Exactly. This isn't a small oversight from Grindr, they share especially sensitive information (the fact that someone is gay/Bi) without the option to opt out (nevermind that it has to be opt-in).
> Authority imposes a fine of 100 Mio NOK (€ 9.63 Mio or $ 11.69 Mio) on Grindr. An enormous fine, as Grindr only reported a profit of $ 31 Mio in 2019 - a third of which is now gone.
Do you mean emotionally hurt or, like, you'd struggle to eat hurt?
Did they reduce CEO income by 30%? I'd be impressed if they had. Mind you some CEOs take 1000× median income so 30% is still pretty unlikely to hurt them (but I don't know the relevant details in this case).
GDPR contains special protections for LGBT people, but Grindr shared their users private information with third parties anyway, since they argued that Grindr users might be straight...
Grindr collects and share quite a lot. Things such as HIV status, sexual preferences, body type, advertising ids, or GPS coordinates. To third parties from the app, and not always using encryption.
Presumeably, similar arguments could be made in each of the other classes, but none of them work. While these protections might be related to a history of discrimination, they do not apply to some more then others. They apply to everyone in the class equally.
What would be the chances of having an article 9 provision specifically mentioning "philosophical beliefs" if everyone had the same philosophical beliefs?
Of course, people don't have the same philosophical beliefs which is a pretty caveat to the whole argument.
There's no special protection for LGTB, but sexual orientation is considered sensitive information. If you tell advertisers (implicitely or explicitely) whether a user is gay or straight, that requires explicit consent.
That is quite silly if it truly be so — are we moving to the Anglo-Saxon “protected classes” model now?
If I understand this correctly, it is not a problem, or a lesser or different problem if such a company share that a client finds being stroked on his earlobes to be highly arousing, or is a big aficionado of the “big black cock”, as those are not “sexual orientations”?
That seems like a rather arbitrary distinction I am not used to from E.U. regulations.
P.s.: I see that someone else quoted “data concerning a natural person’s sex life or sexual orientation”, — which is already significantly less arbitrary; the “or sexual orientation” is merely a superfluous inclusive.
> 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited
> 2. Paragraph 1 shall not apply if one of the following applies:
> (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
So any data that does not fall under that blacklist is free game?
I still find that quite arbitrary to make that distinction, not to mention the wiggle room it leaves with many of those categories being rather ill-defined.
At what point does an opinion become “political”? what is “racial” an “ethnic origin” is quite open to interpretation; when is a belief “philosophical”?
The way I understand this paragraph, it could conceivably be so that an opinion that, say, consoles are not suited for f.p.s. games could freely be processed, but an opinion that U.K. roads are unsuitable for cycling could not, as the latter would be more easily classified as “political” even though the former could too, and the later could conceivably not as well?
"Jein" (German for "yno"). Look at it in historic context. This article can be seen as an anti-holocaust clause. Don't collect data that was too often used to harm minorities.
Yet many data that aren't listed under it can also be used to harm minorities, and many data that are, can not.
How exactly does biometric data to identify a person, but not a name and address to do the same differ in how much it can be used to harm minorities?
They are both a means to uniquely triangulate the identity of a person, one is arbitrarily allowed but the other is not. It's as arbitrary as if not permitting murder with poisons, but permit it so long as it be done with a knife.
I'm guessing that biometric data is sensitive, since it cannot be changed. You can change your name and address, but your biometric data will follow you for the rest of your life.
> So any data that does not fall under that blacklist is free game?
No. That list are data that are considered especially sensitive, and so it's generally prohibited to process personal data of this kind. As far as I can tell it's the strictest part of the GDPR, so it's probably also the easiest to enforce.
If some data doesn't fall into these "special categories", the rest of the GDPR still applies. The GDPR applies to any data linked to natural persons.
Yes, so we arrive at “if I understand this correctly, it is not a problem, or a lesser or different problem” as I first asked.
I find this distinction to be bereft of a proper justification. As I said elsewhere, I cannot think of any salient reason to not cover name and address as a means to identify a person, but do cover far more obscure and unlikely biometric data.
This is getting a bit off-topic, but there are good reasons why biometric data is especially sensitive.
For example, the GDPR emphasizes the "right to be forgotten". If something bad happened to you, you may not want to be forever defined by that event. A kidnapped person might not want to be forever known as just a crime victim. So they can ask Google to remove mentions of their name, and they can even legally change their name as a last resort.
But if eg. Facebook stored their face measurements and then automatically tagged them in a newly uploaded photo all that would be pointless.
So it makes sense to treat certain data as more sensitive.
At the same time, the GDPR doesn't want to go overboard with regulation. Name and address are data that lots of businesses need to process -- eg. every online store needs to collect customer name and address and pass it on to payment providers, shipping companies, etc. It would be really inconvenient if you'd need explicit permission for each use ("Do you consent that I can tell the post office where to deliver your package?").
Sure, someone may find a way to abuse a list of names and addresses, but it's just not as sensitive as other data.
I think the GDPR actually strikes a great balance between protecting people's privacy and not inconveniencing businesses. If you only collect and process data that's absolutely necessary for providing your service, the GDPR won't inconvenience you much.
> So it makes sense to treat certain data as more sensitive.
I cannot change my name so easily as far as the Dutch government is concerned as well as that of many other European countries. I need a reason of significance and a simple “I wish to be forgotten and start a new life.” is not accepted, as it is in many European countries.
If the E.U. cared so much about this, it would mandate that it's member states permit easier name changes.
Simply put, it is easier for me in the Netherlands to have plastic surgery and change my biometric data, than it is for me to change my name so I am holly unconvinced by this argument and it seems ad-hoc to justify what is purely an irrational distinction.
> At the same time, the GDPR doesn't want to go overboard with regulation. Name and address are data that lots of businesses need to process -- eg. every online store needs to collect customer name and address and pass it on to payment providers, shipping companies, etc. It would be really inconvenient if you'd need explicit permission for each use ("Do you consent that I can tell the post office where to deliver your package?").
There are already exceptions in place in the law where data may be collected if it be essential for operations.
As it stands, companies may ask for my name and address when they have no need for it to process anything, this information can surely be used to uniquely triangulate my identity with little effort, far more effort would be required to do so with a picture of my face, or a scan of my retina.
This seems highly arbitrary and ineffective to me. I remain very much unconvinced that this distinction is one that was given any serious thought.
> Sure, someone may find a way to abuse a list of names and addresses, but it's just not as sensitive as other data.
It is far, far more sensitive.
Would you rather that your name and address be placed on H.N., or that your fingerprints or retinal pattern end up here? Would you rather a stalker have the former or the latter?
To triangulate a man's identity from biometric data requires specialized equipment, to do so from name and address is a trivial endeavor a layman can undertake.
> I think the GDPR actually strikes a great balance between protecting people's privacy and not inconveniencing businesses. If you only collect and process data that's absolutely necessary for providing your service, the GDPR won't inconvenience you much.
I do not. I find the distinction made here to be completely arbitrary and undeniable that name and address are far more sensitive and open to abuse than biometric data, the latter requiring specialized equipment to make use of.
Again, would you rather a stalker have your name and address, or your retinal scan?
