Somewhat ironically a consent wall is exactly what TechCrunch presents to an EU visitor the first time, and there's no opting out; the only way to get past the consent dialog is to consent.
I know this especially well because I automatically clear all browsing data each time I close my browser, and techcrunch.com is one of the domains I avoid on HN because of the more annoying "welcome" on any page. (edit: +n)
Oh, but you can opt out. You first need to click the other button. Then again. Then you get the list of hundreds of “partners”, for each of which you have to manually figure out how to opt out.
And then, in the end, you undo all your hard work opting out of hundreds of services by having to press the accept button anyway. :-D
/edit: Heh, yea. It’s not just “hundreds”. It is _way more than 1000_ “partners”. Insane.
What if there was a service that would automatically email their legal team to withdraw your consent after you close the tab? Like every single time you just click OK and then afterwards they'll have to manually adhere to your request and delete the data again. That would make bad consent UI incredibly expensive :)
A better solution is websites actually accepting the “do not track” requests that browsers already send. Unfortunately the most popular web browser is run by the most popular tracking company, who also almost wholly funds the second most popular browser.
The solution is to send a message by avoiding those sites thus creating a disincentive for them to maintain the practices. But as you can see from the number of upvotes even very technically literate people will get over this just for an interesting title.
Techcrunch routinely ends up on the front page on HN, ironically many times for articles that condemn the very practices they engage in. No website will change their practices because of strong, informed opinions when the clicks still come in, especially from a distinguished community like HN that just validates Techcrunch's choices.
Well, GDPR and CCPA compliance cost something. That could be made simpler using this option.
Also, Ad Blockers are becoming quite prevalent again. Personally, I’ve started using one again for privacy reasons. If a publisher would actually respect my Do Not Track request, I’d happily leave their ads up. I have no problem with contextual advertising.
The problem here is that there’s a prisoner’s dilemma among websites that rely on ad revenue. If only a few websites decide to become fully GDPR compliant, then those websites see all of their ad revenue disappear and go out of business. If, on the other hand, every website properly implements the GDPR requirements then the tracking based ad model disappears and we’re back to the pre-tracking world of ads.
The problem is: how do you get everyone to cooperate at the same time when the incentive for cheating is that your website gets all the revenue?
This dilemma is just one of many in modern society and all are aspects of Moloch [1]. Ultimately we’d like to kill Moloch but that seems very difficult right now.
> The problem is: how do you get everyone to cooperate at the same time when the incentive for cheating is that your website gets all the revenue?
By cutting to the source and making targeted internet advertisements illegal, full stop, with business-wrecking, revenue-scaled fines implemented for both offending websites and offending ad companies.
don't fine businesses, just require a certain proportion of shares be handed over. if the offence is bad enough, the government gets a majority stake and can force change. if it's not, the prior owners lose income and influence on an ongoing basis, since their 10% share is now 9%.
Enforcement of laws is generally the standard solution to "how do you get everyone to cooperate at the same time when the incentive for cheating is that your website gets all the revenue". Compliance should not be voluntary - if cheaters get identified and punished, the coordination dilemma goes away.
They can’t until advertisers agree to it. Today, that means walking away from the big networks and finding your own advertisers to sign for one-off deals. Some sites do it (slatestarcodex is one) but it’s hard work.
In central Europe it is illegal to film the public space in front of your billboard without special permit. Billboards that don't film the space in front of them are still pretty common.
An effective ad on a popular website could be a single jpg hosted on the same webserver as that website itself. You wouldn't need any Cookie banner for that.
But ohh, that isn't enough. No, they want to be able to show your users content you didn't explicitly approve and run code on your users' computers you cannot verify.
If you had a lemonade stand would you let some company film your customers faces? Probably not.
The GDPR law just makes sure you ask them before you do it.
I believe they still need to allow you to withdraw consent if they want to comply with GDPR.
So maybe it'll be fax instead of email. Or a weekly letter with a list of all the IPs that have revoked consent? I'm pretty sure this could be done very cost effectively if it's many users and only a small pool of bad UI offenders.
Exactly. These dark patterns tell me more about the corp behind a site than any regular well-designed cookie popup could. One quick look at these, and I navigate away. Haven't visited TC for a long time... just not worth it.
Another dark pattern you see more often these days is sites having a - seemingly very good - "Reject all" choice. But when you click/tap that, both "Reject all" and the default "Accept all" are now highlighted, making the result of pressing "Continue" unclear.
They also redirect you from TC to guce_advertising_com/collectIdentifiers...
If you have uMatrix installed you need to add bypass lists for that... I won't.
At some point I just stopped reading sites that make it too hard to opt out. Though I would really like to have a browser that automatically opens links to such sites in incognito mode, accepts the popup for me, and makes sure everything is thoroughly deleted afterward.
If you block the domain in umatrix it basically does that.
For instance techcrunch redirects me to some "guce.advertising.com" url and umatrix blocks it https://imgur.com/bxGAbiH
Oh, that's too much work. I've been using Cookie AutoDelete for Firefox and I've set it to clear all non-whitelisted cookies a couple of hours after last visit. This way I have to click once if I visit a couple of times a day.
I use Vanilla Cookie for Chrome (it deletes all non-whitelisted cookies after some time or after closing the browser), and have been thinking about making a browser extension that just hides all fixed elements and transparent full size elements. The reason for me thinking this is that nowadays I just accept almost everything, and trust Vanilla Cookie to clean up afterwards. What do you think about this?
