
GDPR Hasn’t Shown Its Teeth, Frustrating Advocates - donohoe
https://www.nytimes.com/2020/04/27/technology/GDPR-privacy-law-europe.html
======
crankylinuxuser
You know.... I'm still waiting for Adtech companies to request realtime log
shipping on the backend. You'd set up each server type (Apache, HAProxy,
Nginx, IIS, etc) as a log ingester type. And from there, you ask the server
admin to install a telegraf-like tool that securely sends data to an endpoint.

Doing this would allow websites to remove all appearances of tracking code. It
just wouldn't be there. Sure makes for some strong plausible deniability.

~~~
ThePowerOfFuet
Please don't give them ideas.

~~~
crankylinuxuser
I'm sure the people working in Adtech (primarily google) have already thought
of this long ago. It's only stopped by the fact that many websites are just
frontends and have no backend access.

~~~
Macha
The real obstacle is that the solution involves trusting the publisher. The
biggest reason ads are so bloated these days is all the companies that
advertisers, publishers and ad networks tack in to try to catch anyone cheating
anyone else (in terms of JS at least, obviously higher res video content also
contributes, but at least nominally most ad companies try to pick something
appropriate for the connection as starting playback quickly is in their
interest too).

------
lucideer
Getting the strong impression many commenters here are reading the headline
and not the article (and tbh it kind of buries the lede), so TL;DR:

> _At the center of the dispute is Ireland, which has outsize influence over
> the law’s enforcement because Apple, Facebook, Google, LinkedIn and Twitter
> are all based there. The country is responsible for leading more
> investigations, 127, than any other country in Europe, according to Brave._

> _[...]_

> _Last year, Ireland’s data protection regulator sought a budget increase of
> €5.9 million. It got a third of that amount._

> _Helen Dixon, the chair of Ireland’s data protection agency, said she was
> frustrated by the budget restrictions but defended the work of her office._

> _She graded Ireland’s performance an “A for effort” but a “C-plus /B-minus
> in terms of output.”_

Basically, the current Irish government administration, responsible for
funding the DPC, is not a fan of GDPR.

For anyone interested in reading more about the Irish DPC's frustrations,
Cianan Brennan[0][1] of the Irish Examiner is pretty dogged in his coverage of
all things Helen Dixon & DPC (he's basically the main journalist covering GDPR
in the main country tasked with enforcing GDPR), including her
various[2][3][4] battles with the Irish government on their own GDPR-
compliance.

[0] [https://twitter.com/ciananbrennan](https://twitter.com/ciananbrennan)

[1] [https://www.irishexaminer.com/breakingnews/authors/cianan-br...](https://www.irishexaminer.com/breakingnews/authors/cianan-brennan/)

[2] [https://www.irishexaminer.com/breakingnews/ireland/over-6700...](https://www.irishexaminer.com/breakingnews/ireland/over-6700-data-breaches-reported-to-data-protection-commissioner-976403.html)

[3] [https://www.irishexaminer.com/breakingnews/views/analysis/ci...](https://www.irishexaminer.com/breakingnews/views/analysis/cianan-brennan-dixon-determined-to-face-all-challenges-982811.html)

[4] [https://www.irishexaminer.com/breakingnews/ireland/psc-data-...](https://www.irishexaminer.com/breakingnews/ireland/psc-data-protection-policy-updated-after-doherty-loses-seat-981078.html)

~~~
killerpopiller
Sorry, but the Irish DPA is bought. Even with a low budget she could have at
least started investigations, instead nothing. The GDPR will be revised this
year (I believe), the corrupted Irish DPA and the OneStopShop approach are the
main issue. Other DPAs are furious btw.

~~~
lucideer
> _she could have at least started investigations, instead nothing_

She's started plenty* of investigations but:

(a) for large cases, the legal resources of the defendant have to be
considered and a case has to be viable. Building these cases takes time

(b) even for smaller cases, actual court procedures take (too much) time, so
the cases she has taken are largely still in train

* A good portion of those cases appear to be directly against the Irish state, rather than any private corporation

------
michaelbuckbee
A lot of this gets into whether you think punishment is the desired outcome or
behavioral changes.

There has been a real and definite shift in the industry post GDPR away from
"we might need this data someday" to "please delete it at the first
opportunity".

