
> GDPR those banners went viral in clumsy, annoying, not useful and frequently unnecessary implementations. Maybe it's because of hefty fines introduced in the context of GDPR.

The problem is that not enough fines have been meted out. Had they been, we'd see less of the unuseful, annoying, unnecessary banners. Because they are this way on purpose: to make you "consent" to wholesale collection and trading of your data.




Maybe (I'm too lazy to check this out). But from what I remember only after GDPR those banners went viral in clumsy, annoying, not useful and frequently unnecessary implementations. Maybe it's because of hefty fines introduced in the context of GDPR.

My point is: Did it help fight privacy issues? I don't think so. Did it harm? I do think so. Will it ever be somehow measured for its effectiveness and be taken back/changed to be more effective? I don't think so. So better get rid of it.


> I see and hear of GDPR violations everywhere

The legal follow-up could be better. The exacted fines should actually follow the law instead of being softened. With at least 4% of gross revenue in every instance, it would have bite and act to curb the excesses, thereby tackling the root problem. After all, it was never meant to outlaw data collection, just excessive surveillance.

> The annoying cookie banners

The GDPR isn't unclear about what companies can collect, what consent should be asked and how. Those banners are malicious compliance or non-compliance. They're purposefully built that way to get you as a potential consumer riled up about the regulation. And it's working: instead of talking about the companies trying to abuse your data and implementing horrible popups that don't do what the law says they should, you're now upset at the regulators. Classic case of "Don't like what they're saying? Change the narrative".


I think we can safely agree that GDPR is having substantial effects (I've worked on implementing it in 2 organisations) and that the banners we are seeing are a tiny element of what GDPR is about - an annoying edge case.

Keep in mind that the majority of those data processing consent banners aren't actually compliant - the GDPR has explicit provisions against dark patterns or the kind of malicious pseudo-compliance we often see.

The problem is that enforcement is severely lacking, thus most of those offenders actually get away with it.


And there is far more going on than what you see on a daily basis. It isn't "obvious", yes the banner thing is shit, but GDPR is a complex legislation and has many great benefits for personal privacy that go far beyond annoying banners on web pages.

At least 90% of the banners I get hit with around the web are automatically not GDPR compliant because they require you to opt out. It's amazing to think of the effort that's been expended implementing them while still failing to follow the law.

I'd call it a legal fig leaf, but it doesn't cover up anything at all.


> "GDPR nightmare for everyone" -> only for companies that intend to use personal data in non-ethical ways

You do not understand GDPR. It is a burden even for businesses or non-profits that keep a minimal amount of data and do not trade it. As with all EU regulation it is designed around big business. It actually helps the likes of FB because they are more able to push people into agreeing to let them use their data.

> "cookie banners for everyone" -> cookie banners only if your website is using cookies in a way that needs a cookie banner.

Yes, but it does little good, and it stops end users from white-listing sites allowed to set cookies because you need to allow the cookies that track your cookie options.

> "USB-C" -> Good for consumer, I believe.

I disagree. It stops new connectors being introduced (because you will still have to provide USB-C). There is little gain: essentially slightly lower sales of charger cables.

Add to that messes like VAT MOSS which was ridiculously heavy and even led to some small businesses stopping sales to other EU countries to avoid complying with it.


> It's just that the implementation sucks big time.

Yes, the way companies are "implementing" GDPR compliance sucks, even though GDPR compliance is not that complicated. That should tell you that those companies think it is more profitable to annoy you than to have a privacy-compatible business model.

GitHub, for example, gets it right. It only stores data it needs for fulfilling the services it provides to you, so there is no need for cookie banners and similar. That's exactly how the GDPR intends it to work. The problem is companies dragging their feet and trying to fool you into thinking it's the fault of the GDPR that they don't respect your privacy. Incredibly backwards, but sadly it seems to work.


> I see and hear of GDPR violations everywhere (here in the UK, pre and post Brexit). Despite the threat of legal action, companies still ignore (too small to care) or are ignorant of the rules. At the end of the day, Big Tech still owns all the personal data in some way or another getting around EU restrictions.

Companies may ignore law, but fines are being issued, so they do it at their own risk: https://www.enforcementtracker.com/

> The annoying cookie banners where everyone just clicks "accept all" because no one wants to go through a list of checkboxes. This is classic EU strategy to problems: just throw more bureaucracy and administration at a problem.

These cookie banners are (slowly) being deemed illegal: "Accept all" and "Reject all" must have the same prominence and accessibility. GDPR is forcing companies to care about security and about how they use information about their users and, probably for the first time, it's forcing companies to be transparent with how they are processing their users' data. And it's not requiring companies to do anything you wouldn't expect an honest person to do when you give them some personal information; it's not just throwing bureaucracy at a problem.


It's just as easy to escape GDPR banners: Just don't visit the offending sites. Free markets at work.

And similar to ads, I expect automated tools to emerge that eliminate most GDPR banners by granting the minimum consent required (optionally alerting the relevant regulator if that's excessively broad) and then revoking it immediately afterwards.

You can't escape bureaucracy, but you can escape the lazy companies who can't think of a better way to deal with bureaucracy than pushing it onto the user.


> Because it puts a whole bunch of people out of a job

Yup, that's the reason behind the hysteria.

> and ruins the user experience for many things.

