Yes, I can't fathom why the hate is on the law, and not the companies now being exposed by the law.. Seriously, if you don't do shady shit your site doesn't need a popup asking for consent.
But even GitHub has misunderstood: it's not about the cookies. They had an article earlier about removing the popup since they managed to do stuff without cookies. The law doesn't care about cookies, it cares about tracking and illegitimate use of personal data. If you send data to third parties or track by other means, consent is still needed.
The law forced the companies to be explicit about what they do, and ask for consent.
The user experience is made shit by the companies doing shady things.
If they didn't do shady shit, they wouldn't have to display any banner.
I'd rather be informed, at least I can make a decision that way.
Why shoot the messenger?
The part that is missing is making rejecting as easy as accepting. So far there are a lot of dark patterns, but there are sites that make it very clear and easy, and I appreciate it.
How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).
The law could have been much better if it simply asked browser makers to provide a single place to configure your preference, and then forced companies to abide by that setting.
> How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses.
Just because it's free and somewhat nice looking, doesn't mean it isn't shady shit. Maybe all you care about is counting unique visitors, but by doing that with Google Analytics, you're exposing your visitors to a complex surveillance product that collects data for its own purposes, and it sees much more than what's needed to just count unique visits.
What people don't see about GA, is that the data doesn't stop at you: "here is your data, X unique visitors, have a nice day".
It has a wider lifecycle: "this is YOUR data, and we collect, maintain, process, sell these data to a myriad other sources for a myriad other purposes". GA just feeds these monsters.
Most GA users just don't care about their clients'/readers' privacy. Or they care 'a little' but they care 'a lot more' about monetizing.
We externalize the costs, or find shady revenue streams. As long as people think "it's free therefore it is good and I like it" we are not progressing.
Use first-party, privacy-friendly tracking solutions. Usually, first-party cookies don’t require consent.
I would love to have a technical solution for browser-wide consent management, but it wouldn’t solve the issue of granular, informed consent for all the shady things that are possible in adtech.
Also, the law certainly doesn’t prohibit a technical solution, but that really is something that the industry should work out.
I'm sure it's possible to do analytics in a user friendly way - you can do basic analytics without storing IPs or using cookies.
The problem is that Google Analytics isn't _just_ collecting data for you, it's collecting a trove of other data that it's using to track and link users across other websites.
There was a simple place — Do Not Track (DNT), ignored by industry.
Truly open culture does not accept tracking; for example, there is no way to count Linux users. And people would not be keen on those who track physical newspapers.
The purpose of the tracking matters, though. Truly open culture also doesn't attempt fraud, DoS attacks, data breaches, and all the other nasty things that some people who are hoping not to get caught and punished do online. Unless you can prevent all such threats, it's unreasonable to expect websites whose operators might be held responsible for the consequences not to monitor how their own systems are being used and who is using them.
DNT never worked - and never could, because it had no legal backing.
What happened was entirely predictable to anyone who understands how the market works: there were some volunteers who honored DNT while it was opt-in, but that mostly ended when one of the browsers decided to make sending DNT enabled by default.
The industry wasn't, isn't, and is never going to self-regulate itself out of a significant revenue stream. That's why we ended up with GDPR - a proper solution with legal backing - which almost works. It would be working, if EU member states were more eager to pursue violations and issue fines.
> I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).
Setting a cookie is not in itself a GDPR violation. Collecting personally identifiable information is. You can collect unique visitors by setting a cookie but without collecting personally identifiable information, so no consent popup would be required for that:
1. Set a "site last visited: <date>, <serial-of-the-day>" cookie if it is not set.
2. Count hits as appropriate by examining the cookie - without collecting IP addresses.
Since no personally identifiable information is being collected with this scheme, consent is not required.
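An added example, not code from the thread, of the two-step scheme above: the cookie holds only a date and a per-day serial, the handler never receives the client IP, and unique visitors are counted by examining the cookie. The cookie name and layout are my assumptions.

```python
"""Unique-visitor counting from a date+serial cookie, with no IP addresses."""
from dataclasses import dataclass, field
from datetime import date

COOKIE_NAME = "site-last-visited"   # assumed name; value is "YYYY-MM-DD,<serial>"


@dataclass
class DailyStats:
    day: date
    hits: int = 0
    unique: int = 0                          # distinct visitors seen today
    seen: set = field(default_factory=set)   # serials already counted today
    next_serial: int = 1


def start_day(iso_date):
    """Fresh counters for the given day (e.g. '2024-01-02')."""
    return DailyStats(date.fromisoformat(iso_date))


def _parse(value):
    """Return (date, serial) from 'YYYY-MM-DD,<serial>', or None if malformed."""
    if not value:
        return None
    try:
        d, s = value.split(",", 1)
        return date.fromisoformat(d), int(s)
    except ValueError:
        return None


def handle_request(stats, cookies):
    """Count one hit. `cookies` is the request cookie dict; the remote address
    is deliberately not a parameter, so it cannot be stored by accident.
    Returns a Set-Cookie value, or None when today's cookie is already set."""
    stats.hits += 1
    parsed = _parse(cookies.get(COOKIE_NAME))
    if parsed and parsed[0] == stats.day:
        if parsed[1] not in stats.seen:      # e.g. counters lost on restart
            stats.seen.add(parsed[1])
            stats.unique += 1
            stats.next_serial = max(stats.next_serial, parsed[1] + 1)
        return None                          # cookie still valid for today
    # Absent, malformed, or from an earlier day: issue today's next serial.
    serial = stats.next_serial
    stats.next_serial += 1
    stats.seen.add(serial)
    stats.unique += 1
    return (f"{COOKIE_NAME}={stats.day.isoformat()},{serial}; "
            "Max-Age=2592000; SameSite=Lax; HttpOnly")
```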
Whether you parse log files locally, or in the cloud, or use a cookie really doesn't matter to the GDPR. They only mention the word "cookie" once in the entire law, it's independent of technology, as it should be. If you store personal information (like IP address) in your log files, you still need consent.
There is no cookie law. There was a privacy directive 7 years earlier, but it did not have any fines associated with it so no one really cared. We are discussing the GDPR that superseded it.
GDPR is a highly complex piece of legislation that is very hard to navigate and therefore only established companies with big bucks to spend on lawyers and extra engineering can profit from the ecosystem while everybody else is put at risk.
Complex legislation and regulations is the best way to keep monopolies in place. Same goes for the financial sector, telecoms, etc. It's nearly impossible for new players to emerge.
These complex frameworks are put in place so that big companies that do nasty things can get away with it because they will be able to demonstrate that they have complied with the regulations while emerging players will break their teeth on it.
Instead of regulating _how_ data collection and processing should be done, we should penalise _what_ is done with the data in simple clear terms, and make _people_ (CEOs, etc.) responsible not just giving fines to companies. Basically, reintroduce skin in the game.
GDPR is sooo easy to follow as a startup. Just gather the data you need and not everything else, and ask for consent.
If anything, it was the big players getting work to do. Thousands of people on mailing lists with no control of how they got there. Asked and kept insane amounts of not necessary data. Data floating in hundreds of database tables spread over various services and third party vendors and data centers with no control. Cleaning up that was a huge job.
It really isn't that easy. Something like an IP address is considered personally identifiable information, and most web servers and frameworks log that by default. If you really want to comply it takes quite a bit of effort to make sure you are not accidentally logging IP addresses somewhere. You can argue you need that info for the operation of your site, but it's been established that you would still need to ask permission in that case, did you do that?
Of course, they are unlikely to come after a startup for an infringement like that, but the point is that they could if they wanted to.
Just Google "IP addresses GDPR" and you will see several different conclusions. I actually looked at the site of the enforcement authority in my country and they say you can only store the first 3 bytes of an IP address. But enforcement authorities in other countries may claim differently.
My point is: it's really not that easy. It should be easy to get clear guidance on something straightforward like this, and not have to resort to Stack Overflow answers.
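An added example, not from the thread, of the truncation the commenter describes: the remote-host field of each access-log line is cut to its first three octets before the line is stored, so the full address never reaches disk. Keeping a /48 for IPv6 is my assumption; the guidance quoted above only speaks of IPv4 bytes. The log lines are constructed samples.

```python
"""Truncate client addresses in Common Log Format lines before they are written."""
import ipaddress
import re

# Leading remote-host field of a Common Log Format line.
_CLF_HOST = re.compile(r"^(\S+)(?=\s)")


def anonymize_ip(text):
    """Zero the host part: keep 3 octets of IPv4 (/24) or the /48 of IPv6
    (assumed). Non-IP fields such as '-' or hostnames are returned unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line):
    """Rewrite only the first field; the rest of the line is left intact."""
    return _CLF_HOST.sub(lambda m: anonymize_ip(m.group(1)), line, count=1)


def anonymize_log(lines):
    """Apply the filter to every line; call this on the write path, not as a
    cleanup pass, so the untruncated address is never persisted."""
    return [anonymize_log_line(line) for line in lines]


SAMPLE_LOG = [  # constructed sample lines using documentation address ranges
    '203.0.113.45 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::1 - - [10/Oct/2020:13:56:01 +0000] "GET /about HTTP/1.1" 200 1024',
    '- - - [10/Oct/2020:13:56:02 +0000] "GET /x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```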
You can argue you need that info for the operation of your site, but it's been established that you would still need to ask permission in that case, did you do that?
Where and how was that established? There are obvious operational and security reasons why the operator of a website might reasonably log access information, and there are lawful bases for processing data under the GDPR other than having the subject's explicit consent.
I highly doubt you as a non shady actor will be punished because of your server logs as such.
Start selling or otherwise sharing them with ad companies, directly or indirectly and you deserve and should expect a GDPR fine as soon as they can if you are in a jurisdiction where GDPR applies.
Same if you involuntarily leak data because of gross negligence: passwords in cleartext, unnecessary data collected and stored and later leaked, etc. etc.
In many cases I understand authorities will even contact companies first and try to guide them toward a compliant solution first instead of fining them right away.
That said, I wish there were some clarifications given wrt server logs and IP addresses; running without is in many cases gross negligence in itself.
Basic logging is first year defense against black arts curriculum.
GDPR is sooo easy to follow as a startup. Just gather the data you need and not everything else,and ask for consent.
Clearly we're not going to ask for consent to track someone who is systematically probing our site for vulnerabilities, or someone who is attempting to use us to validate presumably stolen credit card details, or a group who are obviously sharing a password to gain unauthorised access in violation of our terms of service.
Also, the purpose(s) of data processing matter, not just the data itself. It's not as simple as only gathering what you need. You also have to ensure that what you gather is used appropriately, and that you have the means to respond to the various rights that subjects have by law.
Thousands of people on mailing lists with no control of how they got there.
Actually, that was one of the tricky areas when the GDPR came in, and something almost no-one got right despite good intentions. Specifically, the widely accepted best practice for managing a mailing list had long been to use double opt-in, thus verifying that the subscriber really did intend to receive the messages, and to provide a simple, automated unsubscribe facility. However, unless you had kept all the confirmation replies, under the GDPR you might not have met the required standard for evidence of each list subscriber actively opting in to receive your mails.
That led to a wave of messages being sent out to mailing lists asking subscribers to confirm they still wanted to receive the mails. This was particularly ironic because if those subscribers hadn't already intended to consent then those messages were probably themselves in violation of existing law in much of the EU even before the GDPR came in. The difference was that before, no-one was seriously worried that a legitimately operated mailing list with double opt-in was going to be targeted for business-crippling penalties, but with all the ambiguity around the GDPR and the uncertainty around how it was going to be enforced, a lot of people panicked.
I don't recall having ever seen a mailing list following that best practice. It's always a "[ ] keep me informed about products" checkbox hidden somewhere in a purchase form, often pre-checked even though that's illegal. Recently I was somehow added to the mailing list of a car dealership after getting my car checked up there, and can't even unsubscribe without creating an account on their website.
I'm sure there are some legitimate mailing lists out there, but there are so many others that are scummy and in flagrant violation of the law. It's hard to shake the feeling that making things harder for mailing lists in general is going to be a net win for consumers.
Mailing list manager software operated that way almost universally for many years. You sent a mail to xyz-subscribe@example.com and then had to reply to a challenge message to confirm the subscription.
More recently, it's more about web forms and hosted services and so on, but typically you can't add subscribers on popular mailing list management services without either having the service run that kind of double opt-in check automatically or going through some kind of alternative process that involves explicitly confirming to the service that you have the required consent from somewhere else when adding the addresses directly.
There are loads of legitimate mailing lists, and the software and services running them have worked reasonably for decades, you just apparently haven't come across them. Not that I disagree with you that there are plenty of scummy ones as well, sadly.
Is every startup hiring a lawyer who specializes in data protection laws? Publishing an impact assessment and waiting 8±6 weeks for permission to deploy? GDPR is the size of a novel and adds a lot of bureaucracy beyond not doing bad things. I think everyone in other jurisdictions needs to consider whether revenue from serving EU users covers compliance costs and risks.
How is it helpful if most institutions are terrified? Doesn't it indicate that the regulation is unreasonable instead? If the EU commission can't run a website without a popup, then why would you expect anyone else to be able to?
>"But I want to track what users are doing!" - Well, then you have to show them a popup about that.
I think most website owners don't care about that, but they do care about earning money to actually run the website.
>The GDPR holds that data protection is a fundamental right.
The GDPR says that if the user asks to use your service then you have to offer them the service regardless whether they're willing to pay for it or not. You cannot not show content to users who refuse to share the data. Effectively, everyone else has to subsidize them.
And that's why you have a labyrinth of pop ups - GDPR breaks the normal monetization methods of the web. Suddenly they're surprised that this led to dark patterns.
Sure, but then your users will flock to an alternative that doesn't charge them money. Maybe the alternative is propped up by government funding or funding by some giant corporation or maybe they're based outside of GDPR jurisdiction or maybe they just don't care about the laws. Whatever it is, you're getting outcompeted.
And if every alternative charges money, then that means you're shutting out a large portion of people. For example, I can't pay for anything online right now. It doesn't matter whether it costs $5 or just a single cent - I have no way to pay. It'll be sorted eventually, but even then paying for anything online for me will be a 5-10 minute process. Not exactly something I'm willing to do for almost anything. And a lot of people in the world are in a similar position - credit cards aren't as accessible in most of the world compared to the US. If services like paypal don't accept bank transfers from your country, then they don't help either.
> I think most website owners don't care about that, but they do care about earning money to actually run the website.
Again -- the GDPR recognizes the right to data as a fundamental right, and thus the ability to earn money with a website comes second to users' rights.
Arguing against this is a bit like Big Tobacco complaining that they're not allowed to sell cigarettes to children.
> The GDPR says that if the user asks to use your service then you have to offer them the service regardless whether they're willing to pay for it or not. You cannot not show content to users who refuse to share the data. Effectively, everyone else has to subsidize them.
Sure you can. All you have to do is offer two models: (a) a model where the user pays for the service, and (b) a model where the user receives the service in exchange for agreeing to tracking etc.
I'm not sure why you're downvoted, but (b) isn't allowed under GDPR. Consent has to be given freely. It means that you can't block content if the user is unwilling to have their information shared.
(b) is allowed. This has been confirmed by the Austrian Data Protection Agency. (I haven't checked other DPAs, but they coordinate with each other.)
In the case above, a newspaper offered access to paywalled content for a small monthly subscription fee, and readers would consume it with zero ads, zero tracking.
Alternatively, they offered access with no monetary cost, but instead in exchange for tracking.
The DPA ruled this as fair because readers had a choice, and because the paid model was reasonable for a newspaper subscription (€6/month).
The key here is that starting with alternative (a) makes it a paywalled service, which is clearly legal (think Netflix). Also offering (b) just offers another mode of payment.
You wrote earlier: "GDPR breaks the normal monetization methods of the web." Well, smoking regulation broke (some of the) monetization methods of Big Tobacco.
Arguing against the GDPR here is beside the point. The GDPR is not an end, it is a means. The end is recognition of the right to data as a fundamental right.
Re-writing your statement in light of this, the point becomes "Data as a fundamental right breaks the normal monetization methods of the web." Opinions will differ here.
Oh yeah, thanks EU, now I can't read most USA local newspapers because they don't have money to waste complying with this and it's easier to region-ban users.
> Yes, I can't fathom why the hate is on the law, and not the companies now being exposed by the law.. Seriously, if you don't do shady shit your site doesn't need a popup asking for consent.
What problem do you believe is being solved by the popup? The idea that it will get consumers to boycott garbage websites and internet services (read: the vast majority) is wishful thinking. Consumers do not care in the slightest and just want to be cool and fit in and use the same thing as everyone else. Anyone who is tunnel visioned on web privacy (which doesn't and will never exist, due to how webcrap is built) will go to the bottom of the page and click "privacy policy". Websites shouldn't have means of collecting data about you at all in the first place. Banking and shopping should be done with software instead of insecure web scripts. Yes smaller steps can be taken but there is such thing as too small.
EDIT: Oh, I think you're saying that the popup is indeed redundant because your website shouldn't have it, because if it does your website is crap. I agree, but I don't agree with the law since I still use those websites regardless of how trash they are and all the popup does is make it more annoying.
The EU's site is actually a pretty nice example. The banner is small, non-obtrusive and simple. It has the positive and negative options on equal footing. I don't think many would complain about that.
It's still a popup. And yeah, of course a website that doesn't ever have to care about paying the bills has leeway. Make the commission's website pay for their own hosting, maintenance, and development and see whether their website stays the way it is.
Also what is your source that the commission isn't paying for their website? I don't mean to say that it's a relevant point, but I'm curious where you got this information. Does the commission not budget for their own hosting?
As I understand it, PECR does require affirmative consent to use cookies specifically. Often the same mechanism is used for data processing bases for GDPR as for PECR consent.