GDPR – No reject option – what to do?(twitter.com) |
GDPR – No reject option – what to do?(twitter.com) |
Do you think it's possible to politely ask them on twitter to change? Maybe as a group?
Some even make it slow to accept, or reload to a homepage after submitting, instead of back to the original page. It just doesn't make any sense to me. But apparently people just accept it as the way the internet is nowadays.
If you are talking about this and not malicious reloads that make giving a consent harder. (I haven't seen that latter and the former doesn't bother me.)
The Data Protection Authority are underfunded and understaffed. They try the best with their resources.
There are way too many people that tolerate absolutely pathological software vendors for trivial reasons. Don't be part of the problem.
Obviously authorities can’t follow up on every small player here, so the key is to make an example by imposing some extremely large fines on some large companies.
Anyone who sees it should think “whatever we risk losing by losing 99% ad revenue is better than THAT”. Preferably sanctions should include personal sanctions on decisionmakers but I’m not sure if that’s possible as the regulation works now.
It needs to be made a proper criminal offense so that investigators have the tools they need. An efficient way to go about this could be to find one of the companies that supplies these dark pattern services (sells cookie gateway services), demand lists of their customers and verify that they indeed used that product - and fine all off them off the face of the internet.
This site here e.g. does it: https://www.spiegel.de/
imprint is still reachable, but if you want to read this news site you'll have to allow all the tracking crap.
They call it Nudging.
I might translate this to a proper blog post in English.
Both via legitimate interest and consent.
Now a lot of sites play tricks to make the reject/out-out a hard deliberately choice. (Which IS a violation of the GDPR, of course.)
In the large majority of websites, Google Analytics fires even before the cookie banner, and the banner is only used to inform you that by continuing navigation you are accepting to be tracked.
Yes, this is illegal. But not enforceable.
[1]: there are devs selling websites for 500 dollars/euros.
Look I need money, you want me to track users at each step, record ip and browser information(and extra), and log that into a database even if you haven't hit submit? Okay.
I don't agree, but my son needs to eat. My day job sucks, I'm in a never ending spiral, I'll code anything you want. My passion is far gone.
If you disagree, I actually agree with you, it shouldn't be this way, but this isn't the net of the 90's, I need side cash and my son is hungry.
To summise, I'll break every rule, or find a work around necessary to keep my family up, and I hate it.
I love the internet, hell it made me who I am, but until browsers become serious about user security, it's not going to happen.
https://twitter.com/LetMeReject/status/1366473613709365257?s...
Thanks to everyone supporting this. We changed the world a little bit.
If you think this format has potential please follow @LetMeReject.
Why can’t regulatory bodies set up automated flows and tools to handle this at scale? Don’t need to catch every case but they should be able to massively scale the complaints process for this.
Based on the lack of any real regulatory action under GDPR, I’m guessing regulators would prefer not knowing who’s breaking the law since they aren’t actively enforcing GDPR (for better or worse).
These accept-only 'consents' do the same type of trolling. Sometimes they even say on top of that that by using the site you accept their use of cookies. (Which is OK, as long as they only use essential, e.g. session cookies, but a lot of the time it's not the case.)
That might well not be a problem, depending on how the configuration and setup of Google Analytics was done in that case.
From https://www.cookiebot.com/en/google-analytics-gdpr/
- turn on IP anonymisation
- don't send personal data
- don't send pseudonymous identifiers
- I add: tell GA to not set cookies and to not track the user (IIRC it's "storage" set to "none" and "storeGac" set to false)
If one does that when the user's not opted-in to "analytics" or "tracking", that ought to be enough to satisfy informed consent, no? The site is then just tracking page views, with no personal information or cookies to fly around.
If the user then opts-in to analytics then the site's code could well send more pseudonymous data to Google Analytics, with the user's consent, as well as tell GA it's fine to track the user around the site using a cookie or whatever other means.
Same goes for the setup for Adwords or similar: it's all in the hands of the website, and so long as things are configured to not track the user, it might be fine.
If a site's livelihood depends on showing ads to users, it doesn't mean that the user has to opt-in to ads. They ought to opt-in to being tracked by the ad provider.
So, configure _that_ -- no opt in? No tracking. Opt in? Tracking, remarketing, retargeting, what-have-you.
It's all about "playing safe" and _not_ tracking when the user's not opted in.
Many sites instead do it the other way around, and do it all until/unless the user's opted-out.
And even then, I wouldn't hold my breath that they're really doing it.
Some are, or at least try hard to.
The GDPR strictly requires an explicit opt-in. So it's reasonable to assume that clicking on 'X' is a rejection. But some website do not accept that as a rejection.
Does that break the law?
In this case, only by consenting to the cookies I could have access to those links.
Only 'I agree' and 'See more' which leads to other dead-ends.
The law is written understanding that users are lazy/ignorant/non-technical. Anything else would have been useless.
Not the best way, I know, but better than nothing.
So you can supply an ad supported version and a paid version without ads, but you cannot require that those that choose the ad supported version must accept tracking ads.
You can’t segregate the same service, two distinct services one that is provided with ads that include 3rd party cookies and a separate paid service that does not is perfectly fine.
What you cannot do is to create multiple tiers in a free service based on different levels of tracking.
What you are describing sounds like a business can simply declare “well untargeted ads doesn’t pay enough so the options are tracking ads or paid subscriptions”. The regulation shouldn’t and doesn’t let a site make that decision. It would make it completely useless!
Police enforcement includes the police powers of arrest and detention.
GDPR enforcement is (I believe) limited to a fine which can be appealed to a court. If the enforcement department turns out to be wasting court time, then there are likely to be significantly negative consequences for that department (at least, more than for the police in the US).
I agree that fine collection is not an ideal way of funding a department, but not all incentives are perverse just because they exist - incentives are allowed to align.
You can’t force someone to provide their business at a loss.
As long as you don’t penalize or segregate users based on their decision alone it does not run afoul of GDPR, neither does blocking someone completely you just need to have a valid business reason for doing that and it has to be tied to the nature of the service including how it’s funded.
Of course not. But no one is forced to provide the ad funded service at all.
It’s not upto the DPAs to regulate things at this level just like you could run an astrology service and collect PII to give people readings, astrology is horseshit but you won’t run into issues with GDPR if you request users to give you their birthday and email to get spammed with BS on a daily basis.
Processing or possibly even keeping a birthdate for an astrology newsletter is clearly a legitiamate interest for the subscriber of that newsletter.
> but it’s a valid business model.
What is? Showing ads to provide a service is a valid business model yes. Showing tracking ads or blocking those who don't accept the ads - no.
But "I need to show the ads to keep the lights on" is NOT a legitimate interest to the visitor. The reason for handling the personal infrmation needs to be a hard requirement to provide service itself. Not merely part of the "business model". You cannot set up a separate service (paid subscription) and argue that because that other service exists, your ad-funded service deserves special exceptions from the GDPR e.g. that it can show ads which are tracked or else users are blocked. It's pretty clear in the regulation that "cookie walls" aren't allowed, just like pre-checked/assumed consent isn't.
You can provide users with a binary choice, as long as it’s all or nothing and the free service and paid service are separate it’s acceptable.
I too thought GDPR is much stricter but in reality it’s not. Both the ICO and several continental DPAs including the German one allow for binary choice.