
GDPR consent design: how granular must adtech opt-ins be? - robin_reala
https://pagefair.com/blog/2018/granular-gdpr-consent/
======
PeterisP
All the complex illustrations are _not_ telling me that this is the solution
to GDPR consent - instead, the illustrations are clearly showing that adtech
simply will not get the consent that they had before and will have to stop
using that data. The user will look at all the information that you have to
show and say "yeah... why would I ever want to opt-in for that?".

That's the whole point. If you want to keep the whole existing model of many
networked partners using all that data for all kinds of interesting purposes,
you won't ever be able to explain all that to the users in a manner that
somehow motivates them to agree instead of simply choosing not to consent. The
question isn't how to get consent for the current practices (which isn't
plausible), the question is how to run adtech that doesn't rely on protected
personal data.

~~~
_petronius
I'm really hoping that GDPR enforcement is done in a way that is consistent
with the intent of the law, and that we don't end up with a repeat of the
cookie regulation (the end result of which was merely training users to click
through another popup without reading it at all, and no meaningful improvement in
general public understanding of what cookies are, and how or why they are
used).

The cookie thing was poorly drafted; as a result, advice on complying with it
was poor, and it became something to be worked around rather than a meaningful
improvement on privacy and an understanding for the general public of how and
why tracking works. I have higher hopes for the GDPR, although I still think
it is too much of a compromise, and worry about what that means for
accomplishing its intent.

~~~
meredydd
Good news - unlike the cookie thing, GDPR mandates that you _be able to say
no_. The cookie thing was pointless because it gave nobody any meaningful
choice - "click Accept on everything, or don't use the Internet". GDPR is
going to make "Let me use your site, but don't use that fact to track me" an
option they are legally required to offer. I cannot _wait_.

~~~
amelius
That's good news, but aren't there legal ways around that for sites that are
not based in the EU?

The first question could be: are you in the EU?

yes -> no access

no -> access, but with tracking

So, basically training users to lie about their location.

~~~
BrentOzar
> The first question could be: are you in the EU?

Just to be clear - it's about EU citizens, not EU-located people, and your
location can change. You have to ask if they're EU citizens.

~~~
robin_reala
To be doubly-clear, it’s both. GDPR talks about “EU residents”, and that
potentially covers people born in EU countries, people who’ve taken EU
citizenship, people who are resident in the EU but aren’t citizens, people on
holiday in the EU and potentially even people transferring through an EU
country while travelling.

[https://cybercounsel.co.uk/data-subjects/](https://cybercounsel.co.uk/data-subjects/)

------
mschuster91
So, basically, adtech will be dead for Europe soon. No one will implement such
an overlay on the start site as required by the law. Thank God, and good
riddance.

And to those who will complain: well, it's your greed and total lack of
transparency that prompted EU legislators to actually do something about an
issue that concerns their citizens in the first place.

~~~
fuscy
I'm not sure that from a consumer perspective, I'm happy about this. Ads won't
ever go away so instead of getting ads that are relevant to my persona, I'm
going to start getting ads on things that don't interest me.

For example: men receiving women care product ads, or advertising for baby
products when I'm single etc.

Even if it's not related to ads, think recommendation sites for books or
movies.

Basically this entire thing will at least for a while push us back in the Web
1.0 times. I guess that eventually someone will come with some way to obtain
the same results as today (or even better) while completely skirting this
regulation.

Edit: Also, as with all tech regulations, this one also completely ignores the human
factor. Bounce rate will increase until people get accustomed to just clicking
'yes', especially if the 'no' button drawbacks are presented in a loss aversion
way (imagine big red letters warning about big problems if the 'yes' button is
not clicked).

~~~
the_mitsuhiko
I can count the times I bought something from a banner ad. I think it's
exactly zero. The most something does to me is retargeting and that I find
highly offensive when I notice it.

So as a customer I do think that I'd rather have no ads at all (if they are
ineffective on me) than tailored ones.

~~~
okr
When I search for flights or rentals, I get followed by it for several days. It's
a good reminder for me. So yeah, I click on them and it's a good tool for me.

~~~
alextheparrot
Imagine a store clerk doing a similar thing after going window shopping to
understand why many people would prefer to avoid such a thing.

~~~
okr
I know that other people find it creepy. I just want to express my point of view
too. And I do not mind. Another example: I like it when hotels recognize my
behaviour patterns and can adapt to it. Though I do not like to be talked to
by my first name and when they try to be my friend. :-)

------
napoleoncomplex
Any insight from HN insiders on how seriously companies big and small are
taking this?

