
Clarifying GDPR - bhalp1
https://dev.to/xowap/clarifying-gdpr-1gld
======
SheinhardtWigCo
I’m a US resident visiting my European home country for Christmas, and I’m
astonished at how much worse the web browsing experience is, now that the GDPR
is law.

The cookie notices of old have turned into full-screen modal dialogs that are
deliberately designed to be as obnoxious as possible. These dialogs list
hundreds of cookies under multiple tabs and are filled with legalese that any
normal person will immediately dismiss. A common trick seems to be to have an
“accept all” button that is prominently displayed, but if you want to reject
every cookie you have to click onto another tab, click a button to toggle all
the switches off, then click “save & exit”. The “save & exit” button is often
initially off-screen, and the worst offenders even disable elastic scrolling
on mobile to make it as annoying as possible to reach. These shenanigans make
private browsing mode particularly intolerable. I hope to see a legal
judgement that makes these dark UX patterns explicitly illegal, but I’m not
holding out hope. Either way, asking users to decide which third-party
companies can set cookies is plain stupid and ripe for abuse.

To this lay user, so far this law appears to be a complete disaster for web
usability, and business as usual for the big players (Google, Facebook,
Quantcast etc). In fact, you could argue that the GDPR concentrates power in
the hands of those megacorps. I am a privacy advocate but I think the GDPR is
a joke, at least as far as tracking cookies are concerned.

~~~
cpx86
I would expect to see at least some legal judgement against dark UX patterns.
I was quite heavily involved on the technical side in GDPR compliance (EU
company) and my understanding from the legal folks was that the regulation
strictly forbids at least certain types of UX patterns, e.g. opt-out is a big
no-no, consent should always be opt-in, you can nudge the user towards
consent, the purpose of data processing must be expressed in an understandable
language, etc.

------
icebraining
Seems good overall, but unfortunately the article reinforces the myth that the
GDPR applies to EU citizens. The regulation never mentions citizenship; for
non-EU companies¹, it applies to "data subjects who are in the Union". A
French citizen living in the US is not "in the Union", yet a US citizen
living in France is.

¹ EU companies/organizations have to apply the GDPR to _everyone_

~~~
ksec
So why can't we have a GDPR notice only for IPs coming from the EU, and the notice
will have a single accept-all button and call it a day?

GDPR is so much hassle right now that it hurts small businesses more than those big
Internet giants.

~~~
Doxin
"accept-all" style buttons are explicitly no longer allowed. This is a good
thing as now on most websites I get a decline option that actually works, as
opposed to previously where the options were "accept" or "gtfo".

------
CM30
Surprised it didn't mention that consent doesn't mean 'agree to everything or
get lost'. For many sites, it seems the only thing they do is ask you to agree
to every tracker in existence sight unseen or leave, with no option to choose
what cookies you want to allow or to view the content without them running.

Would also be interesting to see a legal critique of the equally common
practice of assuming the user gave consent the minute they scroll the page or
click anything on it. Seen a few companies argue that, and I suspect it's
probably not compliant with GDPR (no matter how they spin it).