~~~
gerland
Punishment is always the desired outcome in the journalist world. If something
dramatic does not happen, then from the perspective of NY Times nothing has
happened at all. There is no story, no people to smear that were the villains,
no heroes to glorify that fought for GDPR. The reality is, that the mundane
often impacts our lives much more than the exciting. Small incremental changes
that we do not notice shape our reality. The same way that NY Times slowly
became a parody of itself, the GDPR slowly changes the web. I still think that
we need more time to put this into perspective and we need more initiatives
that build on top of what GDPR really stands for.

~~~
dexen
Underrated comment.

Perhaps because it's laying out a mundane case, rather than making bombastic
claims...

~~~
gerland
The point is that we often overlook the things that really shape our reality.
What every ideological and/or political movement knows is that no one will
fight the ideology if it's fed in very small increments. We will simply
overlook it as insignificant. If you try to nitpick on small things then
you're sure to become the laughing stock. It's the same mechanism, but for
once it works in our favor.

I was a bit sad when I saw the initial downvotes, since this account was
already 4 times below zero points in total and I don't think there was
anything that broke the rules in that comment. I guess I was looking down on
NYT, but at this point the collapse of journalism is not an opinion, but a
measurable truth. You can just measure it by average salary in the domain. I
don't think there are any sources lately that you can trust 100%.

~~~
renewiltord
You've been paying a man to warn you if there are tigers on the main street.
Every day for the last 10 years he's been telling you there are no tigers on
the main street and you've taken the main street or he's told you there are
tigers there and you've taken the side street. Today he said that there was a
tiger on the main street but you took it anyway and didn't see the tiger. Has
his trustworthiness collapsed or was he always scamming you?

~~~
dexen
_> and [you] didn't see the tiger_

Of course; a tiger keeps hidden and attacks humans from behind.

Jokes aside, your fable is excellent and I hope to use it in the future.

Other than that, I have no useful answer beyond re-iterating my earlier
assertion: the media was always bad. Now we can see it better than before.

Perhaps _the tiger_ was a red herring all along. There just might be a _fat
cat_ getting fatter in the city hall that we were too distracted to pay
attention to.

------
rsynnott
GDPR has caused significant behavioral change for many companies. There hasn't
been much high-profile enforcement yet, granted, but I'm not sure that that's
actually that unusual for an (in EU terms) shiny new regulation.

~~~
filleokus
People keep saying this, and to some extent it's very true, I've witnessed it
myself in companies. But I mean, the aim of GDPR was never to make reasonable
data collection that is done in a safe way by "the good guys" hard.

The question is rather how many companies that pre-GDPR stored my data in ways
I (as a technical person) would consider unsafe, or used it in ways I would
consider "bad", that have changed their ways.

My local bowling alley still stores my password in plaintext and uses an
outdated Wordpress-plugin for bookings, and Google still knows as much about
my behaviour online and IRL.

~~~
lukevdp
Isn’t the whole point that you can stop them from collecting your data and
also get them to delete your data if you want? Presumably you could get Google
to delete all of your data. Is this not the case?

~~~
filleokus
I don't actually know, honestly, what the point was/is exactly. Partly to
effect long-term change in how personal data is viewed (less "gold mine, let's
collect it all" and more "potentially toxic asset, let's collect as little as
possible").

But also partly deletion and opt-out also of course, and that probably works
well, for those who use it. But with the huge implementation cost (cited by
PwC as upwards of 150 billion USD in the U.S alone [0]), I wonder what the
price per delete request or opt-out is.

[0]: [https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-...](https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-costs-and-unintended-consequences/)

------
CraigJPerry
I don’t know, this article maybe makes sense through an American lens, I’m
open to that idea.

From my view, GDPR has had a few impacting benefits to me personally already.

I’ve been notified of security breaches 3 times now that I’m confident either
wouldn’t have been reported or would but 18 months later. I’ve been able to
move my ISP as a result. Getting closer to that idea that customers will
punish you if you mess up - in this case I was able to learn about their
mistake thanks to GDPR.

