In my layperson's knowledge of GDPR, these awful consent popups always seemed completely illegal:
1. They prevent access without a lengthy/arduous process. Certainly in violation of the spirit of the legislation and almost certainly also the letter.
2. This was of course entirely intentional, in order to annoy users into clicking yes and laying blame on the GDPR: "The GDPR made us annoy you". It doesn't.
3. They often do not allow a single click deny, you have to go through sometimes dozens of vendors and deny them one-by-one. This is so obviously illegal it isn't even funny.
4. What's worse, if they do have a "Deny all" button, it's almost certainly there to trick you. Because they have essentially the same list of trackers duplicated under the "legitimate interest" category. Which "Deny all" won't catch. You have to "object" to the legitimate interest. So if you hit "Deny all", you will instead be tracked by all.
This is so brazen it's almost breathtaking.
Anyway, good to see progress on this front. The ad-industry is still in deep denial about GDPR, thinking that they can continue their business model in the face of it. They can't. Their business model is illegal, and has been since GDPR came into force.
The conflict has been brewing for some time now, weaving its way up through the channels.
Yeah, I still don't quite get the argument against do not track, and why its clear declaration of intent couldn't be made binding. I mean, you're effectively telling web sites "Do not track me", and they are responding with "Hi, we'd like to track you - please spend ten minutes working through our dark patterns if you're not OK with that".
Unfortunately, DNT is not a clear declaration of intent, because privacy evangelists view it as their moral duty to make that decision for everyone.
It's an inconvenient fact that - perhaps a decade ago - we had DNT, and advertisers were starting to respect it, but then browser makers decided to default it to on, making it pointless.
You're very close, but I think "browser makers" makes it sound like it was more than one. Microsoft Internet Explorer defaulted it to on. Every other browser was in agreement that it would only get advertising industry buy-in if it was defaulted to off.
I think Microsoft's default-on stance was likely intentional sabotage - Google operates a big ad network and would have to deal with a lot of the fall-out.
Why shouldn't the default be to not be tracked, and only start being tracked if you explicitly want to? Advertisers always frame this conflict as though it's absurd to expect them to just stay out of our lives, and anything that makes it easy or default to avoid them should be rejected as impossible.
The feasible choices are between (a) DNT, off by default, that the more responsible and regulated side of the ad industry respects or (b) DNT, on by default, that everyone ignores.
Which one is the greater good?
In other words, you're welcome to walk up to me, slap me in the face, and call me a son-of-a-bitch... but that's probably not a great start to a conversation that ends with "Would you please work with me on this?"
> In other words, you're welcome to walk up to me, slap me in the face, and call me a son-of-a-bitch... but that's probably not a great start to a conversation that ends with "Would you please work with me on this?"
Wow, that's quite some re-framing going on there, if you're casting yourself as the advertiser in that sentence. It's more like if you were regularly "borrowing" my car without permission. Do not track is a bit like the lock on the car, which obviously you can get around in 30 seconds flat. Everyone has a lock on their car, right, and it's installed by default, so by the advertisement industry's reasoning it isn't a true indication of whether I want you "borrowing" it. If you were regularly "borrowing" my car without permission, it'd be reasonable for me to walk up to you, slap you in the face, and call you a SOB, but I'd be more likely to just call the cops.
Data about me is owned by me, and other entities can process it only in strongly limited circumstances. That's the default position, by the standard of basic decency, and also in law. Stop making it sound like me demanding control over my own possessions is unreasonable.
Yes, that is what you want. But you know there are other people in the world? Who want different things? Some of which may be the opposite of what you want? And that therefore, in the interest of civilization, we find consensus between what everyone wants?
Not pointless. We know that most people are not okay with tracking (the opt out on iPhones is 90+%), so the right setting is to be on by default.
However while the ad industry might be okay with a few nerds opting out they weren't okay with most of the general public opting out and so they spread stories like the one you repeated.
To get to 90%+, Apple had to present their users with a forced choice. The majority of users might prefer not to be tracked if they're put on the spot and required to give an answer, but how many would actually go to the trouble of changing a default?
> Unfortunately, DNT is not a clear declaration of intent
Often it is. Firefox, Brave and Safari explicitly advertise themselves as privacy-friendly browsers.
That leaves non-savvy users who just use whatever defaults exist, but there is an even stronger argument to protect precisely those people - you can't consent to something you don't yet understand.
Tracking can leak extremely sensitive information, just like microphone, screen sharing and webcam permissions could. Protecting the user is a sane default in all of these cases. The fact that personal data has commercial value is secondary, just like it would be with webcam access.
