
Grindr to be fined almost €10M over GDPR complaint

299 points | izacus | 5 years ago | noyb.eu

289 comments

Vinnl | 5 years ago
> Grindr is now relying on a new consent system and alleged "legitimate interest" to use data without user consent. This is in conflict with the decision of the Norwegian DPA, as it explicitly held that "any extensive disclosure ... for marketing purposes should be based on the data subject’s consent".

This "legitimate interest" shenanigans is coming up more and more often, where you have a modal with lots of options to opt in to specific forms of tracking. Most of those are now off by default, as it should be, except that if you scroll down you still see a number of "legitimate interest" ones enabled, even though you can turn them off manually.

Edit: And worst of all is this very confusing pattern with two columns of toggle buttons, one of which concerns "legitimate interest": https://toot.cafe/@peter/105367185171860458

danielbarla | 5 years ago
The various dark patterns employed by these consent systems are fairly opaque to anyone who bothers to open them, and are clearly deliberate attempts at maintaining the old status quo of "opt-in by default". Frankly, I am surprised at how few of these fines are flying around, though I am quite happy to hear they _are_ happening.

I do get that this type of regulation is very disruptive to many companies, but if they cannot survive with informed consent, then perhaps they should not have been so successful without it in the first place.

sseneca | 5 years ago
It’s almost impressive what these people have created. Now, when I stumble across the rare “Reject All” button on one of those pop ups, I don’t know if they even really mean “all” or if it keeps the trackers under “legitimate interests” enabled because they’re... “legitimate”. So the only safe option ends up being disabling all of them manually, which is absurd when these websites list hundreds and hundreds of trackers.

It’s as if they used decades of HCI research precisely to make the user experience as horrible as possible. No wait, I’m sure they did exactly that.

dthul | 5 years ago
On some websites I get a tracking / cookie consent popup which, if I choose not to consent to everything, leaves me hanging for a _very_ long time while "saving my settings". I am talking about 30-60 seconds here. That must be deliberate to keep you from denying consent. I forgot which company it was but I immediately recognize those popups.

alpaca128 | 5 years ago
Once again proof that what we need is the opposite approach; companies need to actively get explicit permission not just from the end user, but also from authorities to collect and share data, and the full report should be publicly accessible. Also I wouldn't mind a general ban on using personal data for marketing purposes, I don't know a scenario where this would be necessary and beneficial for the user.

Right now companies just keep doing what they always did and hope for the best. As long as they're convinced they can just try not to get too much attention this data sharing problem will persist with barely a dent.

Blikkentrekker | 5 years ago
Most of these data consent forms are purposefully complicated so that many opt in to all to save time. The “advanced options” menu even loads suspiciously slowly at times.

It should be required by law that there be a simple to access “opt out to everything” option that should be as easy to access as an “opt in to everything” option.

Also, I would not be opposed if some browser standard were developed under governmental oversight that sends a blanket “opt out to everything” that websites would be required to respect by law.

ardy42 | 5 years ago
> Edit: And worst of all is this very confusing pattern with two columns of toggle buttons, one of which concerns "legitimate interest": https://toot.cafe/@peter/105367185171860458

That's pretty awful, how are you even supposed to interpret that? I'm guessing it's something like "first || !second", because that would be the sleaziest.

YeGoblynQueenne | 5 years ago
My biggest bugbear with these multi-modals is that much of the time the buttons that turn consent on or off are not labelled. You're supposed to guess from their colour and default position what is on and what is off, so when I make a choice I never know for sure how the website interpreted my choice.

Some have an "accept all" button that could perhaps reveal which is "on" and which is "off", since when you press it all the buttons go to "on". But this happens so quickly and the modal is closed immediately afterwards, that there's no time to tell. And of course by then you've already accepted so it doesn't matter.

switch007 | 5 years ago
I've also had "legitimate interest" used as a catch-all reply when you raise any concerns internally.

It reminds me of "reasonable" wording in English law.

mikestew | 5 years ago
Most of those are now off by default, as it should be, except that if you scroll down you still see a number of "legitimate interest" ones enabled, even though you can turn them off manually.

Taking a page from the RealNetworks playbook from twenty years ago, I see. Put the shit you don't care about up top and unchecked, keeping the interesting stuff checked but below the fold.

rawbot | 5 years ago
I have met a few websites where you cannot uncheck the "legitimate interest" fields.

MereInterest | 5 years ago
This is a great example, that I intend to hang on to. I've run into a few people online with some severe willful ignorance about the GDPR. The worst was somebody arguing that since targeted advertising was their business model, that in itself constituted a "legitimate interest". So, pretty much exactly the sort of thing that GDPR forbids.

ffpip | 5 years ago
noyb seems to be a great company.

I have heard of their lawsuits against Apple, Facebook and now a large fine against Grindr.

If anyone wants to help them - https://noyb.eu/en/support-us . (no affiliation)

Lapland | 5 years ago
Thanks for sharing, haven't heard about this organization before but happy to support them now.

helmholtz | 5 years ago
Decided to put my money where my mouth is and signed up to donate to them. Thank you for the link.

StavrosK | 5 years ago
Thanks for that, I figured advocating for my privacy is worth at least 50 EUR/yr, so I subscribed.

zxcvbn4038 | 5 years ago
They are sending all of their users' data with an "opt out" flag and leaving it to the ad companies to honor it? Slow clap?

