I may be mistaken, but I think it falls under some sort of discrimination ruling? I.e.: you can't discriminate against those users who don't want to give consent.
That seems like a weird choice. I mean, it makes sense to ban discrimination based on traits that people have no control of (e.g. all the protected classes in the US), but a refusal of consent is a behavior choice, not an unavoidable trait.
So all regulations are necessary because it keeps corporations in check? I guess that means there is no room for bad regulations with that tautological definition.
That’s not what I said. There’s good and bad regulation. Things aren’t black and white; a truly free market with no government intervention at all will harm consumers, and governments with a hand in everything will harm consumers too.
"All regulation against corporations limits the corporation’s rights, but it’s necessary as it keeps them in check."
Your original statement made it sound as if you were saying all regulation is justified. Thanks for the primer on free-market/regulatory trade-offs though I never realized there was room for nuance.
But we've built a world where a large fraction of the population has [apparently] willingly traded their privacy for free product. I completely support making this trade transparent, so people can make an explicit choice, but what's the justification in making it one-sided and requiring companies to provide their service for free?
But is there any company that survives solely by collecting and trafficking personal data? Facebook and Google don't count, they make money selling ads.
If there is such a company I'm completely ok with them not being viable anymore.
i guess we'll find out if they really are willing, given a proper choice, and not just forced to click "accept" like in some perverse skinner box.
i don't know where all the misinformation comes from, but companies don't need to provide their services for free. they can still show ads - just untargeted ones. or is ads = tracking nowadays?
They can even show ads that are related to the content on the web page! Are you on a page that is about breeds of dogs you might want to adopt? Why not buy a Halti collar, and a package of dog training sessions, and donate to the RSPCA?
This is what Google's advertising product started out as, basically automated magazine advertising at scale; it turned into this perverse tracking system once everyone was hooked onto free web content and nobody could get away from it.
Why? If a company is transparent about what they're collecting and how it's used, I don't see how there is anything wrong with them refusing you service if you refuse to accept their terms. Websites and the businesses that run them aren't public property that you have a right to use. The problem comes when they secretly gather and exploit your information.
Data protection laws would still limit what companies could do with the data after they obtained it, even if they required that data to access the site.
It's not really that weird - it's almost the whole point!
The idea of GDPR generally is to prevent some undesirable behaviour (i.e. indiscriminately vacuuming up all the personal data you can and being careless with it), in part by establishing a regulation that says "you need to have good reasons if you want to process personal data". This means we have to define, among other things, what "good reasons" are.
In GDPR terms this would be the "lawful basis" for processing data. There are a bunch of these, including "you gave explicit consent", "it is a legal requirement", and "we have a legitimate interest in doing so".
The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who witholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.
> The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who witholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.
This seems backward to me - by allowing access to users who don't consent, you are implying that consent to track is not at all necessary to your functioning, and thus doing the tracking at all is now for invalid reasons... yea?
This is all obviously simplified, but “consent” and “necessary to functioning” are two different justifications for processing data. The GDPR does not require consent; it requires some kind of justification—a “lawful basis”— for processing, and “consent” is just one of those.
Think of it like this - if you want to process some personal data, regulations now oblige you to have a justification for doing so. That’s what GDPR calls a “lawful basis”, and there are six of them that can be used:
- Contract – "processing your data is required to offer or fulfil a contract with you"
- Consent – "we asked to process your data and you explicitly said it was okay"
- Legal obligation – "we need to process your data to comply with the law"
- Vital interest – "you were likely to die unless we processed this data"
- Public task – "we need to process your data to perform some kind of officially sanctioned public service"
- Legitimate interest – "we need to process this data for some other legitimate reason and promise that we won't do anything unexpected or unreasonable with it"
So, if you're running a website and you want to collect visitor data, you now need to justify why you are doing so, using one of these reasons. Each of these reasons outlines when they can be used, and what conditions apply to their use as a justification.
If you were running e.g. an insurance comparison site, you'd use the "contract" basis – processing a subject's data is necessary to fulfil some kind of service. A separate "consent" is not required. If you wanted to log requests to your site so you can detect intrusion attempts, you have a "legitimate interest" basis and again "consent" is not required – instead, you need to ensure you have evaluated the data you collect and demonstrated why it is required to fulfil that function.
To the specific point you raised – if your website legitimately needs to process data for reasons that are "necessary to your functioning", then you do not need consent to do so. You do need to document why this is the case, communicate it to users, provide adequate safeguards etc. but don't need to obtain an explicit consent. If you aren't able to use this approach, you still need a justification for your processing; if you want to use "explicit consent" as your reason, then that comes with the requirement that the consent is freely-given, explicitly opt-in, and is not a precondition for accessing the service.
If you decided to make "consent" a requirement to access a service, you would inherently be demonstrating that you did not meet the requirements for making that your "lawful basis" for processing.
Sorry that came out quite long, but I think it's important that anybody working with personal data understands these ideas!
In the US, "discrimination" only applies to protected classes. This includes sex. race, religion, nationality, skin color, age, or disability status. Unless one's stance on accepting cookies is enshrined in a widely acknowledged and mainstream religious text I'm not sure it would apply.
Even sexual orientation isn't really protected in that way FWIW, which is why a lot of anti-discrimination rulings surrounding LGBT rights can often feel a bit convoluted.