The first bookmark on my bookmark bar is "Kill floater", and it removes most floating elements on the page. It even works on many sites that hide the page behind a popup. Use it on my iPad all the time.
I cleaned up and improved this a little. Now it hides the fixed elements, unless their computed top is at 0px. Also makes the body scroll automatically, as many sites set their body to fixed before the fixed popup is gone:
```
javascript:(function () {
  var i, elements = document.querySelectorAll('body *');
  var style;
  // Re-enable scrolling on the body; many sites lock it while the popup is shown.
  // (The CSS property is overflowY in JS; "overflow-y" is not a valid identifier.)
  document.body.style.overflowY = 'auto';
  for (i = 0; i < elements.length; i++) {
    style = getComputedStyle(elements[i]);
    // Hide fixed-position elements unless they sit at the very top (e.g. a nav bar).
    if (style.position === 'fixed' && style.top !== '0px') {
      elements[i].style.display = 'none';
    }
  }
})();
```
The Chrome and Firefox extension I made, https://baitblock.app, has a feature called tracking resistance. It automatically deletes cookies on websites that you are not logged into.
Logins are a common enough use case that browsers should simply support it directly, and drop support for cookies entirely.
There's no reason we can't have sites set an auth token, and send that in under the Authorization header. And then when you want to sign out of a website, you can have a button for that in the browser. The tooling already exists in the HTTP standard, it's just that it's only widely used for server-server communication.
Bingo. "Auth Token" simply becomes "Session ID", and the backend then tracks anything it wants as part of the session.
I don't see much of a solution other than making it a matter of policy, e.g. Microsoft's "P3P" header. Otherwise authentication credentials need to be supplied with every request. Not a session id or token as a cookie, but the actual username and password being supplied with every request. Basically the old HTTP basic auth, but with a more modern system to replace it.
I understand the core idea behind the EU's desire, but the fact is that cookies are absolutely required for login sessions, and it's impossible to allow users to opt out. The EU doesn't understand the tech behind the laws they are trying to enforce, and this is where it leads to. Absurdity.
Yes. However, there are some upsides: having an auth token which from the perspective of the browser is limited to auth, makes it more explicit when the browser is passing an auth token to the site: if the browser shows a "Log out" button, then you're providing that auth token--if you didn't log in to a website and suddenly you have the option to log out, that's very obviously weird. Of the perhaps 10 sites I visit on a regular basis, I only even have logins for 3 (email, Reddit, HN) so other sites would be slightly hampered in tracking me.
That requires separate opt-in consent according to GDPR.
GDPR is absolutely not about cookies, it's not about having private information but about uses of it. You may have a legitimate need to collect some data - that auth token for login purposes, the customer's address for delivery, etc. That's fine, it allows you to collect and use that data for that purpose. But it does not mean that you're automatically allowed to use that login token or delivery address you have on your servers for other purposes such as selling or giving it to third party advertisers.
The consent is invalid if it is harder to reject consent than give it. Another thing: the consent must be opt in. What they are offering is opt out. I will post recitals when I get home; searching on a phone is annoying.
Anyway, I boycott TC since they started their war on users.
Prequel, website owners, android developers,... PLEASE, please, check this video. You will more or less understand everything you need to know about GDPR.
I think that someone is earning large bucks to trick different websites into believing that they can avoid GDPR by simple tricks, while on the other side owners are just too lazy to read simple interpretations made by the Article 29 Data Protection Working Party (no, it does not matter what your lawyer thinks if it contradicts recitals). I would call it a scam, but I think that some enlightenment must be pushed in place:
"Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject, prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice."
(page 21):
"Article 7(3) of the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easy as giving consent and at any given time. The GDPR does not say that giving and withdrawing consent must always be done through the same action. However, when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily."
is this “equally easy” criterion met by a site that says “hi! we don't know each other yet, but you can't proceed until you've either pressed the 'accept' button or found the 'manage options' link, worked evert oh good you're bored now thanks for clicking”
and then never shows it again, so i don't really know where i would go to manage consent.
i don't see why companies can't just behave like decent human beings. why do they want me to not trust them?
Consent needs to be explicit or there's no consent. Otherwise, we'd be back in the days of putting a message on the site saying "by using our website you accept our ToS and need to give us your firstborn child".
I live in the USA, the country of caveat emptor and 'who cares about citizens, anyway?'.
If I was a European citizen, then I believe by default I did not allow anything. They would be in abeyance of the GDPR if they were to track or identify me.
If I can jam up even a bit of tracking with a PiHole, uBlock Origin, Privacy Badger, Bypass Paywalls Clean, Containers, and more, good on me. I'm already inexorably tied to Google at the moment, and working to remove myself from their ties.
I'd love to see a blog post enumerating all the dark pattern design in all the GDPR and CCPA cookie opt-out. It could be a case study in user-hostile design.
First you see the warning banner that has the large prominent "CONTINUE (i consent)" CTA button with a tiny "options" link somewhere below.
If you catch that "options" is code for "I don't want to consent", you're then brought to a wall of legalese that you need to scroll to the bottom of to find the double-negative-ambiguous toggle labelled "Do not sell my privacy data". So you need to enable it to disable tracking. I think. But even so, it's a toggle UI instead of a checkbox, so you're not quite sure what state means what.
