Telling people "by continuing to browse, you accept our cookies" is wrong. You need to clearly offer a decline option and you can NOT force people out the door when they dont want to be tracked.
Nobody does this right.
In other words: if a site displays a consent form, it's already doing something wrong. Not horribly wrong - that's why it's a consent form requirement, and not immediate fine or jail time for the site operators - but wrong nonetheless. GDPR is purposefully structured in such a way that consent is needed only for things that are abusive to users, or were found to carry a significant risk of being used to abuse users.
What the regulators intend is one thing. What paranoid legal teams, particularly common law legal teams, think is another.
I'm always pleasantly surprised when some outlet does seem understand the GDPR, or at least not weasel their way out of it in a most obvious manner.
Following a link to theatlantic.com just a few hours go was such a pleasant surprise.
What's more: I noticed I trusted the reporting more. If an outlet can't or won't understand the GDPR, why should I trust their journalism?
It also made me wonder why, apart from non-deceptive "I accept" and "I do not accept" options, there was a "Set my preferences" option. Turns out they also offer cookie tracking without 3rd parties, which is fair enough, I guess.
The bottom line is that it's a sad affair that transparency and clarity are not a given for serious news outlets and protecting their readers' privacy is very much seen as optional.
It's nice to see some--if few, do try to make an effort. I hope the effort is enough to give them a competitive edge, at least until the various enforcing agencies get around to weeding out the non-compliant ones.
Of course folk get creative and declare Google Analytics "purely functional." Really, Butlerian Jihad can't come soon enough.
- No option (27.8%)
- Confirmation with no opt-out (68%)
- Binary (3.2%)
So ~96% of websites sampled are not GDPR compliant, inadvertently or intentionally.
I agree with the conclusion of the study:
"The business model of online behavioral advertising, which targets ads based on large amounts of personal data, should be challenged, and alternative models like privacy-friendly contextual advertising or other ways of monetization for web services need to be developed."