As another note on your claim of the necessity of address:
It would be absolutely trivial to implement a system where one might requæst a randomly generated code with the postal service, that can be placed on a letter that maps to one's real address, except of course, that the real address cannot be retrieved from it, which is hidden with the postal service.
With such a trivial scheme, it would be possible to receive mail without having to leak one's place of residence to the sender, simply give them such a code, which could even be set to expire within a set timeframe, at which point the postal service deletes the connexion to one's real address, for fear their data be leaked.
It's trivial; it's of far greater importance than the sensitivity of biometric data, yet it is not there.
I can only gander it's not, because the E.U. is extremely arbitrary at what points it cares about one's privacy. Name and address are absolutely, as I argued elsewhere, some of the most sensitive data available, and there are trivial measures that could be taken to secure it better, yet these are not implemented, for the E.U. is extremely arbitrary and not rational in it's decisions.
I'm late to reply, but in Austria the postal service happens to offer multiple services similar to this.
You can rent a "post box" for letters or packages. You pay a monthly fee and get a post box number. You provide your post box number instead of the address, and then you can pick up your mail from the post office.
They also have a forwarding service. Same thing but they deliver it to your home.
Also, many online stores let you deliver directly to a post office or even to self service pick up stations.
So there are ways to shop online without providing your address. But these services are not used very much. I guess most people don't care as much about the secrecy of their address.
"Companies cannot just include external software into their products and then hope that they comply with the law. Grindr included the tracking code of external partners and forwarded user data to potentially hundreds of third parties - it now also has to ensure that these 'partners' comply with the law." – Ala Krinickyte, Data protection lawyer at noyb
The impact comes from Grindr being responsible for the collected data, obviously just handing that data to a third party to do whatever is not responsible handling of it.
Grindr actually distributed data from persons that had opted-out, reasoning that setting a flag should stop the down-stream processors from touching the data. That is literally the gossip girl using the the "don't tell anyone this" principle of privacy protection!
The thing is, third-party SDKs often do data collection on their own. Or, even if they don't, they could do so, and you don't really know if they do or not.
Well, if that SDK contains tracking stuff, the question then becomes whether the SDK has an opt-out option. If yes, it's on the consumer of the SDK. If not, then whether the TOS is enforceable in Europe.
Seems like the specific problem there is Facebook enticing you to break the law. You could try filing a complain with some appropriate data protection agency.
Then don't implement Facebook login in your app, unless SDK becomes adapted to make its use GDPR-compliant. It's really a problem between you and Facebook at this point.
The whole point of Facebook login and like was to collect data from unsuspecting users. Devs and product managers didn't care. GDPR makes this "laisser faire" attitude expensive.
EEA has all the laws and requirements of the EU but without representiation. So they have to follow the laws and rules but don't have a voice in the rules. I have no idea what the benefit of the EEA is for it's members other than political that they can say they're not in the EU but there must be some, maybe they don't need to pay in like EU members do?
Also, EU has a ruleset adapted to the climate of central Europe and not to cold places where almost no food grows and eating seals and fighting polar bears is how you stay alive. This is an extreme example, but Norway is more dependent on fish for sustenance than many other countries.
> eating seals and fighting polar bears is how you stay alive
Your image of Norway may be a bit off..
It's true though that Norway is overly protective of its food industry. And arguably for good reason since it wouldn't be competitive at all if integrated with the rest of Europe.
As a Norwegian, I do like the idea that foreigners see me as capable of fighting a polar bear.
As for seals, I've eaten seal, I think, but it's hardly been a dietary mainstay... We used to have whale regularly when I was a kid, mostly because back then it was much cheaper than beef (and much tougher, and oily... it was not great meat - it's expensive now due to low supply and nostalgia).
Norway is dependent on fish mostly because of the export value. A lot of fish is eaten in Norway, sure but the Norwegian economy is such that local production has very little to do with what people choose to eat.
The only place in Norway Polar bears live is Svalbard, far North of the mainland. Most Norwegians have never visited because it's far away (a 1h 40m flight North from Tromsø in Northern Norway - similar to how long it takes to fly South to Central Europe from Oslo) and way too cold and miserable.
Seal is something few people eat very often. A huge proportion of the population will never ever have tasted it. Like whale, it's uncommon these days.
Is there any reason for the EU to close that loophole now ?
It seems to be a pretty good partnership so far, and I did not read anything about a will from either side to change anything about it yet, but I might be misinformed
They can't "close that loophole". It's an integral part of the EEA treaty. If the EU withdraws from the EEA treaty it would virtually guarantee that support for EU membership in Norway would sink like a rock out of sheer anger. It would lead to Norway withdrawing further from the EU, not joining, so it'd be entirely counterproductive.
This is true, Norway and Switzerland are strong economies that can stay outside EU. Norway have a lot of oil compared to the number of people who lives there, which makes Norway a more independent economy than for example UK. I do think Norway would benefit by becoming a full EU member. But there are also good reasons not to. So the EEA treaty is the best of both worlds. Norway lose and gain some.
Not having to adopt the Euro is also a "special right".
It's not well known, but all EU countries are required to adopt the Euro (except for Denmark who have a real opt-out). The countries who haven't are using a loophole to bypass the requirement of Euro adoption, by purposefully failing to fulfill some standards.
Weren't pretty much all the reasons for Brexit bullshit from the start? I heard that some politicians even gave nonsensical statements in more recent interviews so that searches for various keywords would hit those instead of the original Brexit promises.
The Faroe islands are not Norwegian, and Norway does not allow hunt of pilot whales.
EDIT: That's not to say Norway doesn't still do whaling, but quotas are only for minke whales. Of a quota of 1278 for 2019, 429 where caught. But pilot whales explicitly still do not meet the conditions required (size of population etc.) for Norway to allow hunt.
This is a big one for Norway as food security has been a big strategic focus for Norway ever since the British naval blockade against Denmark-Norway during the Napoleonic wars, reaffirmed by the hardships during the Nazi occupation.
It's still largely politically untenable in Norway to oppose agriculture subsidies.
At this point it's more of a curiosity than something most people are aware of. It was the starting point of a realisation that choking off just a handful of trade routes could starve the country.
Today the main reminder is that Norwegian school children still tend to learn the epic poem "Terje Vigen" by Ibsen, about a man who braves the blockade to feed his family and is captured - coupled with food security being a talking point in other subjects. It's not pushed very hard, and many probably at this point don't even make the connection.
The main modern justification is WW2, where the subject of food security gets reinforced with stories of bread made with bark etc., and post-war rationing.
Couple that with the constant fear of the Soviet Union (to the point that when growing up, we had regular air raid siren tests - today they're so rare the newspapers write articles to explain what they are) only reducing to unease about Russia, and food security is still a political topic.
We still do the air raid tests here too, every 1st Monday of the month at noon, but they are more for other kinds of disasters (pollution, gas leaks, large fires and so on). That system is about to be phased out completely, because mobile phones are a much faster way to reach people.
Personally I don't mind the sirens, they tend to work pretty reliably and every time the mobile phone network was used to indicate something was up for some reason I totally missed the message, never received it or received it more than a day later.