There's one particular provider of these consent forms out there that a lot of sites use... I'm sure their marketing materials say "our world-class designers have identified the best and most clear user-design principles, which we have inverted to minimize your opt-out conversion rate!"
The key part is that it's defined based on the intent and outcome. The company has to demonstrate that each user made an intentional, fully informed, freely given opt-in choice - that they knew what they agreed to and wanted to agree. If users did not intentionally want to opt in to you doing X with their data, then you don't have a valid legal basis for processing no matter what they clicked, since whatever system you built apparently did not truly capture what the user wanted.
If a site wants to use data in ways that need consent (by the way, most reasonable uses don't need consent because 'legitimate need' applies - it's pretty much only things like "use all your private data for targeted advertising" and "share your private data with these 1000 trusted partners" that need consent) then it's the burden of the site to ensure that the options are presented in a clear, nonconfusing way, that users get fully informed, etc, and demonstrate to the data protection agency that whatever they implemented achieves these goals.
"Just highlighting the ‘no consent button’ after a massive set of options" most likely is not effective to that goal, and a data protection agency can easily verify that (run a study with 10 new users signing up for the site and fill out a questionnaire of what they wanted to consent to), so it should invite administrative action from the DPAs, with mandates to change the system and/or fines depending on the circumstances. It's just that they're not really bothering with random websites (yet?) since the majority of their work is on how all the EU non-web businesses (e.g. retailer loyalty programs, phone providers, banks, etc) handle private data.
> The company has to demonstrate that each user made an intentional, fully informed, freely given opt-in choice
How is this even possible without setting up a video meeting where a consent officer interviews you and quizzes you to make sure you understood your rights and what you were consenting to?
This seems like an exceedingly onerous thing to demonstrate.
By giving them a dialog that clearly describes what they are opting in to, with a clear "I do not agree" button, that does not degrade the user's use of the website. What you should do to comply is literally in the guidance; both the old guidance and the newly published guidance.
The EU does not act like the US - if there's a piece of law, there is guidance on how to comply with that law. You follow it and you're safe, until someone publishes updated guidance.
A number of companies are betting that doing something short of what the guidance recommends will still result in a compliant website. They are in a situation where, if they attract the attention of a regulating body, they may be fined.
> By giving them a dialog that clearly describes what they are opting in to, with a clear "I do not agree" button, that does not degrade the user's use of the website.
And what if your cat walks across the keyboard and accidentally consents, but you never even realized it? Should there be a consent banner across the top at all times? Or what if you are drunk when you are surfing the web and didn't understand your rights when you accidentally consented (drunk people can't consent - the website raped your privacy)?
Then, assuming that you can evidence that you followed the guidance, and you implement the rest of the GDPR, which gives the person in question a mechanism to revoke their consent, you're pretty much definitely fine. You realise that we're not out on a witch hunt here, right?
If a user complains, the data protection agency will evaluate your process and evidence. As you say in another comment, "Here are the logs, here is the dialogue they were shown." - that's it, if you're compliant, that's all you need to do. But you need to be able to make a convincing case that the dialogue is reasonable, fits the criteria ("the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language") and the choices a reasonable person would make on that dialogue would reflect their intent.
But this discussion is full of examples of "consent" dialogues that clearly are made to trick users into making a different choice than what they want. In such cases showing the logs and dialogues would demonstrate that a valid consent was not obtained.
It's not a novel thing - for example, I recall that many years ago website opt-in patterns were being reviewed in the Ryanair case, where the consumer rights agencies analyzed their website order process in which a bunch of 'dark patterns' were used so that people accidentally "opted in" to things they did not want. There's an administrative process that determines whether your process is honest or tries to cheat users into "agreeing" to things they don't intend to agree to. In the latter case, you'll be forced to change how your stuff works.
if there's a process, why are dark patterns so prevalent? i might have seen a clear and straightforward choice once or twice; usually, it is hard to find the reject flow and hard to understand whether i am correctly triggering it.
i am sure there are many databases out there in which i am marked as having consented, although i did no such thing. the standard is to make it hard to express your desire to opt out despite the rules requiring entirely the opposite.
Mostly because enforcement has not gotten to them yet - lots of the really bad examples are from non-EU companies, and the priority of the enforcement has been mostly with local businesses, and most of that for all kinds of privacy issues with more real world impact.
E.g. at the launch of GDPR a local major supermarket chain tried to use a bunch of dark patterns for their loyalty card program (mostly offline) process so as to continue their tracking, they were forced to change last year. It's clear that issues like that have a much larger impact on privacy of people than some foreign news website, and that's prioritized accordingly.
For the major multinational social networks, the delays are (intentionally?) caused by the lack of capacity in the Ireland data protection agency, as many of these multinationals have their EU HQ in Ireland because of tax purposes, so all their cases are being handled there and that means that enforcement for them is going to take a long time. But if I look at random local websites today and compare it to what was happening a year ago, the dark patterns are not prevalent anymore. They appear occasionally, but they're really rare now locally.
You make it obvious and unambiguous so that if you argue your case in front of a judge they will agree with you. Same way as you demonstrate a paper consent form is valid.
If it was accidental (as in the form was clear, but my cat pressed the wrong button), then the user just needs to ask the company to remove the consent.
