top | item 28134774

pieno | 4 years ago

That’s actually the entire point: this should not be standardised. That would make it useless. The purpose of GDPR is that, in principle, you need consent to process personal data. The consent must be specific both in terms of what data is processed, and in terms of why it is processed. The consent must also be explicit (no opt-out or implicit consent by browsing a site) and voluntary (no coerced consent by refusing service for not giving away personal data that is not specifically required for the service you’re asking for). Standardised widgets are exactly the opposite of all that.

In a way it’s very frustrating to see all these nonsense cookie banners that absolutely do not comply with GDPR at all. Why nag visitors with annoying cookie banners when your website is just as “illegal” as when it wouldn’t have a nag screen at all? This is really the worst of both worlds.

Then again, it’s perfectly understandable for companies to comply just a little, as they can then start long arguments with regulators on whether their implementation is compliant or not and whether they are getting valid, specific, express and voluntary consent (rather than just getting fined right away because there’s clearly no consent being asked at all which would make it too easy for the regulator).

So I’m really glad to see someone picking up this battle to actually enforce GDPR and call out the complete joke/smokescreen that most companies have made of it…

withinboredom|4 years ago

I think what they mean is a standardized end-user interface with some drag-drop/easy configuration on the dev side. Every site on earth doesn't need to develop their own modals/UI to gather consent.

pieno|4 years ago

But why ask for consent right away when someone just visits your website for the first time? Imagine that you walk into a shop and the owner starts harassing you right away, blocking your path and your view and nagging you whether you consent to them following you around the shop tracking what you’re looking at, what you touch, what you actually purchase, and then give the shop next door a call to tell them all about your visit so that they can all “improve your shopping experience by giving you personalised recommendations”. Pretty sure almost no one would keep shopping there. In fact, this is pretty clear from Apple’s new do not track option where Facebook said in their quarterly report that it’s really hurting them (contrary to their statements that all of their users already happily consented to tracking and that they’re actually doing their users a favour by tracking them).

What should really happen is that sites just stop asking for bullshit consent to being tracked. No one will consent to being tracked if given an actual, clear and explicit opt-in choice, if there’s absolutely no downside in refusing consent and no one is tricked into giving consent by dark patterns.

Websites should just abstain from processing personal data until the visitor does something that actually requires personal data (e.g. sign up, make a purchase, …). In those cases, most obvious processing of personal data can be done based on other grounds (performance of contract, legitimate purposes, …) so really there should not be any consent nag screens needed at all except for some very specific exceptional cases…