> I have no idea what the benefit of the EEA is for it's members
We have the option to reject certain EU-rules, and can negotiate special exemptions into our agreement. Norway has some exemptions in fishing rights that are central to our agreement. Under the previous government we also rejected the EU Postal Directive, though the current government has since accepted it.
The UK always got special treatment while they were in the EU. No other country was allowed to come even close. Which made Brexit so much more surprising to the EU.
Contrary to popular belief, the EEA is not required to follow every law set within the European Union.
> The EEA Agreement does not cover the following EU policies: common agriculture and fisheries policies (although the EEA Agreement contains provisions on trade in agricultural and fish products); customs union; common trade policy; common foreign and security policy; justice and home affairs (the EEA EFTA States are however part of the Schengen area); direct and indirect taxation; or economic and monetary union.
There are also passport checks when you fly to Norway from other EU countries. For flights between other EU countries you generally just show the QR code on your phone. At least that was my experience, but it's been a few years since I last flew. (Except flights to UK before Brexit, I think they always required passport checks)
> There are also passport checks when you fly to Norway from other EU countries.
Except countries in the Nordic Passport Union: https://en.wikipedia.org/wiki/Nordic_Passport_Union You need zero documents to travel between these (well, you need a ticket if you fly or travel by train or a bus).
So I read the article, and in theory there should be no passport checks with other EU countries either because of Schengen, but apparently they have "temporary border controls" since 2015 in violation of the agreements.
> There are also passport checks when you fly to Norway from other EU countries.
This is incorrect. And the presence or absence of these checks is not a EU/EEA matter. The passport free movement is a matter of the Schengen agreement. This is why the UK had passport checks with most of continental Europe back when they were EU members (but not Schengen members).
Norway is a Schengen member, and an EEA member, but not an EU member.
But I had to show my passport a couple of years ago on a flight from Vienna to Norway, so I thought they weren't part of Schengen. I'm not sure why, but I believe the reason must have been the "temporary border controls" introduced in 2015.
The passport checks have nothing to do with the EU, it's the Schengen treaty[0] that allows omitting that part. Norway is a part of the treaty, so is Iceland for example. Some EU countries still don't meet the criteria to join, e.g. Romania, Bulgaria. Ireland and the UK are/were outside (voluntarily) of the treaty as well - which is one of the weirdest parts of the Brexit with the UK actually checking its own borders more than most of the rest of the EU.
For example traveling from Poland to Norway by car (and ferry Tallinn - Helsinki) requires zero passport/id card checks. (id cards are a valid traveling document within the EU and Schengen)
Clearview AI has the same impression. They do not allow Norwegians to opt out (by uploading your face) - however they recognize that Switzerland have GDPR despite not being part of EU
> Grindr is now relying on a new consent system and alleged "legitimate interest" to use data without user consent. This is in conflict with the decision of the Norwegian DPA, as it explicitly held that "any extensive disclosure ... for marketing purposes should be based on the data subject’s consent".
This "legitimate interest" shenanigans is coming up more and more often, where you have a modal with lots of options to opt in to specific forms of tracking which. Most of those are now off by default, as it should be, except that if you scroll down you still see a number of "legitimate interest" ones enabled, even though you can turn them off manually.
Edit: And worst of all is this very confusing pattern with two columns of toggle buttons, one of which concerns "legitimate interest": https://toot.cafe/@peter/105367185171860458
The various dark patterns employed by these consent systems are fairly opaque to anyone who bothers to open them, and are clearly deliberate attempts at maintaining the old status quo of "opt-in by default". Frankly, I am surprised at how few of these fines are flying around, though I am quite happy to hear they _are_ happening.
I do get that this type of regulation is very disruptive to many companies, but if they cannot survive with informed consent, then perhaps they should not have been so successful without it in the first place.
I’ve also wondered why there aren’t “enough” fines. Are the countries just being cautious because they want to establish precedent before going after the “big fish” like Facebook or Google? Or is it something else?
It sounds like a fear of backlash - essentially if you find like 3% of the population with parking tickets it is fine. If you fine 40% to 60% then you get a large contingent pissed off at you - regardless of validity of the laws and enforcement unpopularity is perilous to laws and officials.
If 40% to 60% of population gets fined then that means the law is stupid* and should be abolished. Backlash on law enforcement is totaly understandable.
*"stupid" is relative term. Laws are made for particular society, if almost a half of that society disagrees with the rule then it shouldn't be a rule.
With this logic, there's essentially no regulatory way out of local minima, lemon markets and such. And, the freemium for personal data mining model is very much such a situation.
And I don't think it's a fair statement that any large percentage of _people_ oppose this particular law; in my experience, most people don't seem to have a strong opinion about it, and those that do have a strong negative opinion very often don't really understand it (and are mostly reacting to the irritation that the various stakeholders are deliberately putting them through). Sampling the opinion of companies that live off ads is a bit like asking printer companies how they feel about toner prices.
GDPR is pretty recent (2018) and legal opinions on how to apply it (e.g. marketing tracking) are still in the making. I think fines are still applied "slowly" so that the industry has time to change.
Constantly applying fines is not sustainable. You eventually want to get to the point where privacy "just happens".
Data protection officials are generally understaffed and underfunded. GDPR has increased public awareness, scope and thereby caseload. The rest of the normal justice system isn't responsible to handle data protection cases and will just refer you to the data protection officials. So while fines are happening, things move very slowly if at all.
The way of things in EU is a bit different than some other areas. The goal is to change the industry slowly. You don't change industry by killing them quickly so these things are first made into law, then there is usually a number of warnings, then the fines starts showing up small and then the gets ramped up if the industry doesn't change.
These dark patterns we keep seeing shows that the sites didn't do their homework and is trying the usual weazel way of getting past on "you clicked accept so now you are stuck.". Consent can only be given knowingly, if you hide it in the fineprint (or behind a "show more" button) it's not valid according to GDPR. To invent things like selling customer data to third party and call it fair usage of private data is not ok either.
The agreement has to be easy to understand and very short. And it has to be presented close to the actual entering of data or the accept button. No hiding, no shenanigans, no trying to fool with colors or design. It's that simple.
> The goal is to change the industry slowly. You don't change industry by killing them quickly...
I completely agree. People calling for an immediate 4% fine are ignoring that killing companies is bad for the economy. If a “pitiful” fine of $200,000 fixes the behavior, why fine the living daylights out of them?
I’m just wondering why the fines have been so “slow” to happen. Enforcement Tracker[0] lists only 533 of which the majority appear to be against individuals (such as “Doctor”, “Private person”, etc.) I just figured there would be more by this point.
> People calling for an immediate 4% fine are ignoring that killing companies is bad for the economy.
As a person who calls for these, my reasoning isn't that they should dismantle the entire web because of it[0] - but that destroying a few small businesses and seriously hurting some big ones would set an example for all the rest to fall in line. Right now, companies seem to correctly reason that they're statistically unlikely to be noticed and fined.
--
[0] - Even though my belief is that advertising industry in particular is a social cancer and absolutely needs to be torched down to the ground.
I'm baffled by the number of companies that should not have any need for third-party cookies and still go full-on dark pattern. In particular online shops: I'm already on their site, why would they loudly advertise "we're shady and want to trick you into selecting all cookies"? I've cancelled more than one purchase because I didn't want to bother with this.