If the company refuse, or if the user claims he was tricked into agreeing, then there is cause for further investigation.
And it's not going to be a judge from the start, but whatever organism is charged with compliance.
Then, if they have a case, a judge gets involved.
I was on a mainstream site yesterday (can't recall now which); it had a cookie dialog with no options checked, and an "accept and go to site" button, so I assumed it meant "accept the above settings". Nope, it fills in all the unchecked options, then "accepts" those settings and goes to the site. It was so incredibly devious I was almost impressed as I immediately closed the tab.
It will likely be up to the courts to interpret around the edges, such as "can the modal have everything turned on by default?" That said, at a baseline it means that if you didn't click a "consent" button or some equivalent action, they can't assume they have your consent.
There's a lot of detail, but the most important part is this: "...inactivity should not therefore constitute consent."
While I'm not sure there's an EU-wide ruling, the Greek DPA has specifically called out the "Consent" option being more visually prominent than the "Not Consent" option. They also mention the anti-pattern of bugging for consent daily but not bugging for un-consent afterwards, but that probably runs more afoul of "consent must be as easy to withdraw as to give" rather than "freely given."
TechCrunch works without JavaScript, which is quite nice of them though. Compare it to some others, where the content is literally loaded after consent, using JS.
Clearly the matter isn't simply presenting the ad. The issue is being able to trace and identify the user. Sites will put walls that identify blockers which when passed through by declining will still display ads! Showing the ad isn't nearly as important as tracking who is looking at them.
Typically, disabling JS (e.g. with NoScript) prevents most of the annoying dialogs like this. Also it helps with some paywalls. Of course, it adds a bunch of other annoyances with websites which won't work properly without JS (that is, most of them).
Yes, restricting access when users do not consent to data collection is generally illegal. There are exceptions, like in the case of fraud detection, but restricting access to this article is not justified.
Companies like Verizon can get away with this abuse because we're all too lazy to report them in an instant.
Verizon has offices in the United Kingdom, Ireland, Belgium and the Czech Republic, but you can also use the online form of your country to report them in the EU.
File a complaint against Verizon and TechCrunch here:
> Yes, restricting access when users do not consent to data collection is generally illegal.
So, if sites can't provide users with anything in return for consenting, doesn't that make consenting not a valid contract? Or does the EU not require a contract to have an exchange of value?
Not any data, personal data. You can't collect personal data unless it is necessary to the service you want to offer, and only after the user gave their consent.
Do EU laws apply when the target user base of a website is non-EU customers? e.g. if Verizon Wireless only operates in the US, do they have to comply with EU laws despite them not attempting to localize content for EU users (aka they get shown what US users get shown)?
However, EU GDPR legislation permits the EU to do whatever it can to go after noncompliant sites in any jurisdiction. The legislation also requires all new trade agreements between the EU and other countries to be GDPR-compliant. The legislation permits them to go after "noncompliant" sites for 4% of worldwide revenue. So it's quite brutally extraterritorial by design.
The interpretation of the regulation does not require large fines for small infractions by non-EU-focused sites, and indeed the regulators presently work to be eminently reasonable about such things, but the lines are fuzzy and the interpretation could change without further legislation — and even if you could defend yourself against such a case, it may be ruinous anyway.
The GDPR applies to personal data of all EU citizens and permanent residents. Even a tourist in the US who browses a website which is only available in the US.
But if the company has no offices, bank accounts or other business presence in the EU, there is no practical way to enforce it.
Yes, it's also against the rules to auto select all of the trackers as accepted but many sites still do this. By default everything should be deselected and you need to accept all of them to allow tracking.
I've found that sites are slowly changing over to this method but it will probably take a big court case for the likes of TechCrunch to change.
> I thought that sites must give you the option to not provide consent and still visit the site.
What the heck? That seems a bit overbearing.
It's my server. Don't agree to my rules? GTFO. Why should you have the right to ignore my rules and still use my server? That's like having your cake and eating it too.
"Thanks, I don't consent to your monetization scheme but I'll go ahead and use your bandwidth for free."
The right to not be tracked if you don't want to is (now) a fundamental legal right that overrides any rules you can implement.
It's not that they don't consent to your monetization scheme, it's that a monetization scheme that involves tracking people who don't really want to be tracked is illegal as such; you can't have one. You can deny access to whoever you want, but the key point is that if you "threatened" them with denial of service if they don't accept, then that does not really indicate that they wanted you to use their data, does it?
You can't say "oh but I gave them some goodies to influence them to click 'Accept'" - nope, if they don't really want to be tracked, then you aren't allowed to do so, the consent is not something that people can trade away in a contract for some content, server time, money, lentil soup or whatever.
Ok, then EU shall not have a free option on any of my services. Pay or GTFO. Harms the poor, IMO, but at least the poor's privacy will be protected from ad companies.
Everyone's privacy will be protected - the same consent restrictions will also apply to your paid customers. Free webservices are not the majority of the world's businesses, a big part of why GDPR was needed is because all the paid online and offline services also traded all their subscriber private data; and with GDPR you can't just have a line in your paid service terms&conditions that allows you to screw their privacy.
Yes, I understand that. However, do you acknowledge that current monetization methods for "free tiers" of services generally involve cookies/tracking? If so, you also acknowledge said free tiers must go away if the service is to operate in EU, correct? If so, wouldn't you agree the EU poor will have access to fewer online services than their USA peers?
