All this "do you agree to this and that" nonsense could be avoided by "inversion of control": instead of sites asking users whether they agree to this 100 page document, websites should be legally bound to listen and honor directives that users give about the data the sites gather.
For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.
Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.
> Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.
There was a W3C standard called P3P which is similar to what you describe. It was implemented by Internet Explorer, but fell into disuse long before cookie notices became common. Bringing back something like that would be an improvement over having to deal with cookie banners per site.
In an international internet, how would any non-technical requirement get enforced? Legal is easy to skip. Just run the website by a subsidiary housed in a less regulated country.
Isn't that just an "in theory" though? In practice, a ton of sites have these cookie warnings because the EU mandated them. If a large enough legal body mandated that websites obey prescriptive privacy statements from their users, most legitimate sites probably would.
The same way GDPR is enforced. Given the cookie popups I'm seeing everywhere, it doesn't seem to be toothless.
Realistically, if the EU were to impose such a rule, then any ad company doing business in the EU would have to follow it. Thus, any web site deriving any significant revenue from EU advertisers would have to follow it. I'd strongly assume that it's not possible to effectively monetize EU eyeballs without EU advertisers. Of course, anything operated by a EU company or hosted in the EU would also be subject to these rules.
While some local US news would certainly take the "we block all traffic from the EU" approach to avoid dealing with it, the advertising and tracking landscape would quickly and drastically improve.
If now, for example, California would also decide to copy these rules, this would very quickly be the worldwide standard.
A much more naive version of this, the Do Not Track header, was removed from major browsers (partly) because it was actually being used for fingerprinting. I strongly suspect a less naive version would be subject to more abuse: as it gets more granular it becomes a fingerprint all on its own.
I understand that you’re suggesting pairing it with legal force, but I also highly doubt that would or could be effective in any kind of consistent way.
I think another reason Do Not Track failed is that advertisers (e.g. Google) didn't like it. Microsoft setting Do Not Track on by default in Internet Explorer was likely the death knell.
The on-by-default setting was technically a violation of the standard, which meant that participants felt they could ignore the setting for IE, which didn't help the initiative for sure.
The industry-led-initiatives are all basically bad, for the obvious reasons. So many of them amount to telling ad networks whether or not the massive amount of data they have collected about you should be part of the consideration for what ads to show (for now) — many offer no possible way to opt out of recording and storing such data in the first place.
This is a situation where legislation is probably the only answer.
>The on-by-default setting was technically a violation of the standard
A standard written for advertisers by advertisers. This is the problem. There are technical solutions, but the biggest advertiser (Google) makes the browser. This is the same as "the revolution will not be televised." The adversary controls the medium.
Attach it with legal force and money, as in allow users to sue for violations, and explicitly permit class actions with the definition of class (all people similarly situated; definition frequently abused by defendants) to be anyone with a browser.
Needs more work,, but the concept is that it needs to incentivize developers to develop track-the-tracker technologies that will catch violators, which then leads fairly directly to a profitable private suit (instead of relying on the overworked govt bureaus to do it).
For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.
And then you get Facebook spending millions of dollars taking out full-page ads in newspapers telling people that you are an evil demon who kicks puppies and hates small businesses.
(Ever notice that when Facebook wants to reach the most people, and the most important people, it uses newspapers, rather than its own platform?)
I guess that proves his point - Facebook itself admits how worthless their advertising platform is when it come to influencing important/powerful people.
One doesn't exclude the other. Facebook is incredibly valuable.
If they wanted to, Facebook could target directly 1:1 to decision makers on their platforms with their own data. It would probably be creepy though instead of just doing a blanket all of DC type promoted post.
Personally, I find that this [0] doesn't break many sites at all, but messes with cookies to an appreciable extent. Combine this to an extensive use of that [1] and clearing your cache and cookies every day, and I think you're in decent shape while some heavy and heavily lobbied government body inches towards doing something about it.
I went a step further and installed Temporary Containers. Unless the domain is a special one (and goes in a long-lived container), a new tab cannot share any content with other tabs. Whenever the tab is closed all site-related content is removed.
It's still a bit wonky because some sites do redirections, and it's not properly caught (unless there's some option I missed)
The next step is to disable _all_ cookies, even first-party, by default (unless I have a special relationship with the domain of course). It's working surprisingly well and I believe this should be the default.
