Sites using Facebook ‘Like’ button liable for data, EU court rules (euractiv.com)
802 points by abbe98 on Aug 4, 2019 | 264 comments

"He warned that the decision would go beyond Facebook and effect all social media plug ins, which are important for many firms to expand their reach on the web."

Add an image on your own website that links to Facebook. Problem solved. You keep your like buttons, their servers are no longer involved in serving your web page.

I did this and wrote about it[0]. It works really well, is very fast and doesn't compromise your users' data. There are also libraries that make it very easy to add.

[0]: https://www.stavros.io/posts/scourge-web-analytics/

Note that by not setting rel="noopener noreferrer" on the links you let the linked sites control the opener window (and of course see a detailed referrer header).

https://www.jitbit.com/alexblog/256-targetblank---the-most-u... (This applies to more than just target="_blank")

You are correct, fixed, thank you. It's a shame this isn't the default on all links.

For the case of opening in a new tab, consensus seems to be moving to making it default, though that's not true everywhere yet. It's currently default on Safari and Firefox.

Closed (fixed) Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1503681

Open Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=898942

If the link is for users to click and like this page on Facebook, then Facebook will be able to know the source URL regardless, no?

Well, if the referrer header matches the shared URL it's just bloat in the request headers, and if it doesn't it's possibly leaking details it shouldn't, like perhaps a token in a query parameter. Twitter, Facebook, etc. don't really need to know where a user initiated a share anyway.

Either way, making sure that window.opener isn't available to random sites is a critical security feature, and in some browsers that requires you to set noreferrer, so better safe than sorry.
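An added example, not part of the thread or any commenter's code: it builds a static share link of the kind discussed above and audits a page's HTML for cross-origin links that lack `noopener`/`noreferrer`. The function names, the `example.com` URLs, the icon path, and the policy of requiring `noreferrer` on every cross-origin link are assumptions made for illustration.

```javascript
// Added illustration; runs in Node.js without a DOM.

// Link-based share endpoints: plain URLs, no third-party script on the page.
const SHARE_ENDPOINTS = {
  facebook: (url) =>
    "https://www.facebook.com/sharer/sharer.php?" + new URLSearchParams({ u: url }),
  twitter: (url, title) =>
    "https://twitter.com/intent/tweet?" + new URLSearchParams({ url, text: title }),
};

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// iconPath is a self-hosted image (hypothetical path), so rendering the
// button sends nothing to the social network until the user clicks.
function buildShareLink(network, pageUrl, title, iconPath) {
  const endpoint = SHARE_ENDPOINTS[network];
  if (!endpoint) throw new Error("unknown network: " + network);
  const href = endpoint(new URL(pageUrl).toString(), title);
  return (
    `<a href="${escapeAttr(href)}" target="_blank" rel="noopener noreferrer">` +
    `<img src="${escapeAttr(iconPath)}" alt="Share on ${escapeAttr(network)}"></a>`
  );
}

// Minimal parser for the attribute text of one start tag
// (quoted and unquoted values; not a full HTML parser).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report cross-origin http(s) links that expose window.opener or the Referer.
function auditLinks(html, siteOrigin) {
  const ownOrigin = new URL(siteOrigin).origin;
  const findings = [];
  const anchorRe = /<a\s([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.href) continue;
    let dest;
    try {
      dest = new URL(attrs.href, siteOrigin);
    } catch {
      continue; // unparsable href: nothing to audit
    }
    if (!/^https?:$/.test(dest.protocol) || dest.origin === ownOrigin) continue;

    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    // Any target other than the current/parent/top context opens a new one,
    // which is when the destination can reach back through window.opener.
    const opensNewContext =
      "target" in attrs &&
      !["", "_self", "_parent", "_top"].includes(attrs.target.toLowerCase());

    const missing = [];
    // Per the HTML spec, noreferrer also implies noopener.
    if (opensNewContext && !rel.includes("noopener") && !rel.includes("noreferrer")) {
      missing.push("noopener");
    }
    if (!rel.includes("noreferrer")) missing.push("noreferrer");
    if (missing.length) findings.push({ href: attrs.href, missing });
  }
  return findings;
}

// Constructed sample page fragment (not taken from any real site).
const SAMPLE_HTML = `
<a href="/about">About</a>
<a href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fexample.com%2Fpost" target="_blank">Like</a>
<a href='https://twitter.com/intent/tweet?url=x' target=_blank rel="noopener">Tweet</a>
<a href="https://news.ycombinator.com/" rel="NoReferrer" target="_blank">HN</a>
<a href="mailto:me@example.com">Mail</a>
`;

console.log(auditLinks(SAMPLE_HTML, "https://example.com"));
console.log(buildShareLink("facebook", "https://example.com/post", "Post", "/img/fb.png"));
```

A site-wide `Referrer-Policy` header can cover the referrer side as well; the per-link audit remains useful for catching links that open a new window without `noopener`.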

I really like that if it's just a simple <a href>, I can completely understand what it does and the code is very short.

Yes, and there's no loss of functionality, you can still share/Tweet/whatever. Really makes you think about what exactly all that extra JS the real button loads is doing.

If you're not asking rhetorically, all of the extra stuff is a delivery vehicle for Facebook/etc. tracking code.

They didn't ask; they said it makes you think about it.

Facebook at least used to tell the user if any friends also liked something, as well as tell them whether they had liked the page already.

Not sure if FB still supports that, and where I work, we have used static buttons since forever.

Does Facebook allow it?

Unless you have the rights holders' permission then the social links at the bottom of that article look like copyright and probably trademark infringements. (I'm not saying that's a good thing, just how it appears.)

It's against Facebook's terms:

> 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.

We know that Facebook uses that paragraph against alternative like buttons. Many years ago German computer magazine publisher Heise created a version of the like button that works like this: The button is initially greyed out and has to be activated by a slide button to be used. Communication with Facebook's servers starts only when the button is activated.

After threats from Facebook Heise had to change the look of the initial button so that it has none of the Facebook branding. Only the dynamically loaded original Facebook button looks like the Facebook like button. [1]

Link to the original alternative like button project in German is [2]. A fork with English documentation is [3].

EDIT: Their current branding guidelines for the "thumb icon" [4] say:

> Do link the Thumb Icon directly to your Page on Facebook when using the Thumb Icon online.

So a thumb icon linking to your page should be OK.

EDIT 2: The branding guideline also says:

> Don't use an outlined thumb with the cuff detached.

So you can use the "Thumb Icon" but not in a way that replicates the current original Facebook like button because that one is outlined and has the cuff detached.

BTW this is exactly what Privacy Badger does: It replaces the original Facebook Like Button (cuff detached) with the thumb icon from the official assets (cuff connected).

[1] https://www.zdnet.com/article/german-website-creates-two-cli...

[2] https://www.heise.de/extras/socialshareprivacy/

[3] https://github.com/panzi/SocialSharePrivacy

[4] https://en.facebookbrand.com/assets/thumb-icon/?audience=lan...

>> 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.

> We know that Facebook uses that paragraph against alternative like buttons.

Did you quote the wrong section? That term can't really apply to alternative "like us on Facebook" buttons, because such a button can't confuse users into thinking it refers to Facebook features or functionality, because it actually does refer to Facebook features and functionality.

The quote is from the ZDNet article (reference [1]). It says that Facebook brought up this clause specifically as a reason why the implementation violates Facebook's terms. Here is a little longer quote for more context:

> Unsurprisingly, Facebook didn't like this change. A spokesperson told the German publication that the way it has implemented the Facebook Like button violates the Facebook Platform Policies, specifically quoting this clause:

>> 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.

> It's against Facebook's terms:

> > 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.

As written, if the reference is to Facebook features or functionality, then there can be no confusion and this clause does not apply. This would seem to be the case here.

Makes sense but isn't Facebook's stance. See my answer to the sibling comment from thaumasiotes.

Facebook's stance doesn't really matter in the end though. It all depends on how this will be interpreted by a judge, and I have a hard time believing that a European judge would rule in favor of Facebook, since there's no possibility of confusion for the end user. Also, it is done to protect end-user privacy, which European judges tend to like.

I'm adding European, because that's what the article is about and that's where I'm from. Not sure what would happen in a US court.

The tech giant is its own judge and jury.

IMHO to be complete the law should require web widget providers to serve what it says on the tin.


If it is a button so that users can bookmark articles on the facebook website then it shall only do that, nothing else. And so on: the webmaster must host the image himself. If the functionality can be accomplished with html there shall be no javascript. If there is a need for javascript it will be hosted by the webmaster and shall require consent before calling home to the mothership.

For example, visiting a store doesn't give the store owner the right to search your bag.

Then let's not stop there and include all advertisement???

The advertiser knows the topic of the website he is advertising on, he knows what kind of audience is attracted by a specific article. He can place his advertisement at the top or the bottom to further filter down.

This gives him everything he needs to advertise his product on that website. The web master can host the images. A neutral 3rd party, preferably a government agency, can track impressions and provide the advertiser with a crude estimate of traffic by region.

I think it shouldn't stop at having other people do all kinds of things and pay for it. The EU could easily fund its own technologies.

The EU could give you [say] a Facebook like button in html and require you use it. That they have their own TOS is just irrelevant. Or worse, Facebook shouldn't have to invest in terms of service. We should have detailed laws removing the need for a TOS. Standard laws for social networks should apply.

A restaurant owner doesn't have to clutter up his place with 100 no smoking signs. There is no contract to sign before you can eat.

> Does Facebook allow it?

Who cares? Facebook is a zero sum game at this point for advertisers/content creators. Facebook stacking the odds like a casino does chuck-a-luck. There's only them winning here, nobody else.

Blocking facebook tracking, meaning comments/like buttons and the like has vastly improved my browsing experience.

> Who cares?

The site owner that might be sued by Facebook for copyright infringement, for starters.

Aren’t logos fair use? Maybe a like button might be sueable, but a logo should be fine, right?

And they will be suing for what? For attempting to send more people to facebook? What's the damage?

Facebook has no right to have their arbitrary code on other people's websites. So they can't force any specific way to show their button. From the end user's perspective it's all the same.

Facebook could reasonably argue that by bypassing their established use policies for the like button, you are depriving them of value - in this case the value of the data that their JavaScript collects and sends back to them, and that you (the site owner) are being unjustly enriched through the use of their copyrighted image(s) on your site.

Except in cases of fair use, which isn’t nearly as broad as people think, the use of other parties’ images is subject to whatever licensing restrictions they choose to put on them. You can choose not to display their images if you do not accept those terms.

I feel like trying to sue someone for linking to Facebook would go down extremely poorly.

The reason sites want to have Like buttons is because they perceive value in that for the site. A C&D would be enough to bring anyone into alignment that didn't have a wish for a very expensive day trip to court.

Especially when it's done this way for privacy considerations.

> Aren’t logos fair use?

That’s a very broad question. For one thing, fair use is a concept only in US law. Other countries may have their own versions of it, but all of them have their own unique limits. Even under the US version, it is not at all clear that it would fall under fair use. If I start making t-shirts with the Facebook logo on them, is that fair use? No, it isn’t. Is there much difference between that and putting it on a website that I make money from? The right jury would say no.

perhaps, but if so, they win more when they sue you and you lose...

I'd bet it falls under fair use: https://www.inta.org/TrademarkBasics/FactSheets/Pages/Fair-U...

By the way, this website does exactly that.

Fair use is a defense. You, at best, get sued, have to pay a ton of money in attorneys' fees, on the chance that you "bet" it's going to work. Tough sell.

Why would Facebook sue over this?

Because they want the data their button+js gets for them, and if they let you get away with not using the js, then anyone can get away with it. Better to shut it down early and painfully.

Sure they allow it. The icons are also included in FontAwesome for easier use.

Shouldn't you also show an intermediate page with a privacy warning and cancel / continue buttons? Otherwise the user can click it by mistake and compromise his data.

Yes indeed! Thanks for that and your lightentheweb resource!

May I reach out to you (from qbix.com) as we are building a new social operating system for the web?

Sure! My email is in my profile.

This somewhat more fancy implementation of that idea is used on many German websites: https://github.com/heiseonline/shariff or https://github.com/panzi/SocialSharePrivacy

I know I am part of the HN bubble but I have not used any of those buttons if ever in years. I wonder how many legit use the buttons vs how many copy and paste a link and it shows up under those metrics somehow? Guessing I am part of the weird bubble.

I put Github "star" buttons on my portfolio site[1], but I also created my own Gitstars API [2] and am hosting my own Button Generator [3] because of some limitations on how Github's API works with static front end websites. This has the added privacy benefits as well as the improved stability.

[1] https://projects.tedivm.com/

[2] https://github.com/tedivm/gitstars

[3] https://gitbuttons.tedivm.com/

I’d guess the number of users that copy and paste a link to share it is statistically insignificant considering that many modern browsers don’t even display URLs in the header anymore.

I think people copy paste links all of the time. Modern link preview cards fed by og tags are a big thing, and interpreted nearly everywhere.

Mobile browsers generally have a "share" functionality that can share anything to Facebook or any app that supports that easily, so that's what people would be using rather than copy and paste.

I wish I could remove this "share" button. It's unintuitive and a waste of space.

It's true the share button is unintuitive, but if you removed anything in a standard phone UI that was unintuitive you'd have about nothing left.

Unfortunately, we live in the day and age where designers and marketers feel it is more profitable and fashionable to distinguish between the ingroup and the outgroup, rather than to empower all users.

All my Firefox browsers do with the exception of the one on my phone and only cause I changed it to show when I scroll back up to save on screen real estate. It's all configurable. Heck... When people press F11 accidentally they start calling all their kids, nephews and grandkids all scared and confused.

Because without that address bar that tech people seem to think normal users don't use they lose their ability to reason about the web.

It will wind up similar to the missing start button on Windows.

Disclaimer: I worked at a local college and had to support students in CS and other Microsoft Office courses. They lost it whenever Microsoft took away the start button but I would tell people it's still on your keyboard... Anyway also saw a lot of F11 people losing it.

Are you not aware of the difference between a like button and a share button?

If you are, I would very much like to hear how you are able to get a like from linking an image to Facebook.

The last public site I worked on, did this for all the social links... was the easiest way to keep it normalized. I didn't want to use their images, etc anyway.

Sites using the like button are dumb to begin with, especially if they are in e-commerce. You’re handing your competitors an ability to do lookalike targeting of your customers via Facebook ads. This is one of the biggest advantages of that platform. Surprised nobody writes about this while gasping at Facebook’s profits.

People are writing about it - saw this trending on HN just yesterday:


How would you do that? You can only do lookalike of an audience you upload yourself (ex: your customer list). How would you do a lookalike of your competitor?

You can target by purchasing history either through "Partner Categories", or "Purchase behavior". Facebook knows what anyone is (interested in) buying through pixel or aforementioned widgets.

Yeah but you cannot target specifically a competitor's customers just by the fact that they have a like button on their site, which is what OP was mentioning.

I don't think he meant a specific competitor rather than a whole category. Aka you buy a shirt at one site and then every e-commerce site that sells shirts can target you.

Doesn’t Facebook buy purchase history off credit card companies anyway though if you actually get as far as purchasing?

The data from the Facebook javascript integration is much richer as it lets Facebook see each customer's complete journey before purchase. This helps tremendously with ad targeting as it tells FB (for example) what other products the customer viewed before purchasing, and possibly even how they got to the site in the first place.

What, credit card companies sell customers' purchase history?

It gets worse. I know a startup that works on targeting people using their bank statement data.

Yes, absolutely.

This is primarily to help with offline conversion tracking and impact of FB ad spend.

It depends if you think the likes you get are worth more or less than however Facebook can use the data against you.

> Surprised nobody writes about this while gasping at Facebook’s profits.

Those who understand what you wrote are busy making money via Facebook ads, milking the gravy train while it lasts.

Except that they are all using them. Like, literally, all news sites.

Why don't you write about it, you seemed informed and we would like to know.

E-commerce, possibly, but less true for journalism. Nobody browses news site front pages anymore. They visit news article links directly from their Facebook feed of other people sharing/liking stuff, Reddit, HN, or other social media.

When was the last time you typed in nytimes.com or some similar foo into a browser?

Well, since you’re asking - Daily - news sites’ front pages are bookmarked on my mobile but often typed as well.

For me the exact opposite. When did I last even go on facebook? Probably over 10 months ago.

I do that regularly with local news websites. Convenient to go through stuff I might have missed.

A long time ago, because I've got bookmarks for 5 or 6 news sites that I regularly visit (usually daily). And of course those bookmarks go to the front pages.

Facebook for news...seriously? Even HN, though I sometimes follow links to news sites, is primarily of interest for me as a source of links to obscure blog posts and similar non-news stuff. The news links are usually colored as "already visited" for me. Nevertheless, quite often the comments to these news articles are still worth reading. Which stands in stark contrast to Facebook comments on news articles...


Also, I don't use Facebook. Most of the people I know navigate to the news site directly, as social media is just an echo chamber, there are lots of links to obscure news sites publishing fake news, etc.

I literally typed nytimes.com into my browser moments ago, right after typing in news.ycombinator.com.

Granted, I'm sure I'm an outlier but it was an entertaining coincidence, especially as I don't typically read the NY Times.

It has been a long while since we've had usable news sites.

There are so many mixed in signals when it comes to the "decline of news" that it's hard to pinpoint causes or use it in arguments.

Nobody? What about 1B Chinese?

Most e-commerce sites use the Facebook pixel - they'd be crazy not to. Retargeting is actually where most e-commerce profits through Facebook ads come from. Advertising to cold traffic is often a loss leader, just to get an audience to retarget to. They lose money getting people into the top of the funnel, and then make it back as a smaller number of people progress to the end of the funnel.

So no, sending your data to Facebook isn't dumb, and in fact, it would destroy most smaller e-commerce businesses if they couldn't send their data to Facebook.

I think all these privacy protection rulings are a step in the right direction, in that we are seeing governments respond to dark patterns similar to how they respond to spam and telemarketing.

The loose thread now is in how the companies are required to communicate their data mining. These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.

All it takes is strict enforcement. The rules are already there.

Many of the popovers (basically all that you can't easily dismiss without giving consent to anything unnecessary) don't result in valid consent.

Twenty page privacy policies are also questionable: "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."

I also hope that the ones that ask for consent with a modal pop-up create a modal pop-up offering you to revoke consent on every page load: "It shall be as easy to withdraw as to give consent."

Strict enforcement of the existing rules is all that's needed. Getting consent is going to be really hard, to the point where web sites may be best off not asking for it, and only doing what they can without processing personal data.

This. I long for the day when regulators pick one high profile target that uses “by entering you agree to [us giving your data to third parties for ad purposes only]” and simply hit them with an enormous fine.

But why are data brokers still allowed to exist?


Many European supervisory authorities are investigating these right now.

I'd expect the first enforcement action to come either this year or early next year.

The popovers are the result of government innovation. I'm skeptical whether it's actually possible to get people to read the privacy policy before using a website.

It would help if privacy policies were brief and clear.

Edit: just realized pbhjpbhj has written much of this elsewhere in this thread, upvote that instead, although I'll keep mine since it is slightly different: https://news.ycombinator.com/item?id=20607528

It would help if companies could respect the rules in EU that says data collection should be voluntary and opt in.

Then the privacy policies could be really short.

That said I agree with others that reasonable standard policies would be great for both consumers and businesses:

Something like the Creative Commons licenses comes to mind:

- 0, green: nothing (no analytics, no state, so no login possible)

- sessions, green: login possible

- telemetry, yellow: anonymized, short lived (< 3 business days) data, not linked to use, not shared outside of development

- 1 party analytics, yellow: like telemetry but longer lifespan and shared outside of development

- 3 party analytics, red: uses Google Analytics standard edition or any other 3rd party tracker that shares data

The GDPR does actually contain a provision - Article 12(7) - which allows for that sort of indicator:

>The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

Which is why the EU has already mandated that. But privacy is a complicated issue, so there are limits to how brief a complete policy can be; just the suggested template[1] is a four page PDF.

[1] https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Priva...

One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.

Such info could be tagged in page head and then you could do things like search for a forum that doesn't (according to policy) use your data for revenue (or share it outside the named business -- perhaps that's "PP0", in analogy to CC0), etc..

Just thinking on my feet, E&OE.

P3P header? What’s old is new again?


Wow, I didn't know this existed! And very interesting to read why it failed.

That is something I'd like to see standardized and mandated - complete with mandatory audits so it doesn't fizzle out like it did last time.

Does anyone know if a single thing takes a look at it nowadays?

Also, maybe it would work if it was legally enforced now? I suspect this was a case of Too Soon™.

It is officially deprecated, even by Microsoft it seems.

> One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.

Or at least have those as standardised starting points that cover the routine points that will be the same for 90% of data processing operations, so you only have to specify additional detail for things that might be unusual or surprising.

If you look at the template privacy policy that SpicyLemonZest linked to, a large proportion of it is boilerplate that covers either reasonable and normally expected data processing or standard notifications required under the GDPR etc. Repeating that more-or-less verbatim on every website someone visits today doesn't help either that person or those websites.

It would simplify things greatly if instead of all that boilerplate, a short list of one-liners is all you need to state if you're only performing normal data processing for common purposes, as defined by official privacy standards along the lines pbhjpbhj suggests but perhaps specific to each common purpose. Then you only need to elaborate on anything unusual or particularly sensitive, and anyone interested in how you're processing data about them can quickly identify such cases (or verify that there aren't any and they don't have anything to worry about).

> It would help if privacy policies were brief and clear.

And the way to do that is standardisation.

In many situations, at least here in Europe, you can go about your normal life without worrying too much about tricky contracts catching you out. There are consumer protection rules that restrict what can be done, prohibiting it entirely in some of the most serious cases, but also setting out reasonable expectations in some sense so that any business wanting to violate those expectations has to be clear about their alternative or might find it doesn't stand up if challenged.

One difficulty with the online world at the moment is that because it's very international in nature, even rules that apply across say the whole EU or at federal level in the US don't necessarily provide any guarantees to visitors of websites or recipients of emails because the business or other organisation they're dealing with might not be in the same jurisdiction as them.

On top of that, these big data-hoarding organisations pose an unprecedented threat to our privacy and ultimately to our freedom and way of life because there is an unprecedented amount of data collection and processing going on. Some things didn't really matter much at a small local scale, like the person passing you in the street seeing your face and knowing you were there at that moment in time, yet forgetting you a moment later. The exact same data points can matter a great deal more when we're talking about huge numbers of them being collected and collated by a single entity that can then process a more informative data set in ways that would never have been possible in the simpler case. Now the marketer or the government or the criminal who hacks the marketer or bribes the government official has a detailed record of your normal daily movements and any anomalies, or your spending patterns across everywhere you shop and everything that says about you, and so on.

We need a clear basic framework for what we as a society are and are not willing to permit in these areas, for how we trade off the potential advantages of organisations that might genuinely be trying to help us having access to more data against the potential risks of organisations that are not necessarily acting in our best interests having access to more data, even if in some cases they might be the same organisation using the same data in different contexts.

I personally regard the GDPR as a swing and a miss in this context. The intent might have been good, but it's so complicated and ambiguous that in many ways it creates problems rather than solving them. Crucially, that is particularly true for organisations that were trying to be responsible about how they work with personal data and privacy issues, which might have been looking to the GDPR and the national regulators for clarity about the ethics and legality of different practices with pros and cons.

So there have been some moves in positive directions recently, but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records. Does it really help anyone to declare obvious and indeed legally required behaviour like that, or is it just noise?

To pick a less obvious example, maybe we should have clear defaults about analytics. For example, perhaps a business is allowed to monitor how its customers are using its own hosted systems by default, but activities like accessing users' personal data uploaded to those systems for other purposes, exporting users' personal data from their local devices, or sharing any of this data with third parties requires explicit disclosure and maybe some level of consent.

Privacy policies could indeed be much clearer if only the exceptions to common sense had to be declared in some standardised way, and if an acceptable definition of "common sense" were itself provided somewhere through legislative or regulatory means.

The GDPR isn't a bunch of rules, it's a process. It's no different to your health and safety process. You define your process, what data you have and where it is and any risks.

Personally, with massive PII dumps getting leaked every week I'm not surprised governments are starting to act.

> but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records.

No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.

Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or giving them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.

> Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

That's debatable. The GDPR itself explicitly notes [Recital 47] that even direct marketing can constitute a legitimate interest.

However, there are specific provisions for that case, particularly the explicit provision [Article 21, para 3] that if the data subject objects to processing for direct marketing purposes then that is black and white and that processing must be stopped.

Yes you do [have to state that in your privacy policy].

Compliance with a legal obligation is valid grounds to store and process data, but the information requirement still applies - you need to inform the customer what you're collecting and why, you just don't need their consent in this case.

E.g. the GDPR article 13.1.d / 14.2.b - you need to inform the data subject about what exactly is your legitimate need that justifies the processing of data; and customers then can judge whether that need (and the collected data for it) seems reasonable or warrants a complaint to the regulator.

The GDPR isn't a bunch of rules, it's a process.

The GDPR is an EU regulation. An EU regulation is a bunch of rules that have direct legal effect across the Union.

> No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

That's a legal basis for processing, which you also have to disclose. It doesn't exempt you from disclosing other required information such as the types of personal data you're collecting or your policy on retention.

That innovation could be simply disallowing most of the data gathering/sharing outright.

The EU's GDPR already requires opt-in for all auxiliary tracking etc. even for those huge policies. So you can try to hide all the nasty stuff in a long policy, but you are not allowed to default to them. A single "I agree" button is explicitly disallowed to enable anything else than the barest minimum required to provide the service (now I'm sure that could pose a loophole for some tracking, but the most egregious cases would be liable for enormous fines if they don't adhere to this).

>These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.

If the sites are relying on consent as their legal basis for processing personal data then hiding it in those policies is 100% a violation of the GDPR.

Enforcement action is unlikely to make headlines, though as it'd be such an open-and-shut case it won't even make a courtroom. The supervisory authorities will just impose administrative fines.

Until Facebook starts regulating Washington. They've been pretty uninvolved in lobbying so far.

I get the sentiment, but wouldn’t this apply to something as simple and fundamental to the web as including an image that I don’t host on my webpage? The 3rd party hosting that image could be collecting a decent amount of data about people accessing it - I really have no idea what they’re doing, or any way to verify it.

This ruling feels poorly thought out to me. Activities on the web aren’t totally private, that’s how it’s always been. Getting rid of 3rd party content makes it ... kind of not the web anymore.

That's a very D&D Rulebook type interpretation :). Not that rulings should be ambiguous, but usually some common sense can be applied (and is expected to be reasonably applied).

The Facebook like button is a web tracker, disguised as a social engagement button. If not its primary -, then its secondary function is to (indiscriminately) track users and non-users outside of its walled garden, like some reversed Trojan Horse.

Hotlinking an image is just that: hotlinking an image. Facebook relies on us and lawmakers to say: "We just can't ban third party content!", while we perfectly could leave innocent third party content alone, and focus our sights on the spy button. It isn't reasonable, nor common sense to conflate the two: even if similar in syntax, the context is vastly different.

> That's a very D&D Rulebook type interpretation :). Not that rulings should be ambiguous, but usually some common sense can be applied (and is expected to be reasonably applied).

You can't build a business on assumptions made on an ambiguous ruling. And while common sense seems reasonable there it has no definition. Why should investors take the risk?

Lots of businesses, investor-backed and otherwise, currently operate within the “frontier areas” of the law. Some of them step a little too far and get whacked, others stay in the gray area for decades making money. Legal due diligence is not about guaranteeing 100% you’re above board. It’s about weighing the risks.

Do you realise that most tracking products including Google Analytics was/is built around hotlinking an image?

An image served from a third party server can very much have a secondary function to track users.

Yup. And Google Analytics should (and I believe already has) be treated similarly to a tracking beacon.

> Getting rid of 3rd party content makes it ... kind of not the web anymore.

This is what the web used to be like, every site hosted its own content and the only third party content was typically limited to ads. Embedding third party content was considered a dick move at best, illegal at worst and larger sites would frequently block deep linking or being embedded in frames/iframes. Third party hosting only became prevalent when the web became bloated javascript.

> Bitkom, a German trade federation for online businesses criticised the ruling, saying it would heap costly bureaucracy on firms without enhancing consumer protection.

Swap "costly" for "mildly inconvenient" and then I could almost see where they're coming from but I think they're missing the forest for the trees here. Let the "like button" die, rulings like this take the wind out from beneath it and eventually it's a metric you'll never be burdened with.

They're not 'missing' anything. They're trying to convince others to agree with them.

Either they take a stand against holding all businesses liable for transfer of data, or those who pay them a membership fee will see an increase in liability or a decrease in the perceived precision of advertising data.

They're not missing the forest for the trees. They're busy logging the forest for the trees, and would very much like everyone to hear their call to action and join their side.

For context: Bitkom is pretty much a lobby organization and usually takes the most company friendly standpoint they can find, that's quite normal at this point.

Also the "without enhancing customer protection" is not correct. The mere act of loading a page with the like button causes data to go to fb

One solution would be to have a "turn on like" button, but the image solution that some comments point out seems like a good option as well

(Or fb could have data sent only when the person clicked the button, but that's unlikely to happen)

Corporation with financial interest in disinformation spreads it through press release. News at 11

The best part:

> Under EU data protection law, therefore, a European retailer and the US platform are jointly responsible for gathering the data

I really hope this means that Facebook and all those stats/ads providers can be held responsible if they don't take adequate measures to ensure that only data from users who have given valid consent is sent.

Going after individual site operators is a fight against windmills. It would be much more effective if they could go after a company that provides an Ad SDK to hundreds of thousands of apps, but just tells the app developers in the fine print "by using this SDK you confirm that you have gotten consent from your users" - and as a result, knowingly accepts that nobody will care and data from non-consenting users will be collected.

> I really hope this means that Facebook and all those stats/ads providers can be held responsible if they don't take adequate measures to ensure that only data from users who have given valid consent is sent.

Yes, it does mean that, and on top of it authorities can also go after each web site that has a like button on it

Will EU regulate mobile apps and the two dominant platforms too? On web I'm safe using blockers, no JS etc. But on my phone I lack alternatives to suppress privacy abusers.

I believe Apple is trying to get in front of this, and hopefully that means Android isn’t far behind.


Android is far ahead… as long as you only use AOSP or Lineage, avoid Google Apps and install apps from F-Droid and not from the Play Store.

That's not the Android that people are talking about.

Sure. The Android people are talking about exists so Google can control everyone's life. I would not trust it to protect my privacy.

Even on the Google Play Store, there's a browser called Firefox that supports the concept of "add-ons".

I know these are a novelty on Android where most people use Chrome because it's pre-installed - but add-ons are small, self-contained downloadable additions to your browser. There are multiple such add-ons that will block ads for you. They also work in-app where the Firefox WebView/custom tab is used.

> I know these are a novelty on Android where most people use Chrome because it's pre-installed

I still don't understand which law allows _not_ to show a choose your default browser installer, like Windows had to after the court decision.

Are you in Europe? I am and recently I was asked this exact question out of the blue, and I was given 5 options (if I recall correctly).

Yes. 5 options on Android and on iOS? Because if Windows had to, they should too.

I don't have access to iOS devices, but this happened on 3 different Android phones. It wasn't on setup though.

That's interesting, I've never experienced this myself. Wonder if there are any screenshots floating about on the web.

DNS666 is an open source local proxy for Android that doesn't require root permissions. Filters out all ad traffic, from websites and in app crap.

This is old tech, and it works very well, on any variant of android. Apple is the one that's very behind.

I am talking about at the platform level. My mom isn’t going to install DNS666. She wouldn’t trust it.

> She wouldn’t trust it.

Then it doesn't matter. If she trusts Google, there's nothing to do.

Use the Guardian App. Of course, privacy costs money in this day and age, so it depends on how much you value your privacy:


Use the Duckduckgo app.

I don't think the GDPR separates apps or websites, but the difference is that with apps you often agree to their terms by downloading/buying it whereas with websites you really can't agree until after you open it.

How much value does like and other sharing buttons provide to anyone other than Facebook/Google/Twitter these days? I’d argue very little.

I used to work for one of the larger social sites in the UK with many millions of unique users and we found that the social buttons got next to no engagement. Before I left we began the conversation about removing them entirely as they were just dead space on the page.

I agree that for most sites these buttons have very little value both because of lack of relevance and because of low conversion placement.

However there are whole businesses that have been built around these buttons (fx Upworthy).

Not only are they dead space, but in many cases I have found them to degrade performance by a lot on websites. I use Privacy Badger to block them all, as I really never have seen the point of them.

Wouldn't the same logic apply for users clicking on ads?

Not just clicking on, but being _shown_ third-party ads.

And yes, I would have thought the same logic would apply.

See "Panoptykon files complaints against Google and IAB" https://edri.org/panoptykon-files-complaints-against-google-...

this is a great point. it would be awesome if indeed sites had to gain my permission before showing me an advertisement - or at least a custom one. someone should sue!

Or at least showing an ad that they don't host themselves. A first-party hosted ad wouldn't give away any user data.

Wouldn't mind seeing this happen... Also, showing ads or sending/setting tracking data before clicking on the "Accept" button.

I wonder if this will end up being applied to the usage of third party CDNs as well such as Google Fonts.

I hope it applies to CDNs, I suspect data collection is the very reason they exist and that many are already collecting data, but even in tech circles it flies under the radar. On top of this there's potential issues with any third party and we'll need stronger guarantees from cloud hosts, data centers and the like.

CDN's are especially nefarious when it comes to privacy because they make it so hard to block third party content while retaining functionality.

Technically there isn't any difference. It's a request to a server. You send over your IP (defined as personal data) to a third party server.

But for data collection there is a big difference given that FB knows who you are, you are probably already logged in, and log/use that data. Do CDNs such as Cloudflare, Google Fonts etc log and analyse usage behaviour?

Regardless, I agree, it will be very interesting to see what will happen when all these external services are dragged into GDPR cases. Lots of sites includes fonts, chat widgets, buttons and other stuff that track behaviour without being consented by the user and left out of their privacy policies.

It is interesting how with the many copyright and data protection acts and rules, that the EU is, in effect creating a whole new type of decentralised firewall for content for want of another way of perceiving it all.

Though this is a firewall for the people against business practice/malpractices. Which is a good thing. I'm sure there will be many cases of this causing issues, but on the whole, it does fall in the favour of the end-user, us the people.

I say firewall, more an IDS that reacts to breaches. But it is good how they are at least not ignoring and overlooking such details and this is a fine example of it being well thought out.

What exactly is the data being transferred? It is that the user has visited the site, correct?

The only way the third party site can know that is via third party cookies, or attempting fingerprinting as a third party iframe. Do you see any other way?

I thought that the EU already realized that this is a matter of cookies - in this case third party cookies of a site that you HAVE logged into. Browser makers should just let the user make a decision whether they want the requests to be automatically sent with third party cookies in this case — OR to explicitly approve every single time they log in using oAuth or want to share something.

Whatever happened to this proposed law from 2017, which correctly realized that it’s the Browser’s responsibility to let the user select the cookie policy they want:


> or attempting fingerprinting as a third party iframe

That's essentially what a Facebook like button is

Do facebook Like button really matter anymore? I mean my page has over 5000 likes but there's almost nil traffic on my blog through my page. I have removed like button from my website and nothing has been impacted

It matters for Facebook tracking users in exchange for the "opportunity" of increasing traffic. Of course most of this traffic only occurs if you pay for it.

Not to mention that from what I've seen most of the traffic you'll get from Facebook originates from click farms.

Yeah, Facebook pages are pay for view platform. Paying for FB does not make any sense if you are a blog or something

Facebook pages are a dead channel. Basically, Facebook chokes and monetizes every channel that brings traffic. Next up is groups.

One thing that bugs me, is you cannot promote groups directly... you have to create a Page for your group... even if the page is a useless placeholder.

Ha true. And you HAVE to download Facebook's app on your phone (500MB app) to prove you're not a Russian troll. Do not even bother with the page, pages are Facebook's way to trick you into paying endlessly to "boost your post"

Yeah, that's the other niggle, it feels like a never ending stream of upsell/spam once you do make a page.

It’s not about getting “likes” on your FB page. It’s used as a tracking pixel to target specific users of your site for retargeting etc


IMO, decent websites have been using something like that for a long time (the small subset of them that have like buttons, that is), so nothing will change for them.

Yep, I seen this on Bruce Schneier's blog[1] back in 2013.

[1] https://www.schneier.com/blog/archives/2013/03/changes_to_th...

The important crux of the problem is that the current model for all “like”/“social” buttons is that simply including the link grossly violates your user’s privacy.

Why should I have to surrender my privacy to read an article on your site? Why do you think that it’s ok?

The only time your site should be sending tracking information to someone your users have not explicitly stated they want you specifically to share is when they have actually interacted with the button. Not a mouse over, not a resource load, not an invisible overlay.

The user has to consciously opt to do that.

If you can’t ensure that your site isn’t abusing users/readers you need to gate all your pages with a page stating that you will be providing other companies with tracking information that provides your browsing history. You should also list all of the companies you will be sending that data to.

If you don’t want to do that because it will hurt “engagement” or “conversion” that’s your problem.

Alternatively you could have a banner that says “you’ve used our site so we sent information about your browsing history to these companies, and there is no support for deleting that information. We recognize that you may not like that but we don’t care about your privacy, and have no intention to preserve it”

That is an issue with the browser implementation, I think.

No. A browser is required to load resources whether or not they come from the same domain (otherwise you break all sites using CDNs, multiple servers for load, etc)

The browsers (well Safari at least) actively work to break those things being used for tracking, but fundamentally (and the reason FB, etc require you to embed JS that loads their trackers) tracking companies treat user privacy systems as an adversary and continuously update to defeat it. Look at Google circumventing it in the past (and being hit with fines because of it). Nowadays they’re simply more clever in not crossing legal lines.

That is a different problem, of requiring too many resources just to load a document.

"A browser is required to load resources whether or not they come from they come from the same domain "

False. A browser could easily be configured to block or prompt before loading 3rd party content (early versions of IE used to do this). It would be very annoying, but it's possible and that's where we're slowly going with all the cookie/gdpr popups. There's always a tradeoff between security and convenience.

People are trying to legislate what should be a technical solution.

Would this include ad-tech, like advertising cookies and other tracking stuff (specifically, not Facebook / google ones)?

Almost certainly.

Read paras. 71-81 in the judgment[0] - it sounds to me like 3rd-party advertising would be covered by the same logic.

[0] http://curia.europa.eu/juris/document/document.jsf?text=&doc...

What bugs me, is most sites dealing with the issue throw up an "Accept" button with whatever blurb in place, but they're already including the metrics/etc scripts before accept happens.

I mean, I get it... but the whole point was to stop the behavior, not side step it.
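An added example, not part of any comment in this thread: a small static audit of a page's markup that separates third-party hosts contacted as soon as the page loads (scripts, iframes, images, stylesheets) from hosts reached only when the user clicks a link. The page URL, host names and sample HTML are constructed, and the first-party test is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute the browser fetches automatically on page load.
AUTO_LOAD_TAGS = {"script", "img", "iframe", "embed", "audio", "video", "source"}
# <link> causes a network request only for some rel values.
LINK_FETCH_RELS = {"stylesheet", "preload", "prefetch", "icon",
                   "preconnect", "dns-prefetch"}


class ThirdPartyAudit(HTMLParser):
    """Collects third-party hosts by how the visitor's browser reaches them."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.on_load = set()   # contacted without any user action
        self.on_click = set()  # contacted only if the user follows a link

    def _third_party_host(self, url):
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host is None:
            return None  # mailto:, javascript:, data: and similar
        # Simplification (assumption): same host or a subdomain of it counts
        # as first party. A real audit would compare registrable domains
        # using the Public Suffix List.
        if host == self.page_host or host.endswith("." + self.page_host):
            return None
        return host

    def _record(self, bucket, url):
        host = self._third_party_host(url)
        if host:
            bucket.add(host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in AUTO_LOAD_TAGS and a.get("src"):
            self._record(self.on_load, a["src"])
        elif tag == "link" and a.get("href"):
            rels = set((a.get("rel") or "").lower().split())
            if rels & LINK_FETCH_RELS:
                self._record(self.on_load, a["href"])
        elif tag == "a" and a.get("href"):
            self._record(self.on_click, a["href"])


def audit(page_url, html):
    """Return sorted third-party hosts contacted on load and on click."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"on_load": sorted(parser.on_load),
            "on_click": sorted(parser.on_click)}


# Constructed sample: an embedded social widget and a tracking pixel next to
# a self-hosted "like" image that merely links to the social site.
PAGE_URL = "https://shop.example/item/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=Foo">
<link rel="canonical" href="https://shop.example/item/1">
<script src="//widgets.social.example/sdk.js"></script>
<script src="/static/app.js"></script>
</head><body>
<iframe src="https://widgets.social.example/like?href=shop.example"></iframe>
<img src="https://pixel.metrics.example/collect?id=1" width="1" height="1">
<a href="https://social.example/share?u=https://shop.example/item/1"
   rel="noopener noreferrer"><img src="/img/like.png" alt="Like"></a>
<a href="mailto:privacy@shop.example">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    result = audit(PAGE_URL, SAMPLE_HTML)
    print("Contacted on page load (before any consent click):")
    for host in result["on_load"]:
        print("  ", host)
    print("Contacted only when the user clicks:")
    for host in result["on_click"]:
        print("  ", host)
```

A static pass like this misses requests that scripts add at runtime, so it gives a lower bound on what a page sends before the visitor presses "Accept".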

Can this verdict be extended to cover Google analytics and all other 3rd party tracking?

Sure, but that's already covered - you need to have a data processing contract with Google to use GA while being GDPR compliant. You'll have to do the same with Facebook for their buttons now, FB will provide an agreement and you sign it pro forma and that's it, I guess.

> you need to have a data processing contract with Google to use GA while being GDPR compliant

That is true...unless you are not based in the EU and don't "envisage" (a term used in the GDPR) serving EU customers. Then you don't have to deal with any of this nonsense and are free to add whatever like buttons/analytics solutions you would like. A US site that doesn't offer translations in European languages, doesn't accept EU currencies, and doesn't use an EU domain extension, is not subject to GDPR - even if EU users can access it.

"Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."

That's what I really like about the EU. At least sometimes it tries to serve its people.

Agree, IMHO the EU government is the most concerned with citizen's/users' rights. As it must deal with the pressure from so many different member states, more often than not it acts only when its actions can have positive effects on citizens and users, even if many times that is not fully perceived at national level

This sounds like a great precedent.

A side project of mine, starting in the Junkbuster days, is fighting cross-site tracking/profiling, and almost every Web site does it at least a little. Legal precedents suggesting liability for that seems huge, and maybe end the technological arms race (which I think the privacy&security people will otherwise ultimately lose).

> Bitkom, a German trade federation for online businesses criticised the ruling, saying it would heap costly bureaucracy on firms without enhancing consumer protection.

What cost is involved by not embedding third party beacons on your website?

How does it not improve consumer protections? It's literally stopping doing the thing that is causing harm.

> “With its decision, the ECJ places enormous responsibility on thousands of website operators – from small travel blogs to online megastores and the portals of large publishers,” Bitkom CEA Bernard Rohleder said.

Yes, this is exactly how serious this situation is. I'm glad you're getting a handle on just how damn huge this problem really is. Aren't you glad we're finally doing something about it?

> He warned that the decision would go beyond Facebook and effect all social media plug ins, which are important for many firms to expand their reach on the web

Uh, yes, that's the idea? Your firm's right to expand their reach does not overrule my right to privacy.

People can still share and like your links on the social platforms. It doesn't require me to be forced into it.

Mind that Bitkom claims to represent German IT companies, but its leading members are (among others) Google (Google Commerce Limited, Google Germany GmbH), Facebook Germany GmbH, Microsoft (Microsoft Deutschland GmbH, Microsoft Ireland Operations Limited, LinkedIn Germany GmbH) https://www.bitkom.org/Bitkom/Mitgliedschaft/Mitgliederliste

The board (Präsidium) includes the CEO of Microsoft Germany, IBM, Hewlett-Packard, Samsung as well as SAP (they are at least German), Vodafone, Deutsche Telekom, etc. https://www.bitkom.org/Bitkom/Organisation/Praesidium

Bitkom is known to promote weak privacy rules and big data analysis.

Bitkom criticizing it would be expected as it's a lobby group for "Neue Medien" and "Digital Transformation" and many of their members are AdTech and Analytics companies. https://lobbyfacts.eu/representative/3d75bcd811c04ccfbfa6d0c...

> it's a lobby group

With weak arguments like those it seems it's not a very good one..

And Google Analytics tracking system? I guess every site on earth has it!

Simpleanalytics is a nice alternative with a lot less tracking. It’s still analytics, just a bit less invasive

Simpleanalytics is extremely expensive for what it does.

Good. The sooner the like button and all the other 'social media' plug ins disappear the better. It's trivial to host the button and the link on your own pages. That way only the actual likes get counted.

For those that want to show official Share Counts on their Share Buttons while maintaining User Privacy, take a look at Shareaholic's Share Count Proxy -


Share Count queries to the Social Networks are proxied through this service securely and visitor privacy is protected... like an anonymous VPN.

I'm not sure a company that says "Imagine being able to capture, analyze, and re-target any person on any ad platform that clicks on any of your links on any marketing channel" is one that should be trusted with anyone's privacy.

Shareaholic offers many different types of marketing tools. The product that you're referring to is the URL shortener, which is independent of the Share Count Proxy product -- https://www.shareaholic.com/link-manager/retargeting

This URL Shortener service is also GDPR compatible as retargeting pixels are not set for EU subjects regardless of what customers want to set. In the roadmap is to add an opt-in message on the redirect.

I get that you offer different types of tools, but my point is that trusting one company that markets tracking to anonymize the tracking of another company that markets tracking seems backwards regardless of if you say that this specific product actually does tracking or not.

Coming in cold, that's a very fair concern/comment. I generally believe that products can be privacy-first but still serve the needs of marketers while providing consumer choice. Consumer choice is the key in my opinion. Shareaholic tools do what the customer sets them to do, with opinionated safeguards to prevent customers from missteps with regards to GDPR and consumer choice. For example, Shareaholic is one of the very few that also respects DNT signals (even though DNT is now defunct).

Btw, Share Count Proxy is also whitelisted by Firefox which provides the added advantage of share counts actually showing on Firefox if you use the proxy while direct calls to Facebook.com, Pinterest, etc are blocked.

The entire Cookie warning fiasco should never have been about cookies. That scared people from using cookies - even authentication related ones. It should have been about connecting your browser to unrelated domains owned by a third party. I mentioned this in a previous post, but when you're logged into your CVS pharmacy account I get tons of connections to Facebook.

Everything that stops them from feeding my shadow profile to FB is welcome. I never gave my consent for that shit.

what's really missing in all this GDPR and privacy discussion is a technical way to enforce it. If you have a large multinational company with 50 TLD's you might have several hundred (including all the subdomains) that are Internet facing.

For a company on that scale to remain compliant to things like cookie law (mention every cookie and what it does for opt-in) there is no easy way to see if you're compliant. We need some standard (like security.txt) which defines how cookie data, impressum or other site specific links are expected which has to be machine readable. Right now every company creates its own mess of html which is no fun scraping to figure out if the company is compliant or not. (yet scraping is what everyone in compliance expects to happen).

I wonder how these laws can be enforced without creating a huge administrative backlog.

For this there's an e-privacy regulation in the works[1] but it already took a lot of time... GDPR only got as much support as it did because the Snowden leaks happened shortly before the vote.

As I understand it, it will include things like Do-Not-Track and a better cookie banner legislation, which makes the banners less common.

Enforcement is trickier. Let's wait for a few more rulings and see if that's enough.

[1] https://ec.europa.eu/digital-single-market/en/proposal-epriv...

”Right now every company creates its own mess of html which is no fun scraping to figure out if the company is compliant or not.”

I fail to understand how anybody could scrape a web site to figure out whether it is compliant with the GDPR. For example, if I claim my site encrypts your data at rest, how do you verify it by scraping the site? If I say I don’t share your data with third parties, how do you verify it by scraping the site? If I say I throw away the encryption key when you delete your account, how do you verify it by scraping the site? if I say that, after deleting your account, all data is gone after at most 30 days, how do you verify it by scraping the site?

>what's really missing in all this GDPR and privacy discussion is a technical way to enforce it.

The GDPR isn't solving a (purely) technical problem. It applies even if you're using a pen, paper, and a filing cabinet just as much as if you're running a global social media platform.

What's the technical solution to showing compliance with "data protection by default and by design"?

What's the technical solution to ensuring that "only personal data which are necessary for each specific purpose of the processing are processed"?

These are inherently organisational issues, not technical ones.

This is a great ruling, big win for privacy advocates and Europeans!

a side effect of the ruling is that now facebook is NOT liable for that consent, and google is not liable for analytics / adsense. Will the EU start going after the little guys now?

You are wrong.

Facebook and FashionID are joint data controllers, and FashionID aren't liable for additional processing that Facebook does with the data.

If consent is the legal basis upon which the processing is based then both entities must have consent.

Since facebook does not interact with the user, fashionId is responsible for getting consent to send that data to facebook. It's how all the ad cookie prompts work.

Tears of joy.

As the very structure of the Internet crumbles due to over regulation?

Maybe the internet was a bad idea. Maybe the whole neolithic revolution was a bad idea.

In the beginning, the universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

And google analytics tracking system? I guess every site on earth has that.

That's already covered, FB is now treated more like GA in that you need to have a valid data processing agreement with FB if you're embedding their like buttons or you're not GDPR compliant.

GDPR needs to be sharpened to state that you can’t even show a different service at all based on consent relating to third party data sharing.

That is: “to give you this service we need to store some info” - OK.

“To give you this service we need to share info with advertisers” - not ok.

That is: you need to be able to provide the service using only non targeted ads if the user wants it.

I think GDPR requires website owner to inform users what exactly is being processed and by who. The problem for website owners is that Facebook won't really tell what data they process and who will they share it with or they do not seem to allow to revoke consent.

oh lordy

The EU is out of control and is ruining the Internet.

The EU is the only actor that has taken a hard look at itself as to what it has let happen to people's privacy and security online.

This is asinine. If you don't like websites including resources from a 3rd party you can block third-party connections, install a blocking extension. We don't need an authoritarian government to make these decisions for us.

Mark my words. This is going to have enumerable unintended consequences and the Internet will suffer for it. Fuck the EU.

> We don't need an authoritarian government to make these decisions for us.

Yeah man, just like people self-regulated to only drive at safe speeds, always wear seat belts, not hand over money to scammers.

Pray tell, how is the EU authoritarian? You do know that every EU government member is elected, either directly or indirectly, by the EU citizens, right?

I agree; if you do not want cookies then you can just disable it in the client, and if you do not want it to load third-party scripts or images, then you should disable that, and so on; the cookie warnings and all of that stuff is not helpful.

(Perhaps a better requirement would be to require the browser distributors to include warning labels about such features if they are done automatically.)

I don't see the reason why tracking and data collection should be opt-out.

If you do not like the idea that you own your data, not companies, then you can give your consent to process data to everybody.

That is not quite what I meant. What I meant is independent of opt-in or opt-out, but is rather saying that such features in the browser should be and must be configurable, and that is separate from the issue of consent. (Maybe they should disable third-party cookies by default, or whatever, but it will work either way.)

What they will do with the data you give to them, is a separate issue than the web browser. The company you are dealing with still needs to have a proper policy for that, but that is different than the issue of the client configuration.

Requiring a warning message about cookies on the web page is not helpful, because that is the wrong place to put it; the browser can provide its own such warning, and the user can configure it. (Lynx provides the possibility to ask when a cookie is received.)

So, the actual problem is the browser providers designing them stupid, and making them so complicated that it is difficult to make up a new one which is actually good.


Is it also sufficient to you if the other guy that's crashing into your car's rear end at insane speeds promises to "self-regulate" his top speed next time?

If some guy is stupid enough to make that mistake do you think a law is going to stop him?

I would guess the existing law on speed limits effectively stops thousands of these guys. It's however hard to prove this without an alternate reality in which there are no speed limits whatsoever.

This is totally insane. Stop ruining the internet before it's too late, EU.

This is totally sane. I don't ever want my browser to contact Facebook and Twitter when I'm visiting unrelated websites. This was bullshit from day one. Please do continue!

edit: I hope that this will also hold for Google with reCAPTCHA and Analytics.

That part won't change, though. It's now just that the website owners need either your consent or legitimate interest as defined in GDPR + they need to have a data processing agreement with Facebook. It adds a formality, but it won't have a lasting impact.

Well, I hope that at least some websites will opt for using an image they host themselves instead of adding this formality. This has to hurt user experience, no?

On the other hand, I guess this is only one more checkbox to tick among the checkboxes we already have to tick.

A self-hosted image + link adds friction, so I don't think that a lot of the mainstream sites (that aren't privacy conscious and do it already) will do it. And, of course, many shops already use Facebook tracking pixels to target visitors that didn't buy anything, so they have very little interest in keeping FB out.

> It adds a formality

It’s more than a formality, it means that either party could get sued if they violate the terms of the agreement.

Having contractual relationships in place is common in this type of legislation. HIPAA regulations require formal contractual relationships with suppliers and contractors.

I don't see any legitimate interest of contacting Facebook on every page.

> the website owners need either your consent or legitimate interest as defined in GDPR

Well the part companies don't seem to "get" is that this consent should be informed and voluntary, which means opt-in and not only available after 3 minutes of jumping through ridiculous hoops to opt out.

The problem is the or part. They will generally claim legitimate interest ("we need this to fund our operation, FB helps") just as they do with analytics and ads. When they can show legitimate interest, they don't need consent, they only need to inform about the collection and inform you about your rights.

I'm with you that consent before action would be the right way to go. But since we can't rely on sites to be ethical, it'll stay the browser's business to protect the user.

I don't know how other countries are doing, but Germany's officials are apparently very understaffed, so complaints will regularly sit for months and they won't have a lot of time to understand the details, so I don't put my trust in oversight for the foreseeable future.

"It makes us more profitable, tough" is patently not a legitimate interest, and would fail the balancing test (the individual's interest overrides the legitimate interest). If it were as simple as "it helps fund our operation", the whole of the GDPR would be instantly rendered toothless as why else would they gather unnecessary data? It would open a "loophole" that lets everything through.


Don't know of Germany's position but the UK's ICO added significant staff and budget when the switch from Data Protection to GDPR came in.

From all I've heard, making a profit isn't overridden by the individual's interest not to be tracked - otherwise, Google Ads wouldn't exist in Europe, at all, and Remarketing especially not.

It's not unnecessary data - FB needs that data to target users with ads, the shop needs FB to show ads to people that are likely to buy what they've been shown. I do agree with you that this would be very different if there was no business interest in tracking users, but there is.

As far as I know, remarketing hasn't yet been shown to be valid at all under GDPR. Someone probably needs to make a test complaint. There may already be one in the works. It's but a detail within the general case of Google or FB advertising in general.

Google Ads have already been fined €44m under GDPR, and I believe there is another case already in the French system.

Showing ads is not the service provided as no one at all would accept them optionally. FB, and Google, should be targeting in non-personal ways even where that necessitates less targeting. That was part of the point on which Google got their €44m fine.

As seen in TFA, the web of third party tracking appears more liable, and in need of consent than many, particularly American companies with a vested interest, have claimed whilst hiding behind those.

> "we need this to fund our operation, FB helps"

As far as I am aware, and I'm fairly certain about this: funding is not a valid legitimate interest under GDPR. If it was it would be a loophole big enough for a medium sized planet ;-)

Funding is a legitimate interest, it's at the very foundation of legitimate interests: companies need to make money to exist. "We need this to make money" is basically all they have to say - it's why Google/FB Remarketing, Cross-Network ID-Sync so all the networks have a unique ID of you when they talk to each other etc is still a thing.

The difference is that they now have to inform you that they are doing it, who is involved and who to direct requests for information / deletion to.

> Funding is a legitimate interest, it's at the very foundation of legitimate interests: companies need to make money to exist.

I think "legitimate interest" has a different meaning in the context of GDPR. I'm fairly certain about this, but you don't need to take my word for it: https://duckduckgo.com/?q=gdpr+%22legitimate+interest%22&t=h...

As I said: if your interpretation was correct (in this context) it would be a loophole so big it would make the rule meaningless.

> The difference is that they now have to inform you that they are doing it...

I don't think so. AFAIK the difference is they now need to make it opt in and voluntary.

> As I said: if your interpretation was correct (in this context) it would be a loophole so big it would make the rule meaningless.

That's my point - actually, not a lot has changed. There's just larger fines and more bureaucratic hoops.

It's why you still do see all kinds of tracking - but you'll now get information about it.

Did you try the search I gave you?

Yes, and I've also talked about this on multiple occasions with a lawyer friend who works in privacy law. A typical claim to legitimate interests would be for optimizing the website and ads on the website for example. It's so commonly used exactly because it's a very simple one-size-fits-all approach.

I have not heard statements going against this from any lawyers.

Was this a European or American lawyer?

I'm interested because my understanding has been most Europeans understood it the same way I did.

European, from Germany.


Not saying I fully believe that explanation yet, but I'll try to find out more.

BTW and FWIW: I'm not the one downvoting you and I disagree with those who do.

> "It's so commonly used exactly because it's a very simple one-size-fits-all approach".

ICO says this [1] about choosing a lawful basis: "You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR."

I think I'll stay clear of your lawyer advice.

[1]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

From the article:

> According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.

This is categorically false. The site that embeds the like icon is sending absolutely nothing to Facebook. The user's browser is the one sending information. You have control over your browser. You can do something about it if you don't like it.

The EU's regulations infantilize the public and remove consumer choice.

How is it removing consumer choice to ask for their consent?

Many sites who just don't want to deal with the regulation will simply not offer anything from a 3rd party on their site. That is the least risky approach and most businesses paying attention will do that.

Yeah, stupid business people abound. If those offers are really interesting to the users, those sites will be replaced by better run ones, who correctly calculate the risks.

> The site that embeds the like icon is sending absolutely nothing to Facebook. The user's browser is the one sending information.

Sites run both on the server and on the browser. Are you saying JavaScript is not part of the site?

The execution of the JavaScript does not occur on the company's resources. It occurs on the visitor's computer, over their own Internet connection. Both which are in their full control.

The sentence is still correct, not "categorically false".

> Both which are in their full control.

So is your car when you leave the car wash, yet if they had put something damaging in the gas tank, I'm betting you'd complain about them.

I'd complain. I wouldn't demand from them millions of dollars or suggest they be locked up in a cage like the EU would.

Complaining makes sense, but when you've been doing it for twenty years (the Data Protection Directive, which prohibited many of the same behaviours but didn't impose specific penalties, is from 1995) and you see that businesses keep recklessly doing the same behaviours, you might learn what economists have been saying: they only respond to incentives, and so the EU had to set some if it wished to see its complaints taken seriously.

And so the EU joined the US in fining companies a few million for privacy violations.

EU shooting themselves in the foot with all these data rulings. Innovation will never happen there, US tech products will slowly suck the wealth out of European nations, much like China manufacturing sucked the wealth out of the US manufacturing sector.

Needing consent for sending data to Fb is only consequential and consistent with the law's goals. It's been good practice on decent German sites for a long time to present social media buttons as greyed-out icons to indicate tracking code by those third parties is only embedded on the linked page.

Interesting, I would have thought that one of the few UI conventions that is fairly universal is that buttons are greyed out if they are inactive. I'm certain that many people will never click a greyed out button for this reason.

Not quite greyed-out as in disabled. Not sure merely using a b/w logo without logotext will work out with today's flat designs and usage habits. I remember it being used when minimal design wasn't as common as today, and the icons would stand out (or rather fade into the background).

Is that what being greyed out is supposed to convey? I thought it was just another UI design.

It certainly does not convey that intuitively. Nothing's preventing Facebook from presenting greyed out versions of their icons, for example.

True. It's just been a convention on tech-related sites for their above-average privacy-aware audience.

I think you're putting too much weight behind the like button here. It will be replaced by something else or stripped down to a version without any identifying properties, which I see as a win-win.

> Innovation will never happen there

How does forbidding hostile user data harvesting mean that innovation will never happen?

Less innovation in user-hostile practices, of course!

Unfortunately it probably means the opposite. Make it harder to track users and these companies will innovate in the area of user tracking.

It will also cause innovation in user data protection though?

Do you have some sort of timeline for this “sucking of wealth from European nations”? What are some of the actions/consequences as you see them?

Or, just possibly, Americans will wise up that surveillance capitalism is a net negative in the long run.

Heh, as an American I only wish. Every day it seems like the surveillance of all kinds gets worse.

I would vastly prefer the "US innovation" ideology to stay the fuck over there, and we keep our privacy rights.
