
GDPR – The Aftermath - aychedee
https://medium.com/tsengineering/gdpr-aftermath-8960feba768e
======
Nextgrid
I can see there are still major problems/loopholes in the GDPR.

First off, it doesn't mandate _technical_ measures to prevent tracking. Most
GDPR "consent management" solutions work by setting opt-out cookies - they do
not actually prevent any of the tracking crap from loading, and thus rely on
the trackers being honest (we all know how this ends, see "Do Not Track" for
an example).

Second, it doesn't enforce tracking being opt-in at a technical level - again,
most consent management solutions today set opt-out cookies, which means you
have to enable cookies (aka trade some _real_ security) to let the trackers
know you don't want to be tracked (honest trackers - if such exist - will
respect that and also disable non-cookie tracking like browser fingerprinting
so it's good in theory - however this now exposes you to dishonest trackers
who can abuse the fact you enabled cookies).

The second point becomes even worse when some tracker's answer to opting out
is to disable cookies, making it impossible to _completely_ opt out on a site
that uses both the kind of tracker that uses a cookie to opt out and the kind
that relies on the user disabling cookies to opt out.

Also, it has no consideration for tracking companies that defy the law and
(possibly) get away with it. A tracking company can claim they respect
privacy/opt-outs and thus a product that uses their solution becomes GDPR
compliant, even in cases where the tracking company has been caught lying many
times (Facebook) or its business model is at odds with privacy. I want to be
able to say "I do not want _any_ of my data or metadata shared with Facebook -
I don't care if you think it's legitimate interest because they claim they
won't use it for advertising" - at the moment I cannot do that.

Finally, reporting non-compliance is _hard_. In the UK, the ICO (the privacy
regulator) requires that 1) you contact the company directly (and try to make
them understand the problem which is hard work - imagine throwing the points
above at a typical customer support advisor) and after getting a final
response from them (after a reasonable time, which I guess is _at least_ a
week) you have to 2) fill in a PDF form, provide evidence of your contact with
the company and send all of that by email.

That is a _huge_ amount of effort. There should be a button in my browser or a
simple form on the ICO's website where I can provide the URL of the offending
page and be done with it.
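The combination described in the comment above, as an added example that is not part of the original thread: a small model of the three consent mechanisms it contrasts (opt-out cookie, opt out by disabling cookies, technical opt-in gating), used to check whether any browser setting lets a user stop every tracker on a page. Tracker names and the sample pages are constructed.

```javascript
// Browser state the user controls: cookies on/off, whether an opt-out cookie
// has been stored, and whether explicit consent was ever given.
const NO_COOKIES      = { cookiesEnabled: false, optOutCookieSet: false, consentGiven: false };
const COOKIES_DEFAULT = { cookiesEnabled: true,  optOutCookieSet: false, consentGiven: false };
const COOKIES_OPTOUT  = { cookiesEnabled: true,  optOutCookieSet: true,  consentGiven: false };
const USER_CHOICES = [NO_COOKIES, COOKIES_DEFAULT, COOKIES_OPTOUT];

// Does this tracker run for this browser state? (constructed models)
//   optOutCookie: runs unless an opt-out cookie is present (needs cookies on).
//   noCookies:    runs unless the browser has cookies disabled.
//   optIn:        runs only after explicit consent; the script is never
//                 loaded otherwise, so honesty of the tracker is not required.
function tracks(tracker, browser) {
  const optOutCookiePresent = browser.cookiesEnabled && browser.optOutCookieSet;
  switch (tracker.model) {
    case "optOutCookie": return !optOutCookiePresent;
    case "noCookies":    return browser.cookiesEnabled;
    case "optIn":        return browser.consentGiven;
    default: throw new Error(`unknown consent model: ${tracker.model}`);
  }
}

// For each user choice, list the trackers that still run.
function residualTracking(trackers) {
  return USER_CHOICES.map(browser => ({
    browser,
    stillTracking: trackers.filter(t => tracks(t, browser)).map(t => t.name),
  }));
}

// True if at least one user choice stops every tracker on the page.
function canFullyOptOut(trackers) {
  return residualTracking(trackers).some(r => r.stillTracking.length === 0);
}

// Constructed sample pages: one mixing the two opt-out styles, one opt-in.
const MIXED_OPT_OUT_PAGE = [
  { name: "tracker-A", model: "optOutCookie" },
  { name: "tracker-B", model: "noCookies" },
];
const OPT_IN_PAGE = [
  { name: "tracker-A", model: "optIn" },
  { name: "tracker-B", model: "optIn" },
];

console.log(canFullyOptOut(MIXED_OPT_OUT_PAGE)); // false: no setting stops both
console.log(canFullyOptOut(OPT_IN_PAGE));        // true: nothing runs until consent
```

With the mixed page, keeping cookies on leaves tracker-B running and turning them off leaves tracker-A running, which is exactly the impossible complete opt-out the comment describes.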

