> If your use was really, trully unobjectionable you'd be fine with getting clear and explicit consent.
This ignores human nature: requiring people to make a decision, any decision, is a friction point that will lose users. Something like "we'd like to increment a counter when our app crashes, we won't log anything else than that single bit".
So first of all, you'll have people who will claim that you could be lying, and they'll opt out, or not install your app, or whatever. Fine. But now all the people who truly didn't and don't actually care will have to make a decision. And making choices takes effort. So some people will just refuse to make a choice, and you'll lose users.
Consider the other side of this: I'm from the US but currently in Europe. GDPR requires explicit consent for the various trackers, it has defaults. I don't change them. I don't want to think about them. I don't care enough. And it's just effort I have to expend before I actually get to the stuff I'm interested in. Like a government mandated paywall (think the "we use cookies..." but more extreme, with checkboxes to decide which cookies they can store).
Even as someone who truly actually doesn't care, and is happy to, in the abstract, give explicit consent to all the tracking these sites do, I don't want to have to explicitly consent, because its work to do something I don't care about.
I expect, though I'm by no means certain, that most people who aren't on HN are in that bucket. And that means that requiring explicit consent for otherwise innocuous things is just bad for business with little gain, and it numbs people for explicit consent on actually important things.
> requiring people to make a decision, any decision, is a friction point that will lose users
One could argue that's a good thing.
> you'll have people who will claim that you could be lying
That's not a claim, that's a fact. You could very well be lying and I wouldn't know as I don't have access to the internals of your company.
> But now all the people who truly didn't and don't actually care will have to make a decision. And making choices takes effort.
The horror!
> So some people will just refuse to make a choice, and you'll lose users.
Good, people shouldn't blindly sign up to services they don't understand just because it's a new shiny thing.
> I don't change them. I don't want to think about them. I don't care enough.
Good for you. I'm also in Europe and I think GDPR is fine and I do change the cookie settings instead of just clicking through.
> And it's just effort I have to expend before I actually get to the stuff I'm interested in. Like a government mandated paywall
Music to my ears.
> requiring explicit consent for otherwise innocuous things is just bad for business with little gain
I couldn't care less about what's good or bad for a data collecting business, I care about the people whose data will inevitably be leaked by said business in a future breach.
Then you should make that argument. If you think it's a good thing, put in the effort of saying why. Don't force me to imagine why it might be so.
> That's not a claim, that's a fact.
Sure. But asking for explicit consent for the innocuous thing: logging a bit and nothing else, doesn't change the fact that the company could be lying. Nothing is gained. If they're lying about logging the bit, they might be lying if you opt out. Obviously it's far easier to figure out what is being sent than what is being being logged serverside, but you'd still need to verify that independently. If you don't trust the group providing the service, unless its verifiably trustless (not communicating at all or client-side encrypted with minimal side channels), you shouldn't use the service. Otherwise, you're still trusting the service provider.
> The horror!
Yes. Making people expend mental energy on otherwise unimportant/irrelevant decisions is anti-user.
> Good, people shouldn't blindly sign up to services they don't understand just because it's a new shiny thing.
My point is a lot of people do understand and just don't give a shit. Getting in the way of those people is anti-user.
> Music to my ears.
Again, anti-user.
> I care about the people whose data will inevitably be leaked
I'm talking about innocuous things. Things where being leaked isn't a problem: truly anonymous or aggregated data that can't be used to identify or tied back to an individual user or group. You're saying users should still need to opt in to those kinds of tracking. That's anti-user. It obfuscates actually harmful tracking.
To phrase it another way, there's PII and not-PII. Are you suggesting that tracking of non-PII need explicit user consent? Even if revealing non-PII, by definition, can't be tied to an individual user?
>by said business in a future breach.
Recently, we've seen leaks of PII from CapitolOne and Equifax. Click boxes on websites don't help when the data being leaked is banking information that (for capone) has to be stored tied to an identity and can only be opted out of by not using the products in question (credit cards, banks), or isn't gotten from the user at all (equifax).
How does clicky-consent boxes on their websites help with that?
There's a difference between a post request with zero content to some count API and a request with metadata. If there were a way to send a request without even info like IP address, it'd be even less objectionable, but that kind of request doesn't exist on our current tech stack.
Yes, because you get a bunch of meta information when any device of mine uses my internet connection to connect to your servers to increase that counter. If you save that information or not, you created a trail.
I expect from any app that it doesn't establish any connections per default to be honest. You can have that as an option that I can enable if I feel like it.
Ok, so what if the app is internet connected and has to communicate with some central server? Think a non-p2p messaging app, or an app for a bank/<some internet thing like youtube or facebook or reddit>?
Then it is obviously allowed to do that for that specific purpose. If you want your flag to be packaged into the data stream, it has to be some option that says "send additional diagnostic data".
It should be noted that the GDPR doesn't apply to truly anonymous data, like your hypothetical counter. The reason you get those consent dialogs is because those trackers are doing a whole lot more than incrementing counters.
In fact, is anyone incrementing counters nowadays? At all? Every solution I see involves pushing a whole crash report filled with a bunch of device info (including IDs, IP, etc) and then aggregating that into numbers. Talking about incrementing counters seems like misdirection when discussing the current state of privacy.
> requiring explicit consent for otherwise innocuous things […] numbs people for explicit consent on actually important things.
I know HN is not the right place for tinfoil hat conspiracy theories, but that sentence gave me shivers, thinking it could be the real reason those cookie consent shenanigans were mandated in the first place.
It's probably not, it's probably just a power game between the EU government and US companies. But still.
This ignores human nature: requiring people to make a decision, any decision, is a friction point that will lose users. Something like "we'd like to increment a counter when our app crashes, we won't log anything else than that single bit".
So first of all, you'll have people who will claim that you could be lying, and they'll opt out, or not install your app, or whatever. Fine. But now all the people who truly didn't and don't actually care will have to make a decision. And making choices takes effort. So some people will just refuse to make a choice, and you'll lose users.
Consider the other side of this: I'm from the US but currently in Europe. GDPR requires explicit consent for the various trackers, it has defaults. I don't change them. I don't want to think about them. I don't care enough. And it's just effort I have to expend before I actually get to the stuff I'm interested in. Like a government mandated paywall (think the "we use cookies..." but more extreme, with checkboxes to decide which cookies they can store).
Even as someone who truly actually doesn't care, and is happy to, in the abstract, give explicit consent to all the tracking these sites do, I don't want to have to explicitly consent, because its work to do something I don't care about.
I expect, though I'm by no means certain, that most people who aren't on HN are in that bucket. And that means that requiring explicit consent for otherwise innocuous things is just bad for business with little gain, and it numbs people for explicit consent on actually important things.