> do you acknowledge that current monetization methods for "free tiers" of services generally involve cookies/tracking?
I guess it depends whether you consider free plans to be a loss leader for the paid plans.
If you don't want to operate a free service that is without tracking, then don't. No-one is forcing you to, but you should be aware that you still need to follow the law for paying users too.
> It's my server. Don't agree to my rules? GTFO. Why should you have the right to ignore my rules and still use my server? That's like having your cake and eating it too.
It's European society. Don't agree to its rules? Don't try to monetize European citizens. Why should you have the right to ignore their rules and sell their personal information? That's like having your cake and eating it too.
Privacy is considered a basic right in the EU, so no, you cannot operate monetisation schemes that violate it. It would be like having a 'by entering our restaurant you are agreeing to our reduced-hygiene policy' sign at the door. If a business cannot survive with clean hands, then it should not.
Your point definitely makes a lot of sense, but there are many of us who believe that we should be able to make our own decision to give up certain types of privacy in exchange for something of value.
Everything involves some level of risk/reward. Should I not be allowed to skydive because of the increased risk of death? Generally, I think my rights end where others’ rights begin, so I fail to see how sharing or withholding my personal information affects anyone else.
> we should be able to make our own decision to give up certain types of privacy in exchange for something of value
This is what these laws are all about.
People volunteer personal information because they believe the website will use it with their best interests in mind. There is a well-defined goal and achieving it is the only reason the website even has access to such data. For example, people give their home address to an online store so they can ship orders. Selling this data to marketers so they can spam the consumer's mailbox with advertisements is outside the scope of that goal.
Websites should collect only what's strictly necessary for them to do whatever it is that they do. They should use this data only for this purpose and ideally delete it afterwards.
I do agree with you that you should be able to freely exchange your privacy as you see fit. But the difficulty, as I see it, lies in determining whether the exchange is truly free or coerced by some means. The GDPR takes a strong stance on this (that consent is only freely given if withholding it would have no drawbacks) and it does have false negatives, i.e. situations where the exchange was fair but prevented.
However, there are two reasons why I think this is still reasonable (with 1. being more important):
1. The reality of the current situation is that invasions of privacy come bundled with other services, which you are pressured to use due to external factors. So I believe that the vast majority of cases are modelled well.
2. I see privacy as similar to herd immunity, in that society benefits if lots of people have it, even if the individual does not profit from it directly. (In particular, it may prevent certain kinds of power from accumulating or centralising.) In these kinds of situations it can be necessary to restrict individual rights to achieve optimality.
"Ok, then EU shall not have a free option on any of my services. Pay or GTFO. Harms the poor, IMO, but at least the poor's privacy will be protected from ad companies."
Sure. Just like I didn't click on the techcrunch link above, I'm sure I'll live without your server as well :)
There won't be many sites you will be able to click on, nor services. No more free email, no more free news, no more free chat forums. Your web will be a lonely place with a very small number of sites you're able to visit without paying.
Great, this is exactly how capitalism should work. You don't like the rules, don't use my service. If I want you to use my service, I'll change the rules.
Yeah, I agree with you. If people don’t like that a site uses cookies, then don’t visit it and maybe it will naturally go out of business. They shouldn’t be forced to still provide content.
Or not. Personally I have no problem with cookies. Maybe they will just lose traffic from a small fraction of HN users instead of going out of business.
It’s kind of like paywalls. I get annoyed whenever I visit a news website and a paywall pops up, but I just leave the site unless I’m interested in subscribing. If enough people leave instead of paying (i.e. providing something of value in exchange for accessing interesting content), then the publication goes out of business.
The GDPR limits your rights insofar. You may find that "overbearing", I find it okay. Your rights end where my rights begin. Where the line is, is debatable, of course.
Remember that the law came only because web site owners took things way too far. Pendulums swing both ways.
Well in that case I disagree where EU has drawn the line, so I'll just not serve EU customers (or if I do, it will not have a free option, only a pay option) and we'll both have all of our rights.
It is easy to determine if a user has consented. But if you go out of your way to mix “I consented” and “I want this box to stop annoying me as quickly as possible” into one bucket, the fact that you have trouble separating them is a problem you created.
Yeah, some other comments made that point more clearly. I think I understand better (it seems to be similar to anti-prostitution laws, where it is illegal to trade something you can give for free)
It does seem to lead to some strange loopholes though, like requiring an account for access.
> It does seem to lead to some strange loopholes though, like requiring an account for access.
That's false.
Requiring an account or even payment for access does not replace or imply consent of any kind, and all rules still apply even if the user is still logged in or paying.
In fact, it's probably more complicated for logged-in users since you have to comply with requirements of data-scrubbing, removing/anonymising logins/emails/passwords from your database upon request, etc.
Let's say I have a club. You have to do certain things to gain membership to my club; if you don't do those things, you can't get in. How is that any different? The club should be able to set the rules as it deems fit.
> The club should be able to set the rules as it deems fit.
That's only true under ideological assumptions that are far from universal. I think most people would be OK with society putting reasonably-justified restrictions on the kinds of rules the club can set.
Sure, I'm not a psychopath, I understand the usefulness of laws. I just don't think the restriction in question is reasonable. To me, it seems like a choice an individual should make for themselves: access or data?
