by worldsayshi 1837 days ago
Unless regulators force companies to respect automated protocols.
4 comments

This. You can see the impact of this on the new iOS tracking permissions. Most people want to opt out, but can't. Regulators stepping in would spell the end of large sections of the online advertising industry, so I doubt it'll happen.
Regulators in the US do not seem to be completely in the pockets of the online advertisers quite yet, given recent legislation proposals. Regulators in the EU, even less so.
> Most people want to opt out, but can't.

Not following this too closely, I thought that's possible now, or at least as soon as the last few holdout apps get updated?

That's the point, by Apple taking control of the interface and preventing dark pattern bullshit, opt in rates are way lower on iOS than on websites.
I thought this exactly. Kind of like US requiring pension plan options to be provided in a certain consistent layout etc., were this spec to be demanded by e.g. the EU, then it could see a really positive shift
The GDPR already explicitly forbids 95% of the cookie banners out there, but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive. The rest of the industry followed.

Until the law that defined informed consent actually gets enforced, a new law cannot really fix it unless the regulators start to add the threat of jail time for repeat offenders.

> but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive.

This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

Moreover, some of the worst offending cookie banners are slowly being replaced by better ones as more and more organizations (such as noyb) file official complaints and companies get fined.

> This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

You are wrong. The initial fine is much, much lower and companies have so long to dabble in wilful ignorance that it is at the moment not something that has teeth. Companies are like bullies, they don't respect threats - only harm.

> initial fine is much, much lower and companies have so long to dabble in wilful ignorance

Another diluent: the maximum fine is practically the lesser of 2% and the NPV of business in that European country, or, expansively, in Europe. If you have little business in Europe, it’s cheaper in some cases to simply close shop.

I'm pretty certain an actual fine (not ceasing operations) has a limit of max(10M€, 2% worldwide revenue of previous year) and double if you're antithetical to GDPR. Also, it's per infringement and isn't a yearly free pass to continue once you're fined.

Companies are not doing much because enforcement is lacking, and in case you get caught, most fines are in the neighborhood of reasonable rather than instant liquidation.

[0] https://noyb.eu/en/irish-dpc-handles-9993-gdpr-complaints-wi...

GDPR says:

> Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (emphasis mine).

As for the absolute sum, there is no limit.

It obviously doesn't scare them enough, even if it should in theory.
A standardised protocol approach might make enforcement easier. It would make it a lot more clear-cut whether someone was infringing or not.
Automated enforcement is already easy if there were willingness to do it. The majority of non-compliant cookie banners use a handful of libraries and/or third-party services such as TrustArc, so detecting these with a web scraper is trivial.
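The comment above asserts that a scraper can fingerprint the consent-management vendor and flag a non-compliant banner. The following is an added example (not code from the thread or from noyb) of what such a check looks like on a single page's HTML. It is built on two facts about GDPR consent that are not in dispute: a pre-ticked box is not a valid affirmative act, and refusing must be offered as plainly as accepting (approximated here by requiring a reject-style button). The vendor fingerprint table, the host names in it, and the sample pages are assumptions and constructed input, not captured from any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed vendor fingerprints: host suffixes of the consent-manager script.
# Only TrustArc is named in the thread; extend this table for other vendors.
CMP_HOST_PATTERNS = {
    "TrustArc": ("trustarc.com", "truste.com"),
}

# Words that mark a control for refusing non-essential cookies.
REJECT_WORDS = ("reject", "decline", "refuse", "deny")


class _BannerParser(HTMLParser):
    """Collect external script hosts, pre-ticked checkboxes, and button text."""

    def __init__(self):
        super().__init__()
        self.script_hosts = []
        self.prechecked = []
        self.button_texts = []
        self._button_buf = None  # list while inside <button>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_hosts.append(urlparse(a["src"]).netloc.lower())
        elif tag == "input":
            itype = (a.get("type") or "").lower()
            # A disabled, ticked box is the "strictly necessary" category and
            # needs no consent, so only enabled pre-ticked boxes are recorded.
            if itype == "checkbox" and "checked" in a and "disabled" not in a:
                self.prechecked.append(a.get("name") or a.get("id") or "<unnamed>")
            elif itype in ("submit", "button") and a.get("value"):
                self.button_texts.append(a["value"])
        elif tag == "button":
            self._button_buf = []

    def handle_data(self, data):
        if self._button_buf is not None:
            self._button_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "button" and self._button_buf is not None:
            self.button_texts.append("".join(self._button_buf).strip())
            self._button_buf = None


def identify_cmp(script_hosts):
    """Return the vendor whose fingerprint matches a loaded script host, or None."""
    for vendor, suffixes in CMP_HOST_PATTERNS.items():
        for host in script_hosts:
            if any(host == s or host.endswith("." + s) for s in suffixes):
                return vendor
    return None


def audit_banner(html):
    """Run the two consent checks over one page's HTML and return a report dict."""
    p = _BannerParser()
    p.feed(html)
    has_reject = any(
        any(w in text.lower() for w in REJECT_WORDS) for text in p.button_texts
    )
    findings = []
    if p.prechecked:
        findings.append("pre-ticked consent checkboxes: " + ", ".join(p.prechecked))
    if p.button_texts and not has_reject:
        findings.append("no reject control among buttons: " + ", ".join(p.button_texts))
    return {
        "vendor": identify_cmp(p.script_hosts),
        "prechecked": p.prechecked,
        "has_reject": has_reject,
        "findings": findings,
    }


# Constructed sample pages (assumed script URL; not captured from a real site).
NONCOMPLIANT_PAGE = """
<html><head>
<script src="https://consent.trustarc.com/notice?domain=example.invalid"></script>
</head><body><div id="consent-banner">
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="analytics" checked> Analytics</label>
  <label><input type="checkbox" name="marketing" checked> Marketing</label>
  <button id="accept">Accept all</button>
  <button id="settings">Cookie settings</button>
</div></body></html>
"""

COMPLIANT_PAGE = """
<html><body><div id="consent-banner">
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <button id="accept">Accept all</button>
  <button id="reject">Reject all</button>
</div></body></html>
"""

if __name__ == "__main__":
    for name, page in (("noncompliant", NONCOMPLIANT_PAGE), ("compliant", COMPLIANT_PAGE)):
        print(name, audit_banner(page))
```

Run against a crawl, the `vendor` field is what lets a complaint group the hits by library, and `findings` is the evidence per site; both heuristics are deliberately conservative, since a banner can be non-compliant in ways (buried reject links, consent walls) that static HTML alone does not show.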
Noyb - one of the organisations behind this proposal - have started contacting the operators of non-compliant websites,[0] as the first step in forcing them towards compliance.

If they change their ways then good, if not Noyb has a much more solid case when making a complaint to the SAs and/or the courts.

[0] https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

I mean, a good first step would be to start fining companies 2% of the revenue. Especially Google. And then maybe automate the GDPR fines, because it's definitely possible to identify that a site puts up a non-compliant banner.

No need to add the threat of jail time, _especially_ if it isn't enforced.

2% of revenue while stalling the GDPR process and taking it to court for 10 years makes it only 0.2% ;)
Even so, it would be 0.2% per EU country, right? Because the legislation is transposed into member states legislation. I doubt that anybody would really want to fight (& risk losing) in even 5 member states per year...
That would be 2% each year for ten years of infringement though, and very expensive lawyers to pay for at least that duration.
It is time for the governments to take control back and start regulating BigTech: you cannot easily opt out from any data gathering from Google, Microsoft, Apple, Facebook, ... If you try it and turn it off on mobile phone and desktop you will constantly have issues and be flooded with messages like "turn on location services", etc. Yesterday I learned that my private calendar on my phone was replicated to Google Calendar >>for many years<< without my knowledge, because the default setting was to save new events into Google Calendar and not a local phone calendar... and I was not asked during setup if I would like that (I have turned off all replication / data sharing / etc.)... this is just crazy... they are basically STEALING MY DATA and sending it to the cloud where it is processed without my knowledge... I hope they pay BIG MONEY for these GDPR breaches...
I doubt there is an easy fix in cases like Google Calendar due to consumer expectations. Simply put, there are certain types of data that many consumers expect to be synchronised, and those of us who have the opposite expectation (or only want certain data to be synchronised) are likely in the minority.

This is somewhat different from most tracking done on the web, which is done for the exclusive benefit of those doing the tracking.

How is this possible? Probably forgot you gave consent to Google calendar?
Recent Android phones sync a ton of stuff automatically - which I suppose you agree to by signing in with a Google account, but that's also typically required. I know this because on the last two Android phones I purchased, a set of old outdated contacts from my Google account were automatically synced to the phone as soon as I logged in, which I was required to do to begin using the device.

Believe me, I would have opted out of this had I been prompted to do so during setup.

Time to go away from GMail account...
I checked again exactly why this happened: Samsung Calendars app (which is a default calendar app on Samsung phones) has set a default calendar for my new events to my Google Calendar account. And if you just enter the event title and set the time (what one would usually do) - and leave all other settings untouched - then by default it will be added to your Google account which will then be synced to the cloud... You can change these settings (see [1]), but the default is wrong!

[1] https://eu.community.samsung.com/t5/galaxy-s9-series/default...

Be sure that I didn't give any consent...