GDPR – No reject option – what to do? (twitter.com/letmereject)
44 points by ezzato on March 1, 2021 | hide | past | favorite | 71 comments


As a European I encounter a lot of dark patterns to circumvent privacy laws. Some just ignore your choice and track you. Some don't give you a reject option. Some make it really, really annoying (or slow) to reject.

Do you think it's possible to politely ask them on twitter to change? Maybe as a group?


> Some make it really really annoying (or slow) to reject.

Some even make it slow to accept, or reload to a homepage after submitting, instead of back to the original page. It just doesn't make any sense to me. But apparently people just accept it as the way the internet is nowadays.


Reload probably means that they have implemented it fully on the server side. So the cookie (about the cookies) gets set through the server, or worse, they initially send down the cookies and then clear them with the reload.

If you are talking about this and not malicious reloads that make giving a consent harder. (I haven't seen that latter and the former doesn't bother me.)


I thought there was an official governmental point of contact that handled such complaints, and had teeth?


In France there is CNIL (https://www.cnil.fr/) and they seem to try to follow up on reports, at least for French-located companies/websites, I think.


I filed a few complaints 2 years ago. It took over 1 year for an answer. Basically nothing happened.

The Data Protection Authorities are underfunded and understaffed. They try their best with their resources.


Can't we fund these authorities with the fines they generate?

Not the best way, I know, but better than nothing.


That would create a perverse incentive inevitably leading to corruption.


It creates an incentive (to identify entities breaking the law), but I don't see how this is perverse. It's the desired result.


The same reason funding police departments on ticket revenues is bad. It incentivizes overzealous enforcement, where it's not so much about preventing people from breaking the law, but instead figuring out what you can pin on them.


I would say this is quite a different situation:

Police enforcement includes the police powers of arrest and detention.

GDPR enforcement is (I believe) limited to a fine which can be appealed to a court. If the enforcement department turns out to be wasting court time, then there are likely to be significantly negative consequences for that department (at least, more than for the police in the US).

I agree that fine collection is not an ideal way of funding a department, but not all incentives are perverse just because they exist - incentives are allowed to align.


Maybe don't use services that are abusing you?

There are way too many people that tolerate absolutely pathological software vendors for trivial reasons. Don't be part of the problem.


Either a site has the opt out choice clear, marked by default (the bigger/more visible button), or it should be reported.

Obviously authorities can’t follow up on every small player here, so the key is to make an example by imposing some extremely large fines on some large companies.

Anyone who sees it should think “whatever we risk losing by losing 99% ad revenue is better than THAT”. Preferably sanctions should include personal sanctions on decisionmakers but I’m not sure if that’s possible as the regulation works now.

It needs to be made a proper criminal offense so that investigators have the tools they need. An efficient way to go about this could be to find one of the companies that supplies these dark pattern services (sells cookie gateway services), demand lists of their customers and verify that they indeed used that product - and fine all of them off the face of the internet.


It's not illegal to just cookie-wall your whole site without options, or is it?

This site here e.g. does it: https://www.spiegel.de/

imprint is still reachable, but if you want to read this news site you'll have to allow all the tracking crap.


The DPA (Lower Saxony) says it's not. German link: https://lfd.niedersachsen.de/startseite/themen/internet/date...

They call it Nudging.

I might translate this to a proper blog post in English.


I noticed that too. A lot of German media started doing this ("pur" subscription vs "full" subscription which also gives access to additional paywalled articles). I would be surprised if these huge publishers didn't do their legal legwork - or they are doing it just waiting for a test lawsuit to clarify the reading of the law.


The freemium in itself is certainly legal. In the case of Spiegel, though, it's really accepting tracking for the free articles. sz.de, e.g., has the usual toggle option for the different cookies.


A big part of GDPR is that you can't just say "by using our site you agree to forgo your GDPR rights" or "click here to agree not to invoke your GDPR rights" or anything like that.


And you are allowed to give data to any other party if they sign to agree with GDPR and you want their services...


Accessing the site with javascript switched off seems to defeat this.


It is illegal, they cannot offer free but tracked vs paid and untracked service. I guess GDPR enforcement didn't reach them yet.


Weird. They are well known in Germany.


I think enforcement is not there yet, here’s another very similar example: https://iapp.org/news/a/ico-tells-washington-post-it-offers-...


Yes you can: you can provide an ad-supported service with tracking and a paid one without.

Both via legitimate interest and consent.


The service cannot be dependent on the acceptance of third party cookies, no. That is, the service provided to those that reject third party cookies cannot be worse (slower or incomplete, for example) compared to the visitors who accept cookies.

So you can supply an ad supported version and a paid version without ads, but you cannot require that those that choose the ad supported version must accept tracking ads.


I have gotten confirmation from several DPAs that state a very different interpretation.

You can’t segregate the same service, two distinct services one that is provided with ads that include 3rd party cookies and a separate paid service that does not is perfectly fine.

What you cannot do is to create multiple tiers in a free service based on different levels of tracking.


That sounds like an extremely business friendly interpretation of the regulation. Creating a separate service (the paid one) shouldn’t in any way change the circumstances for the first service (the one with ads).

What you are describing sounds like a business can simply declare “well untargeted ads doesn’t pay enough so the options are tracking ads or paid subscriptions”. The regulation shouldn’t and doesn’t let a site make that decision. It would make it completely useless!


DPAs including the German one are quite “business” friendly unless it will be challenged in court.

You can’t force someone to provide their business at a loss.

As long as you don’t penalize or segregate users based on their decision alone it does not run afoul of GDPR, neither does blocking someone completely you just need to have a valid business reason for doing that and it has to be tied to the nature of the service including how it’s funded.


> You can’t force someone to provide their business at a loss.

Of course not. But no one is forced to provide the ad funded service at all.


No but it’s a valid business model.

It’s not up to the DPAs to regulate things at this level, just like you could run an astrology service and collect PII to give people readings. Astrology is horseshit, but you won’t run into issues with GDPR if you request users to give you their birthday and email to get spammed with BS on a daily basis.


> you could run an astrology service and collect PII to give people readings

Processing or possibly even keeping a birthdate for an astrology newsletter is clearly a legitimate interest for the subscriber of that newsletter.

> but it’s a valid business model.

What is? Showing ads to provide a service is a valid business model yes. Showing tracking ads or blocking those who don't accept the ads - no.

But "I need to show the ads to keep the lights on" is NOT a legitimate interest to the visitor. The reason for handling the personal information needs to be a hard requirement to provide the service itself. Not merely part of the "business model". You cannot set up a separate service (paid subscription) and argue that because that other service exists, your ad-funded service deserves special exceptions from the GDPR, e.g. that it can show ads which are tracked or else users are blocked. It's pretty clear in the regulation that "cookie walls" aren't allowed, just like pre-checked/assumed consent isn't.


Legitimate interest as defined in the GDPR isn’t that of the user, it’s that of the business.

You can provide users with a binary choice, as long as it’s all or nothing and the free service and paid service are separate it’s acceptable.


Legitimate interest can be for anything (user, business, society as a whole), but it's still highly questionable whether sharing people's PII for ads alone is a legitimate interest (it's not clear it isn't either - the text is deliberately vague). What's clear is that you can't show people "by entering you accept to". You have to show them an opt out, and if they opt out they need to get a service that is as good as if they opt in. Binary choice shouldn't help - if that has been a judgement it's very dubious imho.


No, they absolutely do not need to get a service. You cannot degrade a service, but you can very much make it dependent on consent; heck, you don’t even need consent, it just prevents you from having to do an LIA. You can simply inform the user of what is going on and allow them the option not to use the service.

I too thought GDPR is much stricter but in reality it’s not. Both the ICO and several continental DPAs including the German one allow for binary choice.


I was careful in my post to write tracked vs untracked. Sure they can show the ads, just don’t track me unless I consent.


Why are you all talking about the "reject option", which implicitly considers the opt-in to be the default? The default MUST be the opt-out (for non-essential cookies), hence there is no "reject" because there must be the "accept".


You can be forced to choose, i.e. you can be presented with a popup. And that popup should have both a reject (opt-out) and an accept (opt-in) option. Well, the latter is not needed but otherwise it wouldn't make sense.

Now a lot of sites play tricks to make the reject/opt-out a deliberately hard choice. (Which IS a violation of the GDPR, of course.)


Most websites, made by low budget webdevs which are thriving thanks to companies asking for low budget websites[1], do not consider - even in the EU - the reject option.

In the large majority of websites, Google Analytics fires even before the cookie banner, and the banner is only used to inform you that by continuing navigation you are accepting to be tracked.

Yes, this is illegal. But not enforceable.

[1]: there are devs selling websites for 500 dollars/euros.


My experience is that customers don't even want a reject option, and that pricing is not really part of the question.


Pricing correlates to 0.95 with poorly managed cookies in my anecdotal experience. Customers don't even know what all that means, they just want a cheap, functioning website.


Yes, and most consumers outside the tech space just want to access the content. 95% of my friends have no clue what a cookie is - they just press the green button and get on with their shopping. It's not an education issue either - they just don't particularly care.


Exactly - and the regulators thought of this. The obvious/simple/default option MUST be the one that protects the users information the most, or the GDPR is violated.

The law is written understanding that users are lazy/ignorant/non-technical. Anything else would have been useless.


That's true. As long as they don't have to bear the external cost, it's cheap to pollute. But the market is two sided. We can bring the cost to the polluter if we choose to.


Just to hit on your [1], I've sold them for less.

Look, I need money. You want me to track users at each step, record IP and browser information (and extra), and log that into a database even if you haven't hit submit? Okay.

I don't agree, but my son needs to eat. My day job sucks, I'm in a never ending spiral, I'll code anything you want. My passion is far gone.

If you disagree, I actually agree with you, it shouldn't be this way, but this isn't the net of the 90's, I need side cash and my son is hungry.

To summarise, I'll break every rule, or find a work around necessary to keep my family up, and I hate it.

I love the internet, hell it made me who I am, but until browsers become serious about user security, it's not going to happen.


I love how it says "Learn more and customize" but doesn't actually let you customize anything. Just shows you dozens of links where you can supposedly "Opt out" by going to the target directly.


UPDATE: the cookie banner was updated. A reject option is now available!

https://twitter.com/LetMeReject/status/1366473613709365257?s...

Thanks to everyone supporting this. We changed the world a little bit.

If you think this format has potential please follow @LetMeReject.


Checking whether cookie banners are compliant should be mostly straightforward for regulatory bodies. In 90% of cases it’s clear if there’s opt in or not.

Why can’t regulatory bodies set up automated flows and tools to handle this at scale? Don’t need to catch every case but they should be able to massively scale the complaints process for this.


It is, but there are a huge number of web sites. And I don't think automation is possible unless you are only allowed to use an approved consent script.


If the regulatory bodies have a list of people actively breaking the law, and the public knows that, it would require them to make a decision “do we do anything about this or not”

Based on the lack of any real regulatory action under GDPR, I’m guessing regulators would prefer not knowing who’s breaking the law since they aren’t actively enforcing GDPR (for better or worse).


This pattern is kind of like what Microsoft did in the nineties with their license agreement: it was contained in the shrink-wrapped box and the agreement said that by opening the shrink-wrap you've accepted the terms.

These accept-only 'consents' do the same type of trolling. Sometimes they even say on top of that that by using the site you accept their use of cookies. (Which is OK, as long as they only use essential, e.g. session cookies, but a lot of the time it's not the case.)


> Google Analytics fires even before the cookie banner

That might well not be a problem, depending on how the configuration and setup of Google Analytics was done in that case.

From https://www.cookiebot.com/en/google-analytics-gdpr/

- turn on IP anonymisation

- don't send personal data

- don't send pseudonymous identifiers

- I add: tell GA to not set cookies and to not track the user (IIRC it's "storage" set to "none" and "storeGac" set to false)

If one does that when the user's not opted-in to "analytics" or "tracking", that ought to be enough to satisfy informed consent, no? The site is then just tracking page views, with no personal information or cookies to fly around.

If the user then opts-in to analytics then the site's code could well send more pseudonymous data to Google Analytics, with the user's consent, as well as tell GA it's fine to track the user around the site using a cookie or whatever other means.

Same goes for the setup for Adwords or similar: it's all in the hands of the website, and so long as things are configured to not track the user, it might be fine.

If a site's livelihood depends on showing ads to users, it doesn't mean that the user has to opt-in to ads. They ought to opt-in to being tracked by the ad provider.

So, configure _that_ -- no opt in? No tracking. Opt in? Tracking, remarketing, retargeting, what-have-you.

It's all about "playing safe" and _not_ tracking when the user's not opted in.

Many sites instead do it the other way around, and do it all until/unless the user's opted-out.

And even then, I wouldn't hold my breath that they're really doing it.

Some are, or at least try hard to.
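An added illustration of the "don't track until opted in" setup the comment above describes; this is not the commenter's code nor Google's. The `sendHit` sink stands in for the real analytics transport, the hit shape is constructed, and the option names (`anonymizeIp`, `storage`, `storeGac`) are taken from the comment rather than verified against a live tracker.

```javascript
// Only an explicit "accept" counts as consent. Closing the banner with the X
// ("dismiss"), clicking reject, or never interacting all leave the visitor
// un-tracked, so the privacy-preserving configuration is the default.
function consentFromBannerAction(action) {
  return action === "accept";
}

// analytics.js-style "create" options for the current consent state.
// Without consent: IP anonymisation on, no cookies (storage: "none") and no
// Google Ads click-id storage (storeGac: false), as listed in the comment.
function trackerOptions(consented) {
  const base = { anonymizeIp: true };
  return consented ? base : { ...base, storage: "none", storeGac: false };
}

// Without consent, reduce a hit to a bare page view: drop everything that
// identifies the visitor or links visits together. Field names are assumed.
function sanitizeHit(hit, consented) {
  if (consented) return { ...hit };
  const { userId, clientId, customDimensions, ...rest } = hit;
  return rest;
}

class ConsentGate {
  constructor(sendHit) {
    this.sendHit = sendHit;  // transport sink; the real GA client in production
    this.consented = false;  // opt-out is the state before any banner action
  }
  onBannerAction(action) {
    this.consented = consentFromBannerAction(action);
    return trackerOptions(this.consented);
  }
  pageview(hit) {
    const out = sanitizeHit({ type: "pageview", ...hit }, this.consented);
    this.sendHit(out);
    return out;
  }
}

// Constructed walk-through: a page view before any decision, then the visitor
// closes the banner with the X, then later explicitly accepts.
function demoSession() {
  const gate = new ConsentGate(() => {});
  const visit = { page: "/article", clientId: "c-1", userId: "u-42",
                  customDimensions: { plan: "pur" } };
  const beforeDecision = gate.pageview(visit);
  const afterDismiss = gate.onBannerAction("dismiss");
  const dismissed = gate.pageview(visit);
  const afterAccept = gate.onBannerAction("accept");
  const accepted = gate.pageview(visit);
  return { beforeDecision, afterDismiss, dismissed, afterAccept, accepted };
}
```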


If I ignore privacy banners (or click the 'x') do the websites I visit go about their business as if I had clicked accept?


It's not legal, but they probably do so anyway.


I use uBlock Origin to delete the GDPR banner, clicking neither "accept" nor "reject". I just hide it. I have no idea whether this makes any legal difference, and I am sure the assholes responsible don't care either way, but it makes me feel better to circumvent the silliness.


Some do some don't.

The GDPR strictly requires an explicit opt-in. So it's reasonable to assume that clicking on 'X' is a rejection. But some websites do not accept that as a rejection.


This particular web site states openly that they do take clicking on the "X" as acceptance of tracking.


The reject option would be leaving the banner up wouldn't it?

Does that break the law?


In this case the footer banner is not accessible with an open cookie banner. E.g. German law requires the website owner to have a legal link to the website representative.

In this case, only by consenting to the cookies I could have access to those links.


You can’t use the site/service as well as the person accepting, then? So it’s obviously in violation.


Same on youtube!

Only 'I agree' and 'See more' which leads to other dead-ends.


The best reject option is to disable cookies completely for casual browsing.


Or destroy the whole virtual machine used for casual browsing. Except tracking includes browser fingerprint, which will not be reset even in this way.


Fingerprinting is nearly impossible with JS and cookies disabled, which is how I casually browse. And yes, I spoof my user agent. IP is their best signal, and admittedly they fall back to that. I often get ads intended for my housemates.


Unless we all share the same VM image...


I assume it would be a performance disaster, but transparently running the browsing process in identical VM's would probably make fingerprinting much harder. I like the idea!


Unfortunately this is not so simple. I am using Qubes OS with disposable virtual machines and my fingerprint is always unique. Have a look at the corresponding discussion if you are interested: https://qubes-os.discourse.group/t/is-your-browser-fingerpri....


Thanks!


Click the X?


Quoting the banner: "You can consent to the use of such technologies by closing this notice"


Well the implication of that sentence is therefore that if you click "Accept" you're simply accepting that you can consent by closing the notice. Therefore clicking the X is consenting, and clicking "Accept" is choosing not to consent.


I really wish the above reasoning could stand up in court!



