[flagged] Is the use of reCAPTCHA GDPR-compliant? (dg-datenschutz.de)
55 points by doener 46 days ago | hide | past | favorite | 51 comments



This is a very shady website and thus not a good source for legal advice of any kind… they call themselves “Deutsche Gesellschaft für Datenschutz” (German society for data protection) but are actually located in Bulgaria. They are not any kind of “official” data protection organisation.


Good spot, the real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de


With a non-compliant cookie banner to start with...


Wow, nice catch, I've flagged it.


Oh thank you, I did not notice that.


I would recommend friendlycaptcha[1] which you can also run locally (including the server).

[1] https://friendlycaptcha.com/


> Based on proof-of-work mechanisms and advanced risk signals

> Friendly Captcha does not depend on tracking your users and exploiting personal data.

What "advanced risk signals" are these that do not involve tracking (or fingerprinting) users?


Probably cloudflare's geoip-based range bans.


It's not really clear how it'd prevent bots...

> The difficulty of the puzzle, and therefore the time and resources needed to solve it, is intelligently and automatically scaled based on sophisticated risk signals to protect against advanced bots. Friendly Captcha is completely invisible and require no manual user challenge at all.

So... magic?


What about hcaptcha? Wasn’t it supposed to be a less intrusive alternative?


I get a wall of text with cookie approval/rejection buttons, but on mobile I can't even scroll to the top of the text to read it all. What a failure.


Deliberate choice by the company trying to take your data. They don't have to do that, they want you to be pissed off with the wrong people.


EDIT: ignore all this, as per other comment, this appears to be an unrelated company registered in a different country.

The real [Deutsche] "Gesellschaft für Datenschutz" seems to be: https://www.gdd.de

-

Before edit:

Given this is one of the organisations who help give governments draft laws by advising them, and whose purpose is to help its members obey those laws, that would be rather self-defeating.

And given the web design apparent on the following page, I think this is much more easily explained as "bad web design": https://dg-datenschutz.de/imprint/


The choices are driven by the extra revenue and will not change until mass enforcement. Some sites (mostly news) even have a "buy subscription" or "accept cookies" option which I thought was not allowed under GDPR.


Spoiler: it's not allowed. But until they get huge fines, they will continue doing that.


EU should have just banned all collection. You give an inch and the parasites take a mile.

If given an active choice nobody* would ever go "yes I want you to sell my data to your 1,414 carefully selected partners". Maybe they want personalisation when they sign up for an account, but you ask them that at signup time, not the first time they land on your page.

* where nobody < 1%


The wall of text is horrible UI, but at least there's a checkbox with an obvious label:

"Do not sell or share my personal information (CCPA/CPRA)."

Most other websites try to hide this fundamental choice from you behind dialogs and endless options. (And of course outside the EU you don't even get to control this, your data will always be collected and sold.)


It's not well known but Canada also has rules (for any company or agency covered by Federal privacy law) around respecting the user's wishes and gaining meaningful consent.

And as someone who was successful in making such a claim, it was a relatively easy process.


I'm using materialistic on Android to scroll hn, and sometimes the article shows as black.


And it's in German right?


At this time of day, I'd wager half of the users here are able to comprehend German texts. The other half knows how to use a translation tool.


Funny you should say that... a friend sent me a page in German yesterday, helpfully linked directly through Google Translate so I can read it in a language I understand.

Unfortunately, the cookie dialog was missed by "the translation tool" and both accept and reject kinda look the same to me.


I concede that cookie banners are not helpful here. I also admit that I rarely see them anymore, as uBlock Origin removes them for me. I probably shouldn't have assumed that the web I see is the web everyone else sees.


Oh. Very interesting point there.

I have uBlock Origin (mind, with the default settings). I also have the Consent-O-Matic autofill extension that's supposed to reject cookies automatically for me.

Neither of them seems to catch cookie dialogs on some German sites. Not that I want uBlock to hide the cookie dialogs, I want them explicitly rejected by the other extension.

Consent-O-Matic does automatically reject most crap on English and Romanian sites so I guess they haven't added support for whatever cookie dialog zeit.de uses (and that's popular on German sites?).

> both accept and reject kinda look the same to me

I bet that's very intentional too, and there are other ways to phrase it in German so the two options don't look similar.


Well, I opened them in a plain browser profile and in the non-translated page the options seem clear to me? The buttons literally say this:

- Settings / Einstellungen

- Accept / Akzeptieren

- Reject All / Alle Ablehnen

The English translation is on the buttons in the non-translated page and those translations are fine. There's even a reject all button, which is fine too. The only not so nice thing is that the "Accept" button is coloured green.