~~~
donatj
I agree. Additionally the added ability to get my data back via take-out
features from most services has been a general boon for me, and a major upside
to the law. A far more important feature of the GDPR in my eyes than
vindictive punishments.

------
thefz
Hasn't shown its teeth... in America. For anyone working with even remotely
liable user data in the EU, GDPR has been a massive change.

~~~
jdxcode
"shown its teeth" specifically means penalties or similar remedies when
talking about laws. It doesn't mean that it hasn't had an effect.

------
Sir_Substance
Yes and no. I can't lie, I was really hoping for a significant company to be
put up against a wall and shot, maybe a major retailer that won't let you
check out online without giving a phone number or whatever. The notion of data
being a toxic asset[1] still hasn't really sunk into the higher ranks of most
large orgs.

However, I've found GDPR deletion requests to be a pretty strong cudgel. For
the last 10 years or so I've been sending deletion requests for accounts when
I no longer need them. Prior to GDPR, about 50% of responses would be along
the lines of "in the nicest possible way, we don't care about you enough to do
that so please fuck off". Reading between the lines, I assumed that about 50%
of websites were implemented poorly and didn't properly support deletion.

Post GDPR, all but one request have been given a polite "we have done as you
have requested, we hope to see you as a customer again". GDPR has both
legitimized the process of requesting that your data has been deleted after
you're finished using a service, and has legitimized the concerns of all those
developers who were never able to get engineering time to properly support
account deletion.

So it's been a success, it could be succeeding more but I'm not unhappy. I
would still like to see at least one company get ICBM'd in order to remind
larger entities that they've got responsibilities to society too, not just
their shareholders.

[1] [https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...](https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html)

~~~
hknapp
Can you call it "your data" if it is not being stored on your hard drive?

~~~
skummetmaelk
If I write your birthday on a piece of paper is it "your" birthday?

~~~
drusepth
It's his birthday, but he definitely doesn't own your piece of paper now.

~~~
Sir_Substance
Nor do I own the bank's hard drives, but I do own the money stored on them.

Much like how if I leave my phone in a taxi, either deliberately or
accidentally, I don't own the taxi, but I do still own the phone.

~~~
drusepth
I think the analogy falls apart when you consider the movement/creation of
singular objects (like your phone or your money) versus new/copied objects (a
copy of his birthday on your singular piece of paper).

If you create a replica of a taxi you rode in, you own that copy.

If you take a photo of someone, you own that photo.

If you write that person's birthday down on a piece of paper, you don't own
their birthday now. You own the piece of paper with their birthday written on
it, and they have no claim to that paper or what's written on it.

~~~
Sir_Substance
If you go through someone's wallet and write down all the details required to
open a bank account in their name, you do not suddenly own all those details,
and you may not do with them whatever you wish as if you did.

Opening a bank account using those details is identity theft, because they are
not /your/ details. No one cares if you owned the paper you wrote them down
on.

------
PaulKeeble
What I really learned from GDPR and its rollout and its subsequent lack of
enforcement is that laws written with regulators being the only ones able to
enforce it are just political light shows, they achieve little of value. It is
easy for a government to effectively sidestep not implementing the law by
defunding the organisation that would do the enforcement or putting a person
in charge who doesn't pursue the big breakers.

Since individuals can't bring GDPR lawsuits themselves for breaches and fines
charged and governments have largely stopped effective enforcement it has
become a pointless law. Any company complying now has missed just how little
regulators care and are hampering their business for no good reason, it is
still open season on customer data. It has the potential to charge in the
future, a government change and some adjustments in the commissioner's office
in a country could suddenly make the law come into effect but right now it's
looking like companies have another half-decade of ignoring this law at least.

It could have been useful, in practice it just made websites more annoying to
use and those complying fully are exceptionally rare.

