Hacker News new | past | comments | ask | show | jobs | submit login
(Un)Informed Consent: Studying GDPR Consent Notices in the Field [pdf] (ruhr-uni-bochum.de)
28 points by Tomte 9 days ago | hide | past | web | favorite | 14 comments

When I browse the web, it feels like 100% of websites do it wrong. Consent needs to be active and cannot be enforced unless technically necessary.

Telling people "by continuing to browse, you accept our cookies" is wrong. You need to clearly offer a decline option and you can NOT force people out the door when they dont want to be tracked.

Nobody does this right.

Consent form is not needed when cookies are technically necessary. If user's login state or shopping cart would break if they didn't store a first-party cookie, you don't need to ask them for consent for that cookie (as long as it's limited to that purpose).

In other words: if a site displays a consent form, it's already doing something wrong. Not horribly wrong - that's why it's a consent form requirement, and not immediate fine or jail time for the site operators - but wrong nonetheless. GDPR is purposefully structured in such a way that consent is needed only for things that are abusive to users, or were found to carry a significant risk of being used to abuse users.

> GDPR is purposefully structured in such a way that consent is needed only for things that are abusive to users, or were found to carry a significant risk of being used to abuse users.

What the regulators intend is one thing. What paranoid legal teams, particularly common law legal teams, think is another.

And the user has to opt-in voluntary. Checking (and hiding) all boxes by default doesn't imply consent.

Almost 100%.

I'm always pleasantly surprised when some outlet does seem understand the GDPR, or at least not weasel their way out of it in a most obvious manner.

Following a link to theatlantic.com just a few hours go was such a pleasant surprise.

What's more: I noticed I trusted the reporting more. If an outlet can't or won't understand the GDPR, why should I trust their journalism?

It also made me wonder why, apart from non-deceptive "I accept" and "I do not accept" options, there was a "Set my preferences" option. Turns out they also offer cookie tracking without 3rd parties, which is fair enough, I guess.

The bottom line is that it's a sad affair that transparency and clarity are not a given for serious news outlets and protecting their readers' privacy is very much seen as optional.

It's nice to see some--if few, do try to make an effort. I hope the effort is enough to give them a competitive edge, at least until the various enforcing agencies get around to weeding out the non-compliant ones.

Doing it right would lead to almost nobody accepting cookies (0,1%), so you can stop using cookies and you no longer have to ask for permission.

Except not. Cookies (and just generally browser storage) for authentication and other purely functional needs are fine without any disclaimer nonsense.

Of course folk get creative and declare Google Analytics "purely functional." Really, Butlerian Jihad can't come soon enough.

Most of these opt-outs are nearly useless because they require so much effort. (And of course this is by design.) I personally prefer just using uBlock Origin and a DNS black hole. It's less effort, and it's more likely to prevent abusive behavior. (And it also cleanses the internet of most advertising.)

It's true that most websites outside Google/fb etc just don't get it right. Makes you wish that google/FB could silo in all the web's content so peoples privacy can be better protected

I remember the FB consent process that was worded in a very specific way to create fear within the user when no consent is given. That was not cool.

The results explain why I keep running into Oath (and Q..something) popups that only present a single button "Confirm" to give consent, with minimal information on what that means. There's usually a de-emphasized link to change the hidden consent settings, with a hundred checkboxes, all on by default. It's downright insulting and malicious.

Choices (visible):

- No option (27.8%)

- Confirmation with no opt-out (68%)

- Binary (3.2%)

So ~96% of websites sampled are not GDPR compliant, inadvertently or intentionally.

I agree with the conclusion of the study:

"The business model of online behavioral advertising, which targets ads based on large amounts of personal data, should be challenged, and alternative models like privacy-friendly contextual advertising or other ways of monetization for web services need to be developed."

> Our results further indicate that the GDPR’s principles of data protection by default and purposed-based consent would require websites to use consent notices that would actually lead to less than 0.1% of users actively consenting to the use of third-party cookies.

Tough cookies.

"Users don't care for privacy," has been said to me so many times, justifying questionable decisions. This blows such a huge hole in that it's silly.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact