by tablethnuser 2511 days ago
I think all these privacy protection rulings are a step in the right direction, in that we are seeing governments respond to dark patterns similar to how they respond to spam and telemarketing.

The loose thread now is in how the companies are required to communicate their data mining. These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.

7 comments

All it takes is strict enforcement. The rules are already there.

Many of the popovers (basically all that you can't easily dismiss without giving consent to anything unnecessary) don't result in valid consent.

Twenty page privacy policies are also questionable: "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."

I also hope that the ones that ask for consent with a modal pop-up create a modal pop-up offering you to revoke consent on every page load: "It shall be as easy to withdraw as to give consent."

Strict enforcement of the existing rules is all that's needed. Getting consent is going to be really hard, to the point where web sites may be best off not asking for it, and only doing what they can without processing personal data.

This. I long for the day when regulators pick one high profile target that uses “by entering you agree to [us giving your data to third parties for ad purposes only]” and simply hit them with an enormous fine.

But why are data brokers still allowed to exist?

https://en.wikipedia.org/wiki/Information_broker

Many European supervisory authorities are investigating these right now.

I'd expect the first enforcement action to come either this year or early next year.

The popovers are the result of government innovation. I'm skeptical whether it's actually possible to get people to read the privacy policy before using a website.

It would help if privacy policies were brief and clear.
Edit: just realized pbhjpbhj has written much of this elsewhere in this thread, upvote that instead, although I'll keep mine since it is slightly different: https://news.ycombinator.com/item?id=20607528

It would help if companies could respect the rules in the EU that say data collection should be voluntary and opt in.

Then the privacy policies could be really short.

That said I agree with others that reasonable standard policies would be great for both consumers and businesses:

Something like the Creative Commons licenses comes to mind:

- 0, green: nothing (no analytics, no state, so no login possible)

- sessions, green: login possible

- telemetry, yellow: anonymized, short lived (< 3 business days) data, not linked to use, not shared outside of development

- 1st party analytics, yellow: like telemetry but longer lifespan and shared outside of development

- 3rd party analytics, red: uses Google Analytics standard edition or any other 3rd party tracker that shares data

The GDPR does actually contain a provision - Article 12(7) - which allows for that sort of indicator:

>The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

Which is why the EU has already mandated that. But privacy is a complicated issue, so there are limits to how brief a complete policy can be; just the suggested template[1] is a four page PDF.

[1] https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Priva...

One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.

Such info could be tagged in the page head and then you could do things like search for a forum that doesn't (according to policy) use your data for revenue (or share it outside the named business -- perhaps that's "PP0", in analogy to CC0), etc.

Just thinking on my feet, E&OE.

P3P header? What’s old is new again?

https://en.wikipedia.org/wiki/P3P

Wow, I didn't know this existed! And very interesting to read why it failed.

That is something I'd like to see standardized and mandated - complete with mandatory audits so it doesn't fizzle out like it did last time.

Does anyone know if a single thing takes a look at it nowadays?

Also, maybe it would work if it was legally enforced now? I suspect this was a case of Too Soon™.

> One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.

Or at least have those as standardised starting points that cover the routine points that will be the same for 90% of data processing operations, so you only have to specify additional detail for things that might be unusual or surprising.

If you look at the template privacy policy that SpicyLemonZest linked to, a large proportion of it is boilerplate that covers either reasonable and normally expected data processing or standard notifications required under the GDPR etc. Repeating that more-or-less verbatim on every website someone visits today doesn't help either that person or those websites.

It would simplify things greatly if instead of all that boilerplate, a short list of one-liners is all you need to state if you're only performing normal data processing for common purposes, as defined by official privacy standards along the lines pbhjpbhj suggests but perhaps specific to each common purpose. Then you only need to elaborate on anything unusual or particularly sensitive, and anyone interested in how you're processing data about them can quickly identify such cases (or verify that there aren't any and they don't have anything to worry about).

> It would help if privacy policies were brief and clear.

And the way to do that is standardisation.

In many situations, at least here in Europe, you can go about your normal life without worrying too much about tricky contracts catching you out. There are consumer protection rules that restrict what can be done, prohibiting it entirely in some of the most serious cases, but also setting out reasonable expectations in some sense so that any business wanting to violate those expectations has to be clear about their alternative or might find it doesn't stand up if challenged.