~~~
M2Ys4U
>Since individuals can't bring GDPR lawsuits themselves

They absolutely can:

Article 79

Right to an effective judicial remedy against a controller or processor

1\. Without prejudice to any available administrative or non-judicial remedy,
including the right to lodge a complaint with a supervisory authority pursuant
to Article 77, each data subject shall have the right to an effective judicial
remedy where he or she considers that his or her rights under this Regulation
have been infringed as a result of the processing of his or her personal data
in non-compliance with this Regulation.

2\. Proceedings against a controller or a processor shall be brought before
the courts of the Member State where the controller or processor has an
establishment. Alternatively, such proceedings may be brought before the
courts of the Member State where the data subject has his or her habitual
residence, unless the controller or processor is a public authority of a
Member State acting in the exercise of its public powers.

------
belorn
We are moving into a world where everything we do will leave a data history
behind. To take a single example of a single act of buying milk at the
store: The store wants a record in order to manage inventory, sale history and
sale predictions. They also want location path data in order to determine
effectiveness of product placements. Your bank wants a record in order to
facilitate money exchange and manage money laundering laws. The recipient
bank wants a record too to do the same for the store owner, but also to keep
track of the market which the store is under. The government wants a record in
order to know how much money has changed hands and for what product in order to
determine taxes for the seller and buyer. The mall wants a record for the
location of the store where you bought the milk and how you traversed the mall
to reach it in order to evaluate property values and advertising placements.
Other milk producers and milk alternatives want a record in order to make a
better case arguing for their competing product. The secret police want a secret
record in order to verify that you did not buy something that could be made
into a threat. The regular police want a copy of the record and a video record
in case a crime happened while buying the milk. The local government wants a
location record in order to manage traffic of people who travel around in
order to buy milk. The health department wants a record to help researchers
determine the potential benefit of milk drinkers.

GDPR is really just a small stop gap to manage a fraction of all the records
we leave behind. It is unlikely to be the last one trying to create the laws
needed to handle the fact that everyone has a record of everything everyone
does, but we are also likely going to end up where everyone has a record of
everything everyone does because it saves money, makes strategies more
efficient and reduces the need for manual labor. Unrestricted data records have
a history full of recorded abuse, and a lot of current use today is explicitly
designed to harm people by manipulation and predatory strategies. GDPR is a
small step forward, but it is mostly just testing the water for the real legal
work needed to make the behavior of all those data collectors safe enough that
a person can do something as simple as buying milk at the store without
exposing themselves to harm.

~~~
lazyjones
You completely missed the point: GDPR is not a "small step" in the right
direction, but counter-productive and detrimental for future efforts. Big
companies will manage to comply with the legal requirements but ignore the
spirit and intention of the GDPR, small companies will have more stumbling
stones in competing with big corporations.

~~~
M2Ys4U
The GDPR _is_ a small step.

It's an evolution of data protection rather than a revolution.

All of the fundamentals included in the GDPR were in the Data Protection
Directive from 1995!

