[pieno]

That’s actually the entire point: this should not be standardised. That would make it useless. The purpose of GDPR is that, in principle, you need consent to process personal data. The consent must be specific both in terms of what data is processed, and in terms of why it is processed. The consent must also be explicit (no opt-out or implicit consent by browsing a site) and voluntary (no coerced consent by refusing service for not giving away personal data that is not specifically required for the service you’re asking for). Standardised widgets are exactly the opposite of all that.

In a way it’s very frustrating to see all these nonsense cookie banners that absolutely do not comply with GDPR at all. Why nag visitors with annoying cookie banners when your website is just as “illegal” as when it wouldn’t have a nag screen at all. This is really the worst of both worlds.

Then again, it’s perfectly understandable for companies to comply just a little, as they can then start long arguments with regulators on whether their implementation is compliant or not and whether they are getting valid, specific, express and voluntary consent (rather than just getting fined right away because there’s clearly no consent being asked at all which would make it too easy for the regulator).

So I’m really glad to see someone picking up this battle to actually enforce GDPR and call out the complete joke/smokescreen that most companies have made of it…

[withinboredom]

I think what they mean is a standardized end-user interface with some drag-drop/easy configuration on the dev side. Every site on earth doesn't need to develop their own modals/UI to gather consent.

[pieno]

But why ask for consent right away when someone just visits your website for the first time? Imagine that you walk into a shop and the owner starts harassing you right away, blocking your path and your view and nagging you whether you consent to them following you around the shop tracking what you’re looking at, what you touch, what you actually purchase, and then give the shop next door a call to tell them all about your visit so that they can all “improve your shopping experience by giving you personalised recommendations”. Pretty sure almost no one would keep shopping there. In fact, this is pretty clear from Apple’s new do not track option where Facebook said in their quarterly report that it’s really hurting then (contrary to their statements that all of their users already happily consented to tracking and that they’re actually doing their users a favour by tracking them).

What should really happen is that sites just stop asking for bullshit consent to being tracked. No one will consent to being tracked if given an actual, clear and explicit opt-in choice, if there’s absolutely no downside in refusing consent and no one is tricked into giving consent by dark patterns.

Websites should just abstain from processing personal data until the visitor does something that actually requires personal data (e.g. sign up, make a purchase, …). In those cases, most obvious processing of personal data can be done based on other grounds (performance of contract, legitimate purposes, …) so really there should not be any consent nag screens needed at all except for some very specific exceptional cases…

[xg15]

I think the elephant in the room is that tracking is the major business model that currently powers the web - and regulators (and citizens) have made clear they do not want this business model to continue.

It's really a power struggle between businesses and regulators in regards to tracking as a business - and overly complex cookie banners are the most visible sign of it.

[withinboredom]

> But why ask for consent right away when someone just visits your website for the first time? Imagine that you walk into a shop and the owner starts harassing you right away

You do implicitly give consent to "be tracked" when you walk into a shop. A savvy shop-keeper will look at the clothes (brand, style, etc.), hair, facial features, etc. and internally compare you to other's who have made purchases and either approach you or not.

The closest thing we have to that is our (pretty terrible, in the privacy kind of way) ad networks to tell us what kind of people visit our online shop. Without that information, it's hard to (nay, impossible) to guess what demographics come to our store and position the store to cater to the demographic that actually makes a purchase vs. those that don't. If I see a whole bunch of boomers coming to the site, but they don't convert, I can figure out why they're not making a purchase and do something about it, just like I could in a brick-and-mortar store.

I really don't like the amount of personal data gathered or the dark patterns surrounding them. But there's got to be a way to surface some kind of aggregate information without sacrificing privacy.

[jlokier]

They can do the tracking you've described. We all have a brain and will process at a personal level.

But they aren't allowed to make it systematic by, for example, writing a file of paper notes describing each person's recognizable characteristics to share among the staff, or doing the same with photos. Those records would be covered by the GDPR, which corrects an omission in previous laws that only covered electronic records.