I did this too. Another pain point I've found is when logging into websites with github or other oauth provider requires grouping that website in with the services perminent container.
You’re on the right track. Browser makers should be on the users side and websites should have to honour users preferences which are configured and sent to sites in the headers.
No one wants to be tracked though but they want the website to work. “All cookies” seem to play with that line. Don’t track me but allow website to work must be enforced on the client side. It’s what we do with uBlock origin and things in the like.
They are required to have a button to let you manage preferences, and are required to allow you to disable all cookies that aren't necessary for the site to function.
So, on any GDPR cookie banner I always click the smaller "manage" link instead of the "accept all" button. On the manage page, disable every option provided, then close the modal. I've never had a site that offered this kind of banner break in any way because of the disabled cookies.
You probably have had sites that either had no such options, or stuffed some tracking into required/legitimate interest/essential sections and tracked you anyway however.
This is more clicks, is often broken, and even if the button exist it may be tiny and hidden at the bottom of the list of all partners.
If I just clicked a link to a random article from search or social media, I'm not spending a full minute getting past the prompt on a website I'll probably never visit again. I'll click accept, and make sure my browser is loaded with all possible privacy extensions so none of it works.
> all cookies that aren't necessary for the site to function
You know what is necessary for a site to function? Revenue. Therefore advertising cookies are necessary for the site to function and we shouldn't need these banners.
Very clever, everyone else who didn't want to comply with the rules had the same thought.
However:
Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects [1]
Section 3.3, Paragraphs 51-53:
> 51. Online behavioural advertising, and associated tracking and profiling of data subjects, is often used to finance online services. WP29 has previously stated its view on such processing, stating
> > [contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example
> 52. As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract had not been performed because there were no behavioural ads.This is all the more supported by the fact that data subjects have the absolute right under Article 21 to object to processing of their data for direct marketing purposes
> 53. Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue.
That's great and all, but then they're blatantly violating the clearly written rules of GDPR.
I'm an American citizen, so I have no real recourse with that, but their European citizens can bring the case to a regulator and they could very well be fined.
That interpretation goes against the spirit, and the very plain letter of the GDPR regulations.
I mean, they rightly wouldn't accept the argument, because it's a poor argument given the protections that Europe has decided should exist for the privacy of individuals.
I happen to agree with the European values more than I agree with your values.
My data privacy should be a more important and more fundamental right than your ad revenue.
what about an even simpler mechanism - a website offers cookies to the browser, and the browser can choose to either store or not store that cookie. if the browser chooses not to store the cookie, it's up to the website to inform the user that their browser has rejected the cookie and explain what functionality won't be provided.
Would making all HTTP requests embed a header with a CCPA / GPDR claim be binding? It is as verifiable as any request through their form... its my original connection, so if they associate tracking data with me then they must associate this with me as well. Businesses should agree to my terms to make socket connections to me, else I should be able to see them in court. Proliferation is one way to end the modern shitty tracking madness.
> x-ccpa I do not consent to the sale or disclosure of my personal data and demand the deletion of my personal data per Californa CIV 1798.120, 1798.121, and 1798.105
At a basic level, you shouldn't have to declare that you haven't agreed to something. You have only agreed to it if you actually do something to agree to it. The only advantage this could possibly have is if the web sites stop asking you to agree if you tell them in advance that you won't. However, I can't see that it would be illegal for them to ask anyway, so they will.
Secondly, this is another thing that would be used to fingerprint the web browser.
We sometimes like to pretend that if a law is in force somewhere, it's in force everywhere, but that isn't the case. Otherwise, I'd be in serious trouble for saying I support Hong Kong independence. So you're creating these massively granular permissions and then passing some law, somewhere, saying they can't be used to fingerprint, but that's precisely what they will be used for everywhere the law isn't in force, which will likely be most of the world.