Of course, the extraterritoriality is new, the level of administrative fines
is much higher, but it's not like this popped out of nowhere.

~~~
lazyjones
> _The GDPR is a small step._

Some people wish it to be, but it isn't just because they do.

In order to be a small step forward rather than backwards, it would have to
show actual positive results. It doesn't, all major data leeches claim to
comply with it while retaining more data than ever before, all small companies
struggle with it without bad intentions. Don't be deluded by idealism, look at
the facts. It's about as effective at keeping your data safe as cookie banners
are in preventing cookies, while having similar adverse effects on everyone.

------
pnw_hazor
IMO the only way GDPR would have worked the way its advocates hoped is if the
enacting statutes created a private right of action. (I don't even know if
private rights of action is a thing in the EU.)

In the US some (though not enough) consumer protection or civil rights laws
expressly grant plaintiffs the right to bring their own lawsuit in court.
There are edge conditions depending on the laws or jurisdictions involved. For
example, some laws provide a private right of action only if the state agents
decline to pursue the case. While other laws may require the plaintiff to give
notice to some agencies first.

Otherwise, laws that may look bold on paper become toothless based on inaction
by the state agents that must enforce them. In contrast, if a law includes a
private right of action and reasonable fee shifting provisions, private
attorneys will pick up the slack and then some.

For example, in the US, the medical privacy regime, HIPAA, is considerably
weakened by its absence (as far as I know) of a private right of action. For
example, if your medical privacy is violated by your HR department or your
doctor, you cannot sue under US Federal HIPAA laws, you need to sue under some
other law and prove real damages. Note, there may be other laws that cover the
same facts, such as state privacy laws, or the like. And, in some
circumstances, proven HIPAA violations may be used as evidence of negligence,
or the like, to meet the requirements of the other laws.

~~~
M2Ys4U
> IMO the only way GDPR would have worked the way its advocates hoped is if the
> enacting statutes created a private right of action.

Article 79

Right to an effective judicial remedy against a controller or processor

1\. Without prejudice to any available administrative or non-judicial remedy,
including the right to lodge a complaint with a supervisory authority pursuant
to Article 77, each data subject shall have the right to an effective judicial
remedy where he or she considers that his or her rights under this Regulation
have been infringed as a result of the processing of his or her personal data
in non-compliance with this Regulation.

2\. Proceedings against a controller or a processor shall be brought before
the courts of the Member State where the controller or processor has an
establishment. Alternatively, such proceedings may be brought before the
courts of the Member State where the data subject has his or her habitual
residence, unless the controller or processor is a public authority of a
Member State acting in the exercise of its public powers.

------
jp555
What hasn't worked: Expensive bureaucracy that big incumbents can easily
afford to navigate but new entrants would be easily crippled by?

Shocked. /s

~~~
cultus
It's damn near impossible for very small organizations to follow the GDPR in
good faith, especially without a lawyer. The intent is good, but not the
execution.

~~~
modo_mario
What bs. There's plenty of arguments against it but people act like it's some
arcane thick book with legalese written in runes. That's very far from the
truth and a quick read-through of the law to identify where it applies to you
won't leave many with much if any questions.

~~~
derekp7
A quick read through doesn't necessarily make it easy to follow. For example,
Sarbanes Oxley compliance is a huge business, that is fairly expensive for a
company to implement correctly. And the compliance requirements of it stem
from essentially one paragraph of law.

------
Cenk
Here’s a handy website to keep track of GDPR enforcement and fines:

[https://www.enforcementtracker.com](https://www.enforcementtracker.com)

------
jddj
Don't let perfect be the enemy of the good.

GDPR did a lot to shift the window back and put the behaviour of the big
adtech companies in the sunlight for a while.

The enforcement side is definitely lacking, and Black Mirror might still have
done more to shift opinion, but it's not all bad.

Consumers all over the world now have the ability to request data takeouts and
deletions, etc. And anecdotally I've noticed more and more sites honouring the
opt in requirement for 3rd party tracking scripts.

It's a solid improvement over the status quo of 2017.

~~~
JeanMarcS
Sadly it mostly still is opt out options.

Not later than this morning I wanted to access a forum post. So I go to the
privacy page (as a popup proposed me) and then arrived to a page with the list
of all the « partners » with access authorized by default.

Around 50 of them. No button to refuse all and had to do it one by one. And I
visit sites like that every day.

I agree that there has been a lot of progress but we are still far from
completion.

~~~
colejohnson66
I’m an American, so forgive my ignorance, but I thought GDPR required explicit
opt-in?

------
scoot_718
All the GDPR did was make it harder for the smaller players. It was a massive
win for Facebook and Google.

