by Nextgrid 1597 days ago
The problem is that the GDPR is pretty much not enforced. See https://ruben.verborgh.org/facebook/ where the author tries to get all his data from Facebook - the case hasn't moved in 3 years now.

The regulators are useless (especially the Irish one which seems happy to shield big tech scum from having to comply with the law) which confirms my own experience raising complaints with the ICO (the UK privacy regulator).


Same goes for the 'cookie law'. A significant fraction of the web is in violation. The lack of enforcement sends the message that non-compliance is acceptable, so it's become the norm.

What cookie law? The one that states I have to make my website worse for everybody to use?

Yeah, I definitely ignore that law, and I wish 100% of website owners did. It feels to me like 99% of them follow it.

There is no law stating you have to make your website worse.

Making your website worse is just what certain analytics providers want you to do so you keep paying for their services.

https://github.blog/2020-12-17-no-cookie-for-you/

I, personally, like it more when I can say "no, don't track me".

It's only worse for the user when the cookie notification is blocking the content, there is no "no, I don't agree" button, or clicking it means clicking through 100 extra toggles.

Set the do not track flag if you trust website owners to actually listen to your request. If you don’t trust them to listen to your request, then being forced to manually tell every website you visit not to track you is obviously pointless and worse.

It’s easier to trust a business to follow a law with teeth than to follow a mere non-binding header that politely requests the same thing.
What an utterly useless law. We have a convenient way for people to request universally that sites not track them. So let’s make a law that makes them have to ask “the right way” every. Single. Stinking. Site. On. The. Internet. Every. Single. Time. They. Visit. Every. Single. Site.

One might be forgiven for assuming that the law was actually intending to accomplish the reverse of the stated goal. It gives site owners tons of explicit opt-ins that nobody can complain about, even though they were coerced.

I believe GPC is considered legally binding under CCPA.

The DSA proposal also has language that appears to be intended to make such headers legally binding: "In order to avoid fatiguing recipients who refuse to consent, terminal equipment settings that signal an objection to processing of personal data should be respected."

> The problem is that the GDPR is pretty much not enforced.

17 companies were fined for GDPR violations just this month. Last year, Amazon was fined €746,000,000, Google €150,000,000, Facebook €60,000,000.

https://www.enforcementtracker.com/

I knew this link was going to come up so I've addressed it here: https://news.ycombinator.com/item?id=30141276

The 60M Facebook fine is a welcome development but my point still stands - how much did Facebook profit from breaching the regulation for the 4 years since it's been in effect? That fine should've had a few extra zeros at the end to actually serve its role, otherwise it's just a very small cost of doing business.

My understanding is that GDPR allows for increasing fines up to 4% of the revenue. But regulators don’t like going for maximum fines because there’s a higher chance the company fights back.

Regulators have brought quite a few successful GDPR fines. The reason that people think the GDPR isn't enforced, in my experience, is usually that they've been misled about what it does and doesn't require.

For example, the author you linked to is demanding a portable copy of all his personal data from all sources, which Facebook has no GDPR obligation to give him. He seems to have been misled by a form letter he found, which incorrectly conflates Article 15 data access (isn't required to be portable) and Article 20 data access (isn't required to include data that he didn't initially provide).

I don't disagree that there have been a few successful fines, but by that logic I should quit my job tomorrow because I happened to get lucky at the casino a couple of times.

GDPR enforcement has been extremely lacking as demonstrated by the web being littered by non-compliant data processing consent forms. A compliant consent form should make the "decline" option as prominent as the "accept" one - the vast majority of services currently don't comply (including big names like Google or Facebook) and entire businesses such as TrustArc have been built on providing non-compliant consent forms as a service.

For GDPR enforcement to be considered serious, the fine amounts should be higher than the profits of companies built on abusing user data. If we look at https://www.enforcementtracker.com/?insights we can see that 1.6 billion euros has been handed out so far over a period of 4 years across the entire EU. How much does Google or Facebook profit in a year?

The entire experience of reporting violations is also a major problem and suggests the regulators (at least the UK one) aren't actually interested in enforcing the regulation. The process with the ICO requires that you first get in touch with the company and try to resolve your concern. This takes time & admin work on your behalf and a malicious actor can drag out the process for months. But let's assume that after you've done that and haven't gotten anywhere, escalating to the ICO merely results in them sending a letter. And when the company ignores that too, guess what happens? Another letter which they will promptly ignore too.

This sets the example that breaching the GDPR does pay, because not only does reporting a violation require so much commitment that the vast majority of people won't bother, but even once the violation is reported, the response from the ICO isn't actually an effective deterrent either.

> A compliant consent form should make the "decline" option as prominent as the "accept" one - the vast majority of services currently don't comply (including big names like Google or Facebook) and entire businesses such as TrustArc have been built on providing non-compliant consent forms as a service.

Nothing in the text of the GDPR, nor of any regulatory guidance that I've seen, suggests that the "decline" option has any particular UI requirements beyond merely being present. Again, while I don't want to claim that this or any other regulatory process is perfect, I think the primary reason people in privacy circles find it so frustrating is that they keep trying to enforce things that aren't actually GDPR requirements.

The following is from the ICO, which I don't think has any reason to interpret the guidelines any more strongly than it has to, since it isn't willing to enforce any of it anyway:

https://ico.org.uk/for-organisations/guide-to-data-protectio... :

> Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.

> Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.

> Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

> Make it easy for people to withdraw consent and tell them how.

https://ico.org.uk/for-organisations/guide-to-data-protectio... :

> What is an unambiguous indication (by statement or clear affirmative action)?

> It must be obvious that the individual has consented, and what they have consented to. This requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, it is not valid consent. [emphasis mine]

At this point you could already argue that unless the decline option is as prominent (if not more) than the accept option then the user didn't actually intend to consent and just couldn't figure out how to decline.

> Consent should be given by a clear affirmative act [...] Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

> The key point is that all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent. [emphasis mine]

Seems like that's cut and clear.

What I would call "cut and clear" would be a specific description of how prominent the decline button must be. "Inertia, inattention, or default bias" is a very nonspecific phrase, and even if it does include UI, it's not obvious why the implied standard would be "as prominent" rather than, say, 50% as prominent.

Don't get me wrong, I'd really like companies to design this way on principles of general user friendliness, but I don't see much evidence that anyone involved in creating the GDPR intended to require it.