Cricut’s Design Space enforces automatic cloud syncing of user files, even those stored "locally." This raises serious GDPR concerns, especially when files contain personal data like client details, addresses, or sensitive info, undermining user control and privacy.
What steps can we take to push Cricut toward GDPR compliance and respectful data handling? Would regulatory complaints or organized campaigns for local-only storage options make a difference?
Can you be more specific about what in their TOS violates GDPR? They say they've had a policy written to align with GDPR since 2018. And simply being cloud-based is not a non-compliance.
Kinda shitty to force use of their software, but not a GDPR non-compliance.
Under GDPR, consent must be freely given GDPR Article 7 Conditions for consent. Cricut’s requirement to use cloud-connected software to operate a purchased machine restricts users' freedom of choice, which is problematic because:
Consent Cannot Be Conditional: Users are forced to accept cloud processing to use the machine for its primary purpose.
No Real Offline Alternative: Without an opt-out option, Cricut risks violating GDPR's standard for valid consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Are we assuming personal data includes anything uploaded to the cloud? Like the .svg files? Because that is likely not personal data, at least it's not all personal data by default.
Personal data is any information that relates to an identified or identifiable living individual (data subject). Different pieces of information, which together can lead to the identification of a particular person, may also be considered personal data.
So I would think what details are associated with one's account, and what sort of encryption and control of the .SVG files plays a part.
As for what you can do if you think your rights under GDPR haven't been respected, you can boycott them or file a complaint or file a legal action.
IMO, unless you could show your data specifically was mismanaged and exposed to someone who should not have had it, I would be skeptical of the success of any lawsuit. Obligatory, not a lawyer.
Also if its for business, anyone signing up agrees with a data-processing-agreement (which I dont known if thats the case here) but normally they promise not to use PII for other services then the one provided.
It would take analysis of that DPA if thats the case or not.
Apologies, I should have provided more context! Cricut is a company that sells vinyl cutter machines with printing features often used to create stylish cards, envelopes, and crafts. For example, you could receive a physical card or letter created with Cricut that contains your personal information (like addresses or messages) even if you don’t use their services. This raises concerns because files with such private data are automatically uploaded to Cricut’s cloud without user control, which. I think. infringe GDPR.
You don't need to apologize: that user could have clicked your link to the cricut site and easily figured it out. They are being willfully ignorant and intentionally vauge.