
UI/UX tricks against GDPR and users - janvdberg
https://medium.com/@giacomo_59737/ui-ux-tricks-against-gdpr-and-users-ef62ff12c272
======
domysee
Actually, this is not valid under the GDPR. It explicitly states that data
sharing must be opt-in. To make it valid, everything must be deselected by
default.

But there is another pattern, that actually is allowed. Have everything
deselected, put a "select all" button somewhere people easily click it by
mistake, and offer no "deselect all" button.

------
Raed667
This looks like it's against the "informed consent" part of GDPR. The entire
goal of the concept is to prevent the mechanical click on "I accept TOS".

It's up to the EU authorities to rule on this tho.

------
gregknicholson
Under the GDPR you can hold and process user data if you have a valid excuse.
If you don't have a valid excuse, you can still hold and process data if you
get informed consent.

“Sounds Good, Thanks” doesn't seem like informed consent to me, so it doesn't
grant the site owner any extra permission.

------
martin-adams
MBNA (credit card company) do a similar anti-pattern. I recorded a video of
you accepting the settings which had service improvements and targeting turned
off by default. Click 'Accept and continue' and you literally see the option
flip to on and you can't get back to the dialog again.

https://twitter.com/Martin_Adams/status/1006439897270546434

Only now do I notice the option actually says 'Accept all and continue'.
I fell for it. It's relying on people's habit of not expecting a confirmation
button to change the state of the options.

------
throwaway2016a
This is my first time seeing a site allow you to ban individual third parties.
Is that a best practice for GDPR? Most sites I've seen only allow you to see
what they are.

With that said, obviously clicking 300+ checkboxes instead of having an
"uncheck all" is absurd. But, I can see how a site that has been around for
years could have 300+. I just cleaned up a website the other day that had 50
(we pruned it down to 20 after 30 of them couldn't give us info on their GDPR
policy).

I'm also concerned about the blanket statement that companies that say they
care about your privacy don't. I've told people I care about their privacy and
I actually mean it... :(

------
r1ch
These kinds of consent forms are often designed by advertising companies using
the IAB consent framework. The idea is that once a user has opted in on one
site, their consent will carry over to every other site using the same
framework. Naturally it's in their best interests not to allow you to mass opt
out.

This kind of behavior may be going against the spirit of the GDPR, which
states consent must be "freely given". Presenting hundreds of check boxes to
click may be considered coercing the user into consenting. Will be interesting
to see the first rulings about these kinds of popups and the even riskier
"consent-walls".

------
bmelton
> 338 clicks taught me a very important lesson. Whenever someone says: "We
> care about your privacy." you know they don’t care about you at all. It’s
> just deception

Probably I'm just picking a nit here, but since it is the crux of the last
paragraph, I'm taking it as thesis, and as a thesis, it seems overblown...
unless there are really no companies out there who care about your privacy.

Undoubtedly, there are companies who will choose to say "We care about your
privacy" when they don't really mean it, but I think the assertion that no
company does needs more evidence than this single data point.

~~~
dvfjsdhgfv
Yes, the author is exaggerating, but he definitely has a point: the "we care
about your privacy" is utter hypocrisy in the modern web-world. There are a
few companies that do care, but most don't and yet they have the courage of
putting up all these false claims.

You know what's great about the GDPR? It's that all this is stripped naked and
lies just in front of our eyes. The requirement to click hundreds of buttons
in order not to be tracked is a slap in the face of each European user.

~~~
bmelton
I definitely agree that in this case, the company is playing dirty. One-click
opt-in, 338 click opt-out is downright malicious. I just don't think it's
representative of everybody, or that one data point makes the assertion
complete.

Honestly, I'd be surprised if InfoWorld even intended this behavior, while it
seems just as likely that some requirements got lost in the shuffle of trying
to hurriedly get GDPR compliance on the page.

Considering how few people still understand what GDPR actually does and
doesn't allow, it's not really shocking to me that their attempt at compliance
was done so ham-handedly, or that it might even have made them less compliant
than they were before.

------
troydavis
To “Never register to their services. Never trust their TOS. Never click their
Ads. Never accept defaults.”

… I’d add “never trust their information” - in the case of InfoWorld, their
written articles. If a site is willing to manipulate readers to obtain
consent, there’s no reason to think that its sponsorship disclosure policy or
even its writing wouldn’t reflect the same priorities.

------
oblio
Even better, do it like forbes.com: put a pop-up asking for selection of
preferences. Then wait for ages for a spinner to move from the 6% where it
blocks for half an hour.

And then, when it's finally unblocked, you get this:

"Thank you for sharing your preferences with us. We are in the process of
preparing the site to accommodate your privacy preferences and appreciate your
patience as we do so during this temporary period. Please check back soon. In
the meantime, if you would like to change your preferences, click below."

Screw you, forbes.com. Before they had a thing which blocked adblockers. Or if
you disabled the adblocker you'd still have to wait about 10 seconds for an
interstitial page to show you ads. I just wish I could remove you from my
Google searches forever (as in, I wouldn't have to filter it out all the
time).

~~~
gnode
I too would very much like to see a browser extension which removes all
content from and links to GDPR violators such as them.

------
dingo_bat
Why would you click 338 times though? I'd just block js for the website.

~~~
sempron64
Just blocking JS does not work against ads. Ads track you using cookies which
can be set upon the loading of any web resource including images.

~~~
dingo_bat
Then block cookies too. No reason to click, is my point.

~~~
jinglebells
You'd still leave a fingerprint in the logs. There's plenty of analytics tools
that just harvest logs.

Mind you, not sure how much of the modern web would work once you disable JS
and cookies, so I guess you might as well close the browser and go outside.

------
ofrzeta
Nice one. Let's just sue everyone into oblivion.

