Sure, but that's in connection with SARs and such (which have legal obligations are around secrecy). What I mean are the "generic" credit card payments where payment processors & banks process the personal data for things like fraud detection. That's perfectly fine legitimate interest, but that doesn't absolve them from article 14 requirements as fraud prevention doesn't have such requirements around secrecy around the fact that it even exists. They can restrict some detailed information e.g. regarding algorithm itself by relying on trade secrets, but that is different from their obligation to inform data subject that they received the information.

It's important to note that this is what European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that EC is not bound by ePrivacy Directive as directives bound member states and require them to include them on their national law. They do still try to be consistent with how the directive is applied in the member states though but since it can be varied they have more leeway compared to most other controllers.

The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by CJEU. And ePD does not have single-stop shop so you need to follow every DPAs directions if you are offering services to that DPA's country.

If you mean what they are planning to change (as part of the omnibus) there is report by NOYB https://noyb.eu/sites/default/files/2025-12/noyb%20Digital%2...

If you mean how CCPA/CPRA differs from GDPR there are lots of things. For example you are not entitled to know actual recipients of your data, only the categories. So you cannot really know who actually received your data which then prevents you from exercising your rights against those controllers (or covered entities in CPRA language). GDPR also requires companies to usually notify you if they receive your data as controller (though there are some exceptions), in reality that's not really happening though (e.g. how many payments processors or acquiring banks have notified you about your credit card payments?).

CPRA also allows selling your personal data if you do not opt-out, in GDPR that would generally require consent (except in certain situations where you can use legitimate interest as the basis). GDPR also regulates cross-border transfers a lot more closely as the idea is that the protections & rights travel with the data.

> Finland (where gyrovague is from)

They should probably review existing case around how Finnish courts treat the journalistic exception in the context of citizen's journalism (as he relied on that at least as one of the reasons): https://tuomioistuimet.fi/hovioikeudet/ita-suomenhovioikeus/...

Of course facts are different, but at least two Finnish court seem to require a lot more reasoning from the controller in the context of citizen journalism compared to traditional media when they want to invoke the journalistic exception. No clue which side this would fall into.

Not quite true. In Finland YEL (yrittäjän eläkevakuutus, pension insurance for entrepreneurs) is required and it's based on estimated value of the entrepreneur's work input. Even if you pay yourself 0 euros your YEL income is likely higher. The models that insurance companies use take revenue in account.

There seems to be grey deny button at top-right on first view but it disappears if you select the details. You need hide the details first if you want to click it.