I would say the most I see have accept, reject and manage preferences as buttons, normally with manage preferences being a link rather than a button. The dark pattern you describe isn't on any big business websites for example.
Out of curiosity, you mean against the spirit of the GDPR rather than the letter of it, right?
The spirit, and the letter too. (It's quite a well-written law.) Article 7, "Conditions for consent":
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
> It shall be as easy to withdraw as to give consent.
Being as easy to withdraw as to give consent is technically a different thing from being as easy to refuse as to give consent, since consent that is refused was never given in the first place but consent that is withdrawn was previously given. But yeah, courts have been clear that both of these actions must be as easy as giving consent, and both requirements are too often not complied with.
The law says that it should be easier to refuse consent than give it. That's thoroughly implied (and then there's Recital 43, if the text of the law isn't clear enough for you).
Separate from my other reply to this comment: withdrawing consent and refusing consent are two different things. If it's difficult for someone who previously granted consent to subsequently find the screen where they need to click the reject button, that's not legally compliant.
Nope, including EU big business sites as well. There are also EU big business sites which illegally claim the legitimate interest basis for advertising and tracking purposes of data processing which have already been ruled by the courts as not acceptable justifications for the legitimate interest basis.
> The non EU sites are due to the EU trying to claim global jurisdiction.
The EU is trying to protect the data of the people in the EU. There's no way to do that while allowing companies outside the EU to freely violate the privacy of people in the EU. Otherwise these rules become laughably easy to circumvent for all but the smallest EU companies which are also the least dangerous from a privacy and tracking perspective.
> The EU are very much to blame for the popups, because even the non dark-patterns one are annoying.
Disagree. They're not supposed to be annoying enough to impair site usability. The truly compliant ones aren't.
Maybe some, but generally businesses are not breaking the law willy nilly like that.
> There are also EU big business sites which illegally claim the legitimate interest basis for advertising and tracking purposes of data processing which have already been ruled by the courts as not acceptable justifications for the legitimate interest basis.
And did the EU follow up?
> The EU is trying to protect the data of the people in the EU.
The problem is it's unenforceable nonsense and has led to this foolish cookie popup situation.
If they had limited it to entities with a presence in the EU, it would have worked better. At the moment it applies to some malicious Chinese teenager who blatantly wants to collect and sell the data of Europeans who visit his self-hosted low-traffic blog.
> The truly compliant ones aren't.
Yeah, they really are. It's still something you have to interact with to make it go away.
If your response says something like "if companies don't track they won't need a popup", then you have missed the point.
> I would say the most I see have accept, reject and manage preferences as buttons, normally with manage preferences being a link rather than a button. The dark pattern you describe isn't on any big business websites for example.
I can accept that our website visiting patterns, and maybe our specific countries of residence within the EU, expose us to different experiences in this regard. I stand by my statement as a description of my own personal experience, but I'm willing to believe your own personal experience too.
It's also possible that I've increasingly realized that "reject" allows the companies to get away with illegally misusing the "legitimate interest" basis for data processing, so I've mentally stopped assuming that it means what it says because it often doesn't. See below for more on that.
> Out of curiosity, you mean against the spirit of the GDPR rather than the letter of it, right?
No, I mean against the letter of it as well. The free, informed consent which the letter of GDPR requires according to public and legally binding official interpretations (such as from the European Court of Justice) is not present when those dark patterns make it harder to refuse consent than to grant it.
Similarly, EU courts have been clear that simply wanting to do a bunch of tracking to facilitate more profitable personalized advertising does not legally justify the legitimate interest GDPR processing ground, but so many sites default to allowing processing based on "legitimate interest", including when you click reject for the consent question, for many of the same advertising/tracking partners where the "consent" basis is off by default. They also don't usually have a way to object en masse to these, and it's often tricky to correctly click off every single "legitimate interest" button which is falsely and illegally claimed to be a valid legitimate interest.
Plus, I've heard reports that many sites set these cookies even before consent is granted, and/or don't properly respect the refusals of consent and objections to legitimate interest processing. However this is from memory and I don't have stats or evidence to back up this statement.
The problem in all of these respects is primarily very weak and reluctant official enforcement of the rules by the relevant Data Protection Authorities and very low fines when they do enforce them. It's more profitable for companies to take the risk on genuine GDPR compliance, beyond some mild public-facing lip service and the lowest-effort bit of engineering they can do to underpin the public-facing lip service.
> I can accept that our website visiting patterns, and maybe our specific countries of residence within the EU, expose us to different experiences in this regard. I stand by my statement as a description of my own personal experience, but I'm willing to believe your own personal experience too.
I appreciate your attempting to reconcile different anecdotal experiences. In the spirit of objectivity however, I would insist that big businesses are not breaking the law.
> The free, informed consent which the letter of GDPR requires according to public and legally binding official interpretations (such as from the European Court of Justice) is not present when those dark patterns make it harder to refuse consent than to grant it.
I think here we've shifted the problem to dark patterns. The problem though is with the popups at all, because even when they are compliant, they are no less annoying, just slightly more clear.
> The problem in all of these respects is primarily very weak and reluctant official enforcement of the rules by the relevant Data Protection Authorities and very low fines when they do enforce them.
They probably shouldn't have claimed global jurisdiction then. Since that's a big part of what has resulted in so many poorly done cookie banners.
> I appreciate your attempting to reconcile different anecdotal experiences. In the spirit of objectivity however, I would insist that big businesses are not breaking the law.
Take a look at the many GDPR violation complaints which noyb.eu has filed against big businesses, almost all of which they eventually win in court. Yes, many big businesses are in fact breaking the law in this regard.
> I think here we've shifted the problem to dark patterns. The problem though is with the popups at all, because even when they are compliant, they are no less annoying, just slightly more clear.
The truly compliant ones are far less annoying. They all generally need only a single click to refuse consent, and they are also easy enough to ignore while using the site without ever responding to the banner at all.
> They probably shouldn't have claimed global jurisdiction then. Since that's a big part of what has resulted in so many poorly done cookie banners.
It's also essential to actually achieve the goal of protecting the data of people in the EU, much of which is done by companies which are based outside the EU. Do you not see the big truck-sized loopholes which would exist without that? All they would then have to do is change the website's contracting legal entity to a foreign partner or parent company and then they could refuse data subject access requests, track without consent, and so on if the jurisdiction provisions in Article 3 were as narrow as you're advocating.
> Yes, many big businesses are in fact breaking the law in this regard.
Define big business here. Coca Cola? IBM? Amazon?
> The truly compliant ones are far less annoying. They all generally need only a single click to refuse consent
No, they are still annoying. It's still something you are forced to interact with that diverts your attention.
> It's also essential to actually achieve the goal of protecting the data of people in the EU, much of which is done by companies which are based outside the EU.
The problem is it's unenforceable nonsense and has led to this foolish cookie popup situation.
If they had limited it to entities with a presence in the EU, it would have worked better. At the moment it applies to some malicious Chinese teenager who blatantly wants to collect and sell the data of Europeans who visit his self-hosted low-traffic blog.
> All they would then have to do is change the website's contracting legal entity to a foreign partner or parent company and then they could refuse data subject access requests, track without consent, and so on if the jurisdiction provisions in Article 3 were as narrow as you're advocating.
They can already do that because the EU has no jurisdiction outside of the EU no matter what they claim.
Also, we are basically having the same conversation in two places. If you want to consolidate your two replies into just one I would not object.