~~~
bzb3
That's how regulation works mostly. Even if the intentions are noble, this has
happened so many times that politicians should know better.

~~~
llcoolv
Come on. Intentions are never noble. All politicians have their respective
owners. Be it officially through lobby groups or unofficially by local
oligarchs without middle men.

~~~
aguyfromnb
> _All politicians have their respective owners._

Who owns you, or do you consider yourself immune?

~~~
llcoolv
Am I a career politician? But actually you might be right - just noticed
Massie[0]. If he was to act like a typical politician he would let the food
shortage strike and only then go solving it to gather extra points. Rand Paul
also seems to have something like a conscience. Guess when such people would
have any say on real matters though. Never. And with nation states still being
the main actor, there is no such person in Brussels, unless we count the hell-
raising clowns like Korwin-Mikke and Farage who raise hell for the sake of
raising hell.

0\. [https://noqreport.com/2020/04/26/rep-thomas-massie-has-a-pla...](https://noqreport.com/2020/04/26/rep-thomas-massie-has-a-plan-to-prevent-the-coming-food-shortage/)

------
buboard
GDPR was meant to spite google, it ended up killing all their competition. Who
knows, maybe that was the plan?

~~~
number6
Main Problem with the Big Companies is that these are located in Ireland.

The Commissioner there has no resources [0] to pursue these cases but he can't
be bypassed when it comes to fees (at least convention of the other
Commissioners if not by the GDPR itself).

The other Commissioners are becoming more and more upset with this and planning
to institute a board to overrule Ireland's Commissioner. But all of this is
very slow...

You can't imagine the frustration over this on the part of the other
Commissioners.

[0] [https://technology.ie/data-protection-commissioner-double-wo...](https://technology.ie/data-protection-commissioner-double-workforce-new-dublin-office/)

~~~
leoc
> [0] [https://technology.ie/data-protection-commissioner-double-wo...](https://technology.ie/data-protection-commissioner-double-workforce-new-dublin-office/)

/r/nottheonion

> The other Commissioners are becoming more and more upset with this and
> planning to institute a board to overrule Ireland's Commissioner. But all of
> this is very slow...

Interesting, do you know of a news article or something similar about this?

~~~
number6
Alvar Freude (Employee at a DPO in Germany) talked about it in
"Auslegungssache"[0] Episode 9. The whole talk is in German, though.

[0] [https://www.heise.de/ct/artikel/Auslegungssache-Der-Datensch...](https://www.heise.de/ct/artikel/Auslegungssache-Der-Datenschutz-Podcast-des-c-t-Magazins-4571821.html)

~~~
leoc
Thanks!

------
calibas
What I don't like about the GDPR is how it handled cookies. We could have much
tighter control and explicit consent at the browser level, which makes sense
because it's a browser feature.

Instead of something useful like that, we have annoying popups on millions of
websites.

~~~
Nextgrid
The cookie thing is a myth most likely perpetuated by the cancerous
advertising/marketing industry in an attempt to make the regulation look more
annoying than it is.

Cookies for strictly necessary technical reasons (like a session cookie set
when you log in) or those that contain non-identifying information like
language or font size do not require disclosure or consent.

On the other hand, _any_ tracking technology that collects personal
information (whether cookies, local storage, server logs or browser
fingerprinting) for non strictly necessary purposes (like analytics, A/B
testing or conversion tracking) needs explicit, opt-in consent, and as far as
I know personal information includes IP addresses or anything that can be used
to identify someone uniquely with reasonable accuracy (so browser fingerprints
fall in this category too).

When consent is requested, it should be _freely given_, so if saying yes is
easier than saying no (which often requires unticking hundreds of checkboxes
one by one or waiting 30 seconds for a fake "we are applying your ad
preferences") then that consent is considered invalid and you may as well just
not ask for it in the first place because you're in breach of the regulation
anyway, but at least you wouldn't be annoying your users.

------
JeanMarcS
In France, for example, the GDPR law still hasn’t been transcribed into French
law.