One difficulty with the online world at the moment is that because it's very international in nature, even rules that apply across say the whole EU or at federal level in the US don't necessarily provide any guarantees to visitors of websites or recipients of emails because the business or other organisation they're dealing with might not be in the same jurisdiction as them.

On top of that, these big data-hoarding organisations pose an unprecedented threat to our privacy and ultimately to our freedom and way of life because there is an unprecedented amount of data collection and processing going on. Some things didn't really matter much at a small local scale, like the person passing you in the street seeing your face and knowing you were there at that moment in time, yet forgetting you a moment later. The exact same data points can matter a great deal more when we're talking about huge numbers of them being collected and collated by a single entity that can then process a more informative data set in ways that would never have been possible in the simpler case. Now the marketer or the government or the criminal who hacks the marketer or bribes the government official has a detailed record of your normal daily movements and any anomalies, or your spending patterns across everywhere you shop and everything that says about you, and so on.

We need a clear basic framework for what we as a society are and are not willing to permit in these areas, for how we trade off the potential advantages of organisations that might genuinely be trying to help us having access to more data against the potential risks of organisations that are not necessarily acting in our best interests having access to more data, even if in some cases they might be the same organisation using the same data in different contexts.

I personally regard the GDPR as a swing and a miss in this context. The intent might have been good, but it's so complicated and ambiguous that in many ways it creates problems rather than solving them. Crucially, that is particularly true for organisations that were trying to be responsible about how they work with personal data and privacy issues, which might have been looking to the GDPR and the national regulators for clarity about the ethics and legality of different practices with pros and cons.

So there have been some moves in positive directions recently, but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records. Does it really help anyone to declare obvious and indeed legally required behaviour like that, or is it just noise?

To pick a less obvious example, maybe we should have clear defaults about analytics. For example, perhaps a business is allowed to monitor how its customers are using its own hosted systems by default, but activities like accessing users' personal data uploaded to those systems for other purposes, exporting users' personal data from their local devices, or sharing any of this data with third parties requires explicit disclosure and maybe some level of consent.

Privacy policies could indeed be much clearer if only the exceptions to common sense had to be declared in some standardised way, and if an acceptable definition of "common sense" were itself provided somewhere through legislative or regulatory means.

The GDPR isn't a bunch of rules, it's a process. It's no different to your health and safety process. You define your process, what data you have and where it is and any risks.

Personally, with massive PII dumps getting leaked every week I'm not surprised governments are starting to act.

> but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records.

No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.

Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or giving them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.

Yes you do [have to state that in your privacy policy].

Compliance with a legal obligation is valid grounds to store and process data, but the information requirement still applies - you need to inform the customer what you're collecting and why, you just don't need their consent in this case.

E.g. the GDPR article 13.1.d / 14.2.b - you need to inform the data subject about what exactly is your legitimate need that justifies the processing of data; and customers then can judge whether that need (and the collected data for it) seems reasonable or warrants a complaint to the regulator.

> The GDPR isn't a bunch of rules, it's a process.

The GDPR is an EU regulation. An EU regulation is a bunch of rules that have direct legal effect across the Union.

> No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

That's a legal basis for processing, which you also have to disclose. It doesn't exempt you from disclosing other required information such as the types of personal data you're collecting or your policy on retention.

That innovation could be simply disallowing most of the data gathering/sharing outright.

The EU's GDPR already requires opt-in for all auxiliary tracking etc. even for those huge policies. So you can try to hide all the nasty stuff in a long policy, but you are not allowed to default to them. A single "I agree" button is explicitly disallowed to enable anything other than the barest minimum required to provide the service (now I'm sure that could pose a loophole for some tracking, but the most egregious cases would be liable for enormous fines if they don't adhere to this).

> These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.

If the sites are relying on consent as their legal basis for processing personal data then hiding it in those policies is 100% a violation of the GDPR.

Enforcement action is unlikely to make headlines, though as it'd be such an open-and-shut case it won't even make a courtroom. The supervisory authorities will just impose administrative fines.

Until Facebook starts regulating Washington. They've been pretty uninvolved in lobbying so far.