It's certainly down to bad legal advice. Lawyers are trained to take everything they can get. If it turns out that was too much, then they frame it as a bargaining chip, as leverage to at least recover some fraction of what they previously took.
It's sneaky, immoral, unethical and illegal. It also works.
Taking everything one can get is not exclusive to lawyers. Many engineers would rather have more information/data than not enough. Better yet get all the data up front and then decide what you need later.
One expects it of many companies. But the BBC seemingly have a dark pattern here - if you follow the cookie link it shows all cookies are turned off already, so there's nothing to do, no confirmation, nada. If you don't follow the link they of course have set tracking cookies ... so the cake^w link is a lie.
IMO it would be fine to say "we were tracking you but when you followed the link we deleted those cookies and won't now set them". "Reject all", or default off ("no cookies are set, cock here to enable the committee types you wish") is better.
What's far worse is the admission that they still use ad networks even when those networks are clearly breaking the law (ie they offer no settings to disable tracking). Indeed BBC should be going further and not allowing advertisers on their network to drop cookies if a user has disabled first-party cookies. Instead they say "go to these networks and disable it yourself", good luck with that!
This from an org funded in [minor] part by taxation and whose rausin d'etre is supposed to be serving the public interest.
They use ad networks only outside the UK, so the taxpayers are not tracked by these networks. They're very explicit about it in their cookies explanation: 'Set your cookie preferences for performance cookies. And if you’re outside the UK you can set your preferences for personalised advertising.'
It’s almost impressive what these people have created. Now, when I stumble across the rare “Reject All” button on one of those pop ups, I don’t know if they even really mean “all” or if it keeps the trackers under “legitimate interests” enabled because they’re... “legitimate”. So the only safe option ends up being disabling all of them manually, which is absurd when these websites list hundreds and hundreds of trackers.
It’s as if they used decades of HCI research precisely to make the user experience as horrible as possible. No wait, I’m sure they did exactly that.
With that they win the public's opinion. I make an effort to always explain to people I hear complaining about those pop-ups why they've been made to be annoying. Usually it helps to turn their opinion against GDPR towards the companies employing the dark patterns.
I think that's a long lost battle and they know it. They're going for attrition. People don't want to be tracked, and clicking all the don't track buttons 78 times a day is annoying, so eventually they say fuck it and just start clicking Accept All.
There need to be fines for this. They're clearly violating the spirit of the law, if not the exact letter (and I think much of Europe has legal systems that follow the spirit more than the letter, don't they?)
I'm in favor of a lot more fines, and substantial fines. Few companies need to be made example of. The current situation does further damage to how EU citizens perceive GDPR and EU itself - companies do their best to make the consent control experience as bad and tiresome as possible, and then they tell people to blame GDPR for how web browsing just got more annoying.
I've found the Reject All button _more common_ in the last few months, but due to a lot of sites that have added it also adding a legitimate interests section which is seperate, to the point I'm less trusting of sites that have recently added reject all.
For all the hate that Yahoo gets for theirs (shown above), at least it does have a mostly functional reject all function, even if it requires two button presses (the end of the footer does tell you to go manually opt out of facebook/twitter).
Also the 'reject all' button is often drawn in a greyed out style to make people assume you can't interact with it. The 'accept the status quo' button is always brightly coloured and may as well have blinking arrows pointing at it...
It's honestly absurd the amount of different dark patterns they're using to try to trick users.
I’ve already seen websites which I (cynically) assume exploit this new-found aversion I and many others have to green buttons in cookie pop-ups by using differing colour schemes, e.g. https://hltv.org, whose “Allow all cookies” button is actually blue, whilst “Allow selection” is green.
“TrustArc” is a funny name considering it and its pals have obliterated any trust I had in this stuff.
Once again proof that what we need is the opposite approach;
companies need to actively get explicit permission not just from
the end user, but also from authorities to collect and share
data, and the full report should be publicly accessible. Also I
wouldn't mind a general ban on using personal data for marketing
purposes, I don't know a scenario where this would be necessary
and beneficial for the user.
Right now companies just keep doing what they always did and
hope for the best. As long as they're convinced they can just
try not to get too much attention this data sharing problem will
persist with barely a dent.
On some websites I get a tracking / cookie consent popup which, if I choose not to consent to everything, leaves me hanging for a _very_ long time while "saving my settings". I am talking about 30-60 seconds here. That must be deliberate to keep you from denying consent. I forgot which company it was but I immediately recognize those popups.
Is it TrustArc? I remember having a similar experience with their pop-up, for example on Oracle's website when I'm looking for Java docs: https://docs.oracle.com/en/java/
That example doesn't have the long loading times for me any more, but I'm almost certain it was the TrustArc pop-up.
Some tools call APIs from a whole bunch of ad networks. That 60 seconds is likely spent getting opt out cookies from dozens of different ad network domains.
TrustArc's doesn't, or at least didn't the last two times I inspected it deeply. It is possible to reproduce this claim by checking the browser inspector Network tab and by debugging trough the source code: it's just a bunch of setTimeouts.
Not to mention that if there were any hypothetical API calls those could be made asynchronously after closing the modal.
It should not matter if they're following the law. Failure to access some API doesn't mean the user consented.
Like the sibling poster said, the default should be opt-out.
It's not as if this TrustArc modal is some old product that was repurposed for GDPR. This is all planned and done in bad faith, period. It's a dark pattern.
I thought so as well but if I recall correctly someone explicitly disproved that. Should be fairly easy to confirm by checking the traffic in the network tab - unless the ad networks themselves take 60 seconds to respond there should be no reason for that much delay.
Why is the “opt out cookie” necessary? Why can’t they just assume that anyone who doesn’t have an opt in cookie hasn’t opted in and can’t be tracked? Isn’t the opt out cookie itself a form of tracking? If you have the cookie I know you’ve been to a site I advertise on/track/am affiliated with.
The opt out cookie was created by ad networks prior to GDPR when many EU countries allowed for opt in by default. The opt out cookie was the tool to allow users to opt out. It still has value today as it allows an ad network to remember a user's choice not to be tracked.
The opt out cookie is set by the advertiser, not the publisher, and the contents of the cookie have generic text like "OPT OUT".
I agree with your point here, it's in spirit of GDPR, unless expressly permitted the sites must assume that the user has opted out. The ad agencies with their cookies have it backwards.
The actual way this should be implemented, if they wanted to be morally irreproachable, would be this: a consent popup always available, tucked down somewhere in the corner of the site. It defaults to opt-out from everything, you can click on it to expand it if you want to opt into something.
An acceptable option is to pop up a consent form as needed, and set a cookie recording whether user made a consent decision. That can be classified as essential cookie to fulfill a legal obligation.
At least in some cases I've seen, the progress seems to be tied to a staggering number of network requests happening in the background. I've heard this explained as being necessary to communicate your opt-out to all the relevant parties, but honestly, that smells like bullshit. More likely it's designed like this on purpose, to have plausible deniability for the dark pattern.
This is a great example, that I intend to hang on to. I've run into a few people online with some severe willful ignorance about the GDPR. The worst was somebody arguing that since targeted advertising was their business model, that in itself constituted a "legitimate interest". So, pretty much exactly the sort of thing that GDPR forbids.
