
Can you give me a reference for that, please. I have only found [1]:

>It states that you should integrate data protection from the designing stage of processing activities. Article 25 of GDPR lists the requirements for data protection by design and default.

But that's the processing, not the agreement.

And about consent [2]:

>Freely given - the person must not be pressured into giving consent or suffer any detriment if they refuse.

>Specific - the person must be asked to consent to individual types of data processing.

>Informed - the person must be told what they're consenting to.

>Unambiguous - language must be clear and simple.

>Clear affirmative action - the person must expressly consent by doing or saying something.

But freely given doesn't forbid using the default or does it?

[1] https://www.cookielawinfo.com/gdpr-privacy-by-design-and-def...
[2] https://www.privacypolicies.com/blog/gdpr-consent-examples/




You said yourself:

>>Clear affirmative action - the person must expressly consent by doing or saying something

It's not "clearly affirmative" if it's a default that's difficult to find the alternative to, or easy to select by mistake.


That's a subjective interpretation of "clearly affirmative" that matches more closely with "obvious and clear or straightforward". An option can be obvious to find and yet worded unclearly, as we have all encountered: "Do you want to opt out or not?" Y/N - wait, what did the text blob above this say?

Pretending this isn't a delicate issue creates more loopholes and bench time than helping consumers.


I think "clearly affirmative" is only possible when it's "clear" - the consumer cannot clearly affirm to an unclearly-worded question.

You can also cover it under "easy to select by mistake [the unintended answer]".

I think the root of the problem in most cases is that companies don't want to help consumers, they actively want to mislead them and then claim plausible deniability.

I don't understand which sense you mean by "pretending this isn't a delicate issue..." here. I can't even tell if you are pro-GDPR or anti-GDPR from that, and which of those positions you consider to be helping consumers more. Ironic, Y/N? :-)


Can you tell if I am pro- or anti-GDPR?

They, like I, are not arguing for a side (I assume). We are pointing out that the legal situation is not as clear as the article suggests.

Judging by the lack of won cases, a default ok button seems to be 'clearly affirmative' enough.

The law states [1]:

>It shall be as easy to withdraw as to give consent.

Nothing states that consent has to be more difficult than non-consenting.

>the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

The request has to be distinguishable, not the consent.

[1] https://gdpr-info.eu/art-7-gdpr/


> Nothing states that consent has to be more difficult than non-consenting.

Nobody is arguing that consent should be more difficult.

The complaint is that non-consent is often much more difficult than consent, sometimes ridiculously so.

In my personal experience I have been unable to find the no-consent option at all on some sites. Just links that go around in circles, sometimes to hundreds of ambiguous and mixed-polarity yes/no-or-was-it-no/yes-style options (one for each of hundreds of "partner sites" I've never heard of), with the only clear option being consent-to-all.

If I eventually click on "ok" that is not freely given consent, it's coerced due to me being unable to find or understand how to decline it.

It is technically easy to provide a "decline-to-all" option whenever they have provided a "consent-to-all" option.

Therefore, clearly companies which provide an easy consent-to-all but make decline-to-all virtually impossible to select, or actually impossible, are doing so deliberately, intending to frustrate the consumer from exercising their rights.

The law says that a person should be able to decline if they choose, that it should be easy enough to do, and easy to understand which option they are choosing. Such sites are not compliant with that principle, and it looks like deliberate non-compliance to me.

> The request has to be distinguishable, not the consent.

Well, "the request" is what we've been talking about. It means the UI. Things like "Ok" and "decline" buttons, how the options are presented, how they are explained clearly and unambiguously, the ease and accessibility of selecting the freely chosen option, that sort of thing.


>Therefore, clearly companies which provide an easy consent-to-all but make decline-to-all virtually impossible to select, or actually impossible, are doing so deliberately, intending to frustrate the consumer from exercising their rights.

Yes, that's their business concept and it is legal.

>The law says that a person should be able to decline if they choose, that it should be easy enough to do, and easy to understand which option they are choosing.

The law states:

>>It shall be as easy to withdraw as to give consent.

>Such sites are not compliant with that principle, and it looks like deliberate non-compliance to me.

I rather think that they follow the law to the T. People would love it if their behavior were illegal, but they forget that companies are involved in the law-making process, too. The EU wants its companies to be competitive on the internet. Making it impossible for companies to finance themselves with advertising in their home market would kill their already weak internet economy. Who would accept the sharing of private data if rejecting were as easy as accepting?

GDPR is a compromise between the protection of the netizens and the business interest of the economy. As such, it protects against the worst abuse but the world is not free. In one way or the other, somebody has to pay.


>>>It shall be as easy to withdraw as to give consent.

>>Such sites are not compliant with that principle, and it looks like deliberate non-compliance to me.

> I rather think that they follow the law to the T.

I think "as easy" is plainly incompatible with "much harder" or "impossible".

You cannot make something plainly much harder than something else, and still pass the "as easy" test in the law to a T.

You also cannot pass the "accessible" test that way.

>> intending to frustrate the consumer from exercising their rights.

> Yes, that's their business concept and it is legal.

I don't believe it is legal, because these are statutory rights.

To use an analogy that involves another statutory right, it would be like a company preventing you from exercising your right to return a broken product "because it's their business model to ship defective products and we cannot kill the economy by preventing that business". Companies do get away with that, because people can't find the energy to pursue it, especially for small violations, but when sued those companies do lose.

You cannot determine that it's legal just from the fact that companies get away with it.


It's one thing to reject consent and another to withdraw consent.

The companies can make the rejection difficult as long as the withdrawal is as easy as the giving.


Not if the rejection is made so difficult, or impossible, or inaccessible, or incomprehensible, or ambiguous, that the consent fails to meet the standard of freely given consent.

Clicking the "ok I consent" button does not count as consent under the law if the user believes they have to click it to use the service, assuming what is attached to that button isn't technically necessary for delivery of the service.

And holding PII for marketing and tracking purposes does not count as necessary, despite any economic argument that it pays for the service. That argument is disallowed.


>the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. [1]

On which part of the law do you base your first paragraph? The text that fits for me is all about the consent, not the rejection. It must be easy to understand what a person consents to, but the rejection can be difficult.

There is also:

>When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Services have to point out that consent is not necessary. If that's usually not done, then this abuse can be ended by notifying the EU. I thus assume that most services offer that notice. Then it is very difficult to argue in court that a user still believed that they didn't mean to give consent. People have to argue for their legal incapability if they want to get out. Who would do that?

The compromise of the law is that people in general mindlessly click ok so that targeted advertising is possible. People who mind tracking can easily opt out. This leaves the ignorant to be tracked. How else should free services be financed? The only other option is making people pay for everything which is ok but a radical shift for the internet.

[1] https://gdpr-info.eu/art-7-gdpr/


"Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent."

https://ico.org.uk/for-organisations/guide-to-data-protectio...



