The practical effect of GDPR seems to me that I have to click away about half a dozen consent popups every day. Sometimes a cookie warning in addition to that.
If I use Private Browsing (to protect my privacy) I am punished with more popups. If I open a website within a browser shell on mobile that doesn't have my cookies (some kind of webview of an app), I am punished with more popups.
Am I expected to look at every one of those dialogs and figure out what I have to click to "customize" my tracking?
Then there are the technical problems; one of those consent "solutions" that you see around actually shows a spinner while your "preferences are being saved". Sometimes it never closes.
I am frankly already so tired of this that I don't even care to look which of the buttons says "Agree" and which one says "Refuse". I just click on whatever I see. I know for certain that for less experienced users (my parents), every additional button to click is just another hindrance to achieving what they need to do. The thought "what if I click the wrong thing" is a permanent companion of their computer use.
These are very real, very concrete negative effects of GDPR. Is there something that we gained to make me feel better next time I am annoyed with all the popups?
> These are very real, very concrete negative effects of GDPR
Your annoyance is misplaced. Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy. We built massive amounts of technology infrastructure that just assumed that privacy and tracking wasn't an issue. Why do these websites need all these cookies in the first place? If I'm visiting a random blog with no advertising on it, why is it asking me for cookie consent? What possible purpose could that cookie serve, except tracking users?
As an analogy, imagine taking a black-light to a hotel room and realizing that the room is absolutely filthy. Would you be angry at the black-light for revealing the filth to you? Or would you be angry at the hotel, for not properly cleaning up?
If cookie consent forms or GDPR compliance forms annoy you, don't blame GDPR. Blame the sites that have no regard for your privacy and make no effort to comply beyond throwing up annoying prompts.
If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.
There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.
>If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.
How about this. For the past 25 years every hotel that you checked into has kept a record of:
- How often did you visit?
- How much money did you spend?
- What type of CC do you have?
- Did you watch porn?
- If so, what is your favorite type?
- Did you pass on dietary restrictions to the chef?
- Were you alone?
- Did someone other than the person listed as your wife on FB join you for the night?
- etc... etc... etc...
And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.
Without. Your. Consent.
THIS is how the internet works today. Everyone grabs as much data as they can and then sells it to whoever wants to buy it. You have no vote in this. It just happens and it says so in weird legal terms on page 373 section 44 subsection 7a of their 700 page Terms of Service.
GDPR gives you this vote.
GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.
GDPR says: you cannot make your website / app / service unavailable if people refuse this.
GDPR says: you can ask companies how much and which data they got on you and they have to provide it.
GDPR protects you from an invisible industry many people don't even know exists.
>GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.
>GDPR says: you cannot make your website / app / service unavailable if people refuse this.
>GDPR says: you can ask companies how much and which data they got on you and they have to provide it.
>GDPR protects you from an invisible industry many people don't even know exists.
And it does it by in effect forbidding you from interacting with parties that don't follow EU mandated criteria for what needs to happen for a packet to go from A to B. I don't care about what the EU thinks is good for me, I want to interact with server X whether or not it is GDPR compliant and whether or not it's over a protocol that lends itself to this nonsense; my data is supposedly mine, so fucking let me.
I think he is referring to websites that are now blocking all EU users because of GDPR.
I'm surprised companies aren't just pulling the same move porn/alcohol websites use with age by asking the user if they are an EU citizen/in the EU and if they answer yes, send them to a static "we don't service the EU" page at which point everyone just lies so they can still access the page with the tracking.
> And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.
> Without. Your. Consent.
I'm really sure that every hotel has its terms of services. So does Facebook and every other site. What you described has always been illegal, and it has also never happened. What was sold was composed of data according to the terms of service that every person included agreed with. If agreement isn't consent, what is?
Did you read, or were you even aware of, a ToS of a hotel on use of personal data? This is entering the "local planning department in Alpha Centauri" territory.
As a regular person, you should not need to be aware of such things. What GDPR tries to do is to restore some sane defaults into the process, just like customer protection laws do.
Yes, I generally check ToS of whatever services I use, including hotels. And no, it's no "local planning department of Alpha Centauri" territory, it's available on their webpage and in paper form at the reception, usually framed and hanging on the wall. I check it to see what happens if I overstay, but skim through the whole thing.
As a regular person, if I want to use a service offered by someone, I should at least look into their terms - even with GDPR in place.
I'm not saying I disagree with you - but that's an opinion; on the other hand you said that consent was not given, which is simply not true - consent has a definition and that definition was fulfilled, the law doesn't treat ignorant people differently. If you want to say "I don't think <something> should be enough expression of consent", that's OK, say it - but don't lie.
Fair enough. I do read the regular ToS of the hotel that they frame and hang on the wall; it's usually standard stuff and not once I remember reading anything there about use of my data. It's just the usual "hotel night is from X to Y, please don't do <list of ridiculous stuff that some people apparently do in hotels>". So from your comment I assumed that there must be an extra ToS that covers use of personal data. If there is, I've never noticed it.
I don't think there are many hotels handling your personal data except for legal purposes, so they mostly don't need any data policy. So far I've encountered one that simply said that data might be shared with other branches of their company, which I'm happy about.
It sounds like you agree that forcing people to read and agree to individual portions of the ToS is not a downside of GDPR, since we should all be doing that anyway.
I don't agree nor disagree. The comment I replied to was talking about the past, and in the past, the laws were different and consent was given according to them. I deliberately didn't say if I support GDPR or not, it doesn't matter; the comment said "without your consent" which is simply not true.
Freely given consent, as per the GDPR, must be explicit and optional (even if you have consent to use the data for the service being performed). A line buried in a ToS does not comply.
My point is that you can simply change the previous comment to read:
"And then, without your freely given consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it."
No, the original point doesn't apply. Your edits make it completely different, so of course my reaction would be nonsense. "Consent" is a well defined word, and its meaning was fulfilled in the examples the comment listed - of course that would be different today.
> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.
This again, is the fault of most websites. GDPR requires opt-in for tracking, etc. A website could just, by default, not do tracking. Then provide the tracking options in the preferences. However, most sites have gotten so data hungry that they can't accept GDPR's privacy-by-default and have to bother you with pop-ups to try to get your consent to track you. Add some dark patterns, like designing these pop-up forms such that they are effectively opt-out.
I can't wait until some organization sues some big fish to send a signal that blanket data collection or using dark patterns to trick people into data collection is not an acceptable modus operandi.
Also, we as consumers of the web can also help to improve things. Contact companies and ask them to switch to opt-in (as required by the GDPR), encourage them to not collect data by default (avoiding popups), exercise your right to remove data and/or see what data is collected. If enough people request this by e-mail, companies will have to set up automated procedures (provide a webpage to see or remove data).
> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate.
You don’t have to do anything to “activate” these rights under GDPR. You can just email the website in question and ask them to send an accessible copy of your data, or remove some or all of it from their servers. GDPR simply requires companies to adhere to certain consumer demands about my own data and respond within reasonable time frames.
Also I disagree with your analogy. Companies are allowed to track users for internal purposes under GDPR. But they are not allowed to sell your data to third parties without consent. The reason all these pop ups and consent forms are so complicated has nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests.
> You don't have to do anything .... just email the website ...
Okay ... let me try this.
> TO: cnn.com
> SUBJECT: Remove my data
Okay, let's send it!
> gmail: The address "cnn.com" in the "To" field was not recognized. Please make sure that all addresses are properly formed.
Oh. I've been around the block; maybe I can try admin@ or support@ or look at whois data, or browse around their website for a "Contact us" link, and maybe I can figure out how to properly assert that I do in fact own the account in question whose data I wish to remove, assuming I even have an explicit account rather than just a tracking cookie and a "shadow" profile. But isn't the GDPR supposed to be consumer-focused? What earthly consumer is going to go through these steps?
> What earthly consumer is going to go through these steps?
I have requested the removal of my personal data from multiple businesses, and I can assure you I'm quite earth-bound. Copy-pasting a template and filling in my name and account ID is not that hard.
I'm going to go out on a limb and guess that you are a fairly technical user. My snarkiness in the previous reply was excessive, but reflected my frustration with being told that something is simple that is actually a multi-step process with questions that are not easy to find the answer to.
I guess the problem with email for this process is that you have a number of questions, all of which may not have an easy answer.
1. Identify an email address -- is this standardized? Searching "GDPR address for cnn" gives nothing, and similar more general queries yield little information.
2. Identify a template -- is there a standard one? I see a bunch of websites that claim to have them, looks like 'datarequests.org' is a good(?) one? It seems to have only a small set of sites that can be submitted. The template is incredibly verbose and it isn't clear how to request specific information; would that typically happen as part of a dialog?
3. Identify an account number/user name/verification of identity -- is there a standardized process for this? Could someone else send a request to remove my data? What is the process for this and how can I activate it?
4. Email is not a structured medium. I don't want to get into a whole conversation about this; I want to see the data about me and be able to remove bits of it.
Note that as a software developer #4 sounds kind of ridiculous to me, since user data can be represented in a variety of site-specific manners, and the existing pre-GDPR protections put in place for PII make this almost impossible. But to an end user it feels like it should be a natural thing and having to deal with a number of complex bespoke systems sounds like a pretty heavy load.
I can see the GDPR in this sense being useful for celebrities and the wealthy, who can afford managers or consultants to take this action on their behalf, but not for people like my parents, for whom even step 1 is daunting.
I'm going to guess you're a technical user :) my parents would never think to search for standardized or GDPR-specific email addresses. What they did was find some generic way to contact the company (phone number, possibly Facebook or email) and ask them "where should I send a request for you to delete my data?"
Regarding the content, they would find some template they can mostly understand, then change/add a paragraph to include whatever specifics they need.
As for verification of identity, they would not even think much about it. They would sign with their name, and of course send from their email. The company would have to reply back to ask for whatever they need to verify it properly.
> 1. Identify an email address -- is this standardized?
Interesting, wasn't that addressed by GDPR? For that reason German law requires information like this to be easily accessible, aka "Impressumspflicht". Let's compare for example Amazon footer links.
https://opt-out.eu/ is a service run by AFAIR someone on HN (spotted it today, can't find the source comment). Select a company, fill out a form, and you're done[0].
[0] - Maybe. I'm not endorsing it, I just found it today. I wish someone (maybe the author) could say something more about the validity of such process, and whether this kind of e-mail is enough in practice.
One of the authors here. Thanks for mentioning us! I personally use the service and can testify it works. Just used it last week following the Apollo breach to have them remove me from their database. The service is free and open source. Happy to answer any questions!
> If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.
This analogy doesn't work because a) the vast majority of illuminated marks aren't harmful, b) the ones that are harmful aren't revealed by a blacklight, and c) you can take a shower after you leave to deal with the gross ones.
If, however, the light revealed signs of bed bugs we would be in the right ballpark.
Because:
a) everybody should want to minimize how much they deal with bedbugs
b) if you regularly sleep in places that have bedbugs you risk bringing bedbugs along with you to the other places you go
c) because of education and time constraints, people typically do not manually inspect each and every place in a hotel room that bed bugs could be. So if hotel staff could force the user to click a dialog that says, "This hotel room uses bedbugs for the following purposes..." that would be extremely useful for public health and sanity.
This is how unintended consequences happen. Complaining how rational actors work around roadblocks has no practical effect. Who someone blames has no practical effect. The downside of looking at the intent of the law and assigning blame towards the market is that it encourages doubling down on these negative actions. Why not make popups illegal, they'll say. Why not make it illegal for you to optionally trade your data/tracking for services, they'll say. We need to keep fighting the market's misapplication of our original intent with more codified words, they'll say.
Pragmatic realizations of cause and effect are required instead of blame.
> Complaining how rational actors work around roadblocks has no practical effect.
I'm not sure I agree with the 'rational'. If you are so short-sighted as a company that your main course of action boils down to 'piss off the user' while doing everything you can to skirt the law then you deserve to suffer the longer term consequences. Rationality should operate on all time-frames simultaneously.
I very much wish incentives were aligned this way. However, as the ad tech sector has shown, consumer apathy is pervasive enough that you can push the envelope quite hard against them before the costs near the benefits. Couple that with the uncertainty of an ever-changing tech landscape (especially considering impending government interference), and optimizing for short term profits is "rational". That's "rational" about money only, morality and sustainability be damned.
Hence the GDPR, which sort of makes this go full circle. These 'rational actors' are now trying with all their might to do an end-run around the law. It is interesting to see which companies 'get it' and which really don't get it. I suspect - and hope - that five years from now or so the ones that didn't get it will either have changed tack or will no longer be around.
Although they are doing an end-run around the law, I'm not sure they are trying that hard. I suspect the law will become largely ignored (or massively paid lip service just to avoid being the tiniest rare case that is punished), and hope that alternative tech overcomes the entrenched.
Everybody has to do it, so not pissing off your users is not an advantage. The other options for them are: block EU visitors (that pisses me off even more) or go out of business (because they need the tracking to make at least some ad money from the freeloaders who want to read their content but won’t pay a dime).
Saying “just don’t track” is magical thinking. They ARE rational in doing the minimally revenue harming thing to comply in their less lucrative market.
The only ones suffering any consequences are people like us who have to click through so much crap to read something because of the bloody GDPR we didn’t ask for. (Like we didn’t ask for Netflix to have 30% of crappy EU content. That’s EU’s next disaster in the making.)
>This is how unintended consequences happen. Complaining how rational actors work around roadblocks has no practical effect. Who someone blames has no practical effect. The downside of looking at the intent of the law and assigning blame towards the market is that it encourages doubling down on these negative actions.
Bounce rates must be through the roof, especially for clickbait. I'm certain that the market has noticed and will respond to this. I strongly doubt that this persistently annoying popup situation will stick around forever.
Ultimately I'm sure some kind of technological solution will emerge - e.g. you set what level of tracking you're happy with on your browser and your browser will fill in the popups for you and report back what the website is doing.
This would only work for automatic opt-in. Why would companies that monetize your privacy stop bugging you unless you close that pop-up manually? I imagine there are a lot of people that use their browser with default settings, so there is a chance they don’t actually care about privacy.
> Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy.
What about people who had absolutely no issue with the tracking and "privacy" concerns? I don't care if advertisers target me. If I do care, I use incognito sessions. I'm happy with all the free services I get on the internet and I don't mind giving them a bit of information about myself especially since I've literally never clicked on an ad, ever, so their efforts aren't even effective.
I think there's a small minority of people who care about this stuff, they just had loud voices and the ability to push global legislation through to make everyone else's life more difficult.
I see no issue with opt-in as default (which GDPR requires). Then people can make informed decisions and choose to be tracked, while less technical and privacy-minded people don't get tracked.
I think the grandparent post does a good job describing the problem with it. It's a UX nightmare to the point where it doesn't even accomplish what it set out to accomplish.
> Good, you can opt in to tracking and profiling, if you wish.
What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet.
Perhaps we could introduce a new HTTP header X-GDPR-Consent-Granted, controlled by a checkbox in the browser, to explicitly acknowledge that yes, we know that anyone we interact with online is going to learn various things about us, some of which may be quite personal; that we accept this; and would you please just get out of the way and let us read the article we came here for already?
If the intent was that anyone can decline without any change in service they should have just declared consent irrelevant. No one wants to be accosted 50 times a day for something so trivial, and the answer is obvious—the law prohibits offering any incentive to consent, so the only reason for anyone to grant consent is that they didn't understand the question.
I think the way this would play out is that sites would attempt to only respect the header if consent is granted, and would prefer to still show the popup to those who set a header indicating to deny consent. In that case, it would be interesting to see what percentage of users are willing to trade their data in exchange for being not bothered.
I would guess though that businesses would be wary that supporting such a header would legally put them in a position to also support a deny version of it.
>"What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet."
If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.
Instead, they want to punish and irritate you into simply accepting whatever they say, in order for the popups to go away. It's completely deliberate.
They could also simply support the Do Not Track header, or a "Please Track Me" counterpart. But they won't do that, because that would make it too easy to escape data collection and profiling, and wouldn't let them annoy you into accepting their onerous terms.
> If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.
And how is that supposed to work, exactly? If you choose "deny" then they can't track you, so they can't set a cookie or save profile data! Of course you'll get the same prompt the next time you show up. At that point you're just another anonymous visitor of whom they have no prior knowledge. You have to consent before they are allowed to remember your preference.
The same issue applies if you grant consent but take your own measures to thwart tracking, such as limiting cookie lifetime. The next time you show up they don't remember you and must ask again, or else give up and assume that no one ever grants consent.
If you are already signed in to an account that is a different matter, of course, but even for the minority of sites where I would have an account signing in would generally be more trouble than dealing with the pop-up, and thus not an improvement.
> ... into accepting their onerous terms.
There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding. For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about them. For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received.
Abolish the popups entirely, move the consent forms to a voluntary options page. Implement a user profile system, so people can create a profile and opt-in to tracking and profiling through that. Turn off tracking and profiling completely for anonymous users who choose not to create a profile, or who haven't opted in.
I know there will be an outcry of "but the amount of data we would be able to gather is minuscule!", and I say that's a good thing. Companies have absolutely no right to my personal data and to infringe on my privacy, unless I explicitly grant them access to do so.
The default should be to not track and not profile and not store privacy-infringing data, unless the user has taken specific and deliberate action to allow it.
>"There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding."
They have absolutely no right to my private data, unless I specifically give them permission. They do not have any right to success, no right to a specific business model being viable forever.
>"For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about the them."
No, they do not have that right. There are very clear differences between corporations and people. Corps are not people, they do not have the same rights a person does.
>"For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received."
The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep, any PII data can only be kept if there is valid purpose. The same rules go for companies, they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you. And yes, taxation is part of the overall service government provides you too, specifically it's the payment for those services.
Facebook doesn't need to endlessly track, profile and monetize you, in order to run a social network that lets you chat with people, exchange cat videos and arrange events. Google doesn't need to endlessly track, profile and monetize you in order to provide search, email, calendars and their other services. It's perfectly fine to keep your calendar data, because that's a service they provide to you. But it is not OK for them to analyze and monetize your calendar data to target ads, unless you give them explicit consent.
> The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep, any PII data can only be kept if there is valid purpose. The same rules go for companies, they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you.
Services you personally asked them to provide to you. That's an entirely different standard. The GDPR doesn't permit companies to decide unilaterally what services they will provide and what information (much less funds) they are entitled to collect from you in order to provide those unasked-for services.
> Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy.
Actually, I think we should be annoyed at browser vendors for letting the problems with cookies get to this point. They're obsessed with backwards compatibility, but sometimes you need to break things to fix a problem.
This is one of those times. Consider, what is the greatest lever we have in this scenario? There are hundreds of thousands of companies and billions of users. Measures to change the behaviour of this huge set of people are futile.
However, there are only a handful of browsers, and the past few years they're somewhat responsive to user feedback. Browsers are our greatest lever, and the privacy solution will have to come from there. Remove cookies or neuter them significantly, like removing JS access to cookies and/or making cookies opt-in only for sites storing login info.
If necessary, add new types of concepts for gathering anonymous analytics data that's guaranteed to respect privacy, and new concepts to specifically store persistent credentials rather than general data and to which JS again has no access.
Chrome is the biggest browser by market share and is maintained by a company whose entire business model revolves around tracking users to feed them ads. They have zero incentive to remove cookies. Same goes for Safari and Edge, even though they're not as dependent on ad revenue.
This is a textbook example of negative externalities that can't be solved by market forces. That's where regulators should be stepping in.
> Chrome is the biggest browser by market share and is maintained by a company whose entire business model revolves around tracking users to feed them ads. They have zero incentive to remove cookies.
Not true. If they don't do something, legislators are going to impose hamfisted regulation like GDPR which does impact their bottom line and hampers their business.
So Google's incentives overlap somewhat with users here. It's possible there's a middle ground in this overlap where the browser includes features specifically for ad-driven content rather than relying on general data load/store mechanisms like cookies which can be easily abused for more nefarious purposes.
Although regulation specifically targeting browser vendors to develop such features would also do the job. It's a mistake to try and push this on websites though.
GDPR may affect Google's bottom line in EU markets (we are still awaiting proof as it's too early to tell). But seeing how the FCC dealt with the issue of net neutrality, I have serious doubts that they'd get anywhere near a consumer-first policy regarding Internet privacy.
Can we have this without forcing it? Ideally browsers would be extensible enough for you to build these things. I miss the document days of yore where implementing a browser would be a reasonable endeavor. And that the limited size of the choices is now seen as a benefit to enforce change is scary. Sure, some see it as a good thing, I mean look at all these features and all the places they've steered the web (e.g. HTTPS). I see it as too much bad with the good and I'm becoming wary of the non-neutrality of my browser. I'm at the point where I want them all to stand still or work backwards fixing bugs and improving what exists. When you get what you want by browsers leveraging their user share to make sites change their practices, you just have to know you fostered the environment for them to do that in places you might not want.
> like removing JS access to cookies and/or making cookies opt-in only for sites storing login info
To this point specifically, making a simple AJAX call to have my web server set and/or send me back the cookies from the HTTP headers is trivial. A browser is not going to be able to tell the purpose of the cookie, and opt-in is user hostile to the point that never-ask-me-again will become the norm.
> Ideally browsers would be extensible enough for you to build these things.
The generality of the environments available in browsers is exactly the problem: we can't tell what they're doing because opaque programs are manipulating opaque data. Making the problem tractable means restricting the ability to communicate via well-defined channels with well-defined data, possibly with specific purposes.
> opt-in is user hostile to the point that never-ask-me-again will become the norm.
You're assuming a lot. Opt-in is not blanket user hostile, it depends on the frequency and circumstances the user encounters it.
My first thought is that opt-in dialogs would be triggered only for forms with password inputs, just like it works now in browsers where users can save their passwords. The cookie is tied to that form submission only so we know its origin and uses, and all other cookies are forbidden. It doesn't strike me as user-hostile at all to then ask the user if they want to permit the site to store a persistent authentication token.
But is GDPR really making the kind of difference people wanted?
What I see, is that mostly companies continue the same behavior, but now with a disclosure you are prompted to accept.
I predicted everyone would just accept those terms in exchange for free services they already have invested into. Now we just have an extra annoyance. Has anything substantially changed?
Just a few hours ago there was an article on the front page about yet another tech giant getting hacked and losing contact info on hundreds of millions of users [1].
A GDPR in the US should have the power to audit companies and ensure compliance, just like the FDA does with health-tech companies.
On the user side you might only see the effects of GDPR in the form of cookies that were added as a quick-and-dirty solution for companies that have built an infrastructure whose revenue model requires collecting user information. On the other side, law also gives a vector for the government to step in and demand changes to companies that are fast and loose with user data.
If we'd had an effective GDPR in the US, the Equifax breach that lost everyone's social security number may have been prevented and they might have faced some kind of real repercussion when it did happen. Instead, data companies still get to privatize gains and externalize losses.
> GDPR in the US should have the power to audit companies and ensure compliance, just like the FDA
This is wanton overregulation.
All we need is strict liability for data loss. After a few years of watching cases play out in the courts, we can revisit to see if more onerous regulation is required.
I think auditing needs to be part of it too. Otherwise what's to stop companies from just never disclosing data loss? The way I understand it, right now companies intentionally don't look for data breaches so they can claim ignorance if anything comes to light.
Such exchanges are illegal under the GDPR. Consent must be freely given; if access to a service (that doesn't require that data, or that use of the data) is dependent on it, then it's not valid.
That was OP’s point. Some people, like me, want to freely accept such terms. I don’t give a damn about some cookies tracking. What I do give a damn about is making my own choices.
The entirely predictable consequence of making this trade illegal is that I can’t even access information on sites that have minuscule EU revenue, are too big to be afraid they might become a target, and can’t afford to provide me their services for nothing.
European news sites work fine without problems for Europeans.
What does one in Europe gain with reading, say, American news sites which have a mostly local (e.g. American West Coast) focus?
Sure, one may find more entertaining news in a way, and get perhaps another perspective, but I would say that this perspective is obtainable via other means. It is usually even spelled out in the news articles themselves, but perhaps not explicitly. So what does a European really lose by not being able to read, say LA Times, or a news provider from Kentucky?
Not trying to troll.
After the GDPR I noticed I was not able to read some sites. First I was a bit annoyed, then realized the links I tried to access were to some random US news sites. I realized I should be interested in more local happenings versus those in a remote place that is beyond a vast ocean. Also, I wanted to know in more detail what world events mean for me and my area, since that is where I live. And I want to avoid political paint in my news, as far as possible.
The cost of determining the tracking behavior of every dependency of every part of your web site is prohibitive. Can you be sure that every hosted font and JavaScript framework you use is hosted on a server that isn't, say, logging IP addresses? Why bother? It's much easier to just throw up a warning popup, which users universally dismiss.
I would argue that you should be able to and then follow that up as to why it's prohibitive (and what prohibitive means)?
At least on the library side, there tends to be a default-to-trust to the point where large projects put dependencies on libraries that are built by literally one-guy-with-a-github. I posit that developers should be more critical of including dependencies, and factors like "can we guarantee support" and "how do we know it doesn't have malware, both now and in the future, and who can we hold responsible if it does" should be considered for every dependency we add. As it is, I find a lot of developers will uncritically slurp in any dependency or library that saves them a bit of effort.
If the tooling isn't there to help with this problem then it should be built.
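An added illustration of the first step of the dependency audit discussed in the comments above (not code posted by anyone in this thread): list the third-party hosts a page makes the browser contact on load. The sample page, the `.example` hostnames and the rule that subdomains of the page's host count as first-party are constructed assumptions; a real tool would compare registrable domains using the Public Suffix List.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a resource, per tag.
FETCH_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}
# <link rel=...> values that cause a request or connection on page load.
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "dns-prefetch", "icon", "modulepreload"}
# url(...) and @import "..." references inside CSS.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)


class ResourceCollector(HTMLParser):
    """Collects (kind, absolute_url) for everything fetched on load."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.in_style = False
        self.found = []

    def _add(self, kind, raw):
        raw = (raw or "").strip()
        if raw and not raw.startswith(("data:", "javascript:", "#")):
            self.found.append((kind, urljoin(self.page_url, raw)))

    def _css(self, css, kind):
        for m in CSS_URL.finditer(css):
            self._add(kind, m.group(1) or m.group(2))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # e.g. rel=canonical is metadata, not a fetch
        for name in FETCH_ATTRS.get(tag, ()):
            self._add(tag, a.get(name))
        if a.get("style"):
            self._css(a["style"], "inline-style")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self._css(data, "style")


def is_first_party(host, site_host):
    # Assumption: the page's host and its subdomains are first-party.
    return host == site_host or host.endswith("." + site_host)


def third_party_hosts(html, page_url):
    """Map each third-party host to the kinds of element that load from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    site_host = urlsplit(page_url).hostname
    report = defaultdict(set)
    for kind, url in collector.found:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if not is_first_party(parts.hostname, site_host):
            report[parts.hostname].add(kind)
    return {host: sorted(kinds) for host, kinds in sorted(report.items())}


# Constructed sample page; every hostname is a placeholder.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.cdn.example">
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=Inter">
<link rel="canonical" href="https://other.example/original">
<link rel="stylesheet" href="/static/site.css">
<style>
@import "https://theme.example/base.css";
body { background: url(//img.cdn.example/bg.png); }
</style>
<script src="https://js.cdn.example/framework.min.js"></script>
<script src="https://static.blog.example/app.js"></script>
</head><body>
<a href="https://news.example/story">a plain link, not fetched on load</a>
<img src="https://pixel.tracker.example/1x1.gif?page=1"
     style="background: url('data:image/png;base64,AAAA')">
<iframe src="https://video.example/embed/42"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, kinds in third_party_hosts(SAMPLE_PAGE, "https://blog.example/post/1").items():
        print(f"{host:25} loaded via {', '.join(kinds)}")
```

This only covers static markup; resources injected by scripts at runtime, and what each host does with the requests it receives, still have to be checked separately.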
Most of these sites do have high regard for your privacy. It's not all for ads. Much of it is just for tracking logins and preferences, but warnings for that are required now too.
In most circumstances, I would expect things like logins to fall under the 'legitimate interests' basis rather than the 'consent' basis, and interestingly, if login is required to provide service it shouldn't fall under consent anyway.
I think the majority of the consent popups I've seen do not in fact comply with my reading of the GDPR. It's strange, but apparently people don't read the legislation or guidance before making these changes to their sites.
I don't really care where my annoyance is aimed, I just don't want to be annoyed. All websites use cookies to track users. In this context getting consent is noise.
Your comment is being downvoted because you're just rambling like an old man grumpy about kids on his lawn. Not a single shred of evidence, or even an attempt at making an actual reasoned point.
Every time there's comments like this I can't help but think I'd be extremely surprised if the people writing them knew any of the names of the people who worked on the law.
I wonder what you even define as "having an idea what you're doing".
Whether it was poorly drafted legislation remains to be seen. The "unintended consequences" people are talking about here are minor, what matters are the intended consequences such as the augmented rights Europeans have over their data, their privacy, etc. I personally don't give a shit about the annoying cookie popups, I'm just glad I can finally delete my account and email address from various websites when I want them gone.
GDPR has given me a ton of rights over my data that I should have, and everybody should have. It has given me access to my own data. It has given me the power to delete it. This shit is important, and now it's law. That there's cookie popups because the companies in question suck? I don't care. If it makes you close the page, that's a positive side effect IMO. This shit must be bad for conversion in order for businesses to start getting a clue. It's a version of the "tax on privacy" that a lot of people on HN like talking about.
Regarding #2, I dispute that for the same reasons. GDPR is achieving its goals of securing user data in Europe. Companies are scared straight into following it so far.
There are issues with it (especially a lack of compliance material). None of them point to "the authors had no idea what they were doing".
In other words, no, GP isn't "right" just because you have to click off some annoying popups. That's not the only thing GDPR does.
Edit: Lacking replies, I'm going to assume those downvoting this comment are the usual no-privacy-apologists who are annoyed they now have to put legalese in front of users and don't ask themselves why they have to.
I agree with you that an important and useful part of the GDPR is deletion of your data. Good examples: No advertising and spam. Prevention of later hacking and theft of your data like e.g. credit card numbers or private messages. You have revealed your true identity on social media and want to remove your posts.
But maybe GDPR gives a false sense of safety and security and control:
- What is technically possible? When I cite you, must my posts be deleted as well?
- Who controls what companies do outside of the EU or even within the EU?
- National police and secret services in the USA and EU might be more interested in the data than some US company. They have no moral problem with installing spyware on your computer.
- Banks and maybe even insurance companies have already the right to know much about you.
IANAL so I can't address most of your questions, but
> When I cite you, must my posts be deleted as well?
You mean for comments and such? What I write on a site's comment section falls under copyright law, with the usual attribution reservations etc. So no.
> Banks and maybe even insurance companies have already the right to know much about you.
I shouldn't have used the word "privacy" in my comment. I think calling GDPR a privacy law is a shortcut a lot of people take (myself included), but it really is a data protection law. (It's even in the name!)
GDPR doesn't talk about privacy very much. In fact, I just searched the full English text of the law: There isn't a single instance of the word "privacy".
In other words, it doesn't so much say who can and cannot store and analyze your data. Instead, it lays out your responsibilities if you are storing/analyzing personal data, and your (consumer) rights as someone whose data is stored/analyzed somewhere.
I was attacking the contents of the comment, not the person. As for ignorance, I usually give the benefit of the doubt, but I've seen enough of those types of comments regarding GDPR that I'm cynical. They're almost always from non-EU business owners annoyed at having to suddenly comply to EU laws, or business owners in general annoyed at having to care about privacy (where they didn't before).
Uninformed consumers who think GDPR is a cookie law also exist, but they're not HN's usual audience.
Edit: A quick stroll through scoom's comments reveals a nauseatingly unsurprising picture. I'm so very shocked.
The fact that companies can simply continue what they have always been doing “but with pop ups” is evidence that the GDPR did not go far enough.
Also, still waiting for the first major company-wrecking GDPR fine everyone was losing their minds over... any day now. There are doubtless plenty of companies still in violation.
It's pretty much having the same impact as California Prop 65, which requires warning signs about "chemicals known to the State of California to cause cancer and birth defects or other reproductive harm" to be displayed wherever you may come into contact with them.
Of course, the state of "what the State of California knows" changes every few days, and there's no penalty for being proactive and posting your signs without actually verifying that one of the ~800 chemicals exists on your property. So every business just places a warning sign anyway, and consumers ignore the signs.
As others have said, you should direct your anger towards every company showing you a GDPR popup. The more complex it is, the more they're trying to fuck with you, and the more they did fuck with you in the past.
I know it's too much to ask, and I'm happy the GDPR went through as it is, but I wish EU could nudge browsers to centralize cookie and GDPR consent forms. Both to fix the UX (a standard browser interface would be much better than most of the popups out there), and to enable me to select "decline everything" once and for all, and never be bugged by it again.
Yeah I don't want to sit down with the digital form of someone's lawyers each time I visit a site, and if I have to I imagine I and others all just click away to get the dang content already.
The way GDPR works out it sort of expects us to care to follow this annoying process, and I don't think people do / want to and thus ultimately won't make good choices.
GDPR demands users engage in the process on the web in a very particular way. As far as that goes I suspect it will fail on that aspect.
I find it fascinating how people blame the solution while it's the symptom that bothers them and they don't even notice the disease.
GDPR isn't only related to internet services. I received a phone call today from my mobile operator, they got bought by a larger company and it was a sales call. However, they were asking to speak to the person in charge in regards to company-wide mobile subscription and services - we use none.
What was disturbing is that I was contacted on my private phone number in regards to a sales call related to the company I work at.
The details I left when buying their mobile service (which was 20 years ago) don't contain where I work at. I didn't work at all at the time, but I kept paying for the service.
I didn't update my account details so I found it a huge surprise when they knew exactly who to call and on what number.
Being an EU citizen, I went GDPR on them. I don't want people to call my personal number and disturb me in my own free time with sales calls in regards to my company. How did they get my details? Who authorized them to contact me? I've many questions and luckily - now I have legal backing when asking them to anonymize my data.
I think people get too tied up in the problem (and I agree it is a problem) that they just dismiss the flaws with GDPR.
I really think (like the one I describe) that for many cases GDPR isn't going to have the desired effect, if the result is that we have to sit through notices on every site and click away to get through them.
> The way GDPR works out it sort of expects us to care to follow this annoying process, and I don't think people do / want to and thus ultimately won't make good choices.
This is simply false. GDPR only allows opt-in for these choices, companies are just implementing GDPR incorrectly.
I keep seeing this response but I've seen no articles about the EU laying down the law and punishing these so blatantly obvious infractions. So either companies are not implementing it incorrectly or the GDPR has no teeth. The EU needs to act on these bad actors sooner than later if they want people to actually respect the spirit of the law.
Enforcement is only still starting up. Officially as of May this year, with the possibility of handing out fines for violations up to two years back from that date.
I really hope it doesn't take the EU over 4 full months to prove a cookie banner is in violation. That seems like a straightforward infraction if the way people have interpreted the law is accurate.
> Is there something that we gained to make me feel better next time I am annoyed with all the popups?
Hopefully you'll choose not to use those sites.
For the first couple of months, I clicked all the "manage my choices" buttons. I felt the pain, but decided it was worth it. Then I discovered that for many sites, I would have had to enable 3rd party cookies in order for the choices to stick. That made me realise that I simply didn't want the marketers to even know that I didn't want them to track me; that I didn't want to enable the malpractice of companies that hadn't offered me the choice to disable their options; that I wasn't prepared to rely on the devs behind those dialogs to implement the design implied.
So now, I just close the tab and read something else. My hope is that others make similar choices.
I don't see any such things. What I got is many emails when GDPR started and companies asked me to click a link so that they can keep my data and emails saying that they changed privacy. I didn't click any of those links.
BTW I use ad blocker and that hides many nonsense. Even before GDPR there were too many of these dickbars[1] everywhere and I'm annoyed at those. Every site has those subscribe to email popup and other dickbars floating around.
So GDPR didn't make things worse like you say. Although the internet has become worse with tracking everywhere and stupid designs making us suffer.
I usually browse the web from within the EU, and I have really begun to mentally filter out the popups because there's just so darn many, but on a recent trip back to the US, the difference was remarkable. Visits to commonly used sites like SourceForge or Washington Post were suddenly just seamless, and on some other sites I was no longer even searching around for the obnoxious cookie warning so that my screen didn't feel so cluttered.
I can’t agree more. The popups are insanely stupid, frustrating, and a usability and design disaster. I would adamantly oppose any US regulation that could lead to something similar here.
That’s just the tip of the iceberg of the problems with GDPR. Watch as the enforcement side becomes selectively weaponized as a political tool against unpopular sites and the other shoe will have dropped.
GDPR is a regulatory bandaid to a technical problem. That geeks are calling for more regulation to fix their own failings to design privacy resilient network protocols and decentralized software which truly and actually puts users in control of their own data, is shameful.
It’s a common trope that users don’t care enough to seek out and use privacy enhancing and protecting solutions. I think that’s a load of crap. The current solutions are alpha quality and are not ready for general use. But the technology will improve and I am convinced they will destroy the competition when they get there.
It's much too early to understand any of the effects of the GDPR yet. We'll need to see some case history before we can even understand what companies will be penalized for, or how they can come into compliance.
It might not be necessary, or even compliant, to notify and gather consent for cookies via popup. This is just something that many web site operators are assuming will bring them into compliance, but there's no way to know that yet. Just like there's no way to know if you'll still be clicking through cookie prompts 5 years from now once we have a few GDPR test cases.
This is my biggest problem with GDPR. No one knows how to comply with the rules, because the rules won't be understood until someone gets punished for violating them. Good intentions, imho, do not make for good laws.
> The practical effect of GDPR seems to me that I have to click away about half a dozen consent popups every day. Sometimes a cookie warning in addition to that.
At this point I just want those consent forms to be standardized via ARIA tags or whatever so that some extension can click the "yea, sure, whatever" button for me.
That would be fine. But honestly I do the opposite. If I start seeing popups and prompts I just close the tab and move on. The internet is too big and your content just isn't that special.
Me too. So that I could click the "reject all" button, having also marked the "save as default preference" checkbox, and be done with it forever.
Integration of legalese into browsers should have been done a long time ago (another useful thing would be a "ToS" button in the address bar, so you don't have to go hunting for ToS and privacy statements, and read them in whatever painful CSS flavouring the site uses).
I believe this is more due to lack of enforcement of the GDPR. The dark UX patterns you mention are not technically legal. There are numerous stipulations about how the consent must be freely given, simple and concise, opt-in, withdrawable, etc.
I think an equivalent of the GDPR becoming US law would go a long way to improving the problems of enforceability.
You say they are not legal, but then list all the requirements that they do comply with. That’s precisely why they are popups before first interaction, ask you to opt in (or not) and spend half a screen ( but not 50 pages) explaining themselves - concise yet clear and exhaustively explanatory as required.
Most services I've seen set tracking to the maximum by default, then present the user with an "OK, accept everything" and a less obvious "more options", where they must disable numerous default-on tracking options. That's opt-out, not opt-in, hardly simple or concise.
There are also plenty which simply say: accept our tracking or you can't use the service. Which is plainly in breach of Ch. 2 Art. 7.4 of the GDPR.
I have started using https://www.i-dont-care-about-cookies.eu (along with uBlock Origin and Cookie AutoDelete) for this reason. It just gets rid of as many of those dialogues as possible, haven't seen one in a month.
This should be temporary as it shows (IMO) an extreme misunderstanding of the GDPR:
- by default they are not allowed to collect more data than strictly necessary.
- additional collection must be opt-in, and there can be no punishment for not opting in.
- showing these dialogs that are opt-out seems like a way to beg for a fine: "We hereby declare to all our visitors that by default we collect way more information than we are allowed to."
But the windows aren’t opt-out (that would actually provide better UX if you don’t care, see cookie banners).
They are annoying precisely because they do comply and require explicit opt-in into tracking. In other words, they ask you to make your choice as the first interaction.
By default, they collect nothing - and immediately show the form. You are not punished for opting out and can continue the same way as those opting in.
But everybody is annoyed by being asked. Regulators perhaps expected this to be some setting hidden somewhere, but that’s so incompatible with free content business models that it was clear that won’t happen. This is the compliant consequence.
Interesting and well written, you made me think, thanks.
I do not think it is that easy to fool seasoned regulators the second time though (the first time being the cookie law).
Also:
> but that’s so incompatible with free content business models that it was clear that won’t happen.
There is no reason why they need to track me around the web to serve ads.
In fact, given the recent accuracy of the biggest actor in that space I'd argue that you'd do significantly better in many cases by using contextual ads.
I agree that these are real negative effects of GDPR. However, the concrete design of these pop-ups is mostly not GDPR-compliant: for example, users not agreeing to being tracked must not be disadvantaged, and having to click through a cumbersome array of options is certainly a disadvantage. At least for European web sites, the authorities will hopefully take action after a while, and then these bad practices will stop.
In addition, this is a bit like fire safety regulations. Sure, they are very annoying. All of us probably have experienced the empty battery beep of a smoke sensor in the middle of the night, and many have experienced a false alarm. That's the price you pay for lowering a significant risk.
Wait a few years, and you will see significantly lower risks of your data being collected and distributed without your consent.
I'd like to add that the GDPR is truly disruptive, and it will probably take a few 'product iterations' to get it perfectly right. That alone would be a reason to wait a bit and learn from experiences before rolling such regulations out everywhere. (I'm saying this as an EU citizen)
I don’t get the disadvantage comment: everyone gets the popup crap, whether you say no or yes. Maybe I visit different sites, maybe I don’t notice because I reflexively click the closest button? In any case, the disadvantaging language is hardly meant that way: it’s about withdrawing actual content or features from you.
We have waited a few years with cookies law and nothing changed. Unless some browser based fix takes place, this degradation of web is staying with us.
The way it is supposed to work is you are supposed to be able to visit the site and get the same experience whether or not you accept the popup and ridiculous opt-out dark patterns. So declining should not disadvantage you.
Most of these pop ups appear to go against both the spirit and letter of the law, so will hopefully see some regulator response. Now whether regulators have enough budget to respond to all the wilful evasion remains to be seen.
GDPR has learned from the cookies law:
- you cannot 'comply' by forcing the user to accept
- better enforcement options (of course only when the site provider is under EU jurisdiction)
The jury is still out, but it is only a few months since GDPR is in place.
What we are experiencing is years and years of web development with zero thought around user privacy and how it actually could be a nice, safe experience that also protects the user from mostly selfish corporate interests.
> Am I expected to look at every one of those dialogs and figure out what I have to click to "customize" my tracking?
Most of the sites you're talking about are probably in violation of the GDPR. They're hoping that by adding a big notice telling you about their violations they'll be OK. We'll have to see. But there should be a "Refuse" option that's just as prominent as the "Accept" option.
Same here. Not sure what goes behind the scenes but I have to click on "accept" to remove the pop-up window. So far worse for me, unless, there's something I don't know.
Yes that's what is most annoying that many companies by default assume opt-in to their spying activity, despite GDPR regulation saying that all consents should be opt-out by default. As a result, after clicking on 21 pop-up and opting out suddenly I notice that I stop caring... so in this area it seems GDPR is effectively dead regulation.
Something might have changed here recently; the past couple of days I noticed all GDPR popups I get have "reject" set as default for everything in the "Details" view. Unfortunately, they don't communicate this on the initial view, so I still need to review the details before continuing.
1. Private Browsing, separate sessions in web previews, etc. are all somewhat less privacy protecting than you'd hope (IP tracking[A], browser fingerprinting, etc.). The GDPR mandates that companies ask you about tracking before they do it. Those notices are a sign that they're trying to do that.
2. I do work in the tech, marketing and security arenas and the GDPR was like kicking a beehive. Everyone at least looked around and asked themselves: "Do we really need to keep this data?" and in many/most cases the answer was: "No". So they got rid of it.
The GDPR is a lot like a vaccine, the power is in the prevention. Which won't make splashy headlines, nobody is going to write: "A million records weren't leaked today b/c they were deleted off the server 6 months ago as they weren't needed."
A - every time GDPR comes up on HN, someone complains about IPs (either that it doesn't matter and/or that their Apache log file is full of them, so why bother). GDPR regs focus on what data a company is collecting, how are they using that data and did they get consent for that. In the case of IPs, you can consider implicit consent b/c they're browsing your site. But you did _not_ consent to have your IP tracked as part of a 3rd party marketplace for retargeting ads.
That is illegal under GDPR. I’ve yet to see it. The only dark pattern I’ve seen mentioned is “agree” and “fine tune the settings” (with rejecting all as level 2).
TL;DR yes, yes you do; the sites have to ask for explicit content, and that's the patterns they use to give you (or, the EU) what you/they want (fine-grained control over what they can use your data for). In practice, it's not something people care about because they just want to get to the content and don't care about the cost. The EU / GDPR and internet rights activists care for your sake.
Of course, these fine grained access controls are also a dark pattern, make it annoying and look difficult just so you consent. There's even a few out there that take a minute with a spinner going "Please wait, storing your preferences..." even if just hitting "accept" is instant. As is "cancel". Dark patterns.
Somehow, I feel like the old, unregulated internet was better. I wonder if that is just nostalgia or there is something to it.
With an unregulated internet, any internet user has to take care of their own privacy and anonymity. Barriers for entry for new websites and services are very low. Data breaches and abuses of data can lead to users being concerned about giving their data to tech monopolies, which can enable competition.
Regulations like GDPR arguably make users complacent and lowers their guard, as well as strengthens the tech monopolies by adding to their moats. Would Facebook have been able to displace Myspace in the current environment? Or Google displace Yahoo?
The internet was doing fine for decades with minimal involvement from governments - why change things?
The internet of old was something better. Of course it was, it was full of techies, scientists and hobbyists having absurdly involved discussions on Usenet and IRC. That was before Eternal September and the rampant commercialisation, tracking and grabbing all the data possible as often as possible.
The earliest years of commercialisation were pretty good too - hundreds of small sites, all trying really hard, but all with terrible site design. :) The worst that adtech could yet come up with was an ugly animated gif and a little flash - which was super easy to block.
"Regulations like GDPR arguably make users complacent and lowers their guard"
What guard? How does a non IT expert envisage the ways that harvested data impacts their lives? Or the countless ways it can be connected up with other sources until it becomes pervasive? How are they meant to know that the news article they read has 15 different trackers on it along with the ads, or the reason some creepy retargeting ad turns up later in the day as though it knew what they were thinking?
Sometimes I wonder if _I_ know enough to take care adequately, and I've been online since before the www.
Now add the dark patterns and misinformation to completely misrepresent what most of these sites are doing with that data. Some of the big names excel at this.
"why change things?"
Facebook, Google, Microsoft and a hundred others got so greedy about data and tracking that the overreach was impossible to ignore. If GDPR wasn't already in progress, Cambridge Analytica and similar stories would have ensured it would get a reaction soon. Probably a worse reaction.
> Somehow, I feel like the old, unregulated internet was better. I wonder if that is just nostalgia or there is something to it.
> With an unregulated internet, any internet user has to take care of their own privacy and anonymity. Barriers for entry for new websites and services are very low. Data breaches and abuses of data can lead to users being concerned about giving their data to tech monopolies, which can enable competition.
How is this the 'old internet' and not still the current internet? With exception maybe to the EU with GDPR now, this is what the internet is: everyone has to take care of their own privacy and anonymity.
Barriers for entry for new websites and services are lower than they've ever been. You don't even need your own hardware, just rent it.
> Regulations like GDPR arguably make users complacent and lowers their guard,
So according to this theory, people living outside GDPR territory, like the US, are less complacent regarding their data?
Do you really think the _average_ American is less complacent than the average European? I hardly think so.
> The internet was doing fine for decades with minimal involvement from governments - why change things?
The internet was literally built by government(s).
Why Change things? Because we are now finding out people are building massive databases with personal information, bought from small, medium and bigger websites who happily sold it without telling users they did.
GDPR prevents this.
How can I be 'less complacent' and 'have my guard up' if I don't even know that companies sell my data behind my back?
> How can I be 'less complacent' and 'have my guard up' if I don't even know that companies sell my data behind my back?
By assuming they will, and taking steps to not provide your data to all and sundry. At the end of the day, companies can sell your data because they have it.
> By assuming they will, and taking steps to not provide your data to all and sundry. At the end of the day, companies can sell your data because they have it.
Okay I now assume that all companies will harvest as much data as they can. I will now take steps to prevent this.
I am now offline and there is no way to know if they do.
> Okay I now assume that all companies will harvest as much data as they can.
You say harvest, as if they are taking something. The reality is, people always gave the data. The companies just kept what was freely given. It's a bit hypocritical if I get upset that you keep something I gave you. The reality is, the problem wasn't with the users who gave the data, or the companies who kept what was given, but rather the people who made it possible to do it so easily in the first place. Browser makers share the majority of this responsibility. We look to them to create secure browsers that can't be hacked, but completely ignore the fact that they created browsers that are easily tracked. And then we adopt Chrome, a browser made by a company built on tracking.
And I find it funny that Brendan Eich's creation is probably the biggest reason we are in this situation in the first place.
People - not the ones here on HN - have no clue what they 'give' away. They also have no clue how often small companies, indie game devs etc make a living by selling said information that was 'given' to them.
These data aggregators can build profiles on people by buying data from as many sources as possible.
How is the average user supposed to know this happens on the background when they load www.nytimes.com? How are they supposed to know that those flashy banners contain entire programs designed to track them?
How should the average user know that the ad banners on acb.com are the same as on xyz.com?
How should the average user know that a FB button on every website also tracks you? As does G+ button, as does Twitter etc...
How are regular users supposed to know how much data they produce online?
Honestly it even scares me to see how much JS is loaded on average websites. Just for tracking, just for profile building.
Right, and the logical conclusion of this is to stop interacting with companies. Any companies. All companies. Always. Because they are all doing it to an offensive degree. GM want to know where your car has been, and what radio stations you listen to. Facebook want everything, Google have everything. The pretty light bulb you bought is both a privacy risk and an attack vector.
Phone apps want to know your location all the time, Google maps constantly nags you to enable constant location tracking. Every other app has dark patterns to accidentally get the land grab on every mis-click, like Facebook's "Accept", "not yet" and no is buried many clicks deep in a new set of check boxes in some 8th level settings page.
Presumably if I had made my career in a different field like medicine or plumbing you would expect me to "educate" myself enough about IT to understand the real implications too, and the ways the tables can be joined. The genius who tunes your classic car should be learning advanced Wireshark to understand the complete fucking liberties and data mugging the weather app his friend recommended is taking multiple times daily.
It doesn't occur to you that this is ever so slightly asymmetric? Each individual should "take steps" whilst single-handedly going up against the combined might of regulation-free corporate America, where we learn everything can be sold and probably already has been. So what steps if it's not "go live in a cave and buy nothing made since 1999"?
Next week how Vatican City can successfully invade Russia and USA at the same time.
I was thinking more along the lines of don't post stuff online you don't want anyone to know, but sure you could make a whole big deal arguing against a straw man too if that's your bag. There's also some fundamental industry practices that want changing but if you want to do anything more practical than stomping your feet, avoiding posting personal info is a good start.
> The internet used to be accessed by highly sophisticated and technical users.
Quaint but that's simply not true unless you're talking pre 90's. No point in kidding ourselves.
The internet was accessed by people who accessed the internet.
They popped a floppy/cd in a drive and followed instructions. They then opened a browser and typed a url.
Nothing sophisticated about it.
Nobody was creating electrical signals by hand and sending them down a home made wire.
> Nobody was creating electrical signals by hand and sending them down a home made wire.
I think we're talking about completely different levels of sophistication.
You're talking about electrical engineers vs regular users, I'm talking about levels of functional literacy... Don't forget that the average Joe/Jane has a level of functional literacy of somewhere around mid to late secondary school.
The earliest internet adopters were universities (so an entirely different level of education) and after that it was middle or upper class people who could afford a PC and an internet connection plus had the interest in doing so, considering that PCs until Windows 95 were either too expensive or not very user friendly.
The current internet, thanks to mobile devices and cheap, ubiquitous internet access, is truly accessible universally.
It wasn't wealth, it was interest. There was a period where the Internet (or PCs in general) were more of a curiosity than anything else, and you had to have some motivation to jump over the complexities of operating a computer and going on-line (not to mention some motivation to buy a PC/get your parents to do it). It served as a natural quality filter for a while.
Nowadays, the vast, vast, vast majority of Internet users don't have the necessary background knowledge to understand how to protect their privacy online, and the people who do have that knowledge tend to concentrate into organizations that have a lot of financial incentive not to respect others' privacy.
> With an unregulated internet, any internet user has to take care of their own privacy and anonymity.
Not really, because much of the information data brokers have about you comes from other people. Oh, your mom gave LinkedIn access to her contact list? Now they’ve got your phone number, mailing address, email address, a contact photo for facial recognition, and lord knows what else.
Oh, your friend and confidant gave an app access to their text messages and email? Great, some data broker now has a copy of every email and text message sent between you. Hope there wasn’t anything private in there.
The argument that you can somehow protect your own privacy on the internet rings hollow when it’s invaded without any action on your part.
> any internet user has to take care of their own privacy and anonymity.
Easy to say, hard in practice when there's some really dodgy shit going on and given that most people don't actually (want to) dive into the subject, this isn't something that can apply to the modern age.
I mean while I agree, you postulate some libertarian ideal - freedom for all on the internet. And while I agree, there's some scummy companies that take liberties with that - and when they have a data leak, it's your information that's out there, despite your own protection.
I mean you could advise people to use an adblocker, but when said adblockers are exploited (so that advertisers can be unblocked if they pay a fee, mafia-like schemes), or when the creator takes the money and hands over the code and effectively a silently-auto-updating backdoor into the user's machine, they're fucked - not because of your best intentions, not because of their ignorance, but because of something outside of their control.
When there's a big government with the power to shut down companies looming over there telling people to not allow said breaches in the first place, you'll be better off.
My main concern is that the big government will be used by big corporations with massive compliance and legal departments to shut down any emerging competition that refuses to be bought out.
The internet was fine before adtech and data hoarders. I don't know why you think this is the fault of the government. New things pop up and we need regulations to protect citizens.
So then, one can advocate against the use of social media in general or Facebook in particular, (ironically) run targeted ads on these platforms to educate the users, etc.
In truth, I think social media as we know it is on the way out anyway. The new generation will rebel against it, and might go back to writing hand-written letters to each other for all I know. I feel like giving these companies all this attention and treating them as "the new utilities" that are forever to stay here and must be regulated also psychologically cements their position as such.
It's funny, I was listening to the Hanselminutes, and in a recent episode, his guest (a lawyer) was underlining that the US partially created the current situation where its companies are currently at a loss in front of GDPR: by refusing to take the lead on data privacy issues, the US didn't have a framework for privacy laws, and couldn't negotiate a convergence of laws with the EU (I'm paraphrasing).
While I haven't listened to your linked episode, 'privacy laws' by definition come into direct conflict with the 1st amendment (i.e. free speech) to the U.S Constitution.
I admit I'm not an American citizen, and have never actually stepped foot on American soil, but I do see the "first amendment" and "free speech" arguments being trotted out for almost anything that involves communication between two parties being restricted. This, in my experience has been common in (privately owned) web forums when an American user is banned for misbehaviour, or rules are changed to prohibit certain types of content or speech on those forums.
The text of the amendment, as I'm sure you're aware, reads as follows:
> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
I admit I fail to see how this prohibits introducing a law preventing an organisation from collecting data from individuals without them explicitly opting in to it.
I'm also not an American, so I might miss subtle cultural context, but I would also be astonished to learn that the first amendment is absolute. There must be at least provisions that limit speech that would harm others, as [1] suggests (child pornography, fighting words,...).
The EU (you might be surprised to learn) also recognises the freedom of speech (in fact it's a universal human right, see [2] article 19). However, this does not mean GDPR is not valid law, just as I have a hard time understanding how the first amendment would prohibit privacy laws to exist.
I would prefer starting small and cautiously scaling up. “If you lose my data, you are strictly liable” is a good start because it lets case law work through the holes. (It also causes companies to see personal data as an asset and a liability, not just the former.)
Full-blown GDPR is overkill. It makes more sense to wait a few years and see if the situation in Europe evolves differently from the U.S. I personally believe the law fails to incentivise the sort of behaviour it aspires to, but that’s merely a hunch—better to wait until we have data.
I agree with the sentiment of starting small, but your example of strict liability might be starting too strong. Personally, I would start with a lower mens rea. Maybe I see the situation differently, but I believe most of the subjects covered by GDPR are distinguishable from areas of law such as, e.g., products liability, that utilize strict liability.
That’s disingenuous. I’m saying this is the time to talk about data. But instead of coming out of the gate with a gargantuan salvo of complicated, expensive and unpredictable regulation, let’s start small and work gradually.
1) I don't agree. I prefer to have GDPR in Europe, no GDPR in the USA, and see which turns out to be better for human rights. I suspect that GDPR will very soon start to be used by corrupt politicians and other criminals who want "to be forgotten" for their misdeeds (ie, censor us when we want to remind the public).
2) I can't help but notice that GDPR is a great idea for Brave / BAT. And look: I'm long on BAT (I'm not wealthy enough to be a whale or anything, but I bought a small amount in the very early days). But this seems self-interested to me, rather than an assessment of the proper course for American politics.
Eich admits this in part, of course, saying early in the letter that "I view the General Data Protection Regulation (GDPR) as a great leveller. The GDPR establishes the conditions that can allow young, innovative companies like Brave to flourish."
But he also says "The enormous growth of ad-blocking by people across the globe (to 615 million active devices by late 2017) proves the terrible cost of inadequately regulating the tracking-based advertising system."
Does it? It seems to me that people are working to find ways to improve their lives, and that they'll keep doing so to the chagrin of the internet behemoths absent any "regulation". In other words, the state is not needed to make this phenomenon regular - it's already quite regular and becoming more so.
Let Brave and Chrome fight it out and the best (not the most politically expedient) one win. For now, I'm using Firefox.
> GDPR will very soon start to be used by corrupt politicians and other criminals who want "to be forgotten" for their misdeeds
GDPR isn't the right to be forgotten, it's mainly about ownership of customer data, consent & privacy. You can have a look at this developer guide: https://techblog.bozho.net/gdpr-practical-guide-developers/ for what it means as a developer.
I'm aware of this article, it's only for personal data (and especially targeted against data leaks & data gathering in its wording), you can't take off an article of the BBC with that. It's nothing like the French law about the Right to be forgotten.
There are experts on this topic who have this exact view of the "right to be forgotten" elements of this article. I'm literally at CANS in Naples right now and someone spoke on this subject yesterday.
I don't see anything about it that makes it "especially targeted against data leaks". It offers protections for free speech without being specific about what that means or how it is balanced.
Of course it's not the same as the French Law, but it's still a vector for threatening legal action against someone who wants to maintain and publish facts about an individual.
There was substantial hullabaloo about this here yesterday.
I mean, look, I'm a US national, so my knowledge is limited. But I've spent time in Europe and talked to many people (again, including some leading thinkers and European activists) and I'm telling you, without a shred of a doubt, that this concern exists here.
As with every law, we will see how it's actually used in practice, but in my case I did not have many doubts about how it's supposed to be applied; I never understood it as an equivalent of the French one. For me, one of the goals here is when you delete your Facebook account, the data is actually deleted unlike what probably happens now.
There's been public analysis of the right to be forgotten. A few good reads: A summary article from NPR [1] and a research paper with a lot more details [2].
Ironically, I want an ad-blocker that hides all GDPR consent popovers, cookie warnings, etc. They are constant annoyance, especially on mobile. Also a browser that automatically uses a VPN when an American news site blocks European IPs.
Cookie "warnings" and forced "consent" popups (with no or difficult opt-out) are not GDPR compliant. GDPR mandates that all tracking and related bullshit should be opt-in. So the annoyance isn't the GDPR, it's the lack of enforcement of it that allows shit websites to get away with not being compliant.
That would be fantastic, at least for sites that comply with the GDPR - they don't get to bug me, and since I also don't explicitly opt-in, they also don't get to track me.
> It seems to me that people are working to find ways to improve their lives, and that they'll keep doing so to the chagrin of the internet behemoths absent any "regulation"
I'd agree with you if ad & tracking blocking was mainstream, or even better, built into major browsers & operating systems and enabled by default. We are not there yet (and might never be since a major OS developer - Google - has a vested interest in keeping the cancer that is called advertising alive) so we need regulation.
In these conversations "advertising" is a very loaded term, not all advertising is tracking, not all advertising is invasive and not all advertising is served by shady clickbait companies.
With a little stretch even a review of a movie or a game is advertising. The GDPR might push toward a more sustainable advertising model and honestly I cannot see anything negative in that.
(also not all advertising is fake news and product discovery is a hard problem for both sellers and buyers)
Not all advertising is tracking and clickbait, but in general it is still a cancer on the Internet, and on modern society. The world is oversaturated with advertising, and we're all forced to look at it everywhere, day in, day out. Advertising is eating an absurd amount of resources directly and indirectly (through support industries - from graphics design to printing, transportation and distribution), mostly to shift the split of a fixed pie of customers, in what's pretty much a fractal of zero sum games.
> I'd agree with you if ad & tracking blocking was mainstream
But isn't Eich making the argument that it is mainstream? That's the whole reason I'm quoting him here.
Which is it?
Is Eich correct that the "enormous growth of ad-blocking by people across the globe" is evidence of some desire on the part of a global community to fight back on the ability of internet giants to track us?
If so, isn't this evidence that this phenomenon is already "regular" without needing any further "regulation" by the state?
If legislation is really required, and I'm not convinced it is, can we start small? This stuff never gets rolled back and tech companies' use of personal data is the new terrorism.
Again I'll take none, but if this ridiculous fervor that's been built requires something, how about not-tech-specific rules around data sharing transparency? Just require details on what's shared and with whom for those seeking it (ideally companies publish it to prevent requiring individual request/response scaling issues, but their choice). You're gonna find most people don't care anyways, so they shouldn't be burdened with more hardline privacy requirements. Just increase the visibility for now.
And please please learn from EU mistakes and establish enforcement mechanisms. Don't just make exorbitant ceilings and move on. Have a framework to punish violators, and again start with small legislation until it can be shown enforcement occurs and is working.
Having said all that, can we just start with pro-privacy PSAs, education, targeted advertisement awareness, punitive measures for breaches, and relaxation of legislation preventing me from scraping/manipulating/proxying these sites however I want? If we all have to hire lawyers and/or compliance assistance, then the first step is too large. We can make our way towards delete-all-my-data-on-request laws later. Not sure what made this an emergency (actually I do know based on media and political driven fervor, but that will be best studied through the lens of history). But all these tech people, OP and commenters here especially, don't speak for many people who accept the current state or reasonably understand heavy-handed government regulations on the internet bring more bad than good.
And for goodness sake, don't use the domain of your should-be-neutral software to make a political post. You aren't gonna feel any pain now because you are in the same line with other popular pitchfork wielders, but your political leanings have bit you before, why would you associate your company with them?
> And please please learn from EU mistakes and establish enforcement mechanisms. Don't just make exorbitant ceilings and move on. Have a framework to punish violators, and again start with small legislation until it can be shown enforcement occurs and is working.
There are enforcement mechanisms in the GDPR. IMO they also are quite good. The max fines are huge, but there are mechanisms to help misbehaving companies into compliance and also protect companies from random lawsuits by individuals.
> There are enforcement mechanisms in the GDPR. IMO they also are quite good.
Based on my research into the lax enforcement of GDPR predecessors and GDPR leveraging those same enforcement bodies, I disagree. This is why I advocate an incremental approach; so you can prove you are adept at implementing the measures you write down lest it become just words, or worse, an economic warfare tool to subjectively apply on a whim. Sometimes you even have to temper those words knowing your enforcement mechanisms aren't yet prepared. Nobody's asking for going after all offenders, just reasonable attempts at equitable large-scale enforcement.
> how about not-tech-specific rules around data sharing transparency
Such as... a General Data Protection Regulation?
GDPR is not "tech-specific", it applies to technical solutions, yes, but also to business requirements and administration, and non-technical data collection. One non-tech consequence here is that stores are encouraged not to ask your SSID equivalent, since that exposes deeply personal information to others nearby.
> Just require details on what's shared and with whom for those seeking it
That's a big part of GDPR, actually. You're allowed to collect data, with certain rules about transparency and anonymization, and as long as there are reasonable motivators for collecting it. Within reason and with exceptions, I'm sure, but nonetheless, that's a big part of it.
> You're gonna find most people don't care anyways
I'm willing to bet few people cared about regulations on traffic safety and alcohol as well. That doesn't mean that regulations to hold bad actors responsible aren't necessary, as has been proven countless times through leaks, sometimes very large or sensitive leaks.
> And please please learn from EU mistakes and establish enforcement mechanisms.
What do you mean by this? What "mistake" has the EU made? They have enforcement mechanisms in place to target companies for violations of GDPR. It will take time to work out the details and establish case law, but I don't see any way around that. Even if you introduce "small" regulations, companies will fight the charges or fines that you bring to establish precedent.
> If we all have to hire lawyers and/or compliance assistance, then the first step is too large.
You all don't. Larger corporations probably do, but that's unavoidable. GDPR was announced something like two years before implementation, and published in a lot of different ways beforehand. There were compliance consultants, yes, but there were also PSAs, education, advertisement, easy-to-read summaries and tons and tons of material to read up on.
> heavy-handed government regulations on the internet bring more bad than good
The view of pre-GDPR internet as something free of regulation, or free from government involvement, or as nothing but a land of milk and honey seems to me like a pretty severe case of rose-tinted glasses, especially if we're talking the last 10-15 years.
There have been a lot of issues with the internet, even without mentioning all the severe privacy breaches, or breaches that are a concern for national security.
> Such as... a General Data Protection Regulation?
Without the rest, sure. Laws also exist for consumer data sharing transparency in the US, they just need to require more detail and have their scope increased (again, if we're resigned to the fact that something must happen).
> That's a big part of GDPR, actually
Right, my whole point is starting small, i.e. without all the other big parts.
> I'm willing to bet few people cared about regulations on traffic safety and alcohol as well
We have to stop debating like this. I could bring up drug laws or prohibition to bolster my point about government regulatory overreach and its consequences. But doing this at a high level negates the nuances in the debate on this issue which has no historical equivalences from which to draw.
> What do you mean by this?
I have not seen large scale equitable enforcement of EU internet laws to justify their size. It's becoming a more rational approach to ignore the laws. Even proponents of the GDPR use subjective enforcement to allay small business fears of compliance. This is why I promote proving you can enforce before expanding scope.
> You all don't
That is a product of levels of risk, legislation scope, and market reaction to the general murkiness of how it will be interpreted and enforced. It's like telling a business they don't need an accountant, the information is all out there.
> The view of pre-GDPR internet as something free of regulation, or free from government involvement, or as nothing but a land of milk and honey seems to me like a pretty severe case of rose-tinted glasses, especially if we're talking the last 10-15 years.
Agree and I definitely don't share that view. I am proud of my peers for fighting it where we have, I just wish we could separate what we want vs how we get it.
Speaking of breaches, I think that's a great initial place to direct legislation and build citizen support against reckless companies without going all in on legislation of data specifically. It also has the benefit of punishing violations instead of prescribing specific maintenance rules.
It's somewhat amusing watching the overt rhetoric of advocating for data privacy enforced by governments when the majority of even technical people understand covert exploitation that is happening by said governments (and leaked to n number of 3rd parties [non govs, ngos, even the public occasionally via incompetence/leaks/hacks, etc] around the world on an increasing basis), which has the dual benefits of making the uninformed or willfully ignorant feel good without actually changing the state of things.
Yup, and notice not a single person crying about privacy has been materially harmed from companies using their information to target ads or provide better products.
That's great. I don't want my information stored, analyzed, cross-referenced and re-sold around without me knowing what's going on.
Oddly enough, you're frustrated about "degraded UX", but for several years now - UX has been terrible with annoying popups asking you for your email, advertisement-ridden websites that attract traffic via well-crafted titles while the content is something to be desired...
Don't be a peon. But if you decide you want to be one, think about your other fellow humans - maybe they don't want to be peons.
Your information is still “stored, analyzed, cross-referenced and re-sold” and even though the GDPR doesn’t stop that, you feel better because you “know that’s going on”.
I don’t get it. Have you ever been materially harmed by businesses storing, analyzing, or reselling information regulated by the GDPR?
GDPR makes using websites a terrible user experience with the million cookie prompts. My parents will click on anything to make popups go away. Please no.
No, big companies have the greatest business-plan, tech, and compliance debt and are slowest to change -- the bizplan debt alone can be retired rapidly only at great risk of breaching fiduciary duty to shareholders.
Neither Google nor Facebook is in compliance with GDPR. FB was busted using 2FA phone number for ad targeting. Google has been taking data for various purposes for decades and linking it all together for other purposes. These are bright-line violations of GDPR's purpose-limitation design.
Smaller companies, by contrast, can change more quickly or start with compliance by construction, as Brave has.
It's a silly slogan that GDPR only helps big incumbents. Regulation tends to help incumbents under varying degrees of regulatory capture, as in the US. Europe is different, and India, Brazil, and other jurisdictions are following suit. California's CCPA is weaker (on protected data, opt out rather than opt in, ambiguity about duress = denial of service if off-purpose data not provided, enforcement), but also in line.
The GDPR is mostly good. The right to find out and delete the data is excellent. The bad thing is the constant consent popups which have become synonymous with the GDPR.
Obviously there are also still a lot of sites that try to wiggle around the GDPR by saying "By entering the site you agree to X", a practice that should soon be found to be in violation of the regulation. If that is allowed, the regulation for storage/processing becomes almost pointless.
That data collection should be opt in if it isn't an essential function of the app/site/service.
I am sick and tired of auto playing videos, popups etc. It is not GDPR's fault; media companies are milking us. Yesterday I got to an article that was covered with overlays and popups. You couldn't even see the title. I realized I didn't care that badly to read it anyway and abandoned it.
Strangely, we are still enduring this terrible UX experience, mostly because we don't have good alternatives or those that exist are not known. I think we should spend time creating those and discovering and promoting healthier information sources.
"Right to be forgotten" is a core tenet of GDPR. It'd be interesting to see if the U.S. would enforce the hard delete of social media profiles upon opting out.
Really strange that the Brave website of all places includes a JavaScript that hijacks your native scroll. Why is that smooth scroll library so popular? It's really obnoxious.
No we don’t. There’s no privacy problem that needs solving.
Brendan Eich is seeking protection for his failing business from the government. He wants to use the force of law to make his browser more competitive.
I’ve got a better idea: let’s make JavaScript illegal. That’ll hurt the advertising industry too!
What specifically do you take exception to with regard to GDPR/EU Internet laws? Having hands-on experience with compliance, I find GDPR to be quite reasonable - if anything, I'd say it's overly lax with regards to deletion of data that's not visible to the user (i.e. logs, 'shadow profiles', etc.).
Maybe GDPR is okay, I'm not terribly well informed about it. But every couple weeks the entire internet is up in arms against a new attempt by the EU to censor the entire internet, and I've been dealing for too long with the damn "We use cookies" pop-up they ignorantly required.
So I'm just saying their track record isn't great.
> the entire internet is up in arms against a new attempt by the EU to censor the entire internet
I must be out of the loop because I'm not familiar with what "the entire Internet" is up in arms about. Can you give a specific example?
Re: cookies - you do realize that "we use cookies" almost universally means "we use third-party cookies" and that third-party cookies are the number one way that advertisers and other unsavory entities track your Internet usage across sites, right? Don't you think people deserve to know that their Internet usage is essentially being tracked granularly without their consent or knowledge for profit? If not, why not?
What material harm or damage would you suffer if I snooped on all of your Internet browsing activity with the knowledge of who you are in real life and kept that information around forever to use for whatever purposes I so choose?
Straw man. That’s not analogous to what was being discussed. A better analogy is: HN can see my email because I gave it to them to login. I don’t need to request what HN is doing with my email, because I already know I gave it to them. Giving them my email doesn’t harm me. Using it to do something illegal might, but the GDPR wouldn’t be able to stop that.
You misunderstand how third-party cookies & tracking work. You also misunderstand the intent of the legislation if you think GDPR is about preventing 'illegal' things. It's about protecting individual citizens' sovereignty and privacy.
That's acute, considering there's at least a couple of major competitors in every area of Chinese internet economy, unlike the Google, Facebook, YouTube and Amazon de-facto monopoly.