I said the same thing in a recent thread about cookies, and someone pointed out that there had been some kind of proposal along these lines, but it hadn't gotten any traction. I don't recall the name of it tho. (it wasn't Do Not Track, it was more complex, where cookies had some kind of "intent"/category associated with them).
eventually all sessions will have to operate like they are in a private window keeping the cookies permanently isolated to the host site visited and quarantine any third party cookies perhaps even find a means to spoof them.
in effect our browsers will need a db type tech to manage cookies and only serve them back when appropriate. a lot of what sites want to preserve for us; log in and such; can easily be done without cookies
Take a look at Global Privacy Control (GPC) which aims to do similar to what you’re describing, and is legally binding under CCPA and could be under GDPR too: https://globalprivacycontrol.org/
The most egregious violation I've seen is weather.com's cookie process. Go to https://weather.com/en-GB/ and click "Proceed with required cookies only". It's almost theatrical: first a spinning loading wheel, then the message "We are processing your request, this could take up to a few minutes to process." Then wait for their "Processing 0%" countdown take a few minutes to reach 100%. Anyone would think they are trying to discourage people from choosing that option?
Looking at the network requests when you hit that button it seems to be hitting a lot of tracking providers opt out API endpoints. Which is good I suppose, though better not to even include their scripts until you agree to it
There's another one of these things that's used on lots of sites, that takes three (3!) minutes, with no network requests or anything happening after the first couple of seconds. I forget the name of the company behind it, but it's a large one, one of the ones that sites proudly proclaim with a "protected by X" image.
It's beyond a dark pattern - it's plain fucking disgusting behaviour.
Still getting a unique finger print when I open a "private" browsing window. Might as well skip hard hats and use paper bags instead, the effectiveness is similar.
You'll be faced with 330+ individual agree/disagree toggles. THERE IS NO REJECT ALL BUTTON. If you're not technically inclined, you have to manually click them all.
You also have to choose block/remove consent (or whatever it is called) for similar crap hidden under the "Legitimate uses" category moniker. Same shit.
For this, and similar idiotic dark patters, there's a Firefox addon called "Unchecker".
Once the article got to opening the Dev Tools, I was surprised at the next approach: Copying the HTML into an editor, reformatting, copying into a C# project, setting up build rules for the copied HTML code, etc.
In this case I would always reach for typing a JavaScript oneliner into the dev console, using a couple of tricks:
1. Right click the element in the Inspector and choose "Copy" -> "CSS Selector".
2. Start typing the oneliner in the web dev console: Use [].slice.call(document.querySelectorAll("PASTED CSS SELECTOR")) to turn the elements into a JS array.
3. Use (...).map((o, i) => {...}).join("") to turn the JS array into a long formatted text string.
The result is the following, which took me a minute to type up and debug - from my perspective, a thousand times faster than firing up an IDE and setting up a new "project" to simply run a regex against some HTML.
{const rows = [].slice.call(document.querySelectorAll("li.vendor-item")).map((o, i) => {const idx = 1 + i; const name = o.querySelector(".vendor-title").textContent.trim(); const url = o.querySelector(".vendor-privacy-notice").href; return `|${idx}|${name}|[${url}](${url})|\n`}).join(""); `Listing As At 30 December 2020 08:10 GMT\n\n|-|Vendor| URL |\n|---|---|---|\n${rows}`}
Clever! It depends probably on the tech you are most comfortable with. I would probably copy to vscode and then use search & replace with regex there, or use multiline edit.
It isn't meaningless, it just means that users don't consent by default. That's the default state; permission should always be explicit.
Perhaps the header should be made to be easy to apply per domain, so websites can request tracking permissions, but in my opinion the necessity of the header is exactly the point of enabling it by default.
The header is simple: I do not want to be tracked. Do not track me. If you want to track me, ask me to disable the header so I can leave your website.
Honestly, I don't understand why this header wasn't mentioned in the ePrivacy directive the EU passed recently. There's a perfectly good way to communicate intent about tracking options to websites, and it's being blatantly ignored.
Honestly I think people accepted this claim too easily. First of all only one browser did that AFAIK. Second of all even if it were entirely opt in it’s another fingerprinting target and was actively being used for that. I really don’t think the people who would fingerprint DNT care one bit whether it’s an explicit statement of intent or not.
It didn't. Advertisers like to think that they have a moral right to track people unless explicitly told not to stalk people. In that framework, changing the default means that a DoNotTrack header doesn't necessarily show intent on the part of the user.