That is how it should be. Legitimate interest means they don't need your consent. They actually shouldn't be prompting for it at all. Adding it to the consent box is a kind of cargo culting going on.
Most of these data consent forms are purposefully complicated so that many opt in to all to save time. The “advanced options” menu even loads suspiciously slowly at times.
It should be required by law that there be a simple to access “opt out to everything” option that should be as easy to access as an “opt in to everything” option.
Also, I would not be opposed if some browser standard were developed under governmental oversight that sends a blanket “opt out to everything” that websites would be required to respect by law.
> It should be required by law that there be a simple to access “opt out to everything” option that should be as easy to access as an “opt in to everything” option.
It arguably is already required with the language of article 7.2 and recital 32, especially this part
> If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
But we will see how it gets interpreted as more cases works their way through the system.
The phrasing “The-opt-out-to-everything option must be as easily accessible as the opt-in-to-everything option.” is far less arguable and hiding one behind a further menu, but one not, is a clear violation of this rule.
> Edit: And worst of all is this very confusing pattern with two columns of toggle buttons, one of which concerns "legitimate interest": https://toot.cafe/@peter/105367185171860458
That's pretty awful, how are you even supposed to interpret that? I'm guessing it's something like "first || !second", because that would be the sleaziest.
I think the left column is the "legitimate interest" version of the cookie type, and the right column the "consent" version (whatever that means). So you can enable and disable either independently, but the former is enabled by default.
Most of those are now off by default, as it should be, except that if you scroll down you still see a number of "legitimate interest" ones enabled, even though you can turn them off manually.
Taking a page from the RealNetworks playbook from twenty years ago, I see. Put the shit you don't care about up top and unchecked, keeping the interesting stuff checked but below the fold.
My biggest bugbear with these multi-modals is that much of the time the buttons that turn consent on or off are not labelled. You're supposed to guess from their colour and default position what is on and what is off, so when I make a choice I never know for sure how the website interpreted my choice.
Some have an "accept all" button that could perhaps reveal which is "on" and which is "off", since when you press it all the buttons go to "on". But this happens so quickly and the modal is closed immediately afterwards, that there's no time to tell. And of course by then you've already accepted so it doesn't matter.
Yeah, same thoughts. The gdpr didn’t change much but made small companies like these more vulnerable and web browsing more unbearable. Data is still getting collected and big companies don’t care.
> The gdpr didn’t change much but made small companies like these more vulnerable and web browsing more unbearable. Data is still getting collected and big companies don’t care.
Compare to the median of straight men+women, or the median of straight men? In median, even in Norway women earn on average 80% of men. Assuming sexual orientation otherwise doesn't matter, there should then be a difference between gay men and straight people in general...
I made likely what the post I answered to found unlikely. I could not find reliable stats for gay wages in Norway. Gender paygap is however very well monitored by http://www.ssb.no/ Arguably my point is not great. If you really want to know about gay conditions in Norway, try this report https://www.ssb.no/a/english/publikasjoner/pdf/rapp_201038_e...
Wouldn't that be "bi[-curious] married family fathers", mainly, assuming you're not suggesting they all fathered children against their will. Or, maybe you mean people who never had/never intended to have homosexual sex?
I mean men who have self-internalized being straight due to living in a homophobic society. And I speak from personal experience as a long time Grindr user.
I see a lot of comments [in general on the web] calling people 'gay' when those people clearly had/are having both heterosexual and homosexual relationships. Things like "Freddie Mercury was gay" when Brian May attests that Mercury enjoyed heterosexual encounters too. The proper definition is bisexual then, it seems.
But perhaps the same reluctance to acknowledge those who seek homosexual relationships is present in people who call themselves gay, they won't acknowledge people as bi? Which seems like hypocritical bias against people whose behaviours are bisexual.
Maybe the behaviour you call out is because people want to have homosexual sex without being 'gay'. By which I mean without making that sexual activity the focus of their identity (I believe it's known as MSM)? It need not have anything particularly to do with societal disapproval.
Who one has sex with, and defining oneself by ones sexuality are quite distinct, as too are sexual desire and desire for relationships.
Whether Freddy Mercury was gay or bi is a culture war which doesn't need to be fought. He can and does represent both gay people and bi people in transcending heterosexual norms.
Young people sometimes use the word "gay" to express a complex sexuality which doesn't categorise neatly with a label. It's understood that you can be both "gay" and "bi" simultaneously, or indeed you can be a man who has sex with men who is straight.
The only person in this chat who is trying to put strict labels based on behaviour is you (the other commenter only observed some behaviour without labelling), so it seems like you're arguing with yourself?
I cannot speak for Norway specifically, but there is, as far as I know, not a single openly gay player in the (male!) Bundesliga. Apparently, even high-status, well-earning men in progressiv societies can be vulnerable to disclosure of their sexual preferences.
Individuals, even in Norway, can still be significantly affected if their sexual orientation or preference were discovered by others.
Anything from getting shunned by family members or religious community, losing out on job offers, to foreigners visiting Norway from a country where their sexual orientation is punishable by law.
Yes, the LGBT community in Norway is still a vulnerable one. While physical violence is much less of a fear now, people have long memories, and people still report being subject to abuse (hate speech, being pushed, etc.).
Further, there are still people living in the closet here, afraid to come out for fear of being disowned by their family or ostracized by their community. Grindr plays a double-edged sword here, because on the one hand it gives people a chance to meet others, but it also creates a risk of them being outed. --That makes people vulnerable to blackmail.
I think gay men anywhere are a vulnerable community. You can live in the most progressive society in the world, but many people still don't want their sexuality to be common knowledge
It's no different to straight people's sex lives, I'm sure many people wouldn't want it to be common knowledge what they're into, and who they've slept with
Being gay can still get you arrested or killed in some countries of the world. Even if not, discrimination of gay people surely is a thing all over the world.
Besides that, dating apps of any kind should be held to very high data protection standards for the sometimes very delicate matters.
> Has everyone just decided that words have no meaning anymore?
Yes. It seems a lovely social media trend. And on instagram many (most?) people don't seem to actually be able to use words, only emoji's. Not sure if that's worse or better.
That doesn't mean you speak on behalf of all hindus. Just because you don't feel threatened and free to be a proud hindu
What if a person lives near racists, people who keep directing hate at hindus because of their (unjustified) hate against muslims? They may feel unsafe if people knew they were hindu no matter the area of the world
It's good that you don't feel threatened, but unfortunately not everyone is so lucky. And we should respect people who want to keep any aspect of their lives private.
Being gay means that simply holding hands with one's partner puts one at direct risk of being attacked. This is certainly still true in places like the UK. Are you saying you're at as much of a risk of being attacked like that in the UK for being Hindu? If so, it sounds like the UK has some major safety issues.
Most likely as a Hindu you never had to fear the response you would receive by telling your parents or other family members that you are a Hindu.
As long as people have to fear getting kicked out, disowned, subject to slurs, or otherwise being ostracized by their family, friends, or community for being gay, lesbian, bi, or trans, then yes, the LGBT community remains vulnerable. And once you've been vulnerable like that, it never goes away. There will ALWAYS be a part of you that remembers it and it will affect you for the rest of your life.