In my experience, the buzz around this is much more serious compared to
previous efforts, "the cookie law" for example, though I have no idea on the
actual impact.

In our company, we've decided to implement the necessary changes, because a
lot of them just make sense (be clear with the user on tracking, don't store
personal data you don't need...). It could turn out to be a competitive
advantage, but only if the rules really are enforced.

Otherwise it will be the same as the cookie law, the companies following it
had a shittier user experience, and the ones that didn't were never penalized
(the cookie law was absurdly bad legislation in my opinion to be clear).

So any insight from the HN crowd would be much appreciated!

~~~
ust
Hi, I'm involved with GDPR for my work, although in an academic context, i.e. the
primary motive in processing of personal data is in security, provisioning
services, accounting purposes, etc. Also, I'm not a lawyer, and this is just
my personal opinion.

So, while I do work in an academic environment, I do have contact with people
from industry, and they are taking this seriously. (Off topic, this actually
created a new business opportunity, for compliance with the GDPR). However,
GDPR is not that different from the Directive: if you were compliant with the
Directive, chances are you're probably (mostly) compliant with the GDPR. Yes,
the conditions for consent are strengthened, and since now we have a
Regulation, it is valid in all countries. There are other differences, and it
is more stringent now, but it is not drastically different from the Directive.
BTW, this link[1] has a nice overview (I'm completely unaffiliated with that
firm, I just like how they structured it...):

[1] [https://www.whitecase.com/publications/article/gdpr-handbook...](https://www.whitecase.com/publications/article/gdpr-handbook-unlocking-eu-general-data-protection-regulation)

One thing that people lost sight of, at least in my opinion, is that GDPR is not
just about punishment, or stopping the processing of personal data; it is also
about transparency. People should not be coy/evasive/unclear about what kind
of data one is collecting and for which purpose. This is one of the most
important things (again, in my opinion). Processing of personal data has a
valid and important purpose, and the GDPR is not there to stop it.

And for the question of whether the GDPR will be enforced, I think it will. For the
moment, though, all data protection authorities (DPAs) are a bit overloaded,
and I suspect that will be the case in the near future. But obviously, the EU and
EC are taking GDPR quite seriously.

Hope this answers your question.

(Edited for grammar...)

~~~
cJ0th
> One thing that people lost sight of, at least in my opinion, is that GDPR is
> not just about punishment, or stopping the processing of personal data; it
> is also about transparency. People should not be coy/evasive/unclear about
> what kind of data one is collecting and for which purpose. This is one of
> the most important things (again, in my opinion). Processing of personal
> data has a valid and important purpose, and the GDPR is not there to stop
> it.

But doesn't that make the GDPR just another "Cookie Law" (albeit with more
effort to implement it)? The average person will not reflect on the
permissions they give, I am afraid. They'll mechanically accept them like they
do with EULAs.

I don't think that the GDPR is bad; it's just that before launching it they
should have made sure that people (especially kids in school) really
understand what kind of madness they're currently engaging in.

------
dmitriid
There's adtech, and there's Facebook.

Facebook's stance so far can be summarized as "Meh, we don't care, it's _you_
who should comply with local laws, not us".

I really really really wish the EU actually delivers on its GDPR promise and
hits them with a fine of 4% of global revenue[1]

[1] [https://medium.facilelogin.com/understanding-gdpr-9201e13564...](https://medium.facilelogin.com/understanding-gdpr-9201e1356418)

"4% of the annual global turnover or €20 Million (whichever is greater)."

~~~
KozmoNau7
I work in IT at a major telco, and GDPR is our A number 1 absolute top
priority; _anything_ else (barring natural disasters) will get pushed back if
the Four Letter Word is brought into the discussion.

We are somewhat hampered by a large amount of legacy systems (think COBOL on
mainframes, in some cases), so we are taking this very seriously, and are
fully expecting the EU to wield the full force of their ability to fine,
should we be shown to be non-compliant after the deadline. There will probably
be a grace period, but we're taking a "better safe than sorry" approach.

As a private citizen, I hope the EU chooses to wield the GDPR Hammer of Doom
swiftly and mercilessly against any company found to be noncompliant.

