EU places.

GDPR makes up basis for most of the world's data security related laws. It is usually beneficial for companies to provide GDPR compliance especially if they want to be EU compliant. AFAIK only California has tougher laws compared to GDPR.

 

For example, my local data protection regulations are pretty much covered by GDPR. We aim to be GDPR compliant and in turn be locally compliant.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


8 minutes ago, Holmes108 said:

If I'm not specifically catering/targeting your country, and I'm a smallish business (let's use the 250 number), it seems reasonable to me that I wouldn't be beholden to your local rules. Just being able to visit my site, and me just being able to send a package to you, just seems to fall under regular living in this internet age. 

Yeah, I agree. There should be more exemptions for small businesses. And the international part isn't very well done, it's IIRC actually impossible to achieve compliance for companies operating from some countries. I get the sentiment, if we allow foreign companies to ignore the GDPR we only hamper our own EU-local options. But I also want laws that can be complied with just by following the spirit of the law.

 

Ultimately, what I care about is the tracking, and "not GDPR compliant" seems like good phrasing to get the point across.


3 minutes ago, dvdkon said:

Yeah, I agree. There should be more exemptions for small businesses. And the international part isn't very well done, it's IIRC actually impossible to achieve compliance for companies operating from some countries. I get the sentiment, if we allow foreign companies to ignore the GDPR we only hamper our own EU-local options. But I also want laws that can be complied with just by following the spirit of the law.

 

Ultimately, what I care about is the tracking, and "not GDPR compliant" seems like good phrasing to get the point across.

 

 

Yeah, the idea of it is certainly sound, and the EU in general has been trying hard to do some good things for consumers, but actually implementing and enforcing such things can be incredibly hard. 


7 minutes ago, dvdkon said:

You can try checking yourself (the list is too large to fit in a screenshot): Open lttstore.com in an anonymous window, open the developer console, look for the cookie list (in Chrome it's under Application->Cookies (in sidebar), Firefox has a Storage tab). Or just take a look at the screenshot.

 

The cookies coming with share buttons is a good guess, but it seems like they actually do include some analytics automatically (see screenshot).

lttstore_cookies.png

lttstore_tracking.png

Thank you for providing this.

 

@colonel_mortis are you willing to elaborate on this?

 


4 minutes ago, Levent said:

AFAIK only California has tougher laws compared to GDPR.

Yes Cali is really strong. However it's only that state and I think most states won't follow suit but I don't want to get into the weeds.

6 minutes ago, Levent said:

It is usually beneficial for companies to provide GDPR compliance especially if they want to be EU compliant.

I am not denying that, just thinking if you're doing the bare minimum from the country of origin, I think it's lazy and lack of resources...

But it's LTT so who knows what they are cooking up there.

A lot of the sites I use sometimes to buy things are US only shipping due to ITAR or they don't want to ship internationally.


51 minutes ago, OhYou_ said:

you say that until you have to browse the web now and every single site has some giant banner that takes up half the screen and you have to click like 7 times to select "necessary cookies only", not even getting an option to deny all usually. And if that isn't enough, some sites outright don't let you interact at all until you click the stupid popup.
it's every site, it's incredibly frustrating.

I remember an extension that auto-denies them for you.

https://super-agent.com/


3 minutes ago, sub68 said:

I remember an extension that auto-denies them for you.

https://super-agent.com/

Yeah another extension great..