It also caught my eye that their TOS didn't allow users a choice in data sharing, it was either agree or don't use the app. That might have some wide ramifications, I've encountered many web sites that won't let you past the sharing opt-in until you click agree - i.e. it is impossible to disagree. It is a completely foreign concept for US companies.

Wikipedia says Grindr is based in California, US. I wonder if they will pay the fine or refuse. If they have no assets in Norway I imagine it may be hard to collect from them.

orangepanda | 5 years ago
> Consent must be unambiguous, informed, specific and freely given.

A bit ironic, for a dating app.

jhanschoo | 5 years ago
If I'm not wrong, dating apps are among the worst for user privacy. Google `dating apps user privacy` and you'll find no shortage of news articles.

Laarlf | 5 years ago
Yeah, same thoughts. The GDPR didn’t change much but made small companies like these more vulnerable and web browsing more unbearable. Data is still getting collected and big companies don’t care.

Traubenfuchs | 5 years ago
Bug or user hostile design?

Grindr presents me the third party data choice dialog every day. Sometimes multiple times per day. I reject every time. Also, it forgets that I set my units to metric regularly. Grindr is a mess. Besides its big user base, it is a garbage app.

metalliqaz | 5 years ago
Sounds like both. Sounds like a feature designed to implement a dark pattern is broken.

tyfon | 5 years ago
Note that this is 10% of revenue so it is quite substantial.

esarbe | 5 years ago
I'm pretty happy that GDPR finally starts being used to limit that type of data agglutination. Max Schrems and noyb are doing a great job pushing for better privacy protection in Europe. I just hope that the big ones also either change their behavior or get forced to account for it.

Hitton | 5 years ago
I'm surprised about:

>Consent must also be freely given. The DPA highlighted that users should have a real choice not to consent without any negative consequences. Grindr made use of the app conditional on consenting to data sharing or to paying a subscription fee.

I thought that this was allowed. Kind of puts companies depending on advertising in really bad position. One would expect that having choice of paying or getting tracked would be, at least for some people, better than just having to pay to get to the content.

ganzuul | 5 years ago
Great news! They have been preying on a very vulnerable community.

peteretep | 5 years ago
Are gay men in Norway a very vulnerable community? My impression was no, but I’m willing to have that countered.

moritonal | 5 years ago
Why do you say that? The app was founded in LA where I wouldn't describe the gay scene as vulnerable. Is the situation in Norway different?

secondcoming | 5 years ago
'Preying' is a bit much. Nobody is forced to use Grindr and the whole point of the app is to meet same-sex people geographically close to you.

This whole case seems to revolve around whether the 'Legitimate Interest' legal basis is valid or not. It was only a matter of time before it was legally challenged.

xtracto | 5 years ago
The GDPR has always amazed me. It changed the playing field from "you can use our free app as long as you give us data for marketing, or not use it" to "you can provide a free service in the EU as long as you don't collect data for marketing, or don't provide it".

Without making a judgement on the merits of the approach, as a user/individual I appreciate the power this gives to protect my data. As a company/developer the complexity of navigating the landmines that this poses makes me understand why a lot of non-EU companies decide to just block EU users. Is it "good riddance" in both cases? Maybe, but still the fact that innovating becomes more expensive sits there.

gingericha | 5 years ago
Question in regards to the user consent pop-ups on websites: On sites that continue to let you browse without making a selection (say the consent banner is on the bottom of the browser window), if I don't make any choice, accept or reject, what happens? Am I giving consent by default?

pbhjpbhj | 5 years ago
By law it has to be informed, active consent, AIUI. Some sites say 'by continuing you are giving consent' but that's not how it works.

You have to be able to use the site without giving consent too.

anticristi | 5 years ago
Consent needs to be unambiguous. If they assume consent, they operate illegally.

mjw_byrne | 5 years ago
I was a little surprised by this: "The DPA highlighted that users should have a real choice not to consent without any negative consequences."

Does this mean that it is unacceptable to run a service which requires consent to share data? That seems overly restrictive - where does that leave services in which sharing data is the whole point of the service?

The article goes on to say: "Grindr made use of the app conditional on consenting to data sharing or to paying a subscription fee."

Is this the unacceptable part? I.e. Grindr is creating a financial penalty for users who exercise their data privacy rights?

Would it be acceptable under GDPR to run an app where the choice is "consent to sharing data or do not use this app at all"?

user-the-name | 5 years ago
"Companies cannot just include external software into their products and then hope that they comply with the law. Grindr included the tracking code of external partners and forwarded user data to potentially hundreds of third parties - it now also has to ensure that these 'partners' comply with the law." – Ala Krinickytė, Data protection lawyer at noyb

This has a pretty wide impact, I'd say.

kristofferR | 5 years ago
GDPR contains special protections for LGBT people, but Grindr shared their users' private information with third parties anyway, since they argued that Grindr users might be straight...

Pretty shocking and absurd.

yarcob | 5 years ago
There's no special protection for LGBT, but sexual orientation is considered sensitive information. If you tell advertisers (implicitly or explicitly) whether a user is gay or straight, that requires explicit consent.

cblconfederate | 5 years ago
No more special than for straight people.

eplanit | 5 years ago
Why should one group have special protection relative to another?