by jkaplowitz 520 days ago
> I would say the most I see have accept, reject and manage preferences as buttons, normally with manage preferences being a link rather than a button. The dark pattern you describe isn't on any big business websites for example.

I can accept that our website visiting patterns, and maybe our specific countries of residence within the EU, expose us to different experiences in this regard. I stand by my statement as a description of my own personal experience, but I'm willing to believe your own personal experience too.

It's also possible that I've increasingly realized that "reject" allows the companies to get away with illegally misusing the "legitimate interest" basis for data processing, so I've mentally stopped assuming that it means what it says because it often doesn't. See below for more on that.

> Out of curiosity, you mean against the spirit of the GDPR rather than the letter of it, right?

No, I mean against the letter of it as well. The free, informed consent which the letter of GDPR requires according to public and legally binding official interpretations (such as from the European Court of Justice) is not present when those dark patterns make it harder to refuse consent than to grant it.

Similarly, EU courts have been clear that simply wanting to do a bunch of tracking to facilitate more profitable personalized advertising does not legally justify the legitimate interest GDPR processing ground, but so many sites default to allowing processing based on "legitimate interest", including when you click reject for the consent question, for many of the same advertising/tracking partners where the "consent" basis is off by default. They also don't usually have a way to object en masse to these, and it's often tricky to correctly click off every single "legitimate interest" button which is falsely and illegally claimed to be a valid legitimate interest.

Plus, I've heard reports that many sites set these cookies even before consent is granted, and/or don't properly respect the refusals of consent and objections to legitimate interest processing. However this is from memory and I don't have stats or evidence to back up this statement.

The problem in all of these respects is primarily very weak and reluctant official enforcement of the rules by the relevant Data Protection Authorities and very low fines when they do enforce them. It's more profitable for companies to take the risk on genuine GDPR compliance, beyond some mild public-facing lip service and the lowest-effort bit of engineering they can do to underpin the public-facing lip service.


> I can accept that our website visiting patterns, and maybe our specific countries of residence within the EU, expose us to different experiences in this regard. I stand by my statement as a description of my own personal experience, but I'm willing to believe your own personal experience too.

I appreciate your attempting to reconcile different anecdotal experiences. In the spirit of objectivity however, I would insist that big businesses are not breaking the law.

> The free, informed consent which the letter of GDPR requires according to public and legally binding official interpretations (such as from the European Court of Justice) is not present when those dark patterns make it harder to refuse consent than to grant it.

I think here we've shifted the problem to dark patterns. The problem though is with the popups at all, because even when they are compliant, they are no less annoying, just slightly more clear.

> The problem in all of these respects is primarily very weak and reluctant official enforcement of the rules by the relevant Data Protection Authorities and very low fines when they do enforce them.

They probably shouldn't have claimed global jurisdiction then, since that's a big part of what has resulted in so many poorly done cookie banners.

> I appreciate your attempting to reconcile different anecdotal experiences. In the spirit of objectivity however, I would insist that big businesses are not breaking the law.

Take a look at the many GDPR violation complaints which noyb.eu has filed against big businesses, almost all of which they eventually win in court. Yes, many big businesses are in fact breaking the law in this regard.

> I think here we've shifted the problem to dark patterns. The problem though is with the popups at all, because even when they are compliant, they are no less annoying, just slightly more clear.

The truly compliant ones are far less annoying. They all generally need only a single click to refuse consent, and they are also easy enough to ignore while using the site without ever responding to the banner at all.

> They probably shouldn't have claimed global jurisdiction then, since that's a big part of what has resulted in so many poorly done cookie banners.

It's also essential to actually achieve the goal of protecting the data of people in the EU, much of which is done by companies which are based outside the EU. Do you not see the big truck-sized loopholes which would exist without that? All they would then have to do is change the website's contracting legal entity to a foreign partner or parent company and then they could refuse data subject access requests, track without consent, and so on if the jurisdiction provisions in Article 3 were as narrow as you're advocating.

> Yes, many big businesses are in fact breaking the law in this regard.

Define big business here. Coca Cola? IBM? Amazon?

> The truly compliant ones are far less annoying. They all generally need only a single click to refuse consent

No, they are still annoying. It's still something you are forced to interact with that diverts your attention.

> It's also essential to actually achieve the goal of protecting the data of people in the EU, much of which is done by companies which are based outside the EU.

The problem is it's unenforceable nonsense and has led to this foolish cookie popup situation.

If they had limited it to entities with a presence in the EU, it would have worked better. At the moment it applies to some malicious Chinese teenager who blatantly wants to collect and sell the data of Europeans who visit his self-hosted low-traffic blog.

> All they would then have to do is change the website's contracting legal entity to a foreign partner or parent company and then they could refuse data subject access requests, track without consent, and so on if the jurisdiction provisions in Article 3 were as narrow as you're advocating.

They can already do that because the EU has no jurisdiction outside of the EU no matter what they claim.

Also, we are basically having the same conversation in two places. If you want to consolidate your two replies into just one I would not object.