
(Un)Informed Consent: Studying GDPR Consent Notices in the Field [pdf] - Tomte
https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2019/09/05/uninformed-consent_Yl7FPEh.pdf
======
chris_engel
When I browse the web, it feels like 100% of websites do it wrong. Consent
needs to be active and cannot be enforced unless technically necessary.

Telling people "by continuing to browse, you accept our cookies" is wrong. You
need to clearly offer a decline option and you can NOT force people out the
door when they don't want to be tracked.

Nobody does this right.

~~~
TeMPOraL
Consent form is not needed when cookies are _technically necessary_. If user's
login state or shopping cart would break if they didn't store a _first-party_
cookie, you don't need to ask them for consent for that cookie (as long as
it's limited to that purpose).

In other words: if a site displays a consent form, it's _already doing
something wrong_. Not horribly wrong - that's why it's a consent form
requirement, and not immediate fine or jail time for the site operators - but
wrong nonetheless. GDPR is purposefully structured in such a way that consent
is needed only for things that are abusive to users, or were found to carry a
significant risk of being used to abuse users.

~~~
vonmoltke
> GDPR is purposefully structured in such a way that consent is needed only
> for things that are abusive to users, or were found to carry a significant
> risk of being used to abuse users.

What the regulators intend is one thing. What paranoid legal teams,
particularly common law legal teams, think is another.

------
iwalton3
Most of these opt-outs are nearly useless because they require so much effort.
(And of course this is by design.) I personally prefer just using uBlock
Origin and a DNS black hole. It's less effort, and it's more likely to prevent
abusive behavior. (And it also cleanses the internet of most advertising.)

------
buboard
It's true that most websites outside Google/FB etc. just don't get it right.
Makes you wish that Google/FB could silo in all the web's content so people's
privacy can be better protected.

~~~
chris_engel
I remember the FB consent process that was worded in a very specific way to
create fear within the user when no consent is given. That was not cool.

------
lioeters
The results explain why I keep running into Oath (and Q..something) popups
that only present a single button "Confirm" to give consent, with minimal
information on what that means. There's usually a de-emphasized link to change
the hidden consent settings, with a hundred checkboxes, all on by default.
It's downright insulting and malicious.

Choices (visible):

- No option (27.8%)
- Confirmation with no opt-out (68%)
- Binary (3.2%)

So ~96% of websites sampled are not GDPR compliant, inadvertently or
intentionally.

I agree with the conclusion of the study:

"The business model of online behavioral advertising, which targets ads based
on large amounts of personal data, should be challenged, and alternative
models like privacy-friendly contextual advertising or other ways of
monetization for web services need to be developed."

------
pintxo
> Our results further indicate that the GDPR’s principles of data protection
> by default and purposed-based consent would require websites to use consent
> notices that would actually lead to less than 0.1% of users actively
> consenting to the use of third-party cookies.

~~~
teddyh
Tough cookies.