That alone is enough vulnerability. The fact that the LGBT community still deals with a lot of verbal and physical assaults as well just makes things worse. And yes, this is still an issue in the UK, in Norway, the US, and other western countries.
And why would you say LA is 100% gay friendly? There's absolutely no hate crime? Absolutely every gay or LGBT person is perfectly happy with the intimate details of their sex life being shared? Every person who isn't openly gay is happy with their identity being shared?
'Preying' is a bit much. Nobody is forced to use grindr and the whole point of the app is to meet same-sex people geographically close to you.
This whole case seems to revolve around whether the 'Legitimate Interest' legal basis is valid or not. It was only a matter of time before it was legally challenged.
Animals higher up on the food chain don't need force. Many get to know the habits of their prey to entice them without forcing them to do anything. Prey is a very appropriate word when talking about this kind of marketing and manufactured consent.
It was founded by Max Schrems, whom some of you might now for his lawsuits against Facebook a few years back, which ended the EU-US Safe Harbour and Privacy Shield data trade agreements.
It's mainly EU-centric which might be the reason why people here haven't heard of it before.
It's incredible what one dedicated man can accomplish through the court system. Makes me wonder what the world would be like if we just spent a little time educating our children about their digital rights in school.
Here is what the Norwegian Data Protection Authority says:
In the cases of Smaato, OpenX and AdColony, Grindr “only” transmitted a signal conveying the data subject’s “opt-out” preference. We understand that advertising partners could choose to ignore that signal. In any case, Grindr would have to rely on the action of others, either the user, the operating system, Grindr’s partners, or a combination of the aforementioned, to halt its sharing of data where so required. In consequence, Grindr failed to control and take responsibility for their own data sharing, and the “opt-out” mechanism is not necessarily effective.
Furthermore, for a consent to be “freely given”, accepting to the particular processing operation should be as easy as declining, and the choice should be intuitive and fair.
> I, too, will happily pay for my data being not used and seeing no ads.
These are two different things, sharing data and displaying ads. The ad industry has forgotten that you can advertise without collecting hoardes of personal data, and they've convinced the rest of us that it can't be done.
The point here is that sharing data in the way Grindr is sharing it with third parties is not core to its business. That is, no one signs up for Grindr because of that functionality. Folks sign up to Grindr to find and message others. That functionality does not require the type of data sharing being reviewed in this case, and that sharing of data is distinct from merely displaying advertising.
I was a little surprised by this: "The DPA highlighted that users should have a real choice not to consent without any negative consequences."
Does this mean that it is unacceptable to run a service which requires consent to share data? That seems overly restrictive - where does that leave services in which sharing data is the whole point of the service?
The article goes on to say: "Grindr made use of the app conditional on consenting to data sharing or to paying a subscription fee."
Is this the unacceptable part? I.e. Grindr is creating a financial penalty for users who exercise their data privacy rights?
Would it be acceptable under GDPR to run an app where the choice is "consent to sharing data or do not use this app at all"?
If a marketing service are upfront about "asking your preferences to serve as a reference to participating companies" and that is the primary purpose, they would be allowed under GDPR. Now the real question is would someone wants to do this? Knowing that around 17% of Americans would do this, it would fly in America. Now, would this fly in Europe?
> Does this mean that it is unacceptable to run a service which requires consent to share data? That seems overly restrictive - where does that leave services in which sharing data is the whole point of the service?
In this case the issue was that the consent was not informed. That is, Grindr weren't making it clear enough that the highly personal information they collected was then shared with hundreds of advertising partners.
> Does this mean that it is unacceptable to run a service which requires consent to share data? That seems overly restrictive - where does that leave services in which sharing data is the whole point of the service?
GDPR literally says that you're allowed to run a service that requires data and you don't even have to ask for consent for that type of data.
What you're not allowed is to collect data that's NOT critical for your service without consent.
> where does that leave services in which sharing data is the whole point of the service?
When you actively share data with others, consent to process the data for this implicit. So as I understand it, a dating app would not need your explicit consent to share a profile photo with others on the platform since that is the whole point of the app.
But if the service decides to provide your personal data to advertisers, explicit consent is required, since that is not essential for providing the service. The service could just as well show anonymous ads, or target ads without tracking the user.
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
So it does sound to me like you can't tie data sharing to provision of service because then consent is not freely given.
Also:
> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.https://gdpr.eu/Recital-43-Freely-given-consent
I think this means that even if Grindr obtains consent the way they do, it's still not freely given consent so even having obtained it they still don't have permission to use the data the way they want, since only freely given consent counts as consent. But I'm not sure, maybe it's more complicated.
>Consent must also be freely given. The DPA highlighted that users should have a real choice not to consent without any negative consequences. Grindr made use of the app conditional on consenting to data sharing or to paying a subscription fee.
I thought that this was allowed. Kind of puts companies depending on advertising in really bad position. One would expect that having choice of paying or getting tracked would be, at least for some people, better than just having to pay to get to the content.
Yeah, but personal data is way more profitable. Hence why every popular site puts all the opt-out buttons & privacy terms behind tiny fonts placed in some hidden inconspicuous corner.
I recently stopped thinking of myself as an Internet user on the web but rather an advertising ID holder.
Probably net zero, as long as everyone follows the same rules. Advertising is a zero-sum game, and changing the height of the playing field shouldn't impact relative revenue all that much.
Couldn't this be done based on content, without looking at personal data? "Here is an article on investment. How about I show an ad of an investment bank."
If only one company does it, they lose. But if everyone is forced to do it, noone will lose.
> An advertisement that is not within the user's interest is wasted, rather than going to the competitor.
Not completely, if there is anything to the concept of "brand awareness" (and I believe there is, and a good chunk of advertisers do too). An ad that is not within user's interest still makes an imprint of the brand, product and vendor in their head. Later on, where user's interest change, that brand/product/vendor is a bit more likely to be recalled by them. A mistargeted ad is better than no ad at all.
In theory, yes, in reality, no. The strongest, biggest signal of what ads people will click is what kind of ads they clicked in the past. Content based ads have really bad performance comparably.
There's very little planned obsolescence anywhere. It's more about racing to the bottom and building the chepest possible product that will hold for a while.
Planned obsolescence is a tricky term and has many faces (see e.g. a classification at [0]). A good and widespread example of overt, in-your-face planned obsolescence (surprisingly not mentioned in the article I linked) is "fast fashion", where nobody even tries to hide that clothing is designed to deteriorate quickly, to accommodate a season-long replacement cycle.
I think race to the bottom deserves to be its own type of "planned obsolescence" (again, not mentioned in the Wikipedia classification). While in a highly competitive market, the design process may boil down to "do the same as competitor X, but slightly cheaper" instead of explicitly setting the durability target low, the end result is the same - products that have no business existing enter the market, live very briefly, and forever enter the waste stream. It's a systemic problem, and it's planned in the sense that if you enter such a market, you've already decided to create short-lived trash.
Well, to make it more obvious - if users had the choice of paying with money or paying with their future voting rights, would that be "forcing users into signing their rights away?". Surely, not "forcing" since it's their choice - but, I hope we agree that it's a choice that should NOT be presented to them, at all.
