this post was submitted on 16 Dec 2024
7 points (62.1% liked)
Privacy
32442 readers
635 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Can you be more specific about what in their TOS violates GDPR? They say they've had a policy written to align with GDPR since 2018. And simply being cloud-based is not a non-compliance.
Kinda shitty to force use of their software, but not a GDPR non-compliance.
Under GDPR, consent must be freely given GDPR Article 7 Conditions for consent. Cricut’s requirement to use cloud-connected software to operate a purchased machine restricts users' freedom of choice, which is problematic because:
Consent Cannot Be Conditional: Users are forced to accept cloud processing to use the machine for its primary purpose.
No Real Offline Alternative: Without an opt-out option, Cricut risks violating GDPR's standard for valid consent.
This also challenges GDPR Article 6 Lawfulness of Processing, which requires an appropriate legal basis for data processing.
Other references: Cricut Terms of Use (June 7, 2024), Cricut Privacy Policy (March 31, 2022)
Are we assuming personal data includes anything uploaded to the cloud? Like the .svg files? Because that is likely not personal data, at least it's not all personal data by default.
Source: https://commission.europa.eu/law/law-topic/data-protection/data-protection-explained_en
So I would think what details are associated with one's account, and what sort of encryption and control of the .SVG files plays a part.
As for what you can do if you think your rights under GDPR haven't been respected, you can boycott them or file a complaint or file a legal action.
IMO, unless you could show your data specifically was mismanaged and exposed to someone who should not have had it, I would be skeptical of the success of any lawsuit. Obligatory, not a lawyer.
Thank you for your valuable insights! I agree that complaints, legal claims and boycotts are valid approaches to push for accountability.
Online accounts are not part of the primary purpose of acquiring the device. When purchasing a vinyl cutter or printer, users do not initially agree to a software license which is enforced later on with changing terms over time. Additionally, SVG files created with Cricut are expected to contain private information about third parties, such as addresses and messages, since the tool is designed for creating personalized items like cards and invitations. This raises serious data privacy concerns, as those individuals have not consented to their data being processed by Cricut, violating GDPR principles related to consent and purpose limitation.
Also if its for business, anyone signing up agrees with a data-processing-agreement (which I dont known if thats the case here) but normally they promise not to use PII for other services then the one provided.
It would take analysis of that DPA if thats the case or not.