Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?
These days I just block all third-party cookies, which solves most of the problem.
>"She goes apeshit whenever a pop-up window comes up. And one time, she paged me because she got a message about accepting cookies. She was all freaked out because now she thought she was being charged for actual cookies."
I don't get any popups or cookie notices on visiting HN or several other sites. It's not like it's a fundamental need to set hundreds of tracking cookies on a visitor's browser to show them a website.
> Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?
Wait, what? There are such solutions. GDPR, and the "cookie law" before it, don't "require" any popups.
They allow cookies, 1x1 pixel images, browser fingerprinting, Flash supercookies, browser local storage, etc. without any need for stupid popups... as long as that's required to implement the site's functionality. Consent for these things is implied by the user's use of the functionality (e.g. game scoreboards, saving word processor documents, keeping track of a user's shopping cart, etc.).
What these laws do require is that handling such personal data without such implied consent should require explicit consent. This acts as a disincentive for sites that want to continue spying on their visitors, by forcing the UX to be more annoying and dissuade visitors from staying.
> the only practical significant impact is that browsing the web has become more annoying.
Sounds like the dissuasion is working. Hopefully that is causing spyware sites to receive fewer visitors (and perhaps revenue), and potentially rethink their decisions.
Most people hate the UX change but don’t care about the privacy, so probably a net loss for the EU.
It clearly isn't. The vast majority of people (me too) are trained to automatically accept whatever cookie BS the website asks for, just to get rid of the popup as quickly as possible and get to the content. And no, these "spyware" sites such as reddit.com or bloomberg.com won't switch to non-tracking ads to get rid of the popup.
For reference, there are at least 2 parts that make this outcome true:
“Consent must be freely given, specific, informed and unambiguous ... Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid”: a default choice of “I agree” is influence
“The withdrawal must be as easy as giving consent”: if you hit “I agree” in a box that automatically pops up to give consent, there must be a withdrawal mechanism that’s as easy as that (and then they must delete your tracking data)
We have seen nothing of that; on the contrary, tech companies have improved our lives immensely, for free, and in my opinion are one of the biggest driving forces towards improving the future. Data is not just being collected for advertisement, tracking, and evil purposes, but is a very important asset in the development of products.
Furthermore, historically it was governments, not companies, that were abusing private data for nefarious purposes. Yet there seems to be no effort to stop it happening from that direction? Well of course not, it's way too useful, and you'd be a fool not to use it, but companies are 'bad' for trying to utilize it...
Have you been asleep for the past decade? Pervasive tracking and spying on consumers has been the topic of discussion even long before that.
EU countries have had data protection laws since the late 90s, and the web companies have taken a collective dump on them. So now the EU has created a single law that is quite sensible (if not without flaws) which says: you can only collect the data you absolutely require to work. If you collect other data, and especially if you send it to third parties, you must ask the person using your site if that's ok.
Oh my, what did web companies do to deserve this? Oh, I don't know. Open TechCrunch and opt out of ~300 tracking, data collection and ad companies, and tell me what they have done.
I'm asking because my government knows everything about me: my private and public IPs, what sites I visit, my comments on those sites, how old I am, how often I go downtown etc etc etc
techcrunch just wants to sell you stuff.
there’s really no comparison.
And no, it’s not TechCrunch who’s getting all that data.
It should be straightforward to show quantifiable harm to people’s right to privacy. You could survey a large number of people to ask if they would be OK with having their online habits monitored in detail by unknown companies (whose websites they didn’t even visit) for the purpose of targeting ads to them at later dates. If close to 100% of respondents say this is an invasion of their privacy, then that’s what it is. You could also do some more technical research to work out how many times per week people’s privacy is invaded in this way. You’d probably arrive at a very big number, rising every year.
The rules are actually only concerned with tracking cookies. Session cookies and user preference cookies aren’t within its scope. They are still perfectly acceptable to use without explicit consent from the user.
The law talks about information that can be used to identify a person.
So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.
I wouldn't be so certain about that. Before now, most people were pretty certain that an accept/decline warning was enough and that they had the right to refuse service to people who did not click OK on the warning.
This comes up in _every_ discussion about GDPR.
I honestly worry - are we as developers just extra stupid, or are other occupations (electricians, ship captains, architects) equally lax when it comes to reading and following regulations?
1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personally identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. Likewise for other identification methods used for this sort of purpose.
2. Any technical means used to make a connection to a user's PII does fall under GDPR.
Seeing the underlying intent?
GDPR is about avoiding invisible tracking (connection to a European citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking (tracking where the user isn't in control of the profile information generated), is explicitly what the regulation aims to nail.
Do read the regulation document. It's actually a very well written document that even a non-lawyer can understand: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (googl/fb or other ad companies for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.
When the web plays its normal Chinese-whispers game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single one of my US colleagues or friends had even an inkling of what GDPR actually is about, and it seems most of this community is in the same boat.
I guarantee that reading the actual doc will dispel a lot of unfounded fears.
If you happen to have even the slightest layman interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me some true genius shone through halfway through the document, like watching a good chess player set up a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors: what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it, against new unknowns introduced by rapid technical innovation.
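The two consent rules quoted earlier in the thread (no pre-selected "agree", withdrawal as easy as consent plus deletion of the tracking data) and the session-cookie vs. tracking-cookie split from the post above, as a small added consent gate (example code, not from any commenter or from the regulation). The cookie names, the in-memory profile store and the request shape are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed assumption: first-party cookies that hold only site state and
# cannot bind the session to a person need no consent prompt. The consent
# record itself ("gdpr_response") is such a preference cookie.
ESSENTIAL_COOKIES = {"session_id", "cart", "gdpr_response"}
# Constructed assumption: cookies that feed a cross-site advertising profile
# are only ever set after a valid, explicit opt-in.
TRACKING_COOKIES = {"ad_id", "ab_segment"}


@dataclass
class ConsentState:
    given: bool = False
    # ad profile data keyed by ad_id; must be dropped on withdrawal
    profiles: dict = field(default_factory=dict)


def record_consent(state: ConsentState, choice: str, preselected: bool = False) -> bool:
    """Consent is valid only for an explicit 'agree' that was not pre-ticked."""
    if choice != "agree" or preselected:
        state.given = False  # a default choice of "agree" is inappropriate influence
        return False
    state.given = True
    return True


def cookies_to_set(state: ConsentState, requested: dict) -> dict:
    """Filter Set-Cookie candidates: essential always, tracking only with consent.

    Cookies of unknown purpose are dropped rather than set silently.
    """
    out = {}
    for name, value in requested.items():
        if name in ESSENTIAL_COOKIES:
            out[name] = f"{name}={value}; Path=/; SameSite=Lax"
        elif name in TRACKING_COOKIES and state.given:
            out[name] = f"{name}={value}; Path=/; SameSite=Lax"
    return out


def withdraw_consent(state: ConsentState, ad_id: str) -> dict:
    """One call, same effort as the 'agree' click: revoke consent, delete the
    profile built under that ad_id, and return headers expiring every tracking cookie."""
    state.given = False
    state.profiles.pop(ad_id, None)
    return {name: f"{name}=; Path=/; Max-Age=0" for name in TRACKING_COOKIES}
```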
I should mention that I essentially browse this way due to a few privacy add-ons I use and it is absolutely infuriating having to deal with these pop-ups even on sites that I've already visited.
I, for one, am happy that bullshit like “hey, we send your data to 244 trackers uncontrollably” has become visible and is being called out.
I mean, visible only in the EU.
Dark patterns and site-blocking are anti-GDPR, so I’m hoping for some heavy fine across the board. And, hopefully, if not the end then curtailing of the intrusive and tracking cookies, ads etc.
These laws force people who are attempting to take advantage of non-technical users to either stop it, or do so in an obvious way that lets even non-technical users see that /something/ is up.
It's good, I like it. It's driving social progress, as truth always does. I'll get downvoted for expressing that opinion here of course. Too many American software developers who want to inflict their freedom on others I guess.
Downvotes may begin now.