These regulations seem worse than nothing. We already have browsers, we can block and filter cookies based on our individual preference and adjust depending on our tolerance for privacy vs functionality. How has this changed the data collection practices of Facebook or Google in any meaningful way? Not enough people are asking what effect the many new regulatory burdens will have for the internet. It entrenches the existing players (know who has the money to hire 20 compliance officers for every Tuscan villa?) and makes the barrier to entry to compete more difficult. Plenty of proto-Facebooks have fallen by the wayside. Remember AOL? Remember Myspace? Now the big players have a hand in writing the law that potential competitors will have to comply with.
Why is this downvoted? This is exactly what happened. Speaking with non-tech-savvy users here in Germany, they feel safe and secure on Facebook and fear the „world wide west“ that the open Web has become, where you need to click 20 consent messages on every website without knowing what all that stuff means. This is just like EULAs - one more annoying thing they simply accept with a slightly bad gut feeling.
I for one welcome it. If a website has this popup, and it doesn't default to disabled tracking, and there is "legitimate interest" bullshit that cannot be turned off, I close down the website. I even uninstall apps (chess.com, here's looking at you).
Just because websites purposefully give a terrible UX in an effort to circumvent the law does not mean the law is wrong. It's the implementation.
I have a sneaking suspicion that if you leave the site without doing its maze of opt-outs, then they go "oh great, user didn't opt out!" and you didn't even get to read what you were looking for.
One thing I don’t understand is why in the good Lord's name do I have to consent to being tracked every day when I have already agreed to the goddamn cookie jar? Often several times per day as well!
> This is just like EULAs - one more annoying thing they simply accept with a slightly bad gut feeling.
The point of GDPR is that they shouldn't have any bad gut feeling about accepting these terms - because anything even slightly shady, in any way beyond the most basic necessities for performing the service, must be opt-in by default, set to "no consent".
Alas, national data protection agencies are way too reluctant to chase the offenders and issue fines, so a big chunk of the sites on the Internet are breaking the law with impunity.
Why is it downvoted? Because it’s implying that selling your information to advertising companies is a good thing, because it increases competition, and regulations making that harder are bad.
The problem is that you could frame almost anything like that.
Take an extreme example:
Let’s imagine gold traders were allowed to go around taking people’s jewellery at gunpoint. Gold would be cheaper to buy. Traders make more profit. More jobs! Surely this is a win all round?
Of course not, for obvious reasons.
Competition is not an excuse for damaging your rights.
And your example of clicking through 20 scary messages is because the websites, as is pointed out in the article, are not complying with GDPR.
Make it so every page that contains a tracking element MUST permanently display a large-ish (say, 1% of the screen for each) seal/label indicating that it is tracking you (like ESRB labels). That way, websites will be pushed to remove the tracking elements so that they can remove the offending banners.
In the end this option still hampers genuine users of those websites. That is the point and instead of people taking issue with the website tracking them, they'll complain about the banners instead.
Just look at this entire comment section... No guys, the problem is not that the law is bad, it's that the state of the internet is absolutely fucking terrible. "Why do I have to click so many consent things?" - because everyone is tracking everything about you, this is the point!
The law was aimed at the big guys and they are in my opinion still not compliant, but I have not heard of them being fined, some small guys on the other hand...
This law feels more like it was a bribe-fishing and checkbox exercise rather than a genuine attempt at solving the issue.
Google was fined 50 million euros in 2019 because Android didn't provide enough transparency or informed consent for advertising-related tracking[1].
For a company the size of Google, it's a slap on the wrist (especially when compared to the 5 billion euro fine from 2018 over antitrust violations) but they have been going after the big players. In fact most stories I've heard related to GDPR actions have exclusively been about big players getting fined.
I feel like this is a point the HN crowd likes to ignore when it calls for governments to regulate certain aspects of tech. Do regulations like this really protect consumers, or just make their experience worse?
That point has been beaten to death here in the case of GDPR, though. The problem isn't with regulation, but enforcement. The fines aren't applied anywhere near enough, so almost no site cares.
The consumer experience being worse is, in a large way, purposeful UX degradation done by the sites themselves. The typical consent popup tries to simultaneously walk the line between "illegal under GDPR" and "just scummy" (often crossing to the illegal side; see the problem of low enforcement), and shift the blame for bad UX on those pesky, no good regulators.
Did I have to deal with these popups before GDPR? No.
Was I blocked from accessing many US sites before GDPR? No.
If the EU cancels GDPR would everything go back to normal? Probably.
As an unhappy consumer, that's all I need to know. The cause and effect is pretty obvious here.
Sure, some people may be happy (I hope?!) with whatever privacy benefits GDPR is supposed to bring about.
But blaming websites for responding to EU regulation one way or another doesn't make me, who doesn't care about these supposed benefits, feel any better. If GDPR people feel like this is a cost worth paying then so be it. I certainly don't believe more enforcement will somehow make companies come up with fewer legal derisking strategies.
That's a bit like complaining about street lights, because thieves now have to accost you, where previously they'd just punch you in the dark and steal your money without you knowing what happened, or who did it.
GDPR forced bad actors on the Internet to document their bad behavior openly. If this made your overall Internet experience worse, it should reveal to you the magnitude of the problem of surveillance capitalism.
> We already have browsers, we can block and filter cookies based on our individual preference and adjust depending on our tolerance for privacy vs functionality.
Blocking cookies on the browser side is a cat-and-mouse game where the cat is a multi-billion-dollar corporation and the mouse is a handful of volunteers.
You're also vastly oversimplifying the tracking issue to just “cookies”. The big advertising networks will use any method imaginable to track you. In the US (sans e.g. CA) they do not even have to tell you that they're tracking you, let alone tell you what they're doing with the information or let you opt out.
The GDPR gives you rights that work against all kinds of tracking.
> How has this changed the data collection practices of Facebook or Google in any meaningful way?
They have to tell us what they are and obtain our consent before doing them. They also have to tell regulators before doing novel and particularly intrusive things.
> Not enough people are asking what effect the many new regulatory burdens will have […]
The burden of putting the least effort to respect people's privacy is a good one. If you actually aren't trying to spy on people the burden imposed by GDPR is much less, perhaps giving good actors a competitive advantage. You don't even need consent most of the time.
If nothing else, it definitely raised awareness. The thing with cookies and tracking is that it's invisible. Especially for the average Joe users. But even I was surprised when, thanks partly to these dark patterns and not letting me opt out with a single click, I saw how many trackers some sites actually use.
Now as users got pissed off, solutions started to emerge. Yes, the EU does not seem to enforce it too much, though I'm curious how many reports they get. Anyway, Mozilla just announced that they started compartmentalizing most cookies, so tracking will stop working for a lot of sites/services.
The regulation is not about cookies. It is about tracking.
You do not need a consent popup if you are using cookies for core functionality instead of tracking, and you do need a consent popup if you are tracking without using cookies.
The GDPR covers more than cookies though. The GDPR regulates data collection and processing regardless of which technical means are used to do so. Disabling cookies in-browser doesn't change anything when it comes to tracking IP addresses or browser fingerprinting.
Even if cookies were the only method for tracking, that would not be true. You cannot reliably distinguish tracking cookies from those necessary for functionality – there is no evil bit set.
1: It makes leaks a liability issue and one that gets additionally costly if the company tries to hide it.
2: All data collection by the big players is sitting behind a single legal argument that informed consent can be gained by a pop-up window or by passively clicking a link, both of which the GDPR writers said was not informed consent. That big players explicitly ignore part of the regulation and get away with it is a problem that not enough people are questioning. The discussion has moved away from the law makers and into the enforcement.
The GDPR added a data export feature to many websites. I have used it so much. I think the pressure is being felt by companies. Otherwise walled off platforms like apple are starting to open up.
I work in European adtech and the GDPR regulations have meant that a loooot of players had to scramble to remove all the information that was stored in datalakes that could be used to identify you.
So, from a privacy point of view, it's improved the situation. If some DMP has their S3 bucket hacked, then there's less of your personal information being leaked.
These big companies are not compliant. For example Instagram: if you make a GDPR complaint they will reply with a couple of canned responses and when you keep pointing out they have not read your complaint they will simply stop responding. What could you do next without having your account deleted in retaliation?
Guy in IT sec recently: some companies reduced their yearly pentesting budget and spent the money on a GDPR paper trail instead. Compliance on paper more important than actual IT security.
This shows that they consider a GDPR fine possible, thus making it a more worthwhile risk. The risk of penalties from cyber attack unpreparedness is essentially zero.
Interesting that this site itself may use one of the described dark patterns. The banner on the main page has options "Got it" and "Learn more". There is no indication as to whether the "Got it" button is taken as consent for tracking, nor is there a "Reject all non-essential tracking" option on the main banner.
Whether or not this site is compliant depends on whether the "Got it" button is taken as affirmative consent for non-essential tracking or not.
The site itself completely stops working if cookies are disabled, it just forwards me to a "cookie absent" error page.
Their privacy policy says:
> Other than in the restricted-access portions of the Web Site that require an ACM Web Account, ACM does not log the identity of visitors. However, we may keep access logs, for example containing a visitor's IP address and search queries. We may analyze log files periodically to help maintain and improve our Web Site and enforce our online service policies. ACM only uses analytical cookies and does not use any user-specific targeting cookies.
> A cookie is a small file of letters and numbers that is placed on your device. Cookies are only set by ACM when you visit restricted portions of our Web Site and help us to provide you with an enhanced user experience. Raw log files are treated as confidential.
So... not sure why a public portion of their website straight-up won't load without them. They're clearly not only checking/setting cookies on certain pages, otherwise they wouldn't know that my cookies were disabled.
It took some digging, but if you go to https://www.acm.org/privacy-policy, the "this website uses cookies" banner at the bottom includes a selector to choose which ones are used, and "necessary" is auto-selected. Expanding the "Show details" panel along the selector shows which cookies are considered necessary, and it looks like it's part of their Cloudflare attack protection system (__cfduid), their load balancing schema (AWSALBCORS), the cookie storing the status of your cookie consent (hah, ironic) (CookieConsent). But then there are some that I wouldn't personally consider necessary, such as two Bloomberg-vended cookies that appear to mirror the consent information to Bloomberg's servers, a Swiftype tracking pixel, a YouTube cookie to estimate the user's bandwidth for optimizing video loading, and some suspiciously-opaque BACKEND and sessionState cookies.
In general, it's unfortunate their page doesn't degrade gracefully if cookies are disabled (though that's not always possible; for example, you can't assume that traffic Cloudflare can't analyze for trust is trusted... but those BACKEND and sessionState cookies being mandatory feels lazy).
One of the areas on the cookie consent that confuses me is if a cookie is required for the website to function it doesn't need consent. Since the only cookie my website uses is a session cookie, I don't use a cookie banner. My site won't work without it due to the security login area. If you're in a public area and your browser doesn't accept cookies you can still do public things such as reading things and sign up but not login and use the actual system. I am still not sure if I am compliant or not.
There is some server side tracking, basically the source and campaign if they convert. And some A/B testing tracking. But the thing is, I can't have two separate session cookies with the framework I'm using. And it's not exactly possible to delay a session cookie creation with the framework I am using if it's in an area covered by the security firewall rules.
To be legal you need to get the user's consent, upfront, for that tracking. Technical challenges are not a defence.
GDPR is not the only regulation at play here. The PECR also applies. You need consent for the session cookie in the public areas of your site. It doesn't become essential until the user logs in, registers, adds an item to the cart, etc.
Honestly, considering the state of play at the moment the law is pretty much unenforceable. They literally can't fine everyone who is breaching it, they don't have the manpower.
And considering the ICO, the UK org that enforces these laws and where you have to go to find out the UK laws on it, literally just tells you that they use cookies to make their website work and doesn't ask for consent, makes me think this is so much more complicated than any of us truly understand.
If they're setting cookies without consent with a user tracking id, I am going to guess that my session cookie falls under the same thing theirs does.
> To be legal you need to get the user's consent, upfront, for that tracking.
No, that's just one basis for processing data. Another basis for server-side tracking like this could be legitimate interest. The site will need to provide evidence that they've weighed up the user's interest in this and be able to demonstrate a convincing case in favour of the site.
For example, it could be a legitimate interest to track A/B testing in order to increase shopping cart checkout rates - the legitimate interest is arguably that the site wants to increase its revenues and if it can demonstrate a convincing case for this, it will be allowed by the regulator.
Storing a cookie which is not strictly necessary to provide the service requires explicit consent. This is a PECR requirement, not a GDPR one. Tracking the source and campaign of a user between pages is not required to deliver the page.
So you may rely on legitimate interest to process the data, but you need the consent to store the session cookie to collect the data in the first place.
If you have A/B testing in place it is strictly necessary to have a session cookie. Otherwise a user could end up in a case where they were in the A group on their first request but their second has them in the B group, but the page they visited isn't enabled or displays different content than what they expected to see.
If you have special offers based on the URL they came from then it is strictly necessary to be able to remember where they came from so they get the special offer and don't fall victim to false advertising.
Strictly necessary means if the website will break in any way without it.
Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.
You could a/b test based on even or odd numbered IP address and not require consent to store a cookie. You can pass the referrer around via query string and not require consent to store a cookie.
However, as you said, there is no enforcement of the regulation so the risk of non-compliance is basically zero :)
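The cookieless alternatives named above (bucketing by even/odd IP address, carrying the referrer in the query string) as an added illustration, not code from any commenter; the function names and the price table are constructed for the example:

```python
"""Cookieless A/B bucketing and campaign carry-over.

Constructed example. The variant is derived from the parity of the client's
IP address (even -> "A", odd -> "B"), so a second request from the same
address lands in the same bucket without anything being stored on the
client. The source/campaign travels in the query string instead of a cookie.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample price table: one product, two test variants.
PRICES_EUR = {"A": 10, "B": 20}


def variant_for_ip(client_ip: str) -> str:
    """Bucket by even/odd IP address; handles both IPv4 and IPv6.

    Known limitation: a NAT gateway or proxy shares one address across many
    users, so they all land in the same bucket. Note also that the address is
    still personal data under the GDPR even though no cookie is stored.
    """
    addr = ipaddress.ip_address(client_ip)
    return "A" if int(addr) % 2 == 0 else "B"


def price_for(client_ip: str) -> int:
    """Price shown to this client; stable across requests from the same IP."""
    return PRICES_EUR[variant_for_ip(client_ip)]


def carry_campaign(next_url: str, source: str, campaign: str) -> str:
    """Append source/campaign to a link rather than remembering them in a cookie.

    Existing query parameters are preserved; the two carried keys are
    overwritten so a link cannot accumulate stale values.
    """
    parts = urlsplit(next_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["source"] = source
    query["campaign"] = campaign
    return urlunsplit(parts._replace(query=urlencode(query)))


def campaign_from_url(url: str) -> Optional[Tuple[str, str]]:
    """Read the carried values back on the next request, or None if absent."""
    query = dict(parse_qsl(urlsplit(url).query))
    if "source" in query and "campaign" in query:
        return query["source"], query["campaign"]
    return None
```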
>Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.
No, if a user clicks a button to see the prices at 10 euros but sees the prices at 20 euros then that is an issue. That is a rather serious issue; if I show you a price and then it changes when it goes to the payment processor on the second request, that is illegal.
There are many ways of doing things but considering the ICO's list of strictly necessary this falls into it.
Also, I use the session id in my logs so I can debug issues such as the user saw x on page then did y so z happened. This falls under it as well due to it being required for the operation of the website.
The fact there are other ways of doing things doesn't remove the fact for my way the cookie is strictly necessary. The system will fail. And yes, the tech stack and the way I built it does affect this. Look at the laws and you'll see a number of times where they say something along the lines of "if feasible". The recommendation from ICO is that you don't need to ask for permission for everything and they kinda make a point of saying that as it's annoying as hell for everyone.
> No if a user clicks a button to see the prices at 10 euros but see the prices at 20 euros then that is an issue.
I agree with you, that is a serious issue. But that issue is caused by your use of a/b testing, and if you solve that issue with a cookie then you need consent.
The ICO PECR guidance explicitly states that you can not rely on the strictly necessary exemption for analytics cookies.
A/B testing is not analytics. Analytics is how many people are using the site, not market testing. And it says you can't use it for solely analytics, solely being a keyword. The analytics from market research which results in a legal requirement of having to charge the price advertised is not the same as Web Site analytics of how a user used the site. Just which version of the site they used and what legal requirements/contracts are in place.
On this point GDPR is pretty simple. In general security does not require consent, nor do cookies that are used for functional aspects of the sites.
A simple guideline is to imagine if someone breaks into your server and steals data. If that data can come to harm real people somewhere then you likely have something which you needed to have gained consent in order to handle. On top of that there is an additional exception for data only used for security purposes.
Second paragraph is false, first one is partially true.
There are many legitimate reasons for storing and processing data, and you should not ask for consent needlessly - among other reasons, because consent can be withdrawn, at any time, and you are obliged to comply, stop processing and remove data - unless you have other legitimate reasons, in which case the whole exercise seems pointless.
Whether the data can be used to harm real people has significant correlation with whether it is covered by GDPR, but does not relate to consent. It can also be of relevance on what security precautions are required and when weighing right to privacy vs. needs to process specific data.
As a typical example, you do not need (and shouldn't ask for) consent for data and purposes that are reasonably necessary for the services customers ask for. You are not allowed to share / use for unrelated purposes other than allowed by other stipulations. Also, information on data collection / processing should be reasonably, easily accessible.
This is completely wrong. I don't want to pick your comment apart, but I suggest actually reading the GDPR. It is available in every European language.
I suggest you read the Recitals 47 to 49 of the GDPR, especially 49. It is linked here https://gdpr-info.eu/recitals/no-49/ but it is short enough to fit in an HN comment. It is called Network and Information Security as Overriding Legitimate Interest, a name which has the word overriding in it. Pretty clear language.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
GDPR is compatible with information security and does not interfere with it. The section is technology neutral in that you can use cookies, logs, firewalls, blacklists, oracles or any other methods that include data processing, and as long as the purpose is strictly necessary and proportionate to ensure network and information security then that is acceptable according to Recital 49.
> A simple guideline is to imagine if someone breaks into your server and steal data. If that data can come to harm real people somewhere then you likely have something which you needed to have gained consent in order to handle.
The website admins and developers are not those who decide what data is covered, based on any idea we might have as to what may be likely to cause harm. Rather, the GDPR defines personal data and the rules for handling it differ between controllers and processors. I should have typed up a more thorough answer.
In any case, there are always more and more nuances to be discovered about the GDPR depending on field. I'm not a lawyer and I'm glad to always be corrected and updated.
Never said that the information needed to be likely to cause harm, but simply can. The exact phrase that GDPR uses is "Any information that relates to an identified or identifiable living individual".
An example where any information that relates to an identified or identifiable living individual would be harmful would be in a court. Any information about juries, judges, accused or defendant is potentially harmful if abused. All legal systems depend on the presumption of privacy in this regard, and all legal systems that I know have processes in place to replace individuals when that harm can be actualized.
A similar situation is possible when it comes to information being distributed to a very large audience. Unimportant "harmless" information can be perfectly safe in a small group, but if millions of people see it in a harmful context then such harmless information can turn harmful. Any person operating a forum, a voice chat group, or a place where any two people meet should treat any logs with the threat model of it being leaked and the information harming real people.
I should have clarified in the above comment that information that relates to an identified or identifiable living individual should always be assumed as potentially harmful, and thus involving a risk to the identified person. This is the problem GDPR is mostly attempting to solve, and thus the situation for which the operator needs to act. Similarly, if the information is of such nature that it can't be harmful, it is also very unlikely to be information that relates to an identified or identifiable living individual.
When GDPR came in a lot of people asked similar questions as the parent post. What about Apache logs? What about login credentials and sessions? What about CRM and customer registers? The collective answer from that conversation, as I remember (and much of those discussions can be found archived), was that the question depends on the context. If it's purely for security then the operator can likely continue on as before per the above quoted section, with some caveats to proportionality. For most everything else, look to the purpose of the GDPR.
Why does a site even get to know when cookies are disabled?
I feel like this is a horrible implementation of this browser feature. If the user disables cookies, the browser shouldn't tell the website "I don't support cookies", but rather let the website's JS think it happily set a cookie but not store anything when you navigate to any other page.
Your system wouldn't prevent detection: a simple fixed cookie on the landing page and a redirect to a robot-prohibited page, with JS on this page expecting the cookie, and you get yourself a detection mechanism.
(Note that you could also check server side on the redirection page)
I believe (but I cannot formally prove it) that it's actually impossible to prevent detection.
It's a bit similar to private browsing mode (which in that case should in theory not be detectable) but has revealed to be a challenging problem.
Detection is hard (impossible for arbitrary JS) if the cookie isn't physically stored somewhere (at least in memory).
That said, I think cookie auto deletion basically satisfies that use case? I personally have cookies set to wipe when I close my browser, and I close my browser fairly frequently. That's not quite as often as you're suggesting though.
This is just a regular journal page. Not surprised they're tracking their users. A better place to link would probably have been the arXiv: https://arxiv.org/abs/2001.02479v1.
I have had some luck just using reader mode. It is not important when I am on my ipad, because I use Safari in private mode and it doesn’t share cookies with other tabs, but this is even easier.
"Interesting that this site itself may use one of the described patterns."
Is it really interesting, though? For example, we have seen this as a very common retort in HN comments every time an author is critical of advertising, tracking/analytics, etc. Someone points out the author's site itself uses the thing being critiqued.
Is that supposed to detract from the argument being made by the author? That does not make much sense.
It is a bit like another common retort we see in discussing tech company behaviour: "But everyone else is doing it." Does that make it OK? Or one we see when discussing regulatory action: "They should be focusing on X not Y." Don't look here, look over there.
I am highly skeptical of comments that try to leverage these tactics. The message is what it is. Whether or not it is valid does not depend on who is voicing it, where it appears, or what's going on somewhere else. This is pure misdirection.
This paper might be a worthwhile read. It makes little sense to pre-judge it before reading, simply because it appears on ACM's website, and ACM's website developers try to get users to enable cookies. What if the paper is re-posted on a site with no Javascript and that does not try to set cookies? Does the content of the paper then become "legitimate"? Why or why not?
It is easy to retrieve this paper without using cookies, from another site. For example,
Not trying to single out this one comment. It's fine. The paper is not really arguing for or against banners and other notice and consent mechanisms, just studying their use. I cannot even see the banner because I use a text-only browser.
The most interesting paragraph in the paper IMO is the last one. They ask why the client, e.g., through browser settings, cannot be in control of the legal consent mechanism. What if clients were to send an additional HTTP header to indicate whether or not the user consents to cookies. For example, Allow-Cookies: no.
The online advertising companies have apparently fought against this, e.g., the DNT header. If you enable DNT in one popular browser deployed by an advertising company you get this ridiculous warning message. Why the heck is it a big deal if the user controls the headers sent and the server has to honour them. When you read RFCs about www development they always make it sound like clients and servers are on an equal footing. The reality is quite different. These companies want to control how a user "consents".
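What honouring a client-declared header like the hypothetical Allow-Cookies: no would look like on the server side, as an added example that is not from the paper or from any commenter; the header name, the WSGI middleware and the demo application are all assumptions made for the illustration, and no browser sends such a header today:

```python
"""WSGI middleware that strips Set-Cookie when the client declines cookies.

Constructed example. When the request carries "Allow-Cookies: no", every
Set-Cookie header the wrapped application tries to emit is removed, so the
client's declared preference is enforced even if application code ignores it.
A Vary header is added so caches keep the two response shapes apart.
"""
from wsgiref.util import setup_testing_defaults

HEADER_NAME = "Allow-Cookies"            # hypothetical header from the thread
WSGI_KEY = "HTTP_ALLOW_COOKIES"          # how WSGI exposes that header


def demo_app(environ, start_response):
    """Constructed upstream app that always tries to set two cookies."""
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "tracker=xyz; Path=/"),
    ]
    start_response("200 OK", headers)
    return [b"hello"]


class HonourAllowCookies:
    """Wraps a WSGI app and enforces the client's Allow-Cookies preference."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        declined = environ.get(WSGI_KEY, "").strip().lower() == "no"

        def filtered_start_response(status, headers, exc_info=None):
            if declined:
                # Drop every Set-Cookie regardless of case or how many there are.
                headers = [(k, v) for k, v in headers if k.lower() != "set-cookie"]
            # The response differs by this request header either way.
            headers = list(headers) + [("Vary", HEADER_NAME)]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start_response)


def run_request(allow_cookies=None):
    """Drive the wrapped demo app with a constructed request.

    Returns (status, headers, body) so the effect can be inspected.
    """
    environ = {}
    setup_testing_defaults(environ)
    if allow_cookies is not None:
        environ[WSGI_KEY] = allow_cookies
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(HonourAllowCookies(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


def set_cookie_values(headers):
    """All Set-Cookie values present in a header list."""
    return [v for k, v in headers if k.lower() == "set-cookie"]


if __name__ == "__main__":
    for pref in (None, "yes", "no"):
        _, hdrs, _ = run_request(pref)
        print(pref, set_cookie_values(hdrs))
```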
If it's so hard to do the right thing that someone who apparently both cares and understands the problem space still messes it up, then the issue is more fundamental than education.
Is this somehow suggesting nonprofits are less liable? I was quite shocked to read an article that gave a weekend sports team as an example of an organization that was maintaining GDPR-protected data, basically the list of their team members.
What I have seen everywhere is that all the consent is based on violating one of fundamentals of GDPR Art. 7(4):
"It shall be as easy to withdraw as to give consent."
All those dark patterns to hide the rejection, keep some things ticked etc. are a complete waste of time. They all violate GDPR and are just another case for: no one has read the GDPR and is just copying everyone else.
It is just a waste of developers' time; hiding rejection of consent, making it less understandable, etc. is just violating the GDPR. Google is violating it, Facebook is violating it,... but they have money for lawsuits; if you have it too, no problem, just copy them, if not, reconsider your tactics.
Bottom line, you are wasting time and effort to implement it, you are trolling the users with popups and at the end even the consents that you got are invalid and void. So why do it?
Imagine the scenario: your beautiful website, your beautiful Android application is being checked for GDPR compliance based on a lawsuit.
And you bring in your dark-patterned consent dialog (whoever the provider is, it doesn't matter, YOU are the controller, YOU are the one who needs to care for your visitors/users privacy and you will be fined if google ads are violating privacy by their scripts run from your application/site).
What do you think will happen, you will get pat on your back and someone one will say "you poor thing, you didn't understand, let me pardon you" or you will get an "Tommy Lee Jones" implicit facepalm [1]?
Same goes for all the sites that stuff the user id into the "consent/no consent" cookie where just setting "consent=yes" or "consent=no" would be enough. Again, just same thing, for avoiding storing one PII you create another PII (by GDPR, anything that is unique to a person is PII) and violate it by doing that. Just why. Dont bother. Wait for a law suit and that is it. Dont just waste more money with same result as not wasting it, rather label a jar with "GDPR Lawsuit" label and stuff the money wasted for illegal consent methods into the jar.
What absolutely infuriates me is this "legitimate interest" crap that is almost always hidden away, and often you have to scroll through literally hundreds of opt-outs with no way to disable them all in a single click.
If I'm so damn "legitimately interested", why is it on by default and basically impossible to turn off? Find me one person on this earth who is legitimately interested in being tracked by marketing companies who sell their information on to whatever giant collections. This should be illegal.
It's usually a good hint that it really isn't a legitimate interest case if they allow you to turn it off.
A legitimate interest does not require an opt in (or an opt out). Consent does. If the page mixes those two up they're either clueless or trying to walk in the gray area and don't really understand (or don't want to understand) what either of those terms mean.
Legitimate Interest has a legal definition as a Legal Basis. It's a list of Purposes and Special Features that a Vendor declares to the IAB that they claim to need [0]. A User absolutely has the right to Object to Consent and Legitimate Interest.
Any CMP that does not allow you to opt-out is on shaky GDPR legal ground.
"legitimate interest" is a legal term with specific definitions in the GDPR. (And indeed it refers to the interest of the site, not yours)
IANAL, but as I understand, it refers to data collection that is inherently needed to perform a service.
E.g., a pizza delivery service has a legitimate interest to know the address of the place where it should deliver the pizza to - because, well, otherwise they can't deliver the pizza.
In such a case, the GDPR wouldn't require the pizza place to get consent. (the GDPR requires that a service is performed even if consent is denied, so without the legitimate interest exception, the pizza place could end up in a legal catch-22 if someone ordered a pizza but denied consent to collect the address.)
The basic idea seems perfectly reasonable to me, but of course sites always tried to stretch the "legitimate interest" definition as wide as they could get away with, and this seems to be the latest iteration of that.
I have no idea where the latest fad of claiming all kinds of ridiculous things as legitimate interest as long as there is an "object" button comes from, but I imagine there was some court case that decided this was borderline legal. If anyone else knows more about this, I'd really like to know as well.
But at least I think this is why many consent popups ask the exact same questions twice, once as "consent", off by default and once as "legitimate interest", on by default: They are simply trying their luck on two separate legal avenues. (Not that this would make any sense from a UX point of view or from the intent of the law. But I guess it does make sense from a "scummy lawyer" point of view)
> because, well, otherwise they can't deliver the pizza.
This is covered by one of the five other GDPR principles for lawfully processing data ("to fulfil contractual obligations..."), so it wouldn't be considered a legitimate interest.
An example of legitimate interest would be the Pizza Place keeping your address on their phone system, so that when you call from the same number on a future date, they can confirm your address without having to ask for it again.
It can also be for advertising. It's very unclear where the line is: of course Facebook has an interest in tracking you, it legitimately makes them money. Afaik that's what this purpose is for. But it should also be weighed how reasonable versus invasive it is. The data protection authorities are clear on how they see it (namely as mostly a dummy clause that rarely lets you do anything) but it has yet to be seen how this holds up in court.
The attitude of the UK's ICO seems to be quite lax - it gives as an example "you do not want to give the individual full upfront control (ie consent)" with the implication that if you don't want to ask for consent, it's a legitimate interest.
I expect the first point of divergence between UK GDPR and EU GDPR might be here (since they are now separate), in how 'legitimate interest' is interpreted in the law.
"Find me one person on this earth who is legitimately interested in being tracked by marketing companies who sell their information on to whatever giant collections"
Sure. I'm legitimately interested in that.
I prefer being marketed to by people who have a good idea about what I would like, rather than getting phone calls at dinner time from people trying to refinance my non-existent mortgage.
And no, I'm not scared about Google knowing details about my life. If a dangerous entity such as a rogue government wants to do me harm, they will be able to find out whatever they want about me whether or not I use a 'secure' browser and search engine.
As the paper states, the GDPR is comically unenforced. I doubt these 'legitimate interest' cookies are compliant with the law. In practical terms, they don't need to be. Nothing happens to websites that break the rules.
My favorite deceptive pattern I encountered is "double click the checkbox to disable". Literally a checkbox but it wouldn't do anything. I got a little frustrated and started clicking furiously just to discover that a double click would reliably disable the items...
(I don't remember if this was on desktop or mobile, on mobile s/click/tap/g)
Also, I personally lean towards being in favor of GDPR and cookie law (wish there were some improvements though); I'd like to say it just because every opinion you find is "GDPR useless", "cookie law bad"
Yes, seems as though those opinions are the loudest and perhaps it encourages the dissenters to stay quiet for fear of down-votes. I've noticed that with certain viewpoints and have adjusted towards censoring myself a bit. The crowd seems bimodal but perhaps that's the nature of the conversations and the voting tool reinforces that.
Depends on the timezone, perhaps. I hail from the EU, post mostly during EU wake hours, and often comment in favor of GDPR, and I very rarely if ever get negative karma on those comments.
This is the PDF: https://arxiv.org/pdf/2001.02479.pdf I couldn't understand how to find it on the linked site. Maybe the submission URL should be changed?
I recently purchased something from the official UK Nintendo Store [1]. I did not opt-in, and was not asked to opt-in, to marketing emails.
Several days after purchase I received a marketing email with an Unsubscribe link.
I submitted a GDPR enquiry and after a few weeks I get:
Having investigated this matter fully, we can see that you were opted in as a result of a small technical difficulty which we are now fixing. We have taken action to set your marketing permissions to "no" as requested.
I think we're so far past the GDPR "start date" that there's an apathy to it from companies and they're pushing the limits again. How Nintendo can have such a formalised GDPR enquiry process but such sloppy controls is beyond me. I will formally complain to ICO (UK data regulator) but I doubt it'll affect much.
I have a different issue myself. Despite having opted-in to marketing e-mails I have never obtained a marketing e-mail from Nintendo since then. Nintendo's website shows that I have agreed to "receive promotional e-mails". At one point I did in fact unsubscribe, but later I resubscribed. I think that there is a bug that sometimes causes the promotional e-mail setting to not be updated in the newsletter database (maybe the server was down when I tried to change the setting, and the Nintendo Account website quietly ignored the error).
Main bulk mailing companies (iContact, Sendgrid) will make a blocklist for you of anyone who has unsubscribed - and if you're not careful about it once on you'll NEVER get off - and it prevents send to those addresses even if you later re-add them to your list.
I complained about tv2.dk (I used to be a customer) sending me an e-mail after I deleted my user and told them not to send me e-mail. This was a really bad experience where their support attempted to make me login to the site, which I refused to do since I removed my user previously.
Then I sent them a GDPR request to remove all my info and complained to the Danish Data Protection Agency.
I stopped receiving e-mail but got nowhere with my complaint. The agency wrote me that they didn't want to pursue this.
Based on this ..
I don't think that anyone is taking GDPR seriously and no one is trying to defend the small people (me!).
Sad, I get that it might be too small a case to actually deal with, but most cases will be. Only in aggregate will complaints like yours ever get anywhere.
On a positive note, I have noticed that deleting accounts has become much easier after the introduction of the GDPR, and more and more I see tracking opt-in/out forms where opt-out is just as easy as opt-in. So something is working.
This is actually a really good idea. A Trust Pilot type of site which is owned by a non profit or some such with no monetary interest in contrast to TP where GDPR issues toward companies can be created, shared on social media and executed automatically when a number of people agreed to complain about the same issue.
Having seen how other companies make the sausage, I can take a guess.
To Nintendo, marketing is not a "core" business function, so when the company was sorting out GDPR, no one invited them to the room and they didn't ask to be invited. When companies think about "what data do I have" they tend to get tunnel vision to their main business operations. I bet Nintendo has robust processes for their online gaming services. No one ever seems to think about the twenty dozen Google Analytics accounts they're all running, and a good fraction of them don't even think about their CRM systems.
In the UK, there's another law called the PECR in place that may supersede the GDPR in this case.
I've had multiple merchants get back to me after such a complaint claiming that under the PECR they're allowed to send further marketing solicitations following a purchase.
I haven't pushed it further so no idea if this is actually legal or if the GDPR supersedes it.
The Privacy and Electronic Communications Regulations (PECR)[1] do not supersede GDPR as such, they sit alongside it.
Section 22 is the relevant section they are hoping to rely on, specifically section 22(3) which allows them to:
----------
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
----------
So in this case, they are obliged to let you withdraw your consent every time they email you. It is not a blank cheque for them to keep emailing you simply because you've purchased something; it is consent-based and therefore uses the same consent processes as the GDPR.
> How Nintendo can have such a formalised GDPR enquiry process but such sloppy controls is beyond me.
Probably because only 1% of 1% of their customers even bother to notice. I'd be willing to bet money that you were the first person to discover this implementation error.
Yes, part of the Brexit agreement was the UK "domesticating" some parts of EU law by passing them as UK legislation. There is now a law called UK-GDPR, which is literally a copy-paste of GDPR, with names of EU institutions find-and-replaced with their UK equivalents.
There are still some operational differences, around the fact that the UK regulators will not participate in the cooperation mechanisms that the other regulators will. This ends up mattering for businesses: a significant aspect of GDPR was that a company only ever had to deal with one regulator, but now they need to interface with one for the EU and a second for the UK.
I believe GDPR is supposed to be implemented in every participating country's legislation, so the GDPR was implemented in UK law and this remains the case even after Brexit. Nothing prevents them from amending that law and repealing the GDPR's effects on it though.
I am working as a developer for a medium sized publisher in Germany. I'm pro GDPR and don't like the way the industry treats the users. But they just seem to continue on their course. Reaction to GDPR was very slow. Cookie banners (before GDPR) were ignored. When GDPR was there we started to implement regular cookie banners - despite the warning from us developers that this would be illegal.
The first real reaction to GDPR came at that moment Google forced them to. There was a deadline (somewhere in February 2021) where Google would limit ads if no consent manager is implemented.
When we finally implemented it they set everything they can to fight against the user: The big blue floating button for the consent manager was hidden - instead I had to implement a link into the footer. Nobody will find it there. Then they disabled the "disable everything" button. Now you can just allow everything or manually tick a hundred boxes. They totally know that it's not legal. But nobody cares. Ad revenue is the most important thing and if they would follow the rules they would lose quite a lot of money.
As a developer it's frustrating to see how user hostile the web has become ... Sure you can get another job, but it's the same situation in every other place ...
If you are just a user browsing the internet and being annoyed by all this stuff and mistreatment: I'm sorry.
Get an ad-blocker (uBlock Origin) and maybe additionally uMatrix and learn how to protect yourself. The only way to "vote" is with the active denial of your data. They can see those statistics. They can see the rising number of people blocking all this tracking and advertisement stuff.
>>The first real reaction on GDPR came at that moment Google forced them to. There was a deadline (somewhere in february 2021) where Google would limit ads if no consent-manager is implemented.
The irony is that the cookie warning you get on all Google's sites includes all the dark patterns and seems to be there only to pretend they follow the law. All is opt-out by default and you have to dig through many settings to turn off tracking.
Things could be so simple if politicians had made the law more concrete or if it would be enforced.
Because some websites do comply and have a reject all button on the first pop up.
I know this is the law, but it should be... you know, literally the law.
Why is the law not enforced for the online marketing industry? After all, you will scarcely find an industry so full of criminals as this one!
Whether something is "legal" is a fuzzy computation that runs in the minds of average citizens on a jury, though it's more commonly simulated by judges and lawyers. The text is not absolute.
So what if an accept-only contract (like a ToS, EULA, or consent pop-up) did what average users think they agreed to, regardless of what the text says?
This would shift the burden of understanding from the user, where it currently lies, to the company. If it's essential to a company's business model that users agree to something complex that most users don't understand, the company will just have to help the users understand, deploying all those marketing and UX patterns they've perfected over the years to do so.
(Yes I know this isn't how contracts currently work; it's just a harmless little thought experiment.)
FWIW, legal systems are sometimes closer to what you're describing there than you might realise. Obviously this varies with jurisdiction, but contracts of adhesion often do carry less weight in the event of litigation, for example automatically giving any benefit of the doubt to the party that didn't write the contract. Often there are relevant consumer protection rules as well, for example a general requirement that the terms of any B2C agreement must be reasonable or they will be unenforceable. More generally still, contract law is usually based on the basic idea of a meeting of minds, with an implication that all parties understand the contract they are entering into.
When we drew up the Ts & Cs for my first business that was selling online, we took advice from a lawyer who specialised in this kind of work, and one of the first points they made was that if there was anything at all surprising or unusual in what we wanted for our terms, it should be emphasized prominently and early, not buried in small print at the back, for exactly the kind of reasons above.
I once saw an anecdote (possibly apocryphal, I don't know) about a consumer rights lawyer who said they never bothered reading the small print in these situations. When someone expressed surprise that even a lawyer wouldn't check what they were signing up to, they replied that either the terms offered would be reasonable, in which case the lawyer would have no problem with them, or they wouldn't, in which case the unreasonable aspects would be unenforceable anyway.
permanent fix: learn to use your uBlock-Origin quick element picker.
Every time you open a site and it shows a popup for picking your cookies, just open uBlockOrigin from your browser toolbar, click the quick element picker (eye dropper icon), click the popup.
Done. Now you will never see the popup for that site (even if you do not save cookies, or clear your cookies), and you are technically guaranteed to not accept any non-essential cookies ever (if they follow spec).
Also, off-topic: it's annoying that acm.org has now added a horizontal progress bar, similar to QuantaMagazine.org. I already know how far through the article I am, my browser shows me a scrollbar.
The authors of this article also created a browser extension that allows you to pre-configure what data you consent to share and autofills a good number of the most common GDPR pop-ups : https://addons.mozilla.org/fr/firefox/addon/consent-o-matic/
How about introducing a standard way to declare and categorize cookies and let the browser take care of consent? On first start set your default cookie preferences for all websites and adjust per website, when needed. It could be quickly built as an extension first and later moved to browser core.
Without legal backing, advertisers will weasel out of any technical measure. You can even see this in the common practice of showing an app specific permission prompt ahead of browser/OS level prompts because they know that being rejected at the OS level removes their ability to prompt again later.
Legal systems are not so willing to prescribe specific technical solutions to avoid the "oh, you had very specific rules about advertising on radio, but this is TV so we get a few years of free roaming before you can update the law" issue
> Legal systems are not so willing to prescribe specific technical solutions
Also, when they do that, it is often criticised that the technical solution is out of date, inappropriate, prevents competition in the space and many more. (Often rightfully so.)
As someone who's blocked cookies and ads for years, the result of the GDPR has been a parade of unblocked pop-ups. Frankly I liked it better when pop-ups had naked women in them.
> Ideally, we'd be able to control opt-outs at the browser level.
We tried it at the protocol level with do-not-track and it just gave them an additional bit of info to track.
But I agree: It would be awesome to have this as a browser option. Just send a list of all the optional things to my browser which responds with the accepted results.
> The second best thing would be a law to prevent consent popups from making it harder to opt-out than it is to opt-in
I wish it was this explicit, but it isn't. EU member states have all interpreted the regulation differently.
Making it harder to opt out than in is explicitly prohibited in the UK and Germany. It is perfectly legal in Italy. In Spain, it is legal to bury the opt out buttons at the end of a 50 page cookie policy.
Full compliance, across the whole of the EU, is exceptionally difficult.
GDPR is a textbook example of how government intervention in our business never ends in the way the technocrats desire/promise. It simply makes things more convoluted and difficult for everyone including those they claim to be protecting.
Given that the industry was never going to address the problem on their own, I don't see how there was ever an option other than government intervention.
The only company that sort of cares is Apple. Without government intervention privacy would be something reserved for the wealthy.
You have it backwards, this is big companies doing what they can to protest a law they don't agree with. Much in the same way big tobacco and big oil for years have been combating science
Is this even relevant nowadays? I've been doing some tests with Edge and Firefox, and with their built-in tracking prevention + uBlock, it didn't matter whether I accepted all or only essential cookies, because at the end, only first party cookies are set.
One might argue that accepting all allows tracking by the site itself. But, does it really matter? I'm already on the site because I'm willing to. At this point, we're no longer talking about tracking but analytics.
GDPR consent buttons and statements are as worthless as the California Proposition 65 cancer warning that gets slapped on every consumer product. Any plugins to strip them out or automatically consent?
You can use it on Android with Kiwi Browser, a Chromium derivative. It used to work with Firefox, but it looks like Firefox still hasn't un-broken extensions on Android.
I suppose that's getting a bit dated, but I'd have to be actively experiencing significant breakage to give up extensions for a browser update. I am not.
ublock origin takes care of most of them. You will want to go to settings > filters and make sure that you have EasyList, EasyPrivacy, and EasyCookie all enabled. I would also recommend Fanboy's Annoyances filter list enabled, as it contains quite a few nice cosmetic filters to block out similar annoying web elements.
It's different from the Prop 65 warnings. Unlike those, the GDPR explicitly bans annoying/misleading consent prompts. Merely disclosing tracking isn't enough to comply, consent needs to be:
* explicitly opt-in, so no action from the user means they shouldn't be tracked - pre-ticked checkboxes are not allowed
* it should be as easy to opt-in as to opt-out, so approaches like a big "accept tracking" button but only a "learn more" link, or putting the deny option in the fine print, aren't allowed
* needs to be "informed consent", so the user should be made fully aware of what data will be collected and how it will be used
* needs to be granular, so the user should be allowed to decide what data to provide and for what purpose
* optional - you are not allowed to deny/degrade the service if the user does not consent to tracking
The problem is that the GDPR is not being enforced properly. The annoyances you are facing would not be a thing if the law was enforced. It explicitly learned from the earlier "cookie law" which merely enforced disclosure and led to stupid & useless cookie banners with no easy way for the user to actually act on them.
We should standardize the GDPR “pop up” by putting it inside the browser settings, and send a HTTP header that reflects user choice.
I see no difference between websites adhering to a HTTP header versus what the visitor chooses in the website’s custom pop up.
To start with, we should add to the GDPR regulations that a “Do Not Track” HTTP header requires the website to not display the pop up and interpret it as the visitor allowing only “strictly necessary cookies for website to functionality”.
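As an added illustration (not code from any commenter), here is a small server-side consent resolver for the scheme proposed in this post: a DNT or Sec-GPC header of `1` suppresses the banner and grants only strictly necessary categories, and otherwise a minimal consent cookie is read that stores only the decision, never a user identifier (the earlier point about `consent=yes`/`consent=no` cookies). The cookie name `consent`, the category names and the `+`-separated value format are assumptions made for the example.

```javascript
// Added example: request-side consent resolution for a header-first scheme.
// Assumptions (not from the thread): one cookie named "consent" whose value is
// only the decision, e.g. "necessary" or "necessary+analytics". The category
// names are made up for illustration.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const COOKIE_NAME = "consent";

// Parse a Cookie request header into a plain object (first occurrence wins).
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in out)) out[name] = value;
  }
  return out;
}

// Validate a stored consent value. Only known category names joined by "+"
// are accepted; anything else (such as an opaque id appended to the cookie)
// is rejected, so the site neither honours it nor keeps a tracking key
// disguised as a consent flag. Returns the allowed categories or null.
function parseConsentValue(value) {
  if (typeof value !== "string" || value === "") return null;
  const seen = new Set();
  for (const c of value.split("+")) {
    if (!CATEGORIES.includes(c) || seen.has(c)) return null;
    seen.add(c);
  }
  if (!seen.has("necessary")) return null;
  return CATEGORIES.filter((c) => seen.has(c));
}

// Decide what the server may do for this request, from its headers.
function resolveConsent(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  // A "1" in DNT or Sec-GPC is a general signal: grant only what is strictly
  // necessary and do not show the banner at all.
  if (h["dnt"] === "1" || h["sec-gpc"] === "1") {
    return { showBanner: false, allowed: ["necessary"], source: "header" };
  }
  const cookies = parseCookies(h["cookie"]);
  const allowed = parseConsentValue(cookies[COOKIE_NAME]);
  if (allowed) {
    return { showBanner: false, allowed, source: "cookie" };
  }
  // No usable signal: nothing optional may run until the user decides.
  return { showBanner: true, allowed: ["necessary"], source: "none" };
}

// Build the Set-Cookie value for a user's decision. Only the category list is
// stored, so the cookie carries no per-user key; "necessary" is always kept.
function consentCookieFor(selected) {
  const unique = [...new Set(["necessary", ...selected])];
  const cats = parseConsentValue(unique.join("+"));
  if (!cats) throw new Error("unknown consent category");
  return `${COOKIE_NAME}=${cats.join("+")}; Path=/; Max-Age=15552000; SameSite=Lax`;
}

// Constructed sample requests, for running the file directly.
const samples = [
  { DNT: "1" },
  { Cookie: "consent=necessary+analytics; sid=abc123" },
  { Cookie: "consent=necessary+analytics+u8f3k2" }, // id smuggled in: rejected
  {},
];
for (const s of samples) console.log(JSON.stringify(resolveConsent(s)));
```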
Every time I see the term 'dark pattern', it's always a case of one or the other, with the delineation into fraud varying depending on the relevant laws. In this case, they mention how websites skirt the minimum GDPR requirements and trick the users to do what they want, so it looks to be both.
The term is in the best case superfluous, in the worst case a harmful euphemism.
I read it as primarily saying that the thing which 'dark patterns' refers to is more plainly called "fraud and psychological manipulation", not so much that merely using 'dark patterns' as a euphemism is itself "fraud...etc." Suspicious perhaps, but as an indirect second-order thing.
It can be seen as ambiguous, but a lot of language relies on assumptions about what a reasonable person would be thinking. Which causes trouble if you're trying to express a contrary or startling opinion.
I don't think everyone who uses that term has an agenda. I'm sure most have good intentions, or just are naturally attracted to new buzzwords. It just so happens the term does play into the agenda of those who have one and who manipulate others psychologically in this way.
The whole topic is a sensitive one. I'm sure a sizeable number here on HN derive some direct or indirect profit from such practices (running, being employed in or having stock in a company that does this sort of thing, especially FAANGs) while also having some dissonant misgivings about how the internet and technology is evolving. Terms like 'dark patterns' only serve to deepen this confusion and create additional moral distance between such tech workers and the consequences of their work, even if they are not necessarily intended to be nefarious: therefore, we ought to discourage it whenever possible.
Of course, in the grand scheme of things, none of what I say here will actually have an effect on any of this, but it's fun to discuss these topics all the same.
In any case, I don't see how any of this can be inferred from that single original sentence, but I'll take your word for it.
The term “dark pattern” refers to user interface design patterns. That’s where the “pattern” bit comes from. There was already a term for anti-pattern which referred to mistakes. I wanted a term that had a Machiavellian tone to it, so I chose “dark” (Star Wars, Harry Potter, why not?).
I’m not quite sure why this term proved to be so popular. I think it is helpful to have a term that is a little vague though, as it can be a lot of work to pin down whether something is truly deceptive with an outcome of harm - or just an annoying attempt to nudge.
Thanks for letting me know. Looking through the thread again after my initial off-the-cuff reaction, I'm starting to think that I may be reading too much into the term due to my own biases and assigning interpretations to people that they might not have. There's certainly more to say on this topic.
>I’m not quite sure why this term proved to be so popular.
Well, it does sound cool and memorable on its own...
I think if someone puts the pauses at different spots than you, the grammar changes substantially. Reading your replies I figured it out, but it reads like not everyone caught that so I thought it might help you sort out some of the reactions you’re getting.
Precisely why the new term was devised: dark patterns are not, in general, technically fraud.
They are playing completely within the rules but taking advantage of human psychology to tilt the outcome in the direction the website owner wants (and, it is assumed, against what the average user wants).
Well, an interpretation of the rules that their lawyers said was at least justifiable enough to make a legal argument out of. It's hard to write rules when the readers are incentivized strongly to use any ambiguity as a weak spot to attack and use as a workaround rather than following intent.
Following intent isn't a good legal framework either, of course, better to make the people with legal training work hard to write them correctly once rather than making them complicated to interpret.
I sincerely doubt that much financial reward will come for any random individual doing this to any randomly selected website in that sample that does not meet the GDPR requirements.
On one hand, you've technically got the right idea that I ought to put some skin in the game. On the other, it's a reasoning meant to shut down criticism on the same level as the infamous "yet you participate in society, curious!" comic
> I sincerely doubt that much financial reward will come for any random individual doing this to any randomly selected website in that sample that does not meet the GDPR requirements.
Then what's the point of GDPR if it's not worth taking them to court? Is the idea that only the government can bring them to justice?
This topic is above my paygrade since I lack the relevant legal knowledge. But some things I've noted so far:
- GDPR shone a light on these practices that is visible to the casual user. This highlights some examples of long-term counter-productive thinking: people blaming GDPR for showing those practices instead of the practices themselves. A symptom of the messed up ways in which all this has been developed over the years
- Even single governments alone aren't enough in some cases (see France's measly series of fines against Google that probably evoked laughter in the boardroom)
- As a user, the prospect of being able to download my data from FAANGs seemed so miraculous and unrealistic at first that it made me realize how complacent I had gotten to unequal practices and to these websites and companies just doing whatever they wanted whenever they wanted. That specific point alone is worth the entirety of GDPR to me
- Baby steps. GDPR is already a step in the right direction, they are still figuring these things out (especially enforcement) whereas the private sector has decades of experience in anti-user practices, honed by some of the finest minds. The next step is to get a better share of the deal for Europeans as a whole.
Would you consider the fact that bread and fruit and veg are always at the start of a supermarket journey a dark pattern?
Supermarkets have gotten customers to spend more than they intended with all their patterns as well -- just like social media sites get customers to spend more time online. It's just what they optimise for. The concept is much older than the coined word.
Most of a supermarket's layout is determined by hard requirements like refrigeration, stocking heavy items and handling payments.
That hasn't been generally true for a long time. The big chains spend a fortune deciding how their stores should be presented and optimising the layout of different products, and there is a lot of sophisticated analysis going on behind the scenes. There are certainly recurring themes in the results, but for example there are several major stores near me that have totally different layouts in many respects including all of the ones you mentioned, and it would be surprising if any of those differences was an accident. The stores don't run all those loyalty card schemes, nor rearrange their products from time to time, just for fun!
The whole concept of the placement of the milk being suspicious and needing an explanation never made sense to me. Why would they or should they optimize for people who go to the supermarket just to buy milk? It makes perfect sense to me from the point of view of usually buying more than one thing per trip.
If in a "normal" grocery store trip you go through most of the store then of course you want to get refrigerated and frozen foods last, just before you go to the checkout. So they don't warm up too much.
By the way, frozen stuff is not all on the perimeter in my experience of US supermarkets. It's funny how something can be so mundane and everyday you never really look at it.
Highly depends on the Aldi. Mine does indeed start with bread but has veg at the end of the first aisle across from the refrigerated goods. I would guess that the position of the bread depends on the infrastructure, specifically where the baking station can be built.
Is it? It's comforting to think so, but I'm not convinced there's a meaningful dichotomy that can be drawn. I add a "save this card" functionality to my store so users don't have to type it in every time they buy something: am I offering a neat convenience feature, or am I manipulating them by reducing the psychological barrier of a sale?
>Is it? It's comforting to think so, but I'm not convinced there's a meaningful dichotomy that can be drawn. I rework my store's checkout workflow, making it simpler so users only have to click a couple buttons to buy a product: am I making their lives easier, or am I manipulating them by reducing the psychological barrier of a sale?
"making their lives easier" implies that the purchase is the default outcome that the user needs to improve their lives, when the purchase could simply not be made at all. As long as the intention is to make more money, and that the effort expended does not improve the nature of what is purchased in some way, I'd say it technically qualifies even if the consequences are the lightest of grays.
That said, your example is thoughtful, and you are probably right overall. We could look at the broader context of all these systems encouraging consumption, but that would be moving the goalposts on my part.
edit: just to clarify an edit took place while I was replying
(I was under the impression that all ACM conference papers with NSF grant numbers in the acknowledgments would automatically be added to CHORUS, but this one seems to be missing.)
I can't read the paper beyond the summary. But for what it's worth, I agree that GDPR is a good thing in general. However the implementation and execution of it is sloppy (as seen with these "dark patterns")
GDPR should have been aimed at the browser and then force websites to comply with the settings defined in the browser. Non-compliant sites would be immediately flagged by the user's browser instead of hiding behind numerous dark UI patterns.
Perhaps it was easier to force thousands of EU sites rather than trying to coerce Google, Apple, Microsoft.
- tracking cookies are bad and yes it is an issue.
- GDPR and consent pop-ups are a pain; surfing is becoming a similar effort to moving through mud.
Solution? I hope we can embed the response in the browser, so you say once "I do not want to be tracked, not even for 'legitimate interests'" :P and then in the background the browser does the rest?
How difficult is that?
This highlights why governments are impotent:
- it has been 5 years since GDPR was implemented to great fanfare
- by the time of implementation data mining has been going on for many years
- 5 years after, 90% of businesses use dark patterns that are non-compliant
- actual fines and enforcement are negligible
- maybe they will start enforcing more aggressively... after another 5 years
It is simply the case that large bureaucratic organizations are too slow and too incompetent to deal with rapidly changing technology. And the tech community sees this and has no respect for governments. How can you respect impotent Industrial Age structures today anyway?
My view is that by mid-century Western governments will be going bankrupt in droves since tech will optimize out their ability to collect taxes or inflate currency. Plus they will just be extremely behind the curve and become irrelevant to everyone’s tech-dominated lives.
It is tech companies that will lead the future. It doesn’t matter if this does not agree with pro-democratic sensibilities. Sensibilities will change and adapt to reality.
For me personally - all these popup banners and modal walls for websites about cookies and stuff just really make the internet a worse place. I suspect that empirically, they don't accomplish what the GDPR intended to - and they make the internet less enjoyable. Thanks GDPR.
>It's just a really disingenuous and dismissive comparison. Nobody is complaining about flashlights.
I don't make that comparison lightly. I'm not dismissing the issue: it is a serious problem that is widespread over the internet. It's not disingenuous: it describes a series of institutionalized behaviors that are directly parasitic on the user.
Now the reaction is to be angry at GDPR because of the pop-ups, which aren't even GDPR compliant in the majority of cases as directly evidenced by the OP link. This reaction is comically absurd, hence the comparison. This garbage heap is the result of shitty implementation by the websites, and ironically a lack of enforcement of the law.
But, nobody here is complaining about GDPR. They are complaining about the terrible UX, and wasted time, and attention, which the non-compliant implementations have caused. That is not an absurd reaction, it's perfectly reasonable. That's why your comment comes off as dismissive.
If anything, it's more akin to complaining about the shitty, half-rate pest control person your landlord calls to get rid of the rats. They do a bad job, poison your house, waste your time, and the rats never go away.
At the time of writing, the parent comment I replied to ended with "Thanks GDPR". To me, there can be no clearer indictment of the law instead of the shitty practices. Reading through the thread has been frustrating. There are many users coming so close to the realization contained in the analogy but stopping just short of it. I understand that it is confirmation bias to some extent: many other users have made no such complaints. But I see it often in other places as well, and even have had those arguments in real life. I am willing to consider those perspectives, but I simply disagree with them.
>If anything, it's more akin to complaining about the shitty, half-rate pest control person your landlord calls to get rid of the rats. They do a bad job, poison your house, waste your time, and the rats never go away.
I don't want to stretch the analogy further than it can work, but a more apt comparison in my view would be this: a person discovers that every inch of their floorboards and walls is filled with highly intelligent rats. The pest control comes, creates some measures that have a small effect but does not enforce everything at the outset. It's likely they will come back for another round since they are still learning the ropes for such an enormous job. The rats have been there for decades and it is the only pest control service even trying to fix the problem in the entire city. The rats scurry around in a panic, but keep infesting the apartment. In this scenario, would the person try to get the pest control to enforce the measures and get better at it over time, or would they simply carry on as usual and feel comfortable with the infestation?
You're right that the issue isn't the GDPR, it's the tracking industry trying to figure out a way around it. The EU learned a lot from the original cookie law, but the industry has not; they still try to continue as normal, until someone is hit with a crippling fine.
The companies that want to track you have turned the web into a "complete garbage heap of an experience" (apparently, sites I visit don't seem to have this problem). That's not the GDPR.
I was just thinking about that the other day. The billions of extra clicks and taps and wasted seconds. And for what gain? I think that this can be discussed outside of the basic "should we regulate" or not. Specifically looking at these modals that have spread all over, what actual protection does the average user get from this modal?
The modals don't exist to protect the user. Their goal is merely to annoy users to the point they just give up and blindly click "Accept". They only exist for the benefit of companies, and most of them violate GDPR.
Right. I'm not saying the intent of GDPR was to provoke them. But empirically, they are an effect of the GDPR. An undesirable one - that does not fulfill its intent. I'd say we are in agreement here.
I'm not in agreement with that. The banners are an effect of shitty companies being shitty to their customers. They already put as many annoyances and dark patterns on their website as they can, with or without GDPR: newsletter subscriptions, opt-in as default, multiple trackers.
Those banners are merely the effect of shitty companies trying to cover their asses and being non-compliant to a law that's actually sane.
The problem is that the GDPR is not being enforced properly. The GDPR explicitly bans annoying/misleading consent prompts, so this shouldn't be an issue if the law was enforced. It explicitly learned from the earlier "cookie law" which merely enforced disclosure and led to stupid & useless cookie banners with no easy way for the user to actually act on them.
You can complain to your country's data protection expert, and they will tell you this or that company blah blah but not act.
Nothing ever happened. I filed 3 complaints in 2 countries.
2/3 took over a year to receive a response.
1 took about 6 months and nothing changed.
Imagine that, an EU regulation resulted in nothing but unintended consequences and close to zero benefit to anyone -- unless you count consulting gigs of course. Who could have possibly foreseen this!
All this talk about how the problem is lack of enforcement is an absolute riot. Hey, I've got an idea! Let's write another law to address the lack of enforcement. Uh, even better, a third one to address the dark patterns!
(I'm very sorry for the low value comment but I've apparently got a condition where I am physically unable to resist the urge when the topic is rage inducing enough.)
EVERY WEBSITE I visit from my ___location in the USA seems to have these stupid cookie popups. We added one to OUR WEBSITE even though nothing is hosted in the EU - simple cargo-culting "everyone is doing it so we must do it also".
No one says that all sites should honor China's laws for visitors from China. No one claims that all sites should honor Saudi Arabia's laws for visitors from Saudi Arabia.
But magically the GDPR must be followed by the entire world if a visitor shows up from France.
China has the great firewall, the EU tried something similar under the "think of the children" excuse, which promptly failed.
Also a lot of people speaking out against China had to find out the hard way what some western companies will do when you speak out against a cash cow that will happily kick them out if its rules are enforced.
USA set the precedent when the FBI arrested Dmitry Sklyarov (a Russian Citizen) for working for a Russian company that apparently, while in Russia, broke US law.
It would be like Wendy's slagging off the Thai king on a billboard in Dakota, then an employee of Wendy's going on holiday to Bangkok and being arrested.
That's actually a counter example to what you're trying to say.
In this case you are arguing that Russian law should follow a citizen, where as the US said it shouldn't. So the "precedent" that was set (if in fact there was one set) in a case from 20 years ago in which the case against the accused was dropped, was actually that your laws don't follow you around.
The precedent set was that the EU could arrest a citizen of the US for working for a company based in the US if that citizen happened to go to the EU on holiday.
The Meng Wanzhou case had the EU being able to extradite a US citizen from the UK for breaking EU law.
If it has no presence, no money, no sales, no partners, basically absolutely nothing in the EU, then it may be in the clear. But that is a big difference from just not having hosts in the EU.
> Location of the host is irrelevant, it depends on the target audience. Serve pages to the EU? You get to follow it.
No, merely serving pages to the world (that happens to include the EU) does not mean you have to follow the GDPR. That is only the case if you cater to EU residents specifically (e.g. by taking payments in Euros).
We've had them up long enough for somebody to have generated some hard numbers by now. I wonder what the numbers look like on percentage of users that modify the settings from the default?
I don’t have a cookie banner on my website. You know why? Because I don’t track my users with (or without) cookies. Maybe you should stop doing it on your website, and then the cookie banner can be removed.
You mean developers or website managers who do not apply the law properly. All those deceptive patterns are not part of the GDPR; they should clearly label accept and refuse.
I think it will take time for people to stop gathering so much information from users. Once competitors start to figure it out, users might start using them (i.e. New York Times & GitHub.)
I ALWAYS go through them. Either reject, or tediously try to find the hidden settings like legitimate interest.
Lately I open some sites in incognito window, accept all, then close the window when I'm done.
Some science mag I recently visited set 143!! cookies and that's before even showing the consent screen.
I've also started to write scrapers for news sites I visit on a daily basis who go over the top with all the tracking and ads. So I "just" scrape their content and have written a frontend to read the content.
Most of the time that content is just blown up but if there's something really interesting I have a link to the original article there and again open it in an incognito window.
It has become such a chore; whenever I visit a new site on my phone and see a cookie screen, I navigate back and/or open an incognito window.
What the EU should do is disallow those cookie full page modal consent windows.
Many use overflow: hidden when showing it so you can't just adblock it without having to modify the markup.
It has all gone out of hand.
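The `overflow: hidden` trick mentioned above is why cosmetic ad-block filters alone often leave a page unscrollable: the blocker hides the modal, but the scroll lock the site applied to `<html>`/`<body>` stays. Below is an added example, not code from the thread or from any site or project discussed in it, of a small bookmarklet/userscript that undoes both: it restores overflow on the root elements and removes any fixed element that covers (almost) the whole viewport. The 90% coverage and z-index >= 100 thresholds are heuristics of my own, not anything GDPR prescribes, and the `win`/`doc` parameters exist so the logic can be exercised against a fake DOM as well as the real `window`/`document`.

```javascript
// Added example: undo a consent modal's scroll lock and remove full-viewport
// fixed overlays. Usage in a browser console or bookmarklet:
//   unlockScroll(window, document)
// Thresholds below are assumptions (heuristics), not a standard.

function isFullViewportOverlay(el, cs, vw, vh) {
  // A consent wall is typically position:fixed, covers the viewport, and sits
  // on top of everything with a large z-index.
  if (cs.position !== 'fixed') return false;
  const rect = el.getBoundingClientRect();
  const z = parseInt(cs.zIndex, 10);
  return rect.width >= vw * 0.9 && rect.height >= vh * 0.9 &&
         Number.isFinite(z) && z >= 100;
}

function unlockScroll(win, doc) {
  const result = { restored: [], removed: [] };

  // 1. Restore scrolling on <html> and <body>. Sites usually set the lock via
  //    inline style or a class; forcing the property with !important beats both.
  for (const el of [doc.documentElement, doc.body]) {
    if (!el) continue;
    const cs = win.getComputedStyle(el);
    if (cs.overflow === 'hidden' || cs.overflowY === 'hidden') {
      el.style.setProperty('overflow', 'auto', 'important');
      el.style.setProperty('overflow-y', 'auto', 'important');
      result.restored.push(el.tagName.toLowerCase());
    }
  }

  // 2. Remove fixed elements that cover the viewport. A snapshot is taken first
  //    so removing nodes does not disturb the iteration.
  const vw = win.innerWidth;
  const vh = win.innerHeight;
  for (const el of Array.from(doc.querySelectorAll('body *'))) {
    const cs = win.getComputedStyle(el);
    if (isFullViewportOverlay(el, cs, vw, vh)) {
      result.removed.push(el.tagName.toLowerCase() + (el.id ? '#' + el.id : ''));
      el.remove();
    }
  }
  return result;
}

// Run automatically when loaded as a userscript in a real browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  console.log('unlockScroll:', unlockScroll(window, document));
}
```

Note that this only restores the page; it does not send any consent choice, so the site's backend still sees whatever the default state was. Sites that re-apply the lock on a timer or on scroll events will need the function re-run, or a `MutationObserver` around it.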
Every time I see one I go to the options to refuse all; if they do not allow me this option, I leave the page and add their ___domain name to my no-cookie blacklist.
It's strenuous, but I prefer to do so.
I click accept on all of them because I use Firefox + Privacy Badger :D The Badger icon shows in orange the number of blocked resources and cookies, and on some sites it is an amazingly high number.