Largest GDPR fines surpass $1.3B (transcend.io)
59 points by giacaglia 1546 days ago
3 comments

"According to France's privacy watchdog CNIL, YouTube users only had to click once to accept cookies, whereas refusing cookies took multiple clicks.

CNIL's complaint stated that Google purposefully made the consent mechanisms more complex to push consumers to accept cookies, a clear violation of the GDPR's requirement that companies provide equally simple ways to opt into or out of data collection."

So these dark patterns are officially violating GDPR. However, there are still tons of websites implementing them.

They were from the start and this was abundantly clear, but given the complete lack of enforcement, people just did whatever the big websites were doing. If these don't get caught, why would they go for random cooking blogs?
What if they could go for the companies building these standardized GDPR cookie consent dialogs instead...
Which, sometimes, are also illegal. TrustArc, for example.
The section on "How to avoid GDPR fines in 2022" is naïve to a fault.

My personal opinion is that after recent rulings startups need to be very careful. GDPR compliance is practically a nightmare for any entity that so much as implements a visitor counter with default HTTP logging turned on.

It will be interesting to see how solutions and the landscape evolve once GDPR fines come to smaller companies and startups.

Maybe defaults should not be designed to capture personal information.

This indicates a massive need for GDPR or something like it, as opposed to the opposite.

The lack of disincentives to collect personal information is why so much software defaults to collecting it. GDPR flips the equation completely, where GDPR-aware software (and lots of software now markets its GDPR compatibility) will default to not collecting personal information.

GDPR compliance is totally doable; in fact, if you take 'don't screw your users and be careful with their data' as your guideline you will make almost all of the decisions the right way. Note that fines are almost exclusively for repeat offenders, and that where they were not, there was clear evidence of malice rather than accident.
Just embedding a tweet from Twitter's official embed code makes you violate GDPR (e.g. if you have a blog and want to reference a tweet).

Twitter injects a ton of cookies and there's not much you can do about it

You should not do any tracking (in which case you do not need any pop-up and approval dialog) and if you put things like twitter feeds, Google analytics and Adsense, you need to have a choice for the user which, if they do not want this, will not put them on your site.

The thing is, most sites do not honour your choices or make them as hard as possible, as analytics and AdSense are required for monetising. Analytics can be replaced by friendly versions that are GDPR compliant without personal info storage or cookie tracking, but then your monetising (AdSense) or internet marketing (AdWords and landing pages) are not integrated into funnels and a lot harder.

I have tested it with some of our assets (most of which do no tracking at all and only have one necessary cookie for login, without which the SaaS cannot work), but a few have AdSense and analytics; we have a small and simple bar: accept or not accept; both are one click. ~90% (not exact, as we compare the Google Analytics numbers, which means they did say Accept, against the cookie-less analytics, which count both accept and not accept) click Accept, which is enough. We use [0] by the way.

[0] https://plausible.io

Maybe the trickle down economy will work. First some web site operators get fined for not realizing that their subcontractor (twitter) captures personal data. They stop using said subcontractor, and at some point this trickles down to twitter, who will provide a compliant solution.
Good. If you want to quote text, copy it. It has the advantage that it will still be around once the tweet is gone or Twitter is offline.

With a little css it will look the same as the original tweet to which a simple link could lead you.

This is what you do if you value your users' privacy. If not, then you have to (under GDPR) at least give them the choice not to get these cookies. Which destroys the usability of your site for your privacy-conscious users.

Good.

Don't foist untrusted code onto your visitors' devices.

Using Google fonts is a violation now. It's a nightmare for web developers.
How could that possibly be a nightmare? Download the fonts and host them yourself.
Maybe web devs should more carefully consider how much crap third party scripts and resources inject into their sites, rather than caring about a tiny bit of convenience.
Maybe users should be responsible for what they intentionally run on their machines.
That’s absurd. That’s like saying car owners should be held responsible for how safe their car is to drive. It makes unrealistic assumptions about the competency of the end user to judge such things.
Nobody in their right mind is going to carefully peruse the cookies and injected JS scripts of every page they visit.

No, the onus is clearly on the developers, who are the ones with the professional responsibility to make software that abides by the laws.

You're right. The best way is to filter at the firewall level everything Google, Microsoft, Cloudflare, Facebook, Twitter etc. The world would be a better place. Now try to do this on Windows 10 :)
Note that fonts from Google Fonts can be self-hosted which resolves that problem. It's a little bit more work to set up, but it does resolve this issue well, while also being slightly more efficient for the end-user (assuming that you've got a decent CDN setup).
No less efficient hosting it yourself.

Cross-site resource caching has been unavailable in major browsers for a while: Safari since 2013, Chrome since 2020, Firefox since 2021.

That's what I was trying to say, I think I got excited and used too many double negatives...

Theoretically, it should be more efficient hosting these things yourself - there are fewer origins to request, which means fewer lookups, fewer connections, etc.

You can put this in your build steps so that it downloads everything; I have that and prefer it anyway; companies 'tend' to suddenly remove, change or switch things off, or get hacked.
Can someone explain to me how GDPR makes you responsible for Twitter collecting data? It's not your fault if Twitter has their own cookies... What matters is who stores the data, who in this case is not the person embedding Twitter.
Quite simple. You just facilitated Twitter's data collection. Without you it would not have happened.

Even worse, the user loading your page could probably not have known you embedded a Tweet (and sent their data to Twitter) before actually loading the page (if you didn't implement a consent dialog with a reject option).

The user only has a business relationship with the website they visit. The website is responsible for the services it employs, just like any other general contractor is responsible for their subcontractors.
I wish Europe would undo these privacy laws so that the web can go back to normal before they ruined it for the entire world.
No, they should strengthen them instead and put a couple of offenders out of business; that would definitely get a lot more companies to fall in line and stop abusing their users. Effectively you are arguing that the self-regulation worked, but it really didn't. Hence the need for legislation and hence these (still pretty mild) fines.

For starters: don't include third party resources in your offering. That already cuts down tremendously on your exposure under the GDPR.

Me collecting data is not me abusing my users. I am simply recording facts about the world. Being forced to censor facts because the people the fact is about don't like it is plain censorship. Information should be free.
What if the recording is your conversations? What if it's the location of places you visited? What if it's people you're in pictures with? It's still just recording facts about the world? Are you comfortable with apps doing this without any oversight?
That's fine. Discord already has thousands of conversations that I've had with people. Google has a history of places I've visited and I've had an improved Google Maps experience from that data. I don't really take many pictures with people. I would say I am mostly fine with it. It would be nice if they could disclose what they collect though. I think informing consumers is a good thing.
Informing consumers is largely what the GDPR regulations are about - ensuring that data can't be collected without the informed consent of users, and that when it is collected, the users can then see what data is available and how it's being used, along with being able to delete it if they wish.
Compliance with the law is not optional, as you will probably find out at some point. All this naive 'information should be free' stuff went out of fashion in the 00's when it was all the rage on /.
Me standing outside your bathroom window with a camera is simply recording facts about the world but is still unequivocally abusive toward you.
I don't see it as abusive. You would be weird to do so though.
If you're not collecting personally identifiable information, you are not affected by GDPR and can proceed as normal. Not exactly sure what "recording facts about the world" means, but if it doesn't involve individuals and their data, you don't have to change anything.

I agree that general information should be free, but there is a difference between general information and personal information. Personal information (like the photos I take in my bedroom) should not be free unless I agree to that.

Once you have shared a picture of your bedroom to the world I believe it should be free to exist. If someone noted that you had a bookshelf in your room I don't believe you should be able to have that information taken down just because it is information related to you.

Edit: If knowledge of the bookshelf does not count as personal information, then someone could post your address by cross-referencing the photos with houses that have been sold in that area in the past.

The only thing needed for it to go 'back to normal' is to treat the do not track flag as if you had automatically fucked around with their anti-cookie game for 10 minutes, and then also not use any server side tracking or half of the 'necessary cookies' and not bother you.
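The consent behaviour argued for in this thread, as an added example that is not part of the original thread and not any commenter's code: the two-button bar where Accept and Reject are each one click (the bar described a few comments up), nothing third-party loaded until there is a recorded Accept (the point about Twitter embeds sending data before the user can object), and, as this comment proposes, a browser-level opt-out signal (`navigator.doNotTrack`, or the newer `navigator.globalPrivacyControl`) honoured as a Reject without showing the bar at all. The script URLs use example domains and the storage key is an assumption; the policy functions take plain objects so they can be exercised outside a browser.

```javascript
// Added example, not code from the page: consent gate with one-click accept
// and reject, default deny, and Do Not Track / GPC honoured as a reject.

// Third-party resources that may only load after an explicit Accept.
// Placeholder URLs (assumption); substitute the real analytics/ads loaders.
const GATED_SCRIPTS = [
  "https://analytics.example/tag.js",
  "https://ads.example/loader.js",
];
const STORAGE_KEY = "consent-v1"; // assumption

// Decide what to do on page load. `signals` is a plain object:
//   stored: previously recorded decision ("accept" | "reject" | null)
//   dnt:    navigator.doNotTrack === "1"
//   gpc:    navigator.globalPrivacyControl === true
// Returns { decision, ask } where ask says whether to render the bar.
function resolveConsent({ stored = null, dnt = false, gpc = false } = {}) {
  if (stored === "accept" || stored === "reject") {
    return { decision: stored, ask: false };
  }
  // A machine-readable opt-out is an answer already given, in the browser:
  // treat it as Reject and do not nag.
  if (dnt || gpc) return { decision: "reject", ask: false };
  // No decision yet: deny until the user says otherwise, and ask.
  return { decision: "reject", ask: true };
}

// Which gated scripts a decision permits. "Undecided" and Reject are the
// same: nothing loads until there is a recorded Accept.
function scriptsFor(decision) {
  return decision === "accept" ? [...GATED_SCRIPTS] : [];
}

// Read the browser's signals; returns {} when there is no browser (Node).
function browserSignals() {
  if (typeof navigator === "undefined") return {};
  const stored = typeof localStorage !== "undefined" ? localStorage.getItem(STORAGE_KEY) : null;
  return {
    stored,
    dnt: navigator.doNotTrack === "1",
    gpc: navigator.globalPrivacyControl === true,
  };
}

// Inject the permitted scripts. The document is a parameter so the loader can
// be checked against a fake; returns how many scripts were added.
function loadScripts(urls, doc) {
  for (const src of urls) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return urls.length;
}

// Two buttons, equally prominent, one click each. No "manage preferences"
// detour on the reject path.
function renderBar(doc, onDecision) {
  const bar = doc.createElement("div");
  bar.setAttribute("role", "dialog");
  bar.textContent = "This site can load analytics and ads from third parties. ";
  for (const choice of ["accept", "reject"]) {
    const b = doc.createElement("button");
    b.textContent = choice === "accept" ? "Accept" : "Reject";
    b.addEventListener("click", () => { bar.remove(); onDecision(choice); });
    bar.appendChild(b);
  }
  doc.body.appendChild(bar);
}

// Browser wiring; a no-op under Node so the module can be imported for tests.
function init() {
  if (typeof document === "undefined") return;
  const { decision, ask } = resolveConsent(browserSignals());
  loadScripts(scriptsFor(decision), document);
  if (ask) {
    renderBar(document, (choice) => {
      localStorage.setItem(STORAGE_KEY, choice);
      loadScripts(scriptsFor(choice), document);
    });
  }
}
init();
```

Note what this does not do: it never sets a cookie or loads a gated script before the user has acted, so a visitor who leaves without clicking is treated exactly like one who clicked Reject.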
The web was "normal" before corporations started abusing it since it was not regulated. Europe is merely adding those regulations so corporations can stop ruining the web for us.

If you think this is bad, our (Italy) privacy laws in meatspace are orders of magnitude more annoying than GDPR, to the point where we have to write in our resumes that we allow whoever reads it to use it, otherwise they wouldn't be even able to store them in their archives.