Instead, the appropriate framework is that advertisers do not have a moral right to track users unless the user has consented to it. By having the DoNotTrack header be on by default, it means that a user removing it shows consent to be tracked, where previously its absence could also have indicated that the user was unaware of the header.
The default has never changed from the point of view of the user. The default is "don't steal my data". DNT was just reflecting the reality of the situation: user not making a choice indicates they don't want you to steal their data.
> DNT was just reflecting the reality of the situation: user not making a choice indicates they don't want you to steal their data.
Advertisers don't need a header telling them what they should do by default. They can get that information from elsewhere. DNT was going to be a way to opt-out, and some advertisers promised to listen to that. Setting DNT without user action removes the "opt".
In the sense that browser vendors decided to put on a privacy protection facade by enabling a "privacy protection" flag that webshites can easily ignore. The earn kudos from users while websites can keep abusing said users. Win-win for greed.
Somewhat related: Just yesterday the EU ePrivacy regulation took the first hurdle in Brussels. This will most likely bring some changes to the whole consent drama.
I'm not good at reading legalese and there seems to be no commentary for the current version[1] yet. What I understand is that they "encourage" browsers to implement "whitelists" (their choice of word, not mine) as a solution to "end-users [..] overloaded with requests to provide consent". I'm not sure there is an update regarding first-party analytics cookies which some hoped will be there.
I really wish this law had forced websites to respect a toggle in the browser UI instead of being allowed to engage in all their dark pattern shenanigans.
The cookie policies and laws are broken. The ever-annoying cookie popups are breaking the internet in more ways than it fixes it. The choice to make each website show their own cookie selection screens is part of all this.
I am one of the few that (most of the time) actually takes the time to click "Reject all" whenever possible. Some websites are EXTREMELY shady when it comes to this though and hides their targeted advertisement and user-profile building into their "legitimate interests" section that IS NOT automatically turned off even if you "reject all". You have to manually go trough them and "object" to each and every one of them. Often no "object to all" button.
Imagine if sex used the same notion of "consent":
"Ok so you rejected having intercourse with me, but I have a 'legitimate interest' in fellatio that you didn't specifically say no to, so now you have to!". It is just terrible..
"Legitimate interest" is a broken term in those cookie forms. Legitimate to whom? Of course any company has a legitimate interest in making buckets of money.
Every browser should have a mandatory "cookie preferences" section where you can set your preferences for each of the typical use-cases for cookies.
Strictly functional cookies? OK. Targeted advertisement? NO. Tracking between websites? NO. Measure site performance? OK. etc.etc.
Whatever role the current cookie panes now fill, the browser should take over using some standard. The preferences could get sent directly over HTTP with the initial page-load and the server/site would have to comply or face extreme fines.
With the browser approach you could maintain your own allow/blocklist for site-specific settings. All this could be synchronized across your various devices.
Only then would we not be annoyed by those popups again.
It isn't the law that is broken, but rather the enforcement.
All the concerns you raise here are covered by the law. It's illegal for it to take longer to reject tracking than to allow it, which should ban all these web site that try to get you to scroll through several hundred options turning them all off. "Legitimate interest" means that the whatever data they want to process is a necessary step in order to do what the user has asked for - for instance, the web site has to be able to set a login token cookie when you log in, and that's allowed because you literally just asked to log in, and that's the only way the web site can do what you asked.
All these web site are illegally making the cookie experience dire. They are doing it so that they can:
1. Collect data from people who get fed up and click accept, people who accidentally click accept, etc.
2. Annoy everyone and make people think that the laws are broken, which increases the chances that the laws will be changed in the future.
Enforcement would help with this, but there's little sign of it happening.
There's various attempts to enforce the law, the problem is the legal system is pretty slow and it also relies on other websites actually conforming when the law is clarified by another being fined, and they really do not want to.
I would argue no, because the problem can be fixed without changing the laws, and I'm not convinced that it can be fixed by just changing the laws. People doing things that are illegal doesn't get fixed by making another law against it. So no, I don't think it means that in practice it is the same thing.
The concept of tracking as per the GDPR goes beyond cookies though. It includes any kind of personal data collection, and personal data refers to anything that can uniquely identify a person with reasonable certainty.
So cookies aren't the only thing that requires consent - things like browser fingerprinting and even collecting IP addresses for non-essential purposes (aka you can probably claim legitimate interest if you collect them for technical or fraud prevention reasons, but using that data for analytics or marketing would require consent).
