> If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site.
And how is that supposed to work, exactly? If you choose "deny" then they can't track you, so they can't set a cookie or save profile data! Of course you'll get the same prompt the next time you show up. At that point you're just another anonymous visitor of whom they have no prior knowledge. You have to consent before they are allowed to remember your preference.
The same issue applies if you grant consent but take your own measures to thwart tracking, such as limiting cookie lifetime. The next time you show up they don't remember you and must ask again, or else give up and assume that no one ever grants consent.
If you are already signed in to an account that is a different matter, of course, but even for the minority of sites where I would have an account, signing in would generally be more trouble than dealing with the pop-up, and thus not an improvement.
> ... into accepting their onerous terms.
There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding.
For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about them.
For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received.
Abolish the popups entirely, move the consent forms to a voluntary options page. Implement a user profile system, so people can create a profile and opt-in to tracking and profiling through that. Turn off tracking and profiling completely for anonymous users who choose not to create a profile, or who haven't opted in.
I know there will be an outcry of "but the amount of data we would be able to gather is minuscule!", and I say that's a good thing. Companies have absolutely no right to my personal data and to infringe on my privacy, unless I explicitly grant them access to do so.
The default should be to not track and not profile and not store privacy-infringing data, unless the user has taken specific and deliberate action to allow it.
>"There is nothing "onerous" about their terms. They have every right to require your consent in exchange for their services, the GDPR's infringement of that right notwithstanding."
They have absolutely no right to my private data, unless I specifically give them permission. They do not have any right to success, no right to a specific business model being viable forever.
>"For that matter, they have every right to collect, store, and make use of whatever data they are able to gather from your interaction with their service without your consent. The law in this case is blatantly one-sided, and consequently unjust—you aren't forced to beg for their consent to remember and/or communicate whatever data you can gather about them."
No, they do not have that right. There are very clear differences between corporations and people. Corps are not people, they do not have the same rights a person does.
>"For that matter, where is the GDPR equivalent for the government? They collect more information, and more personal information, than anyone else. Based on the same principles as the GDPR, you should be able to opt out of all those income and sales tax reporting forms, for a start, or demand that they delete you from all their databases, with no change in services received."
The GDPR applies to governments as well. There are very specific rules in place for what information they're allowed to keep; any PII data can only be kept if there is a valid purpose. The same rules go for companies: they're certainly allowed to keep information, as long as it's appropriate and necessary to provide the services they provide to you. And yes, taxation is part of the overall service government provides you too; specifically, it's the payment for those services.
Facebook doesn't need to endlessly track, profile and monetize you, in order to run a social network that lets you chat with people, exchange cat videos and arrange events. Google doesn't need to endlessly track, profile and monetize you in order to provide search, email, calendars and their other services. It's perfectly fine to keep your calendar data, because that's a service they provide to you. But it is not OK for them to analyze and monetize your calendar data to target ads, unless you give them explicit consent.