Again, I don't want to defend those banners.


My dialogue on zeit.de had:

"Allen zustimmen" "Ausgewählten zustimmen"

Yep I could look it up. But using the same verb looks like an intentional dark pattern to me. And I wasn't interested enough in the article to jump through the hoops.

(Our conversation did make me look it up and neither is 'reject all', they're 'accept all' and 'accept selection').


Try to switch off js.


Was it GDPR compliant at least?


That's the point: I can't know since I can't read what they're asking of me.


I think so — clear button saying "Reject All / Alle Ablehnen" at the bottom.


Discussion from 1.5 years ago: https://news.ycombinator.com/item?id=36430280


> Google's invisible reCAPTCHA V3 simulation is now used on many websites around the world and no longer uses tests to check the humanity of users, but is based on behavioural analysis.

I had no idea. 90% of the time I’m getting the Please select all stairs bullshit. Another 5% is an outright block for “suspicious activity”. (I’m on Firefox, FWIW.)


That's 90% of the times you even see it :)


Fair enough! I was thinking about the checkbox variant, not the “invisible captcha”. But I have a feeling I’m still getting the task for that as well, most of the time.


Currently YouTube is blocked at work without a Google login, and Chrome keeps demanding and successfully convincing individuals operating shared PCs to stay logged in on a browser session indefinitely.


> 90% of the time I’m getting the Please select all stairs bullshit.

Just yesterday it had me clicking all squares with motorcycles in it. I failed five consecutive times before it let me through.

Almost started to doubt myself.


Is ProtonCaptcha [1] a good alternative to reCaptcha? I’m sure it is GDPR compliant but can anyone just use it?

[1] https://proton.me/blog/proton-captcha


I’d just selfhost a PoW captcha like https://mcaptcha.org/ – should be fine for most applications.


Wow I had no idea this existed, thanks!

It's cool that it even allows you to get past captchas with JS disabled, I like this a lot.


Thanks for linking this, it’s always nice to see self hosted options.


The site says

"Das Vorhandensein von datenschutzfreundlicheren Optionen steht im Widerspruch zu einem berechtigten Interesse"

which means

"The existence of more privacy-friendly options contradicts a legitimate interest."

But did they really test if the alternatives block bots as well as reCaptcha?

If not, wouldn't that mean there is a legitimate interest in using reCaptcha?

If the mere existence of more privacy-friendly options, no matter how inferior, means you cannot use a certain service, wouldn't that make the use of pretty much every service illegal in the EU?


A similar argument was tried with 'we sell all users data because otherwise we would not be able to run the service, thus we have a legitimate interest.' It did not fly there either.

A service does not have a right to exist. The user has a right to privacy. The user's right to privacy trumps the service's want to exist. Not to mention that, yeah, there are ways to get similar or better blocking for free, if you have some technical chops at least. I wouldn't fault a small blog for using Google's captcha (although the need is questionable), but any company with at least a few employees should be able to figure this out at a relatively trivial cost.


> The user's right to privacy trumps the service's want to exist

The user can simply choose not to use the service?


Data hoarding doesn't just hurt the individual, it's bad for everyone. The data-selling model will always have a strict competitive advantage against the good actors and so you as the user will end up with no options other than allowing that "legitimate" interest or not being able to access such a service. This has slight "people peeing in the community pool" vibes. Sure it may be "easier" for the individual doing it, but long term everyone just ends up with an unusable pool.


> there are ways to get similar or better blocking for free

How can you get better blocking for free?


ReCAPTCHA’s privacy concerns are valid, but I wonder if alternatives like FriendlyCaptcha can offer the same bot protection while being GDPR compliant.


[flagged]


There's a massive difference between your personally identifiable information visible to people who physically pass by versus people all over the world + various automated tools.

Also you're making a difference between license plates and doorbell names where there is no difference; it's only muddying the waters. The only difference is: visible to people physically close by is ok, visible on internet is not ok.


Germany... A place where you cannot publish a photo without permission from every person whose face is visible in it and yet people walk around with their faces uncovered all the time...


False equivalence. Having your name on your own doorbell is a choice.


Less so than you may expect. Lots of apartments around here, including my previous place — if my name wasn't on the building doorbell, post just wouldn't get delivered.

(Sometimes post still wasn't delivered, as somehow even DHL couldn't find a 100 year old building and kept going to a different building on an adjacent street…)


Germany also requires an imprint with name and address on any non-personal website. Non-personal can basically mean anything beyond a purely personal blog without comments or anything.