This is also why I think clicking "accept all" on the cookie prompts with cookies disabled at the browser level isn't a good idea. You're still giving them permission to stalk you using other means than cookies, and they very well know that. At least use an ad-blocker which blocks the consent prompts completely - technically you never provided permission, so while they might still stalk you at least they don't have a legal basis for doing so.
The GDPR is less about the technical aspect of data collection and more about the intent behind said collection and the planned use for the collected data, something the browser can't really tell.
TL;DR: Thanks Europe for fixing something almost nobody cared about, by making the internet worse for everyone and by forcing society as a whole to spend money building terrible UIs.
And in the end, people still just Accept All because it's the fastest way to content.
It kind of seems like a second attempt to the do-not-track switch which was a failure. There must be strong backing in the laws for such feature to be meaningful otherwise nobody will respect it
Gods, but that sounds brilliant. Having a single toggle for non-essential cookies, even if it's on a site-by-site basis, would be a whole lot better than every website having it's own, different (and often highly dubious) way of handling things.
The cookie debacle has been going on for so long now, and is obviously not going away any time soon - surely there must have been draft RFCs or even W3C proposals along these lines at some point?
If a website had me jumping through too many hoops, I just don't bother. Many websites refuse to work without an egregious amount of third party JavaScript which makes it a pain in the ass to visit if you use uBlock Origin/uMatrix.
Let's be honest most of the websites that won't work without JavaScript aren't even really worth it. The content is usually garbage anyway.
(Warning: hyperbole) I feel like the consent notices are a form of torture. You might browse 10s or 100s of sites a day, and instead of being shown what you want, you're presented a consent notification with all kinds of cognitive processing needed to ensure you don't do something you didn't mean and to get at the information you wanted.
Maybe lockdown is making me cranky, but I'm getting really, really tired of the popups.
I came here for the comments but then went back and read the article. It's a deep dive into the cookie popup and all associated links, including 647 "partners" each with their own privacy policy. There are a lot of screenshots.
One thing I would like to see (and it shouldn't be too hard to code, using the example) would be a mirror of the entirety of text of all the privacy policies and everything else pasted back to back.
The screenshots and implication of having 647 privacy policies is bad enough, but I really want to see my scroll bar shrivel up and die.
It amazes me how bad the internet experience gets when using a VPN server in the EU.
I thought cookie popups were annoying, but I didn't realize how much more ubiquitous they are when you have an EU origin ip address. If you haven't tried it before, it's worth doing it just to see what those poor people put up with.
The neighbouring town publishes data on water quality, and you pity the poor souls because the data shoes their water quality is horrible. Thing is, you are using the same water source. If anything, your water is likely worse because there is no transparency and some of the pipes might be leaded and you wouldn't even know it.
Same with cookies. The internet is polluted with aggressive tracking everywhere. In the EU you see how horrible it is - in the rest of the world people aren't even half as aware.
That said, people either start using browser plugins or just click yes and sacrifice their soul to the gods of dark patterns. In either case you don't see those banners as frequently unless you use private browsing.
You seem to think that the cookie popups are doing something useful, but that's up for debate. Cookie popups could be making it worse by normalizing tracking and programming everyone for an "Accept all or get nothing" compliance culture.
Btw, some of my message was lost in your attempted analogy: If we both are drinking toxic water, then I feel bad that you have to additionally click through a legislator's theater of concern and sign through various permission-granted-to-poison-me slips while you drink from the same tap.
Part of it is lack of enforcement. The GDPR requires that rejecting tracking be as easy as accepting it. If there is an "Accept all" button, then there must also be a "Reject all" button. Furthermore, there can be no penalties for rejecting the tracking. So clicking the "Reject all" button may not bar the user from the site.
doesn't matter how long I need to scroll I always try to reject everything for every website that I know I will visit multiple times.
And I also use NoScript and uBlock Origin
But this is a prime example for a "dark pattern"
And also, if I can't reject most of the stuff I just close the site
What the author discovered here is the full list of publishers as given by the IAB consent framework [1], which is an attempt at self-regulation by the ad industry and website publishers.