It may be optional but it seems to be the standard rather than the exception.
I just don't see people really caring about their privacy. When given the choice between convenience and privacy people generally choose convenience. As someone who doesn't have a dog in this fight, I just end up annoyed.
Just because something is a standard doesn't mean it's right. It also doesn't mean the law shouldn't discourage it.
And just because people don't care doesn't mean a company is automatically allowed to track people.
If the law were followed by the letter and companies weren't using dark patterns or ambiguous marketing-speak to convince people to allow cookies, only people with pro-tracking stances would allow it.
My point was about meeting requirements to gain access. Not about following the law. However, would it be against the law to have a club that is only open to ex-cons?
I understand that the GDPR makes it illegal to make it necessary to consent to give up your data before gaining entry. I was just questioning that portion of the law. It would be a pointless conversation to question points of a law and have someone respond back "but that is the law".
> However, would it be against the law to have a club that is only open to ex-cons?
Actually, in some countries, outside narrow restricted cases like support groups, yes; criminal record is a protected class in some cases.
However, being an ex-con isn't illegal. Having a club where you required members to consent to a crime being committed against them, which is more analogous here, wouldn't be legal.
The law in question is the GDPR. I’m not sure what your point is. If you change the law to allow people to choose to consent or not see content then it is no longer illegal. If we can’t have that discussion because it is currently illegal then I guess it’s pointless.
I mean, that change _could_ be made, but why on earth _would_ it be made? It would largely defeat this portion of the GDPR. Who actually wants that change beyond advertising companies?
Why would it not be made? Each person has agency in the decision to share their data. If it is indeed _my_ data then _I_ should be able to choose to sell it or move on. Forcing a company's hand, I predict, will just move more content behind a paywall, decrease access to legitimate information and further fringe conspiracies.
But this thing where big sites say "data or else" isn't a proper negotiation. It's a contract of adhesion, and those get regulated for good reason.
If things get moved behind expensive paywalls, that's a shame. But if there is more truly free access, or content behind paywalls that charge as much as an ad is worth, that can be a net benefit.
I may be mistaken, but I think it falls under some sort of discrimination ruling? I.e.: you can't discriminate against those users who don't want to give consent.
That seems like a weird choice. I mean, it makes sense to ban discrimination based on traits that people have no control of (e.g. all the protected classes in the US), but a refusal of consent is a behavior choice, not an unavoidable trait.
So all regulations are necessary because it keeps corporations in check? I guess that means there is no room for bad regulations with that tautological definition.
That’s not what I said. There’s good and bad regulation. Things aren’t black and white; a truly free market with no government intervention at all will harm consumers, and governments with a hand in everything will harm consumers too.
"All regulation against corporations limits the corporation’s rights, but it’s necessary as it keeps them in check."
Your original statement made it sound as if you were saying all regulation is justified. Thanks for the primer on free-market/regulatory trade-offs though I never realized there was room for nuance.
But we've built a world where a large fraction of the population has [apparently] willingly traded their privacy for free product. I completely support making this trade transparent, so people can make an explicit choice, but what's the justification in making it one-sided and requiring companies to provide their service for free?
But is there any company that survives solely by collecting and trafficking personal data? Facebook and Google don't count, they make money selling ads.
If there is such a company I'm completely ok with them not being viable anymore.
I guess we'll find out if they really are willing, given a proper choice, and not just forced to click "accept" like in some perverse Skinner box.
I don't know where all the misinformation comes from, but companies don't need to provide their services for free. They can still show ads - just untargeted ones. Or is ads = tracking nowadays?
They can even show ads that are related to the content on the web page! Are you on a page that is about breeds of dogs you might want to adopt? Why not buy a Halti collar, and a package of dog training sessions, and donate to the RSPCA?
This is what Google's advertising product started out as, basically automated magazine advertising at scale; it turned into this perverse tracking system once everyone was hooked onto free web content and nobody could get away from it.
Why? If a company is transparent about what they're collecting and how it's used, I don't see how there is anything wrong with them refusing you service if you refuse to accept their terms. Websites and the businesses that run them aren't public property that you have a right to use. The problem comes when they secretly gather and exploit your information.
Data protection laws would still limit what companies could do with the data after they obtained it, even if they required that data to access the site.
It's not really that weird - it's almost the whole point!
The idea of GDPR generally is to prevent some undesirable behaviour (i.e. indiscriminately vacuuming up all the personal data you can and being careless with it), in part by establishing a regulation that says "you need to have good reasons if you want to process personal data". This means we have to define, among other things, what "good reasons" are.
In GDPR terms this would be the "lawful basis" for processing data. There are a bunch of these, including "you gave explicit consent", "it is a legal requirement", and "we have a legitimate interest in doing so".
The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who withholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.
> The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who withholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.
This seems backward to me - by allowing access to users who don't consent, you are implying that consent to track is not at all necessary to your functioning, and thus doing the tracking at all is now for invalid reasons... yea?
This is all obviously simplified, but “consent” and “necessary to functioning” are two different justifications for processing data. The GDPR does not require consent; it requires some kind of justification (a “lawful basis”) for processing, and “consent” is just one of those.