Imo, the only meaningful difference between tracking and camera access is that fully-fledged tracking was an accidental side effect of third-party cookies, and before "we" understood the implications of that a trillion dollar industry was established. The reason we're apathetic to tracking is because it's abstract and novel, whereas snooping on your audio or video is easier to grok.
Servers have access to both the DNT header and the browser id. Advertisers could have argued that the DNT header sent by some browsers was not an informed decision and likely forced those browsers back to explicit opt-in/opt-out by users. But they did not. They used the first escape hatch they found to ignore the header completely, kicking the can further down the road. Of course they did, because everybody knows how many people will opt-in to tracking without being bribed.
Defaulting to no tracking is the correct default for advertisers that are respecting GDPR. If someone wants to be tracked, they can opt in by turning it off.
They obviously wouldn't want to just comply with DNT (or any other easy way to opt-out) as they'd be signing their own death certificate.
Instead they exploited the apathy & incompetence of the regulators with their so-called "consent" flow. Considering the GDPR was supposed to be enforced since 2018 and they've made it to 2021 without any consequences I'd say that strategy paid off.
I have also seen some sites that are also using a pattern where you either accept their tracking of you or you can't use the site at all, they just block the content or send you to a useless site. That isn't legal either, consent has to be something people actively give and not giving it can't be a reason to reject service. Quite a lot of gyms are getting this wrong in regards to fingerprints, they don't get to force that mechanism on you and deny you access if you won't provide it.
When the legislation first came in I reported about 100 websites that were breaking the law in obvious ways, they are still like that and the ICO hasn't even responded to those complaints.
This has been my experience as well - the complaints take lots of time to write and manage (you have to first complain to the company and give them 30 days to respond, etc) and in the end the ICO was completely useless anyway.
The rules are actually very simple, you have to obtain a clear, explicit consent given out of a user's own free will to track him, or you're breaking the law. Don't like it? Tough luck.
If I do a blocking banner that said, we track users on this site to pay for it with ads, click OK or leave - under GDPR there are lots of gotchas that make this potentially insufficient. I think folks claiming GDPR is "simple" do not understand it - and how complicated it is.
We have this for age restricted sites already - if you are under 18 leave, if over 18 continue, content is NSFW.
Reddit does the same thing for adult subreddits, you get a popup, this content may be NSFW, if you are at work and will be fired, leave, if not click through if you want - you've been warned.
This model however may NOT be permitted under GDPR which has a TON more requirements on tracking consent, recordkeeping for consent, versioning of disclosures, tracking versioned disclosures to consent identifiers tied to other identifiers etc. If you violate any of this you are breaking the law, are committing crimes, and may need to pay $20M or a % of turnover whichever is GREATER!
There are multiple ways to satisfy the requirements, but that's hardly Kafkaesque. It's simply convenient for the ad business to pretend the rules are incomprehensible, because they'd really rather not understand them.
I'm sure there are real problems with the GDPR (e.g. perhaps how and particularly where it's enforced, and how it favors large business over small, and that there aren't enough practical exemptions for small-scale data collection), but the fact that there's no reasonable and clearly legal loophole for the ads/tracker-business isn't one of them. That's not Kafkaesque, that's by design.
"They often do not allow a single click deny, you have to go through sometimes dozens of vendors and deny them one-by-one. This is so obviously illegal it isn't even funny."
The site sets two cookies on landing regardless of any clicks anywhere.
Edited because I can't reply:
There are lots of lies being told on this discussion. The EU websites track you even if you don't hit accept. It's a 13 month cookie.
"When opening a page where Europa Analytics is enabled, the browsing experience is registered by the service.
If you refuse cookies, you will also stop the Europa Analytics service. If you choose, though, to contribute your browsing experience on our websites as part of the anonymous statistics, you will enable us to significantly improve the performance of our communication, its outreach and its cost-efficiency."
Before accepting any cookies I got a _pk_id cookie expiring in 13 months.
They are clear this is what will happen.
Just check it for yourself before you listen to the lies / blather you read here.
The EU's own websites track you on first landing.
Note - I have been following this. They used to do a blocking cookie pop-up. This actually had nothing set on pop-up, but blocked you from using their websites until you gave consent or denied it.
The problem was, these required cookie popups are so annoying that many folks have (perhaps illegally) moved to the EU's new model, where they stick it at the bottom, they set the cookies, and if you just use the website you get them.
"Consent must be freely given, specific, informed and unambiguous."
So a question remains, if you give someone the option to decline to be tracked, is that enough? Or do you need actual consent?
The EU website is doing the tracking with option not to be. Other experts say you really should have consent first before doing any tracking.
Anyways, not giving my opinion on which is right, just that there are different views, and even EU does it in ways I think that folks here do not understand.
The one thing, the EU sites are extremely CLEAR about things, I do like that.
Exciting times.