~~~
delibes
My understanding is there is no grace period. It starts 25th May, and affects
any existing data you have. So for example, if I have 1 million users today
with a weaker form of consent agreement, I need to ask them all to re-affirm a
much clearer consent statement before May 25th in order to carry on similar
data processing.

~~~
danieka
While there may not be a grace period, I think that the law allows some leeway
with regards to the time it takes to become fully compliant. If you're audited
but are not fully compliant, it should be enough if you can show how you are
working to correct the problems that you have.

If, for example, data is stored in an inappropriate way but you've not yet had
time to migrate it, you will not be fined if you can show how you are working
towards correcting the problem.

IANAL and that.

~~~
KozmoNau7
That is my understanding as well.

------
flipbrad
Bear in mind that there are many legal grounds for collecting, using and
sharing personal data under the GDPR (depending on the circumstances), and
consent granularity is just one of the issues you'll face if you decide to
rely on consent rather than the alternatives.

------
majewsky
Why do they cram the "View details" part into this tiny box?

Oh wait, I think I know why.

------
jstanley
I hate those sliding radio buttons with text.

If I click "off" does that turn it off, or does that turn it on?

And this example is even worse: am I turning on GDPR protection or turning on
invasive tracking?

~~~
calcifer
> If I click "off" does that turn it off, or does that turn it on?

It is required to be off by default, so you'll be turning it on by clicking.

> am I turning on GDPR protection or turning on invasive tracking?

You'll be protected by default unless you _explicitly_ opt-in to tracking.

~~~
majewsky
> It is required to be off by default

It's not a good sign when knowledge of data protection law is required to
understand the UI.

~~~
calcifer
But it's not? Let me try to rephrase that: If you do _nothing at all_ your
privacy will be protected by the GDPR. You, as the _consumer_, are not
required to know or do _anything_ if you want your privacy.

~~~
thisacctforreal
You need to know to do nothing at all. Even when presented with misleading UX.

~~~
TheCoelacanth
Misleading UX would presumably violate GDPR because it requires that consent
be "freely given, specific, _informed_ and unambiguous".

------
amelius
How granular? Per pixel please!

------
danieltillett
The thing I really, really, really don't like about the GDPR is how the EU
thinks it can impose it on companies that have no presence in the EU. While
the GDPR requirements might be reasonable, this is a very slippery slope that
will only end in disaster.

~~~
_petronius
> companies that have no presence in the EU

Just because you don't have a business presence (in the form of an office and
employees) doesn't mean you don't have a presence: collecting data from, and
making a profit on, users and customers in the EU is a presence. The
alternative would be to surrender the obligation to regulate business practice
and the protection of citizens to other countries, with no political
accountability.

~~~
danieltillett
No political accountability is what the EU is doing right now. As a
non-citizen of an EU country I have no say in this regulation or its enforcement,
but somehow I am supposed to abide by it because the EU says so.

The EU is trying to impose a huge regulatory burden on companies over which
it has no authority. Why do I or any other non-EU company have to put up with
this? What happens when the laws in my country conflict with the laws the EU
imposes on me from afar?

~~~
TeMPOraL
> _Why do I or any other non-EU company have to put up with this?_

You _don't_ have to. Just don't do business in the EU / with EU citizens.

> _What happens when the laws in my country conflict with the laws the EU
> imposes on me from afar?_

You have a choice - either break the laws of your country, or... just don't do
business in the EU.

(I do hope GDPR doesn't affect your company much; it seems to be doing God's
good work, unlike most of the companies GDPR is targeted at.)

~~~
wav-part
> _"don't do business in the EU"_

This does not make sense on the web.

An EU resident is streaming a movie from Netflix. Is Netflix doing business in the EU?
Or is it the customer doing business in the USA? For example, it can be argued
that it's as if the customer went to the USA and bought the DVD.

~~~
jen20
[https://jobs.netflix.com/locations/london-united-kingdom](https://jobs.netflix.com/locations/london-united-kingdom)

Yes. Furthermore they have licensed content for this purpose.

~~~
wav-part
Ah, did not know that. Replace Netflix with a company with no EU establishment.

~~~
majewsky
As a company with a website, there is no obligation for you to serve customers
from around the world. Just restrict yourself to customers within a certain
region (e.g. by checking where their credit card is registered, or geoblocking
based on IP if you don't take payments) that does not include the EU and you
don't have to care about EU law.

~~~
Feniks
Exactly. As a European I can't get access to Hulu or Funimation.