You may or may not agree on whether the right to privacy should be on the same level as the right to vote, but other than that, it's really the same principle.
I don't share your paternalistic view of having to police people's actions. Giving informed consent to use some data (and eventually ability to withdraw that consent when the business between the parties ends) should be enough. And your comparison between sharing users' personal data, something that influences only them and voting rights (which are not transferable btw) that influence everyone is absolutely ludicrous.
Privacy absolutely affects everyone. If you gave consent to Facebook to track you & you are my friend, you'll give my phone number to Facebook, and photos of me, etc. I cannot opt out of that! And in fact FB is well known for building shadow profiles [+]
Look, I understand if you feel "privacy rights" and "voting rights" are not in the same class of rights, I even mentioned explicitly that even though the same principle applies, you may not agree they're comparable. But you can't deny that the only reason voting rights are not transferable is because we said so - we have laws that dictate "voting rights are not transferable". It's easy to imagine a world where voting rights would, in fact, be transferable. It's just as easy to imagine a world where advertisers don't have the right to build a profile about you.
What is happening now is that we started with a world where (online) privacy rights were non-existent, and laws like GDPR are aiming to change that. You may not agree with the change, but others do, and it's a legitimate sentiment to have. It's not necessarily outrageous to want to "impose on everybody" my view of privacy rights. No more than it was to "impose on everybody" the view that e.g. women should be allowed to vote.
I don't know why you are bringing Facebook into this. Its business model is completely different, afaik it doesn't offer paid subscription to opt out of all tracking. This is known as straw man fallacy - misrepresenting someone's position and then rebut that.
What you are suggesting is not like "women should be allowed to vote" it's akin to "women must vote".
What does the business model have to do with everything? I was merely replying to this:
> sharing users' personal data, something that influences only them
It does not influence only them, and I gave you an example. Also, I don't care what's FB's business model, I advocate that nobody should have an automatic right to build user profiles. I explicitly advocate that you should not have the right to demand payment in "data" because privacy should not be considered currency. Is that a strawman? I thought that was your entire argument "people should be free to decide to pay with their data!". NO THEY SHOULD NOT. Data is not currency, just like votes are not currency. You ask for currency, if you need payment - you don't ask for profile data.
> it's akin to "women must vote".
Well, it's an analogy, if you don't find it useful, let's drop it. The gist of it is, I feel very strongly that we should legislate that privacy is not currency, you seem to feel otherwise. It is fine to disagree, but it doesn't make my position irrational or absurd in any way. Yes, I feel that allowing people to pay with privacy _is_ exactly "taking their rights away", in the same way that allowing them to pay with their voting rights would be.
I didn't expect having to qualify everything I say to the context of a discussion and topic on hand. I don't agree on your definition of personal data. Phone numbers and email addresses of my contacts are personal information that don't belong to me, I have merely unwritten consent to use them (but not to give them to every spammer).
But none of that seemed to be relevant to the Grindr fine. And one thing I should have probably mentioned before - I don't know Grindr and how the subscription works there, but my opinion on paying(subscription) vs giving data away would also depend if there were additional features granted in the subscription (now thinking about it probably yes) or not. This would in my opinion qualify as forcing user into paying even for thing he might not necessarily want to just to protect own privacy.
I'd like to sell you some cough medication, it's all natural, made from a concentrate of two south-american plant called "coca" and "tabaco", everyone who tries keep asking for more, even when we increased the price !
Too bad the big bad governement regulation prevent me from selling it. It's absolutely ridiculous, all my customers wants it and I pay my taxes.
I'm not a hard core libertarian to argue about whether banning drugs is good, but even in your scenario customers having information about what is the "medication" made of and any addictive properties those things might have would go a long way. And lets not pretend that whether a drug is legal (alcohol, tobacco, even marijuana somewhere) or not is result of rational process and not just result of lobbying and historical custom.
Everyone (in the EU/EEA) has the right to not to have their data processed if there’s no applicable basis. So if Grindr requires money to keep their service active, then everyone should pay the same fee (leaving aside service levels) and not be forced to give up their rights. Alternatively, Grindr could come up with a business model that allows them to offer their service for free without processing their user’s un-needed personal data; an obvious first idea would be advertising targeted at gay men, but not at any one specific user.
I'm not sure if I've ever seen such choice being offered in the first place. It's always either "pay with your data or don't use it at all", or "pay with your money and your data, or don't use it at all".
Also, prior to GDPR, the "pay with your data" aspect wasn't even mentioned by the companies. Ultimately, GDPR doesn't prevent people from donating their data - it just requires that it's explicit and not mandatory.
Really? Going to der spiegel as someone from Chicago I get a "Continue reading with ads, Visit SPIEGEL.de as you normally would with the advertising and the usual tracking. (You can revoke your consent at any time.)" with an accept and continue box or "… or purchase a PUR subscription, It allows you to visit our site without any ad tracking and mostly free of advertising. €4.99/month, €1.99 for SPIEGEL+ subscribers".
I've never been there before. I went on to read the details of their "PUR subscription" via Google Translate, and it seems to truly be a "pay OR give up data" model, the first one I've ever seen. That said, it still isn't advertising-free[0] and contains some amount of internal, first-party tracking[1] (but see [2]).
Below are excerpts run via Google Translate. I'm truly very surprised by what I just saw - the directness and honesty of communications is even more refreshing than privacy-friendliness itself. Their FAQ covers privacy and advertising concerns separately, and is very specific. If I had a need for German-language news, I'd subscribe to this just as a token of appreciation.
--
[0] - "We continue to advertise our own products discreetly because SPIEGEL readers expect information about new products from the company. We cannot technically remove advertising from podcasts and our digital edition, but this is played without tracking. Individual sponsorships are just as difficult to fade out, and separate page areas such as voucher and sports betting marketplaces that are independently offered by the providers there are only to be made inaccessible in the navigation of our journalistic offers - but not, for example, for searches from outside. This is the level at which the exceptions move."
[1] - "We depend on it [internal usage measurements] for both basic control and further development of the news site, especially in order to optimize our payment model: Which texts are of interest to readers, where do operating elements not work, which pay offer might interest a reader and which rather not?"
[2] - "What data does DER SPIEGEL collect from PUR subscribers? The customary reach comparisons and usage statistics for the control and optimization of the site, especially via our first-party service provider Adobe." - I'm not sure what they mean by Adobe being a "first-party service provider", but I don't like it collecting anything.
--
EDIT: here [3] is a list of cookies they set for PUR subscribers. Seems to be true to their word (and it's nice this list wasn't hard to find in the first place), but I'm worried about the presence of Outbrain on that list. I can't imagine any legitimate interest a third-party chumbox provider would have.
Yet a very large number of companies do. Open Facebook in an incognito window - it'll give you a dialog with "Accept FB cookies"; options are, "Accept all" or "Manage" (already in violation of GDPR since rejecting is not as easy as accepting!). Click manage, and you get presented with a single button, "I Accept"; sure, there's one checkbox that you can leave unchecked, but it's really unclear from that wall of text what exactly you are "Accepting" and what you're not.
If Grinder was fined 10% of revenue - why exactly aren't they fining Facebook 2.2 billion? It'd be much more impactful, and hopefully help put an end to those practices.
