
Only 9% of visitors give GDPR consent to be tracked - luu
https://markosaric.com/gdpr-consent/
======
blauditore
What really drives me crazy are prompts that start by showing two options:
"Consent to all cookies", or "customize". If you click "customize", it opens a
new modal window with a loading indicator that just doesn't seem to finish. I
literally waited 60 seconds and then tried again by refreshing the page,
ending up with another infinite loading indicator.

This means that users are de facto forced to click "consent to all". I'm not
even sure if that's legal.

Now, this was not some obscure small website, but the official Java
documentation on docs.oracle.com! They use some third-party service for that -
I just tried again, and though it worked this time, it still took 30+ seconds
to submit my settings. I have a very hard time to believe this has technical
reasons. Either this was made slow on purpose, or built by a bunch of morons.

/rant

~~~
beshrkayali
DockerHub uses a company/product called "TrustArc: TRUSTe" and they have
_exactly_ this method. The slowdown is intentional. People who come up with
these sorts of tactics and those who implement them should go to jail. It's beyond
infuriating. I've decided to not upload my images to dockerhub because of
this.

Edit: jail time is not for anger obviously, but for intentionally swindling
people. It'll be handled on a case by case basis obviously, but data is worth
something, people who swindle you out of your data are like those who scam you
in the street for your wallet, and as far as I know, there's jail time for
that.

~~~
dimitrios1
Causing you to get angry is all it takes to warrant justification for jail
time in your eyes? I am thankful you aren't in charge of any lawmaking.

~~~
ocdtrekkie
Jail time is probably the only suitable enough deterrent for adtech
nightmares. Fines are just treated as a cost of doing business expense, and
don't directly even hurt the terrible people making these decisions.

When someone commits a wrong, the punishment is in part based on the amount of
harm. You might feel that adtech causes small harms, if you look at harm
against an individual, but adtech folks harm _billions of people, every single
day_.

If you're Mark Zuckerberg, Larry Page, or Sergey Brin, no fine is large enough
to make you regret your life choices. The only way to punish billionaires who
get rich off harming others is to take away their time/freedom, the one thing
they can't just buy back. As long as corporate CEOs can't get jailed, crime
absolutely pays in this country.

~~~
drstewart
Most studies pretty clearly show that harsher punishments are not an effective
deterrent.

~~~
bitlevel
That may be, but a threat of jail hanging over a director or CEO may make them
take the correct course of action - effectively becoming the deterrent.

~~~
drstewart
It won't. Again, this is well studied.

[https://www.psychologytoday.com/us/blog/crime-and-punishment...](https://www.psychologytoday.com/us/blog/crime-and-punishment/201804/why-punishment-doesnt-reduce-crime)

~~~
ocdtrekkie
Your source doesn't actually apply well here. It talks about things like
substance abuse and addiction being reasons that criminals don't act
rationally to punishment as a deterrent. For white collar crime, there's a
very different set of circumstances in play. Crime is often just a business
decision based on risk and reward. Raise the risk and the reward becomes less
worth going for.

------
davidweatherall
The author's consent form is very simple and isn't using any shady UX tricks
to get the user to consent. One action will opt you in, one action will opt
you out.

I wonder what results you would see for something like yahoo, the daily mail,
reddit, or other sites that heavily rely on ad revenue, which attempt to force
the user to accept the cookies through non-obvious no buttons, or long
processes to opt out of cookies.

~~~
bambax
Why would anyone consent to be tracked if given a real choice? What are the
benefits? The 9% look like an error.

~~~
phito
I know people who just automatically click yes. I don't think they ever even
cared to read what it says. They just have the habit to click yes to every
prompt to "make sure it works"

~~~
AnIdiotOnTheNet
Decades of bad UI design have trained people to click away these kinds of
things without reading them. Even people like you or I who should otherwise
know better frequently do it.

------
chrisacky
I signed up for a new account on a fitness website yesterday. They track
health and food and diet you enter. Anyway, during the sign up they had an opt
out, I chose to do just that, however the opt out process then took over the
screen with a modal window, which gave a loading bar and took about thirty
seconds to complete... But guess what... There was a big CANCEL button. I
couldn't perform any action during sign up and opt out.

This was one of the worst dark patterns I've seen. PS. The app was
MyFitnessPal which I registered on recommendation but that felt so shady.

~~~
vorpalhex
I use "LoseIt" since MFP went overboard with having features and not a single
UI/UX review.

~~~
acheron9383
It really is impressive how many taps it takes me to do anything in MFP. Why
are there so many damn menus, I just want to input calories and see a counter.
It is so overly complex I just switched back to a legal pad and doing the math
by hand, it is faster.

------
perryizgr8
Fundamentally, the browser is the user's agent. Storing cookies, running
tracking scripts, etc. should be controlled by the browser. Some browsers may
take a strict "block everything" approach, some may be relaxed, and some may
harass the user with prompts. Users are free to choose the appropriate
browser.

Depending on websites to limit tracking on their own is very difficult,
since it is inherently against many websites' business model. They will keep
trying to bypass the rules.

~~~
JulianWasTaken
This is nice in theory, except the amount of fragmentation in 2020 is huge.

The average user simply cannot switch browsers.

The likelihood of encountering a website that breaks even switching from
Chrome to _Firefox_ is too much for any normal user to want to bother for just
these purposes. They'll switch back the minute they find a website that
doesn't work in their new browser, if they even get that far.

So unless you're suggesting "Chrome should make it more obvious how to clear
cookies automatically and/or not accept them at all" (which seems like quite a
UX challenge itself), saying "just tell everyone to switch browsers" just
isn't going to work I don't think.

EDIT: to finish the thought -- yes I agree, browsers should provide users with
choice, and switching browsers should be available to anyone who is unhappy
with the way their browser treats their data, but that can't be the _only_ way
-- otherwise, the average user will get left behind.

~~~
jaekash
> This is nice in theory, except the amount of fragmentation in 2020 is huge.

The GDPR popups are not nice in theory or practice.

~~~
JulianWasTaken
I think everyone agrees with this, and is now at the "what are we going to do
about it" phase.

------
Paianni
Surprised no one has mentioned the systems that, if opted out of, redirect
users to a 'privacy policy' page and won't allow access to content without
opting in.

Or the sites that don't bother with compliance and just show a message to the
effect of 'this site operates under a jurisdiction that may have different
privacy laws to your country' and leaves it at that.

~~~
Fradow
Those very much fall in the shady part.

The first option, redirect, is not GDPR-compliant, because then the "consent"
cannot be considered freely given, and thus is not valid.

The second option is really borderline, and could work out for a US-only news
website, for example (arguing it doesn't cater to European residents), but
would be non-compliant for a business which knowingly serves European
residents.

~~~
tzs
> The first option, redirect, is not GDPR-compliant, because then the
> "consent" cannot be considered freely given, and thus is not valid.

I don't quite understand the reasoning on that one. In Europe, and pretty much
everywhere else, there are a bazillion interactions every day in the form of
one party offering to provide some good or service only if the other party
agrees to something.

For example, the grocery store will only give me food if I agree to let them
charge my credit card.

Why is consent considered freely given when I give someone money for a good or
service because if I do not do so they will not provide the good or service,
but not freely given when I click "agree" on a privacy policy disclosure
because if I do not do so they will not provide the good or service?

~~~
elliekelly
Under GDPR consent can’t be “freely given” when it’s bundled as a condition of
service unless the consent they’re asking for is necessary in order to perform
the service. To use your example:

The grocery store doesn’t need to ask if you consent to paying for an apple
because if you didn’t consent there wouldn’t be any transaction to perform.

Now if you paid for your apple and the cashier said okay hand over your phone
so I can poke around a bit because there’s some fine print that says by nature
of walking through the front doors you agree to allow the store to look
through your phone. Did you consent to that? Of course not.

Consent wasn’t “freely given” because the store is requiring you disclose
information (the contents of your phone) as a condition of service (you can’t
even walk through the door without “consenting” let alone make a purchase) and
that information isn’t necessary in order for the store to complete the
transaction.

GDPR says they have to ask you first (usually in the form of a giant
irritating banner as soon as you walk in the door) and that if you say no they
have to let you buy your apple anyway.

~~~
ohmaigad
> GDPR says they have to ask you first (usually in the form of a giant
> irritating banner as soon as you walk in the door) and that if you say no
> they have to let you buy your apple anyway.

Can you link to source for this (the part that says you can't deny access)?

~~~
elliekelly
Perhaps I’ve oversimplified a bit. GDPR has a paragraph that’s often called
the “coupling prohibition” - Article 7(4):

> When assessing whether consent is freely given, utmost account shall be
> taken of whether, _inter alia_ , the performance of a contract, including
> the provision of a service, is conditional on consent to the processing of
> personal data that is not necessary for the performance of that contract.

It somehow says a whole lot and not much at the same time. Since every member
state and everyone who has to comply needs to interpret what GDPR means there
are various “recitals” that offer official guidance. One of those is Recital
42 - Burden of Proof and Requirements for Consent[1] which says:

> Consent should not be regarded as freely given if the data subject has no
> genuine or free choice or is unable to refuse or withdraw consent without
> detriment.

So a person must be able to refuse consent “without detriment” and the company
is meant to provide an equivalent, but necessarily identical, service to those
who do not consent.

What that means exactly is, of course, the subject of much litigation. For
example is it a “detriment” to require a subscription fee to those who do not
consent to information sharing? So far one ruling (Austria) has said no,
provided the fee is reasonable while another (UK) has said yes, the equivalent
service must also be free.

As far as how the coupling prohibition should or will apply to a company like
facebook - where harvesting user data is the _entire_ business model - I think
that is yet to be clearly determined. As are most of the nuances and
technicalities in GDPR.

Edit: I should also note that consent is just _one_ avenue to legally allow a
company to process user data under GDPR. It’s not the _only_ avenue.

[1] [https://gdpr-info.eu/recitals/no-42/](https://gdpr-info.eu/recitals/no-42/)

~~~
ohmaigad
This really shouldn't be left to interpretation, both Article 7(4) and Recital
42 define what is "freely given consent" and in no way limits the actions I
can take as a site owner. It is clear that a "cookie wall" isn't considered a
"freely given consent" so you can't process personal data based on that.

~~~
elliekelly
Correct you can’t process personal data based on it. And the underlying
implication is that _none_ of the consent you’ve obtained via a cookie wall is
valid because you haven’t given _any_ users the opportunity to “refuse without
detriment” (because their options are to consent or see nothing). So the
information you’re processing on behalf of users who clicked “I agree” - even
the users who _do_ in fact knowingly and willingly agree to the information
processing - might be lacking a legal basis.

------
TekMol
I would say that it means 9% of visitors "click away" any banner they see
without reading it.

And usually clicking "yes" will do away with the banner in the most hassle free
way.

I am surprised the number is so low.

I surely click "Yes" on any banner immediately without reading it.

My guess is that the number was so low because his banner (by its simplicity)
looked unusual enough that many people read it.

With the typical spammy pseudo consent banner, the number would probably be
much higher. Even without dark patterns. People are just trained to click yes.

~~~
dottedmag
It'd be interesting to perform another test, with "No" and "Yes" buttons
swapped (and the banner text updated accordingly).

------
Fiveplus
The article says mobile users are more likely to engage with the banner.
Rightly so, cause it takes up precious screen real estate. What are some ways
I can protect myself more when browsing the web through my phone?

~~~
encom
Depends on the phone, but generally you can't protect yourself as well as on
PC, because phones (sadly) are locked down devices running proprietary
software. Best you can do is probably DNS-level blocking.

~~~
maest
Firefox on Android with ublock works just fine.

~~~
distances
Additionally, set Firefox to clear all data when selecting Quit from the menu.
It's then easy enough to do a reset of any lingering bits every now and then.

------
yladiz
I helped implement a consent tool in our SaaS product that has users from a
lot of different regions, many of which are more technical/"developer
persona", and the tool we use isn't shady (it depends on the region, but for
example in Germany it is opt-in by default and the options are presented
immediately rather than behind a modal).

During the initial stages we had worried that consent rates would be low, and
while Germany was "low" at around 70-75%, we found that overall consent rates
across all countries were 90%+ with exceptions for Germany, France, and a
couple other European countries. This was consistent across both the
application and our marketing website, and across 10s of 1000s of users.

So while I don't doubt that the author ran an experiment and got these
results, I strongly disagree that you will get "only 9%". Specifically, these
lines in the blog post:

> And if you give them an easy way to ignore your banner or to say no to be
> tracked, most of them will simply do that.

> Most web users will simply select “no to tracking” once in their browser and
> the browser will block all the trackers for them as they surf the web.

is not correct, at least from my experience, and it absolutely can't be used
as a blanket statement like this. Of course my anecdote is, well, anecdotal,
so take it with a grain of salt, but I don't think it's fair to say that users
will simply reject it no matter what, and it really depends on both context
and trust levels.

------
lmilcin
I would say of 9% who gave consent the vast majority gave their consent
through error, deceit or because they don't know what tracking really means
and they wanted the service anyway.

Why not outright outlaw opt-out tracking and be done with this silly state of
things?

There are legitimate uses of tracking and any company would still be able to
provide it for the users, but you would have to have legally binding contract
and opt in for the service.

~~~
Nextgrid
Tracking already has to be opt-in according to the GDPR. The issue is that the
GDPR is not enforced so sites get away with non-compliant consent prompts.

~~~
WealthVsSurvive
The issue here simply seems like enforcement needs to be formalized to be as
cost-effective and simple as possible. It starts with fines, ramps up to full
investigations if bad faith is shown. Turns out when you write laws they also
need to be enforced.

------
cpcallen
Ironically, if you disable cookies in your browser you won't be able to see
the images in this blog post.

~~~
RealStickman_
Works for me on Firefox mobile with cookies blocked in the settings.

~~~
drcongo
Works for me in Safari with cookies blocked too.

------
Angostura
I'm one of those strange people who will happily opt in to your Measurement
cookies and opt out of the other stuff.

------
cm2187
Unless they do browser fingerprinting, the number will be overinflated by all
the people like me who clear their cookies regularly, if not on every browser
session, and are therefore re-asked consent on every single visit.

~~~
innocenat
I'd imagine the people who do that to be a very small percentage.

~~~
lysium
I know many people who only browse in incognito mode.

~~~
smilespray
I do, too, but fingerprinting still works for these people. In fact, using
Incognito Mode is part of the fingerprint.

------
franciscop
I tried your website Metomic and I really like the preview example! The
preview, overlay, etc. is very well done.

------
fabiospampinato
I hate ads as much as everybody else, and this reads to me like "given the
choice only 9% of people would pay for their meal", should we forbid charging
for food then? Probably not.

As sad as the current ads-powered internet is becoming I haven't seen any
promising viable alternative, and sure non-tracking-based ads is not the same
thing as having no ads, but it significantly moves the needle in that same
direction in terms of revenue.

~~~
alkonaut
A meal paid for by money is a transaction where both parties understand what’s
being exchanged. Not paying for it is criminal.

A viable alternative: show non tracking ads and see if it keeps the lights on,
otherwise shut down?

~~~
fabiospampinato
> A viable alternative: show non tracking ads and see if it keeps the lights
> on, otherwise shut down?

I'm not sure that'd be viable in general, like what would the economic impact be
globally if all websites that barely can manage to keep the lights on today
because of effective ads just disappeared? Maybe the impact could be even
positive, like by disallowing politically very-targeted ads, among all other
kinds of targeted ads, maybe we can prevent idiots from being elected, but if
I had to guess I'd say I wouldn't like to see those websites disappear.

Like imagine if YouTube disappeared because it can't make enough money to host
all that staggering amount of content.

~~~
ianhorn
I wouldn't miss it. If they can find a viable non-tracking business model, I'd
imagine most would. People used to pay for newspapers so there's pretty good
precedent.

~~~
fabiospampinato
I have friends who a few years ago switched away from WhatsApp because it was
charging 1 buck per year, and for that amount of money they gave you instant
global unlimited text messaging, and those same people would have happily paid
10x that for a one-time meal.

I think you are grossly overestimating how much the average person is willing
to pay for a digital service.

And I don't think newspapers are a good precedent given how nobody buys
newspapers anymore, compared to pre-internet levels at least.

------
AnthonyMouse
I wonder how much of this is the Lizardman constant. Do people even exist who
actually volunteer to be tracked in exchange for nothing?

~~~
WealthVsSurvive
No, the entire transaction relies on coercion and/or deceit. If companies
aren't going to listen, maybe it's easier to just ban any sort of unnecessary
tracking across the board in order to cut down on enforcement costs, so it
stops becoming a process and more of a draconian whip. We tried the carrot,
it's time for the stick!

------
12bits
If I need to figure out what they’re actually asking I’m out. This article
makes it clear the majority of these consent boxes are not really compliant.
On a side note if someone says they’re in advertising I automatically hate
them, this is terrible I know, but they’re usually pompous assholes and that’s
how I feel of that industry as a whole.

~~~
latexr
> if someone says they’re in advertising I automatically hate them

You might enjoy Bill Hicks’ take:
[https://youtu.be/tHEOGrkhDp0](https://youtu.be/tHEOGrkhDp0)

------
amelius
The real question is: is the other 91% not being tracked?

~~~
smilespray
Of course they're being tracked through any and all means. The whole adtech
biz is one big shady shitshow.

You can probably count the ethical, law-abiding adtech firms on one hand.

~~~
distances
I work on mobile apps, and I can promise there's no tracking on the apps I've
been building if you opt out. The SDKs I've seen seem to do what they promise:
no communication to backend when tracking is disabled.

Of course, I can only speak for the apps I've been building and SDKs I've
used.

~~~
smilespray
Do you have to explicitly opt out to stop tracking? If so, are you sure your
apps are GDPR compliant?

~~~
distances
They are not my apps per se, that part is for the company lawyers. I'm just
taking care of the technical implementation. It's always some way of opting
out/opting in during the onboarding.

------
oregontechninja
One click opt out should be mandatory. It's obviously unscrupulous to force
you to go through several pages of text when I could've clicked one button.
Most of the time I just use a special blocker script or reader mode.

~~~
hedora
One click opt-in, zero click opt-out would be better.

------
red_admiral
General rule: most people pick the default option if there is one. For
example, organ donation [1]: Germany and Austria are culturally very similar,
but in Germany 12% of citizens are organ donors and in Austria 99%. The
reason: Germany is opt-in, Austria is opt-out.

The interesting thing about GDPR is it officially bans "opt out" tracking
cookies - you need someone's consent, although lots of sites interpret that in
a way which ... let's just say if they applied the same standards of consent
to their private lives they'd very quickly find themselves at the center of
the next #MeToo campaign.

GDPR does allow you to make the "Yes" and "No" buttons the same size, so
"equal choice" rather than "opt in" - maybe that gets you better conversion
rates?

[1] [http://www.behaviouraldesign.com/2015/08/11/why-99-of-austri...](http://www.behaviouraldesign.com/2015/08/11/why-99-of-austrians-donate-their-organs/)

------
sloshnmosh
Now is a good time to remind users that an easy way to remove large cookie consent
banners from view is to use uMatrix to block CSS and refresh your browser.

Gorhill’s browser extensions are a must when browsing the web these days.

------
dwild
The position of the "no" is what made the most difference. My SO constantly
clicks on "Ok" without thinking. The number of times she told me something
didn't work, I asked her for the error, she said there was none, I then ask
her to reproduce the problem and then she mechanically clicks on "Ok" of an
error warning...

Is it really less disingenuous to place it to fit what HE wants versus what
SOMEONE else wants? Both still abuse this mechanic... it's just the goal that
we agree with.

------
Shared404
"On the lifestyle site, three permissions were being asked for. Web statistics
(Google Analytics), personalized advertising (Doubleclick) and social media
sharing (Pinterest).

Only 1 person out of the 774 who opted into being tracked drilled down and
made a more granular choice. That visitor said no to stats but said yes to
advertising and social media."

This seems weird to me. Why would you block google from getting the
statistics, and then give it to them anyways via doubleclick?

------
chrisxcross
Relevant Study examining different types of banners and their impact on
interaction:
[https://dl.acm.org/doi/10.1145/3319535.3354212](https://dl.acm.org/doi/10.1145/3319535.3354212)
(Preprint:
[https://arxiv.org/pdf/1909.02638.pdf](https://arxiv.org/pdf/1909.02638.pdf))

------
veselin
There are some sites (e.g. sites by Vox Media like TheVerge) that are outright
illegal according to GDPR. There is only "Accept" and cookie information links
that don't include any opt-out options. This is not just a dark pattern, but
actually not having the settings on the site. Maybe I can email them not to
track me. I wonder why aren't they fined a few hundred millions so that this
kind of practice stops.

So my guess overall is that GDPR is not enforced at a larger scale and we are
very far from enforcing the requirement to have "Accept"/"Decline" buttons
equally usable.

------
jiveturkey
complain complain complain. these threads exist so that people can gripe,
together. it's tiring.

instead let's talk about solutions.

safari's cookie and localStorage policy is great and automatic. beyond that,
firefox containers are good, albeit effectively limited to isolating a few
"top sites" like FB. and then of course, UBO, ABP, ghostery and the like.

it's actually not that hard to take a few small steps (or just do the default
things on MacOS) to stop this from affecting you, without impacting your
(ahem) user journeys.

first-order fixes are easy. now let's get ahead of these assholes and work on
fixing fingerprinting.

TFA is ironically quite interesting in that it itself is SEO content, aka an
ad. targeting those that care about not being targeted. i, for one, have
bookmarked it.

------
argon81
Wait. You tracked users after they opted out of tracking? How else did you get
this data?

~~~
GlitchMr
It's not personal data, so it's not under the scope of GDPR.

~~~
BeniBoy
Yeah, no. This is about the ePrivacy directive, if you don't have proper consent,
you can't read/write tracers regardless of whether this is personal data or
not, except for tracers needed to establish the communication or demanded by
the user (carts, login, etc).

EDIT: Thought about it, and if you only record the button click and do not
identify the user, it works, and I am wrong! In general ePrivacy is very
restrictive, only about access to terminal and not about personal data (and
btw PII is not a GDPR thing, we say personal data), but here it's ok! So
yeah, no to me!

~~~
kevsim
There’s no tracer. Just a counter of how many said yes vs how many said no.
There’s no personally identifiable information there

~~~
afiori
the downside of this method is that it is impossible to discard duplicated
negative answers.

~~~
iso1631
Functional cookies (e.g has displayed banner to this user) are fine, you don't
need consent

------
morpheuskafka
There is a setting in every web browser that controls which sites can store
cookies on your computer. They are a core part of the standard web
specification along with JavaScript, <img> tags, etc.

If you need a reminder every single freaking time you visit a website, that's
your problem not the government's. If you don't want them, turn them off in
your browser, install a blocking/auto-wipe extension, use lynx, whatever you
want.

Now, I completely agree that websites should clearly state what they are doing
with data the user uploads, if it is end-to-end encrypted, etc. The user
otherwise has no way of knowing, and it is material to assessing the accuracy
of the often-BS "military-grade security"-type marketing and other claims like
that. But there is no need for users to "consent" to using a public API of
their web browser.

------
jyriand
I’m wondering if i should implement the consent prompt myself or use some
plugin? If i were to implement it myself is it enough to give two options
Yes/No or does the law require me to give some additional customisation
options?

Edit:typos

~~~
Macha
A "I do not consent to any of this" option that you actually respect is
perfectly compliant. All of these granular options are to "provide full
control to allow users to customise the partners that they trust" (read: extra
complexity to put off users exercising their right to not be tracked, plus the
marginal improvement to telemetry from the 1% of users that will allow google
analytics but not ad tracking).

That said, you do need to inform users of who specifically they're sending the
data to (and what they're going to do with it) in the consent option. So "Yes,
track me with all your unspecified partners" doesn't quite cut it for the yes
option.

------
pcora
I for one have been enjoying the verge and weather.com without any crap or
slowness.. just ignoring the consent at the bottom :P

for websites that do not allow me to navigate or do not have a refuse button,
I simply navigate away.

------
lowwave
If allowed. NO Body, and I mean No Body wants to be tracked in any kind of
way.

~~~
hobofan
Sure I do. I opt into any kind of "voluntary user experience research"
tracking that a lot of desktop apps offer. As long as a website does the same
thing (and doesn't try to gather PII to tie it to my identity), I'm also open
for it.

------
wnmurphy
When you're made aware of the tracking, why would anyone willingly choose it?
It's a sad state of the internet when you're doing 90% of your Google searches
in an incognito window.

------
jacquesm
The worst offenders are the ones that give you instructions on how to disable
your ad/tracking blockers. If I wanted them disabled I wouldn't have them in
the first place.

------
serpent
I'm actively working on a cookie banner blocker for iOS. Feedback, questions
and suggestions appreciated!

[https://213tec.com](https://213tec.com)

------
dang
Current related thread:
[https://news.ycombinator.com/item?id=23757272](https://news.ycombinator.com/item?id=23757272)

------
hedora
This law (and the California one) should be amended so that it takes the same
number of clicks to opt in as to opt out, and so that ignoring the banner is
an opt out.

~~~
richv
This is actually already the case with the GDPR, just very few websites
practise it that way

------
bewareandaware
I must say I'm really surprised. I'm a frontend developer and probably more
keen to keep an eye on this stuff but there are lots of times where I just say
yes because the popup is in-my-face and I just want to scroll to the content.

I guess where the article falls flat is where the author says a "proper GDPR
content banner" was implemented. No online publication will do this. At least
they will trick you with button colors, or some kind of double negative mind
trick. Sometimes they will require you to tick all the checkboxes out.

GDPR was a good idea from the start but its implementation is rather dull -
they shifted responsibility to each country without penalization for relaxed
enforcing, and now there are countries like mine (Portugal) where we have less
than a hundred fines.

~~~
_Understated_
> but there are lots of times where I just say yes because the popup is
> in-my-face and I just want to scroll to the content.

I am exactly the same. I use UBlock Origin and Privacy Badger so pretty much
nothing gets through anyway but just to get rid of the banner, I click on OK.

However, that being said, I only do it if the other choice is "Manage
Preferences" or something equally vague: If I am given a clear yes-or-no
choice, I always choose "No".

~~~
8fingerlouie
> I use UBlock Origin and Privacy Badger so pretty much nothing gets through
> anyway

And yet the cookie is still there and can be used to track you. They don't
need to serve you ads to track you. A simple check for the presence of the
cookie is enough to track.

------
rendall
I usually reopen the site in private / incognito and "agree all". I don't
trust these sites to abide by the modal agreement anyway.

------
IshKebab
I've noticed on most sites even if you click deny you still get tracking
cookies. Enforcement is nonexistent.

------
marvinblum
This is one of the reasons server side tracking becomes more and more
important. Even if users agree, tools like uBlock block client side scripts
like Analytics. I build a library for Go [1] to solve this. Check it out!

[1] [https://marvinblum.de/blog/server-side-tracking-without-cook...](https://marvinblum.de/blog/server-side-tracking-without-cookies-in-go-OxdzmGZ1Bl)

------
qxxx
20 years ago we had popups, popunders, etc... nowadays we have this crap. I
don't care about GDPR, I don't care about cookies... I just want the content.
That's why I use a browser extension called "I don't care about cookies" which
removes these things from websites.

Accepting to GDPR / Cookies: This should be some kind of a web standard,
built inside a browser so user can accept it once, ignore or whatever, but
seeing this on every website drives (drove) me nuts.

------
K0nserv
This research is interesting because it's highly relevant given Apple's
upcoming changes to tracking consent in iOS 14. Unlike the DNT[0] header Apple
are in a position to enforce apps actually respecting the user's consent
preference, either by technical means or by kicking offending apps off the App
Store. The walled garden has many problems but this is one of the benefits.
Given that almost all apps and websites have implemented GDPR's consent
management in a supremely user hostile way[1] that is far from an equal binary
choice I suspect we'll see much higher opt out rates in iOS 14. I've seen
people argue that users will just continue to click accept at high rates as
they do with current consent management solutions, but I think this is the
wrong analysis. Users click accept precisely because the amount of effort
required to opt out is unreasonable, when both options require equal effort
the number of users clicking accept will plummet.

0:
[https://en.wikipedia.org/wiki/Do_not_track_header](https://en.wikipedia.org/wiki/Do_not_track_header)

1:
[https://twitter.com/K0nserv/status/1279361112627167234](https://twitter.com/K0nserv/status/1279361112627167234)

------
ThePhysicist
Small changes in UI can have a significant effect on acceptance rate. I'm
developing an open-source consent tool (Klaro -
[https://klaro.kiprotect.com](https://klaro.kiprotect.com), Github:
[https://github.com/kiprotect/klaro](https://github.com/kiprotect/klaro)) and
where to put the different buttons, which colors to give to them and how easy
to make opt-out is a large debate in our community. By default we favor a very
user-friendly approach but we give our users (i.e. the website owners)
different ways to ask for consent: A mandatory modal, a consent flow that
accepts all cookies/apps (or customize) and a consent flow that accepts only a
pre-selection of cookies/apps by default. In every flow there's a "Decline"
button that visitors can use, so declining consent is just as easy as giving
it. Most website publishers prefer the "Accept all" flow as they usually have
a good reason for including a given app/tracker on their website, so only
choosing a subset doesn't make much sense. A few sites also implement the
mandatory flow, where the visitor won't be able to see the website content
until he/she has chosen to either give or decline consent (and again, both
options are equally simple to reach).

From a GDPR and ePrivacy perspective it's clear that opting out needs to be
just as easy as opting in. Most websites violate this principle as opting in
is in fact way easier, and often the UI is designed to be deliberately
confusing to the user.

IMHO the consent problem is one of the central unsolved issues in privacy though,
as most people would not opt-in to tracking if they were given a real choice.

~~~
wongarsu
I now see a lot of websites complying with the "opt-out as easy as opt-in"
part by giving you checkboxes for configuring your cookies, with a faint "save
choice" button that effectively opts out, and a really obvious, well
contrasted "accept all" button. I think that ticks all checkboxes of the law,
while still being an obvious dark pattern designed to trick the user into
opting in.

------
jillesvangurp
Of course they don't; and even if they do, their browser might still block the
cookies or discard them frequently.

Tracking effectively is getting harder both technically and legally; and
that's a good thing long term but leads to chaotic and desperate behavior
short term.

Long term, there are three ways to adapt:

- drive users to apps instead of browsers. E.g. Google and Apple do this: they
  serve most of their news via apps where they control the ad experience,
  tracking, and user signin. There are no anonymous users there. GDPR still
  applies of course but practically speaking users only have the choice whether
  to use it or not. And none of the legalese specific to browser based things
  like cookies apply.

- tap into other sources of revenue (subscription based, sponsored, donations,
  etc). Ad revenues have in any case been declining for lots of news sites so
  this is something they need to do in any case.

- switch to non personalized advertising that can still be lucrative if you
  have access to large amounts of users. E.g. most big brands still advertise
  this way and still lots of money floating around here. No cookies required.

------
simias
I enjoy the GDPR if only because it forces websites, even big ones like Google
or Reddit, to show me that they value tracking me over everything else, even
if it means ruining the user experience and using every dark pattern in the
book.

Those websites that are usually all about streamlining and reducing friction
to a maximum suddenly don't hesitate to trick me into a maze of slow-loading
menus with weird conventions and a purposefully broken and confusing UI in an
obvious attempt to trick me into opting in by mistake, even though the mere
fact that I clicked the "more options" button means that I'm almost certainly
looking to opt out.

These are tactics that I expect to encounter on shady websites, not some of
the biggest websites in the world.

Advertising is a cancer that offers next to no added value in our
hyper-connected society. Tricking people into seeing ads to trick them into buying
stuff they don't need has become the foundation of the web economy. An utter
travesty that puts our industry to shame.

------
germinalphrase
So we have an entire industry built upon a coercion? Gonna be a long fight.

------
miki123211
In my opinion, GDPR, if properly enforced, is going to be a disaster for many
users.

Not everyone can pay for the content they consume. Some people are poor, under
18, live in a country where Visa/Mastercard isn't widely supported or can't
pay for some other reason. Internet has made the lives of those people much,
much better. They definitely prefer being tracked over having to pay for
Facebook, Snapchat, Youtube and all the other sites they use. GDPR forces
providers to provide their services to customers who opt out of tracking, and
most of them will. That means switching to a payment-only model is going to
become the only viable option, hurting a large part of the population.

The "just force them to pay" attitude that I often see here is extremely
elitist. For someone making six figures, being tracked matters. For someone
barely scraping by or without a credit card, that's an acceptable price to pay
for all the goodies they get.

------
lessname
Still, many web sites make it hard for their users to opt out of tracking.

~~~
cuu508
Or, they set their cookies first and then ask.

Or, they don't ask anything, and just set their cookies. (case in point: each
and every status page by Atlassian Statuspage)
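
Added example, not part of any comment in this thread: one way to check the "cookies set before asking" behaviour described above is to capture the `Set-Cookie` headers of a first page load, before any banner interaction, and list the persistent ones. The sample headers are constructed, and the one-day `max_days` triage threshold is an assumption, not a legal limit.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie values seen on a first page load,
# before the visitor has answered any consent banner.
SAMPLE_PRE_CONSENT_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "visitor_id=7f3e; Max-Age=63072000; Path=/; Domain=.example.test",
    "ad_uid=991; Expires=Tue, 01 Jan 2041 00:00:00 GMT; Path=/; SameSite=None; Secure",
    "consent_shown=1; Max-Age=86400; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def lifetime_days(attrs, now):
    """Return the cookie lifetime in days, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit_pre_consent(headers, now, max_days=1):
    """List cookies set before consent that outlive max_days."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        if days is not None and days > max_days:
            findings.append({
                "name": name,
                "lifetime_days": round(days, 1),
                # SameSite=None means the cookie is also sent cross-site
                "cross_site": attrs.get("samesite", "").lower() == "none",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_pre_consent(SAMPLE_PRE_CONSENT_HEADERS,
                                     datetime.now(timezone.utc)):
        print(finding)
```

Session cookies and short-lived banner state are not reported; whether a reported cookie actually needs consent still has to be judged from its purpose.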

------
pyepye
Before I found out about ublock origins filter lists I always wanted to
opt-out of these GDPR cookie banners, modals etc but I got a lot of fatigue having
to follow all the steps for each website.

I tried to make an open source extension to try and do it for me:
[https://github.com/pyepye/GDPR-opt-out](https://github.com/pyepye/GDPR-opt-out)

Although I hit a snag where some GDPR banners / buttons didn't return when
using `querySelector` in the extension but do when you use the inspector /
console and do it manually.

Does anyone know why and how to work around it? It was always something I
wanted to know why but didn't find the time to dig into (and wasn't important
while using ublock origin)

------
grx
Regarding "engagement rate": is your banner filtered by ad blockers? In my
session, there's no banner displayed. Could also be a hint on why mobile
browsers are more likely to enable engagement, since they might lack CSS
filtering techniques (used to hide the banner).

Other point: third party hosters. It's good to see you as the website creator
put effort into GDPR compliant behaviour! Did you also include Netlify and
your GDPR-provider into the evaluation? Do they use additional tracking
technologies?

btw, your post was copied to
[https://www.facebook.com/BloggersWorldToday/posts/6238368718...](https://www.facebook.com/BloggersWorldToday/posts/623836871864402)
fyi

------
hmd_imputer
yet another EU law with tons of loopholes.

------
monadic2
It’s like ads are something nobody wants.

------
2T1Qka0rEiPr
> But writing is on the wall. If your business model requires user consent,
> chances are that your business will suffer if and when GDPR gets enforced.
> The implication of users not giving the required consent is that the ad-tech
> industry might collapse.

Is the writing on the wall? GDPR came into enforcement over 2 years ago, and
I'm not aware of improvements having been made with respect to clarity,
because I'm not aware of any punitive measures actually having been taken.
Would love to hear comments to the contrary.

------
alkonaut
The GDPR is designed to be explicitly opt-in. Given compliant consent dialogs,
of course very few opt in. Hopefully few enough that keeping the tracking
infrastructure just for that minority isn’t worth it.

The GDPR is and should be effectively a ban on tracking ads once sites
actually comply (or, in many cases - leave the EU market or go under instead).

Whether the alternative is a good solution for paying for content or if it’s
the end of the majority of content online isn’t really interesting as both
outcomes are better than the status quo.

------
billysielu
We value your privacy. Accept.

------
jefftk
This looks like an ePrivacy (cookie) consent dialog, and not a GDPR dialog?
[https://markosaric.com/wp-content/uploads/gdpr-banner-on-mob...](https://markosaric.com/wp-content/uploads/gdpr-banner-on-mobile.jpg)
It's asking for consent to store cookies "to power statistics".

------
coldtea
GDPR consent should be mandated for, added, and enforced at the browser level.
Not a different popup for every website, but some way for the website to
include some JSON say and have its rules shown in a browser native UI.

And once set, the browser should pass the user decisions to the website, and
enforce those that can be enforced locally (at the browser level).

------
dariosalvi78
is this the end of tracking in the ads industry? Hopefully so.

------
paulie_a
The amazing thing is that the vast majority of websites do not even need to
display a warning or anything. The gdpr doesn't apply to vast portions of the
internet. He it doesn't apply to the vast majority of the internet

------
sergeykish
Why would one need GDPR consent for a blog?

Privacy Policy should be enough for server logs (without PII). It would be
nice to have standard Privacy Policy though (like we have MIT, BSD licenses).

~~~
nicbou
I run a blog. It has Google Analytics. I could probably host my own analytics
solution, but that's not easy. I'll get to it eventually, but content benefits
my users more.

I need analytics because this blog pays the bills. I need to see what works
and what doesn't. When building partnerships, I'm usually expected to share
some numbers with them. It also lets me spot issues with the website.

~~~
sergeykish
Thank you, I understand convenience for author / inconvenience for reader.

I do not use Google Analytics but it looks like it is possible to disable
Cookies [1], anonymize IPs, disable data sharing with google [2]. Effectively
making it almost third party server logs analytics (no consent required).
Would remaining functionality be sufficient for you?

[1] [https://law.stackexchange.com/questions/36105/can-usage-of-g...](https://law.stackexchange.com/questions/36105/can-usage-of-google-analytics-without-consent-be-considered-a-legitimate-inter)

[2] [https://law.stackexchange.com/questions/35528/is-it-really-p...](https://law.stackexchange.com/questions/35528/is-it-really-possible-to-use-google-analytics-without-consent-and-if-so-why-ex/35587#35587)

~~~
nicbou
Yes, that would be far more than I need. That's the problem, actually. I could
track a fraction of that and be really happy.

I tried Plausible today, but their event handling is completely insufficient
for my needs. It's basically a key-based counter. The keys have to be created
in advance, and can't be categorised. This means I couldn't track outbound
clicks without first creating a new event for every known URL on my website.
It just doesn't work.

It's a shame, because I loved every other aspect of Plausible.

------
black_puppydog
Assuming for a moment that the test websites didn't give a specific reason to
trust them more or less than any other website operator. This means that if
your website has significantly _more_ than those 9% consent, you're either
perceived as very trustworthy, _or_ your GDPR banner is confusing (or, less
charitably, deceiving) users.

Would be interesting to see how the consent rates for big offenders like
techcrunch, newspapers etc are. IIRC there were specific studies about which
brands are _trusted_ by consumers, and Comcast et al. didn't fare all that
well in those.

~~~
rightbyte
I tried Tech Crunch without adblocker and I would have to click out 16
"partners" after clicking "read more" two times. There is like hundreds of
"IAB Partners" of which an unspecified amount need separate opt-out on their
websites. It is not clear if "select all" opts out or in on the "IAB
Partners".

So I guess _exactly zero_ visitors opt out there in the intended way. So 100%
"opt-in".

I tried to opt-out from all to see how many cookies would be set anyway but
gave up after 5 minutes.

~~~
3131s
Yes, I've also seen the GDPR notices where there is no "select all" function
and you have to manually disable hundreds of separate options.

------
orangecat
This is why the GDPR is a bad law. Of course nobody wants to be tracked. If
you believe that the harms of tracking outweigh the benefits of increased
revenue, then just ban tracking altogether. Instead, the GDPR incentivizes
sites to come up with these dark patterns so they can claim that users
"voluntarily" "consented", when everyone knows that's not the case.

------
dwaltrip
How can we report websites who use the blatant dark patterns? I’m sure they
must be violating GDPR.

------
PietdeVries
How cynical - an article further down (Two young scientists built a $250M
business using yeast to clean up wastewater) links to Forbes.com that indeed
allows me to set my tracking preferences. However, anything other than 'accept'
will result in a message stating 'we are processing the request <snip> this
may take up to a few minutes'. So they can set hundreds (yeah - that is right,
I have seen pages tell me they wanted 500+ cookies to set, some of them to
last 20 years) of cookies in a second or so, but will take minutes of me
waiting for the page to show while they 'process my preferences'?!?

~~~
Silhouette
This is like the companies that mysteriously lack the ability to unsubscribe
you from their mailing lists in less than 30 days, even though plenty of us
manage to run systems that normally do it in real time.

~~~
jtnjns
There is an interesting Twitter thread about how this process worked in a UK
bank, although their turnaround was about 4 days

[https://mobile.twitter.com/Joe8Bit/status/115631296526570701...](https://mobile.twitter.com/Joe8Bit/status/1156312965265707013)

------
dr_dshiv
GDPR opt-in questions train people to accept forms without reading or
thinking. I think this will be dangerous.

And I'm really irritated that I can't access local news sites in America
because they aren't compliant -- so they blanket ban European access. That's
deeply problematic.

~~~
Mirioron
> _And I'm really irritated that I can't access local news sites in America
> because they aren't compliant -- so they blanket ban European access. That's
> deeply problematic._

The usual answer I get when I complain about this is either "It doesn't happen
to me" or "They wanted to steal your data. You're better off without being
able to use their site."

I've yet to be convinced by either argument as a European. It's almost like a
knee-jerk reaction by some Europeans that if Americans do something we don't
like then they're automatically in the wrong.

~~~
afiori
I personally see it as usual business of the internet. Every country has their
rights to regulate internal markets and every company needs to decide how many
markets to cover.

Personally I like GDPR more than no-GDPR and think that it would be nice if
the US had a GDPR compatible regulation (as in the EU and the US
diplomatically agree that it is enough for US companies to respect the US
regulation and for European companies to respect the GDPR to be compliant
under both). On the other hand as the law stands I appreciate that they take this
law seriously, even if not in the way I would like most.

Overall I do not think that losing access to local US news sites warrants
remaining in a GDPRless world.

~~~
Mirioron
But it's not just local US news sites. Plenty of other businesses won't do
business with Europeans as a result. Even video games shut down over this
(Ragnarok online, I believe). But the real question is the signal GDPR sends -
how many online businesses will simply not get created (especially in Europe)
because of GDPR? The nebulousness of the situation is why I've decided to not
create at least one website before. I'm sure the lack of my website is no loss
for the world, but what about others?

And keep in mind that none of this will actually save your privacy. A Chinese
service could steal all of your data, sell it, and nothing would happen
because they're outside the jurisdiction of the EU. The only thing that will
save your privacy is not giving out the information in the first place.

~~~
crawlcrawler
>> how many online businesses will simply not get created

How many online businesses [that aim to quietly collect PII for their own
monetary gain] will simply not get created?

Hopefully none of those actors will get created.

------
PaulKeeble
I am not convinced that GDPR will ever really be enforced. Severe breaches
have mostly been ignored so far and the minor dark patterns that dominate GDPR
compliance popups and wrong defaults are going to be the tail end of
compliance enforcement. Just like cookie laws before it GDPR will probably
just make websites annoying with obnoxious implementations and remain largely
unenforced until the EU does something else to try and fix this class of data
problems and the cycle will continue.

~~~
locallost
One really incredibly annoying trick that I see more and more is when they
pre-check only the "mandatory cookies" option, but then when you want to
confirm this selection you end up allowing all tracking cookies. It's because
they make the confirmation button less prominent, and something that looks
more like the typical confirm button is actually "allow all cookies". I guess
a lot of people just click on it automatically.

edit: sorry, replied to the wrong post

~~~
PaulKeeble
There are a lot of dark patterns. The most common stuff I am seeing (and it's
basically everywhere) are:

1) Accept being brightly coloured and decline as white so it's less prominent.

2) Having accept all be a simple thing but decline being a more information
that requires turning lots of individual things off.

3) Requiring the decline to be individual across hundreds of individual
cookies.

4) Clicking accept all is stored and used forever but decline is asked
every time you come back to the website.

5) Having the decline process take minutes to complete as if significant
processing is required.

6) Having the default be acceptance.

I think breaches of GDPR are the normal, 95% of the websites I see these
popups on are breaking the law in some way or another and at this point have
been doing so for years.

------
rezeroed
And a large proportion of that 9% is tricked with misleading labels on
buttons.

~~~
RealStickman_
There are three buttons with very clear functions in the popup the author
used.

~~~
rezeroed
In general.