Even more, the IT privacy agency (CNIL) gave time to adv. parties to comply,
as in « you can continue to do as usual for now » Big shame.

~~~
anoncake
Regulations, unlike directives, don't have to be transformed to national law
to be applicable.

------
SpicyLemonZest
Frankly, I think advocates are just wrong about what GDPR means. A lot of
people expected every tech company to face huge fines, because they got it in
their heads that the regulation grants you a right to opt out of targeted ads,
and as far as I can tell that's just not true.

The obvious explanation for why "no major fines or penalties have been
announced against Facebook, Amazon or Twitter" is that those companies don't
have any major violations.

------
filleokus
IMHO GDPR has been (as of yet at least) a net loss to society. It hasn't, and
probably never will, change the status quo of the biggest data hoggers
(Facebook, Google et al.). It has increased my annoyance on the web with even
more crap interruptions about cookies etc. It has increased administration in
so many places in our society where data is collected in totally non-harmful
ways with no real functioning opt-out, like phone numbers in kids football
associations or contact info for parents in schools etc. Remember that even
data stored on papers are covered by GDPR.

I think my gripe is that organisations becoming "GDPR compliant" mainly has
created systems for collecting consent or focusing on which cloud platform to
not use, rather than creating any real change by e.g not using systems with
piss poor security to begin with.

Almost like if we created regulation around banning bad roads, and all that
happened was that people had to start signing papers saying they accepted the
risk of bad roads.

But I guess it will take some time to see real change, hopefully it will come
someday.

~~~
simion314
> Almost like if we created regulation around banning bad roads, and all that
> happened was that people had to start signing papers saying they accepted the
> risk of bad roads.

Really? Did you not see the popups with the giant list of "partners" that
have access to your data? You need to click on the show details button but now
you can see the shit, where in your road example people would not see the
holes in the road.

I am fine with even more transparency.

~~~
filleokus
I mean it's nice that it's transparent and even opt-out. But would be
interesting to see the stats of how many people click the details-link on
pages like [https://www.elle.com](https://www.elle.com) or even
[http://techcrunch.com](http://techcrunch.com).

My hunch is that it's way less than 0.01%.

Imho it would have been as effective, and much nicer, if they could just assume
consent and have a setting accessible via the footer. The small small
percentage of people caring about it enough to be bothered would find it as
easily, and the rest could just go about their day as before.

~~~
simion314
You only click Accept once and you never see that popup again on that website.
Do you also dislike that all emails have now one paragraph on how to
unsubscribe and should be a small link hidden somewhere in the footer?

~~~
searchableguy
I would argue that those buttons train consumers for worse in the future. Next
time it will be a button that says we retain access to your mind while you are
using this service and all the consumers will just agree like they did before.

It's as flawed as false sense of security or all tos are legally enforceable
click check mark buttons. They aren't. Stop trying to pretend they are and
cause a chilling effect in people. It's social_manipulation!

So yeah I absolutely hate that banner. it's terrible.

~~~
simion314
> Next time it will be a button that says we retain access to your mind while
> you are using this service and all the consumers will just agree like they did
> before.

This is not true for all users, some users will always click on the big blue
button and the problem is not GDPR but shit designers, like PayPal is pushing
me into some new thing with a page with a giant blue button and a super small
"No now" link, shit companies will always be shit, they will always screw you
but this time GDPR forces them to be transparent on how badly they are screwing
you.

The popups are annoying but you know what, some users are deciding to click NO,
and go to a different web page. So if news website A has annoying popups and
shit design with tons of ads users will eventually find the website with fewer
ads and popups or will install an extension that blocks all the tracking and
ads. So if the GDPR popup will convince some people to install ad blocking to
block the popup and the tracking then that is great.

Power users like myself are running with JS off and white-listing good
websites to allow JS. If some link shared here is not opening then I just read
something else.

------
whatsmyusername
Requiring everyone to post those stupid cookie popups is not going to win you
any advocates.