Presenting the user with the full list of advertisers is indeed silly and not compliant IMHO. We also offer an open-source privacy & security tool for websites (Klaro! - https://github.com/kiprotect/klaro) and we have decided against implementing the IAB framework as it's clear that it does not conform to the intent of the GDPR. We also opted against using dark-patterns and making declining more difficult than accepting. Overall this results in slightly less opt-ins (around 50-70 % for most websites) but in any case those dark patterns will have to go sooner or later.
I love that the post doesn't answer the question in the title, just shows that its inconceivable that any layperson would be able to answer the question on their own.
Not trolling - I genuinely wanted to know what the article says. I tried to read it, and got through, I don't know, 5 or 10 screenfuls before giving up, my mind numb.
The article would be much improved with an opening paragraph that summarises the findings.
It would also be improved with formatting that clearly differentiates the article text from the extensive site text it quotes. That site text is designed to numb users and put them off reading. It worked for me.
It's not cookies though, despite the title. GDPR banners regulate sharing of personally identifiying data, which are a wider category, with things like browser fingerprints or IP addresses in it too.
1. First go to cookies and reject all cookies except the strictly necessary ones
2. Then go to “Legitimate interest” and then simply click “Object all”.
At my primary browser level -
3. In Firefox settings, choose “Block all cookies” (Hasn’t messed with my browsing experience, yet)
4. Periodically keep on deleting your browser cache and cookies. Don’t delete browsing history and saved logins.
I am currently looking for ways to minimize JavaScript usage. If anyone has any ideas, kindly proffer.
Caveat :- I am fully conscious that despite the painstaking activity of rejecting all cookies and objecting to all legitimate interest, I cannot rest easy that all websites I visit are scrupulous, cognizant and conscientious of my choice.
Also, I don’t get to option to reject and object on all websites, in which case I first check if there’s an archived snapshot on the Wayback Machine[1], or I simply forego reading the article altogether. For ex - www.BBC.co.uk, and even Reuters as mentioned in the OP’s post.
“Strictly Necessary Cookies” being defined as cookies that are necessary for a site to function always frustrates me. In what way does a news website need cookies in order to function? What exactly would break in showing news articles when I disallow all cookies to be stored in my browser?
I think a common example is any site that requires authentication will need to store some kind of session cookie in the browser. I suspect many news sites have subscriber accounts that you can log in with.
Many subscription news sites might consider the "how many free articles has this visitor viewed this month" to be a strictly necessary cookie, but that's just speculation on my part.
Safari used to make it easy to reject all cookies with an exception list. I wish this feature would return. They have also made it very difficult to access and manage cookies outside of Safari. Seems inconsistent with Apple's public stance on tracking.
IMO, cookie consent should not be a website's reponsibility. It should be built into the user agent, which should block all cookies/analytics by default and prompt for consent when first visiting a site. Of course, this would most likely break adtech so it won't happen.
That law/regulation would seem difficult for a court to uphold – e.g. a company being diligent and detailed in explaining its complicated policies, but getting dinged when someone is misled by their arbitrarily word-count-limited summary. But in any case, the example provided by the article does have a top summary [0] (it's the very prompt that the author investigates). And the individual line item settings are each summarized in a single sentence [1].
That said, the actual example summaries given seem to IMHO make a case for mandating specific and explicit language, akin the "Surgeon General's" warning text on cigarette packs, to accompany whatever euphemistic language companies continue to use. We're far enough into the Internet age to be pretty confident that the vast majority of people just do not and cannot comprehend that "We use cookies to improve the site, measure performance, understand our audience, enhance our experience and provide you with advertising based on your browsing activities" means actual tracking.
Not a summary, the whole legally binding thing. But I'd allow 280 characters.
It would be good to define some phrases in the law that then have unambiguous legal meaning so that privacy policies don't have to spend time defining things in full.
I like the open source license pattern. Anyone can make any agreement they want, but most of the time you just need to see "Apache" or "GPL" and you know the deal. And when you see a new one you wonder what exactly is going on here.
But really, most of the time the cookie deal is "do you agree to have all kinds of information gathered about you and sold at will to other companies, our future management, and mysterious government entities in perpetuity, in exchange for seeing a few cat pictures? oh, and also we can make this even more unfair at any time without your agreement." They really should just be illegal, period.
