[HN Gopher] Noyb.eu files 422 formal GDPR complaints on nerve-wr...
___________________________________________________________________
Noyb.eu files 422 formal GDPR complaints on nerve-wrecking "Cookie
Banners"
Author : hosteur
Score : 118 points
Date : 2021-08-10 19:45 UTC (3 hours ago)
(HTM) web link (noyb.eu)
(TXT) w3m dump (noyb.eu)
| ckastner wrote:
| Max Schrems is just amazing. Big Tech has been steamrolling over
| privacy for more than a decade, but Schrems keeps pushing back on
| them through courts. With _major_ success (in the EU, at least).
|
| And he's not some hard-line activist with extreme demands, all
| he's doing is asking for reasonable stuff.
|
| [1] https://en.wikipedia.org/wiki/Max_Schrems
| solarkraft wrote:
| Take my money. I hate these banners, among the other common GDPR
| violations.
| AlanYx wrote:
| Doesn't this approach put the cart before the horse? The GDPR
| contains a lot of aspirational language, but European data
| protection authorities _haven't_ yet articulated clear, binding
| common standards in this area. In the linked article, Max
| acknowledges this ("Others said that they want a clear ruling by
| the authorities, before they start complying.")
|
| There's also the reality that different DPAs have _different_
| interpretations of what the GDPR requires. In the linked article,
| Max also acknowledges this: "We need clear pan-European rules.
| Right now, a German company feels that the French authorities'
| interpretation of the GDPR only applies to France, even though
| they operate under the same law within the same European market."
|
| This may be an unpopular take, but Noyb is essentially harassing
| hundreds of companies with his organization's particular
| interpretation of the GDPR. Wouldn't it be more appropriate to
| first push authorities to develop common, clear, technically
| detailed, and legally binding interpretations of the GDPR, rather
| than going after companies to take action in what is still a grey
| area? It's not even clear at this point that the changes Noyb is
| pushing for are either legally required or, on the flipside,
| legally sufficient.
| WesolyKubeczek wrote:
| Oh, just stop it right there. GDPR is already quite clear, the
| companies just keep pretending it's more complicated than it
| actually is because they want to continue to look out for
| number one, is all.
| AlanYx wrote:
| But the GDPR is _not_ clear -- I gave two examples from the
| linked article to support my point.
|
| The same thing is true across the GDPR... I'm more familiar
| with the academic literature around whether there is a "right
| to an explanation" for AI systems embedded in the GDPR, for
| example. There are dozens of academic papers arguing both
| sides of that specific question, with no clear conclusion or
| consensus.
| zibzab wrote:
| Your mistake is that you believe that (1) the law is not
| clear and (2) these poor companies end up with these crazy
| solutions because the law is unclear.
|
| The thing is that the _intent_ of the law is very clear.
| You could search for loopholes and come up with all kinds
| of creative solutions to go around it, but then you can't
| pretend it is a decision you made in good faith.
| stavros wrote:
| NOYB is great for our liberties, please make sure to support them
| with a _recurring_ donation:
|
| https://support.noyb.eu/join
| Aerroon wrote:
| https://europa.eu/
|
| If the European Union's own main website cannot do without a pop-
| up then what are we even talking about? They have effectively
| limitless resources to make it work. Their website doesn't even
| have to earn money and yet even they use a consent pop-up.
| PhasmaFelis wrote:
| I'm not sure what you're trying to say. It seems perfectly
| reasonable for the EU's website to adhere to its own rules.
| pentagrama wrote:
| I didn't remember the site, but the other day I saw one of these
| deceptive cookie banners that tries to trick you into accepting all
| cookies and makes you do many steps to reject.
|
| I noticed that the banner was made by "One Trust", and if you go
| to the One Trust site, the examples shown are not deceptive at all
| [1], all the examples have a clear "Reject all"/"Accept all"
| buttons.
|
| One Trust's marketing page hides that it has deceptive designs
| built in.
|
| I guess the OP can make GDPR complaints to One Trust and services
| like that, and fix in bulk the sites that are using those
| services (or make it lose clients and shut down).
|
| [1] https://www.onetrust.com/cookie-banner-gallery/
| hhlbf wrote:
| How can I file a formal complaint against the EU for this stupid
| cookie law?
| alpaca128 wrote:
| The problem is the countless websites breaking the law or
| complying in the most annoying, manipulative way possible. All
| the EU is asking for is that users aren't spied on and tracked
| across the web without their consent.
|
| This is as if they made stalking illegal without consent, so
| now you are followed all day by annoying clowns constantly
| interrupting you asking whether you consent to them stalking
| you.
| mook wrote:
| The cookie law is fine, the problem is with companies who
| maliciously comply with it (and often "comply" with it in a way
| that doesn't actually comply at all).
|
| It's sort of like how telcos in America like to comply with
| various sales taxes by... making something up and adding a line
| item to your bill purporting to be taxes, but really it's just
| them charging you for no reason.
| dt3ft wrote:
| I would like to know this as well.
| [deleted]
| tester756 wrote:
| Just out of curiosity
|
| Do you know how many websites are there that show cookie banners
| when they don't have to?
|
| e.g. they have only auth/technical cookies
| 7952 wrote:
| Don't know how many. But I have had a few times where we used
| external APIs that could conceivably set a cookie.
| g_p wrote:
| An interesting question as many don't understand the rules for
| when consent is required.
|
| I'd wager it is far fewer sites than who don't show one, or
| show a meaningless pop-up saying they use cookies and you agree
| by browsing to the site.
|
| These sites almost invariably are using GTM to load all sorts
| of third party scripts and cookies....
|
| Heck even sites that show cookie prompts often don't link the
| prompt to the actual script placing the cookies! Cookies dumped
| before the consent box has even loaded...
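The comment above describes the usual failure: a tag manager injects every third-party script on page load, so cookies are set before the banner is even drawn and the prompt is not tied to the scripts it is supposed to gate. The block below is an added example, not code from the thread or from any tag manager, of a consent-gated loader that registers each tag with the purpose it needs and injects nothing non-essential until the visitor has actively opted in to that purpose. The tag names, purposes, vendor URLs and the `consent` localStorage key are hypothetical.

```javascript
// Added example, not code from the thread or from any tag manager: a
// consent-gated tag loader. Each third-party tag is registered with the
// consent purpose it needs, and nothing is injected until the visitor has
// actively opted in to that purpose. Tag names, purposes and vendor URLs
// are hypothetical.

const TAG_REGISTRY = [
  // Essential: supports a feature the visitor chose (their login session).
  { name: 'session-keepalive', purpose: 'essential', src: '/static/session.js' },
  // Non-essential: may only run after an explicit opt-in for that purpose.
  { name: 'analytics-vendor', purpose: 'analytics', src: 'https://analytics.example/tag.js' },
  { name: 'ads-vendor', purpose: 'advertising', src: 'https://ads.example/pixel.js' },
];

// Every non-essential purpose starts out refused; there are no pre-ticked defaults.
function defaultConsent() {
  return { analytics: false, advertising: false };
}

// Parse a stored consent record. Only an explicit boolean `true` counts as
// consent, so a missing, corrupted or tampered record fails closed.
function parseConsentRecord(json) {
  const consent = defaultConsent();
  let parsed;
  try {
    parsed = JSON.parse(json);
  } catch (e) {
    return consent;
  }
  if (!parsed || typeof parsed !== 'object') return consent;
  for (const purpose of Object.keys(consent)) {
    consent[purpose] = parsed[purpose] === true;
  }
  return consent;
}

function isAllowed(tag, consent) {
  return tag.purpose === 'essential' || consent[tag.purpose] === true;
}

// Inject every registered tag the current consent permits. `inject` receives
// the script URL and is passed in so the decision logic runs without a DOM.
// `loaded` remembers what has already been injected, so this can be called
// again after the visitor changes their choices. Returns the tags loaded now.
function loadAllowedTags(consent, inject, registry = TAG_REGISTRY, loaded = new Set()) {
  const loadedNow = [];
  for (const tag of registry) {
    if (loaded.has(tag.name) || !isAllowed(tag, consent)) continue;
    inject(tag.src);
    loaded.add(tag.name);
    loadedNow.push(tag.name);
  }
  return loadedNow;
}

// Browser wiring (hypothetical): load on page view from the stored record,
// and call loadAllowedTags again with the new consent when the banner is saved.
function browserInject(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const loaded = new Set();
  const stored = parseConsentRecord(localStorage.getItem('consent'));
  loadAllowedTags(stored, browserInject, TAG_REGISTRY, loaded);
}
```

Two points worth noting. First, the record is parsed with `=== true` per purpose rather than a truthiness check, so a vendor or a bug cannot turn a string like `"yes"` or a stale field into consent. Second, withdrawal is the hard case the article mentions: a script that is already running cannot be unloaded by this loader, so on withdrawal the page also has to delete that vendor's cookies and reload before the loader's fail-closed default takes effect.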
| zibzab wrote:
| It feels as if the companies are working hard to make it annoying
| and complex to opt out. Every iteration makes things a bit worse.
|
| We need people like Max to stop this annoying trend.
|
| Edit: while at it, i have to get this off my chest: Legitimate
| Interest is probably illegal and violates GDPR.
|
| Max should go after that next.
| xg15 wrote:
| Based on the occasional comments here, some analytics sites
| seem to track how many % of visitors actually accept cookies
| through the banners.
|
| It's not a surprising thing to do, but it pretty quickly leads
| to the percentage becoming yet another metric to "optimize".
|
| I think it's safe to assume there is no practical way to make
| more visitors _want_ to accept more cookies.
|
| That leaves only one way to optimize that metric, and that is
| dark patterns.
| tcldr wrote:
| Legitimate interest is one of the six legal bases for
| processing personal data under the GDPR, alongside: consent,
| performance of a contract, a vital interest, a legal
| requirement, and a public interest.
|
| I don't think we've seen much in the way of precedent being set
| here, but theoretically if you can demonstrate and document a
| measured approach to the way you collect and process data it
| should be fine. (Objection not withstanding.)
|
| On the other hand, a drag net approach to collecting and
| sharing data won't stand up to legitimate interest claims no
| matter how many toggles you put on your cookie banners.
| g_p wrote:
| What most websites don't realise is that cookies aren't only
| covered by GDPR, but also the ePrivacy directive (or more
| specifically its national implementation, since it is a
| directive).
|
| The ePD says consent is the only legal basis permitted for
| placing non essential cookies. Essential has a very narrow
| meaning that effectively covers a shopping basket or login
| cookie for features you elect to use. It doesn't cover
| analytics etc. No presumed consent, no opt-out, etc.
|
| The combination of GDPR and ePD means that your ePD cookie
| consent must meet GDPR standard levels of consent, which
| require clear, unambiguous opt-in, informed consent. And that
| rules out many dark patterns we see everywhere. The German
| "Planet 49" ruling confirms that consent is required for
| cookies.
|
| Therefore every time I see "legitimate interest" on a cookie
| banner, I know it's an ill-informed attempt at a dark pattern
| by someone who wants a second bite at the cherry, and doesn't
| understand they:
|
| 1. Require consent
| 2. Need this consent to be actively given (opt in, not opt
| out).
| 3. Can't just ask the question again with a pre-ticked box and
| hide it behind a tab or fold...
| zibzab wrote:
| My personal take is that there is no real legitimate interest
| here and these companies are just testing to see how far they
| can push this.
| xg15 wrote:
| In the dialogs I have seen so far, the "legitimate interest"
| page was always a perfect carbon-copy of the "consent" page -
| with the only difference that the "consent" options were off
| by default while the "legitimate interest" options were on by
| default.
|
| I understand that, legally, the buttons represent different
| actions (not giving consent vs objecting to a legitimate
| interest claim) but practically, the only purpose the
| "legitimate interest" page seems to serve is as a way to have
| on-by-default options that are still borderline legal.
|
| I can't imagine this is in the spirit of the law.
| pieno wrote:
| I think a lot of sites are conflating cookie consent and
| GDPR consent. You only need GDPR consent when processing
| personal data, so you don't need consent just for storing
| settings in a cookie (as long as those settings do not
| contain personal data or identifiers linked to personal
| data). But many sites will ask "GDPR consent" or claim
| "GDPR legitimate interest" for those settings cookies in
| any case (in my view that's a dark pattern in itself
| because you're actually making the site harder or
| impossible to use and thereby inducing visitors to just
| click the big green "accept all" button to get it over with
| already...)
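The two comments above (g_p's point that only a narrow set of essential cookies is exempt from consent under the ePrivacy rules, and pieno's point that a plain settings cookie holding no identifier is a different case again) suggest a concrete check: capture the `Set-Cookie` headers from a first page load with no consent stored, and report everything that is not on the essential allowlist, separating third-party cookies and unique identifiers from harmless preferences. The block below is an added example, not code from the thread; the allowlist, the hypothetical site `shop.example` and the captured headers are constructed sample data.

```javascript
// Added example, not code from the thread: an audit of the cookies a page
// sets before the visitor has answered the banner. Capture the Set-Cookie
// headers of a first load with no consent stored and pass them in; anything
// outside the essential allowlist is reported, with tracking identifiers and
// third-party cookies separated from harmless preference cookies. The
// allowlist and the captured headers below are constructed sample data.

// Cookies that only support a feature the visitor chose (login, basket, the
// consent decision itself) and carry no cross-site identifier.
const ESSENTIAL_COOKIES = new Set(['sessionid', 'csrftoken', 'basket', 'cookie_consent']);

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A preference like "lang=en" is short; a unique visitor ID is long and mixes
// letters and digits. Crude, but it separates the two cases seen in practice.
function looksLikeIdentifier(value) {
  return value.length >= 16 && /[A-Za-z]/.test(value) && /[0-9]/.test(value);
}

// `firstParty` is the site's own registrable domain, e.g. "shop.example".
function auditPreConsentCookies(headers, firstParty) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (ESSENTIAL_COOKIES.has(c.name)) continue;
    const domain = (c.attrs.domain || firstParty).replace(/^\./, '').toLowerCase();
    const thirdParty = domain !== firstParty && !domain.endsWith('.' + firstParty);
    const identifier = looksLikeIdentifier(c.value);
    findings.push({
      name: c.name,
      thirdParty,
      identifier,
      lifetimeDays: 'max-age' in c.attrs ? Number(c.attrs['max-age']) / 86400 : null,
      // "tracking" needs opt-in consent before it is set; "review" is a
      // candidate settings cookie that may be fine if it holds no personal data.
      severity: thirdParty || identifier ? 'tracking' : 'review',
    });
  }
  return findings;
}

// Constructed capture from a hypothetical first visit to shop.example.
const CAPTURED = [
  'sessionid=3f9a2c; Path=/; Secure; HttpOnly; SameSite=Lax',
  'lang=en; Path=/; Max-Age=31536000',
  '_ga=GA1.2.1194837265.1628622000; Domain=.shop.example; Max-Age=63072000',
  'IDE=AHWqTUlh7X5kz2Qo9pLm3Yx; Domain=.ads.example; Secure; SameSite=None; Max-Age=33696000',
];

console.log(auditPreConsentCookies(CAPTURED, 'shop.example'));
```

On the constructed capture the session cookie is skipped, `lang` comes back as `review` (a preference with no identifier, the case pieno describes), and the two long-lived identifier cookies come back as `tracking`, one of them third-party. Cookies set by script rather than by a response header will not appear in `Set-Cookie`; for those, capture `document.cookie` after load and feed the `name=value` pairs through the same classifier.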
| glitchcrab wrote:
| Of all the major players in this space, Trustarc are by far the
| worst imo. "Please wait while we save your preferences. This
| may take a few minutes". No it shouldn't, you're just taking
| punitive action because I didn't opt in to all the tracking. I
| guarantee that if I just accepted all cookies then the popup
| would disappear immediately.
| zibzab wrote:
| Can HN readers do an analysis of trustarcs code and publish
| it here?
|
| Is that thing doing anything or communicating with any
| servers while we are waiting?
| isbvhodnvemrwvn wrote:
| It is, but it shouldn't have to in the first place.
| heckerhut wrote:
| 100% correct. I tested both options.
| [deleted]
| hosteur wrote:
| Max Schrems, Chairperson of noyb:
|
| > "We saw a lot of improvements on many websites and are very
| happy with the first results. Some major players like Seat,
| Mastercard or Nikon have instantly changed their practices.
| However, many other websites have only stopped the most
| problematic practices. For example, they may have added a
| 'reject' option, but still make it hard to read. The requirement
| to show a prominent withdrawal option clearly faced the biggest
| resistance from website owners."
| hyperman1 wrote:
| Nice. Keep up the good work
| eberkund wrote:
| What if the EU had a tech team which produced widgets that were
| mandatory to be used by companies rather than every company
| creating their own custom cookie prompt filled with dark
| patterns? Kind of like the standardized Facebook like buttons
| which used to be so popular. But instead it's a JavaScript
| snippet or web component provided by the EU that Google would be
| legally mandated to integrate into their site?
|
| Alternatively, could we just go back to using the DNT header? I
| liked this solution a lot better anyways, just set it once and
| forget about it. The problem was that sites would just ignore it,
| but if the EU adds some legal weight behind this functionality it
| could actually be meaningful.
| qwerty456127 wrote:
| We don't need a damn widget. All we need is every web site to
| respect the standard do-not-track flag. And this can only work
| if the flag is off by default so only those who actually care
| set it.
|
| Things like Google Analytics should also check and respect the
| flag. Requiring every webmaster to ask every visitor if they
| don't mind Google Analytics being injected is nonsensical.
|
| We should also exclude remembering a user which has signed in
| from the tracking definition. It's absurd to warn the user
| about cookies when they sign in.
|
| I also don't want classic (no-choice) cookie warning banners,
| regardless of whether I am tracked or not. Almost everybody
| already knows cookies are always there (and we can just
| introduce a browser extension indicating cookies usage for
| those who don't). The banners serve no purpose other than
| annoying people.
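Both eberkund and qwerty456127 above want sites (and tools like Google Analytics) to honour a browser-side flag instead of asking every visitor. What that looks like on the server is an added example, not code from the thread: a decision function that treats the `DNT: 1` header and the newer `Sec-GPC: 1` (Global Privacy Control) header as an opt-out that overrides any stored consent, and otherwise permits tracking only when an explicit opt-in is recorded. The header names are real; the `consent` cookie format and the sample requests are hypothetical.

```javascript
// Added example, not code from the thread: a server-side decision that
// honours the browser's Do Not Track header (DNT: 1) and the newer Global
// Privacy Control header (Sec-GPC: 1) as an opt-out that overrides any stored
// consent, and otherwise permits tracking only after an explicit opt-in.
// The two header names are real; the consent-cookie format and the sample
// requests are hypothetical.

// Consent cookie format assumed here: "analytics=1&ads=0" (one flag per purpose).
function parseConsentCookie(value) {
  const consent = {};
  if (!value) return consent;
  for (const part of value.split('&')) {
    const [k, v] = part.split('=');
    if (k) consent[k] = v === '1';
  }
  return consent;
}

// Normalise header names, which are case-insensitive on the wire.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Pull one cookie out of a request Cookie header.
function readCookie(cookieHeader, name) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return rest.join('=');
  }
  return null;
}

// Decide whether this request may be tracked for `purpose`. An opt-out
// signal wins even if a consent cookie says yes; otherwise the default is no.
function trackingDecision(headers, purpose) {
  const h = lowerHeaders(headers);
  if (h['sec-gpc'] === '1') return { track: false, reason: 'Sec-GPC opt-out' };
  if (h['dnt'] === '1') return { track: false, reason: 'DNT opt-out' };
  const consent = parseConsentCookie(readCookie(h['cookie'], 'consent'));
  if (consent[purpose] === true) return { track: true, reason: 'explicit opt-in' };
  return { track: false, reason: 'no consent recorded' };
}

// Responses that differ by these headers must say so, or a shared cache may
// serve the tracking variant of a page to a visitor who opted out.
function privacyResponseHeaders() {
  return { Vary: 'DNT, Sec-GPC, Cookie' };
}

// Sample requests (constructed).
console.log(trackingDecision({ DNT: '1', Cookie: 'consent=analytics=1' }, 'analytics'));
console.log(trackingDecision({ Cookie: 'consent=analytics=1&ads=0' }, 'ads'));
```

The ordering is the point: the opt-out headers are checked before the consent cookie, so a stale or coerced "accept" stored months ago does not beat a preference the visitor set in the browser today, and a request carrying neither signal nor cookie is treated as not consented.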
| belorn wrote:
| I wonder if there suddenly would exist a bunch of Google
| Analytics competitors if Google could no longer offer analytics
| as "free" by monetizing user data.
|
| Google Analytics is a prime example of why we need data
| protection. The web developers who use it are not the ones
| paying for it, and they might not even know that Google is
| tracking users for monetizing purposes. It creates a market
| with broken incentives and information asymmetry, with the
| buyer having relatively no power.
|
| Requiring every webmaster to ask every visitor if they don't
| mind Google Analytics is annoying, but fixing that market is
| a difficult job. Maybe the solution is more targeted
| regulation specific to website analytic software.
| rhn_mk1 wrote:
| > this can only work if the flag is off by default so only
| those who actually care set it.
|
| As the effort in the article is attempting to establish, this
| can also work when there is a legal stick against those who
| don't comply.
|
| All we need is companies to stop tracking people by default.
| A side benefit is that webmasters don't need to ask about
| Google Analytics if it's not being used.
| qwerty456127 wrote:
| This is utopian. I want this but don't believe this is
| possible.
|
| Perhaps they might agree to stop tracking a portion of
| users who opt out but forcing them to stop tracking anybody
| is unlikely to succeed, and even if it succeeds they will
| just track everybody secretly. I also am not confident in
| total elimination of tracking being a good idea from the
| economical point of view - many small businesses rely on
| precise targeting today.
| pieno wrote:
| What a dystopian world we live in when people/companies
| can just plainly and publicly say that they don't agree
| and won't comply with a binding law with supervision
| mechanisms and penalties, and still have the general
| public believe that there's nothing we can do about it...
|
| And mind you: we're not (just) talking about the top-5
| tech companies and 0.01% here. This attitude is shared by
| almost every other company out there, and I have a
| feeling (based on anecdata) that the issue is even worse
| in smaller companies who think they don't have to comply
| because they're small or because they're a startup or
| because they just need to "move fast and break things"...
| and we seem to accept that...
| xg15 wrote:
| > _many small businesses rely on precise targeting
| today._
|
| And many businesses relied on CFCs as coolants before
| they got forbidden. They found a solution.
|
| Regulation can also be a source of innovation if it
| forces businesses to think of alternative, less harmful
| ways to solve a problem.
| pieno wrote:
| That's actually the entire point: this should not be
| standardised. That would make it useless. The purpose of GDPR
| is that, in principle, you need consent to process personal
| data. The consent must be specific both in terms of _what_ data
| is processed, and in terms of _why_ it is processed. The
| consent must also be explicit (no opt-out or implicit consent
| by browsing a site) and voluntary (no coerced consent by
| refusing service for not giving away personal data that is not
| specifically required for the service you're asking for).
| Standardised widgets are exactly the opposite of all that.
|
| In a way it's very frustrating to see all these nonsense cookie
| banners that absolutely do not comply with GDPR at all. Why nag
| visitors with annoying cookie banners when your website is just
| as "illegal" as when it wouldn't have a nag screen at all. This
| is really the worst of both worlds.
|
| Then again, it's perfectly understandable for companies to
| comply just a little, as they can then start long arguments
| with regulators on whether their implementation is compliant or
| not and whether they are getting valid, specific, express and
| voluntary consent (rather than just getting fined right away
| because there's clearly no consent being asked at all which
| would make it too easy for the regulator).
|
| So I'm really glad to see someone picking up this battle to
| actually enforce GDPR and call out the complete
| joke/smokescreen that most companies have made of it...
| withinboredom wrote:
| I think what they mean is a standardized end-user interface
| with some drag-drop/easy configuration on the dev side. Every
| site on earth doesn't need to develop their own modals/UI to
| gather consent.
| pieno wrote:
| But why ask for consent right away when someone just visits
| your website for the first time? Imagine that you walk into
| a shop and the owner starts harassing you right away,
| blocking your path and your view and nagging you whether
| you consent to them following you around the shop tracking
| what you're looking at, what you touch, what you actually
| purchase, and then give the shop next door a call to tell
| them all about your visit so that they can all "improve
| your shopping experience by giving you personalised
| recommendations". Pretty sure almost no one would keep
| shopping there. In fact, this is pretty clear from Apple's
| new do not track option where Facebook said in their
| quarterly report that it's really hurting them (contrary to
| their statements that all of their users already happily
| consented to tracking and that they're actually doing their
| users a favour by tracking them).
|
| What should _really_ happen is that sites just stop asking
| for bullshit consent to being tracked. No one will consent
| to being tracked if given an actual, clear and explicit
| opt-in choice, if there's absolutely no downside in
| refusing consent and no one is tricked into giving consent
| by dark patterns.
|
| Websites should just abstain from processing personal data
| until the visitor does something that actually requires
| personal data (e.g. sign up, make a purchase, ...). In
| those cases, most obvious processing of personal data can
| be done based on other grounds (performance of contract,
| legitimate purposes, ...) so really there should not be any
| consent nag screens needed at all except for some very
| specific exceptional cases...
| withinboredom wrote:
| > But why ask for consent right away when someone just
| visits your website for the first time? Imagine that you
| walk into a shop and the owner starts harassing you right
| away
|
| You do implicitly give consent to "be tracked" when you
| walk into a shop. A savvy shop-keeper will look at the
| clothes (brand, style, etc.), hair, facial features, etc.
| and internally compare you to others who have made
| purchases and either approach you or not.
|
| The closest thing we have to that is our (pretty
| terrible, in the privacy kind of way) ad networks to tell
| us what kind of people visit our online shop. Without
| that information, it's hard (nay, impossible) to guess
| what demographics come to our store and position the
| store to cater to the demographic that actually makes a
| purchase vs. those that don't. If I see a whole bunch of
| boomers coming to the site, but they don't convert, I can
| figure out why they're not making a purchase and do
| something about it, just like I could in a brick-and-
| mortar store.
|
| I really don't like the amount of personal data gathered
| or the dark patterns surrounding them. But there's got to
| be a way to surface some kind of aggregate information
| without sacrificing privacy.
| xg15 wrote:
| I think the elephant in the room is that tracking is the
| major business model that currently powers the web - and
| regulators (and citizens) have made clear they do not
| want this business model to continue.
|
| It's really a power struggle between businesses and
| regulators in regards to tracking as a business - and
| overly complex cookie banners are the most visible sign
| of it.
| ajford wrote:
| I fully second the DNT header. Perhaps even some common set of
| headers (like DNT/FirstPartyOnly/Performance).
|
| I like what GDPR did for privacy, but I absolutely hate its
| impact on web browsing. Now _every_ damn site has a cookie
| banner covering the bottom third of the page. Plus many sites
| have a fixed nav or another damn banner at the top. Mobile
| browsing has gotten painful.
| g_p wrote:
| California seems to be trying to pass (or succeeded in
| passing?) some new legislation which aims to get sites to
| honour some new version of DNT.
|
| The problem I have is that DNT is "good enough". Websites
| need to accept the law (opt in is needed, defaults must be to
| assume a user is opted out unless/until they do so of their
| own accord, and can't apply coercive pressure or try to force
| them to agree). DNT fell down when websites said they
| wouldn't honour it if browser makers made it enabled by
| default, or made it too easy for too many users to enable it,
| and it was "voluntary".
|
| We now see CCPA privacy statements required to state whether
| they honour a DNT opt-out... If the next step is to require
| sites to honour the preference, it just seems to me that
| adding a new header achieves very little, and using the
| existing one could achieve more in a shorter time!
|
| If we aren't careful, we'll end up with fingerprinting of the
| new privacy browser headers, based on the granularity of
| privacy choice information being conveyed in headers due to
| the various disparate attempts at applying more sticking
| plasters to the wound. Heck, fingerprinting just DNT and a
| couple of other proposed privacy headers alongside user agent
| would probably at least give enough information to
| distinguish multiple users sharing an IP via NAT... (!)
| kevin_thibedeau wrote:
| I rarely use my GDrive but today I had to download an image sent
| from my phone and wasn't allowed because third party cookies were
| disabled. It seems like they've added a new dark pattern to force
| 3PC on but nobody's been complaining about it. It seems
| absolutely ridiculous that a Google property depends on a
| separate domain for access. After enabling, there were network
| requests to googleusercontent.com which really has no reason to
| exist other than to serve as a wedge for the dark pattern.
| g_p wrote:
| Not excusing their dark patterns (which don't play nice if you
| block DoubleClick at DNS level), but just as an observation,
| googleusercontent.com itself is actually a legitimate and valid
| (at least IMO) security precaution.
|
| By serving up all user generated content from a separate
| domain, it gives defense-in-depth against any kind of uploaded
| content getting script execution - it's served up from a domain
| that is completely separate from any authentication tokens or
| valuable cookies etc. That way, a user-uploaded HTML file (if
| someone found an endpoint that would render it) shouldn't be
| able to be served up from a first-party domain.
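The defence g_p describes only works if two things hold: the content host must be a different registrable domain (a cookie scoped to `.example.com` still reaches a `cdn.example.com` subdomain), and uploaded files must never be allowed to render as a page on that host. The block below is an added example, not code from the thread or from Google, showing both: the response headers for a user-content origin, and a check that the app's session cookie scope cannot reach the content host. The hostnames and sample filenames are hypothetical.

```javascript
// Added example, not code from the thread or from Google: how a separate
// user-content origin is made safe in practice. Uploaded files are served
// with headers that stop them executing as a page or being sniffed into
// HTML, and a small check confirms the app's session cookie can never reach
// the content host. The hostnames and sample filenames are hypothetical.

const APP_HOST = 'app.example.com';
// A different registrable domain, not just a subdomain: a cookie scoped to
// ".example.com" would still reach "cdn.example.com", but not this host.
const CONTENT_HOST = 'usercontent-cdn.example.net';

// Types that may render inline; everything else downloads as opaque bytes,
// so an uploaded .html or .svg never becomes a page on the content origin.
const INLINE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'application/pdf']);

// Keep only the basename and a conservative character set for the
// Content-Disposition filename parameter (no quotes, slashes or controls).
function sanitizeFilename(name) {
  const base = name.split(/[\\/]/).pop();
  const clean = base.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '');
  return clean || 'download';
}

function userContentHeaders(mimeType, filename) {
  const inline = INLINE_TYPES.has(mimeType);
  return {
    'Content-Type': inline ? mimeType : 'application/octet-stream',
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${sanitizeFilename(filename)}"`,
    'X-Content-Type-Options': 'nosniff',
    // Even if something does get rendered, it runs in a unique opaque origin
    // with no script allowed.
    'Content-Security-Policy': "sandbox; default-src 'none'",
    // The app origin embeds these files; nothing else on the content host is shared.
    'Cross-Origin-Resource-Policy': 'cross-origin',
  };
}

// Would a cookie set by `setterHost` with this Domain attribute (null for a
// host-only cookie) be sent to `targetHost`?
function cookieScopeCovers(setterHost, cookieDomain, targetHost) {
  const target = targetHost.toLowerCase();
  if (!cookieDomain) return target === setterHost.toLowerCase();
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  return target === d || target.endsWith('.' + d);
}

// True when the session cookie stays on the app origin and never reaches
// the content host, whatever Domain attribute the app sets on it.
function sessionCookieIsolated(sessionCookieDomain) {
  return !cookieScopeCovers(APP_HOST, sessionCookieDomain, CONTENT_HOST);
}

console.log(userContentHeaders('text/html', '../evil.html'));
console.log(sessionCookieIsolated('.example.com'));
```

The check is deliberately about registrable domains rather than origins: an uploaded HTML file rendered on a sibling subdomain would get a different origin and still fail the same-origin check, but the browser would attach any `Domain=.example.com` cookie to the request that fetched it, which is exactly the token exposure the separate domain is meant to rule out.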
| trangus_1985 wrote:
| I use a Firefox extension (self deleting cookies). Clicking
| "accept" and then having the browser delete all of those trackers
| when I leave the site? Pretty good.
| zibzab wrote:
| But that means they can do whatever they want with your data
| during that session?
|
| Furthermore, some store it externally (e.g. Trustarc) and maybe
| they can recover your consent later somehow?
___________________________________________________________________
(page generated 2021-08-10 23:01 UTC)