by probably_wrong 2840 days ago
In their example, under "Gather consent seamlessly", their example shows "Yes" and "Other Options". Now, I haven't yet read the GDPR in detail, but I was under the impression that opting out should be as easy as opting in. A quick search returns:

> The ICO also said that, while "GDPR does not specifically ban opt-out boxes," that method of communication is "essentially the same as pre-ticked boxes, which are banned"

If this is correct, using the product as shown on the screenshot (and as used by several websites) is in violation of the GDPR.

I wonder if Google will pick up your legal defense costs if you get sued for using their product.

(Edit: I tried to find answers to these questions, but apparently the only way is contacting my Google representative, which I don't have)


Having cleared all cookies recently, I'm re-encountering all these dialogs. They've gotten cagier.

Anecdotally, a third of these cookie dialogs are violating those principles, either preselecting all third party advertisers, or claiming all 60+ third parties are necessary for the functionality of the site so Allow or Go Away. Or having only one OK/Agree button.

It's not just little guys. Slate.com for example:

Slate’s Use of Your Data

By clicking “Agree,” you consent to Slate’s Terms of Service and Privacy Policy and the use of technologies such as cookies by Slate and our partners to deliver relevant advertising on our site, in emails and across the Internet, to personalize content and perform site analytics. Please see our Privacy Policy for more information about our use of data, your rights, and how to withdraw consent.

[Agree]

https://slate.com/gdpr?redirect_uri=%2F%3Fvia%3Dgdpr-consent...

The privacy policy generally says you're welcome to go opt out of each individual third party then delete their individual cookies from your browser, beat yourself up.

Slate for example, says, "You may choose whether to receive interest-based advertising by submitting opt-outs..."

The justification appears to be "EU doesn't tell us what to do":

"Please note that the Services are directed towards users who reside in the United States. By using the Services, you consent to the collection, storage, processing, and transfer of your information in and to the United States, or other countries and territories, pursuant to the laws of the United States. Some of these countries may not offer the same level of privacy protection as your own."

This Privacy Policy also features dynamic legalese:

"Slate tracks when EU readers grant consent for Slate to collect and process data through the use of an identifying cookie on your browser. The browser through which you are currently viewing Slate does not currently have such an identifying cookie. If you are an EU reader this means that Slate is not collecting or processing data from your current browser session."

https://slate.com/privacy

// I am currently reading from EU -- a good time to clear your cookies.

I noticed that about Slate too, yesterday, when another HN article linked to them. Now I just open sites that break GDPR laws in a private tab, accept all of their cookie things and skim the article and determine if it's worth properly reading (while blocking ads, canvas super cookies, etc.). When I'm done I close the window and all the data they place on my machine is wiped. This means the outcome for them is even worse than if they had behaved themselves and offered a "minimum required" box that I would have probably ticked.
> claiming all 60+ third parties are necessary for the functionality of the site

If you consider financial needs underpinning the site operation, it's technically true - without the 60+ 3rd parties, they could run out of funds to host the site, after which the site would not function at all.

There are other sources of funding than advertisements
Interestingly, Dutch news websites usually handle GDPR popup dialogs properly. Example: https://nos.nl/.

It's just as easy to opt-in as to opt-out. Just tap the checkmark or the X and then Save your preferences.
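The mechanism the thread circles around (nothing pre-ticked, reject as easy as accept, a first-party cookie recording the decision, and no third-party script loaded until that decision exists, as in the Slate policy text quoted above) is easy to get wrong in the other direction. The following is an added example, not code from Slate, nos.nl or any site in the thread; the vendor list, script URLs, cookie name and retention period are constructed for illustration.

```javascript
// Added example: a minimal consent gate for third-party scripts.
// Vendor ids, script URLs, cookie name and Max-Age are assumptions.
const VENDORS = [
  { id: "analytics", src: "https://analytics.example/tag.js", necessary: false },
  { id: "ads",       src: "https://ads.example/pixel.js",     necessary: false },
  { id: "session",   src: null,                               necessary: true  },
];
const COOKIE_NAME = "consent";           // assumed cookie name
const COOKIE_MAX_AGE = 180 * 24 * 3600;  // assumed retention: six months

// Starting state: only vendors marked necessary are on. Nothing is pre-ticked.
function defaultConsent(vendors = VENDORS) {
  const state = {};
  for (const v of vendors) state[v.id] = Boolean(v.necessary);
  return state;
}

// Both blanket choices are a single action, so rejecting is as easy as accepting.
function acceptAll(vendors = VENDORS) {
  const state = {};
  for (const v of vendors) state[v.id] = true;
  return state;
}
function rejectAll(vendors = VENDORS) {
  return defaultConsent(vendors);
}

// Record the decision as URL-encoded JSON in a first-party cookie. The
// attributes keep it HTTPS-only and out of cross-site requests.
function consentCookieHeader(state) {
  const value = encodeURIComponent(JSON.stringify(state));
  return `${COOKIE_NAME}=${value}; Max-Age=${COOKIE_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Read the decision back from a Cookie header or document.cookie string.
// Returns null when no valid decision exists; callers treat null as "no consent".
function parseConsentCookie(cookieString, vendors = VENDORS) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    let parsed;
    try {
      parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (e) {
      return null;                       // malformed value: treat as no consent
    }
    if (!parsed || typeof parsed !== "object") return null;
    // Only known vendor ids are honoured, and necessary ones stay on regardless,
    // so a tampered cookie can neither add a vendor nor switch a necessary one off.
    const state = defaultConsent(vendors);
    for (const v of vendors) {
      if (!v.necessary && typeof parsed[v.id] === "boolean") state[v.id] = parsed[v.id];
    }
    return state;
  }
  return null;
}

// The gate itself: which third-party scripts may be loaded for this state.
// With no recorded decision (null) nothing third-party loads.
function scriptsToLoad(state, vendors = VENDORS) {
  if (!state) return [];
  return vendors.filter(v => v.src && state[v.id] === true).map(v => v.src);
}

// Browser wiring. Scripts are injected only after a stored decision allows them,
// never unconditionally on page load. Returns the number of scripts injected.
function injectConsentedScripts(doc) {
  const srcs = scriptsToLoad(parseConsentCookie(doc.cookie));
  for (const src of srcs) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return srcs.length;
}

// Called from the dialog's Save / Accept all / Reject all buttons.
// Note: a Secure cookie is dropped by the browser on a plain-HTTP page.
function saveChoice(doc, state) {
  doc.cookie = consentCookieHeader(state);
  return injectConsentedScripts(doc);
}

if (typeof document !== "undefined") {
  injectConsentedScripts(document);
}
```

The point of the structure is that the dialog's checkboxes are rendered from `defaultConsent()` (all non-necessary vendors off), "Accept all" and "Reject all" each map to one function, and the only code path that adds a third-party `<script>` reads the stored decision first. A site that wants to claim "60+ partners are necessary" would have to mark them `necessary: true` here, which makes the claim visible in the vendor table rather than buried in the dialog.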

This hits another big point I've been wondering about GDPR. If site X has third-party JS from Google, Facebook, or so on, who does GDPR apply to? Is site X the one collecting the data, or is it the third party?
GDPR distinguishes between the "Controller" and "Processor" for data. A Controller has the most responsibility under GDPR. A Processor has separate responsibilities, and generally fewer of them.

In your example, Site X would be the Controller. Google or Facebook may be a Processor, or they may not be involved at all. If the JavaScript in question sends data to Facebook/Google then they are a Processor, whereas if it's purely a client-side library or something that helps Site X send data to itself then the situation is more ambiguous.

Vendors could arrange the relationship in such a way as to be joint controllers instead of processors if they wanted to. Most companies seem to want to avoid this set-up if possible.

from Article 4:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Generally speaking, site X is the data controller and the third party JS providers are the data processors. GDPR applies to both, with the controller being the party primarily responsible for ensuring compliance.

+1 for actually mentioning (let alone citing!) the article. There is so much information floating around, much of which is slightly exaggerated, misinterpreted or misremembered, and if you want to check it you basically have to go and search through the whole thing. Even the Dutch data protection authority has lots of info and FAQs without any reference to the law at all. So whenever I refer to it, I often have to go "at least, that's what our national authority says, I have no idea which article in the international law this is based on. Here, go and read some Dutch!"
My understanding (IANAL) is the site requested (i.e., X) is the data controller: X caused the third-party requests to occur, and is therefore responsible for any data transmitted over them.