by ddddfdohvsyknn 1930 days ago
These regulations seem worse than nothing. We already have browsers, we can block and filter cookies based on our individual preference and adjust depending on our tolerance for privacy vs functionality. How has this changed the data collection practices of Facebook or Google in any meaningful way? Not enough people are asking what effect the many new regulatory burdens will have for the internet. It entrenches the existing players (know who has the money to hire 20 compliance officers for every Tuscan villa?) and makes the barrier to entry to compete more difficult. Plenty of proto facebooks have fallen by the wayside. Remember AOL? Remember Myspace? Now the big players have a hand in writing the law that potential competitors will have to comply with.
13 comments

Why is this downvoted? This is exactly what happened. Speaking with non tech savvy users here in Germany, they feel safe and secure on Facebook and fear the „world wide west“ that the open Web has become, where you need to click 20 consent messages on every website without knowing what all that stuff means. This is just like EULAs - one more annoying thing they simply accept with a slightly bad gut feeling.
I for one welcome it. If a website has this popup, and it doesn't default to disabled tracking, and there is "legitimate interest" bullshit that cannot be turned off, I close down the website. I even uninstall apps (chess.com, here's looking at you).

Just because websites purposefully give a terrible UX in an effort to circumvent the law does not mean the law is wrong. It's the implementation.

I have a sneaking suspicion that if you leave the site without doing its maze of opt-outs, then they go "oh great, user didn't opt out!" and you didn't even get to read what you were looking for.
Joke’s on them because all their cookies get deleted when I close the tab. And it’s not like I have a shortage of things to read.
One thing I don’t understand is why in the good Lord’s name do I have to consent to being tracked every day when I have already agreed to the goddamn cookie jar? Often several times per day as well!
On iPhone at least Safari seems to throw away cookies with wild abandon resulting in the stupid popups continually popping up.
> This is just like EULAs - one more annoying thing they simply accept with a slightly bad gut feeling.

The point of GDPR is that they shouldn't have any bad gut feeling about accepting these terms - because anything even slightly shady, in any way beyond the most basic necessities for performing the service, must be opt-in by default, set to "no consent".

Alas, national data protection agencies are way too reluctant to chase the offenders and issue fines, so a big chunk of the sites on the Internet are breaking the law with impunity.

Why is it downvoted? Because it’s implying that selling your information to advertising companies is a good thing, because it increases competition, and regulations making that harder are bad

The problem is that you could frame almost anything like that

Take an extreme example: Let’s imagine gold traders were allowed to go around taking people’s jewellery at gunpoint. Gold would be cheaper to buy. Traders make more profit. More jobs! Surely this is a win all round? Of course not, for obvious reasons.

Competition is not an excuse for damaging your rights

And your example of clicking through 20 scary messages is because the websites, as is pointed out in the article, are not complying with GDPR

It's a non-sequitur.

GDPR is about data collection, not about cookies.

Using cookies for core functionality instead of tracking does not require consent. Tracking without cookies does require consent.

I think the GDPR and other sites would have better results if they approached these in a similar manner as how the "nutrition warning labels" are done in Mexico ( https://mexiconewsdaily.com/news/new-warning-labels-now-requ... ):

Make it so every page that contains a tracking element MUST permanently display a large-ish (say, 1% of the screen for each) seal/label indicating that it is tracking you (like ESRB labels). That way, websites will be pushed to remove the tracking elements so that they can remove the offending banners.

This is an interesting idea.

In the end this option still hampers genuine users of those websites. That is the point and instead of people taking issue with the website tracking them, they'll complain about the banners instead.

Just look at this entire comment section... No guys, the problem is not that the law is bad, it's that the state of the internet is absolutely fucking terrible. "Why do I have to click so many consent things?" - because everyone is tracking everything about you, this is the point!

The law was aimed at the big guys and they are in my opinion still not compliant, but have not heard of them being fined, some small guys on the other hand... This law feels more like it was a bribe fishing and checkbox exercise rather than a genuine attempt at solving the issue.
Google was fined 50 million euros in 2019 because Android didn't provide enough transparency or informed consent for advertising-related tracking[1].

For a company the size of Google, it's a slap on the wrist (especially when compared to the 5 billion euro fine from 2018 over antitrust violations) but they have been going after the big players. In fact most stories I've heard related to GDPR actions have exclusively been about big players getting fined.

[1]: https://www.bbc.com/news/technology-46944696

> That way, websites will be pushed to remove the tracking elements so that they can remove the offending banners.

Don't they currently have the same incentive? (And mostly don't act on it.)

I feel like this is a point the HN crowd likes to ignore when it calls for governments to regulate certain aspects of tech. Do regulations like this really protect consumers, or just make their experience worse?
That point has been beaten to death here in case of GDPR, though. The problem isn't with regulation, but enforcement. The fines aren't applied anywhere near enough, so almost no site cares.

