
> These are very real, very concrete negative effects of GDPR

Your annoyance is misplaced. Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy. We built massive amounts of technology infrastructure that just assumed that privacy and tracking weren't an issue. Why do these websites need all these cookies in the first place? If I'm visiting a random blog with no advertising on it, why is it asking me for cookie consent? What possible purpose could that cookie serve, except tracking users?

As an analogy, imagine taking a black-light to a hotel room and realizing that the room is absolutely filthy. Would you be angry at the black-light for revealing the filth to you? Or would you be angry at the hotel, for not properly cleaning up?

If cookie consent forms or GDPR compliance forms annoy you, don't blame GDPR. Blame the sites that have no regard for your privacy and make no effort to comply beyond throwing up annoying prompts.




Counterpoint: be annoyed at GDPR.

If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.


>If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

How about this. For the past 25 years every hotel that you checked into has kept a record of:

- How often did you visit?

- How much money did you spend?

- What type of CC do you have?

- Did you watch porn?

- If so, what is your favorite type?

- Did you pass on dietary restrictions to the chef?

- Were you alone?

- Did someone other than the person listed as your wife on FB join you for the night?

- etc... etc... etc...

And then, without your consent, without even notifying you, they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.

Without. Your. Consent.

THIS is how the internet works today. Everyone grabs as much data as they can and then sells it to whoever wants to buy it. You have no vote in this. It just happens and it says so in weird legal terms on page 373 section 44 subsection 7a of their 700 page Terms of Service.

GDPR gives you this vote.

GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.

GDPR says: you cannot make your website / app / service unavailable if people refuse this.

GDPR says: you can ask companies how much and which data they got on you and they have to provide it.

GDPR protects you from an invisible industry many people don't even know exists.


>GDPR gives you this vote.

>GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.

>GDPR says: you cannot make your website / app / service unavailable if people refuse this.

>GDPR says: you can ask companies how much and which data they got on you and they have to provide it.

>GDPR protects you from an invisible industry many people don't even know exists.

And it does it by in effect forbidding you from interacting with parties that don't follow EU mandated criteria for what needs to happen for a packet to go from A to B. I don't care about what the EU thinks is good for me, I want to interact with server X whether or not it is GDPR compliant and whether or not it's over a protocol that lends itself to this nonsense; my data is supposedly mine, so fucking let me.


How does not selling your personal information to a third party block you from visiting a website?

GDPR is fine with the selling of information, as long as you have given consent in clear language and not buried in TOS.


I think he is referring to websites that are now blocking all EU users because of GDPR.

I'm surprised companies aren't just pulling the same move porn/alcohol websites use with age by asking the user if they are an EU citizen/in the EU and if they answer yes, send them to a static "we don't service the EU" page at which point everyone just lies so they can still access the page with the tracking.


> And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.

> Without. Your. Consent.

I'm really sure that every hotel has its terms of service. So does Facebook and every other site. What you described has always been illegal, and it has also never happened. What was sold was composed of data according to the terms of service that every person included agreed with. If agreement isn't consent, what is?


Did you read, or were you even aware of, a ToS of a hotel on use of personal data? This is entering the "local planning department in Alpha Centauri" territory.

As a regular person, you should not need to be aware of such things. What GDPR tries to do is to restore some sane defaults into the process, just like customer protection laws do.


This quote seems apropos:

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.” --Upton Sinclair


Yes, I generally check the ToS of whatever services I use, including hotels. And no, it's not "local planning department of Alpha Centauri" territory, it's available on their webpage and in paper form at the reception, usually framed and hanging on the wall. I check it to see what happens if I overstay, but skim through the whole thing.

As a regular person, if I want to use a service offered by someone, I should at least look into their terms - even with GDPR in place.

I'm not saying I disagree with you - but that's an opinion; on the other hand you said that consent was not given, which is simply not true - consent has a definition and that definition was fulfilled, the law doesn't treat ignorant people differently. If you want to say "I don't think <something> should be enough expression of consent", that's OK, say it - but don't lie.


Fair enough. I do read the regular ToS of the hotel that they frame and hang on the wall; it's usually standard stuff and not once do I remember reading anything there about use of my data. It's just the usual "hotel night is from X to Y, please don't do <list of ridiculous stuff that some people apparently do in hotels>". So from your comment I assumed that there must be an extra ToS that covers use of personal data. If there is, I've never noticed it.


I don't think there are many hotels handling your personal data except for legal purposes, so they mostly don't need any data policy. So far I've encountered one that simply said that data might be shared with other branches of their company, which I'm happy about.


It sounds like you agree that forcing people to read and agree to individual portions of the ToS is not a downside of GDPR, since we should all be doing that anyway.


I don't agree nor disagree. The comment I replied to was talking about the past, and in the past, the laws were different and consent was given according to them. I deliberately didn't say if I support GDPR or not, it doesn't matter; the comment said "without your consent" which is simply not true.


Freely given consent, as per the GDPR, must be explicit and optional (even if you have consent to use the data for the service being performed). A line buried in a ToS does not comply.


That's today, I replied to a comment talking about the GDPR-less past.


My point is that you can simply change the previous comment to read:

"And then, without your freely given consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it."

And the point still applies.


No, the original point doesn't apply. Your edits make it completely different, so of course my reaction would be nonsense. "Consent" is a well defined word, and its meaning was fulfilled in the examples the comment listed - of course that would be different today.


> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.

This, again, is the fault of most websites. GDPR requires opt-in for tracking, etc. A website could just, by default, not do tracking, then provide the tracking options in the preferences. However, most sites have gotten so data hungry that they can't accept GDPR's privacy-by-default and have to bother you with pop-ups to try to get your consent to track you. Add some dark patterns, like designing these pop-up forms such that they are effectively opt-out.

I can't wait until some organization sues some big fish to send a signal that blanket data collection or using dark patterns to trick people into data collection is not an acceptable modus operandi.

Also, we as consumers of the web can also help to improve things. Contact companies and ask them to switch to opt-in (as required by the GDPR), encourage them to not collect data by default (avoiding popups), exercise your right to remove data and/or see what data is collected. If enough people request this by e-mail, companies will have to set up automated procedures (provide a webpage to see or remove data).


> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate.

You don’t have to do anything to “activate” these rights under GDPR. You can just email the website in question and ask them to send an accessible copy of your data, or remove some or all of it from their servers. GDPR simply requires companies to adhere to certain consumer demands about my own data and respond within reasonable time frames.

Also I disagree with your analogy. Companies are allowed to track users for internal purposes under GDPR. But they are not allowed to sell your data to third parties without consent. The reason all these pop-ups and consent forms are so complicated has nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests.


> You don't have to do anything .... just email the website ...

Okay ... let me try this.

> TO: cnn.com

> SUBJECT: Remove my data

Okay, let's send it!

> gmail: The address "cnn.com" in the "To" field was not recognized. Please make sure that all addresses are properly formed.

Oh. I've been around the block; maybe I can try admin@ or support@ or look at whois data, or browse around their website for a "Contact us" link, and maybe I can figure out how to properly assert that I do in fact own the account in question whose data I wish to remove, assuming I even have an explicit account rather than just a tracking cookie and a "shadow" profile. But isn't the GDPR supposed to be consumer-focused? What earthly consumer is going to go through these steps?


> What earthly consumer is going to go through these steps?

I have requested the removal of my personal data from multiple businesses, and I can assure you I'm quite earth-bound. Copy-pasting a template and filling in my name and account ID is not that hard.


I'm going to go out on a limb and guess that you are a fairly technical user. My snarkiness in the previous reply was excessive, but reflected my frustration with being told that something is simple that is actually a multi-step process with questions that are not easy to find the answer to.

I guess the problem with email for this process is that you have a number of questions, all of which may not have an easy answer.

1. Identify an email address -- is this standardized? Searching "GDPR address for cnn" gives nothing, and similar more general queries yield little information.

2. Identify a template -- is there a standard one? I see a bunch of websites that claim to have them, looks like 'datarequests.org' is a good(?) one? It seems to have only a small set of sites that can be submitted. The template is incredibly verbose and it isn't clear how to request specific information; would that typically happen as part of a dialog?

3. Identify an account number/user name/verification of identity -- is there a standardized process for this? Could someone else send a request to remove my data? What is the process for this and how can I activate it?

4. Email is not a structured medium. I don't want to get into a whole conversation about this; I want to see the data about me and be able to remove bits of it.

Note that as a software developer #4 sounds kind of ridiculous to me, since user data can be represented in a variety of site-specific manners, and the existing pre-GDPR protections put in place for PII make this almost impossible. But to an end user it feels like it should be a natural thing and having to deal with a number of complex bespoke systems sounds like a pretty heavy load.

I can see the GDPR in this sense being useful for celebrities and the wealthy, who can afford managers or consultants to take this action on their behalf, but not for people like my parents, for whom even step 1 is daunting.


I'm going to guess you're a technical user :) My parents would never think to search for standardized or GDPR-specific email addresses. What they did was find some generic way to contact the company (phone number, possibly Facebook or email) and ask them "where should I send a request for you to delete my data?"

Regarding the content, they would find some template they can mostly understand, then change/add a paragraph to include whatever specifics they need.

As for verification of identity, they would not even think much about it. They would sign with their name, and of course send from their email. The company would have to reply back to ask for whatever they need to verify it properly.


> 1. Identify an email address -- is this standardized?

Interesting, wasn't that addressed by GDPR? For that reason, German law requires information like this to be easily accessible, aka "Impressumspflicht". Let's compare, for example, Amazon's footer links.

Amazon.com

> Conditions of Use | Privacy Notice | Interest-Based Ads | © 1996-2018, Amazon.com, Inc. or its affiliates

Amazon.de

> Conditions of Use & Sale | Privacy Notice | Imprint[0] | Cookies Notice | Interest-Based Ads Notice | © 1998-2018, Amazon.com, Inc. or its affiliates

[0] https://www.amazon.de/gp/help/customer/display.html/ref=foot...


https://opt-out.eu/ is a service run, AFAIR, by someone on HN (spotted it today, can't find the source comment). Select a company, fill out a form, and you're done[0].

This is the template they seem to be using for erasure requests: https://github.com/opt-out-eu/opt-out/blob/master/src/email-....

--

[0] - Maybe. I'm not endorsing it, I just found it today. I wish someone (maybe the author) could say something more about the validity of such process, and whether this kind of e-mail is enough in practice.


One of the authors here. Thanks for mentioning us! I personally use the service and can testify it works. Just used it last week following the Apollo breach to have them remove me from their database. The service is free and open source. Happy to answer any questions!


> I have no idea how to respond to, and no idea what I'm committing to when I click them.

Actually, it's easy. You can say "NO" to everything and still use the service. If the site denies service, they're violating the GDPR.


> If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

This analogy doesn't work because a) the vast majority of illuminated marks aren't harmful, b) the ones that are harmful aren't revealed by a blacklight, and c) you can take a shower after you leave to deal with the gross ones.

If, however, the light revealed signs of bed bugs we would be in the right ballpark.

Because:

a) everybody should want to minimize how much they deal with bedbugs

b) if you regularly sleep in places that have bedbugs you risk bringing bedbugs along with you to the other places you go

c) because of education and time constraints, people typically do not manually inspect each and every place in a hotel room that bed bugs could be. So if hotel staff could force the user to click a dialog that says, "This hotel room uses bedbugs for the following purposes..." that would be extremely useful for public health and sanity.


This is how unintended consequences happen. Complaining how rational actors work around roadblocks has no practical effect. Who someone blames has no practical effect. The downside of looking at the intent of the law and assigning blame towards the market is that it encourages doubling down on these negative actions. Why not make popups illegal, they'll say. Why not make it illegal for you to optionally trade your data/tracking for services, they'll say. We need to keep fighting the market's misapplication of our original intent with more codified words, they'll say.

Pragmatic realizations of cause and effect are required instead of blame.


> Complaining how rational actors work around roadblocks has no practical effect.

I'm not sure I agree with the 'rational'. If you are so short-sighted as a company that your main course of action boils down to 'piss off the user' while doing everything you can to skirt the law then you deserve to suffer the longer term consequences. Rationality should operate on all time-frames simultaneously.


I very much wish incentives were aligned this way. However, as the ad tech sector has shown, consumer apathy is pervasive enough that you can push the envelope quite hard against them before the costs near the benefits. Couple that with the uncertainty of an ever-changing tech landscape (especially considering impending government interference), and optimizing for short term profits is "rational". That's "rational" about money only, morality and sustainability be damned.


Hence the GDPR, which sort of makes this go full circle. These 'rational actors' are now trying with all their might to do an end-run around the law. It is interesting to see which companies 'get it' and which really don't get it. I suspect - and hope - that five years from now or so the ones that didn't get it will either have changed tack or will no longer be around.


Although they are doing an end-run around the law, I'm not sure they are trying that hard. I suspect the law will become largely ignored (or massively paid lip service just to avoid being the tiniest rare case that is punished), and hope that alternative tech overcomes the entrenched.


Everybody has to do it, so not pissing off your users is not an advantage. The other options for them are: block EU visitors (that pisses me off even more) or go out of business (because they need the tracking to make at least some ad money from the freeloaders who want to read their content but won't pay a dime).

Saying “just don’t track” is magical thinking. They ARE rational in doing the minimally revenue harming thing to comply in their less lucrative market.

The only ones suffering any consequences are people like us who have to click through so much crap to read something because of the bloody GDPR we didn't ask for. (Like we didn't ask for Netflix to have 30% of crappy EU content. That's the EU's next disaster in the making.)


There is also the aspect that apparently there are plenty of people who are completely happy with exchanging data for free services.

For example:

"No Cash Needed At This Cafe. Students Pay The Tab With Their Personal Data" https://www.npr.org/sections/thesalt/2018/09/29/643386327/no...


The students can't buy coffee from that joint even if they want to: Their money's no good, they only take data. Wow.


Risky. If you ever run for political office the media will find out how much alcohol you REALLY drank at university.


>This is how unintended consequences happen. Complaining how rational actors work around roadblocks has no practical effect. Who someone blames has no practical effect. The downside of looking at the intent of the law and assigning blame towards the market is that it encourages doubling down on these negative actions.

Bounce rates must be through the roof, especially for clickbait. I'm certain that the market has noticed and will respond to this. I strongly doubt that this persistently annoying popup situation will stick around forever.

Ultimately I'm sure some kind of technological solution will emerge - e.g. you set what level of tracking you're happy with on your browser and your browser will fill in the popups for you and report back what the website is doing.


This would only work for automatic opt-in. Why would companies that monetize your privacy stop bugging you unless you close that pop-up manually? I imagine there are a lot of people who use their browser with default settings, so there is a chance they don't actually care about privacy.


> Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy.

What about people who had absolutely no issue with the tracking and "privacy" concerns? I don't care if advertisers target me. If I do care, I use incognito sessions. I'm happy with all the free services I get on the internet and I don't mind giving them a bit of information about myself especially since I've literally never clicked on an ad, ever, so their efforts aren't even effective.

I think there's a small minority of people who care about this stuff, they just had loud voices and the ability to push global legislation through to make everyone else's life more difficult.


I see no issue with opt-in as default (which GDPR requires). Then people can make informed decisions and choose to be tracked, while less technical and privacy-minded people don't get tracked.


I think the grandparent post does a good job describing the problem with it. It's a UX nightmare to the point where it doesn't even accomplish what it set out to accomplish.


You're not in the EU, are you?

Everyone defending GDPR around here should be required to take a one-week trip to the EU and spend some time online while there.


Good, you can opt in to tracking and profiling, if you wish.

The rest of us would rather abolish this flagrant abuse of personal information.


> Good, you can opt in to tracking and profiling, if you wish.

What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet.

Perhaps we could introduce a new HTTP header X-GDPR-Consent-Granted, controlled by a checkbox in the browser, to explicitly acknowledge that yes, we know that anyone we interact with online is going to learn various things about us, some of which may be quite personal; that we accept this; and would you please just get out of the way and let us read the article we came here for already?

If the intent was that anyone can decline without any change in service they should have just declared consent irrelevant. No one wants to be accosted 50 times a day for something so trivial, and the answer is obvious—the law prohibits offering any incentive to consent, so the only reason for anyone to grant consent is that they didn't understand the question.


I think the way this would play out is that sites would attempt to only respect the header if consent is granted, and would prefer to still show the popup to those who set a header indicating to deny consent. In that case, it would be interesting to see what percentage of users are willing to trade their data in exchange for not being bothered.

I would guess though that businesses would be wary that supporting such a header would legally put them in a position to also support a deny version of it.


>"What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet."

If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.

Instead, they want to punish and irritate you into simply accepting whatever they say, in order for the popups to go away. It's completely deliberate.

They could also simply support the Do Not Track header, or a "Please Track Me" counterpart. But they won't do that, because that would make it too easy to escape data collection and profiling, and wouldn't let them annoy you into accepting their onerous terms.
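The "one prompt per site, remembered in a cookie" scheme from this comment, the Do Not Track header it mentions, and the X-GDPR-Consent-Granted header proposed a few comments up, as an added example that is not from the thread: a small server-side consent gate written for a Node-style request handler. The cookie name `consent`, the lowercased header keys (as in Node's `http.IncomingMessage.headers`) and the sample requests are my own constructions; X-GDPR-Consent-Granted is the thread's hypothetical opt-in header, not a standard one. The point to notice is that the remembered choice is the word "granted" or "denied" and nothing else, so the cookie identifies nobody, and that a denial signal wins whenever signals conflict.

```javascript
// Added example (not from the thread): a server-side consent gate.
// Decides per request whether optional tracking may run and records the
// visitor's choice without ever assigning them an identifier.
// Assumptions: the cookie name `consent` is constructed; `headers` has
// lowercased keys like Node's http.IncomingMessage.headers.

const CONSENT_COOKIE = 'consent';

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Decide whether this request may be tracked.
// Precedence: remembered decision > Do Not Track > proposed grant header > default.
// A denial signal always beats a grant signal when both are present.
function consentDecision(headers) {
  const stored = parseCookies(headers.cookie)[CONSENT_COOKIE];
  if (stored === 'granted') return { track: true, reason: 'cookie:granted', askUser: false };
  if (stored === 'denied') return { track: false, reason: 'cookie:denied', askUser: false };
  // DNT is a real, if widely ignored, request header; honouring it means
  // there is nothing to prompt for.
  if (headers.dnt === '1') return { track: false, reason: 'dnt', askUser: false };
  // X-GDPR-Consent-Granted is the hypothetical opt-in header proposed in the
  // thread, not a standard; shown here only as the "please track me" counterpart.
  if (headers['x-gdpr-consent-granted'] === '1') return { track: true, reason: 'header:proposed-opt-in', askUser: false };
  // No signal at all: privacy by default, and this is the one time the site may ask.
  return { track: false, reason: 'default', askUser: true };
}

// Set-Cookie header that remembers the choice. The value is the decision
// itself, not an id, so the cookie cannot single out a visitor; HttpOnly keeps
// page scripts (including third-party ones) from reading or rewriting it.
function consentCookieHeader(decision, maxAgeDays = 365) {
  if (decision !== 'granted' && decision !== 'denied') throw new Error('invalid decision');
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample requests, as the gate would see them.
const SAMPLE_REQUESTS = [
  { label: 'first visit, no signals', headers: {} },
  { label: 'browser sends DNT', headers: { dnt: '1' } },
  { label: 'remembered denial', headers: { cookie: 'consent=denied; theme=dark' } },
  { label: 'remembered grant', headers: { cookie: 'theme=dark; consent=granted' } },
  { label: 'conflicting signals', headers: { dnt: '1', 'x-gdpr-consent-granted': '1' } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ label: r.label, ...consentDecision(r.headers) }));
}

for (const row of runSamples()) console.log(row);
console.log(consentCookieHeader('denied'));
```

Only the `askUser` flag ever triggers a prompt, and it is true for exactly one case: a visitor with no remembered decision and no browser signal. Once the denial cookie is set, the site remembers the refusal without learning who refused.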


> If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.

And how is that supposed to work, exactly? If you choose "deny" then they can't track you, so they can't set a cookie or save profile data! Of course you'll get the same prompt the next time you show up. At that point you're just another anonymous visitor of whom they have no prior knowledge. You have to consent before they are allowed to remember your preference.

The same issue applies if you grant consent but take your own measures to thwart tracking, such as limiting cookie lifetime. The next time you show up they don't remember you and must ask again, or else give up and assume that no one ever grants consent.

If you are already signed in to an account that is a different matter, of course, but even for the minority of sites where I would have an account signing in would generally be more trouble than dealing with the pop-up, and thus not an improvement.

> ... into accepting their onerous terms.

There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding. For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about them. For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received.


>"And how is that supposed to work, exactly?"

Abolish the popups entirely, move the consent forms to a voluntary options page. Implement a user profile system, so people can create a profile and opt-in to tracking and profiling through that. Turn off tracking and profiling completely for anonymous users who choose not to create a profile, or who haven't opted in.

I know there will be an outcry of "but the amount of data we would be able to gather is minuscule!", and I say that's a good thing. Companies have absolutely no right to my personal data and to infringe on my privacy, unless I explicitly grant them access to do so.

The default should be to not track and not profile and not store privacy-infringing data, unless the user has taken specific and deliberate action to allow it.

>"There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding."

They have absolutely no right to my private data, unless I specifically give them permission. They do not have any right to success, no right to a specific business model being viable forever.

>"For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about the them."

No, they do not have that right. There are very clear differences between corporations and people. Corps are not people, they do not have the same rights a person does.

>"For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received."

The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep; any PII data can only be kept if there is a valid purpose. The same rules go for companies: they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you. And yes, taxation is part of the overall service government provides to you; specifically, it's the payment for those services.

Facebook doesn't need to endlessly track, profile and monetize you, in order to run a social network that lets you chat with people, exchange cat videos and arrange events. Google doesn't need to endlessly track, profile and monetize you in order to provide search, email, calendars and their other services. It's perfectly fine to keep your calendar data, because that's a service they provide to you. But it is not OK for them to analyze and monetize your calendar data to target ads, unless you give them explicit consent.


> The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep, any PII data can only be kept if there is valid purpose. The same rules go for companies, they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you.

Services you personally asked them to provide to you. That's an entirely different standard. The GDPR doesn't permit companies to decide unilaterally what services they will provide and what information (much less funds) they are entitled to collect from you in order to provide those unasked-for services.


> I use incognito sessions.

If you think these do anything at all to prevent tracking, you're unfortunately sadly mistaken :(

> a bit of information about myself

"A bit"? That's... well, the only thing I can say is that you indeed seem not to care about this.


> If you think these do anything at all to prevent tracking, you're unfortunately sadly mistaken :(

It definitely stops them from identifying me as logged into Facebook, Twitter... via social share buttons.

> "A bit"? That's... well, the only thing I can say is that you indeed seem not to care about this.

Correct, and I wonder what harm people who complain about this have actually ever come to?


> Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy.

Actually, I think we should be annoyed at browser vendors for letting the problems with cookies get to this point. They're obsessed with backwards compatibility, but sometimes you need to break things to fix a problem.

This is one of those times. Consider: what is the greatest lever we have in this scenario? There are hundreds of thousands of companies and billions of users. Measures to change the behaviour of this huge set of people are futile.

However, there are only a handful of browsers, and over the past few years they've been somewhat responsive to user feedback. Browsers are our greatest lever, and the privacy solution will have to come from there. Remove cookies or neuter them significantly, like removing JS access to cookies and/or making cookies opt-in only for sites storing login info.

If necessary, add new types of concepts for gathering anonymous analytics data that's guaranteed to respect privacy, and new concepts to specifically store persistent credentials rather than general data and to which JS again has no access.


Chrome is the biggest browser by market share and is maintained by a company whose entire business model revolves around tracking users to feed them ads. They have zero incentive to remove cookies. Same goes for Safari and Edge, even though they're not as dependent on ad revenue.

This is a textbook example of negative externalities that can't be solved by market forces. That's where regulators should be stepping in.


> Chrome is the biggest browser by market share and is maintained by a company whose entire business model revolves around tracking users to feed them ads. They have zero incentive to remove cookies.

Not true. If they don't do something, legislators are going to impose hamfisted regulation like GDPR which does impact their bottom line and hampers their business.

So Google's incentives overlap somewhat with users here. It's possible there's a middle ground in this overlap where the browser includes features specifically for ad-driven content rather than relying on general data load/store mechanisms like cookies which can be easily abused for more nefarious purposes.

Although regulation specifically targeting browser vendors to develop such features would also do the job. It's a mistake to try and push this on websites though.


GDPR may affect Google's bottom line in EU markets (we are still awaiting proof as it's too early to tell). But seeing how the FCC dealt with the issue of net neutrality, I have serious doubts that they'd get anywhere near a consumer-first policy regarding Internet privacy.


The previous Democratic administration FCC rule was pro-NN.

The GOP FCC has undone all that. Vote for Democratic congresscritters this year and begin to undo the damage.

Vote Trump and his FCC out of office in 2020 and a GDPR may be possible.


Can we have this without forcing it? Ideally browsers would be extensible enough for you to build these things. I miss the document days of yore where implementing a browser would be a reasonable endeavor. And that the limited size of the choices is now seen as a benefit to enforce change is scary. Sure, some see it as a good thing, I mean look at all these features and all the places they've steered the web (e.g. HTTPS). I see it as too much bad with the good and I'm becoming wary of the non-neutrality of my browser. I'm at the point where I want them all to stand still or work backwards fixing bugs and improving what exists. When you get what you want by browsers leveraging their user share to make sites change their practices, you just have to know you fostered the environment for them to do that in places you might not want.

> like removing JS access to cookies and/or making cookies opt-in only for sites storing login info

To this point specifically, making a simple AJAX call to have my web server set and/or send me back the cookies from the HTTP headers is trivial. A browser is not going to be able to tell the purpose of the cookie, and opt-in is user hostile to the point that never-ask-me-again will become the norm.
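The exchange above (the proposal to remove JS access to cookies, and the reply that a script can simply ask the server to echo the cookies back) is worth seeing in code. The following is an added example, not code from any poster: a toy in-memory model of a browser cookie jar and a server, with no real network. The `HttpOnly` attribute is what "no JS access to cookies" already means in practice, and the block shows that it hides the cookie from `document.cookie` but not from a same-origin request whose response reflects the cookie. The `/login` and `/echo` routes, the cookie name and the token value are all constructed for the example.

```javascript
'use strict';
// Added example: why HttpOnly alone does not keep a cookie's value away from page script.
// Everything here is simulated; request and response are plain objects.

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Build a Set-Cookie header value with the usual hardening attributes.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  return parts.join('; ');
}

// Minimal Set-Cookie parser: name, value and whether HttpOnly was set.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const idx = pair.indexOf('=');
  const cookie = { name: pair.slice(0, idx), value: decodeURIComponent(pair.slice(idx + 1)), httpOnly: false };
  for (const a of attrs) if (a.toLowerCase() === 'httponly') cookie.httpOnly = true;
  return cookie;
}

// Toy server (hypothetical routes): /login sets an HttpOnly session cookie,
// /echo reflects whatever cookies the request carried.
function handleRequest(req) {
  if (req.path === '/login') {
    const sc = buildSetCookie('session', 'secret-token-123', { httpOnly: true, secure: true, sameSite: 'Lax', path: '/' });
    return { status: 200, headers: { 'set-cookie': sc }, body: 'ok' };
  }
  if (req.path === '/echo') {
    return { status: 200, headers: {}, body: JSON.stringify(parseCookieHeader(req.headers.cookie)) };
  }
  return { status: 404, headers: {}, body: 'not found' };
}

// Toy browser cookie jar: document.cookie hides HttpOnly cookies, but every
// request made by page script (fetch/XHR) still carries all of them.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  storeFromResponse(res) {
    const sc = res.headers['set-cookie'];
    if (sc) { const c = parseSetCookie(sc); this.cookies.set(c.name, c); }
  }
  documentCookie() {
    return [...this.cookies.values()].filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
  }
  fetch(path) {
    const cookieHeader = [...this.cookies.values()].map(c => `${c.name}=${encodeURIComponent(c.value)}`).join('; ');
    const res = handleRequest({ path, headers: { cookie: cookieHeader } });
    this.storeFromResponse(res);
    return res;
  }
}

// Walk the scenario: log in, then let "page script" try both routes.
function cookieDemo() {
  const jar = new CookieJar();
  jar.fetch('/login');
  const viaDocumentCookie = jar.documentCookie();      // '' because the cookie is HttpOnly
  const viaEcho = JSON.parse(jar.fetch('/echo').body); // { session: 'secret-token-123' }
  return { viaDocumentCookie, viaEcho };
}
```

The practical caveat: HttpOnly is still worth setting, since it stops the common XSS pattern of reading `document.cookie`, but any endpoint that reflects request headers (including an enabled TRACE method) hands the value back to script anyway, so the browser cannot infer a cookie's purpose from how it is stored.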


> Ideally browsers would be extensible enough for you to build these things.

The generality of the environments available in browsers is exactly the problem: we can't tell what they're doing because opaque programs are manipulating opaque data. Making the problem tractable means restricting the ability to communicate via well-defined channels with well-defined data, possibly with specific purposes.

> opt-in is user hostile to the point that never-ask-me-again will become the norm.

You're assuming a lot. Opt-in is not blanket user hostile, it depends on the frequency and circumstances the user encounters it.

My first thought is that opt-in dialogs would be triggered only for forms with password inputs, just like it works now in browsers where users can save their passwords. The cookie is tied to that form submission only so we know its origin and uses, and all other cookies are forbidden. It doesn't strike me as user-hostile at all to then ask the user if they want to permit the site to store a persistent authentication token.


Isn't this kinda what Brave/Brendan are doing?


Looks interesting, I'll have to dig into the details further. Annoying that the home button on my keyboard appears broken on the Brave site.


But is GDPR really making the kind of difference people wanted?

What I see is that mostly companies continue the same behavior, but now with a disclosure you are prompted to accept.

I predicted everyone would just accept those terms in exchange for free services they already have invested into. Now we just have an extra annoyance. Has anything substantially changed?


Just a few hours ago there was an article on the front page about yet another tech giant getting hacked and losing contact info on hundreds of millions of users [1].

A GDPR in the US should have the power to audit companies and ensure compliance, just like the FDA does with health-tech companies.

On the user side you might only see the effects of GDPR in the form of cookies that were added as a quick-and-dirty solution for companies that have built an infrastructure whose revenue model requires collecting user information. On the other side, the law also gives a vector for the government to step in and demand changes to companies that are fast and loose with user data.

If we'd had an effective GDPR in the US, the Equifax breach that lost everyone's social security number may have been prevented and they might have faced some kind of real repercussion when it did happen. Instead, data companies still get to privatize gains and externalize losses.

[1] https://news.ycombinator.com/item?id=18117322


> GDPR in the US should have the power to audit companies and ensure compliance, just like the FDA

This is wanton overregulation. All we need is strict liability for data loss. After a few years of watching cases play out in the courts, we can revisit to see if more onerous regulation is required.


I think auditing needs to be part of it too. Otherwise what's to stop companies from just never disclosing data loss? The way I understand it, right now companies intentionally don't look for data breaches so they can claim ignorance if anything comes to light.


> accept those terms in exchange for free services

Such exchanges are illegal under the GDPR. Consent must be freely given; if access to a service (that doesn't require that data, or that use of the data) is dependent on it, then it's not valid.


That was OP’s point. Some people, like me, want to freely accept such terms. I don’t give a damn about some cookies tracking. What I do give a damn about is making my own choices.

The entirely predictable consequence of making this trade illegal is that I can’t even access information on sites that have minuscule EU revenue, are too big to be afraid they might become a target, and can’t afford to provide me their services for nothing.

The Great European Firewall is a thing now.


The GDPR is about a lot more than that, which can't be simply covered by a one-click TOS.

https://www.itgovernance.co.uk/articles-of-the-gdpr


Well, you can’t even access some major news sites from EU...


European news sites work fine without problems for Europeans.

What does one in Europe gain with reading, say, American news sites which have a mostly local (e.g. American West Coast) focus?

Sure, one may find more entertaining news in a way, and get perhaps another perspective, but I would say that this perspective is obtainable via other means. It is usually even spelled out in the news articles themselves, but perhaps not explicitly. So what does a European really lose by not being able to read, say LA Times, or a news provider from Kentucky?

Not trying to troll.

After the GDPR I noticed I was not able to read some sites. First I was a bit annoyed, then realized the links I tried to access were to some random US news sites. I realized I should be interested in more local happenings versus those in a remote place that is beyond a vast ocean. Also, I wanted to know in more detail what world events mean for me and my area, since that is where I live. And I want to avoid political paint in my news, as far as possible.


The cost of determining the tracking behavior of every dependency of every part of your web site is prohibitive. Can you be sure that every hosted font and JavaScript framework you use is hosted on a server that isn't, say, logging IP addresses? Why bother? It's much easier to just throw up a warning popup, which users universally dismiss.


I would argue that you should be able to, and then follow that up as to why it's prohibitive (and what prohibitive means).

At least on the library side, there tends to be a default-to-trust to the point where large projects put dependencies on libraries that are built by literally one-guy-with-a-github. I posit that developers should be more critical of including dependencies, and factors like "can we guarantee support" and "how do we know it doesn't have malware, both now and in the future, and who can we hold responsible if it does" should be considered for every dependency we add. As it is, I find a lot of developers will uncritically slurp in any dependency or library that saves them a bit of effort.

If the tooling isn't there to help with this problem then it should be built.
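The two comments above ask whether you can know which third-party hosts a page pulls resources from, and suggest that tooling for the question should exist. Here is an added example of the simplest such check, not code from any poster: it scans an HTML document for scripts, stylesheets, images and frames served from origins other than the page's own (each such fetch discloses the visitor's IP address to that host), and flags cross-origin scripts and stylesheets that carry no Subresource Integrity hash. The sample page and the hostnames in it are constructed; the scan uses a regular expression rather than a full HTML parser, so treat it as triage, not proof.

```javascript
'use strict';
// Added example: list third-party origins a page loads from and flag unpinned code.

// Tag/attribute pairs that trigger a fetch as soon as the page loads.
const TAG_ATTRS = [
  ['script', 'src'],
  ['link', 'href'],
  ['img', 'src'],
  ['iframe', 'src'],
];

// Parse the attribute section of one tag into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Resolve a URL attribute against the page origin; null if it cannot be parsed.
function originOf(url, pageOrigin) {
  try { return new URL(url, pageOrigin).origin; } catch { return null; }
}

// Return one finding per cross-origin resource reference.
function auditThirdParty(html, pageOrigin) {
  const findings = [];
  const tagRe = /<(script|link|img|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const attrName = TAG_ATTRS.find(([t]) => t === tag)[1];
    const url = attrs[attrName];
    if (!url) continue;
    const origin = originOf(url, pageOrigin);
    if (!origin || origin === pageOrigin) continue;
    const rel = (attrs.rel || '').toLowerCase();
    // Browsers verify SRI on scripts and stylesheets; other resource types get no protection.
    const wantsSri = tag === 'script' || (tag === 'link' && rel === 'stylesheet');
    findings.push({
      tag, url, origin, rel,
      missingIntegrity: wantsSri && !attrs.integrity,
      missingCrossorigin: wantsSri && Boolean(attrs.integrity) && !('crossorigin' in attrs),
    });
  }
  return findings;
}

// Collapse findings into the two things a reviewer wants first.
function summarize(findings) {
  return {
    origins: [...new Set(findings.map(f => f.origin))].sort(),
    unpinned: findings.filter(f => f.missingIntegrity).map(f => f.url),
  };
}

// Constructed sample page; none of these hosts is real.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Foo">
<script src="https://cdn.example-js.org/framework.min.js"></script>
<script src="https://cdn.example-js.org/plugin.js"
        integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://analytics.example-tracker.com/pixel.gif" width="1" height="1">
</body></html>`;

function auditDemo() {
  return summarize(auditThirdParty(SAMPLE_HTML, 'https://blog.example'));
}
```

Run it against a saved copy of a page and every origin in `origins` is a party that sees your visitors; every URL in `unpinned` is code whose content the serving host can change at any time without the page noticing. Resources injected later by scripts (tag managers, ad loaders) are not visible to a static scan like this and need a runtime capture of network requests.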


Most of these sites do have high regard for your privacy. It's not all for ads. Much of it is just for tracking logins and preferences, but warnings for that are required now too.


It's probably not true that warnings are required for tracking logins and preferences:

> The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.

> https://ico.org.uk/for-organisations/guide-to-the-general-da...

In most circumstances, I would expect things like logins to fall under the 'legitimate interests' basis rather than the 'consent' basis, and interestingly, if login is required to provide service it shouldn't fall under consent anyway.

I think the majority of the consent popups I've seen do not in fact comply with my reading of the GDPR. It's strange, but apparently people don't read the legislation or guidance before making these changes to their sites.


I don't really care where my annoyance is aimed at, I just don't want to be annoyed. All websites use cookies to track users. In this context getting consent is noise.


You talk as if the GDPR was a win for privacy. It wasn't. It was poorly drafted legislation by people who had no idea what they were doing.


Your comment is being downvoted because you're just rambling like an old man grumpy about kids on his lawn. Not a single shred of evidence, or even an attempt at making an actual reasoned point.

Every time there's comments like this I can't help but think I'd be extremely surprised if the people writing them knew any of the names of the people who worked on the law.

I wonder what you even define as "having an idea what you're doing".


And yet the poster is right for the reason mentioned by the first poster.

Most people click on the option that gives quick access to the content.

If it creates more than 2 seconds of distraction, I might even close the page.

There is no reason to trust the EU legislature regarding the internet after something like this:

https://juliareda.eu/2018/08/censorship-machines-gonna-censo...


The poster claims two things:

1. It was "poorly drafted legislation"

2. The authors had "no idea what they were doing"

Whether it was poorly drafted legislation remains to be seen. The "unintended consequences" people are talking about here are minor; what matters are the intended consequences such as the augmented rights Europeans have over their data, their privacy, etc. I personally don't give a shit about the annoying cookie popups, I'm just glad I can finally delete my account and email address from various websites when I want them gone.

GDPR has given me a ton of rights over my data that I should have, and everybody should have. It has given me access to my own data. It has given me the power to delete it. This shit is important, and now it's law. That there's cookie popups because the companies in question suck? I don't care. If it makes you close the page, that's a positive side effect IMO. This shit must be bad for conversion in order for businesses to start getting a clue. It's a version of the "tax on privacy" that a lot of people on HN like talking about.

Regarding #2, I dispute that for the same reasons. GDPR is achieving its goals of securing user data in Europe. Companies are scared straight into following it so far.

There are issues with it (especially a lack of compliance material). None of them point to "the authors had no idea what they were doing".

In other words, no, GP isn't "right" just because you have to click off some annoying popups. That's not the only thing GDPR does.

Edit: Lacking replies, I'm going to assume those downvoting this comment are the usual no-privacy-apologists who are annoyed they now have to put legalese in front of users and don't ask themselves why they have to.


I agree with you that an important and useful part of the GDPR is deletion of your data. Good examples: No advertising and spam. Prevention of later hacking and theft of your data like e.g. credit card numbers or private messages. You have revealed your true identity on social media and want to remove your posts.

But maybe GDPR gives a false sense of safety and security and control:

- What is technically possible? When I cite you, must my posts be deleted as well?

- Who controls what companies do outside of the EU or even within the EU?

- National police and secret services in the USA and EU might be more interested in the data than some US company. They have no moral problem with installing spyware on your computer.

- Banks and maybe even insurance companies have already the right to know much about you.

- https://ec.europa.eu/info/law/law-topic/data-protection/refo...

- https://ec.europa.eu/info/law/law-topic/data-protection/refo...

IMO, you can only trust that the EU and the rest of the world does not give you control when it really matters.

Another example: https://www.youtube.com/watch?v=gGeevtdp1WQ&t=1


IANAL so I can't address most of your questions, but

> When I cite you, must my posts be deleted as well?

You mean for comments and such? What I write on a site's comment section falls under copyright law, with the usual attribution reservations etc. So no.

> Banks and maybe even insurance companies have already the right to know much about you.

I shouldn't have used the word "privacy" in my comment. I think calling GDPR a privacy law is a shortcut a lot of people take (myself included), but it really is a data protection law. (It's even in the name!)

GDPR doesn't talk about privacy very much. In fact, I just searched the full English text of the law: there isn't a single instance of the word "privacy".

In other words, it doesn't so much say who can and cannot store and analyze your data. Instead, it lays out your responsibilities if you are storing/analyzing personal data, and your (consumer) rights as someone whose data is stored/analyzed somewhere.


> If it creates more than 2 seconds of distraction, I might even close the page.

That's a win for the GDPR, not a loss! Sites that track people less will have fewer bounces and therefore higher revenue.


Is the best way to fight ignorance, virulent personal attacks? Does that constructively influence people?


I was attacking the contents of the comment, not the person. As for ignorance, I usually give the benefit of the doubt, but I've seen enough of those types of comments regarding GDPR that I'm cynical. They're almost always from non-EU business owners annoyed at having to suddenly comply to EU laws, or business owners in general annoyed at having to care about privacy (where they didn't before).

Uninformed consumers who think GDPR is a cookie law also exist, but they're not HN's usual audience.

Edit: A quick stroll through scoom's comments reveals a nauseatingly unsurprising picture. I'm so very shocked.


https://www.zdnet.com/article/gdpr-cuts-tracking-cookies-in-... Tracking cookies have reduced a lot in the EU so I would call that a win for privacy.


The fact that companies can simply continue what they have always been doing “but with pop ups” is evidence that the GDPR did not go far enough.

Also, still waiting for the first major company-wrecking GDPR fine everyone was losing their minds over... any day now. There are doubtless plenty of companies still in violation.