Think of it like this - if you want to process some personal data, regulations now oblige you to have a justification for doing so. That’s what GDPR calls a “lawful basis”, and there are six of them that can be used:
- Contract – "processing your data is required to offer or fulfil a contract with you"
- Consent – "we asked to process your data and you explicitly said it was okay"
- Legal obligation – "we need to process your data to comply with the law"
- Vital interest – "you were likely to die unless we processed this data"
- Public task – "we need to process your data to perform some kind of officially sanctioned public service"
- Legitimate interest – "we need to process this data for some other legitimate reason and promise that we won't do anything unexpected or unreasonable with it"
So, if you're running a website and you want to collect visitor data, you now need to justify why you are doing so, using one of these reasons. Each of these reasons outlines when they can be used, and what conditions apply to their use as a justification.
If you were running e.g. an insurance comparison site, you'd use the "contract" basis – processing a subject's data is necessary to fulfil some kind of service. A separate "consent" is not required. If you wanted to log requests to your site so you can detect intrusion attempts, you have a "legitimate interest" basis and again "consent" is not required – instead, you need to ensure you have evaluated the data you collect and demonstrated why it is required to fulfil that function.
To the specific point you raised – if your website legitimately needs to process data for reasons that are "necessary to your functioning", then you do not need consent to do so. You do need to document why this is the case, communicate it to users, provide adequate safeguards etc., but you don't need to obtain an explicit consent. If you aren't able to use this approach, you still need a justification for your processing; if you want to use "explicit consent" as your reason, then that comes with the requirement that the consent is freely given, explicitly opt-in, and not a precondition for accessing the service.
If you decided to make "consent" a requirement to access a service, you would inherently be demonstrating that you did not meet the requirements for making that your "lawful basis" for processing.
Sorry that came out quite long, but I think it's important that anybody working with personal data understands these ideas!
In the US, "discrimination" only applies to protected classes. This includes sex, race, religion, nationality, skin color, age, or disability status. Unless one's stance on accepting cookies is enshrined in a widely acknowledged and mainstream religious text, I'm not sure it would apply.
Even sexual orientation isn't really protected in that way FWIW, which is why a lot of anti-discrimination rulings surrounding LGBT rights can often feel a bit convoluted.
You can charge money, you can have special rules outside of the scope of the GDPR... what you cannot do is make people’s personal data the price for content. Under the GDPR personal data is non-negotiable.
Edit: I'm surprised that elondaits's explanation isn't at the top of my thread. It makes clear that "exchanging your data as payment for 'free' services" is the target of GDPR and seems to me that's the only sensible explanation. Is someone willing to refute their explanation?
Yeah, I guess it could be thought of like laws against prostitution... you can give your data away for free, but you can't give it in return for something.
Price for a service isn't guided by how expensive the service is to offer, but by what the market will pay.
In this case, however, I was using it as an example of setting a price you don't expect to be paid... you want everyone to pay with their data, but you are required by law to offer an alternative payment form... so you set the price for the alternative to so high no one pays it.
Because the EU is a dumpster fire when it comes to tech companies (probably not a coincidence). This means that few websites are actually based in the EU. If the EU doesn't like them then they can block the sites.
The downvotes are no doubt because you've violated the site guidelines with name-calling and flamebait. The damage that does is more important than the value of the information you're adding, so downvotes and flags are correct. It's too bad, because there's the kernel of a good comment there too.
Would you please review https://news.ycombinator.com/newsguidelines.html and use HN as intended? It's not hard if you want to, and you're a good user otherwise. We've had to ask you this many times.
It is probably related to the complete lack of jurisdiction in calling the US "lawless" that attracts the downvotes.
Most people understand that Saudi Arabian blasphemy laws mean jack shit if you have no connection; their laws can't apply. Making any pretense of validity beyond the ability to enforce the laws just makes anyone making such claims utter tools. Just because the other bloc is an EU nation instead of a backwards monarchy petrostate doesn't change that one bit.
What if the law said that the company has to serve EU users the same way it serves non-EU users, and to do otherwise would be considered an act of trade war by a private US corporation against the EU (the same as if e.g. a US private defense contractor, hired by some other power, hacked into EU corporations and caused property damage against them)—basically making the whole thing into a “diplomatic incident” each time it happened?
Heck, what if they said that everyone doing things their way is their condition on staying in WIPO, and if a country can’t bring its corporations into line, then the EU will declare all WIPO IP-right assertions originating from that country null and void within the EU, free for any EU corporation to exploit?
I don't think anyone should be forced to service foreign nations. As a citizen of a non EU country, I'd take issue with being compelled to work with them.
EU would effectively be declaring war on a significant percentage of the world. They have no jurisdiction beyond their borders.
Taking your ball and going home, while not the best for business, should be an option.
I mean, you're not forced to service foreign nations. But if you are trading with foreign nations, then you've got to realize that that is fundamentally a voluntary relationship—trade doesn't exist by default, it is created by a spirit of mutual cooperation, on a foundation of compromise. If that spirit of cooperation and foundation of compromise don't exist, then the trade cannot exist.
Or, to put that another way: WIPO itself is something the US "forced" on the rest of the world. But it wasn't actually force; it was just a condition on other nations continuing to trade with the US.
As I said, taking your ball and going home should be an option. That implies NOT trading with EU.
As per wiktionary.org:
"To cease participating in an activity that has turned to one's disadvantage, especially out of spite, or in a way that prevents others from participating as well."
I doubt that is the intent. Content can be behind paywalls, so I see cookie acceptance as a form of paywall. If they are claiming otherwise, you get stuck with only paid content.