The consumer experience being worse is, in a large way, purposeful UX degradation done by the sites themselves. The typical consent popup tries to simultaneously walk the line between "illegal under GDPR" and "just scummy" (often crossing to the illegal side; see the problem of low enforcement), and shift the blame for bad UX on those pesky, no good regulators.

Fully legal and compliant GDPR cookie warnings are also awful UX and a pain in the ass. This should have been done at the browser level.
Not necessarily.

If you're using cookies for things like shopping carts, you don't need a cookie popup at all.

If you're using cookies to track visitors across sites for advertising purposes, you're the problem, and the cookie popup only documents that.

No. If you act in the spirit of the GDPR you never need to prompt people at all.
Did I have to deal with these popups before GDPR? No. Was I blocked from accessing many US sites before GDPR? No.

If EU cancels GDPR would everything go back to normal? Probably.

As an unhappy consumer, that's all I need to know. The cause and effect is pretty obvious here.

Sure, some people may be happy (I hope?!) with whatever privacy benefits GDPR is supposed to bring about. But blaming websites for responding to EU regulation one way or another, doesn't make me, who doesn't care about these supposed benefits, feel any better. If GDPR people feel like this is a cost worth paying then so be it. I certainly don't believe more enforcement will somehow make companies come up with fewer legal derisking strategies.

That's a bit like complaining about street lights, because thieves now have to accost you, where previously they'd just punch you in the dark and steal your money without you knowing what happened, or who did it.

GDPR forced bad actors on the Internet to document their bad behavior openly. If this made your overall Internet experience worse, it should reveal to you the magnitude of the problem of surveillance capitalism.

> We already have browsers, we can block and filter cookies based on our individual preference and adjust depending on our tolerance for privacy vs functionality.

Blocking cookies on the browser side is a cat-and-mouse game where the cat is a multi-billion-dollar corporation and the mouse is a handful of volunteers.

You're also vastly oversimplifying the tracking issue to just “cookies”. The big advertising networks will use any method imaginable to track you. In the US (sans e.g. CA) they do not even have to tell you that they're tracking you, let alone tell you what they're doing with the information or let you opt out.

The GDPR gives you rights that work against all kinds of tracking.

> How has this changed the data collection practices of Facebook or Google in any meaningful way?

They have to tell us what they are and obtain our consent before doing them. They also have to tell regulators before doing novel and particularly intrusive things.

> Not enough people are asking what effect the many new regulatory burdens will have […]

The burden of putting the least effort to respect people's privacy is a good one. If you actually aren't trying to spy on people the burden imposed by GDPR is much less, perhaps giving good actors a competitive advantage. You don't even need consent most of the time.

If nothing else, it definitely raised the awareness. The thing with cookies and tracking is that it's invisible. Especially for the average Joe users. But even I was surprised when, thanks partly to these dark patterns and not letting me opt out with a single click, I saw how many trackers some sites actually use.

Now as users got pissed off, solutions started to emerge. Yes, the EU does not seem to enforce it too much, though I'm curious how many reports they get. Anyway, Mozilla just announced that they started compartmentalizing most cookies, so tracking will stop working for a lot of sites/services.

The regulation is not about cookies. It is about tracking.

You do not need a consent popup if you are using cookies for core functionality instead of tracking and you do need a consent popup if you are tracking without using cookies.

I argue the problem is not the regulation itself, but the all but complete lack of enforcement, and red tape around reporting offending companies.
The GDPR covers more than cookies though. The GDPR regulates data collection and processing regardless of which technical means are used to do so. Disabling cookies in-browser doesn't change anything when it comes to tracking IP addresses or browser fingerprinting.
Even if cookies were the only method for tracking, that would not be true. You cannot reliably distinguish tracking cookies from those necessary for functionality – there is no evil bit set.
I can think of two noticeable effects.

1: It makes leaks a liable issue and one that gets additionally costly if the company tries to hide it.

2: All data collection by the big players is sitting behind a single legal argument that informed consent can be gained by a pop-up window or by passively clicking a link, both of which the GDPR writers said was not informed consent. That big players explicitly ignore part of the regulation and get away with it is a problem that not enough people are questioning. The discussion has moved away from the law makers and into the enforcement.

The GDPR added a data export feature to many websites. I have used it so much. I think the pressure is being felt by companies. Otherwise walled off platforms like Apple are starting to open up.
I work in European adtech and the GDPR regulations have meant that a loooot of players had to scramble to remove all the information that was stored in datalakes that could be used to identify you.

So, from a privacy point of view, it's improved the situation. If some DMP has their S3 bucket hacked, then there's less of your personal information being leaked.

These big companies are not compliant. For example, with Instagram, if you make a GDPR complaint they will reply with a couple of canned responses and when you keep pointing out they have not read your complaint they will simply stop responding. What could you do next without having your account deleted in retaliation?
Guy in IT sec recently: some companies reduced their yearly pentesting budget and spend the money on a GDPR paper trail instead. Compliance on paper more important than actual IT security.
This shows that they consider a GDPR fine possible, thus making it a more worthwhile risk. Their risk of penalties from cyber attack unpreparedness is essentially zero.