They are sending all of their user's data with an "opt out" flag and leaving it to the ad companies to honor it? Slow clap?
It also caught my eye that their TOS didn't allow users a choice in data sharing, it was either agree or don't use the app. That might have some wide ramifications, I've encountered many web sites that won't let you past the sharing opt-in until you click agree - i.e. it is impossible to disagree. It is a completely foreign concept for US companies.
Wikipedia says Grindr is based in California, US. I wonder if they will pay the fine or refuse. If they have no assets in Norway I imagine it may be hard to collect from them.
> If they have no assets in Norway I imagine it may be hard to collect from them.
I thought, but have never verified, that fines given as GDPR enforcement can be collected throughout the EU/EEA. If this is true, and if European courts uphold the fines when Grindr undoubtedly challenge them, then it's my understanding that the Norwegian DPA can have Grindr assets elsewhere in the EEA seized.
I think you underestimate how specialized law can be.
I have a relative who is a lawyer and legal attorney who would definitely not know this and when asked would answer that it is not his speciality and that he would have to do more research.
He's an attorney in employment law, and I asked him some things about criminal law and he did not know, and when pressed to make a guess, his guess was wrong.
It seems that law is quite complicated, and that lawyers have their specialities.
Yes and it seems like this would be an even more specialised area. if we don’t even know which lawyer to ask how can we even hope to follow the law meaningfully
If they are "established" somewhere in the EU, then all GDPR complaints get forwarded to the DPA for the country where they are established. This is called the "one-stop shop mechanism."
If the Norwegian DPA is the one handling this case, probably that's because Grindr's EU operations are legally established in Norway. If they don't have an "establishment" in the EU, then I think it's up-for-grabs, and my gut is that NOYB would have preferred to file in France or Germany.
This is why GDPR actions against Facebook, Google, etc. all go through the (under-resourced) Irish DPA: US companies are all based there for tax reasons. It's... becoming a problem.
If they try that, I guess the Norwegian authorities will escalate through EU - either on the EU level, or by collaboration with larger national agencies such as in Germany. This is not a case isolated to Norway, and the agency seems to see it as such.
I'm pretty happy that GDRP finally starts being used to limit that type of data agglutination. Max Schrems and NYOB are doing a great job pushing for better privacy protection in Europe. I just hope that the big ones also either change their behavior or get forced to account for it.
Grindr presents me the third party data choice dialog every day. Sometimes multiple times per day. I reject every time. Also, it forgets that I set my units to metric regularly. Grindr is a mess. Besides it big user base, it is a garbage app.
The GDPR has always amazed me. It changed the playing field from "you can use our free app as long as you give us data for marketing or not use it" to "you can provide a free service in the EU as long as you dont collect data for marketing or dont provide it"
Without making a judgement on the merits of the approach, as a user/individual I appreciate the power this gives to protect my data. As a company/developer the conplexity of navigating the landmines that this poses makes me understand why a lot non EU companies decide to just block EU users. Is it "good riddance " in both cases? Maybe, but still the fact that innovating becomes more expensive sits there.
As a company/developer starting from scratch, there is really no complexity nor landmines : Do as you say, Say what you do, Give the user options.
You can offer the user the choice between targeted advertising or non-targeted.
You can offer the user the choice between paid subscription or advertising.
Cant get enough users to pay or consent ? Then you did not find market-fit in the real world.
Oh but GDPR is more than "don't do marketing". There´s stuff like "Right to be forgotten" that implementing controls for it would require a company starting from scratch to spend resources in "getting it right", and then you have things like backups, that may or may not fall in scope. And this is only one of the 8 rights that the GDPR provides.
First of all, it's not "don't do marketing", it's don't do "user-tracking-and-profiling based advertising". Marketing is so much more, like actual market research to provide a service users actually want.
You have to handle a "right to be forgotten" query within a month, surely this is enough time for one sysop to run a prepared query. If your database is so byzantine that you cant find all reference to a given customer, you are either google or in need of a new architect.
Backups do not need to be deleted immediately, they should however expires and be destroyed in accordance to your data retention policy (Say what you do, do as you say).
This fear mongering is absurd. You won't get fined millions just because you didn't delete something by mistake. You will get fined however if you do this repeatedly and deliberately.
> As a company/developer the conplexity of navigating the landmines that this poses makes me understand why a lot non EU companies decide to just block EU users.
The only places I've seen actually do this are local newspapers in the US. Are there many other substantial companies doing this?
In general, dropping the EU is an expensive game: it's 450 million people, including many rich developed countries. GDPR doesn't mean you can't advertise or do other freemium upselling, it just means you can't precisely track people's personal data to do so, and the rules for that are fairly common sense & clear imo. It's not difficult for most businesses to make good money and stay inside the rules.
There are definitely a couple of big one. They get posted on here every now and then but I can't remember them because I'm in Europe and if they don't want me, I don't want them.
I'd rather not interact with a company that disrespects my privacy and it's rather helpful they have to tell me this up front.
Same whining in finance. Every loophole is ruthlessly exploited, shady tactics employed, malicious compliance or borderline fraud are commonplace. The legislature changes to address that => the actors kvetch about red tape.
What you and many others are missing is the fact that major part of GDPR is about collecting unnecessary data, specifically PII, personally identifiable information. If your web/app/whatever has legitimate reason why it needs the data, GDPR is fine with that. For example it's perfectly OK for a dating app to collect information about person's eye color and height or for medical app to have access to your heath-related information, even though it could be used (with other data) to identify specific individual.
No because GDPR has exceptions for state usage. Tax returns are not published but some key figures are available but you need to authenticate to retrieve it and it is logged and the log is available to the searched person.
The point is that comes across as hypocritical and makes the rationales come across as lies. "Consent for data sharing is important - except when we do it!" isn't a very good look even if there are valid reasons for tax return transparency it goes against their own stated principles.
You don't always need consent. There are 6 legal reasons to collect data. "Public interest" as with tax returns is one.
As another example, the post office is allowed to collect and process your address, since otherwise they could not fulfill their contract to deliver your parcel (contractual obligations).
Similarly, paramedics don't need to worry about asking for consent from a patient that is unconscious: They can look into their medical records based on "vital interests".
Governments are run on hypocrisy. They can kill you, imprison you, extort you etc all under their legal framework. This isn't anything new. It's kind of essential in order to function as if they couldn't do it a vacuum would develop and eventually be filled by someone else who is willing to do these things.
There are 6 legal basis for collecting and processing personal data: Consent, legal requirements, vital interests, public duty, contract requirement and legitimate interest.
Collecting and publishing tax returns would fall under "public duty".
We need to separate "showing advertisement" from "surveillance capitalism". You can (and should) show advertisement without infringing the privacy of your users.
I see two potential outcomes:
1) Ad-supported apps will serve ads without hoarding personal data, e.g., a weight tracking app will show weight-loss ads to everyone.
2) We will see more paid apps.
Just as investors don't invest in companies doing financial fraud, I'm hoping investors will also do more due diligence on the privacy posture of their portfolio.
Question in regards to the user consent pop-ups on websites: On sites that continue to let you browse without making a selection (say the consent banner in on the bottom of the browser window), If I don't make any choice, accept or reject, what happens? Am I giving consent by default?
reply