> Why not have a law that your policy must have a summary that is less than 140 characters long?
Not as explicit as 140 characters, but it's already covered the GDPR
From the preamble, paragraph 32:
> If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
From article 7, paragraph 2:
> 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
What strikes me as strange is the different levels of scrutiny the web gets vs. real life.
If we walk outside of our house then we're likely on camera, potentially with facial recognition. Cameras will track our cars' license plates. Cellular networks know where our phone is at all times. Our payment card networks and the stores we shop at gather data on what we buy. This is effectively public information because normal everyday citizens can just look around and see us and recognize us and what we're doing. I assume every action I take is probably observed and logged by someone. Those folks share the information with their business partners.
This has been going on since at least the 1980s to various extents; there isn't a way to opt out of participating in public spaces unless one is particularly wealthy, and then the risk is becoming a celebrity and losing even more privacy.
If anything, the web is slightly less intrusive despite occurring in public (I argue that the Internet is just as public as any real public space; we rely on third-parties to forward all our traffic. We use TLS if we want to hide the details of what we're doing). It's not technically us being tracked but our devices and we can wipe them, block javascript or cookies or network requests, etc. Maybe tracking is more effective for being fully automated and granular, but I'm not sure if that's worse from a privacy point of view.
I think collectively we need to decide whether we want more privacy or anonymity. Full anonymity is nearly impossible to achieve but would mean that no matter where we went or bought or did no one else would be the wiser. Presumably we'd only see shadowy hooded figures in public so that even we had no idea who they were. It sounds draconian in the other direction. Privacy, to me, is a polite fiction that we won't individually bother each other by using all the information we know about each other. For the most part this is already done in real life and the web. Companies don't wholesale dump/sell every piece of data they collect about us; they aggregate and categorize it. This is the middle ground of privacy where people mostly mind their own business but don't blind themselves to trends and patterns of behavior occurring in public.
Yes those are in breach of the regulation, and technically there are incentives - the maximum fines under GDPR can be quite large.
The problem is that it doesn't seem like the regulation gives the right to a wronged party to sue for those sums of money. You can sue (I guess technically you can sue for anything anyway) but this would involve proving some damages.
The only parties that can enforce the regulation (and levy the promised fines) are privacy regulators (such as the ICO in the UK, or the CNIL in France). Sadly, they've all demonstrated their incompetence and unwillingness to improve multiple times.
I've changed my web browsing habits quite drastically: I usually just click "Save preferences", as opposed to the "Accept all" default on the most common form of Cookie dialog which hopefully opts me out of most shenigans. On some sites, I used to accept their defaults even. For example, heise.de (respected German computer news) used to be among the latter group, but when I saw they're carrying Facebook videos/pixels I've stopped going there. I'm leaving many sites when their draconian tracking/Cookies seems not worth it so overall, I visit a lot less sites than I used to, and in particular I find myself ignoring the one-time content marketing sites/blogs often linked from HN submissions greeting me with heavy Cookie dialogs. So for me personally, Cookie dialogs work as expected I guess. But I've yet to see actual figures on surfing behavior post-GDPR published anywhere. And I'm entirely unsure if people across the pond or publishing from other non-EU locations are even aware.
I want to browse every dark corner of the web to discover useful facts and build my own ideas on subjects, not limit myself to the few most popular websites, driven by the wealthiest companies, that 90% of the people see.
Between cookie banners and GDPR forcing newspapers to ban European visitors, I have to go through more hoops in order to see what I want.
Just because you care about a website tracking you, that doesn't mean someone else cares.
Legislation shaping the internet in this way and forcing everyone to think in a certain way is an authoritarian behaviour that I don't tolerate.
I find the gdpr-popups themselves to be far worse than any ads I’ve ever encountered. I really don’t care that they profile my data, build models, try to trick me into spending as much money as possible etc. I’m like the meme dog in the house fire - This is fine!
I was using the skyscanner app to check some tickets the other day and there was blatant price manipulation(used another device from browser and vpn from halfway around the world to compare).
Then I tried to use the web page from yet another device from an anonymous chrome tab, the "minimal cookies for essential functionality would not go away. Europe. No declaration what that means anywhere, not sure how this is in harmony with gdpr laws. Infuriating.
For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.
Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.