So can they do previews only, without running afoul of the law, and specify cookies for full access?
So it's up to you to decide if the information is worthy? After already seeing that information? And you promise you will forget that information after not liking it and not paying for it?
Consent can't be a form of paywall under GDPR. GDPR defines that valid consent must be freely given, and explicitly mentions that if providing service is conditional on providing consent then that is not freely given consent.
Consent that's not freely given is not a valid legal basis for processing personal data according to GDPR. If users clicked "I agree" under these circumstances, then that "agreement" click is worthless; it does not grant any extra permission that the website owner did not already have.
In essence, GDPR makes it so that consent to processing private data is not for sale; it's not something you can legally trade away in a contract for some money or benefit.
It's valid to have informative click-through walls - to gather assertions that the user has been informed that you're going to do stuff with their data because you have a legal basis to do it even if they don't opt in; but a click-through wall fundamentally cannot be a mechanism of obtaining valid consent to some processing where consent is needed. GDPR consent must be opt-in, fully informed, and freely given - something that some of your users intentionally choose because they want to. If you expect all users to "consent" to some processing then that's impossible - you would rather have to argue that "legitimate interest" or some other part of GDPR allows you to process that data without consent. You can have all users acknowledge something, but you can't have all users consent to something; that's not how opt-in consent works.
Websites are not required to give their content for free - a "Pay money or go away" popup is completely valid.
But websites are not allowed to track people who don't really want to be tracked. If the choice was "accept tracking or go away" then clicking "accept tracking" does not give them a legally valid consent to track me. There's nothing illegal about that popup as such, it's the tracking without consent that would be a violation.
Can you give me a link to some of these Austrian and German newspapers so that I can try out their approval pipeline? If that's really the case (all kinds of minor nuances may change the situation) then my intent is to click "accept", followed by a GDPR request of how they're using my data, and if their response indicates "consent" as the basis for processing something, then I'll submit a complaint to my local DPA (which may get resolved by the end of year..)
My point is that some EU companies still doing X is not a sign that X is permitted - often all it means is that GDPR is not enforced for them yet. I see a lot of local practices that are still happening despite our local DPA clearly stating that this is not 'kosher' - it takes a lot of time to make all industries comply. There have been a lot of changes (mostly for the mass market companies handling offline customers, everything from hospitals to the rental markets to supermarket loyalty cards) but there's a lot of noncompliance out there. Every now and then another subindustry gets investigated (probably prioritized by the number of complaints) and after some action gets taken, all the other local companies in that industry tidy up somewhat.
> Consent can't be a form of paywall under GDPR. GDPR defines that valid consent must be freely given, and explicitly mentions that if providing service is conditional on providing consent then that is not freely given consent.
Which is absurd. Did I not "freely give" $20 when I bought a pizza because if I had been able to get the pizza without paying I would have?
> GDPR consent must be opt-in, fully informed, and freely given - something that some of your users intentionally choose because they want to.
And there's no reason for customers to opt-in when you're not allowed to offer anything in exchange. I would respect the GDPR a lot more if it directly banned "unnecessary" data collection, rather than going through these silly rituals of companies using dark patterns to try to claim that users agreed.
"And there's no reason for customers to opt-in when you're not allowed to offer anything in exchange." is kind of the point - the goal of GDPR is to stop the unwanted invasions of privacy, not extract some additional compensation from companies in exchange for being permitted to continue all these things. It's designed so that it would not be possible for a standard privacy-violating website to become GDPR compliant by writing some legalese or showing some popups or offering some discounts in exchange, the only way for the industry to become compliant should be by actual change in behavior so that there's much less tracking and violating the user's privacy.
The valid reasons for customers to opt in are in scenarios where they desire the result to be customised according to that private data - where the customer wants you to use that data because that actual use benefits them. E.g. a dating site user might want you to use all kinds of private data for the purposes of finding better date matches. And the same user might not want you to use that same data for any other purposes or share it with third parties. And the intended result of GDPR (as the enforcement slowly changes the common practices) is a world where these users' privacy preferences are actually respected.
So the consent question comes down to essentially "are the users gifting you this data because they want you to have it?" - if so, knock yourself out, everyone's happy. But any selling or trading of that consent is not binding or enforceable.
The most effective analogy that I can think of is sexual consent.
Like, if I sign a contract saying "You can fuck my arse and I get 5 euros for that" then that by itself does not count as valid consent, that's a nonenforceable term, it's null and void. At every future point I'm free to not have my arse fucked unless I really want to (or there's some other legal basis, IDK, a warrant for a cavity search), that's an unalienable right, it's not something that I can sign away in a contract, and doing so without my actual consent would be rape no matter what I signed in the contract.
In the exact same manner, under GDPR if I sign a contract saying "You can violate my privacy and I get 5 euros for that" then that by itself does not count as valid consent, that's a nonenforceable term, it's null and void. At every future point I'm free to not have my privacy violated unless I want to (or there's some other legal basis), that's an unalienable right, it's not something that I can sign away in a contract, and doing so without my actual consent would be a privacy rights violation despite the contract.
Because douchebags like TC and whatever service they're using will come up with ways to annoy the fuck out of you so that people will go back to blind consent.
One additional point should've been added to GDPR: malicious techniques to acquire consent will result in triple the amount of fines.