by lmkg 1718 days ago
I know y'all are taking the piss. But real talk though: The consent-management space could do with some disruption. Like, for example, just a thought here, I know this sounds crazy, but hear me out: actually complying with GDPR. You'd think a tool whose entire job is to ensure compliance when gathering consent would actually gather consent in a compliant manner, but that's not the default behavior.

I’ve been working on compliance software for 2 years now, and this problem is hard. A large part of it is in “ensuring compliance”. You have to sort of straddle the line; otherwise you end up a data controller instead of a data processor. You also can’t really give legal advice. You can build as many tools as you want, but it’s really hard to give a good toolset and also not become liable.
This is a hard problem still. AFAIK, it's still not really well understood what constitutes lack of compliance. I've worked at a few companies where we just work with a legal team to get an okay.
There's the risk of getting small details incorrect while making a good faith effort of complying.

And then there's what those platforms do: use every dark pattern possible to get the user to perform an action that they can interpret as consent.

I think the whole "legitimate interest" checkboxes that you can object to are the best example.

Like, if you have a legitimate interest (you need my address to do deliveries to me), then you don't need consent.

But clearly there's no legitimate interest in this case, it's just a dark pattern to get more data.

Can you elaborate on the GDPR tool?
I take it to mean that this person is complaining (a point I often agree with) that these consent management platforms often resort to dark patterns to drive users' consent rather than attempting to truly inform a user before they consent.
To elaborate: While most of these tools can be configured to comply with GDPR, it is not their default configuration. The tools and products predate GDPR, and being enterprise software they value backwards-compatibility over other aspects of functionality. So out of the box, they engage in practices which are non-compliant.

But of course, most companies assume that the default configuration is compliant, since that's the entire point of the product, right? Companies think the product is a compliance solution itself and therefore compliance is purely an IT problem of deploying the software and legal doesn't need to be involved. But in fact the software is actually a platform for scaling and automating enforcement, and legal actually needs to be involved to figure out what compliance looks like.

There are several studies showing that a huge fraction of GDPR/ePD violations are actually a result of using consent-management software but leaving it in the default configuration.