Let's put the blame where it belongs. It's not GDPR that is ruining the experience. It's the sites that refuse to take a hint and stop abusing users' data. When you prepare this popup that will "ruin the user experience", you list a bunch of things in it. All of those are the things you should strongly consider stopping doing.

> And while this is happening I've read about people having their app revenue drop 90% in some cases.

Honestly, I was strongly hoping this would happen. Good to hear the new law is working.

> It's not about whether data abuse is okay or not, but rather it's about the consequences of taking such a heavy-handed approach as GDPR did.

As others said, the industry had plenty of time to avoid this. For instance, the Cookie Directive is a decade old now, with previous regulations touching this sphere as early as 16 years ago. The industry instead doubled down on user-hostile practices. So now we've got GDPR.


> because companies unintentionally or intentionally misinterpret them

The GDPR basically boils down to

1) don't be an asshole.

2) explain how you are using personal data and who you are sharing it with.

3) let people delete their personal data (within reason).

4) if you get hacked, let your customers know within a reasonable time frame.

It's pretty hard to fuck that up and the number of companies that fuck it up is sad.


> GDPR is bad because some will decide to break the law.

No, where do I say that?

My point is that GDPR still lets companies collect user data, legally.

"Oh, now they need to ask for consent" doesn't really change things in practical terms. If Facebook still has billions of WhatsApp users, and if every user had to give consent to have the data extracted to use the service, in practice Facebook still has access to the data and can build a profile of billions of people.

> What specifically makes GDPR just "protocol theater"?

I don't know how else to restate this, and I don't see how I can make it any clearer.

Companies are still collecting data at large. The requirements about consent do not stop them from collecting and exploiting data, they just add some extra hoops and create inconveniences. These hoops and inconveniences are enough to make data processing costly for smaller players (even for legitimate uses) but they don't do anything to stop the Big Players. We get the worst of both worlds.

> I'd say that you have more privacy because you "refuse consent".

On paper, you can "refuse consent". In practice, the absolute majority of people continued to use the services and devices from GAMMA (Google, Amazon, Microsoft, Meta, Apple), and the only way to use those services and devices is by giving consent.

> what changes should be made to make it more than that?

By forbidding data collection and brokering (tracking cookies, ad auctions) at all. By forbidding personalized advertisements at all. By forbidding ad-subsidized hardware. By forbidding hardware to be sold bundled with internet-connected software/services, i.e., they can either sell the software or the hardware, but not both. By forbidding any service to be commercialized unless it has a self-hosted version. By forbidding "freemium" services, i.e., either you charge from everyone or you don't charge from anyone.

----

> Money is power

This is exactly what I am contesting! Having more money can help with getting more power, but we can think of ways where the concentration of power is limited without having to fight over the discussion of how to limit the concentration of "money".

> you recommend removing civil rights...

No. People still keep property rights, and they are still free to associate with others. The only thing about my proposal is to eliminate corporations.


That's not the fault of the GDPR. The point of the GDPR was to force companies to expose just how much they sell your data, and thus incentivize people to vote with their wallet and choose services that value protecting your data.

Unfortunately, corporate greed was too high, and the result is cookie banners listing sometimes >1k third-party entities.


I'm guessing that the core idea behind GDPR laws wasn't to flood the internet with banner popups, but to limit storage of PII that is excessive and unneeded for honest usage. IIRC GDPR allows for some limited PII storage without any banners, but it is restricted in time and scope, to prevent selling this data. Instead nobody is limiting usage of the data (not even the Eurocommission site with GDPR rules) because that is not enforced in reality. So in essence GDPR law was a spectacular, expensive failure, because nobody restricted their PII processing and analytics.

> I see and hear of GDPR violations everywhere (here in the UK, pre and post Brexit). Despite the threat of legal action, companies still ignore (too small to care) or are ignorant of the rules.

It was wild west before GDPR, it takes time for companies and attitudes to adjust. And that adjustment is ongoing. Every fine helps; it results in increasing compliance. Give it a few years, wild west won't be so wild anymore. I'm sure you'll still find lots of smaller companies that didn't get the memo but the likelihood that your daily activities involve entities that violate your privacy left and right is getting lower and lower.

> The annoying cookie banners where everyone just clicks "accept all" because no one wants to go through a list of checkboxes. This is classic EU strategy to problems

Annoying banners are not EU strategy, they are strategy by companies who want to violate your rights and annoy you until you consent. The regulators are aware of this problem and I believe it's being worked on.

The DSA proposal discussed in the article includes additional regulation against dark patterns and there's this little bit:

> In order to avoid fatiguing recipients who refuse to consent, terminal equipment settings that signal an objection to processing of personal data should be respected.

I have no idea if it's going to work out but this would make something like Do Not Track legally binding. I very much support this bit, because I hate annoying consent nags as much as you do.


> What trouble? It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.

There are a lot of popular services you apparently can't use, like Stripe, and a lot of rules to follow, especially if you store any kind of personal data.


> Between shockingly obtrusive GDPR consent forms

Imagine if companies didn't collect copious amounts of user data and didn't try to use every trick in the book and all known dark patterns to make you give up that data.

"We care about privacy by selling your data to 2765 'partners' and are blaming GDPR for this"


> GDPR compliance is expensive to implement correctly

It's really not unless your business model involves selling data.
