> According to the EU law if you don’t click accept it’s equivalent to denying.
The result is the same. Technically there's no such thing as denying, only providing (explicit) consent. If consent is required and no consent is provided, then there is no ground for processing.
How do you object to the site's legitimate interest use of your personal data? That is a legal ground for processing, which can be enabled by default as long as you are provided with an option to actively object.
> How do you object to the site's legitimate interest use of your personal data?
With the legitimate individual control over one's own data required to run a healthy society and unavoidable to sustain a democracy. If a business can't exist without threatening society, the sooner it's going out of existence the better.
If it is an actual legitimate interest then you would likely be expected to contact the site out of band to object to the use of your data. Depending on the technical details you might not be able to continue using the site after a successful objection. In some cases the site might be able to reject your request.
The cookie banner thing is intended to allow the user to explicitly provide consent, should they for some reason wish to do so.
The cookie banners are routinely used to object to "legitimate interest" uses and the corresponding sites continue to work normally, not sure what your alternate understanding is based on.
The cookie banners are for initial consent. You just consent to less stuff sometimes.
A website might claim some sort of legitimate interest for the initial collection of data but might not think that they can claim that for the retention of data I suppose. That would seem kind of dodgy to me...
Just because a website claims something doesn't mean it is valid. There isn't a lot that falls under legitimate interest for a website.
What you state is provably wrong. Consent and objection to legitimate interest are two different things, in the eyes of GDPR, and are managed separately in privacy banners:
Navigate to a website of your choice [1]. Let's assume its privacy banner is served by onetrust.
The text at the top of their "Privacy Center" says, verbatim, "We share this information with our partners on the basis of consent and legitimate interest. You may exercise your right to consent or object to a legitimate interest"
If you then unfold the "Manage Consent Preferences" you will notice that you can, _separately_, provide your consent for a given purpose, by sliding the switch to the right to enable it, and also, _at the same time_, "Object to Legitimate Interests" by clicking on the button labeled so.
Of course, this is a dark pattern to make it as cumbersome as possible to object to Legitimate Interest purposes.
It’s also to check if something works. I recently added something new and while I cannot and will not track any personally identifying information, I still need some data on whether people go through the whole process alright. That covers legitimate interest. It’s the minimum data I collect and it gets wiped after some time.
An IP address is not "personally identifiable data". You cannot know who the person is just because you got an IP address in the request.
We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
> An IP address is not "personally identifiable data".
GDPR says it is [1][2].
> We are almost 10 years into the GDPR, and we still have these gross misunderstandings
Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:
> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;
From Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses
When an IP address is linked to any other data, then it counts as PII. By itself, it's not.
So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legitimate interest to serve anything, because you will need their IP address".
IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
Basically we are in agreement: IP addresses, by themselves, are not PII; only when they are linked to other information (a cookie, a request log) does it constitute processing.
So, apologies if I was not precise in my comment, but I still stand by the idea: you don't need a consent screen that says "we collect your IP address", if that's all you do.
Not really, no. I don’t think I can make it more clear than I, or the law, already did: IPs are PII no matter what. Period. It’s literally spelled out in the law.
The misconception is that you need explicit consent for any kind of processing of PII. That is not the case. The law gives you alternatives to consent, if you can justify them. Some will confuse this with “must mean IPs aren’t PII”, which is not the case.
An IP address linked with the website being accessed is already PII.
When serving content, you're by necessity linking it to a website that's being accessed.
For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.
An IP address is considered personal data and can be considered personally identifiable data in some circumstances, for example if you can geolocate someone to a small area using it.
- They don't care about the cookies they are setting on their properties, if most of the functionality they have requires you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.
This is not my experience at all with Facebook. Since six months ago or so, Facebook is saying my three options are to pay them a subscription, accept tracking, or not use their products. I went with option three, but my reading of the GDPR is that it's illegal for them to ask me to make this choice.
I'm in Spain, this is probably not the same worldwide.
The "Reject all" does not in fact reject all. They are taking extreme liberties with the "legitimate interest" clause to effectively do all tracking and analytics under it.
The YouTube consent screen for example includes this as a mandatory item:
> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services
I don't believe this complies with the GDPR to have this mandatory.
Also: the consent has to be informed consent. Me clicking away a nag banner, even if I click "accept" isn't informed consent by the definition of the law.
You want to share my data with your 300+ "partners" legally? Good luck informing me about all the ways in which every single one of those partners is using my data. If you are unable to inform me I can't give consent, even if I click "Accept all". That is however a you-problem, not a me-problem. If you share my data nonetheless you are breaking the law.
Undoing whatever data collection and sharing, as well as seeking and obtaining restitution, is probably a much harder problem to solve (for you) if you select accept.
Are you sure? Most notices provide a list of partners. What needs to be provided is a list of who gets to see which data for which purpose.
Most lists I have ever seen are lists that are not informing me of that, especially the lengthy ones. The only ones that comply are very short lists by privacy conscious website owners.
Except that isn’t an alternative title, unless you want to lie by omission thus being wrong.
“Apple offers new option for subscription in addition to existing one-time purchase options” might be an alternative though, and reduce the number of cynically inane comments from people that apparently didn’t RTFA before commenting.
Here's what we always tell founders about demo videos: "What works well for HN is raw and direct, with zero production values. Skip any introductions and jump straight into showing your product doing what it does best. Voiceover is good, but no logos or music!"
The video I provided was a raw, uncut, video. The editing is done by Screen Studio, which only does the "zoom" effect. But there's no studio magic there. I didn't speed anything up or cut out buggy bits or even do a retake!
Yes, it's also failing on my workspace account but worked on my personal one. Might be a bug or a delayed deployment for workspaces b/c it might need to be "enabled" by admins?
Oh well. Uninstalled. This was my first experience doing software development guided by AI. Doesn't seem like a tool that will serve me well in the long run.