Can we kill off anything that takes more than a second or two to 'not opt-in' as well?
It's obviously against the spirit of the law to have 200 different boxes that must be individually unticked, or the sort of nonsense that Oracle were pulling a while back (maybe still do) with the intentional delay spinner if you don't 'opt-in'.
That's actually what the new ePrivacy regulation is planning. It still hasn't been adopted, although it originally should have been in 2018.
To quote:
"Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors."
It's been a little while since I researched[1] this, but I'd recommend spending a little time to find out what the latest state-of-play is.
There was definitely a prior movement to push these cookie consent settings down to the browser (where I think they have the most chance of being respectful of the user and their consent choices) - but the situation changed later during subsequent ePrivacy regulation drafts.
Please voice your concerns with your MEP if you can - displays of support can and will change policy directions.
Finally! EU should have required browser vendors in the first place to handle the intent of the privacy regulation on GDPR, to avoid having this discussion...
A law requiring websites to honor 'do not track' header would be sufficient and require no big changes to internet protocols or browsers.
People say that DNT failed because it was selected by default - but no, it failed because compliance was voluntary. The EU principles require explicit opt-in confirmation, so a browser setting that's set to "not track" by default is a reasonable way to do it, it only needs enforcement to ensure that websites (in EU jurisdiction) treat the DNT header as binding instruction to not track that user.
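The "DNT as a binding instruction" idea from the post above, sketched as an added server-side example. This is not code from the thread or from any real site: the cookie names (sessionid, csrftoken, cart, tracking_consent) and the consent value "granted" are hypothetical, and the only real convention assumed is the DNT request header with value "1". The policy is: DNT wins over any stored consent, otherwise tracking needs an explicit opt-in, the default with neither signal is no tracking, and strictly-necessary cookies (the "shopping cart" kind the ePrivacy quote exempts) pass regardless.

```javascript
// Added example (not from the thread): treat DNT as binding, require explicit
// opt-in otherwise, and let only strictly-necessary cookies through without
// consent. Cookie names and the consent value are hypothetical.

// Cookies this hypothetical site considers strictly necessary: they carry no
// tracking and need no consent (session, CSRF token, shopping cart).
const ESSENTIAL_COOKIES = new Set(["sessionid", "csrftoken", "cart"]);

// Cookie recording an explicit opt-in; its absence means "no consent".
const CONSENT_COOKIE = "tracking_consent";

// Parse a Cookie request header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  if (!header) return jar;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Decide whether tracking cookies may be set for this request.
// Precedence: "DNT: 1" is binding and overrides any stored consent; without
// DNT, tracking is allowed only with an explicit opt-in; with neither signal
// the answer is "no" (opt-in by default, never opt-out).
function trackingAllowed(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  if (h["dnt"] === "1") return false;
  const jar = parseCookieHeader(h["cookie"]);
  return jar.get(CONSENT_COOKIE) === "granted";
}

// Given the Set-Cookie values a handler wants to emit, keep only those the
// policy permits: essential cookies always, everything else only when
// tracking is allowed for this request.
function filterSetCookies(setCookieValues, headers) {
  const allowed = trackingAllowed(headers);
  return setCookieValues.filter((sc) => {
    const name = sc.split("=")[0].trim();
    return ESSENTIAL_COOKIES.has(name) || allowed;
  });
}

// Constructed sample: the cookies a page handler would like to set.
const wanted = [
  "sessionid=abc123; Path=/; HttpOnly; Secure",
  "cart=item42; Path=/",
  "_ga=GA1.2.555; Path=/",          // analytics / tracking
  "adid=xyz; Domain=.ads.example",  // third-party advertising
];

// Run the three interesting cases and return what each request gets back.
function demo() {
  return {
    dntSet: filterSetCookies(wanted, { DNT: "1", Cookie: "tracking_consent=granted" }),
    optedIn: filterSetCookies(wanted, { Cookie: "tracking_consent=granted" }),
    noSignal: filterSetCookies(wanted, {}),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the precedence order is that a user who once clicked "accept" on a banner and later turned on DNT is still not tracked, and a first-time visitor with no signals at all is not tracked either; the only path to tracking is a positive opt-in with DNT absent.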
There are plenty of laws that would have been sufficient.
One of them would be to make browsers responsible for providing sensible defaults. And while the public perception might think the webpages are at fault, it was the browsers that were responsible for storing and broadcasting private data. Arguably without clear and informed consent.
Of course there are problems with requiring software to have sensible default settings, but I reckon most problems with any legislation are due to the fact that none of them address the fact that cookies are a perfectly private system (with the user in full control of their own data) provided browsers don't send this data with every request without permission.
Oh, so why didn't it happen that browser vendors and the W3C added some HTTP header to disallow tracking, and browsers presented users' options to manage their privacy, instead of these mandatory annoying popups?
I would define this as: if a site deliberately makes it any easier to "opt-in" than not, then a user giving up and just clicking the opt-in does not constitute freely giving consent, and any data gathered that way is not in compliance.
If the rule was applied literally and strictly, that would be even better.
Is consent given by agreeing to a huge banner that pops up anew every time you load the page?
Fine, you can do that, but then you have to pop up a huge "withdraw consent" banner every time a user that gave consent visits your site. Which you probably don't want, so you can't do the obnoxious opt-in banner either.
In practice, that would make any obnoxious way to ask for consent untenable, because you couldn't use it to annoy users into consenting (and staying in consenting state).
And I feel even that is giving publishers some leeway. Even if a button is theoretically as easy to hit as another button, if it's just a bit of underlined text vs a button with a solid and bright background, they'll still get most of their users "consenting".
(I'm wondering if they're teaching me to hit the de-emphasised button by default.)
It's even more amazing how regulators have been tolerating such blatant abuses instead of just grabbing the Alexa Top 1000, filtering for sites in their jurisdiction, and then going top-to-bottom slapping every violator with a fine.
Start from the top of the list every month, and slap any continued violator with 10x the previous fine. Go as far as time allows within the month.
I bet by the start of month 3, 90% of the sites would be compliant instead of 99% of them blatantly violating the rules.
Well, would you rather the site just not exist then? Because I'm pretty sure that most of these sites already aren't making much money. If you make it much much much harder for them to get money then they won't survive.
Users have a choice to use the website. Do you complain that a bar is violating your basic human rights if it has a camera in it? Should all bars with that be shut down? Same for shopping centers and everywhere else. If you don't like it then simply don't use the website. It's really not that difficult.
GDPR definitely applies to cameras in bars or shopping centers - in fact, much more of GDPR enforcement has been about issues such as those, the web world is not that important.
If a shopping center wanted to distribute surveillance camera data to 'trusted partners' for marketing research without informed consent of the customers, that would definitely be a GDPR violation, and there would not be a "if you don't like it then don't go to that supermarket" situation but "if your supermarket can't survive without that income, then tough luck".
The GDPR does apply to a camera in a bar. As long as it is used exclusively for security and the data is purged regularly, it can be claimed to be required.
Certainly the bar owner cannot distribute the videos without explicit consent. And yes, that can be problematic in many cases (for example, capturing faces of people at a concert).
Yes, I would. I would prefer that adtech as it is became unviable. People will come up with better schemes to pay for content online. Just showing ads without the ubiquitous targeting and tracking worked fine for television.
The harm that can and most likely will be done by under-regulated trade of people's intimate information is far greater than the harm of showing them ads. Targeted disinformation has already made a huge mess of US politics. Turning "personal computers", phones, and IoT junk into surveillance devices a la 1984 was either profoundly short-sighted and stupid or a very clever attack on individual liberty and agency, depending on the intent of each actor involved. To the extent that knowledge is power, people are being tricked into giving up far too much. I say tricked because of what isn't immediately obvious when transacting with some tracking system on an otherwise free website:
When you give up a small piece of seemingly insignificant data about yourself a million times per year, the aggregate is wildly more significant than the sum of those pieces. When you and everyone you know give up the aggregate of each person's aggregate information, again, its value is compounded. Finally, since no one has any insight into nor control over where their data ends up or how it's used down the road, the danger of sharing is even less evident.
Good can and does come from transparency, but this is one-way transparency. It's top-down and is begging for abuse. If we had a truly voter-representative government, it would have already created laws to mitigate the easy-to-anticipate problems that arise from massive accumulations of personal information, and we would no doubt have a better, if less profitable, WWW as a result.
And while we're at it, let's forbid putting a cookie in your browser that says you opted-out as the opt-out mechanism. It's so stupid. I specifically said I didn't want any of your cookies on my machine, and now to not get your cookies, I have to accept a cookie. Nope, just blocking all cookies instead. If that makes your site not work, I'll just tell my friends your site is broken instead of sending them links to it.
I'd base it on clicks and not time. You shouldn't need to do more than 2 clicks, and any usage of the site during that process shouldn't be deemed implicit consent.
Both are necessary. Otherwise, you get the 'opt-in = site loads immediately, opt-out = site takes >1 minute to load' scenario and everyone opts in anyway.