
The practical effect of GDPR seems to me that I have to click away about half a dozen consent popups every day. Sometimes a cookie warning in addition to that.

If I use Private Browsing (to protect my privacy) I am punished with more popups. If I open a website within a browser shell on mobile that doesn't have my cookies (some kind of webview of an app), I am punished with more popups.

Am I expected to look at every one of those dialogs and figure out what I have to click to "customize" my tracking?

Then there are the technical problems; one of those consent "solutions" that you see around actually shows a spinner while your "preferences are being saved". Sometimes it never closes.

I am frankly already so tired of this that I don't even care to look which of the buttons says "Agree" and which one says "Refuse". I just click on whatever I see. I know for certain that for less experienced users (my parents), every additional button to click is just another hindrance to achieving what they need to do. The thought "what if I click the wrong thing" is a permanent companion of their computer use.

These are very real, very concrete negative effects of GDPR. Is there something that we gained to make me feel better next time I am annoyed with all the popups?




> These are very real, very concrete negative effects of GDPR

Your annoyance is misplaced. Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy. We built massive amounts of technology infrastructure that just assumed that privacy and tracking wasn't an issue. Why do these websites need all these cookies in the first place? If I'm visiting a random blog with no advertising on it, why is it asking me for cookie consent? What possible purpose could that cookie serve, except tracking users?

As an analogy, imagine taking a black-light to a hotel room and realizing that the room is absolutely filthy. Would you be angry at the black-light for revealing the filth to you? Or would you be angry at the hotel, for not properly cleaning up?

If cookie consent forms or GDPR compliance forms annoy you, don't blame GDPR. Blame the sites that have no regard for your privacy and make no effort to comply beyond throwing up annoying prompts.


Counterpoint: be annoyed at GDPR.

If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.


>If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

How about this. For the past 25 years every hotel that you checked into has kept a record of:

- How often did you visit?

- How much money did you spend?

- What type of CC do you have?

- Did you watch porn?

- If so, what is your favorite type?

- Did you pass on dietary restrictions to the chef?

- Were you alone?

- Did someone other than the person listed as your wife on FB join you for the night?

- etc... etc... etc...

And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.

Without. Your. Consent.

THIS is how the internet works today. Everyone grabs as much data as they can and then sells it to whoever wants to buy it. You have no vote in this. It just happens and it says so in weird legal terms on page 373 section 44 subsection 7a of their 700 page Terms of Service.

GDPR gives you this vote.

GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.

GDPR says: you cannot make your website / app / service unavailable if people refuse this.

GDPR says: you can ask companies how much and which data they got on you and they have to provide it.

GDPR protects you from an invisible industry many people don't even know exists.


>GDPR gives you this vote.

>GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.

>GDPR says: you cannot make your website / app / service unavailable if people refuse this.

>GDPR says: you can ask companies how much and which data they got on you and they have to provide it.

>GDPR protects you from an invisible industry many people don't even know exists.

And it does it by in effect forbidding you from interacting with parties that don't follow EU mandated criteria for what needs to happen for a packet to go from A to B. I don't care about what the EU thinks is good for me, I want to interact with server X whether or not it is GDPR compliant and whether or not it's over a protocol that lends itself to this nonsense; my data is supposedly mine, so fucking let me.


How does not selling your personal information to a third party block you from visiting a website?

GDPR is fine with the selling of information, as long as you have given consent in clear language and not buried in TOS.


I think he is referring to websites that are now blocking all EU users because of GDPR.

I'm surprised companies aren't just pulling the same move porn/alcohol websites use with age by asking the user if they are an EU citizen/in the EU and if they answer yes, send them to a static "we don't service the EU" page at which point everyone just lies so they can still access the page with the tracking.


> And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.

> Without. Your. Consent.

I'm really sure that every hotel has its terms of services. So does Facebook and every other site. What you described has always been illegal, and it has also never happened. What was sold was composed of data according to the terms of service that every person included agreed with. If agreement isn't consent, what is?


Did you read, or were you even aware of, a ToS of a hotel on use of personal data? This is entering the "local planning department in Alpha Centauri" territory.

As a regular person, you should not need to be aware of such things. What GDPR tries to do is to restore some sane defaults into the process, just like customer protection laws do.


This quote seems apropos:

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.” --Upton Sinclair


Yes, I generally check the ToS of whatever services I use, including hotels. And no, it's not "local planning department of Alpha Centauri" territory, it's available on their webpage and in paper form at the reception, usually framed and hanging on the wall. I check it to see what happens if I overstay, but skim through the whole thing.

As a regular person, if I want to use a service offered by someone, I should at least look into their terms - even with GDPR in place.

I'm not saying I disagree with you - but that's an opinion; on the other hand you said that consent was not given, which is simply not true - consent has a definition and that definition was fulfilled, the law doesn't treat ignorant people differently. If you want to say "I don't think <something> should be enough expression of consent", that's OK, say it - but don't lie.


Fair enough. I do read the regular ToS of the hotel that they frame and hang on the wall; it's usually standard stuff and not once do I remember reading anything there about use of my data. It's just the usual "hotel night is from X to Y, please don't do <list of ridiculous stuff that some people apparently do in hotels>". So from your comment I assumed that there must be an extra ToS that covers use of personal data. If there is, I've never noticed it.


I don't think there are many hotels handling your personal data except for legal purposes, so they mostly don't need any data policy. So far I've encountered one that simply said that data might be shared with other branches of their company, which I'm happy about.


It sounds like you agree that forcing people to read and agree to individual portions of the ToS is not a downside of GDPR, since we should all be doing that anyway.


I don't agree nor disagree. The comment I replied to was talking about the past, and in the past, the laws were different and consent was given according to them. I deliberately didn't say if I support GDPR or not, it doesn't matter; the comment said "without your consent" which is simply not true.


Freely given consent, as per the GDPR, must be explicit and optional (even if you have consent to use the data for the service being performed). A line buried in a ToS does not comply.


That's today, I replied to a comment talking about the GDPR-less past.


My point is that you can simply change the previous comment to read:

"And then, without your freely given consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it."

And the point still applies.


No, the original point doesn't apply. Your edits make it completely different, so of course my reaction would be nonsense. "Consent" is a well defined word, and its meaning was fulfilled in the examples the comment listed - of course that would be different today.


> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.

This again, is the fault of most websites. GDPR requires opt-in for tracking, etc. A website could just, by default, not do tracking. Then provide the tracking options in the preferences. However, most sites have gotten so data hungry that they can't accept GDPR's privacy-by-default and have to bother you with pop-ups to try to get your consent to track you. Add some dark patterns, like designing these pop-up forms such that they are effectively opt-out.

I can't wait until some organization sues some big fish to send a signal that blanket data collection or using dark patterns to trick people into data collection is not an acceptable modus operandi.

Also, we as consumers of the web can also help to improve things. Contact companies and ask them to switch to opt-in (as required by the GDPR), encourage them to not collect data by default (avoiding popups), exercise your right to remove data and/or see what data is collected. If enough people request this by e-mail, companies will have to set up automated procedures (provide a webpage to see or remove data).


> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate.

You don’t have to do anything to “activate” these rights under GDPR. You can just email the website in question and ask them to send an accessible copy of your data, or remove some or all of it from their servers. GDPR simply requires companies to adhere to certain consumer demands about my own data and respond within reasonable time frames.

Also I disagree with your analogy. Companies are allowed to track users for internal purposes under GDPR. But they are not allowed to sell your data to third parties without consent. The reason all these pop ups and consent forms are so complicated has nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests.


> You don't have to do anything .... just email the website ...

Okay ... let me try this.

> TO: cnn.com

> SUBJECT: Remove my data

Okay, let's send it!

> gmail: The address "cnn.com" in the "To" field was not recognized. Please make sure that all addresses are properly formed.

Oh. I've been around the block; maybe I can try admin@ or support@ or look at whois data, or browse around their website for a "Contact us" link, and maybe I can figure out how to properly assert that I do in fact own the account in question whose data I wish to remove, assuming I even have an explicit account rather than just a tracking cookie and a "shadow" profile. But isn't the GDPR supposed to be consumer-focused? What earthly consumer is going to go through these steps?


> What earthly consumer is going to go through these steps?

I have requested the removal of my personal data from multiple businesses, and I can assure you I'm quite earth-bound. Copy-pasting a template and filling in my name and account ID is not that hard.


I'm going to go out on a limb and guess that you are a fairly technical user. My snarkiness in the previous reply was excessive, but reflected my frustration with being told that something is simple that is actually a multi-step process with questions that are not easy to find the answer to.

I guess the problem with email for this process is that you have a number of questions, all of which may not have an easy answer.

1. Identify an email address -- is this standardized? Searching "GDPR address for cnn" gives nothing, and similar more general queries yield little information.

2. Identify a template -- is there a standard one? I see a bunch of websites that claim to have them, looks like 'datarequests.org' is a good(?) one? It seems to have only a small set of sites that can be submitted. The template is incredibly verbose and it isn't clear how to request specific information; would that typically happen as part of a dialog?

3. Identify an account number/user name/verification of identity -- is there a standardized process for this? Could someone else send a request to remove my data? What is the process for this and how can I activate it?

4. Email is not a structured medium. I don't want to get into a whole conversation about this; I want to see the data about me and be able to remove bits of it.

Note that as a software developer #4 sounds kind of ridiculous to me, since user data can be represented in a variety of site-specific manners, and the existing pre-GDPR protections put in place for PII make this almost impossible. But to an end user it feels like it should be a natural thing and having to deal with a number of complex bespoke systems sounds like a pretty heavy load.

I can see the GDPR in this sense being useful for celebrities and the wealthy, who can afford managers or consultants to take this action on their behalf, but not for people like my parents, for whom even step 1 is daunting.


I'm going to guess you're a technical user :) my parents would never think to search for standardized or GDPR-specific email addresses. What they did was find some generic way to contact the company (phone number, possibly Facebook or email) and ask them "where should I send a request for you to delete my data?"

Regarding the content, they would find some template they can mostly understand, then change/add a paragraph to include whatever specifics they need.

As for verification of identity, they would not even think much about it. They would sign with their name, and of course send from their email. The company would have to reply back to ask for whatever they need to verify it properly.


> 1. Identify an email address -- is this standardized?

Interesting, wasn't that addressed by GDPR? For that reason German law requires information like this to be easily accessible, aka "Impressumspflicht". Let's compare, for example, Amazon's footer links.

Amazon.com

> Conditions of Use | Privacy Notice | Interest-Based Ads | © 1996-2018, Amazon.com, Inc. or its affiliates

Amazon.de

> Conditions of Use & Sale | Privacy Notice | Imprint[0] | Cookies Notice | Interest-Based Ads Notice | © 1998-2018, Amazon.com, Inc. or its affiliates

[0] https://www.amazon.de/gp/help/customer/display.html/ref=foot...


https://opt-out.eu/ is a service run by AFAIR someone on HN (spotted it today, can't find the source comment). Select a company, fill out a form, and you're done[0].

This is the template they seem to be using for erasure requests: https://github.com/opt-out-eu/opt-out/blob/master/src/email-....

--

[0] - Maybe. I'm not endorsing it, I just found it today. I wish someone (maybe the author) could say something more about the validity of such process, and whether this kind of e-mail is enough in practice.


One of the authors here. Thanks for mentioning us! I personally use the service and can testify it works. Just used it last week following the Apollo breach to have them remove me from their database. The service is free and open source. Happy to answer any questions!


> I have no idea how to respond to, and no idea what I'm committing to when I click them.

Actually, it's easy. You can say "NO" to everything and still use the service. If the site denies service, they're violating the GDPR.


> If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.

This analogy doesn't work because a) the vast majority of illuminated marks aren't harmful, b) the ones that are harmful aren't revealed by a blacklight, and c) you can take a shower after you leave to deal with the gross ones.

If, however, the light revealed signs of bed bugs we would be in the right ballpark.

Because:

a) everybody should want to minimize how much they deal with bedbugs

b) if you regularly sleep in places that have bedbugs you risk bringing bedbugs along with you to the other places you go

c) because of education and time constraints, people typically do not manually inspect each and every place in a hotel room that bed bugs could be. So if hotel staff could force the user to click a dialog that says, "This hotel room uses bedbugs for the following purposes..." that would be extremely useful for public health and sanity.


This is how unintended consequences happen. Complaining how rational actors work around roadblocks has no practical effect. Who someone blames has no practical effect. The downside of looking at the intent of the law and assigning blame towards the market is that it encourages doubling down on these negative actions. Why not make popups illegal, they'll say. Why not make it illegal for you to optionally trade your data/tracking for services, they'll say. We need to keep fighting the market's misapplication of our original intent with more codified words, they'll say.

Pragmatic realizations of cause and effect are required instead of blame.


> Complaining how rational actors work around roadblocks has no practical effect.

I'm not sure I agree with the 'rational'. If you are so short-sighted as a company that your main course of action boils down to 'piss off the user' while doing everything you can to skirt the law then you deserve to suffer the longer term consequences. Rationality should operate on all time-frames simultaneously.


I very much wish incentives were aligned this way. However, as the ad tech sector has shown, consumer apathy is pervasive enough that you can push the envelope quite hard against them before the costs near the benefits. Couple that with the uncertainty of an ever-changing tech landscape (especially considering impending government interference), and optimizing for short term profits is "rational". That's "rational" about money only, morality and sustainability be damned.


Hence the GDPR, which sort of makes this go full circle. These 'rational actors' are now trying with all their might to do an end-run around the law. It is interesting to see which companies 'get it' and which really don't get it. I suspect - and hope - that five years from now or so the ones that didn't get it will either have changed tack or will no longer be around.


Although they are doing an end-run around the law, I'm not sure they are trying that hard. I suspect the law will become largely ignored (or massively paid lip service just to avoid being the tiniest rare case that is punished), and hope that alternative tech overcomes the entrenched.


Everybody has to do it, so not pissing off your users is not an advantage. The other options for them are: block EU visitors (that pisses me off even more) or go out of business (because they need the tracking to make at least some ad money from the freeloaders who want to read their content but won’t pay a dime).

Saying “just don’t track” is magical thinking. They ARE rational in doing the minimally revenue harming thing to comply in their less lucrative market.

The only ones suffering any consequences are people like us who have to click through so much crap to read something because of the bloody GDPR we didn’t ask for. (Like we didn’t ask for Netflix to have 30% of crappy EU content. That’s the EU’s next disaster in the making.)


There is also the aspect that apparently there are plenty of people who are completely happy with exchanging data for free services.

For example:

"No Cash Needed At This Cafe. Students Pay The Tab With Their Personal Data" https://www.npr.org/sections/thesalt/2018/09/29/643386327/no...


The students can't buy coffee from that joint even if they want to: Their money's no good, they only take data. Wow.


Risky. If you ever run for political office the media will find out how much alcohol you REALLY drank at university.


>This is how unintended consequences happen. Complaining how rational actors work around roadblocks has no practical effect. Who someone blames has no practical effect. The downside of looking at the intent of the law and assigning blame towards the market is that it encourages doubling down on these negative actions.

Bounce rates must be through the roof, especially for clickbait. I'm certain that the market has noticed and will respond to this. I strongly doubt that this persistently annoying popup situation will stick around forever.

Ultimately I'm sure some kind of technological solution will emerge - e.g. you set what level of tracking you're happy with on your browser and your browser will fill in the popups for you and report back what the website is doing.


This would only work for automatic opt-in. Why would companies that monetize your privacy stop bugging you unless you close that pop-up manually? I imagine there are a lot of people that use their browser with default settings, so there is a chance they don’t actually care about privacy.


> Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy.

What about people who had absolutely no issue with the tracking and "privacy" concerns? I don't care if advertisers target me. If I do care, I use incognito sessions. I'm happy with all the free services I get on the internet and I don't mind giving them a bit of information about myself especially since I've literally never clicked on an ad, ever, so their efforts aren't even effective.

I think there's a small minority of people who care about this stuff, they just had loud voices and the ability to push global legislation through to make everyone else's life more difficult.


I see no issue with opt-in as default (which GDPR requires). Then people can make informed decisions and choose to be tracked, while less technical and privacy-minded people don't get tracked.


I think the grandparent post does a good job describing the problem with it. It's a UX nightmare to the point where it doesn't even accomplish what it set out to accomplish.


You’re not in the EU, are you?

Everyone defending GDPR around here should be required to take a one week trip to the EU and spend some time online while there.


Good, you can opt in to tracking and profiling, if you wish.

The rest of us would rather abolish this flagrant abuse of personal information.


> Good, you can opt in to tracking and profiling, if you wish.

What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet.

Perhaps we could introduce a new HTTP header X-GDPR-Consent-Granted, controlled by a checkbox in the browser, to explicitly acknowledge that yes, we know that anyone we interact with online is going to learn various things about us, some of which may be quite personal; that we accept this; and would you please just get out of the way and let us read the article we came here for already?

If the intent was that anyone can decline without any change in service they should have just declared consent irrelevant. No one wants to be accosted 50 times a day for something so trivial, and the answer is obvious—the law prohibits offering any incentive to consent, so the only reason for anyone to grant consent is that they didn't understand the question.


I think the way this would play out is that sites would attempt to only respect the header if consent is granted, and would prefer to still show the popup to those who set a header indicating to deny consent. In that case, it would be interesting to see what percentage of users are willing to trade their data in exchange for not being bothered.

I would guess though that businesses would be wary that supporting such a header would legally put them in a position to also support a deny version of it.


>"What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet."

If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.

Instead, they want to punish and irritate you into simply accepting whatever they say, in order for the popups to go away. It's completely deliberate.

They could also simply support the Do Not Track header, or a "Please Track Me" counterpart. But they won't do that, because that would make it too easy to escape data collection and profiling, and wouldn't let them annoy you into accepting their onerous terms.


> If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.

And how is that supposed to work, exactly? If you choose "deny" then they can't track you, so they can't set a cookie or save profile data! Of course you'll get the same prompt the next time you show up. At that point you're just another anonymous visitor of whom they have no prior knowledge. You have to consent before they are allowed to remember your preference.

The same issue applies if you grant consent but take your own measures to thwart tracking, such as limiting cookie lifetime. The next time you show up they don't remember you and must ask again, or else give up and assume that no one ever grants consent.

If you are already signed in to an account that is a different matter, of course, but even for the minority of sites where I would have an account signing in would generally be more trouble than dealing with the pop-up, and thus not an improvement.

> ... into accepting their onerous terms.

There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding. For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about them. For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received.
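The two comments above disagree about whether a site can remember a "deny" answer without tracking the visitor. As an added example (not code from any commenter, and not tied to any real site), here is the server-side consent logic in Python that the "one popup per site, once" position describes: no tracking by default, a browser DNT header honoured as a refusal, and the visitor's choice recorded in a cookie that carries nothing but the choice itself. The cookie name `consent`, the 180-day retention and the `Decision` structure are assumptions made for the example; it also assumes that a cookie holding only the consent state may be set before consent is given, which is how "strictly necessary" cookie guidance is generally applied.

```python
"""Consent-state handling for a site that does not track by default.

Constructed example: parses the Cookie and DNT request headers, decides
whether tracking scripts may load and whether a consent prompt is still
needed, and builds the Set-Cookie header that records the visitor's choice.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

CONSENT_COOKIE = "consent"           # assumed name; carries only a state below
VALID_STATES = {"granted", "refused"}
CONSENT_MAX_AGE = 180 * 24 * 3600    # assumed retention for the choice: 180 days


@dataclass(frozen=True)
class Decision:
    tracking_allowed: bool        # may the page load analytics/ad scripts?
    show_prompt: bool             # does the visitor still need to be asked?
    record_state: Optional[str]   # value to persist now, or None if nothing new


def read_consent(cookie_header: str) -> Optional[str]:
    """Return the stored consent state, or None if absent or malformed."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # malformed Cookie header: treat as no stored choice
        return None
    morsel = jar.get(CONSENT_COOKIE)
    if morsel is None or morsel.value not in VALID_STATES:
        return None
    return morsel.value


def decide(headers: dict, answer: Optional[str] = None) -> Decision:
    """Decide tracking and prompting for one request.

    headers: request headers (Cookie and DNT looked up case-insensitively).
    answer:  'granted' or 'refused' when the visitor has just clicked the prompt.
    Precedence: an explicit answer, then the stored choice, then DNT, then the
    no-tracking default with a single prompt.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    stored = read_consent(lower.get("cookie", ""))

    if answer in VALID_STATES:
        # Fresh click on the prompt: apply it and persist it.
        return Decision(answer == "granted", False, answer)
    if stored is not None:
        # Returning visitor with a recorded choice: no prompt either way.
        return Decision(stored == "granted", False, None)
    if lower.get("dnt", "").strip() == "1":
        # Browser already said no: honour it and don't ask again.
        return Decision(False, False, "refused")
    # Nothing known about this visitor: privacy by default, ask once.
    return Decision(False, True, None)


def set_cookie_header(state: str) -> str:
    """Build the Set-Cookie value that records only the consent state."""
    if state not in VALID_STATES:
        raise ValueError("unknown consent state")
    return (f"{CONSENT_COOKIE}={state}; Max-Age={CONSENT_MAX_AGE}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    # Constructed requests: a first visit, a DNT browser, and a returning refuser.
    for hdrs in ({}, {"DNT": "1"}, {"Cookie": "session=abc; consent=refused"}):
        print(hdrs, "->", decide(hdrs))
    print(set_cookie_header("refused"))
```

The design point is that "refused" is stored exactly like "granted", so a visitor who declines is not re-prompted on the next visit; the cookie has no identifier in it, so it cannot serve as a tracking handle. A stored explicit choice deliberately outranks DNT so that a visitor who opted in from a DNT browser is not silently flipped back.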


>"And how is that supposed to work, exactly?"

Abolish the popups entirely, move the consent forms to a voluntary options page. Implement a user profile system, so people can create a profile and opt-in to tracking and profiling through that. Turn off tracking and profiling completely for anonymous users who choose not to create a profile, or who haven't opted in.

I know there will be an outcry of "but the amount of data we would be able to gather is minuscule!", and I say that's a good thing. Companies have absolutely no right to my personal data and to infringe on my privacy, unless I explicitly grant them access to do so.

The default should be to not track and not profile and not store privacy-infringing data, unless the user has taken specific and deliberate action to allow it.

>"There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding."

They have absolutely no right to my private data, unless I specifically give them permission. They do not have any right to success, no right to a specific business model being viable forever.

>"For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about them."

No, they do not have that right. There are very clear differences between corporations and people. Corps are not people, they do not have the same rights a person does.

>"For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received."

The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep; any PII data can only be kept if there is a valid purpose. The same rules go for companies: they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you. And yes, taxation is part of the overall service government provides to you; specifically, it's the payment for those services.

Facebook doesn't need to endlessly track, profile and monetize you, in order to run a social network that lets you chat with people, exchange cat videos and arrange events. Google doesn't need to endlessly track, profile and monetize you in order to provide search, email, calendars and their other services. It's perfectly fine to keep your calendar data, because that's a service they provide to you. But it is not OK for them to analyze and monetize your calendar data to target ads, unless you give them explicit consent.


> The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep, any PII data can only be kept if there is valid purpose. The same rules go for companies, they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you.

Services you personally asked them to provide to you. That's an entirely different standard. The GDPR doesn't permit companies to decide unilaterally what services they will provide and what information (much less funds) they are entitled to collect from you in order to provide those unasked-for services.


> I use incognito sessions.

If you think these do anything at all to prevent tracking, you're unfortunately sadly mistaken :(

> a bit of information about myself

"A bit"? That's... well, the only thing I can say is that you indeed seem not to care about this.


> If you think these do anything at all to prevent tracking, you're unfortunately sadly mistaken :(

It definitely stops them from identifying me as logged into Facebook, Twitter... via social share buttons.

> "A bit"? That's... well, the only thing I can say is that you indeed seem not to care about this.

Correct, and I wonder what harm people who complain about this have actually ever come to?


> Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy.

Actually, I think we should be annoyed at browser vendors for letting the problems with cookies get to this point. They're obsessed with backwards compatibility, but sometimes you need to break things to fix a problem.

This is one of those times. Consider: what is the greatest lever we have in this scenario? There are hundreds of thousands of companies and billions of users. Measures to change the behaviour of this huge set of people are futile.

However, there are only a handful of browsers, and in the past few years they've been somewhat responsive to user feedback. Browsers are our greatest lever, and the privacy solution will have to come from there. Remove cookies or neuter them significantly, like removing JS access to cookies and/or making cookies opt-in only for sites storing login info.

If necessary, add new types of concepts for gathering anonymous analytics data that's guaranteed to respect privacy, and new concepts to specifically store persistent credentials rather than general data and to which JS again has no access.


Chrome is the biggest browser by market share and is maintained by a company whose entire business model revolves around tracking users to feed them ads. They have zero incentive to remove cookies. Same goes for Safari and Edge, even though they're not as dependent on ad revenue.

This is a textbook example of negative externalities that can't be solved by market forces. That's where regulators should be stepping in.


> Chrome is the biggest browser by market share and is maintained by a company whose entire business model revolves around tracking users to feed them ads. They have zero incentive to remove cookies.

Not true. If they don't do something, legislators are going to impose hamfisted regulation like GDPR which does impact their bottom line and hampers their business.

So Google's incentives overlap somewhat with users here. It's possible there's a middle ground in this overlap where the browser includes features specifically for ad-driven content rather than relying on general data load/store mechanisms like cookies which can be easily abused for more nefarious purposes.

Although regulation specifically targeting browser vendors to develop such features would also do the job. It's a mistake to try and push this on websites though.


GDPR may affect Google's bottom line in EU markets (we are still awaiting proof as it's too early to tell). But seeing how the FCC dealt with the issue of net neutrality, I have serious doubts that they'd get anywhere near a consumer-first policy regarding Internet privacy.


The previous Democratic administration FCC rule was pro-NN.

The GOP FCC has undone all that. Vote for Democratic congresscritters this year and begin to undo the damage.

Vote Trump and his FCC out of office in 2020 and a GDPR may be possible.


Can we have this without forcing it? Ideally browsers would be extensible enough for you to build these things. I miss the document days of yore where implementing a browser would be a reasonable endeavor. And that the limited size of the choices is now seen as a benefit to enforce change is scary. Sure, some see it as a good thing, I mean look at all these features and all the places they've steered the web (e.g. HTTPS). I see it as too much bad with the good and I'm becoming wary of the non-neutrality of my browser. I'm at the point where I want them all to stand still or work backwards fixing bugs and improving what exists. When you get what you want by browsers leveraging their user share to make sites change their practices, you just have to know you fostered the environment for them to do that in places you might not want.

> like removing JS access to cookies and/or making cookies opt-in only for sites storing login info

To this point specifically, making a simple AJAX call to have my web server set and/or send me back the cookies from the HTTP headers is trivial. A browser is not going to be able to tell the purpose of the cookie, and opt-in is user hostile to the point that never-ask-me-again will become the norm.


> Ideally browsers would be extensible enough for you to build these things.

The generality of the environments available in browsers is exactly the problem: we can't tell what they're doing because opaque programs are manipulating opaque data. Making the problem tractable means restricting the ability to communicate via well-defined channels with well-defined data, possibly with specific purposes.

> opt-in is user hostile to the point that never-ask-me-again will become the norm.

You're assuming a lot. Opt-in is not blanket user hostile; it depends on the frequency and circumstances in which the user encounters it.

My first thought is that opt-in dialogs would be triggered only for forms with password inputs, just like it works now in browsers where users can save their passwords. The cookie is tied to that form submission only so we know its origin and uses, and all other cookies are forbidden. It doesn't strike me as user-hostile at all to then ask the user if they want to permit the site to store a persistent authentication token.


Isn't this kinda what Brave/Brendan are doing?


Looks interesting, I'll have to dig into the details further. Annoying that the home button on my keyboard appears broken on the Brave site.


But is GDPR really making the kind of difference people wanted?

What I see is that mostly companies continue the same behavior, but now with a disclosure you are prompted to accept.

I predicted everyone would just accept those terms in exchange for free services they have already invested in. Now we just have an extra annoyance. Has anything substantially changed?


Just a few hours ago there was an article on the front page about yet another tech giant getting hacked and losing contact info on hundreds of millions of users [1].

A GDPR in the US should have the power to audit companies and ensure compliance, just like the FDA does with health-tech companies.

On the user side you might only see the effects of GDPR in the form of cookies that were added as a quick-and-dirty solution for companies that have built an infrastructure whose revenue model requires collecting user information. On the other side, law also gives a vector for the government to step in and demand changes to companies that are fast and loose with user data.

If we'd had an effective GDPR in the US, the Equifax breach that lost everyone's social security number may have been prevented and they might have faced some kind of real repercussion when it did happen. Instead, data companies still get to privatize gains and externalize losses.

[1] https://news.ycombinator.com/item?id=18117322


> GDPR in the US should have the power to audit companies and ensure compliance, just like the FDA

This is wanton overregulation. All we need is strict liability for data loss. After a few years of watching cases play out in the courts, we can revisit to see if more onerous regulation is required.


I think auditing needs to be part of it too. Otherwise what's to stop companies from just never disclosing data loss? The way I understand it, right now companies intentionally don't look for data breaches so they can claim ignorance if anything comes to light.


> accept those terms in exchange for free services

Such exchanges are illegal under the GDPR. Consent must be freely given; if access to a service (that doesn't require that data, or that use of the data) is dependent on it, then it's not valid.


That was OP’s point. Some people, like me, want to freely accept such terms. I don’t give a damn about some cookies tracking. What I do give a damn about is making my own choices.

The entirely predictable consequence of making this trade illegal is that I can’t even access information on sites that have minuscule EU revenue, are too big to be afraid they might become a target, and can’t afford to provide me their services for nothing.

The Great European Firewall is a thing now.


The GDPR is about a lot more than that, which can't be simply covered by a one-click TOS.

https://www.itgovernance.co.uk/articles-of-the-gdpr


Well, you can’t even access some major news sites from EU...


European news sites work fine without problems for Europeans.

What does one in Europe gain with reading, say, American news sites which have a mostly local (e.g. American West Coast) focus?

Sure, one may find more entertaining news in a way, and get perhaps another perspective, but I would say that this perspective is obtainable via other means. It is usually even spelled out in the news articles themselves, but perhaps not explicitly. So what does a European really lose by not being able to read, say, the LA Times, or a news provider from Kentucky?

Not trying to troll.

After the GDPR I noticed I was not able to read some sites. First I was a bit annoyed, then realized the links I tried to access were to some random US news sites. I realized I should be interested in more local happenings versus those in a remote place that is beyond a vast ocean. Also, I wanted to know in more detail what world events mean for me and my area, since that is where I live. And I want to avoid political paint in my news, as far as possible.


The cost of determining the tracking behavior of every dependency of every part of your web site is prohibitive. Can you be sure that every hosted font and JavaScript framework you use is hosted on a server that isn't, say, logging IP addresses? Why bother? It's much easier to just throw up a warning popup, which users universally dismiss.


I would argue that you should be able to, and then follow that up as to why it's prohibitive (and what prohibitive means)?

At least on the library side, there tends to be a default-to-trust to the point where large projects put dependencies on libraries that are built by literally one-guy-with-a-github. I posit that developers should be more critical of including dependencies, and factors like "can we guarantee support" and "how do we know it doesn't have malware, both now and in the future, and who can we hold responsible if it does" should be considered for every dependency we add. As it is, I find a lot of developers will uncritically slurp in any dependency or library that saves them a bit of effort.

If the tooling isn't there to help with this problem then it should be built.


Most of these sites do have high regard for your privacy. It's not all for ads. Much of it is just for tracking logins and preferences, but warnings for that are required now too.


It's probably not true that warnings are required for tracking logins and preferences:

> The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.

> https://ico.org.uk/for-organisations/guide-to-the-general-da...

In most circumstances, I would expect things like logins to fall under the 'legitimate interests' basis rather than the 'consent' basis, and interestingly, if login is required to provide service it shouldn't fall under consent anyway.

I think the majority of the consent popups I've seen do not in fact comply with my reading of the GDPR. It's strange, but apparently people don't read the legislation or guidance before making these changes to their sites.


I don't really care where my annoyance is aimed; I just don't want to be annoyed. All websites use cookies to track users. In this context getting consent is noise.


You talk as if the GDPR was a win for privacy. It wasn't. It was poorly drafted legislation by people who had no idea what they were doing.


Your comment is being downvoted because you're just rambling like an old man grumpy about kids on his lawn. Not a single shred of evidence, or even an attempt at making an actual reasoned point.

Every time there's comments like this I can't help but think I'd be extremely surprised if the people writing them knew any of the names of the people who worked on the law.

I wonder what you even define as "having an idea what you're doing".


And yet the poster is right for the reason mentioned by the first poster.

Most people click on the option that gives quick access to the content.

If it creates more than 2 seconds of distraction, I might even close the page.

There is no reason to trust the EU legislature regarding the internet after something like this:

https://juliareda.eu/2018/08/censorship-machines-gonna-censo...


The poster claims two things:

1. It was "poorly drafted legislation"

2. The authors had "no idea what they were doing"

Whether it was poorly drafted legislation remains to be seen. The "unintended consequences" people are talking about here are minor; what matters are the intended consequences such as the augmented rights Europeans have over their data, their privacy, etc. I personally don't give a shit about the annoying cookie popups, I'm just glad I can finally delete my account and email address from various websites when I want them gone.

GDPR has given me a ton of rights over my data that I should have, and everybody should have. It has given me access to my own data. It has given me the power to delete it. This shit is important, and now it's law. That there's cookie popups because the companies in question suck? I don't care. If it makes you close the page, that's a positive side effect IMO. This shit must be bad for conversion in order for businesses to start getting a clue. It's a version of the "tax on privacy" that a lot of people on HN like talking about.

Regarding #2, I dispute that for the same reasons. GDPR is achieving its goals of securing user data in Europe. Companies are scared straight into following it so far.

There are issues with it (especially a lack of compliance material). None of them point to "the authors had no idea what they were doing".

In other words, no, GP isn't "right" just because you have to click off some annoying popups. That's not the only thing GDPR does.

Edit: Lacking replies, I'm going to assume those downvoting this comment are the usual no-privacy-apologists who are annoyed they now have to put legalese in front of users and don't ask themselves why they have to.


I agree with you that an important and useful part of the GDPR is deletion of your data. Good examples: No advertising and spam. Prevention of later hacking and theft of your data like e.g. credit card numbers or private messages. You have revealed your true identity on social media and want to remove your posts.

But maybe GDPR gives a false sense of safety and security and control:

- What is technically possible? When I cite you, must my posts be deleted as well?

- Who controls what companies do outside of the EU or even within the EU?

- National police and secret services in the USA and EU might be more interested in the data than some US company. They have no moral problem with installing spyware on your computer.

- Banks and maybe even insurance companies already have the right to know much about you.

- https://ec.europa.eu/info/law/law-topic/data-protection/refo...

- https://ec.europa.eu/info/law/law-topic/data-protection/refo...

IMO, you can only trust that the EU and the rest of the world does not give you control when it really matters.

Another example: https://www.youtube.com/watch?v=gGeevtdp1WQ&t=1


IANAL so I can't address most of your questions, but

> When I cite you, must my posts be deleted as well?

You mean for comments and such? What I write on a site's comment section falls under copyright law, with the usual attribution reservations etc. So no.

> Banks and maybe even insurance companies already have the right to know much about you.

I shouldn't have used the word "privacy" in my comment. I think calling GDPR a privacy law is a shortcut a lot of people take (myself included), but it really is a data protection law. (It's even in the name!)

GDPR doesn't talk about privacy very much. In fact, I just searched the full English text of the law: there isn't a single instance of the word "privacy".

In other words, it doesn't so much say who can and cannot store and analyze your data. Instead, it lays out your responsibilities if you are storing/analyzing personal data, and your (consumer) rights as someone whose data is stored/analyzed somewhere.


> If it creates more than 2 seconds of distraction, I might even close the page.

That's a win for the GDPR, not a loss! Sites that track people less will have fewer bounces and therefore higher revenue.


Is the best way to fight ignorance, virulent personal attacks? Does that constructively influence people?


I was attacking the contents of the comment, not the person. As for ignorance, I usually give the benefit of the doubt, but I've seen enough of those types of comments regarding GDPR that I'm cynical. They're almost always from non-EU business owners annoyed at having to suddenly comply with EU laws, or business owners in general annoyed at having to care about privacy (where they didn't before).

Uninformed consumers who think GDPR is a cookie law also exist, but they're not HN's usual audience.

Edit: A quick stroll through scoom's comments reveals a nauseatingly unsurprising picture. I'm so very shocked.


https://www.zdnet.com/article/gdpr-cuts-tracking-cookies-in-... Tracking cookies have reduced a lot in the EU so I would call that a win for privacy.


The fact that companies can simply continue what they have always been doing “but with pop ups” is evidence that the GDPR did not go far enough.

Also, still waiting for the first major company-wrecking GDPR fine everyone was losing their minds over... any day now. There are doubtless plenty of companies still in violation.


It's pretty much having the same impact as California Prop 65, which requires warning signs about "chemicals known to the State of California to cause cancer and birth defects or other reproductive harm" to be displayed wherever you may come into contact with them.

Of course, the state of "what the State of California knows" changes every few days, and there's no penalty for being proactive and posting your signs without actually verifying that one of the ~800 chemicals exists on your property. So every business just places a warning sign anyway, and consumers ignore the signs.


This actually changed recently. Businesses now have to specify exactly which chemical(s) may be encountered.


> These are very real, very concrete negative effects of GDPR

No, these are very real, very concrete negative effects of every company and their grandma spying on your internet usage.


As others have said, you should direct your anger towards every company showing you a GDPR popup. The more complex it is, the more they're trying to fuck with you, and the more they did fuck with you in the past.

I know it's too much to ask, and I'm happy the GDPR went through as it is, but I wish EU could nudge browsers to centralize cookie and GDPR consent forms. Both to fix the UX (a standard browser interface would be much better than most of the popups out there), and to enable me to select "decline everything" once and for all, and never be bugged by it again.


Yeah I don't want to sit down with the digital form of someone's lawyers each time I visit a site, and if I have to I imagine I and others all just click away to get the dang content already.

The way GDPR works out it sort of expects us to care to follow this annoying process, and I don't think people do / want to and thus ultimately won't make good choices.

GDPR demands users engage in the process on the web in a very particular way. As far as that goes I suspect it will fail on that aspect.


I find it fascinating how people blame the solution while it's the symptom that bothers them and they don't even notice the disease.

GDPR isn't only related to internet services. I received a phone call today from my mobile operator; they got bought by a larger company and it was a sales call. However, they were asking to speak to the person in charge in regards to company-wide mobile subscription and services - we use none.

What was disturbing is that I was contacted on my private phone number in regards to a sales call related to the company I work at.

The details I left when buying their mobile service (which was 20 years ago) don't contain where I work. I didn't work at all at the time, but I kept paying for the service.

I didn't update my account details so I found it a huge surprise when they knew exactly who to call and on what number.

Being an EU citizen, I went GDPR on them. I don't want people to call my personal number and disturb me in my own free time with sales calls in regards to my company. How did they get my details? Who authorized them to contact me? I've many questions and luckily - now I have legal backing when asking them to anonymize my data.


I think people get too tied up in the problem (and I agree it is a problem) that they just dismiss the flaws with GDPR.

I really think (like the one I describe) that for many cases GDPR isn't going to have the desired effect, if the result is that we have to sit through notices on every site and click away to get through them.


> The way GDPR works out it sort of expects us to care to follow this annoying process, and I don't think people do / want to and thus ultimately won't make good choices.

This is simply false. GDPR only allows opt-in for these choices, companies are just implementing GDPR incorrectly.


I keep seeing this response but I've seen no articles about the EU laying down the law and punishing these so blatantly obvious infractions. So either companies are not implementing it incorrectly or the GDPR has no teeth. The EU needs to act on these bad actors sooner than later if they want people to actually respect the spirit of the law.


Enforcement is only still starting up. Officially as of May this year, with the possibility of handing out fines for violations up to two years back from that date.

https://iapp.org/news/a/heres-why-the-first-gdpr-fines-could...


That's not how any of this works. We weren't going to get fines dropping on the first day.


"The EU is going to extract huge fines from everyone and their dog!"

"GDPR is useless, they aren't even fining violations!"

I'm waiting for "They are applying the law inconsistently - we got away with obvious violations for a year and now we don't anymore. The injustice!"


I really hope it doesn't take the EU over 4 full months to prove a cookie banner is in violation. That seems like a straightforward infraction if the way people have interpreted the law is accurate.


sigh..

the cookie banner has nothing to do with GDPR..


Not the old one. The new ones asking for your preferences on where your information can be sold.


I should have been more specific. I meant good choice as something other than just clicking to get past the notice.


> Is there something that we gained to make me feel better next time I am annoyed with all the popups?

Hopefully you'll choose not to use those sites.

For the first couple of months, I clicked all the "manage my choices" buttons. I felt the pain, but decided it was worth it. Then I discovered that for many sites, I would have had to enable 3rd party cookies in order for the choices to stick. That made me realise that I simply didn't want the marketers to even know that I didn't want them to track me; that I didn't want to enable the malpractice of companies that hadn't offered me the choice to disable their options; that I wasn't prepared to rely on the devs behind those dialogs to implement the design implied.

So now, I just close the tab and read something else. My hope is that others make similar choices.


> half a dozen consent popups every day

I don't see any such things. What I got was many emails when GDPR started, with companies asking me to click a link so that they could keep my data, and emails saying that they changed their privacy policy. I didn't click any of those links.

BTW I use an ad blocker and that hides a lot of nonsense. Even before GDPR there were too many of these dickbars[1] everywhere and I'm annoyed at those. Every site has those subscribe-to-email popups and other dickbars floating around.

So GDPR didn't make things worse like you say. Although the internet has become worse with tracking everywhere and stupid designs making us suffer.

[1] https://daringfireball.net/2017/06/medium_dickbars


> I don't see any such things.

I usually browse the web from within the EU, and I have really begun to mentally filter out the popups because there's just so darn many, but on a recent trip back to the US, the difference was remarkable. A visit to commonly used sites like SourceForge or Washington Post were suddenly just seamless, and on some other sites I was no longer even searching around for the obnoxious cookie warning so that my screen didn't feel so cluttered.


I can’t agree more. The popups are insanely stupid, frustrating, and a usability and design disaster. I would adamantly oppose any US regulation that could lead to something similar here.

That’s just the tip of the iceberg of the problems with GDPR. Watch as the enforcement side becomes selectively weaponized as a political tool against unpopular sites and the other shoe will have dropped.

GDPR is a regulatory bandaid to a technical problem. That geeks are calling for more regulation to fix their own failings to design privacy resilient network protocols and decentralized software which truly and actually puts users in control of their own data, is shameful.

It’s a common trope that users don’t care enough to seek out and use privacy enhancing and protecting solutions. I think that’s a load of crap. The current solutions are alpha quality and are not ready for general use. But the technology will improve and I am convinced they will destroy the competition when they get there.


It's much too early to understand any of the effects of the GDPR yet. We'll need to see some case history before we can even understand what companies will be penalized for, or how they can come into compliance.

It might not be necessary, or even compliant, to notify and gather consent for cookies via popup. This is just something that many web site operators are assuming will bring them into compliance, but there's no way to know that yet. Just like there's no way to know if you'll still be clicking through cookie prompts 5 years from now once we have a few GDPR test cases.

Let's wait and see how this all plays out.


This is my biggest problem with GDPR. No one knows how to comply with the rules, because the rules won't be understood until someone gets punished for violating them. Good intentions, imho, do not make for good laws.


> The practical effect of GDPR seems to me that I have to click away about half a dozen consent popups every day. Sometimes a cookie warning in addition to that.

At this point I just want those consent forms to be standardized via ARIA tags or whatever so that some extension can click the "yea, sure, whatever" button for me.


That would be fine. But honestly I do the opposite. If I start seeing popups and prompts I just close the tab and move on. The internet is too big and your content just isn't that special.


Me too. So that I could click the "reject all" button, having also marked the "save as default preference" checkbox, and be done with it forever.

Integration of legalese into browsers should have been done a long time ago (another useful thing would be a "ToS" button in the address bar, so you don't have to go hunting for ToS and privacy statements, and read them in whatever painful CSS flavouring the site uses).


I believe this is more due to lack of enforcement of the GDPR. The dark UX patterns you mention are not technically legal. There are numerous stipulations about how the consent must be freely given, simple and concise, opt-in, withdrawable, etc.

I think an equivalent of the GDPR becoming US law would go a long way to improving the problems of enforceability.


You say they are not legal, but then list all the requirements that they do comply with. That’s precisely why they are popups before first interaction, ask you to opt in (or not) and spend half a screen ( but not 50 pages) explaining themselves - concise yet clear and exhaustively explanatory as required.


Most services I've seen set tracking to the maximum by default, then present the user with an "OK, accept everything" and a less obvious "more options", where they must disable numerous default-on tracking options. That's opt-out, not opt-in, hardly simple or concise.

There are also plenty which simply say: accept our tracking or you can't use the service. Which is plainly in breach of Ch. 2 Art. 7.4 of the GDPR.


A GDPR for the US will be written by the very companies it was intended to protect consumers from.


I have started using https://www.i-dont-care-about-cookies.eu (along with uBlock Origin and Cookie AutoDelete) for this reason. It just gets rid of as many of those dialogues as possible, haven't seen one in a month.


This should be temporary as it shows (IMO) an extreme misunderstanding of the GDPR:

- by default they are not allowed to collect more data than strictly necessary.

- additional collection must be opt-in, and there can be no punishment for not opting in.

- showing these dialogs that are opt-out seems like a way to beg for a fine: "We hereby declare to all our visitors that by default we collect way more information than we are allowed to."


But the windows aren’t opt-out (that would actually provide better UX if you don’t care, see cookie banners).

They are annoying precisely because they do comply and require explicit opt-in into tracking. In other words, they ask you to make your choice as the first interaction.

By default, they collect nothing - and immediately show the form. You are not punished for opting out and can continue the same way as those opting in.

But everybody is annoyed by being asked. Regulators perhaps expected this to be some setting hidden somewhere, but that’s so incompatible with free content business models that it was clear that won’t happen. This is the compliant consequence.


Interesting and well written, you made me think, thanks.

I do not think it is that easy to fool seasoned regulators the second time though (the first time being the cookie law).

Also:

> but that’s so incompatible with free content business models that it was clear that won’t happen.

There is no reason why they need to track me around the web to serve ads.

In fact, given the recent accuracy of the biggest actor in that space I'd argue that you'd do significantly better in many cases by using contextual ads.


I agree that these are real negative effects of GDPR. However, the concrete design of these pop-ups is mostly not GDPR-compliant: for example, users not agreeing to being tracked must not be disadvantaged, and having to click through a cumbersome array of options is certainly a disadvantage. At least for European web sites, the authorities will hopefully take action after a while, and then these bad practices will stop.

In addition, this is a bit like fire safety regulations. Sure, they are very annoying. All of us probably have experienced the empty battery beep of a smoke sensor in the middle of the night, and many have experienced a false alarm. That's the price you pay for lowering a significant risk.

Wait a few years, and you will see significantly lower risks of your data being collected and distributed without your consent.

I'd like to add that the GDPR is truly disruptive, and it will probably take a few 'product iterations' to get it perfectly right. That alone would be a reason to wait a bit and learn from experiences before rolling such regulations out everywhere. (I'm saying this as an EU citizen)


I don’t get the disadvantage comment: everyone gets the popup crap, whether you say no or yes. Maybe I visit different sites, maybe I don’t notice because I reflexively click the closest button? In any case, the disadvantaging language is hardly meant that way: it’s about withdrawing actual content or features from you.

We have waited a few years with the cookie law and nothing changed. Unless some browser based fix takes place, this degradation of the web is staying with us.


The way it is supposed to work is you are supposed to be able to visit the site and get the same experience whether or not you accept the popup and ridiculous opt-out dark patterns. So declining should not disadvantage you.

Most of these pop ups appear to go against both the spirit and letter of the law, so will hopefully see some regulator response. Now whether regulators have enough budget to respond to all the wilful evasion remains to be seen.
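The flow described a few comments up ("By default, they collect nothing - and immediately show the form. You are not punished for opting out") and in this comment ("the same experience whether or not you accept"), written out as an added JavaScript example. This is not code from the thread or from any real consent-management product; the category names, the `data-consent` attribute, the consent-state shape and the sample script list are my own assumptions.

```javascript
// Added example, not code from the thread or from any real consent product.
// It implements the flow the comments describe: nothing optional runs until
// the visitor makes an explicit choice, "reject" is a one-step action that
// leaves the page fully usable, and a missing or corrupted stored consent is
// treated as "not decided" rather than "accepted". All names here
// (TRACKING_CATEGORIES, data-consent, the state shape) are assumptions.

const TRACKING_CATEGORIES = ["analytics", "advertising"];

// Constructed sample: how a site might declare its scripts. Only "necessary"
// scripts load unconditionally; the rest are gated on the matching category.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/retarget.js", category: "advertising" },
];

// Initial state before any interaction: no decision, every category off.
function newConsentState() {
  const categories = {};
  for (const c of TRACKING_CATEGORIES) categories[c] = false;
  return { decided: false, categories };
}

// Record an explicit choice. Only known categories are honoured and only a
// strict boolean true counts as consent, so "yes" / 1 / "true" coming from a
// tampered or buggy form do not silently enable tracking.
function choose(selection) {
  const state = newConsentState();
  state.decided = true;
  for (const c of TRACKING_CATEGORIES) state.categories[c] = selection[c] === true;
  return state;
}

function acceptAll() {
  const all = {};
  for (const c of TRACKING_CATEGORIES) all[c] = true;
  return choose(all);
}

// Rejecting is a single call with an empty selection: same cost as accepting.
function rejectAll() {
  return choose({});
}

// The actual gate: which script URLs may be loaded in the current state.
function scriptsToLoad(scripts, state) {
  return scripts
    .filter((s) => s.category === "necessary" ||
                   (state.decided && state.categories[s.category] === true))
    .map((s) => s.src);
}

// Persisting the decision (e.g. in a first-party cookie or localStorage).
function serializeConsent(state) {
  return JSON.stringify({ decided: state.decided, categories: state.categories });
}

// Fail closed: anything unparsable, undecided, or carrying unknown keys
// collapses back to "no decision yet", which loads only necessary scripts.
function parseConsent(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch { return newConsentState(); }
  if (!obj || typeof obj !== "object" || obj.decided !== true) return newConsentState();
  const cats = obj.categories && typeof obj.categories === "object" ? obj.categories : {};
  return choose(cats);
}

// Browser side (not exercised in Node): scripts shipped as
// <script type="text/plain" data-consent="analytics" src="..."> are inert until
// this swaps them for real script elements once their category is consented.
function activateGatedScripts(doc, state) {
  const gated = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const el of gated) {
    const category = el.getAttribute("data-consent");
    if (!(state.decided && state.categories[category] === true)) continue;
    const live = doc.createElement("script");
    live.src = el.getAttribute("src");
    el.replaceWith(live);
  }
}

if (typeof document === "undefined") {
  console.log("undecided:", scriptsToLoad(SAMPLE_SCRIPTS, newConsentState()));
  console.log("rejected: ", scriptsToLoad(SAMPLE_SCRIPTS, rejectAll()));
  console.log("accepted: ", scriptsToLoad(SAMPLE_SCRIPTS, acceptAll()));
}
```

The two checks worth copying are the strict `=== true` comparison in `choose` and the fail-closed `parseConsent`: a consent record that cannot be parsed, or that claims categories the site never defined, must degrade to "undecided", never to "accepted". The undecided and the rejected states load exactly the same scripts, which is what "not punished for opting out" means at the code level.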


GDPR has learned from the cookie law:

- you cannot 'comply' by forcing the user to accept

- better enforcement options (of course only when the site provider is under EU jurisdiction)

The jury is still out, but it is only a few months since GDPR has been in place.


What we are experiencing is years and years of web development with zero thought around user privacy and how it actually could be a nice, safe experience that also protects the user from mostly selfish corporate interests.


> Am I expected to look at every one of those dialogs and figure out what I have to click to "customize" my tracking?

Most of the sites you're talking about are probably in violation of the GDPR. They're hoping that by adding a big notice telling you about their violations they'll be OK. We'll have to see. But there should be a "Refuse" option that's just as prominent as the "Accept" option.


Same here. Not sure what goes on behind the scenes, but I have to click on "accept" to remove the pop-up window. So far it's worse for me, unless there's something I don't know.


Yes, that's what is most annoying: many companies by default assume opt-in to their spying activity, despite GDPR regulation saying that all consents should be opt-out by default. As a result, after clicking on 21 pop-ups and opting out, suddenly I notice that I stop caring... so in this area it seems GDPR is effectively dead regulation.


Something might have changed here recently; the past couple of days I noticed all GDPR popups I get have "reject" set as default for everything in the "Details" view. Unfortunately, they don't communicate this on the initial view, so I still need to review the details before continuing.


A couple things to be happy about:

1. Private Browsing, separate sessions in web previews, etc. are all somewhat less privacy protecting than you'd hope (IP tracking[A], browser fingerprinting, etc.). The GDPR mandates that companies ask you about tracking before they do it. Those notices are a sign that they're trying to do that.

2. I do work in the tech, marketing and security arenas and the GDPR was like kicking a beehive. Everyone at least looked around and asked themselves: "Do we really need to keep this data?" and in many/most cases the answer was: "No". So they got rid of it.

The GDPR is a lot like a vaccine, the power is in the prevention. Which won't make splashy headlines, nobody is going to write: "A million records weren't leaked today b/c they were deleted off the server 6 months ago as they weren't needed."

A - every time GDPR comes up on HN, someone complains about IPs (either that it doesn't matter and/or that their Apache log file is full of them, so why bother). GDPR regs focus on what data a company is collecting, how are they using that data and did they get consent for that. In the case of IPs, you can consider implicit consent b/c they're browsing your site. But you did _not_ consent to have your IP tracked as part of a 3rd party marketplace for retargeting ads.


> Am I expected to look at every one of those dialogs and figure out what I have to click to "customize" my tracking?

Nope. Likewise you aren't expected to read a car lease contract or the papers you sign to buy a house.


Yes. And you're lucky if you see any Refuse button. In almost all of what I see, the choices are to Agree completely to all terms, or "do not use this site".


Example?

That is illegal under GDPR. I’ve yet to see it. The only dark pattern I’ve seen mentioned is “agree” and “fine tune the settings” (with rejecting all as level 2).


TL;DR yes, yes you do; the sites have to ask for explicit consent, and that's the pattern they use to give you (or, the EU) what you/they want (fine-grained control over what they can use your data for). In practice, it's not something people care about because they just want to get to the content and don't care about the cost. The EU / GDPR and internet rights activists care for your sake.

Of course, these fine grained access controls are also a dark pattern, make it annoying and look difficult just so you consent. There's even a few out there that take a minute with a spinner going "Please wait, storing your preferences..." even if just hitting "accept" is instant. As is "cancel". Dark patterns.


I haven't looked, but is there a browser plugin to auto agree to these cookie and GDPR popups?



