Nik | Klampfradler ๐ŸŽธ๐ŸšฒMay 8

This evening has had a sad surprise for me.

Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:

https://lists.opensuse.org/archives/list/[email protected]/message/6PU6JU2IGKDANYNN3KIXDR2UQSVP6JI2/

(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)

Show threadBilly O'NealMay 9
@nik Iโ€™m guessing they donโ€™t want the liability of COPA and similar Acts. ๐Ÿ˜Ÿ
Show threadFuchsiii~~~May 9
@malwareminigun @nik Typical article 8 German GDPR problem. You need explicit parental permission to handle (note the โ€œhandleโ€, not just โ€œsaveโ€) PII of ppl under 16 (and the IP address hitting Apache/NGINX counts as a PII, therefore every website is technically 16+ until someone wants to fight this in court).
Show threadTill KleisliMay 10
@fuchsiii if this was true, I'm sure there would be a truck load of lawyers trying to make some money out of it. Maybe there are, but I never heard of it. @malwareminigun @nik
Show threadNik | Klampfradler ๐ŸŽธ๐ŸšฒMay 10

@kleisli @malwareminigun

The explanation is a bit too complex for a Mastodon thread.

Generally, I prefer the person who first put up a claim to prove it. It's also easier to prove something exists than the contrary.

So, @fuchsiii claims there were a law restricting the handling of information from people under 16 years. Show me the law.

Everything else will fall into place from there I think, we can clarify the misconception then.

Show threadFuchsiii~~~May 10
@nik 13-16: parental approval required. If we are lenient and say processing an IP address is not sufficient to be PII, the storing of the mail address on account creation sure is. There is an exception for services primarily target children (which has higher policing requirements anyway). I would rly love to be proven otherwise, yes this is very problematic, but its what I read here. @kleisli @malwareminigun
Show threadNik | Klampfradler ๐ŸŽธ๐ŸšฒMay 10

@fuchsiii @kleisli @malwareminigun

The headline solves your misconception: It is explicitly about **consent** given by a minor.

Consent by the subject is one of six rules allowing data processing. The others include technical or legal requirement. GDPR allows a lot of things without explicit consent, and AFAIAC, I never was in a situation where any consent was even necessary at all.

You cannot collect consent for targeted ad campaigns from minors. But you can certainly handle IP addresses.

Show threadFuchsiii~~~
@nik In that case I'm out of ideas about what the reason could be, their Matomo tracker is according to the Terms of Site configured to anonymize. Maybe Czech law plays a role, as most openSUSE servers seems to be hosted in Prague https://en.opensuse.org/DigitalSovereignty/EU @kleisli @malwareminigun
May 10 at 12:29pmWeb
Show threadNik | Klampfradler ๐ŸŽธ๐ŸšฒMay 10

@fuchsiii @kleisli @malwareminigun I think the answer is simply that they didn't care enough to take on the extra work of learning how legal things involving minors work.

Also note that this restriction is in the **terms of use**, not the privacy policy.