[HN Gopher] IAB Europe cookie consent pop-ups to be found in bre...
___________________________________________________________________
IAB Europe cookie consent pop-ups to be found in breach of GDPR
Author : youngtaff
Score : 220 points
Date : 2021-11-05 16:54 UTC (6 hours ago)
(HTM) web link (techcrunch.com)
(TXT) w3m dump (techcrunch.com)
| gandalfian wrote:
| "The Interactive Advertising Bureau (IAB) is an advertising
| business organization that develops industry standards, conducts
| research, and provides legal support for the online advertising
| industry. The organization represents many of the most prominent
| media outlets globally, but mostly in the United States, Canada
| and Europe." From Wikipedia
| https://en.m.wikipedia.org/wiki/Interactive_Advertising_Bure...
| Nicksil wrote:
| https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau
| tgsovlerkhgsel wrote:
| I really hope they actually issue a hefty fine here, instead of
| just a "now stop doing that".
|
| Not issuing a fine would send a signal that simply ignoring the
| law until you're told to follow it pays off, since the companies
| involved certainly made much more profit in that time than they
| would have made had they followed the law.
|
| Also, the fines should be issued to _everyone_ involved in this
| mess - middlemen and library providers like IAB, the ad companies
| actually collecting the data, and most importantly the publishers
| that sent their visitor's data to them.
| justapassenger wrote:
| > Not issuing a fine would send a signal that simply ignoring
| the law until you're told to follow it pays off
|
| That's how capitalism works. For better or worse. If as a
| person you break the law, you are prosecuted and punished,
| without consideration who you are and what you contribute to
| the society. It's very easy to be erased from society (lifetime
| sentence) and/or lose lifetime earnings (via huge fines,
| compared to your income potential).
|
| For corporations it's totally different. Consideration of who
| they are is a huge part of punishment. Countries don't want to
| kill/severely injure companies, especially big ones, as they
| worry about fallout effects to their whole economy. As a
| corporation you can commit much much bigger crimes and get an
| equivalent of a parking ticket in terms of impact.
| thegrimmest wrote:
| Am I the only one who thinks this is all a bit mental? Say you
| have a (real, physical) business. And say you have some customers
| who are regulars. You can use your eyes to see what your
| customers frequently buy/engage with and your brain to remember.
| You can also use a notepad to write things down. This is
| commonplace - "The usual today John?".
|
| Now say John travels to another town, and the proprietor of a
| similar establishment in that town, wanting to provide John with
| the best level of service, calls you to ask "Hey, what does John
| like?", and you tell them.
|
| Now we just supplement your eyes and notepad with technology, and
| replace phone calls with packet exchanges. What has changed
| exactly? Don't you have a _right_ to record who transacts with
| you? Isn't that information _yours_, to do with as you please?
| Can "John" command us to forget we ever saw him? Where in this
| sequence are anyone's rights violated? How is any of this
| reasonable?
| dane-pgp wrote:
| > Isn't that information _yours_, to do with as you please?
|
| I could equally ask "Isn't that information _John's_, to do
| with as he pleases?".
|
| Property is a legal fiction, and "intellectual property" doubly
| so; but it seems perfectly reasonable that society should
| decide that information about a human person should be
| controlled by them, rather than by the artificial person of a
| corporation.
|
| If John asks you to make his drink preference available to
| every competitor of yours, and you for some reason agree to
| provide that service to him, then of course John can get the
| benefit of that information sharing, but this should only
| happen if he specifically opts in to it.
|
| (In reality you wouldn't provide this service helping your
| competitors, and the information sharing could be managed by
| another service, which John would probably have to pay for, and
| service providers would compete based on the security, speed,
| ease of use, and accuracy of their service).
| thegrimmest wrote:
| "information" itself is a fiction. The only question is to
| what degree can someone else control what you do or say? The
| "information" is "mine" in the sense that I should be able to
| use my brain and mouth as I see fit. Anything else is awfully
| invasive don't you think?
| deredede wrote:
| > The only question is to what degree can someone else
| control what you do or say?
|
| Someone else can't control what you do or say, but they can
| establish consequence for what you do or say. Nobody can
| control whether you assault people or not, but they can
| certainly put you in jail for it.
|
| > Anything else is awfully invasive don't you think?
|
| I don't think so. Information that you got for the specific
| purpose of providing a service shouldn't be yours to spread
| as you see fit. In fact, there have been strict legal
| procedures in place for a long time for certain professions
| (e.g. medical sector) to enforce this.
|
| Just like I don't expect my doctor to spread information
| about my hemorrhoids, I don't expect my bartender to spread
| information about my drinking habits.
| thegrimmest wrote:
| Establishing legal consequences is our only mechanism of
| legitimate control. If you can be threatened with fines,
| and with arrest for non-compliance with the fines, then
| you are being controlled. Tyranny of the majority is a
| thing. This is why laws are an extremely blunt
| instrument. If people were truly interested in privacy, they
| would simply boycott businesses that violate it. If they
| don't, there clearly isn't enough interest to possibly
| justify the use of force.
| dane-pgp wrote:
| If you work for a corporation, you already are prevented
| from using your brain and mouth as you see fit (or at
| least, what you "see fit" is being heavily influenced by
| your desire to stay employed by them).
|
| Consumer privacy regulations don't control your brain and
| mouth, they control the incentives of companies, who are
| not humans, and do not have mouths or brains. Those
| companies then control the incentives of their employees
| who can choose whether or not to work for them.
| thegrimmest wrote:
| I'm not prevented by anyone. No one will impose a fine on
| me for speaking my mind at work. They may just terminate
| me, which is of course their prerogative. They can
| terminate me anyways. Small businesses with individual
| owners are also burdened by this legislation.
| 908B64B197 wrote:
| High end hotels do this.
|
| Honestly, more and more I'm starting to think GDPR is just an
| excuse to fleece "evil foreign tech giants". It's a set of
| arbitrary rules with vague and selective enforcement that seems
| not to be completely understood even by the legislators who
| wrote it, as demonstrated by legislators not knowing the answer
| to the simple question: Are pop-up consent forms acceptable.
| It's whatever the bureaucrats don't like that day really.
|
| Guess some US company will have to go to court (and subsidize
| the European Legal Industry doing so) for the privilege of
| figuring it out.
|
| It wouldn't be so comical if FAANG wasn't full of European devs
| who chose to innovate in the Valley, probably to escape this
| very bureaucracy.
| kymaz wrote:
| Technology is making this easy to scale up, there will always
| be people who want to abuse this, and the abuse potential grows
| with scale.
|
| What was once 'I'm particularly fond of a certain shop's version
| of a food item' can then become every shop selling that
| category of item automatically guiding you to the same type of
| item. Besides the part where everyone knows your name and a
| quick dossier like you're a celebrity but without any of the
| perks, life would be so drab if it was "The usual today John?"
| at literally every place everywhere always.
| Bayart wrote:
| >Now say John travels to another town, and the proprietor of a
| similar establishment in that town, wanting to provide John
| with the best level of service, calls you to ask "Hey, what
| does John like?", and you tell them.
|
| That's unacceptable to start with.
|
| >What has changed exactly?
|
| You've automatized something unacceptable?
|
| >Don't you have a right to record who transacts with you?
|
| Within a certain context, you do. The data that is _untrusted_
| to you is done so based on the assumption that you're acting
| in _good faith_ and won't trade that information without
| consent.
|
| >Isn't that information yours, to do with as you please?
|
| Absolutely not, at least not in the legal systems we have in
| Europe.
|
| >Can "John" command us to forget we ever saw him?
|
| Yes, he can! At least in my opinion and virtually every other
| European's he does. The right to be forgotten is an active
| subject of discussion[0]. The stance in the US is that it runs
| contrary to freedom of expression. The stance in Europe is that
| personal freedom implies being sovereign over one's own data.
| In technical areas, the _right to be forgotten_ is interpreted
| as the _right to erasure_ [1], which happens to be part of the
| GDPR. I've myself used that right several times. And I end up
| being very mindful of my usage of data in software I write.
|
| >How is any of this reasonable?
|
| Your ease of business doesn't trump someone's rights over
| themselves, the data they generate being an extension of it. End
| of story.
|
| [0]: https://en.wikipedia.org/wiki/Right_to_be_forgotten
|
| [1]: https://gdpr-info.eu/art-17-gdpr/
| thegrimmest wrote:
| > _That's unacceptable to start with._
|
| On what grounds exactly? When interacting with people they
| are able to observe you and record their observations. From
| where do you derive a "right" to control their behavior in
| this regard?
|
| How could you classify an observation about yourself made by
| someone else as "yours"? How would you enforce this "right to
| be forgotten" when people carry around storage mediums made
| from meat? Or are you simply suggesting that you should be
| forced to go through all your letters, diaries, notebooks and
| ledgers on the whim of someone's demands?
| gpvos wrote:
| I hope you are playing devil's advocate and don't mean this
| seriously.
|
| 1. When you enter it into a computer, _everything_ changes. The
| scale with which data can be stored, distributed and aggregated
| is just staggeringly more huge.
|
| 2. People don't like ads, except for a few weirdos. Ads are not
| a service in the interest of the consumer.
|
| 3. Knowing someone personally is fine, but passing on that
| knowledge without their consent, or at least knowing _for
| certain_ that it is in their interest, is a no-no.
|
| And that's only the three most egregious things you get wrong.
| thegrimmest wrote:
| A computer is just an augmentation of a mind. It does the
| same things, just more perfectly. Shouldn't we all be able to
| augment our minds as we see fit? Should our freedoms change
| in the process?
|
| People who attract new customers with ads must like them.
| People who were informed of a product that meets their
| previously-unserved needs must also, right?
|
| 3. is just plain old gossip, which is also what I'm
| describing. It has always been in poor taste, and should
| never be _illegal_ or regulated at all. Only religions do
| that.
| leephillips wrote:
| No, you don't have that right. If I buy toe fungus cream at
| your store you absolutely may not tell other shopkeepers about
| that. I can't even get my head around a mentality that
| considers this behavior to be moral or even normal.
| thegrimmest wrote:
| > _If I buy toe fungus cream at your store you absolutely may
| not tell other shopkeepers about that_
|
| Why exactly? Which laws would I be violating if I did?
| verve_rat wrote:
| Depending on your jurisdiction, privacy laws designed to
| prevent exactly what you are doing.
| xxs wrote:
| GDPR immediately, unless you have a consent from John to
| share his personal details. GDPR does not pertain to
| digital format solely.
| Nextgrid wrote:
| Well now you'd be violating the GDPR.
|
| Before we didn't have these laws because this wasn't a
| problem in practice - nobody was calling other businesses
| at scale to tell them who was buying fungus cream. If they
| were, we would've had a law equivalent to the GDPR to
| prevent that.
|
| Actually, there was one incident in the US where a
| politician's video rental history was disclosed against his
| wishes and as a result a law was drafted to prevent this
| practice in the future:
| https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
| leephillips wrote:
| The laws of decency, respected by all decent people. Sure,
| keep a ledger of what I buy from you. But do not tell
| anyone else anything about me. I respect this principle in
| non-commercial life, and so do my friends. You are not
| exempt from the rules governing decency just because you
| sell things.
| thegrimmest wrote:
| I agree, but it has always been tyrannical to legislate
| decency. What next, fines for not saying "please" and
| "thank you"?
| leephillips wrote:
| There's a difference between being impolite and being
| _indecent_. We have peeping-Tom laws because it's beyond
| impolite to press your face against someone's window and
| peer through the gap in her drapes. Are such laws
| tyranny? Most think not, because they are there to
| protect potential victims.
| thegrimmest wrote:
| If someone can stand on public property and press their
| face against your window, they should have the perfect
| right to do so, for as long as they see fit.
| leephillips wrote:
| So you think that the nearly ubiquitous peeping-Tom laws
| are unjust? You see no purpose to them?
| thegrimmest wrote:
| Yes? Draw your curtains before you change? Anything you
| can see from a public space you have the right to stare
| at?
|
| Our government shouldn't be in the business of policing
| modesty or decency. Only administering the basic peace.
| leephillips wrote:
| When I first became aware of these laws I thought as you
| do. But after a while I came to think the laws are OK,
| maybe even necessary. You say "draw your curtains", but
| in my example the curtains are already drawn. Unless you
| seal them with duct tape, there are almost always tiny
| holes or gaps through which someone can see, _if_ they're
| allowed to do things, like pressing their face
| against the window, that have _no legitimate purpose_
| aside from the intention to invade someone's privacy. Our
| laws routinely consider the intention and purpose behind
| the act.
| kubanczyk wrote:
| It's not tyrannical in the dictionary sense of the word.
| You simply don't like it, that's what your arguments boil
| down to in this subthread so far.
| Aerroon wrote:
| But on the other hand, if you had an interaction with the
| shopkeeper then wouldn't the same laws of decency prevent
| you from telling others about that encounter?
| pessimizer wrote:
| There are plenty of deals that you make with
| vendors/merchants that are given in confidence; a
| merchant may give you 50% off if you promise not to
| spread it around. Other than those occasions,
| "shopkeepers" not only want you to spread around that you
| shopped there, they actually depend on it and will often
| pay you to do it.
|
| As a customer, I have no interest in you advertising for
| me, so it's not comparable. Any information that you
| spread around about me is likely to give other
| "shopkeepers" _greater leverage_ over me (which is why
| vendors don't do this in the real world unless they have
| some sort of financial relationship with each other.)
| leephillips wrote:
| It depends what I tell. If the shopkeeper tells me that
| he recommends a particular brand of toe fungus cream
| because it works for him, I will never reveal his
| condition to others. But I might mention his hours of
| operation, or that he runs a good store, because that's
| public information.
| spurgu wrote:
| I'm more or less in agreement. What we need is a change of
| mentality/awareness, i.e. that everything you do online is
| being tracked and shared with other parties. Because it mostly
| is.
| croes wrote:
| Bad example. You are not memorizing one customer but millions,
| you don't note one favorite purchase but all, you don't tell
| one other store owner but thousands. One locust is harmless,
| thousands are a plague.
| Nextgrid wrote:
| The problem is the scale at which this is done. Technology
| allows to not only collect much more of this data but puts that
| data at risk of being stolen much more than a single physical
| notebook.
|
| If you employed an army of people to be able to take
| photographs and remember or write down what every customer
| looks like, what time they come in, what they typically wear,
| how long they spend looking at each product, etc... most people
| will find that creepy and will take offense at that.
| thegrimmest wrote:
| They may find it creepy, but why should it be _illegal_ or
| regulated by the government in any way? If you don't like
| the creepy establishments, go elsewhere?
| tpush wrote:
| > They may find it creepy, but why should it be illegal or
| regulated by the government in any way?
|
| Because that society has decided that it wants no creepy
| restaurants at all. Same with unclean ones, discriminatory
| ones, etc.
| Aerroon wrote:
| Has it though? I don't remember being asked.
|
| And yet I see every single supermarket offer their own
| membership card "to get discounts" and everybody is happy
| with it. The only purpose of that card is precisely to
| track your purchases.
|
| It seems to me that _some people_ in society decided that
| websites aren't allowed to sell ads based on what you
| view, but all the other tracking in our society is just
| a-okay. I've not seen a single campaign or push against
| predatory membership cards or credit card info being
| sold.
| Nextgrid wrote:
| > Has it though? I don't remember being asked.
|
| Depends if you're in the EU but I guess you could've
| lobbied against the GDPR when it was being drafted. You
| could also lobby against restaurant food safety
| regulations, or discrimination laws. The reason these
| laws are there and stick around is because a majority
| decided that these behaviors were noxious and should be
| outlawed and the current majority appears to be happy
| enough with the current situation to not demand laws to
| be changed.
|
| > every single supermarket offer their own membership
| card "to get discounts" and everybody is happy with it
|
| It is opt-in (you can decide to not swipe it when buying
| the aforementioned fungus cream if you don't want it
| associated with you), the data collection is relatively
| common knowledge and is disclosed when you sign up for
| the card (and if it isn't then that's a breach of the
| GDPR and should be rectified).
|
| In comparison, online data collection is _at best_
| opt-out and at worst mandatory and often invisible (and even
| if you could see what data is _collected_ from your
| browser, you have no visibility on what further
| processing is done on it or to whom it gets transferred
| or sold).
|
| > but all the other tracking in our society is just
| a-okay
|
| Source?
|
| > I've not seen a single campaign or push against
| predatory membership cards
|
| Those are opt-in.
|
| > or credit card info being sold.
|
| Every time the selling of credit card info comes up on HN
| people speak out against it just like they do against ad
| tracking, and the only reason nobody else talks about it
| is because they most likely don't know (would a
| reasonable person expect their bank to be sharing their
| purchase info with third-parties?).
|
| Both of these issues are addressed by the GDPR by the
| way; it covers much more than just ad tracking on the
| web.
| Aerroon wrote:
| But GDPR bars websites from doing what the stores are
| doing. The website can't refuse to serve you the website
| if you don't agree to the tracking, but membership cards
| work exactly like that. You only get the membership
| discount if you agree to the tracking. Websites aren't
| allowed to do that.
| Nextgrid wrote:
| The store doesn't bar you from entering & shopping
| without a membership card. If they did, it could very
| well be that the GDPR would equally apply and forbid them
| from mandatory data collection as a prerequisite for
| shopping there.
| pdpi wrote:
| So, the card is a great example, because it's opt-in, and
| you get some reward for opting in. Basically the exact
| opposite of adtech tracking.
| Aerroon wrote:
| The opt-in of adtech is visiting the website and the
| reward is the content on the website. You're the one that
| starts the chain of events in both cases.
| Nextgrid wrote:
| You can still serve ads (based on the content of the
| webpage for example). They just shouldn't collect nor
| process any personal data.
| Nicksil wrote:
| >The opt-in of adtech is visiting the website and the
| reward is the content on the website.
|
| No, quite clearly I've opted-in to the site's content.
| _Nobody_ has _ever_ knowingly navigated to a website to
| enjoy its advertising and tracking. (except for maybe 3-5
| individuals)
|
| >You're the one that starts the chain of events in both
| cases.
|
| This is victim blaming. I started the chain of events
| leading to the rendering of the website content, not the
| ads or tracking behavior to which I would otherwise be
| oblivious. This is akin to saying I asked for a computer
| virus by purchasing this computer.
| thegrimmest wrote:
| "society has decided" all sorts of awful things in the
| past. I'm just pointing out that this is one of them.
| Nextgrid wrote:
| What if everyone does it and so you literally don't have
| anywhere else to go?
|
| What if the data collection was done in such a way that
| most non-technical people aren't even aware what data is
| being collected and how it is used? In my hypothetical
| example about a business employing an army of workers to
| follow, photograph & take notes about every customer the
| behavior would at least be visible by the customers (and so
| they could choose to go elsewhere), which is not the case
| with modern technology - data is being collected silently
| in the background.
|
| > why should it be illegal or regulated by the government
| in any way
|
| There are plenty of other unlawful things you could apply
| this question to. Society enacts laws to dissuade & punish
| behaviors that the majority finds reprehensible.
| yjftsjthsd-h wrote:
| That assumes that the customer is aware that it's happening
| and that there are other stores that don't do it. Since at
| least one of those things is vanishingly unlikely, we have
| legislation.
| fangorn wrote:
| And if that shopkeeper starts following you around everywhere
| you go, noting what you do, what you buy, what you read, with
| whom, and then shares this with whomever they want, for profit,
| isn't that stalking, isn't that person basically a creep? And
| if they did it with all of their customers? And since it's
| physically impossible for a single person to do that then they
| will build an army of robots that will do that for them, is
| that still OK? Because that's already a reality we live in.
| thegrimmest wrote:
| I mean, yeah if it's their shop of course they can follow you
| around with a clipboard and sell copies to whomever wants
| one. That's why it's _their_ shop. If you don't like it, you
| can leave. If they follow you home, yeah they're stalking
| you, but that's not what we're talking about is it?
| paxys wrote:
| A lot of tech regulation exists specifically because of the
| scale of the collection/automation that is now possible. For
| example surveillance cameras, license plate readers, facial
| recognition can all be replicated by positing a dozen cops on
| every intersection in the country, but many jurisdictions still
| have laws against them.
|
| To answer your specific scenario, it would be pretty creepy
| (and possibly illegal) if shopkeepers in different towns were
| calling each other and discussing my specific purchasing
| preferences.
| jacquesm wrote:
| The question to ask yourself is always 'if I prefix this with
| 'at scale' does that change the equation?'. And if the answer
| to that is a 'yes' then your online/offline analogy doesn't
| hold water.
| gostsamo wrote:
| Maybe John traveled to another city so that the things he does
| there are not linked to what he does at home. If John wants
| that I share his preferences, he should let me know and the
| other business owner should ask him whom to contact in order to
| spare him the inconvenience of listing all his preferences
| himself.
|
| Edit: grammar
| matsemann wrote:
| Wow, I think your example is what's mental. In no way
| whatsoever is it ok for someone to share that with someone else.
|
| So I actually like your analogy, it shows how insane the ad
| businesses and tracking is.
|
| (Except for the part where you say the other business owner
| does it to give great service. Ads aren't used to help people,
| no one likes them)
| thegrimmest wrote:
| Since always? If someone asks you a question you have a right
| to answer as you see fit, don't you? Shouldn't you? Even if
| you've entered into an agreement to keep a secret, it's only
| a legal contract that you'd be violating (which you have a
| perfect right to do) not a law.
| leephillips wrote:
| You seem to be using "right" to mean something like the
| state of affairs where there is no criminal penalty. Am I
| mistaken? I don't think most people understand the term in
| that way. So my answers would be no, you don't have a right
| to answer as you see fit; no, you should not; and no, you
| don't have a right to violate a contract.
| thegrimmest wrote:
| Yes, I mean "right" as in action that may be taken with
| no criminal consequences. What do you mean by the term?
|
| With this definition, you do in fact have a right to
| breach any contract as there are no criminal penalties
| for doing so. That's why most contracts specify what
| happens if they are breached under various conditions.
| There's a major distinction between civil and criminal
| law.
| leephillips wrote:
| I mean something that it is wrong for you to do. You
| indeed do not have the "right" to violate a contract;
| that's precisely why doing so exposes you to civil
| remedies.
| yjftsjthsd-h wrote:
| > Now say John travels to another town, and the proprietor of a
| similar establishment in that town, wanting to provide John
| with the best level of service, calls you to ask "Hey, what
| does John like?", and you tell them.
|
| That was already way too invasive, yes. You could probably get
| away with it before, because the scale was so small that it
| wasn't quite as horrible. There is after all a difference
| between occasionally violating one person's privacy and
| violating the privacy of thousands of people a minute. Not an
| actual ethical difference, but there are finite legal resources
| to go around.
|
| Also, I object to this idea that because the pieces of behavior
| are acceptable the combined effect is automatically okay. It's
| perfectly legal to own and use a camera. It's perfectly legal
| to own and use a telephoto lens. It's even legal to look at your
| neighbor's house. Nonetheless, taking a camera and pointing it
| through a telephoto lens at a neighbor's house and recording
| 24/7 is an excellent way to get arrested.
| thegrimmest wrote:
| All of what we're discussing is within the realm of _decency_,
| not _law_. Yes it's impolite to gossip about people,
| always has been. It's however tyrannical and totally
| inappropriate to legislate decency.
| Nextgrid wrote:
| If the gossip was scaled up enough you might have laws
| created around it (actually some jurisdictions have
| anti-libel laws which is basically equivalent to gossip). We
| don't currently attempt to legislate decency because in
| most cases the system self-regulates, just like it used to
| do with the shopkeeper & fungus cream scenario mentioned in
| another comment. Then technology came along and increased
| the possibility of information sharing (and potential harm)
| by orders of magnitude, and once it's been determined that
| the system no longer self-regulated laws such as the GDPR
| were drafted.
| em-bee wrote:
| well online-mob-cancellations fuelled by social media are
| exactly what scaled up gossip leads to. so we are already
| there and it's about time that something is being done
| about that.
| leephillips wrote:
| It's not tyrannical, unless the very existence of laws is
| tyranny. Law _is_ the legislation of decency. Any other
| kind of law we call "unjust".
| thegrimmest wrote:
| "decency" is not definable, that's why it's tyrannical to
| legislate about it. Laws serve to establish a framework
| merely for peaceful coexistence. To use them to try to
| make everyone decent is surgery with a sledgehammer.
| Macha wrote:
| Right, and that's why we have GDPR consent and legitimate
| interests and all those other terms to come to something
| that is legally definable.
| thegrimmest wrote:
| All of those things are basically religious terms to me.
| Some people subscribe to the religion that they have a
| "right to be forgotten" or a "right to their data". I
| don't subscribe to this religion, I want out.
| Macha wrote:
| You can lobby for the law to be changed. Don't be
| surprised you can't get a critical mass for "Yes, I'd
| like businesses to be able to track me".
|
| You could just as equally declare copyright law or
| property law to be a religion and insist you don't want
| to subscribe to it, but society as a whole does, and so
| if you want to participate you just have to lump it.
| thegrimmest wrote:
| What if the laws were the other way, and business were
| being _mandated_ to track _everything they can_ about the
| people they interact with? How would this tyranny be
| different from the one existing currently? Just because
| the majority decides something, that doesn't mean it's
| not tyrannical. People should be free to peacefully
| interact with each other as they individually see fit.
| Some people may track, some may choose not to, advertise
| that fact. Any picking of sides is totally arbitrary and
| therefore unjust.
| Macha wrote:
| Is it not tyrannical to prevent you from selling copies
| of Lord of the Rings without paying the author by that
| same logic?
|
| If the majority of society was in favour of tracking
| everything then the opponents of that would have the same
| options of lobbying to change people's minds. As seen in
| the difference between end user reactions to GDPR vs
| ACTA, that seems like it would be much easier.
| thegrimmest wrote:
| Yes? Copyright law was widely regarded as tyrannical when
| first introduced. Anything to which violence is an
| inappropriate response should not be legislated.
| leephillips wrote:
| Why is violence an inappropriate response to someone
| threatening your livelihood by violating your copyright?
| thegrimmest wrote:
| Because once you've told something to someone it's not
| yours anymore? Sure you can sign an agreement, but the
| consequences of violating it are civil, not criminal.
| munk-a wrote:
| I'd actually challenge you to find a law in society that
| doesn't have some origin in vague decency - the legal
| framework built above decency is something we expect to
| be rather stable over the long term but, at a really
| basic level, we have a law to not murder people because
| we really don't appreciate it when people do it - not
| because there is some natural law inscribed in our DNA
| stating that murder must be a crime.
|
| Laws conform with societal ethics and those ethics
| absolutely change over time and are never uniformly
| agreed to by all individuals.
|
| Lastly - scale absolutely does matter when it comes to
| laws we want to enforce. We _don't_ want to enforce a
| no-gossip law because the invasiveness of enforcement
| would be unbelievably deep, so decency is there to tell
| you that while you won't get arrested for doing a thing
| you should feel guilty about it - most members of society
| get equipped with this guilt during their upbringing and
| so criminally malicious gossip is a problem we mostly
| ignore at a societal level.
|
| Laws are absolutely BS in their inherent nature and a
| construct of society that could easily shift radically
| with large political shifts - but that doesn't mean
| they're invalid.
| thegrimmest wrote:
| We have laws not to murder people because the state
| assumes a monopoly on violence. In absence of retributive
| justice we did and do continue to murder each other in
| blood feuds that last generations. This is perfectly
| normal human behavior. The state is there merely to
| provide a framework in which people who hate each other
| can be expected to surrender their natural right to use
| violence.
|
| To me that's where the right of one group (the
| government) to legitimately use force ends. The
| sledgehammer that is the legal system should only be used
| to administrate the peace.
|
| Beyond that, the only concept that can really be
| impartially measured is liberty. How free are you? In the
| graph of all possible actions, which are legitimately
| available to you? Everything else is an attempt to define
| good or evil, or right and wrong, and is therefore some
| form of religion. In a world where we are all equal, have
| no oracle to discern good from evil, and disagree
| diametrically, the only reasonable thing to do is
| optimize for liberty, and let everyone figure it out for
| themselves.
|
| Scale does matter, but not in regards to rights. If you
| have the right to do a thing, you have the right to do it
| a million times. If you have the right to write something
| down, you have the right to keep it in a database. If you
| can publish your letters, you can do so over HTTP as
| well. This isn't a new conversation. People have been
| publishing memoirs of their private correspondence since
| the printing press. What disturbs me is how we seem to be
| shifting our consensus that they have the right to do so.
| labster wrote:
| The state need not have a monopoly on violence. Dueling
| was outlawed in France in 1626, and early modern France
| was certainly a state. The dueling laws only became
| necessary because our mores on violence changed.
| SiempreViernes wrote:
| > We have laws not to murder people because the state
| assumes a monopoly on violence.
|
| This theory utterly fails to explain laws against murder
| from the millennia when there was no such thing as a
| state that claimed monopoly on violence. In the feudal
| system there was no such thing as a unified state entity,
| it was just a bunch of people invested with certain
| rights organised into nested hierarchy of fealty, no
| monopolies there, but still they had no problem ruling
| people guilty of committing murder.
|
| > If you have the right to do a thing, you have the right
| to do it a million times.
|
| You've never seen those signs that say you get only one
| free cup of coffee have you?
| leephillips wrote:
| Do you have opinions about different laws? That some are
| arbitrary and unjust, whereas others are good? How do you
| form these opinions?
| thegrimmest wrote:
| By whether these laws enforce negative rights or positive
| ones. You should have a right to _do_ whatever you _want_
| as long as you're not directly interfering with the
| rights of others to do the same. That's what it means to
| be free.
| leephillips wrote:
| Is this demarcation a form of religion? Or can you
| demonstrate its objectivity?
| mindslight wrote:
| Decency works for managing personal behavior on a small
| scale, with an ultimate check of free association.
| Commercial surveillance invalidates _both_ the assumption
| of scale and the ability to opt out.
|
| In general it seems like you're just asserting that value
| judgements should be scale free, while ignoring qualitative
| criticisms.
| thegrimmest wrote:
| You're right, I'm basically arguing that free people
| don't have value judgements imposed on them.
| yjftsjthsd-h wrote:
| Erm. Are there _any_ laws that you're okay with, then?
| "Murder is bad", "People should get paid for the use of
| copyrighted works", Freedom of Speech, private property
| existing, the modern concept of a fair trial... every one
| of those is a value judgement.
| mindslight wrote:
| I'm sorry to break it to you, but you're really not.
| Commercial surveillance is exactly this imposition of
| value judgements onto people without their consent.
|
| I myself am a libertarian. A government is merely a large
| corporation that is impractical to opt out of.
| Conversely, corporations that are impractical to opt out
| of constitute de facto government. Data protection laws
| like the GDPR attempt to constrain the power of
| corporations so they don't rise to that level, which
| ultimately constrains the amount of government.
| thegrimmest wrote:
| A government is much more than a large corporation that
| is "impractical" to opt out of. They are the sole arbiter
| of legitimate force, and the sole entity that can govern
| your behavior in places you have a _right_ to be.
| Corporations are perfectly practical to opt out of, as
| demonstrated by the many people who _do_. Find me one
| person who doesn't pay taxes and doesn't go to jail. I
| know plenty of people who don't interact with FAANG at
| all. Corporations will never rise to the legitimate use
| of force. If they do, they'll be governments.
| mindslight wrote:
| > _They are the sole arbiter of legitimate force, and the
| sole entity that can govern your behavior in places you
| have a right to be_
|
| This fully depends on the definitions you choose.
|
| Imagine this: A company that owns a vast area of land.
| You agree to contract with this company in order to be on
| their land. This contract includes things like using
| physical force against you if you violate other terms
| spelled out in the contract (just as you can contract to
| have violence done to you at a BDSM club). The contract
| defines a technical term "right", the definition of which
| spells out some things you're positively allowed to do,
| and is somewhat harder to amend but not impossible. The
| terms allow you to sublease a bit of their land for your
| own use exclusive to every other customer. Your sole way
| to terminate this contract is to completely leave the
| company's land and pay off any balance you owe. Call this
| company USG and it is indistinguishable from the United
| States Government.
|
| > _Find me one person who doesn't pay taxes and doesn't
| go to jail_
|
| Most people who have under the table income and don't
| report it. Same as how it's often possible to get around
| breach of contract when your counterparty doesn't find
| out. Model vs reality. And note how similar the
| requirements for keeping your income unreported mirror
| the requirements for avoiding transitive association with
| a given corporation.
|
| > _I know plenty of people who don't interact with FAANG
| at all_
|
| 1. There are likely still surveillance profiles being
| kept on them. 2. It's hard to believe said people use the
| web for anything, given the prevalence of CAPTCHAs and
| embedding. 3. More entrenched than FAANG are Equifax and
| LexisNexis, which are even harder to distance yourself
| from. I'd say it's easier to renounce your citizenship of
| most countries than it is to avoid the worst of the
| surveillance companies.
|
| > _Corporations will never rise to the legitimate use of
| force_
|
| You keep using this word _legitimate_, which entirely
| depends on perspective. I would say that it is plainly
| illegitimate to throw someone in a cage for smoking a
| plant, and so calling government inherently legitimate is
| a bit dubious.
| yjftsjthsd-h wrote:
| It was a matter of decency first, but we're here talking
| about it because to varying degrees in varying
| jurisdictions it most certainly is law.
| thegrimmest wrote:
| Yes, and I'm suggesting these laws are unjust because
| they impose the values of some segment of people on to
| others. Leave people to associate as they see fit. Some
| groups will track you, some won't. You can choose which
| to patronize, on which browsers.
| leephillips wrote:
| Literally all laws "impose the values of some segment of
| people on to others", so according to your criterion all
| laws are unjust. I guess that's a form of anarchism, and
| you're welcome to it. For me, it's simply not an
| interesting way to think about justice and how society
| should be ordered, because it seems to be the end of a
| conversation, rather than the beginning.
| thegrimmest wrote:
| No, some laws and some rights merely provide a framework
| for peaceful coexistence. See negative vs positive
| rights.
|
| _...your right to swing your arm leaves off where my
| right not to have my nose struck begins._ -John B. Finch
| leephillips wrote:
| Are laws against theft unjust because they criminalize
| nonviolent forms of theft?
| thegrimmest wrote:
| Laws against theft are just because violence is a
| legitimate form of recourse against thieves. In order to
| surrender this right to violence, people need an
| alternative recourse. This furthers my point - since what
| we're talking about is basically gossip at scale, would
| you argue that violence is a legitimate form of recourse?
| leephillips wrote:
| Why is violence a legitimate form of recourse against
| thieves? Perhaps violence is so inherently evil that it
| is better to part with one's property than to protect it
| with force.
| capableweb wrote:
| > Now say John travels to another town, and the proprietor of a
| similar establishment in that town, wanting to provide John
| with the best level of service, calls you to ask "Hey, what
| does John like?", and you tell them.
|
| That's not how it works in the real world though. Why would a
| restaurant answer someone random calling them and asking what
| one of their regulars is typically ordering? I see no possible
| benefit in answering that question.
| pessimizer wrote:
| > Now say John travels to another town, and the proprietor of a
| similar establishment in that town, wanting to provide John
| with the best level of service, calls you to ask "Hey, what
| does John like?", and you tell them.
|
| You casually say this like it's obviously OK, and like it ever
| happens in the real world. If I'm doing business with you, and
| you investigate me to discover other people that I've done
| similar business with in order to ask them _what I like_,
| you're officially a creepy business.
|
| The reason this is a matter of creepiness and not law IRL is
| because no business with more than a couple of customers could
| manage to regularly do this. The internet is what provides the
| dragnets, and the ability to be creepy at scale.
| tgsovlerkhgsel wrote:
| The more you move from "your brain" to "database", the bigger
| the risk of abuse.
|
| If you keep it in your head, it's not going to be stolen or
| abused. If you put it in a notebook, the risk increases, but
| you at least aren't going to be doing this at a large scale,
| simply due to physical limitations.
|
| Various laws have different thresholds, but usually it's
| something like a "systematic collection of data" or "automated
| processing" (I think it's the latter for GDPR), which seems
| like a reasonable compromise to avoid hampering the low-risk
| small scale use cases.
|
| Edit, looked it up, this is the definition GDPR uses:
|
| _This Regulation applies to the processing of personal data
| wholly or partly by automated means and to the processing other
| than by automated means of personal data which form part of a
| filing system or are intended to form part of a filing system._
|
| So if you keep your database in a notebook, you're probably
| still fine, because the structure makes it impossible to do
| nasty things at scale. Once you switch to alphabetically sorted
| index cards, you've crossed the threshold.
| thegrimmest wrote:
| This is exactly what seems crazy to me. Why does augmenting
| my capabilities with technology arbitrarily subject me to
| additional regulation? I should either have a right to do
| something, or not have that right. That's what "inalienable"
| means. In this case an inalienable right to free expression.
| Macha wrote:
| A recognition that they're not going to be realistically
| able to stop the small business owner keeping customer
| preferences in a notebook and the cost/benefit of chasing
| after them is low should not preclude taking action when it
| gets scaled up to monitoring way more people in a way more
| pervasive fashion.
| pjc50 wrote:
| > Why does augmenting my capabilities with technology
| arbitrarily subject me to additional regulation?
|
| Augmented capability lets you cause more, newer and larger
| problems.
|
| We didn't have speed limits on the roads until humans
| acquired the technological capability to go faster, causing
| more fatalities.
| thegrimmest wrote:
| We've had laws governing public spaces and common rights
| of way for millennia. Governing what and to whom people
| can communicate, and what they are allowed to remember or
| record, that's the new thing I'm objecting to.
| leephillips wrote:
| Augmented capabilities are different capabilities. Your
| inalienable right to free expression only exists for
| certain definitions of expression. It does not extend to
| incitement to crime, revealing classified information,
| deceptive commercial speech, misleading investors in a
| public corporation, etc. You have (in my opinion!) an
| inalienable right to have a pistol, but not to have a
| hydrogen bomb.
| thegrimmest wrote:
| How would you derive exactly where the line should be
| between a pistol and a hydrogen bomb? If you can build
| one, you should be able to have one no?
| leephillips wrote:
| No, you should not. We draw the lines wherever we think
| we want them. If you think the line is in the wrong
| place, you bribe a legislator to move it, or vote, or
| something like that.
| foxfluff wrote:
| > I should either have a right to do something, or not have
| that right.
|
| Should you have the right to watch which direction I'm
| going when I pass by at an intersection?
|
| How about at the next intersection?
|
| And the one after that, and the one after that, and the one
| by my home, and all the ones that I happen to go by when I
| next leave and go somewhere?
|
| There's no single point at which passive observation turns
| into stalking but we still have laws against stalking and
| it's still perfectly ok and legal for you to watch where
| I'm going. If you understand why it's ok to look around you
| (and perhaps even take notes or draw what you see, snap a
| photo) but not OK to do that systematically around someone,
| you should also understand why we might want to restrict
| automated unwarranted and consentless data collection, even
| if taking some notes is OK.
|
| The other thing is scale. Laws against seemingly minor
| things are enacted when that thing becomes widespread
| enough to upset many people. You probably don't upset
| people too much by taking some notes in a shop. If every
| shop had a fleet of staff dedicated to the same thing, that
| probably would upset people and lead us to a similar
| discussion.
| leephillips wrote:
| Whatever the GDPR was supposed to accomplish, wouldn't it have
| been better to simply criminalize whatever the law imagines
| people should have to give "consent" to?
| jeffbee wrote:
| Are there privacy organizations that can stop themselves from
| putting out unhinged, frothing-at-the-mouth press releases like
| these? I'd like to be aligned with some privacy interests but I
| have absolutely no intention of associating with anyone who would
| write this.
| whoknowswhat11 wrote:
| Right - agreed - (you'll get downvoted here though - HN moving
| towards the reddit orthodoxy model vs the discussion model).
|
| It's super off-putting
|
| What about letting users control cookies browser side? No
| permission needed and total control.
| Nicksil wrote:
| >Right - agreed - (you'll get downvoted here though - HN
| moving towards the reddit orthodoxy model vs the discussion
| model).
|
| >It's super off-putting
|
| Nothing about any of your comments on this topic has
| demonstrated you're the least bit interested in having a
| discussion.
| whoknowswhat11 wrote:
| Nothing has made it seem like anyone actually looks at any
| of this themselves. I've been following this a while now.
|
| Open a new incognito window and go here:
| https://ec.europa.eu/info/privacy-policy/europa-analytics_en
|
| Do not click accept on anything.
|
| Check your cookies. Tracking cookies have been set before
| consent.
|
| Many on HN are ranting about how something like this is
| illegal or that the GDPR is easy. The answer is that the
| GDPR is NOT easy. That some would say that setting tracking
| cookies on landing without consent is not legal, others
| that it is, and the EU is all over on enforcement.
|
| If you browse an EU website, they track you without any
| explicit consent.
|
| I prefer this approach personally, all their websites used
| to have a modal pop-up, you could not move forward until
| you consented. Between phone, desktop etc etc, SO annoying.
| I'm sure it turned a lot of folks off GDPR, so they cheat
| with this to try and avoid annoying people (as many others
| do).
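
The check described in the comment above, as an added Python example (not part of the thread and not any participant's code): it takes the Set-Cookie headers from a first page load made with an empty cookie jar and no consent click, and lists persistent cookies whose values look like per-visitor identifiers. The header values, cookie names, fetch time and the identifier heuristic are constructed assumptions; the result is a list for manual review, not a compliance verdict.

```python
"""Audit the cookies a site sets on first load, before any consent click.

All header values below are constructed sample data, not a capture from a
real site. The identifier test is a heuristic chosen for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: Set-Cookie headers from one first response (empty cookie jar).
SAMPLE_SET_COOKIE = [
    "sessionid=8f2c1d; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_vid=3b9a7c0e5d1f4a62.1636131240; Max-Age=34128000; Path=/; Domain=.example.test",
    "consent=unset; Max-Age=31536000; Path=/",
    "_uid=c41e9b7720aa4f0b9d3e; Expires=Sat, 05 Nov 2022 16:54:00 GMT; Path=/",
    "lang=en; Max-Age=2592000; Path=/",
]
# Assumed time at which the sample response was fetched.
FETCHED_AT = datetime(2021, 11, 5, 16, 54, tzinfo=timezone.utc)


@dataclass
class CookieFinding:
    name: str
    lifetime_days: Optional[float]  # None means a session cookie
    verdict: str


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime_seconds(attrs, now):
    """Return the cookie lifetime in seconds, or None for a session cookie.

    Max-Age takes precedence over Expires (RFC 6265); malformed values are
    ignored, which leaves the cookie as a session cookie.
    """
    if "max-age" in attrs:
        try:
            return max(int(attrs["max-age"]), 0)
        except ValueError:
            pass  # malformed Max-Age: fall through to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(int((expires - now).total_seconds()), 0)
    return None


def looks_like_identifier(value):
    """Heuristic (assumption): long values with many distinct characters."""
    return len(value) >= 16 and len(set(value)) >= 8


def audit(headers, now):
    """Classify every cookie set by a pre-consent response."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        seconds = lifetime_seconds(attrs, now)
        if seconds is None:
            verdict = "session"
        elif seconds == 0:
            verdict = "expired"
        elif looks_like_identifier(value):
            verdict = "review"  # persistent and identifier-like
        else:
            verdict = "persistent-low-entropy"
        days = None if seconds is None else seconds / 86400
        findings.append(CookieFinding(name, days, verdict))
    return findings


def needs_review(findings):
    """Names of cookies a reviewer should look at first."""
    return [f.name for f in findings if f.verdict == "review"]


if __name__ == "__main__":
    for f in audit(SAMPLE_SET_COOKIE, FETCHED_AT):
        life = "session" if f.lifetime_days is None else f"{f.lifetime_days:.0f} d"
        print(f"{f.name:10} {life:>8}  {f.verdict}")
```
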
| Nicksil wrote:
| >Nothing has made it seem like anyone actually looks at
| any of this themselves. I've been following this a while
| now.
|
| This is you, mate. Look through your comments here;
| almost all are aggressive, confrontational, and toxic.
| Some of your comments make assertions with no supporting
| information and are subsequently dispelled. I can't tell
| if you're just trolling or are otherwise oblivious to
| your behavior. If you demand better discourse, practice
| it.
|
| >Open a new incognito window and go here:
| https://ec.europa.eu/info/privacy-policy/europa-analytics_en
|
| >Do not click accept on anything.
|
| >Check your cookies.
|
| "Incognito" mode (or whatever one's browser may call it)
| is irrelevant in this scenario. This mode of browsing
| simply eliminates a subset of browsing data upon exit.
| Such a mode is useful for quickly navigating to some
| website you don't want showing up in your history or
| maintaining a session and that's about it.
| whoknowswhat11 wrote:
| Sorry for not being clearer - I will try to spell things
| out better.
|
| "Incognito" mode (or whatever one's browser may call it)
| is irrelevant in this scenario."
|
| No it is not. When looking at what a website does, if you
| browse in your regular session you may be bringing over a
| very large cookie store, visit history, prior acceptance
| of cookie popups. The reason I suggest using a new
| incognito session is because you start these sessions
| fresh from a cookie perspective, and the site you are
| visiting should see you as a new user and re-prompt for
| cookie acceptance etc. Then you can easily see what they
| are doing.
|
| It's really actually interesting being lectured and
| yelled at by "experts" here. I think the GDPR is sort of
| a bandwagon thing at this point. A fair number of
| relatively uninformed folks on the issues / technical
| side jumping on and making a set of fairly strong and
| often uninformed claims?
|
| You literally have folks saying GDPR is not complicated,
| and literally on the same threads making plenty of
| contradictory claims (ie, totally illegal to not have a
| deny all button, totally banned to track before
| acceptance, ok to track before acceptance (default opt-in
| vs opt-out) etc.)
|
| The folks claiming GDPR is easy don't realize how big a
| consulting industry has sprung up to try and help folks
| trying to get it right. I mean, tracking rules for the
| cookie acceptance cookies - is like perfectly up these
| consultants thing because they make so much money off all
| this.
| [deleted]
| Nextgrid wrote:
| > What about letting users control cookies browser side?
|
| I've tried to explain why this isn't sufficient in another
| comment above: https://news.ycombinator.com/item?id=29122525
|
| TLDR: GDPR covers more than just cookies and restricting
| cookies does next to nothing when it comes to tracking (in
| fact modern browsers already do restrict cookies by default,
| which is a pain to deal with as it does break legitimate
| usage such as cross-domain SSO).
| whoknowswhat11 wrote:
| The issue though here is around consent pop-ups being found
| to violate the GDPR. I'm just pointing out that the pop-ups
| continue to be very complicated for folks to deal with. My
| understanding is that the cookie set by the consent pop-ups
| may now be classified as personal data, requiring a data
| controller, permissions etc. Or am I misunderstanding this
| latest twist? Shouldn't be hard to fix, but good lord if
| you are a smaller player.
|
| Just note, politically somehow cookies have become the big
| privacy boogeyman. Meanwhile personal data is harvested at
| HUGE scale (cable TV / smart TV/ ISPs etc) at least in the
| US without consequence. Ripoffs online are insane in
| quantity without much consequence. Major issues like DoS
| attacks go unaddressed and more.
|
| And because practically while the EU says ads and analytics
| are not essential, since for free websites they are in
| reality pretty essential, there is a lot of natural tension
| there.
|
| I am bummed about SSO issues now and modal cookie popups
| particularly on mobile etc.
|
| The other issue privacy folks are missing I think is
| focusing on this endless consent and reconsent on every
| website. I've seen data that 95%+ of folks click accept
| all. So you are delivering a product feature that annoys
| 95% of your target, it's a losing game.
|
| My own expectation, in long run this compliance overhead
| will help the mega platforms win out. They are the only
| ones (youtube / google / microsoft / apple etc) with the
| scale to really manage the years long investigations,
| million page doc requests etc. Ie, if you are going to put
| a video online, you are going to need to put it on youtube
| if you want anything analytic related to it.
|
| The other side is, vast folks ignore the law and just hope
| they won't be caught, or do a random (I accept) cookie
| popup and hope they are covered.
| skinkestek wrote:
| > The issue though here is around consent pop-ups being
| found to violate the GDPR.
|
| Pop ups don't violate GDPR.
|
| Making a system, pop up or otherwise, that is
| significantly harder to opt out of than opting into and
| then going on to pretending that users deliberately chose
| tracking however, that is a violation.
|
| The rules are simple: tracking is opt in. You have to
| convince users there's something in it for them.
|
| And, as someone who gave especially Google the benefit of
| doubt for the longest time I can testify that for me at
| least it did not result in relevant ads at all.
|
| Relevant ads would be:
|
| - local shops (I got two ads for local shops in a decade)
|
| - family cars (I bought three used ones during that
| decade, not a single Google ad that I can remember)
|
| - programming conferences
|
| - power tools
|
| - programming tools (one for Jetbrains tools five years
| ago, also a few for WordPress hosting after I searched
| for it.)
|
| - insurance
|
| - toys for kids
|
| - family holidays
|
| - etc
|
| What I got:
|
| - ads for scammy dating sites
| Nextgrid wrote:
| > consent pop-ups being found to violate the GDPR
|
| Consent pop-ups as a whole haven't been found to violate
| the GDPR. Specific patterns that certain consent pop-ups
| implement were determined to be in violation.
|
| > My understanding is that the cookie set by the consent
| pop-ups may now be classified as personal data
|
| I have re-read the press release and I don't see that
| anywhere. A cookie saying _consent=true_ is absolutely
| not personal data. The problem is that personal data was
| being collected without proper consent (the pop-up that
| was supposed to obtain the consent does not comply with
| the regulation).
|
| > politically somehow cookies have become the big privacy
| boogeyman
|
| This is partly a holdover from the previous ePrivacy
| Directive which very much focused on cookies. Consent
| management solutions (both compliant and non-compliant)
| were designed to address that. These consent management
| solutions are now being repurposed to comply with the
| GDPR and some may not have adjusted their wording and
| still incorrectly focus on cookies even though the GDPR
| covers data collection & processing regardless of the
| technical means of doing so (so it's no longer specific
| to cookies - you can perfectly breach the GDPR without
| setting a single cookie).
|
| > Meanwhile personal data is harvested at HUGE scale
| (cable TV / smart TV/ ISPs etc)
|
| This is something that the GDPR addresses. Unfortunately
| enforcement has been severely lacking.
|
| > the EU says ads and analytics are not essential
|
| Ads aren't technically forbidden. Non-consensual data
| collection for targeting is. You are still allowed to
| serve ads as long as they aren't targeted based on the
| user's personal data (you can still target based on the
| currently viewed page's content for example).
|
| Analytics are frankly not essential - you don't lose
| anything if only 10% of people opt-in for example. But
| even then, it is absolutely possible to implement
| analytics in a privacy-respecting way without relying on
| any personal data (and thus not require consent); for
| example a single hit counter that just increments an
| integer every time a button is clicked should not require
| consent. You'll only need consent if you tie that
| analytics event to a persistent user session.
|
| > since for free websites they are in reality pretty
| essential
|
| This is due to a lack of proper enforcement of the GDPR.
| At the moment the big players violate the GDPR, so any
| site that decides to respect it will lose out. If the
| GDPR was enforced and everyone was complying, the playing
| field will level out and either ad prices for non-
| targeted ads will go up (as very few people opt into ads,
| so this leaves a lot of inventory on the table that
| advertisers will suddenly want to capture) or services
| will start to ask for payments, normalizing non-ad-
| supported services.
|
| > I am bummed about SSO issues now
|
| That's a problem because the lack of (enforced)
| legislation around cookies made browsers delete them
| aggressively. It would've been better if legislation such
| as the GDPR was enacted (and enforced) sooner so that
| abuse of cookies could've been dealt with legally,
| leaving the concept of cookies itself as-is so it can
| still be used legitimately.
|
| > modal cookie popups particularly on mobile
|
| That's again due to the lack of enforcement. A proper
| consent flow should allow you to easily decline all
| cookies, or even better, just not be there in the first
| place because the website doesn't have to collect &
| process any personal data for non-essential purposes
| (just FYI, cookies essential to the functionality of the
| website don't require consent - a session cookie on login
| or for a shopping cart does not need consent).
|
| > The other issue privacy folks are missing I think is
| focusing on this endless consent and reconsent on every
| website.
|
| Again see above. Most of the annoying consent flows
| aren't actually compliant. The reason they're there and
| are annoying is to trick you into clicking accept (and to
| hate on the GDPR). Hopefully this ruling will force them
| to comply with the law which says that it should be as
| easy to decline as it is to accept.
|
| > I've seen data that 95%+ of folks click accept all
|
| See previous paragraph. That's the intention behind these
| non-compliant consent flows. If it's too difficult to
| decline then people will click accept all. On the other
| hand, when the flow is implemented properly such as
| Apple's App Tracking Transparency flow (which gives you a
| system-generated modal that allows you to accept or
| decline in one-click), the opt-in rate is in the single-
| digit percentages.
|
| > in long run this compliance overhead will help the mega
| platforms win out
|
| I am not sure. They are (well, were) currently winning
| because they are big enough to risk it, but the tide is
| turning with rulings such as this one. Facebook is in big
| trouble for example because their business model (which
| relies on mandatory, large-scale data collection) is at
| odds with the GDPR and they are trying to legalese their
| way out of it, unsuccessfully:
| https://noyb.eu/en/austrian-supreme-court-facebook-dismissed
|
| > if you are going to put a video online, you are going
| to need to put it on youtube if you want anything
| analytic related to it
|
| If you put a video online you can easily count the number
| of views by just analyzing server logs. What you can't do
| (and Google can't either) is track users to determine
| _unique_ views for example (as that would require
| assigning each user a persistent ID).
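
The log-based counting described in the comment above, as an added Python example (not part of the thread): it totals video views per day from access-log lines and keeps no client address, user agent or other per-visitor key, which is also why it cannot report unique viewers. The log layout (nginx combined format with the request's Range header appended via `$http_range`), the paths and the sample lines are assumptions constructed for the example.

```python
"""Count video views per day from access logs without any per-visitor key.

Assumed log layout: nginx "combined" with the request's Range header appended
("$http_range"). All log lines below are constructed sample data.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '             # client address matched, never captured
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" '       # referer and user agent discarded
    r'"(?P<range>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2021:16:54:01 +0000] "GET /media/talk.mp4 HTTP/1.1" 206 1048576 "-" "Mozilla/5.0" "bytes=0-"
203.0.113.7 - - [05/Nov/2021:16:54:09 +0000] "GET /media/talk.mp4 HTTP/1.1" 206 1048576 "-" "Mozilla/5.0" "bytes=1048576-"
198.51.100.20 - - [05/Nov/2021:17:10:44 +0000] "GET /media/talk.mp4 HTTP/1.1" 200 7340032 "-" "curl/7.79.1" "-"
198.51.100.20 - - [05/Nov/2021:17:11:02 +0000] "GET /media/intro.mp4 HTTP/1.1" 404 153 "-" "curl/7.79.1" "-"
192.0.2.55 - - [06/Nov/2021:08:02:13 +0000] "GET /media/talk.mp4 HTTP/1.1" 206 524288 "-" "Mozilla/5.0" "bytes=0-524287"
192.0.2.55 - - [06/Nov/2021:08:02:20 +0000] "HEAD /media/talk.mp4 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-"
not a log line
""".splitlines()


def is_view_start(method, status, path, range_header):
    """True for the request that begins a playback of a video file.

    A player fetches one file with many Range requests; only the request that
    starts at byte 0 (or has no Range header) is counted, so later chunks of
    the same playback do not inflate the total. A player that issues several
    requests starting at byte 0 is counted once per such request.
    """
    if method != "GET" or status not in ("200", "206"):
        return False
    if not path.split("?", 1)[0].endswith(".mp4"):  # assumed media extension
        return False
    return range_header in ("-", "") or range_header.startswith("bytes=0-")


def count_views(lines):
    """Return (Counter keyed by (ISO date, path), number of unparsable lines).

    Only the date and the path are stored. Nothing that identifies a visitor
    leaves this function, so the totals are plain hit counts.
    """
    views = Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1
            continue
        if is_view_start(m["method"], m["status"], m["path"], m["range"]):
            day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
            views[(day.isoformat(), m["path"])] += 1
    return views, skipped


if __name__ == "__main__":
    totals, bad = count_views(SAMPLE_LOG)
    for (day, path), n in sorted(totals.items()):
        print(day, path, n)
    print("unparsable lines:", bad)
```
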
| Nextgrid wrote:
| Could you elaborate on what you find problematic with their
| press release?
| deworms wrote:
| IAB isn't a privacy organization, it's an opposite of privacy
| organization.
| jeffbee wrote:
| The article link no longer leads to the unintelligible screed
| of the Irish privacy org.
| jan_Inkepa wrote:
| I'm slightly surprised by your comment. The release seems
| pretty factual to me? I too am sensitive to overwrought tech
| organisation prose (privacy/piracy/open source groups/basically
| _anything_ to do with Assange) but this seemed ok. What about
| it strikes you as particularly unhinged?
|
| The main word I can find that seems like it might be regarded
| as over-emotive is "plagued". Is it that kind of thing? [ OTOH,
| bad GDPR popups are pretty much a scourge... ]
|
| edit: oh I guess the stuff about advertising firms depriving
| people of their "fundamental rights" is yeah a bit over-
| wrought...(though privacy is important, at least to me, and I
| think it's ok for a civil liberties organisation to care a lot
| about it).
| whalesalad wrote:
| Aliens on other planets are observing the way we're bikeshedding
| cookie popups and laughing, then crying for us.
| tgv wrote:
| What a weird way of calling your opinion superior.
| Nextgrid wrote:
| Aliens (and any other sentient species intelligent enough)
| would cringe at how our species is expending insane resources
| to essentially waste our peers' time (by showing them ads) and
| trick them into buying things they don't actually need all
| while destroying our planet.
| Fnoord wrote:
| Not sure it applies to this one but what I regularly notice is dark
| patterns and default options which are opt-out (it has to be
| fully opt-in, even with defaults). Of course that is in breach of
| GDPR.
| ThePhysicist wrote:
| In 2018 I built a privacy-friendly open-source consent manager
| (https://github.com/kiprotect/klaro) which is used on many
| websites across Europe. From the beginning I never liked the IAB,
| didn't implement it and told people that I regard it as unlawful
| since e.g. a user cannot possibly make an informed decision that
| involves thousands of third-parties. Still many of our users kept
| asking me about it since it was "the way" to become compliant.
|
| So I finally asked the IAB how one could potentially implement
| their framework as an open-source framework. Their answer was
| basically that it's not possible. You have to register as a CMP
| provider and ensure that your users are using your software in
| their compliant (ha ha) way, which is of course impossible to
| enforce with an open-source software that everyone can self-host.
| In general, in my opinion the IAB is mostly a framework to shift
| liability from the advertisers who steal the users' data to the
| publishers and CMP providers. Therefore I'm quite happy we never
| got around to implementing this "feature" in our CMP, and I hope the
| IAB will quickly die and take all those alibi CMP providers down
| with them.
| em-bee wrote:
| could you point to an example of your actual consent form? i
| could not find any.
| ThePhysicist wrote:
| You can just follow the link to our website
| (https://heyklaro.com), we use the CMP there as well.
| enlyth wrote:
| Looks great design wise, but I still see some dark patterns
| like making the accept button green, and decline grey
|
| It's still preying on the psychology of users that have
| been taught for years that green = good, accept, happy
| path, things will work
|
| If you look at something like Apple's consent which has "Ask
| app not to track" and "Allow tracking" (can't remember
| exact phrasing), the binary choice is presented in a fair
| and equal way which makes you actually think about what
| you're pressing, because there's no clear "right" choice
| they want you to press unconsciously
|
| Edit: I understand though, you have a paid product, you
| boast about your acceptance rates as part of your marketing
| strategy, and no company is going to pay for something that
| decreases their ability to track users.
|
| I've been in the same position as a developer where I'm
| asked to implement the maximum amount of obtrusiveness to
| coerce people to accept tracking, like overlays with the
| famous 'body { overflow: hidden }', because our marketing
| departments start to go ballistic when they can't track
| every single user's every move. It just makes me sad
| sometimes that this is what we're dedicating our time to.
| spurgu wrote:
| > Looks great design wise, but I still see some dark
| patterns like making the accept button green, and decline
| grey
|
| Since all the other consent forms are like this it makes
| sense to not change the established standard. I would for
| sure misclick, since I've by now gotten this dark pattern
| ingrained (I automatically go for the grey button).
| [deleted]
| lrem wrote:
| This looks _really_ good.
| stavros wrote:
| Ugh, finally a consent manager with an "I decline" button. I
| can't believe how rare they are.
| jacquesm wrote:
| The IAB is the fox guarding the henhouse. It always was a paper
| thin figleaf and you're a hero for doing your part to expose
| that.
| sdoering wrote:
| I am a user of klaro.js and just wanted to express my thanks
| for the work you do.
|
| One question, that arose though is how one would fulfill the
| requirements of GDPR regarding the logging of consent as a kind
| of 'paper trail'. As I understand the requirements one would
| need to store some form of identification (like an arbitrary
| ID, the time and scope of consent and also store this for the
| user or on their machine). I understand how this could work for
| email opt ins. But consent on a web page?
|
| I always wonder.
| ThePhysicist wrote:
| Thanks! So documenting consent can happen directly in the
| users' browser, this is also GDPR & ePrivacy compliant. Those
| legislations don't require server-side storage of consents,
| it's another myth propagated by CMP providers to sell
| subscriptions.
|
| Storing consent server-side only makes sense for identified
| users (e.g. those that are logged in on your site) as there
| you actually have something that you can link the consent to.
| For an anonymous user that e.g. has a Google Analytics ID
| stored in the browser you'd have to store a link to that ID
| on the server-side as well in order to link it to the
| consent, and that is not privacy-friendly. Storing IP
| addresses also isn't a good idea as you're again creating
| more privacy risks for the user than necessary.
| whoknowswhat11 wrote:
| Is this really the case?
|
| The key is that the data controller be able to demonstrate
| AND RECORD that consent was received. If I clear my
| cookies, how does data controller prove consent?
|
| "keep a record of consent statements received, so [the
| controller] can show how consent was obtained, when consent
| was obtained and the information provided to the data
| subject at the time ... [and] also be able to show that the
| data subject was informed and the controller's workflow met
| all relevant criteria for a valid consent."
|
| With that guidance in mind, and from a practical
| standpoint, consider keeping records of the following:
|
| The name or other identifier of the data subject that
| consented; The dated document, a timestamp, or note of when
| an oral consent was made; The version of the consent
| request and privacy policy existing at the time of the
| consent; and, The document or data capture form by which
| the data subject submitted his or her data."
|
| Just seems like some huge liability here if you didn't
| record the required elements in a manner that allowed you
| to produce them. Does GDPR allow me to requisition my users
| devices if I'm investigated?
|
| Of course, we are told GDPR is "easy".
| Sephr wrote:
| If you clear site data for a site tracking anonymous
| consent, you've cleared your consent. No records
| necessary unless you are linking consent to user accounts
| stored on your backend.
| throwaway14356 wrote:
| but it is. either stay under the radar or just stop
| gathering data that you don't need.
| ThePhysicist wrote:
| The consent and the data collected via the consent need
| to be linkable. That's why it makes sense to store
| consent records for identified users on the server-side,
| because you "know" the user in that case.
|
| For pseudonymous users, e.g. those you track via a Google
| Analytics cookie you don't know who the user is and you
| (hopefully) can't reidentify them without the Google
| Analytics cookie. Since the cookie is stored in the
| users' browser it makes sense to also store the consent
| record there. If you would store that consent record on
| the server-side you'd still need a cookie in the users'
| browser to link the consent record to them.
| Fnoord wrote:
| > The consent and the data collected via the consent need
| to be linkable. That's why it makes sense to store
| consent records for identified users on the server-side,
| because you "know" the user in that case.
|
| Yup, this is why a lot of websites try to lure you into
| logging in to the website to enjoy the full content (they
| won't tell you this is the reason, of course).
| tomjen3 wrote:
| As an EU citizen, what is the point of the consent forms? Are
| there really that many people who click accept?
| dmitriid wrote:
| When presented in a clear manner with Accept/Decline, the
| absolute vast majority of users will click decline.
|
| So the leeches at IAB, OneTrust and everyone else employ a
| variety of dark patterns to make the user just click
| "Accept".
| frankzander wrote:
| Yeah ... dark patterns - it's always blue what you should
| click
| Macha wrote:
| Yes, years of computer use have conditioned users to just
| click the box to make the dialog go away. Add to that the
| minimising language and "make our products better" language
| the form's presentation is couched in and the dark patterns
| to make opting out hard, I think most users accept.
| lrem wrote:
| Apart from everyone being trained to accept everything, some
| people genuinely enjoy the "share this" buttons and so on.
| Nextgrid wrote:
| I like that your solution actually handles loading the third-
| party libraries and only does so after consent has been given,
| so that if a user opts out absolutely _no_ data (not even a DNS
| lookup) is sent to the third-party.
|
| A lot of consent management solutions appear to load the third-
| party scripts regardless and only focus on cookies, even though
| the real danger is IP-based tracking and browser fingerprinting
| which doesn't depend on cookies or any persistent data being
| stored (they've adapted as modern browsers heavily restrict
| cookies).
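
Added example, not part of the thread and not Klaro's code: a sketch of the two ideas discussed above, a consent record kept only in the visitor's browser (timestamp, policy version, per-purpose choices) and third-party scripts that are requested only after a stored opt-in. All names (CONSENT_KEY, POLICY_VERSION, SERVICES, the example.* URLs) are assumptions; storage and script loader are injected so the code runs under Node as well as in a browser.

```javascript
// Hypothetical names throughout; this is an illustration, not a real CMP's API.
const CONSENT_KEY = 'consent-record';
const POLICY_VERSION = 3; // bump whenever purposes or vendors change

// Constructed sample services: each third-party script is tied to one purpose.
const SERVICES = [
  { name: 'analytics', purpose: 'statistics', src: 'https://analytics.example/a.js' },
  { name: 'share-buttons', purpose: 'social', src: 'https://social.example/s.js' },
];

// In-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
    removeItem: (key) => { items.delete(key); },
  };
}

// Write the record client-side only: no user ID, no IP, nothing sent to a server.
function saveConsent(storage, purposes, now = new Date()) {
  const record = {
    version: POLICY_VERSION,
    timestamp: now.toISOString(),
    // Only an explicit `true` counts as opt-in; everything else is stored as false.
    purposes: Object.fromEntries(
      Object.entries(purposes).map(([name, value]) => [name, value === true])
    ),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Return the stored record, or null when it is missing, corrupt, or was given
// for an older policy version (in which case the user must be asked again).
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    return null;
  }
  if (record === null || typeof record !== 'object') return null;
  if (record.version !== POLICY_VERSION) return null;
  if (record.purposes === null || typeof record.purposes !== 'object') return null;
  return record;
}

// Request a third-party script only if its purpose was opted into. Without a
// valid record nothing is requested at all, so no DNS lookup or IP disclosure
// to the third party happens before consent.
function applyConsent(storage, services, loadScript) {
  const record = readConsent(storage);
  const loaded = [];
  for (const service of services) {
    if (record !== null && record.purposes[service.purpose] === true) {
      loadScript(service.src);
      loaded.push(service.name);
    }
  }
  return loaded;
}

// Browser loader: the <script> element is created only at this point, never
// shipped in the page's HTML.
function domLoader(src) {
  const el = document.createElement('script');
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}
```

In a page this would be called as `applyConsent(window.localStorage, SERVICES, domLoader)`; clearing site data removes the record, which puts the visitor back in the "nothing loads" state.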
| aboringusername wrote:
| It deeply saddens me that for all of the greatness humanity is
| capable of we're still dealing with pop-ups and "cookies" when
| the solution is obvious and should have been in place years ago
| (and the current situation has ruined the modern web because
| "senator we sell ads")
|
| All you need is to build this in to devices sold in EU - iOS,
| Android, Windows...Each give you privacy controls at the OS layer
| that applications _must_ respect, on the browser level, this may
| be a "reject tracking and cookies". Boom. Done. All EU websites
| will be required to check for this API and their JS code must be
| plain to see for any visitor using the "view source" option.
| Going forward, we can build privacy controls at the _technical_
| layer, so regardless of the 'stack'/'layer' software and hardware
| is built with GDPR in mind. We are still a long, long way away
| from that reality and truthfully, we will likely not be there for
| many decades.
|
| Sadly, it seems this "cookie" debacle is one that is more society
| based than technical, and it's obvious cookies should probably be
| replaced by now with better solutions.
|
| Maybe the GDPR might finally yield some positive changes but I
| remain doubtful. The industries it wants to disrupt have powerful
| lobbyists (hence why most right to repair legislation doesn't
| dare challenge Apple, for example).
| tomjen3 wrote:
| We already have that: Browsers should be required to ask for
| permission to set cookies and websites should respect that.
|
| If you do that today, you will never get past the GDPR popups.
| AshamedCaptain wrote:
| The point of the cookie warning was not to give users the
| option to disable cookies (although giving the option to users
| that are not familiar with their UA is also a nice side
| effect).
|
| The point was to force websites using cookies for "dubious"
| tracking purposes to be forced to show the banner as a mark of
| shame so that users would naturally migrate to websites not
| spying on their users and therefore not showing such banners.
|
| Obviously, this universe being the dystopia that it is, every
| website started showing these banners overnight and users
| started ignoring them anyway.
|
| If you just enforce all browsers to ignore cookies period, then
| you have another X-Do-Not-Track-Me scenario (or whatever it was
| called), where everyone just sets this flag and therefore
| tracking continues, just using other methods.
| Nextgrid wrote:
| I guess the misconception about GDPR and cookies is still
| around. Presumably it's due to the earlier ePrivacy Directive
| (aka "cookie law") which I agree is completely stupid, but GDPR
| covers more than just cookies.
|
| The GDPR mandates that data subjects provide informed consent
| before you are able to collect and/or process their personal
| data for non-essential purposes (ads & analytics don't count).
|
| The technical means you use doesn't matter. It can be cookies,
| but it can also be browser fingerprinting or IP addresses
| (which you can't deny as the remote server needs to know your
| IP to communicate with you), or it can even be information you
| manually enter (such as name & address for payment processing).
|
| A purely technical solution will only cover the black & white
| case of "provide the data or not", it will not cover more
| nuanced cases where you need to provide the data for essential
| purposes (the IP so you can load the website, personal details
| for payment processing) but do not wish this same data to be
| used for other, non-essential purposes. A legal solution here
| is needed and that's what the GDPR is about.
| JackWritesCode wrote:
| And if you're serving those pop-ups from US-controlled servers
| (even if they're in the EU), you're violating the Schrems II
| ruling.
| [deleted]
| mcguire wrote:
| Note for those of us who were confused:
|
| IAB Europe is some kind of advertising/marketing thing.
|
| No relation to the Internet Architecture Board.
| ushakov wrote:
| The most ridiculous are those "legitimate interest" checkboxes,
| which you have to uncheck manually one by one
|
| https://imgur.com/a/LIPUfCQ
| Macha wrote:
| In the last 3 months some "innovative" CMPs have also added the
| feature to have to click into a more info box per purpose to
| find the legitimate interest checkbox to untick.
| yissp wrote:
| But of course there's a convenient button to accept all of
| them.
| therealmarv wrote:
| exactly... they should be opt-in and not opt-out
| ushakov wrote:
| they also should not lie about "legitimacy"
| mhils wrote:
| Legitimate interest being opt-out makes sense, for example
| for fraud prevention. I absolutely agree though that adtech
| often blatantly claims they would have a legitimate interest,
| whereas they should ask for (opt-in) consent.
| atleta wrote:
| No, it doesn't make sense, because if it would be
| legitimate interest then they wouldn't have to ask for
| consent. That's the very point of legitimate interest. You
| can say that they are being nice, but it's obviously not
| the case and also would make no sense. You either claim
| that you are collecting data because it's your legitimate
| interest or you ask for permission. What they are hiding
| here is what you say: make some of their cookies opt-out.
| thecopy wrote:
| They don't need to ask for consent for legitimate
| interest, that is why they are opt-out (default on) as
| opposed to the consents which are opt in (default off)
| lucumo wrote:
| An opt-out for legitimate interest makes no sense. You
| either need it for a purpose or you don't. A typical
| legitimate interest is fraud detection. Being able to
| opt-out of that would defeat the purpose.
| desas wrote:
| If they're actually legitimate they don't need to ask for
| consent, they are two separate lawful bases for processing
| data.
| jacquesm wrote:
| They're not.
| thecopy wrote:
| They are (according to GDPR.)
| eitland wrote:
| Exactly: legitimate interest is an actual thing, but it
| doesn't cover > 500 third parties which is what I have found in
| these boxes (I selected all and processed them in Libre Office
| or something).
| jacquesm wrote:
| And none of which have an actual legitimate interest.
| friendzis wrote:
| As has been said since first days of GDPR.
|
| GDPR requires explicit consent and childish excuses like "your
| continued use implies ..." not only does not count, but does not
| exist as a concept.
| panic wrote:
| The site appears to be down for me right now. Here's the post
| from IAB Europe: https://iabeurope.eu/all-news/update-on-the-
| belgian-data-pro...
|
| And another article on the topic:
| https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...
| therealmarv wrote:
| lol'ed at TechCrunch... first I have to accept all to read the
| article...
| tlamponi wrote:
| FWIW, here's an archive link for the original url:
| http://archive.is/lazAg
| dang wrote:
| Ok, we've changed to the latter from
| https://www.iccl.ie/news/online-consent-pop-ups-used-by-
| goog..., which is currently down. Thanks!
| mpweiher wrote:
| This is fantastic news!
|
| In my layperson's knowledge of GDPR, these awful consent popups
| always seemed completely illegal:
|
| 1. They prevent access without a lengthy/arduous process.
| Certainly in violation of the spirit of the legislation and
| almost certainly also the letter.
|
| 2. This was of course entirely intentional, in order to annoy
| users into clicking yes and laying blame on the GDPR
| "The GDPR made us annoy you". It doesn't.
|
| 3. They often do not allow a single click deny, you have to go
| through sometimes dozens of vendors and deny them one-by-one.
| This is so obviously illegal it isn't even funny.
|
| 4. What's worse, if they _do_ have a "Deny all" button, it's
| almost certainly there to trick you. Because
| they have essentially the same list of trackers duplicated under
| the "legitimate interest" category. Which "Deny all" won't
| catch. You have to "object" to the legitimate interest. So if
| you hit "Deny all", you will instead be tracked by all.
| This is so brazen it's almost breathtaking.
|
| Anyway, good to see progress on this front. The ad-industry is
| still in deep denial about GDPR, thinking that they can continue
| their business model in the face of it. They can't. Their
| business model is illegal, and has been since GDPR came into
| force.
|
| The conflict has been brewing for some time now, weaving its way
| up through the channels.
|
| Exciting times.
| whoknowswhat11 wrote:
| Haha... What a joke.
|
| Go to the EU's own website.
|
| https://europa.eu/european-union/index_en
|
| They used to stick this pop-up at the top. Now thankfully they
| skirt the law by letting you use website, while giving you
| cookie options at the bottom.
|
| Even though you claim "This is so obviously illegal it isn't
| even funny." they don't have a deny all button.
|
| I've come to realize that 99% of the "expert advice" is
| basically bogus on GDPR.
|
| But go ahead with the ranting.
|
| The GDPR is one of the Kafkaesque laws that even the supposed
| experts don't understand (and change based on political whim
| and target). I always understood it as a hammer to basically go
| after folks that annoy the EU.
| LogonType10 wrote:
| You can't make someone understand something when their salary
| depends on them not understanding.
| akvadrako wrote:
| That GDPR popup seems fine. It's allowed to require some
| cookies. It would only be a problem if they tracked you
| before you clicked "Accept All".
| whoknowswhat11 wrote:
| We are being told
|
| "They often do not allow a single click deny, you have to
| go through sometimes dozens of vendors and deny them one-
| by-one. This is so obviously illegal it isn't even funny."
|
| The site sets two cookies on landing regardless of any
| clicks anywhere.
|
| Edited because I can't reply:
|
| There are lots of lies being told on this discussion. The
| EU websites track you even if you don't hit accept. It's a
| 13 month cookie.
|
| Go here:
|
| https://ec.europa.eu/info/privacy-policy/europa-
| analytics_en
|
| " When opening a page where Europa Analytics is enabled,
| the browsing experience is registered by the service.
|
| If you refuse cookies, you will also stop the Europa
| Analytics service. If you choose, though, to contribute
| your browsing experience on our websites as part of the
| anonymous statistics, you will enable us to significantly
| improve the performance of our communication, its outreach
| and its cost-efficiency."
| akvadrako wrote:
| Setting cookies is fine according to the GDPR. It's
| tracking cookies which are of relevance.
| whoknowswhat11 wrote:
| I went to their website in incognito mode.
|
| https://ec.europa.eu/info/privacy-policy/europa-
| analytics_en
|
| Before accepting any cookies I got a _pk_id cookie
| expiring in 13 months.
|
| They are clear this is what will happen.
|
| Just check it for yourself before you listen to the lies
| / blather you read here.
|
| The EU's own websites track you on first landing.
|
| Note - I have been following this. They used to do a
| blocking cookie pop-up. This actually had nothing set on
| pop-up, but blocked you from using their websites until
| you gave consent or denied it.
|
| The problem was, these required cookie popups are so
| annoying that many folks have (perhaps illegally) moved
| to the EU's new model, where they stick it at the bottom,
| they set the cookies, and if you just use the website you
| get them.
| Nextgrid wrote:
| > until you gave consent _or denied it_ [emphasis mine]
|
| That seems fine. Not the greatest UX but as long as
| you're able to decline it should be compliant.
| whoknowswhat11 wrote:
| I'm not giving a legal opinion, but some say that
|
| "Consent must be freely given, specific, informed and
| unambiguous."
|
| So a question remains, if you give someone the option to
| decline to be tracked, is that enough? Or do you need
| actual consent?
|
| The EU website is doing the tracking with option not to
| be. Other experts say you really should have consent
| first before doing any tracking.
|
| Anyways, not giving my opinion on which is right, just
| that there are different views, and even EU does it in
| ways I think that folks here do not understand.
|
| The one thing, the EU sites are extremely CLEAR about
| things, I do like that.
| emn13 wrote:
| There are multiple ways to satisfy the requirements, but
| that's hardly Kafkaesque. It's simply convenient for the ad
| business to pretend the rules are incomprehensible, because
| they'd really rather not understand them.
|
| I'm sure there are real problems with the GDPR (e.g. perhaps
| how and particularly where it's enforced, and how it favors
| large business over small, and that there aren't enough
| practical exemptions for small-scale data collection), but
| the fact that there's no reasonable and clearly legal
| loophole for the ads/tracker-business isn't one of them.
| That's not Kafkaesque, that's by design.
| deworms wrote:
| The rules are actually very simple, you have to obtain a
| clear, explicit consent given out of a user's own free will
| to track him, or you're breaking the law. Don't like it?
| Tough luck.
| ethbr0 wrote:
| "Do not track", set once and effective until changed, should be
| the legal end all, be all.
|
| I have signalled my default intent, and I have not changed it.
| Respect it.
|
| Of course, the ad industry is hell-bent on preventing anything
| convenient.
| Ekaros wrote:
| It should be other way around. Some browser addon like "Do
| track". Which would explicitly allow tracking. In all other
| cases no tracking.
| dmitriid wrote:
| Do Not Track was removed from browsers because it was used
| for ... fingerprinting browsers and tracking
| mnw21cam wrote:
| Yeah, I still don't quite get the argument against do not
| track, and why its clear declaration of intent couldn't be
| made binding. I mean, you're effectively telling web sites
| "Do not track me", and they are responding with "Hi, we'd
| like to track you - please spend ten minutes working through
| our dark patterns if you're not OK with that".
| Nextgrid wrote:
| They obviously wouldn't want to just comply with DNT (or
| any other easy way to opt-out) as they'd be signing their
| own death certificate.
|
| Instead they exploited the apathy & incompetence of the
| regulators with their so-called "consent" flow. Considering
| the GDPR was supposed to be enforced since 2018 and they've
| made it to 2021 without any consequences I'd say that
| strategy paid off.
| scatters wrote:
| Unfortunately, DNT is not a clear declaration of intent,
| because privacy evangelists view it as their moral duty to
| make that decision for everyone.
|
| It's an inconvenient fact that - perhaps a decade ago - we
| _had_ DNT, and advertisers were starting to respect it, but
| then browser makers decided to default it to on, making it
| pointless.
| TheCoelacanth wrote:
| Defaulting to no tracking is the correct default for
| advertisers that are respecting GDPR. If someone wants to
| be tracked, they can opt in by turning it off.
| guitarbill wrote:
| "Browser makers" - you mean Microsoft in IE10? Were there
| any other browsers that did this? And what did privacy
| evangelists have to do with it?
|
| I'm not sure that was the sole downfall; DNT also had no
| teeth because it couldn't really be enforced.
| deworms wrote:
| Why shouldn't the default be to not be tracked, and only
| start being tracked if you explicitly want to?
| Advertisers always frame this conflict as though it's
| absurd to expect them to just stay out of our lives, and
| anything that makes it easy or default to avoid them
| should be rejected as impossible.
| ethbr0 wrote:
| The perfect is the enemy of the good.
|
| There's a _lot_ of money in advertising.
|
| The feasible choices are between (a) DNT, off by default,
| that the more responsible and regulated side of the ad
| industry respects or (b) DNT, on by default, that
| everyone ignores.
|
| Which one is the greater good?
|
| In other words, you're welcome to walk up to me, slap me
| in the face, and call me a son-of-a-bitch... but that's
| probably not a great start to a conversation that ends
| with "Would you please work with me on this?"
| deworms wrote:
| They didn't respect that, though.
|
| And no, I don't want to "work on this", I want to not be
| tracked by default.
| gpvos wrote:
| Yet default-on is the only reasonable default setting.
| tomjen3 wrote:
| Not pointless. We know that most people are not okay with
| tracking (the opt out on iPhones are 90+%), so the right
| setting is to be on by default.
|
| However while the ad industry might be okay with a few
| nerds opting out they weren't okay with most of the
| general public opting out and so they spread stories like
| the one you repeated.
| scatters wrote:
| To get to 90%+, Apple had to present their users with a
| forced choice. The majority of users might prefer not to
| be tracked if they're put on the spot and required to
| give an answer, but how many would actually go to the
| trouble of changing a default?
| Zarel wrote:
| You're very close, but I think "browser makers" makes it
| sound like it was more than one. Microsoft Internet
| Explorer defaulted it to on. Every other browser was in
| agreement that it would only get advertising industry
| buy-in if it was defaulted to off.
|
| I think Microsoft's default-on stance was likely
| intentional sabotage - Google operates a big ad network
| and would have to deal with a lot of the fall-out.
| tomjen3 wrote:
| The EU wisely chose not to dictate the technical means for
| which consent is to be given.
|
| Unfortunately they didn't specify that it should be up to the
| consumer how they wanted to signal their intent and not the
| website.
| PaulKeeble wrote:
| I have also seen some sites that are also using a pattern where
| you either accept their tracking of you or you can't use the
| site at all, they just block the content or send you to a
| useless site. That isn't legal either, consent has to be
| something people actively give and not giving it can't be a
| reason to reject service. Quite a lot of gyms are getting this
| wrong in regards fingerprints, they don't get to force that
| mechanism on you and deny you access if you won't provide it.
|
| When the legislation first came in I reported about 100
| websites that were breaking the law in obvious ways, they are
| still like that and the ICO hasn't even responded to those
| complaints.
| Nextgrid wrote:
| This has been my experience as well - the complaints take
| lots of time to write and manage (you have to first complain
| to the company and give them 30 days to respond, etc) and in
| the end the ICO was completely useless anyway.
| dmitriid wrote:
| > This was of course entirely intentional, in order to annoy
| users into clicking yes and laying blame on the GDPR
|
| And this worked. Even on HN an awful lot of people blame the
| prevalence of cookie banners and consent forms on GDPR, and
| call GDPR a stupid law.
| JCWasmx86 wrote:
| Fantastic news!
|
| Sadly the majority of cookie "consent" banners is still in breach
| of GDPR.
| indymike wrote:
| Next headline: the web, email and computers in general declared
| in breach of GDPR.
| whoknowswhat11 wrote:
| Good lord.
|
| Now the consent pop-ups are a violation.
|
| Are we going to have pop-ups for the pop-ups next in Europe?
|
| Kind of funny.
| brtkdotse wrote:
| Or you could, you know, not track your users.
| havkd wrote:
| Good luck making any money if you can't show relevant ads to
| users. But who cares about business owners. Certainly not the
| EU.
| tomjen3 wrote:
| Write about tree, show an ad for outdoor shoes.
|
| I mean I will still block it, but most people wouldn't.
| C19is20 wrote:
| And, indeed - good luck to you.
| Nextgrid wrote:
| Good luck making money as a shitty restaurant that doesn't
| care about food safety and hygiene. But who cares about
| restaurant owners. Certainly not the EU.
|
| Snark aside, if you can't make money without stalking
| users, maybe you shouldn't be in business.
| whoknowswhat11 wrote:
| Is GDPR coming to restaurants somehow? Oh god! This
| really is getting worse and worse. Is this for things
| like remembering your favorite orders etc? I could see
| some GDPR arguments there. What if a waitress just
| remembers your orders in their head - will they need a
| consent form? If they put it in their CRM / sales system?
|
| The issue folks have is many users if given a choice,
| will take the free service (instagram / tiktok / free
| gmail) in return for being tracked if they are given a
| choice.
|
| Feel free to start up the business that doesn't do this
| (protonmail etc). But MAJOR services are built the other
| direction (ie, billions of users worldwide).
| Nextgrid wrote:
| > If they put it in their CRM / sales system?
|
| Yes, this would be covered by the GDPR and for good
| reason. If I join tonight's waiting list and provide a
| phone number in case they suddenly have a table become
| available I do not want that phone number to be reused
| for marketing spam down the line.
|
| > The issue folks have is many users if given a choice,
| will take the free service [...] in return for being
| tracked if they are given a choice.
|
| Apple's recent App Tracking Transparency stats suggest
| that when given a free choice, only 4% of users actually
| opt-in:
| https://appleinsider.com/articles/21/05/07/only-4-of-ios-
| use...
|
| So clearly, when given the choice, most people would
| rather not be tracked. The problem the GDPR is trying to
| address is that people are not given the choice.
|
| > But MAJOR services are built the other direction
|
| There were plenty of businesses in the past that were
| built on basics that we now deem harmful. Back in the
| early 20th century, it was legal to sell _radioactive_
| water and market it as a miracle cure:
| https://en.wikipedia.org/wiki/Radithor
|
| Society has since determined this is harmful and outlawed
| that. The same thing is currently happening with
| environmental pollution, and the GDPR is trying to do the
| same for noxious business models on the web.
| deworms wrote:
| I don't want advertisers and people who rely on tracking to
| stay relevant to survive.
| whoknowswhat11 wrote:
| Even the EU's own website uses cookies.
|
| https://europa.eu/european-union/index_en
|
| Most users don't care about a session cookie or whatever. In
| fact for some sites / SPAs etc where users are behind NATs
| or CGNATs they are pretty needed / useful. Or if the website
| is being hosted behind a load balancer, you can do a sticky
| session with the cookie, and many more uses.
| tchalla wrote:
| There's a simple way to opt-out
|
| https://europa.eu/european-union/abouteuropa/privacy-
| policy/...
| stan_rogers wrote:
| Session cookies (and other cookie types that are _actually
| necessary_ for proper site functioning) do not require, and
| never have required, consent. It's all of the other crap
| that does.
| whoknowswhat11 wrote:
| Do you understand that even if you don't click accept, if
| you browse the EU's own websites, they track you?
|
| https://ec.europa.eu/info/privacy-policy/europa-
| analytics_en
|
| The anti-google / pro-gdpr stuff is almost religious
| orthodoxy now in terms of its unwillingness to evaluate
| facts.
| timeon wrote:
| Anonymized Matomo tracking strips parts of the IP address -
| it is not so precise but it does not track you across
| those sites. So they have some kind of page counter but
| it is not the same as full analytics.
| whoknowswhat11 wrote:
| They are not doing that. Matomo anonymous IP is separate
| (and google and others use similar features).
|
| They claim no cookie consent is needed because:
|
| * tracking cookies are not used
|
| * the data is not used for any other purpose than
| analytics
|
| * a user cannot be tracked across days within the same
| website
|
| https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-
| anal...
|
| Reality is EU website sets a 13 month cookie, they
| clearly explain they will track a lot of data about you.
|
| Anyways, some folks here claim that just using things for
| analytics is NOT an allowed exception to GDPR notice
| rules. I mention this to just again show that GDPR is not
| simple (despite claims here that it is "so easy").
| Nicksil wrote:
| >Do you understand that even if you don't click accept,
| if you browse the EU's own websites, they track you?
|
| >https://ec.europa.eu/info/privacy-policy/europa-
| analytics_en
|
| >The anti-google / pro-gdpr stuff is almost religious
| orthodoxy now in terms of its unwillingness to evaluate
| facts.
|
| No, you can set your browser's do not track preference
| and this website will honor it (among the vanishingly few
| who do).
| whoknowswhat11 wrote:
| Again, this illustrates how badly understood and hard
| GDPR is.
|
| Browser preferences are opt-out currently, i.e. users have
| to go set some flag. The GDPR requires informed
| affirmative consent.
|
| "Consent must be freely given, specific, informed and
| unambiguous."
|
| So having a website that tracks you unless you set some
| browser flag is not enough. Many folks say that you need
| specific consent to track. That is why there are so many
| pop-ups on EU websites.
| Nicksil wrote:
| >Even the EU's own website using cookies.
|
| What's the argument here?
|
| >Most users don't care about a session cookie or whatever.
|
| Where did you hear this? Most users don't know what a
| cookie is.
| Nextgrid wrote:
| The fact that it took so long clearly demonstrates the
| incompetence (or potential conflicts of interest?) of the
| regulators, but better late than never. I guess they could no
| longer maintain their charade under the pressure
| of various pro-privacy organizations.
|
| Note that even then this seems to be just a ruling and actual
| consequences are still dependent on individual regulators. Given
| their prior lack of action it will presumably take years before
| we see any fines resulting from this.
___________________________________________________________________
(page generated 2021-11-05 23:01 UTC)