German court prohibits LinkedIn from ignoring "Do Not Track" signals (stackdiary.com)
1216 points by isodev on Oct 31, 2023 | 575 comments


This is fantastic, and I hope it stands up on the presumably inevitable appeal. It's the most obvious way of eventually getting rid of per-site cookie notices - make DNT legally enforceable and cookie notices become irrelevant for people who have it switched on. I run an agency that builds websites for non-profits and we respect DNT by not tracking and not even displaying the cookie notice. The only thing I've wondered about is whether we show a one-off notice saying "we note your DNT setting and we've disabled tracking" just because I wonder if users become suspicious that we're tracking them by default if they don't see a cookie notice!


> and not even displaying the cookie notice

Better would be to not (try to) do anything that requires cookie notices in the first place. Might not always be your decision but at least try to push back on the notion that this kind of tracking is needed at all.


Never our decision you mean ;) Funnily enough, the nonprofit space can be even trickier to dissuade from tracking. ROI in nonprofits can be really ephemeral if the aim is "raising awareness" whereas if you're selling something, there's a clear bottom line. In those circumstances if you want figures to present to the board in terms of ROI, something that requires tracking like "return visits" is a hard number. Nonprofits also have to make the best use of minimal funding, so efficient use of resources on publicity is absolutely key. The only site we've built that doesn't have opt-in tracking is one for a domestic violence prevention service which didn't want any tracking to reduce the traces in visitors' browsers.


It’s practically impossible to track return visits anymore anyway. No cookie or localdb or browser fingerprinting is going to tell you whether someone looked at a site once on their home computer, again on their phone while commuting, and again on a work computer to show colleagues.


That's when every path (screw it, even /) gets swapped for a UUID so link sharing is always traceable.


For the thousandth time: GDPR prohibits the collection of personal information without informed consent.

It does not matter how you collect that personal information, so whether you use cookies, pen and paper, the digital equivalent of a rube goldberg machine or UUIDs in the URLs — totally meaningless. As soon as you process the IP and use that information for any purpose not considered legitimate interest you are on the hook (and no: if you are in doubt it is not legitimate interest).

Many wrongly believe GDPR is about cookies. It is not. It is about the information and the consent. So whether you change the collection mechanism doesn't make any difference if you still collect the info. It just means you now have to update your consent banner to include that new way of data collection as well ; )


Nobody here is talking about GDPR except you.


An interesting way to show that you've got no clue why people put cookie consent banners on their websites.

Let me give you a hint: Because they are required to do so by law (at least in the biggest free market on the planet). Now maybe you can figure out what that law is called and why it is relevant in a discussion where the topic is DNT and a German court ruling it needs to be honored.

We are not discussing whether tracking is technically possible — that would be a pretty short discussion: Yes it is possible. So we are talking about something else. And if we are not talking about the law, why did you even feel a need to come up with a way of circumventing it?


You clearly haven’t been following along and instead jumped to beating the same dead horse you admit to having beat so many times before.

To summarize: we’re talking about technical solutions to linking sessions across independent devices. What’s your “short discussion” answer to that?


My answer to that is that this is trivial from a technical standpoint. Serving each endpoint with a UUID or URL parameters to figure out who shares what with whom is not a new thing and has been used for ages.

So when the headline says »German court prohibits Linkedin from ignoring DNT signals« the interesting point isn't what is technically ancient history, but what that new legal reality might mean in practice for those of us who build, maintain and run the things that are affected by said legal reality.

Or what more did you have to say than hint at one very obvious and noticeable way to do tracking?


So you just jumped into a thread that had nothing to do with you to complain about how it doesn't solve your particular problems, despite never claiming to?


I don't know you and I am sorry if my multiple initial comments felt too aggressive, they were not about you per se. You believe my comments had nothing to do with your remark, I demonstrated and explained the opposite. I am open to reason, but you did not tell us once why your remarks have nothing to do with the laws mentioned inside this comment section.

So from my perspective: No. I jumped into a particular thread that seemed to imply one could "get around" that particular legal issue with a technical fix, which is just false. You sure can do that but it will not make the legal risk go away, just because you are not using cookies.

Now of course you could again go and attack the messenger instead of telling us why a technological workaround for a legal issue has nothing to do with the legal issue inside the comment section on said legal issue. Now because all of this could just be one great misunderstanding I am going to assume you don't know that much on the legal side of the issue and my comments on "your" thread came across as aggressive which raised the heat unnecessarily and was not my intention.


My remarks were in reply to the comment I replied to, which stated:

"No cookie or localdb or browser fingerprinting is going to tell you whether someone looked at a site once on their home computer, again on their phone while commuting, and again on a work computer to show colleagues."

My intention was to provide a mechanism for solving this problem. GDPR or even Europe in general has nothing to do with it.


This is how marketing emails already work. Although outside of those, usually these are replaced by query parameters that are merely extraneous to the main path. Integrating the tracking parameters into the path in a non-separable way is going to happen eventually, though.


Assuming it remains legal.

Many folks assumed DNT is useless. Yet here we are commenting in a thread about a court that is making it legally enforceable.


> Assuming it remains legal.

How exactly do you legally enforce "each link must not be a unique UUID generated per-user or per-page-view"? Do you mandate how "generic" a link has to be, such that a visit to that link exposes less than a certain amount of information about that visit? What about things like order-specific links on a shopping website, that will naturally identify an account if all orders share the same namespace?


Easy. It is already forbidden by GDPR without consent. Contrary to popular belief the GDPR does not mandate anything about cookies, it talks about personal information, if you collect it through cookies or some intricate system of pulleys and levers doesn't matter at all.

Simplified it says: if you collect personal information, you need to ask for consent. If someone doesn't consent they must not receive degraded service. Now there has been a ruling that the Do Not Track info users send you shall be honored by you (duh).

This is true regardless of how you technically do it. So UUID URLs are okay, storing which IP addresses shared a UUID link with which other IP without consent is not.

I think some in the IT world need to finally stop making excuses and stop coming up with new illegal ways of tracking users on a personal level. Just use the same creative energy for finding ways of pseudonymizing and anonymizing users (where possible — depending on what you are collecting deanonymization might always be possible).


Nobody here is talking about collecting personal information except you either. The goal is simply to track the amount of sharing various pages experience.


And how do you track that amount of data without collecting the datum of which user shared what to whom? Sure you could anonymize it etc., but by that point you already processed data that has been ruled personal data without consent.

The truth is that we had some rulings on what is considered personal data and what isn't and IP addresses, even parts of them can be regarded as such. Now you and I might think this is silly etc., but if we write software for corporations that have to pay fines as a fraction of their total revenue not knowing that can easily ruin our lives.

And I am merely reflecting the way how these laws have been interpreted and ruled on so far in the comment section for an article on, well another ruling by a court. Legal reality, like physical reality doesn't go away if you close your eyes.


For one, it'd be a potential way to maintain a sophisticated full-conversion lifetime A/B testing setup with no PII of any sort ever hashed/retained. No IP addresses required, or anything else.


Just counting the times someone requested that particular UUID could indeed work — provided you don't store which IP requested that UUID-endpoint anywhere on your webserver or elsewhere, because then we could infer that relationship again. So this sounds like a good idea.

Is this what you originally meant?

Nonetheless I hope you can see in which way the whole thing is still deeply connected to the legal question of how one can still learn about their service without tracking single users when they don't give their consent, maybe now even via DNT header.


Yes, you get more persistent attribution data for ad campaigns/whatever without consuming any personal information.


> Nobody here is talking about collecting personal information except you either. The goal is simply to track the amount of sharing various pages experience.

That is personal information.


Elaborate?


> Integrating the tracking parameters into the path in a non-separable way is going to happen eventually, though.

Ugh, please don't give them any ideas


This is going on for a while on facebook afaik. On youtube and twitter they are still a url param that you can strip out.


TikTok has possibly the most nefarious version of this: When someone shares a video, a link is created that’s specific to them. It’s a short link that looks like a regular one, while the tracking params are shown only after someone goes to the link and the shortener resolves it. If it opens in the app through deep linking the tracking has happened transparently.


This (ostensibly) empowers the user-facing "feature" whereby you're presented the "User XXX is on TikTok, you should join them!" modal when you click their link. Which is perhaps better than no end-user impact at all.


This is still illegal. GDPR is NOT about cookies ("the collection mechanism"), but about the data being collected ("personal information").

So as long as you are collecting personal information, there is no legal difference whether you do it via cookies or another different mechanism.


GDPR is not about consent or data being collected. If it were, the EU would not penalize violators based on a (largely irrelevant) PERCENTAGE OF GLOBAL REVENUE for a breach.

I'm an external auditor. The GDPR is a cash grab.

Regulations that actually incentivize organizations toward stronger privacy and protection practices are designed more like HIPAA or PCI where the MAGNITUDE OF THE BREACH is the primary factor determining the monetary fines imposed (e.g., number of records exposed, was it PII, PHI, etc.).

Taking 4% of the company's annual revenue from the previous year, irrespective of the size of the breach, results in a regulation about as effective as clicking those cookie consent boxes. "Oh thank goodness I gave my consent, I think now we can all rest easy that our data is being handled securely and appropriately!" No, the EU included the ticky tacky consent requirement to create major global visibility about itself so that when a company doing business with the EU has a breach, they won't be surprised when they then get an additional bill from the EU for not only having the breach, but now being in violation of the GDPR too.

The GDPR is a despicable joke. And my use of 'the' gives me the right to that opinion. If anyone else out there was involved in GDPR's creation or implementation, I think you would agree:

GDPR owns the Greatest Dung Pile Record, Grandma's Dildo Paste Replenisher, the Gagging Damaged Penis Rectum and one Gigabyte of Dick Punch Radiation in addition to €2.83 billion (as of 12/2022) collected from breached companies in 1,401 cases for "violating the GDPR".


Respectfully, you're talking nonsense.

The GDPR doesn't mandate fines of 4% regardless of the nature of the breach. That's the maximum size of the fine.

You should go ahead and actually read the text of the GDPR. Specifically, Article 83.

Paragraph 1 states that "the imposition of administrative fines [...] in respect of infringements of this Regulation [...] shall in each individual case be effective, proportionate and dissuasive".

Paragraph 2 lists eleven factors that the SAs have to have regard to when setting fines, and top of the list is "the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them".


I know that the fines are a percentage of global revenue. And I am totally on board with this. I wish we had dynamic fines like these in more areas of society.

The other option would be to have fixed fines that Google et al. pay out of their small change, while it absolutely would torch their small competition.

Sure, they could also jail CEOs for this. I would also be for that.

If a fine doesn't grow with the income it is a fee. So if you want a corporation to follow your law, it needs to come with a fine that motivates those in charge enough to follow it. Money is the soft option there.

It is totally possible to run websites in compliance with GDPR. I built multiple that require no consent whatsoever, because guess what: No personal data is collected, where it is not absolutely technically required.

For me as an EU citizen the GDPR turned my data-related communications with companies from essentially begging into the void, to actually getting a response.


Are "return visits" really a big concern? I don't care if a site tracks my return visits, as long as it's local and not via a hidden Facebook pixel, Google Analytics, etc. that will get added to their global profile about me.


Doesn't matter if you care. IPs have been ruled to be personal information and GDPR mandates that the collection of personal information requires informed consent — regardless of whether you use cookies or some other mechanism to do so.

If you don't care, switch on DNT and never see those banners again (assuming this ruling prevails).


"Awareness" nonprofits are scams.


By this logic, anybody who does any coordination with anybody is scamming. Some nonprofits are scams, and some businesses are scams. Most businesses are not scams, and most nonprofits are not scams either.


>anybody who does any coordination with anybody is scamming

Scam: "a dishonest scheme; a fraud; a swindle"

I would argue, outside of our closest relationships, the majority of people are attempting to, or engaging in some kind of scamming behavior in at least half of their interactions.

At this point, 2023 worldwide, fear and distrust are table stakes for social interaction


I refuse to make this assumption. Maybe I'm wrong, but I'm getting a lot of mileage from assuming kindness and honesty at the start of every interaction.

Well, with exception of those which need to be shot with Hanlon's handgun[0]. There's surprisingly many of those, and not where people would suspect (e.g. I see it more often interacting with small businesses than with larger ones) - but in most interactions with others, I find it best to not reach for the handgun until it's clear it's needed.

--

[0] - "Never attribute to stupidity that which can be adequately explained by systemic incentives promoting malice." -- https://news.ycombinator.com/item?id=21691282


> in most interactions with others, I find it best to not reach for the handgun until it's clear it's needed

This is excellent advice for both metaphorical and literal handguns.


Our economic system is based on systemic incentives promoting malice. I'm surprised how people aren't more scammy given how greatly it's incentivized.

Large corporations where all human values are made illegal are quite shining examples how humans should operate in our system. This is sadly quite common in non-profits too.


> I'm getting a lot of mileage from assuming kindness and honesty at the start of every interaction.

I agree with this, but there are situations where because of obvious incentives you cannot make this assumption. Car salesman treating me like his best friend? I wonder why?


I've been around long enough to know that it's the same as it ever was. I don't think it's a majority, or ever has been a majority, that engage in scamming behavior. I could be wrong about that, but I don't think the ground truth has fundamentally shifted.

But that the majority must still behave rightly paranoid that it is the majority in order to protect themselves from a really pretty small minority.


I'd say "cautious" rather than "paranoid".

This relates to a piece of advice I gave my children: most people are fundamentally good and decent. A small percentage are not. The problem is that you can't tell which is which just by looking at them.


I wouldn’t. The internet has been a game changer for scammers. Back in the day, you could still run a boiler room, but it was an actual office in the US that law enforcement could raid.


>I've been around long enough to know that it's the same as it ever was

Yes well the whole point is to make things better - not just keep them the same


What a sad life it must be to be constantly fearful and anxious of every social interaction.


To be clear, I don't personally operate from this assumption nor does my community (generally)

However it is unquestionable that the default mode for humans in America to operate is out of fear - and the opposite is by exception


I'm a human in America and that's certainly not the "unquestionable" default mode that everyone operates on.


Sounds like you're conflating scammy behavior with behavior that furthers one's goals. Just because something someone does furthers their agenda doesn't mean the person they interact with doesn't also get something out of the interaction, and it doesn't mean they were deceived in any way.

Even in human interaction amongst your closest friends and family, they only interact with you for their own benefit - that just happens to be in pursuit of the endorphins/dopamine gained when they spend time with the people they share memories with, and it happens to be reciprocal.


Is it really unquestionable?


Damn, that's a dark worldview. My personal experience in life indicates it's not even close to true, fortunately.


"the majority of people are attempting to, or engaging in some kind of scamming behavior in at least half of their interactions."

I think the numbers are way lower, but it is an old, archaic idea, you do good for your tribe/family - by taking from anywhere outside of the tribe. Stealing from the tribe is very bad and might get you killed. Stealing from another tribe however is not stealing, but reputable work, as long as there are no established friendly relations to that tribe. Many people indeed operate with this mindset (consciously or not).

But all in all I would rather say, that the number of people who consider all of humanity their family, is increasing.


This just isn't true, certainly in the sense that I meant it. What about a breast cancer charity who wants to raise awareness of the early signs of breast cancer? A domestic violence charity who wants to raise awareness of the signs that a friend of yours is the victim of domestic violence? There are countless examples like that that I'm sure you could have come up with rather than a flippant dismissal.


“ In those circumstances if you want figures to present to the board in terms of ROI”

This sentence shouldn’t be associated with anything “non-profit”

Proving yet again that, unless you structure your organization differently than every other capitalist thing (which means you won’t get funding through traditional sources) then you’re just helping capital further entrench their positions of power


But you should want an ROI as a non-profit. If you spend $1000 on advertising to get people to write their Senator to help push for/against a bill, you want to make sure you're spending it on the most effective way. If it gets spent on mail ads and no one calls, then that is largely a waste of money (regardless of funding model and org structure). If you don't have a measure, you can't really know if money is being wasted. You can guess and have a gut feel, but not scientific, actionable data to change how the org is working to best further the non-profit's cause.

Maybe you can call it something else, but for a non-profit ROI is just answering the question "Are we spending our money wisely?"

Or were you referring to the non-profit having a board?


It makes perfect sense regardless of funding source.

You want to have some kind of impact, and you end up having to spend money to do that. You want the most impact and your funding is limited.


"Return on investment" has nothing to do with spending


It absolutely can do. You're trying to force a very narrow view of a simple but broadly applicable concept.


I'm suggesting that in the long run, any organization that is hierarchically "overseen" by humans with outsize power compared to the employees (aka a "Board" of special people that are better and smarter and more politically well placed than disposable employees), will inevitably exploit the structure for selfish gain with a probability of 1.

The STRUCTURE is wrong is the point.

The entire concept is built around would-be-aristocrats (Board) coercing the management and employees into allocating property (Money) based on their whim with no accountability or democratic function. It is built to exploit.

Instead they should organize as a non-stock cooperative so that it is effectively impossible to exploit. That's the actual answer.


"ROI" just means "return on investment". It doesn't automatically mean that return is monetary. A nonprofit getting results in terms of accomplishing their purpose is getting good ROI.


Most definitions of ROI refer to monetary return. That's why it's typically a percentage.

Using concepts like ROI for non-profit operations is one of the signs how everything is made to emulate business.


Yes, you absolutely want a board and accountability on how the money is spent.


I trust a non-profit "board" about as much as a slave court judge

https://www.joangarry.com/dysfunctional-boards/


A board (no need for scare quotes) is a legal requirement for tax exempt (501c3) status. And not sure what point you're making with the linked article which is about (relatively mild) board dysfunction, not scamming or illegal behavior.


Presumably the board could be made of every single employee of the non-profit (perhaps with varying voting power depending on factors such as seniority or experience)?


Need can only be assessed relative to one's goals. Many business models depend on tracking, so if your goal is to run such a business, then it's needed.


I appreciate that this court decision will most likely be appealed and so the current state is not as clear as it could be yet.

But if you assume the court decisions stands then if your business is based on tracking that means your business is based on illegal activities.

The only way out is to either change your business approach to comply with the law or go out of business. That’s no different from many other activities that probably could earn money but are illegal.


> if your business is based on tracking that means your business is based on illegal activities

Why? Tracking is not illegal. It's just tracking without consent that's illegal.


Let's be real. How many websites/apps ask for real, informed consent for tracking? Tracking without consent is the norm.


Let's be real. How many users care?

I don't - and I am fully informed and prepared. A month into the cookie banners avalanche and I just started clicking OK without looking. Now I have the "I don't care about cookies" extension and that's it.


> Let's be real. How many users care?

I think this question is very context sensitive. The way privacy questions are usually presented ("we want to improve/personalize your experience"), I don't think most people care. But when presented with actual outcomes of loss of privacy (e.g. the Cambridge Analytica scandal) people seem to care a lot. For most people I suspect there's a gap in understanding between how people think their data is used and how it's actually used. Whenever this gap is closed by a major scandal where "how the sausage is made" is revealed, there's often a strong reaction.

But perhaps the biggest indication that people do care about privacy is that ad companies are so reluctant to allow them to opt out of tracking. If (almost) nobody cares, what's the harm in having clear consent or an opt out?


Lots. I have yet to come across someone who didn't care, after they understood what was happening. Virtual anonymous people in forums don't count ;)


Not one person I've asked has responded that they would be willing to post their entire browser history on the open internet.


I care a lot, and I like having the option to make the choice on a cookie banner and use it.


Also: who really wants to be tracked. I agree most people don't care if they are, but who actively wants that?


Who wants to pay for anything? All else being equal, people would rather get things for free. But you can't run an economy that way. It turns out that for many people the perception of getting something for nothing is an adequate substitute.


> All else being equal, people would rather get things for free. But you can't run an economy that way.

I have an alternative ideology to sell you...


something something share the wealths and seize the means of production

we produce enough to feed everyone.


And even with that distinction, plenty of business models become (rightly) unviable because of how badly it tanks the conversion rate.


Does it tank the actual conversion rate, or just the ability to see/attribute certain conversions?


I think if interpretation and enforcement works the way we hope it will then that becomes a difficult business model.

That is: where you can’t track people without explicit consent, consent is as easy to not give as to give, and you can’t choose not to deliver the service or deliver a worse service to those who do not consent.


If your business model depends on tracking, you should go out of business.


My parking lot business depends on tracking the license plates of who enters and who exits


Does it then proceed to track each license plate and their movements once outside the parking lot, keeping a note of every single place where the license plate goes and parks in order to build a profile on that license plate so that you can sell that info off and shove ads down their throats?


That’s not how most people use cookies, just google & co. I’m using an in-house analytics app platform that uses cookies to track how often visitors use the app but we do no tracking at all outside of our website, we just want to know how often people use our site


Only for the purpose of tracking how much time each vehicle was parked so you can charge them for that time. Absolutely nothing else. You should also be legally required to delete that information immediately after the transaction is done.


You're more likely going to be required to keep that information for a period of time for audit purposes, or to be able to justify a credit card charge in case there is a claim of fraud, etc.


Cool, as long as you’re not tracking them everywhere else out in the world, shouldn’t be an issue.


I could easily build you a system that has no dependency on license plates.

For most of my life, it's been done with tickets you buy at a booth and put in your dash, then you use the ticket to exit


I think this is an actual example of 'legitimate interest' under GDPR (unlike most of the websites that claim it). There would still be an expectation that you didn't use that data for anything else and got rid of it as soon as it was no longer needed.


Arguing 'legitimate interest' in front of a non-tech judge in one of the many EU countries where a local agency implements GDPR would be... not fun.


I bet that kind of use of license plates is older than any judge still alive. The hard part is convincing the judge that you can't implement it without sharing the data with two dozen web services.


Do you retain the license plate information after they exit the business?


You don’t need consent for that under any data regulation I know of. So long as you don’t keep it any longer than you need to, don’t sell the info or use it to target people with ads etc then you are fine. What you are referring to here isn’t a problem.


That is a position that only the privileged can take. There are a lot of people who are happy to pay for services with personal info rather than cash because they have to save what little of the latter they have to pay for things like food and shelter.


"Happy to" is quite a stretch. Being forced into having your privacy invaded due to economic circumstances does not make such practices acceptable.

If all the privacy-violating companies go out of business, there will be plenty of underserved customers for companies with more legitimate business models.


A lot of people simply don't care about "having your privacy invaded". I've yet to be convinced, and I'm even a technical person.

Even the words "privacy" and "invaded" are such loaded and ambiguous language, I don't see how smart tech people are playing along with it as if it's some sort of innate human right in the electronic sense. You have to convince us, you don't get to just skip a few steps and tell us we're all crazy plebs that don't understand the implications of this thing you decided has to be the case. Hence the comment about this attitude being privileged (elitist).


> "Happy to" is quite a stretch.

No, I don't think so. I think most people would choose to pay with info rather than cash even if they have the cash simply because they don't fully grasp the actual cost to them. People make foolish (from my perspective) economic decisions all the time. I am currently traveling in the American south where I am surrounded by shockingly vast numbers of morbidly obese people who willingly trade their health for a sugar rush. No one is holding a gun to these people's heads and forcing them to drink sugary soda and eat fried food, but they do it anyway. They do it because they like it, and because they don't think about (or don't care about) the long-term consequences. People are (again, from my perspective) stupid. But I don't think it should be the role of government to save people from their own stupidity. That is a very slippery slope.


> They do it because they like it, and because they don't think about (or don't care about) the long-term consequences. People are (again, from my perspective) stupid.

Another reason for this is addiction. Addiction has people doing things that aren’t in their best interest despite them being otherwise intelligent humans.


How much brainwashing does it take before you don't 100% blame the person making the poor decision?


People don't have that choice so it's speculation either way.


Do you seriously doubt that if they had the choice that many people would willingly and knowingly avail themselves of it?


People get the choice all the time with loyalty and reward points cards. It's pretty much a unique identifier that people carry in their pockets and hand over willingly every time they make a purchase. It's more obvious and in-your-face, sure, but the principle is the same and they have the choice.

Personally, I hand over all my fitness information, driving habit information, spending and banking and investing information, my health information, even my location data, my STD statuses, etc. to a company so I can get massive discounts on a bunch of stuff in various ways. It alters my behavior in a good way, it alters other people's behavior too, and I'm all the happier about it. I much prefer this over stupid things like sin taxes, consumption taxes and laws that most people don't stick to or agree with (talk about choice and consent, huh).


Maybe. But as of now: there is no choice.

People also chose to use Netflix or Steam (and other streaming platforms) instead of pirating. The last one would be (and still is) free. So it's not unprecedented.


I assume you are volunteering to pay taxes to compensate them for the extra expense for products and services?


Yes, I would love to see UBI happen, either with a new tax, or better yet the repurposing of existing ones.


Ads do not require pervasive and invasive tracking, or selling user data to the highest bidder


Paying with personal data/advertising is an illusion.

People who buy ads or buy your personal data don't do so out of the goodness of their hearts. They do so in order to make up not only the cost of buying the ad/data in the first place but extract more money out of you, one way or another.

This means it should always be cheaper to just pay for the service yourself than to "pay" via ads or exploitation of your personal data, since the latter involves more middlemen that want their cut.

The fact that poor people can currently "freeload" off the system is an artifact of imperfect targeting rather than intentional generosity on the advertisers' part to subsidize the poor population, and will be quickly closed off the second there will be a way to reliably distinguish the purchasing power of a user as to deny service to those whose ad views aren't profitable enough (as they would never be able to purchase the advertised products).


And this law doesn't disallow that! It's just those people who are happy to do so need to opt-in.


Exactly!

Personally, I would love to see the kind of offers companies would start to make for opt-in tracking. In a much cooler world, people would be able to sell their data, as subscriptions, to companies, with premiums placed on more 'valuable' data at whatever given time, based on advertiser interest.

Of course, no data tracking would be ideal, for me. But if someone wants to sell their personal data, they should at least be able to sell it for a market price.


Being able to see the market price of their data would also help people to realize how valuable it is, which would enhance privacy awareness.


Right? And it's not like the equation changes, for advertisers. The only difference between this scheme and the current one is that it doesn't allow for such severe money-pooling. Still some! Obviously facebook would have a great and well-vetted network of advertisers that they could connect you with, which would surely incur some maintenance cost. But being able to opt-in to someone's ad services would be just another way to prove the cost of a service (in this case, social media) to consumers. It's just wins, all the way around.


GDPR actually disallows refusing service to people who opt out of tracking.


Isn't this German law specifically, not the GDPR?


It does in fact disallow that.


The only reason a company wants to track them is to extract more money from them than they spend on tracking them.


Yes, companies sell products for more money than they cost to produce. It's called "capitalism". And your point would be...?


That being tracked costs you more money than not being tracked

If you can't afford to pay $5 cash, you certainly can't afford to pay the $6 the firm that's tracking you will make from tracking you.


> That is a position that only the privileged can take. There are a lot of people who are happy to pay for services with personal info rather than cash because they have to save what little of the latter they have to pay for things like food and shelter.

What's the value of a person's data if that person cannot afford any of the products which are advertised using that data? On the other hand, persons on a limited budget are sometimes most happy to spend money unwisely.


Your views on the data market seem to be as narrow as your views on poor people.

The collection, buying, and selling of your personal data isn't always about ads. The data people have on you is increasingly used to determine what you can and cannot do, what opportunities you're offered, how much you pay for things, even how long you're left on hold when you call a company.

The data companies collect about you can get you arrested, can be used against you in family court, or prevent you from getting a job.

Even ads themselves aren't always about what you buy. Ads are often used to manipulate you, change the way you see the world, even change the way you vote.


Choosing the less bad of two things is not fair consent.


That's true, but it doesn't apply in this case because there is a third option: don't use the service.


That’s why any reasonable regulation tries to address that by saying the provider basically can’t do that e.g in the example of behavioral advertising. Basically you can show the page with dumb ads to users who don’t consent but you can’t say “you need to let us show the ads which pay more because otherwise we can’t keep the lights on”.


> you can’t say “you need to let us show the ads which pay more because otherwise we can’t keep the lights on”.

Yeah, I get that. What I'm saying is: that's a stupid rule. Why should I not be able to say that, especially if it's the truth?


It happens that schools will provide updates only on Facebook, and ISPs only provide support on Twitter, so there is not always a third option.


That's a problem with the school or the ISP, not Facebook.


That is a position only the privileged can take.


I urge you to step back and look at your comment, which is essentially "tracking as a business model is morally justified because it means that poor people can use Google", and think about other, potentially significantly more efficient, ways that this problem might be solved without needing to preserve the bottom-of-the-barrel status quo.


> tracking as a business model is morally justified because it means that poor people can use Google

No, that's not my position. My position is: tracking as a business model is morally justified if it is done with informed consent. A business arrangement is morally justified even if it has potentially deleterious side-effects to one of the parties so long as it is entered into with informed consent.

People buy and sell tobacco and firearms and motorcycles and junk food despite the fact that these products potentially have negative impacts on people's lives that are at least as serious as tracking. One could argue (and some do) that selling Coca Cola is not morally justified, but that position is hardly the slam-dunk that you imply.


It is only the privileged that are allowed to have any choice in their lives in what they can do and what can be done to them. When the option is to die of starvation or the elements then anything, really anything, is better.

This is why many governments are in general responsible to provide enough social support that turns all citizens into privileged people.


It could be seen that way, although I disagree with that viewpoint. For the same reason I don’t think it’s a privileged perspective to ban organ sales because someone would need to sell a kidney to eat.

I’m going to keep ensuring that this possibly-only-good-for-the-privileged world is realized and I think modern privacy regulation like the GDPR helps, which is why I’m supportive of it.


> I don’t think it’s a privileged perspective to ban organ sales because someone would need to sell a kidney to eat.

We're going to have to agree to disagree about that. Have you ever actually faced that choice? I haven't. Until I have, I don't think I'm in a position to make that decision on someone else's behalf.

Here's another thing to consider: we allow people to put their lives at risk in exchange for money and social prestige by joining the military. The only substantive difference I see between that and selling an organ is that the latter doesn't provide any tangible benefits to the elites who make the rules whereas the former does.


Courts in Europe have lots of precedent on balancing the users' right to privacy with businesses' desire to implement things like tracking. You don't just get to say to the court "I need to do it because otherwise I don't have a business".


I'm okay with these business models failing.


Business models which depend on tracking should be illegal.


This is how the cookie law should have been implemented and it was absolutely one hundred percent the fault of the lawmakers for not implementing it this way. The millions of hours bureaucracy has wasted having people click through banner pop-ups is entirely on the makers of the law, not the offenders.


Are you being sarcastic? Cultural mores are different in the EU, lawmakers there began with a presumption of basic good faith on the part of business which turned out to be lamentably lacking in the international market. This is 50% the fault of the people trying to circumvent/undermine the law rather than cooperate with it.


> lawmakers there began with a presumption of basic good faith on the part of business which turned out to be lamentably lacking in the international market

Did they learn their lesson? Because that was an incredibly foolish assumption out of the starting gate; from old-guard developers and companies' points of view, they were stomping into a sandbox they hadn't built and upsetting the status quo that was working; of course malicious compliance should have been anticipated.


> EU, lawmakers there began with a presumption of basic good faith on the part of business

Are you telling me that EU lawmakers were utterly naive to common left wing critiques of capitalism? That beggars belief.


That is pure naivete and I'm saying this as a person who lives and works in the EU. It's time to get off our ethical high horse and treat corporations exactly as they expect to be treated.


There is no “cookie law” and no mandate that banners are used etc. Regulation should try to avoid technology-specific language as much as possible - and the GDPR does.


There's no mandate banners be used in the same sense that there's no "requirement" bungee jumping companies have you sign a waiver; they could just make the experience inherently safer, right?

The banners were an extremely predictable outcome of a badly-crafted law.


I’m not sure how I’d improve the formulation in a way that would remove explicit questions.


> It's the most obvious way of eventually getting rid of per-site cookie notices - make DNT legally enforceable and cookie notices become irrelevant for people who have it switched on.

I think this is unlikely to happen, because most websites actually want to track you. So they will display the banner anyway, or perhaps a slightly modified version like "we noticed you have your DNT turned on, but are you willing to make an exception just for us?"

That gives them a chance users will consent anyway to get rid of the cookie banner. And they will argue that a specific consent given on their website overrides the generic non-consent represented by DNT.


My mom actually texted me once that she didn't like a site I shared with her, because it did not allow her to disable cookies... After a quick investigation it was because they weren't collecting any.


Technical cookies don't need a cookie banner anyway. Sadly not all website operators know this.


They know this very well, but marketing/legal etc. force them to display it anyway, because they want to annoy you into just clicking "Accept all".


And because the law is written so unaccountable bureaucrats (often in another country) get to decide what is a "technical cookie," so better safe than sorry.


> often in another country

Stop spouting nonsense. Enforcement is done by the DPA of the country where the company is located, hence why everyone is annoyed with how Ireland is handling Facebook but can't do anything about it.


My company is located in the United States; which DPA has authority over the way my site handles Europeans' private data?


> The only thing I've wondered about is whether we show a one-off notice saying "we note your DNT setting and we've disabled tracking"

How would you make it one-off?


Purely functional cookies (e.g. dismissed_banner=true) don't require consent.


Store a cookie that notes it has been displayed, but with no ID which can link between sessions.


Enough ID-less cookies become a de facto ID pretty quickly. ID cookies are just the easiest method of fingerprinting users.


This is one of the most harmless uses of a cookie one could imagine. It can only be used to identify someone in combination with other fingerprinting techniques, but applying those without consent would be illegal. Accordingly, its danger can be entirely dismissed here.


Only if one actively uses them that way, in defiance of the laws in question.


It's important to note that cookie banners and GDPR are separate things and that these pop-ups are covering both purposes in a lot of cases. So even with a DNT flag, many sites will still need explicit, advance permission to process data, and cookies will still be a method for technical enablement.

In an ideal world, respecting DNT would instantly bin 95% of the cookies and data processing requests, but I'm still getting automatic (and permissionless) marketing subscriptions from companies when I make purchases, and the British ICO seems unwilling to intervene, so it seems unlikely that DNT being case law is going to have any quick effect on things.


I wouldn't worry about that last concern. The overwhelming signal from users is that they don't actively think about tracking most of the time. If you show no banner, they'll assume nothing one way or the other.

Just put up a `Privacy` link for those actually conscious of the topic to give them details; you'd be doing both categories of users a solid by tucking that info out of the way.


You are one of the good people. Unfortunately, many will go the easy route: what it will do is that even more websites won't be available over here, and will redirect to a 451 ("Unavailable due to legal restrictions") error. This fragments the net.


The best way to fix that is for other countries to start improving their consumer protection laws so cutting off "problem" countries becomes less and less feasible for unscrupulous businesses. Meanwhile (slightly) more ethical companies can take over the EU market.


EU is a massive market. If some unscrupulous businesses don't provide their services here, I'd say good riddance. If there's enough demand, other businesses will take over.


Who has taken over from Threads?


I find it a bit hypocritical to associate the unauthorised tracking of visitors, usually for advertising purposes, with the themes of the Fahrenheit 451 book, which are censorship, conformity vs individualism, the destructive role of technology, and the loss of critical thinking.


On the contrary, I think it's very true to the spirit of lost critical thinking.

Every single consumer protection has people show up on the side of the giant corporations. Usually a libertarian type with no clue how furious they would be if they got what they were asking for.


Most of us were getting what we asked for before the EU dropped the GDPR on us to claim ownership of the sandbox they didn't build. ;)


Isn't that just what advertising does?


Do you have any examples for that phenomenon?

I use a lot of news aggregators, and never once got a link to a 451.

I think part of that is also that it's not foolproof to identify where a user is connecting from. Because I think legally, you can't use "but that user had a US IP address" as an excuse why you broke EU law against an EU citizen connecting from inside the EU.


Why not?


Because if you're not sure where a user is, you can do the right thing instead of guessing.


I would love that. Makes more money for us since we can now build competitive service more easily.


We shouldn’t do consumer protections because then businesses who ignore consumer protections might not do business

Isn’t quite the argument you think it is.


We should get rid of cookies in general! And the web. Hear me out.

The Web makes it so that there is one server and lots of customers. It has to be hardened against SPAM, DDOS, etc. It pays all the costs. But also recoups them by tracking, it’s called surveillance capitalism.

Every site should have no idea how many people visited, actually. Just a bunch of static front-end content that gets passed around.

If people want to store their data, they can pay dumb pipes to store encrypted data.

Get rid of email too. Anyone who gets ahold of your email address can spam you. Instead people should pay for the dumb pipes to store messages, and you can give out capabilities for your attention. They can be transferable but if they are abused then you cut off the root of that tree. And you should charge for using them, too. Just because someone has your public address doesn’t mean they can reach you.

In short, DNS and the Web and Email promote a certain dynamic where people invest in an upfront service and then take advantage of extreme power disparities forever, to recoup costs. And if they take on equity investors in a ponzi scheme until they IPO then they have more and more costs to recoup. There is no end to it. Wall street earnings depend on surveillance capitalism to continue.


It's a sad state of affairs that if I saw that message I would think positively of the website... Except that if you're only showing it once that means you're tracking me to know I'm a repeat visitor.


> Except that if you're only showing it once that means you're tracking me to know I'm a repeat visitor

It is arguably tracking required for the functioning of the site which is a clear exception to the ban.


It's clearly not required. The site would function without it. Therefore an activist will eventually argue to a court that it's a GDPR violation and win, meaning you have to pay up a fraction of your revenue (possibly sending you under).

GDPR threads on HN are always like this. Tons of people saying "no no it doesn't work that way it wouldn't be reasonable" and then when that thing ends up being ruled illegal, "of course it's illegal everyone knew that it's all very clear".

GDPR is written in such a way that you can't ever know what is or isn't allowed.


That's not really what anyone means when they say tracking...


The recent case against Criteo in the Netherlands has some interesting definitions of cookie types:

This case revolves around (third party) tracking cookies.

The Dutch Data Protection Authority (AP) defines cookies as follows:

“Cookies are small files that a website owner places on a visitor’s device. For example on a computer, laptop, smartphone or tablet. For example, the owner can collect or store information about the website visit or about (the device of) the visitor.

There are 3 types of cookies:

- functional cookies;

- analytical cookies;

- tracking cookies.”

The AP says about tracking cookies:

“If cookies can also be read when you visit another website, we call these tracking cookies. These cookies allow organizations to track people’s internet behavior over time.

Tracking cookies make it possible to draw up profiles of people (profiling) and treat them differently. Tracking cookies usually process personal data.

Personal interests can be derived from the information about visited websites. This allows organizations to, for example, show their website visitors targeted advertisements. (…) Do you process personal data of visitors to your website with tracking cookies? Then you must comply with the rules of the General Data Protection Regulation (GDPR).”

https://uitspraken-rechtspraak-nl.translate.goog/?_x_tr_sl=a...


For anyone wondering what the Dutch DPA (called the Autoriteit Persoonsgegevens, or Authority personal data) itself says about cookies (and user tracking in general really): https://www.autoriteitpersoonsgegevens.nl/themas/internet-sl...

(It's in Dutch, translate at your own liberty, I'll give my own below + the stuff the authority for consumers and the market demands, which is linked from their page.)

Basically of the three cookie types, functional cookies require no consent whatsoever. A cookie to set up a user session (the page uses a shopping cart in a webshop as an example and the details mention things like saved passwords and language choices) is totally fine. The AP still recommends informing the users, but it's not required.

Analytical cookies are permissible insofar that they aren't used to profile the user. You're not required to ask for permission as long as they don't contain any uniquely identifying information. You are required to inform the visitor that you are placing these cookies though.

The final category are tracking cookies. These fall under the full scope of the GDPR; you must ask for consent before placing them, you must tell people how you are collecting their data (cookies, scripts or beacons are listed as examples) and you need to tell people what you do with them.

Pre-checking consent forms in general is expressly forbidden (on the same logic that you can't pre-check people into signing up for physical spam mail or paid subscriptions) and consent must be clearly stated, not hidden in some terms of services page or privacy statement.

Those are all requirements on top of the rights the GDPR (in Dutch called the AVG) grants consumers, although obviously most of this overlaps with the GDPR already.


That’s setting a cookie/local storage that can be used purely client side to determine whether to show the message or not. No tracking required because the server never has to see or store this.


Local storage maybe, but cookies are sent on every request. There are no purely client side cookies.


Tracking cookies identify you across multiple sites. If some front-end JavaScript sets and checks a cookie for "has visited" on a single site, that's not considered tracking. It's non-identifying and harmless.


Storing previous_visitor=1 into local storage is not the type of tracking most people are objecting to, nor is it against the gdpr until you start having user specific indicators or trying to use a collection of values as a fingerprint.


And it is enough to get you in trouble if it’s a website you are not supposed to see.


The data you choose to store with your software on your local machine is your responsibility.

Tracking is server side behavior.

3P cookies aren't a problem, per se. Using 3rd party cookies to join data with other server side data is the problem.


Well you can still reject all cookies then, making all of these cookie popups nonsense.


Is that so? Even if you check that on the client side without sending that data to the server?


A wife can find out a husband is trying to cheat on them for example.


Not GDPR, but probably does require consent under the ePrivacy Directive.


> Storing previous_visitor=1 into local storage is not the type of tracking most people are objecting to

Who are you to speak for "most people"? I do object to that kind of cookie being placed without my explicit consent. It provides at least some identifying information that might allow multiple websites working together to uniquely identify you.


No, a cookie with default settings attached to https://example.com saying "previous_visitor=true" does not provide any information whatsoever to any sites other than https://example.com.

There are various techniques to place "cookies" (sometimes not technically cookies) that can be correlated by multiple websites working together, but the website has to go out of their way to proactively do that, this is not something that gets enabled by simply placing a standard non-personalized cookie.


… and once it’s used by multiple sites to uniquely identify you, it becomes a tracking cookie in (most of) the laws on the books.

The law judges intent as well as technology.


As long as you use the cookie for nothing else, this counts as a technical cookie that's allowed by GDPR.


This is nothing to do with the GDPR. It's the ePrivacy Directive that deals with cookies.


I still don't get why websites are not able to find in-house ad solutions that are not provided by third parties. Major sites look like shit due to ads placed without thought or care. This should be handled like magazine or newspaper ads. People selecting and placing them in the page with care. Would result in a better experience and wouldn't require any tracking.

I think that tracking to get "good ads" is a wish that never came true and it needs people with taste to choose products people would like to buy.


That's because of the silo formation in the advertising market. Agencies want to have an easy time to spend a large budget and they don't want to negotiate individually with thousands of parties. So they do a bulk buy from some large provider which then provides a centralized way to return the statistics. These serve to - somewhat - keep property owners honest because both click fraud and placement fraud would probably be rampant.

Not every kind of advertising is that susceptible to fraud, but for every budget out there there is some way to siphon it off without giving the advertiser what they were looking for. It's been an arms race between fraudsters and marketeers with the end-users caught in the middle, and between the marketeers and the users with respect to privacy issues. This ruling injects some sanity for those that have declared themselves to be non-combatants.


YouTubers get paid way more for custom in-video ads than they do for the automated ads that YouTube runs before and throughout their videos. If what you said was true then content creators wouldn't be going through the work of getting these sponsors and sponsors wouldn't be bothering with the hassle of working with individual content creators.


Some YouTubers. But compared to overall ad spend on the internet that's a rounding error.


I'm genuinely curious how total ad spend on YouTube compares to total spend direct to influencers. I presume the former is substantially larger, but by how much I have no idea.


The ones that are large enough to arrange deals, just like NYT, which is what the parent was talking about


> I still don't get why websites are not able to find in-house ad solutions that are not provided by third parties.

Because interacting with the advertising industry, or advertisers directly, is a lot more complicated than just slapping a banner spot on your page/app¹, and sites want to concentrate on their core business rather than learning another one.

--

[1] finding people to advertise, negotiating rates, arranging reports of ad positioning and response², detecting click-fraud, convincing your ad partners that you have dealt with any click-fraud & other such issues, convincing your ad partners that your agreement with them really did involve them paying you at some point before the heat death of the universe, etc.

[2] so they can marry that up with the logs of incoming attention on their systems


Even if a third-party is involved, they could serve ads based on the content of the page instead of showing me ads for the products I bought yesterday.


This has been done in the industry from very early on and is typically referred to as "Contextual" advertising. I and the company I co-founded are huge proponents of contextual as it generates positive ROAS (return on ad spend). The "problem" is that a contextual impression typically sells for less than an impression that is leveraging audience (user) data, so there is a tremendous incentive from middlemen to collect and peddle data - so much so that the entire industry all but forgot about contextual for almost a decade. I do think however that the promise of accuracy in audience data is very much oversold and not worth the tradeoff in user privacy, particularly in the loosely coupled world of programmatic advertising, which is anything in the open web and not something like walled garden (facebook) ads.


Or at least take responsibility for what they help to publish. Preventing delivery of malware, ensuring that each ad can be traced to someone responsible, ... like newspapers.


It does[0]. Google gives a breakdown of site revenue from contextual versus personalized ads it seems [1]. Maybe someone here with a voluminous adsense property can report which is more, but from what I remember years ago, personalized ads often still dominate on revenue.

0: https://support.google.com/adsense/answer/9007336?hl=en

1: https://support.google.com/adsense/answer/1055502?hl=en


The market is full of fraud, and the surveillance exists as a counter to the fraud. Users are surveilled in an effort to prove that they are real users, not bots that are being used to fake impressions or clickthroughs. It's all very messy.

Place yourself in the shoes of an ad buyer: a random website offers to display your ad. How do you know what you're getting?


Only some billing models are vulnerable to fraud though. The old school "your ad here for 2 weeks for this price" is not vulnerable to it since you're no longer charging per click/impression.

The "measurement function" becomes the uptick in sales resulting from the unique link embedded in said ad and ultimately the money that lands in the bank.


Yes, share of voice is a lot simpler to reason about and is still done nowadays. It all comes down to yield maximization. One buyer may buy x% of impressions of y quality, so the publisher/website will try to extract as much value from the remaining impressions by auctioning them. There's certainly a lot of lemons that are created in that process.


Sure it is. Just figure out what IP the advertiser is checking from (if they have time to check at all) and show the ad to only that IP. The slot can then be sold repeatedly.


That's trivially negated by services which constantly monitor the website from thousands of residential IPs all around the world.


Until you negotiate for the next cycle and the ad buyer realizes nobody clicked the link


Lots of people clicked the link, it's just that they were all people with botted machines.


The company could still tell from there being a 0% conversion rate.


Maybe their landing page just sucked.


You don’t. I don’t place an ad on the side of a random bus, instead I place it on the side of a bus that drives a route and schedule I know.

If I buy a newspaper ad I don’t buy unless the paper is well known enough that I can trust their number they claim is their total circulation.

Yes: for the web this means no one buys ads on the bottom 99% of sites.


But the ad networks also serve fraudulent ads and even worse, malware. How is that an improvement?


> I still don't get why websites are not able to find in-house ad solutions that are not provided by third parties.

Because marketing department people come and go so they don't have time/motivation to learn some in-house tool. They know gtag and they are happy with it.


You are asking why subcontracting exists.


A webmaster wants to sell ad space, but doesn't want to go and court each and every marketer buying ad space who will just rebuff individual proposals anyway.

A marketer wants to buy ad space, but doesn't have time to sift through millions if not billions of websites and court their webmasters one by one.

Ad platforms bring together the webmasters and the marketers with a one-stop shop. The webmaster courts Google and gets ads to sell his ad space to. The marketer courts Google and gets ad space to put his ads on.

TL;DR: Efficiency and logistics. Capitalism ho!


Finally! The Do Not Track header is the ultimate consent negation. It's an explicit "no". It's part of the request header which the server cannot claim ignorance of. That the web turned into this mess of consent popups despite the existence of Do Not Track is evidence of the bad faith of these corporations. They were clearly attempting to circumvent the manifest will of users. Worse: they turned it into an additional bit for tracking.

So good to see legal precedent for it!


It cannot be the ultimate negation though, because it does not provide for a way to allow specific sites, and the meaning of what not to track is not defined anyway (see https://www.eff.org/deeplinks/2011/02/what-does-track-do-not...).

I would love for a codified way to specify this in the browser, but that also makes way for the inevitable exclusions. For example, taken to the extreme, compliance with DNT means that you cannot use any site that even requires a login.


> it does not provide for a way to allow specific sites

That's a browser limitation. They currently implement it as a global setting. They could also allow the user to configure a whitelist of websites.

The lack of that feature doesn't invalidate it though. It's not a problem.

> the meaning of what to not track is not defined anyway

At a minimum, it means denying consent to everything you can deny consent to.

> taken to the extreme

All this complication and confusion just isn't necessary in my opinion. Tracking is the collection of any information the user did not explicitly provide for any purpose other than what the user wanted.

If I log into a website, I'm explicitly providing my username and password. The site didn't fingerprint me and automatically log me in based on that unique identifier, I did it myself. If I give a store my address so it can ship an order to me, I'm the one providing that information and only for that exact purpose. I certainly don't expect the store to sell my address to some marketing company which then starts spamming my physical inbox with advertisement garbage.

These corporations need to learn to do exactly what's asked of them and nothing else. We don't want them exploiting the information we trusted them with for unknown purposes.

This is the spirit of the GDPR: inform users of the data you collect and what it's used for, and anything not absolutely essential to the transaction may be denied. It is obvious to me that a Do Not Track header represents that blanket denial of any non-essential data collection and processing.


Most of the pseudo-contract BS that defines consumer-company relations is trash legal theory. It should have never held water in the first place.

The fact that our legal systems have tolerated and supported it, mostly demonstrates how intellectually weak the legal profession's philosophy and ethic is.

Companies, especially interacting digitally, use TCs, EULAs and other such nonsense like an incantation. Those are not agreements. They are stupid little rituals that strip users/consumers/whoever of all rights.

Any right that can be stripped by TCs... doesn't exist.

The whole concept of "by agreement" in these circumstances is bogus but... If it must be this way... Stack the deck in the other direction.

"By serving this browser a webpage, you agree to the following..."

By dripping a cookie, by recording this person's data. Pro user, pseudo-legal defaults.

Make "you must agree to X, before you use the product you bought" invalid. Give consumers the full right to unlimited time refunds, if divulging data or agreeing to terms (old or new) is a condition for using the product

This ridiculous deck can be stacked either way.

If I have to agree to a coercive contract intended not to be read, in order to use a device... Give me the right to say no and get a full refund at any time. At least invalidate the agreement.

Where TF are our judges, judicial philosophies, law professors? I want to ask "How could they let this happen' but the correct question might be "Why did they do this to us."


> you must agree to X, before you use the product you bought

To my understanding in many countries this is already illegal in practical terms. Users in those countries are usually permitted to just click through those kinds of agreements and they'll hold no legal water. A EULA must be shown before the user obtains the application or appliance (this for example is why Steam will ask you to click through accepting any third party EULAs before you can download a game and why third party EULAs for a game are listed and readable in an attention-drawing yellow bar on their store page) and "back of the box link to the EULA" isn't allowed. (And even then, the majority of stuff in EULAs that goes beyond the liability-related stuff is illegal anyway since they forbid things that are considered rights you just have.)

The US is basically the only country where these kinds of shrinkwrap EULAs tend to have more use than fancy toilet paper as far as I know.

(I am however, not a lawyer.)


It's not illegal, it's just not legally binding. Accepting an EULA after purchase is more like "we would like you to comply with these license terms, but if you violate them, we can't do anything".

In a lot of countries only the terms that were accepted during purchasing are legally binding. So if you buy a Windows license in a shop without signing a contract, then no additional terms except general copyright laws apply.

With SaaS and online services this got way more complicated though. They can always ask to accept new conditions and stop providing their services if you don't accept them.


>than no additional terms except general copyright laws apply.

Meaning you can't use the software because that would be copyright infringement? EULAs are what give you the right to use the software.


No, buying the software gives me the right to use it. Whatever happens after is meaningless by law.

Even if I have to sign the EULA in the store before purchasing the software, no "surprising" or "unconscionable" parts can take legal effect.


> Meaning you can't use the software because that would be copyright infringement?

Using the software is explicitly not copyright infringement. Private modification probably isn't either. Generally you don't need anyone's license to use your private property as you see fit; copyright is an exception but it only applies to a limited set of things.


Dishing out an EULA that contains non-enforceable terms should be criminalized. Probably if the deck wasn't so stacked for business, it would be quite clear to interpret such EULAs as fraud or attempted fraud.

But as the GP said, the whole thing is a total corrupt farce.


Technically EULAs with non-enforceable terms are meant to be thrown out as a whole in court, even in the US.

Unfortunately every lawyer quickly caught on that their explorative legal fiction being thrown out entirely might make their employer unhappy, so most EULAs have some sort of clause that if a part becomes unenforceable, it won't break up the entire thing.


A clause in the agreement that's already meant to be thrown out? Surely in any case where that clause would be relevant it's already void.


Have there been any cases of someone suing for a refund because they didn’t like the change to licensing?


In Belgium, someone sued because Windows showed its license only after you paid for it. It was declared illegal. Instructions about the license are now printed on every boxed copy of Windows, so you know the license before you pay.


That’s cool, I wish you could do that to online (one time purchase) services that change your license terms after purchase. Keep my license terms static or full refund.

Although that standard might lead to them just moving to a monthly subscription model


Most licence terms already include a term to change the terms. So technically once you buy it, install it, and agree to it, you are also agreeing the terms may change. They probably also have arbitration clauses you are agreeing to so you can't directly sue them either.


That can’t be legally valid, because you wouldn’t know the future terms you’re now ostensibly agreeing to.


That's why they get you to agree to new terms and conditions with an update, or when there are new T&Cs you get a lovely email or whatever to ignore. Either you don't accept them and you don't get the update, or you don't accept them and you can't continue to use the service.

The consideration for the change is getting the new features, updates, or using the services.


If for example your phone company changes its terms with you, it has to tell you, and you can exit the contract.

I'm not sure how this works if it's one of them subsidised phones however.


They can usually cancel the contract early, then you keep your subsidized phone without paying it off. In such a case they usually accept to keep the old conditions until the phone is paid off, because they don't want to give away a phone for free.


A court could also order a full reversal of the performance to the pre-contract state.


> Where TF are our judges, judicial philosophies, law professors?

They are writing law in MS Word and negotiating any changes in law by sending paragraphs over email, which they check once a day at most.


Checking email only once a day is a new privilege. Like long fancy sleeves were in the time before.


>> They are writing law in MS Word and negotiating any changes in law by sending paragraphs over email, which they check once a day at most.

Fair point. But, I don't think it's good enough, at this point.

Software is not new or marginal anymore, and the business of software certainly isn't.

Practices like terms and conditions... It's not something lawyers can't see. I've heard the same thing about patents and I don't really believe that either. Patent lawyers, specialists and reviewers are nerds... They're not "boomers."

There are no more excuses. It just sucks now.


Eben Moglen is a unicorn.


They seem to be wasting their time writing comments on Hacker News


Excellent news. Now let's see this taken up by the EU courts as well if they are challenged on this. But my guess is that the advertising world would rather do this on a country-by-country basis rather than to risk losing in all of the EU at once.


I'd love if this became a EU-wide law. If you send the DNT header, then you can't get cookie consent alerts since you already do not consent being tracked.


I don’t think there’s anything that would disallow asking the user questions. It’s rather that even if the user gives consent through a web UI, the DNT header would still continue to be sent, thus presumably immediately revoking the consent given.


I doubt that a court or regulator would see that as a revocation of consent when the consent was explicitly given by the user. DNT is a global setting, so its continuing to be sent to the site doesn't really provide any evidence that the user means to revoke the consent that they just gave. All it really indicates is that the user doesn't want to turn off DNT globally.


Alternative reading: if mechanized expression of consent is now possible, then if you send a different header "Tracking-OK: True" all the cookie consent banners should now disappear.

It could be a great thing. 99%+ of all people would quickly learn to opt in to tracking to get rid of the annoying popups.


That's an impossible reading, tracking requires informed consent. Blanket "do whatever" consent can never be informed.

Besides, if you gave users a free choice, as intended by the law, no one would consent to it.


The DNT header already has a setting for that: "DNT: 0" (as well as '1', and 'unset')

For one reason or another, the header has been deprecated for years now.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...
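An added example (not code from the thread, from LinkedIn, or from any browser vendor) of how a server can read the `DNT` header values discussed above and combine them with a site's own consent record, following the reasoning a few comments up that an explicit site-specific consent is not revoked by a still-present global `DNT: 1`. The function and cookie names (`decideTracking`, `site_consent`) are assumptions; treating `Sec-GPC: 1` (Global Privacy Control) the same as `DNT: 1` is a choice that goes beyond the thread, included because the same decision logic applies.

```javascript
// Added example, not from the original thread. Assumed names: decideTracking,
// parseCookies, readSignal, CONSENT_COOKIE. Policy choices are marked below.

const CONSENT_COOKIE = 'site_consent'; // assumed name of the site's own consent cookie

// Lower-case all header names; HTTP header names are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Parse a Cookie request header ("a=b; c=d") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Normalise the browser-level signal.
//   DNT: 1      -> 'deny'   (explicit "do not track")
//   DNT: 0      -> 'permit' (user explicitly allows tracking at browser level)
//   absent/else -> 'unset'
// Sec-GPC: 1 is treated as 'deny' as well (assumption: the site chooses to
// honour Global Privacy Control alongside DNT).
function readSignal(headers) {
  const h = lowerKeys(headers);
  if ((h['sec-gpc'] || '').trim() === '1') return 'deny';
  const dnt = (h['dnt'] || '').trim();
  if (dnt === '1') return 'deny';
  if (dnt === '0') return 'permit';
  return 'unset';
}

// Decide whether non-essential tracking may run and whether to show a banner.
// Policy (an assumption, mirroring the thread):
//  - a recorded site-specific consent ('granted'/'denied') wins, even if the
//    browser still sends DNT: 1, since a global setting is not a revocation;
//  - with no record, DNT: 1 / Sec-GPC: 1 is an explicit "no": no tracking,
//    and no banner either;
//  - DNT: 0 is deliberately treated like 'unset': a browser-wide "track me"
//    is not informed consent for this site's specific purposes, so we ask.
function decideTracking(headers) {
  const h = lowerKeys(headers);
  const consent = parseCookies(h['cookie'])[CONSENT_COOKIE]; // 'granted' | 'denied' | undefined
  const signal = readSignal(h);

  if (consent === 'granted') return { track: true,  showBanner: false, reason: 'explicit consent' };
  if (consent === 'denied')  return { track: false, showBanner: false, reason: 'explicit refusal' };
  if (signal === 'deny')     return { track: false, showBanner: false, reason: 'browser signal: deny' };
  return { track: false, showBanner: true, reason: 'no signal, ask' };
}

// Stand-alone demonstration on constructed request headers.
for (const headers of [
  { DNT: '1' },
  { DNT: '0' },
  { 'Sec-GPC': '1' },
  { dnt: '1', Cookie: 'theme=dark; site_consent=granted' },
  {},
]) {
  console.log(JSON.stringify(headers), '->', JSON.stringify(decideTracking(headers)));
}
```

Only the `track: true` branch should ever attach analytics or third-party tags; the `showBanner` flag is what lets a `DNT: 1` visitor skip the consent dialog entirely, which is the behaviour the thread is asking for.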


Why sacrifice privacy?

I have exactly zero popups / cookie banners, and I'm in France and a French citizen (and a GDPR supporter). My browser and extensions reject all requests for consent to be tracked automatically.

We can easily get Web browsers to do that for everyone (it takes about one minute to set up manually) so that everyone could have privacy while having a seamless browsing experience. This is easily doable with the current GDPR.

Now, why would you or anyone prefer to consent to tracking instead?


By modifying the site that way you're violating its ToS and can simply be denied service, as you are neither accepting nor denying the request (you can't deny it because you haven't read it).

Yeah you can claim otherwise and other people are free to just deny you service. EU still doesn't have access to Threads, right? Twitter is thinking of turning off the EU as well. That attitude is why. Trade is a two way street and constantly harassing the providers is a good way to find yourself without any services to harass anymore.


Consent is not a request where the consumer has to make a decision to accept or deny, in EU consent is an opt-in activity.

So there is a clear default state - doing nothing is the same thing as refusing a request, and refusing to even read any requests is a perfectly legitimate way of doing nothing. There is no legal or moral reason to afford the request any attention or consideration, if you're ignoring it, then you're not opting in, and the site has very clear explicit information that it doesn't have your consent.


What browser and extensions do you recommend?


uBlock Origin has many "Annoyances" filter lists. They work really well on desktop and on Android. I pretty much forget that cookie banners exist.



That is just an automatic opt-in to tracking, the opposite of what was asked for.


https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies does reject non-technical cookies – as much as it can – but https://github.com/Cookie-AutoDelete/Cookie-AutoDelete will do the rest.


Hmm, that is an interesting combination. I forgot that I had tried that in the past as well. It had its own issues, because it deletes all cookies by default. Is there any way to keep the convenience of staying logged in with that, e.g. a crowd-sourced whitelist for authentication cookies?


I use consent-o-matic for this purpose: https://github.com/cavi-au/Consent-O-Matic

You can actually configure each toggle yourself.


I've used that in the past. Unfortunately, it had some issues; some sites completely broke when consent-o-matic did its thing (e.g. page remained greyed-out and/or scrolling was broken from the cookie popup). Not their fault really and I respect the effort, but it made it hard to keep it enabled all the time.

Maybe I should try it out again, it has been a while...



Firefox with strict Enhanced Tracking Protection.

uBlock Origin with all available filter lists enabled (except the one for Mobile pages, if you're on desktop).

https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies to reject all tracking consent requests.

https://addons.mozilla.org/en-US/firefox/addon/multi-account... for subdomains you want to log into but still want to access the main and other domains without being connected. For instance, I have it set always open mail.google.com in the Work container so that I can log into Gmail but still search google.com, navigate google.com/maps (etc) outside the work account.

Then, install https://github.com/Cookie-AutoDelete/Cookie-AutoDelete and set it to delete all data from all domains except the ones you want to stay logged into (Google for instance… but only inside the Work container mentioned above). Then, all website data (including cookies) will be auto-deleted a few seconds after you close all tabs from that domain. You have to enable the auto-cleaning and support for containers.

You can tweak a few more things but that should be enough.

I also recommend the awesome https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clea... add-on but only for users who support some media financially. It's fine to work around paywalls (such a bad system) but good journalists still need to be paid somehow.

Idem with https://github.com/ajayyy/SponsorBlock

As for mobile, I use the excellent https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/ on Android. You can have the above add-ons there too, but you need to use Collections for that (as explained here: https://www.androidpolice.com/install-add-on-extension-mozil...). But this won't be necessary soon https://blog.mozilla.org/addons/2023/08/10/prepare-your-fire...

By the way, Firefox will soon get rid of all cookie banners without the need for the "I still don't care about cookies" add-on: https://alternativeto.net/news/2023/6/firefox-115-beta-relea...


Or to opt out.


Why is it always "hope in EU courts"? Is the US legal system that impotent (corrupt) that everyone has completely given up on it?


The US (outside of California) only has extremely anaemic data protection law. I don't think there's an established right to not be tracked there at all?


Why does there seem to be zero interest in changing that? All I see is hope the EU would do something on one side and mockery of China and Russia for doing exactly the same.


> and mockery of China and Russia for doing exactly the same.

Lol...

As if China and Russia care anything about privacy. They are complete panopticons. You can't compare them with the EU, which is a democracy, unlike the others.

The only reason China has this policy of storing Chinese users' data in China is so they can spy on them more easily, not because they want to give them more privacy.


The Chinese and Russians can read our news. We are blocked at reading theirs. What exactly is unclear in this situation?


I thought this was about the "our citizens data local" laws?

In regards to Chinese and Russian "news" you're not missing anything as it's just propaganda anyway :)


> We are blocked at reading theirs

Maybe in Eurostan, but not in America.


You just pretending harder. Letting them rape kids and get away with it? That's low. Every time I hear an American invoke child protection I laugh out loud remembering how the FBI executed Epstein and how protected pedophiles were in the Maxwell process.

So no, there's not less censorship in the US than in the EU. You just gave up trying to say anything meaningful.


I'm not pretending anything, jackass. Russian and Chinese state media is not blocked in America. I can read any of it whenever I want.


A few things that go wrong are definitely not the same thing as a complete lack of a free press or democracy.


To some extent, in most fields, the US has become more a regulatory follower than a leader (the big exception would be finance; the SEC in particular is still hugely influential); it waits on, generally, the EU (or sometimes California) to do stuff, and then sometimes adopts it either de facto or de jure (for practical purposes, US auto emissions rules are dictated by California, and in practice the US gets most of the benefits of the RoHS just from it _existing_, say; California has actually adopted some of the RoHS in law).

Now that the GDPR and CCPA have existed for a while, and the kinks are getting worked out (see, for instance, the article above), that lowers the cost of adoption, and will make GDPR-type rules an easier sell for US states who want to adopt them, or the US as a whole.

Russia and China do not have GDPR-type protections (they do have some data locality rules, though for rather different reasons).


> mockery of China and Russia for doing exactly the same

The only mentions of China and Russia in this thread is this post of yours. What are you referring to?


Yes. (I am not American.)


You can only go so far up the country's court chain before you either lose or EU courts get involved.

If this goes to the Federal Court (BGH) in Germany they will "ask" the European Court of Justice for their interpretation of the applicable Union law (in this case the GDPR) and other national courts will take this precedent into account.

If LinkedIn does not appeal they will be required to follow the ruling. Even in this case it's not uncommon that national courts will look across the border.


Well, this is an interpretation of the GDPR that already allows "technical means" to reject tracking.

I think it will have to be challenged country by country to make them use this interpretation.

But this 100% sets a precedent for other EU countries.


As far as I understand it, they were not forced to respect the DNT header in their processes. They were only forbidden to claim that the DNT header would not be legally binding and therefore not respected.

The court did not force LinkedIn in any way to actually respect or at least consider the DNT-header in their processes.

This is how I (being a German native-speaker) understood this article by the usually very reliable heise online: https://www.heise.de/news/Do-Not-Track-LinkedIn-darf-nicht-m...


The full decision can be found here [1]. The consumer protection agency did also seek that LinkedIn be forced to respect DNT, but the court did not grant this relief, reasoning that it was overly broad in two ways. First, it did not specify precisely enough what is meant by DNT — in particular, the suit did not limit itself to the DNT header, but referred to any kind of configured signals sent by the browser. Second, it described the behaviour that LinkedIn is supposed to cease when encountering such a signal in an overly broad manner.

If upheld, the judgement certainly seems to open the door for future litigation, and one might even hope for potential targets to adjust their behaviour in anticipation of it, but I would not hold my breath there.

[1] https://www.vzbv.de/sites/default/files/2023-10/23-10-10_Stn...


To read that article, you need to pay or "freely consent" to personalised tracking. Sometimes I wonder if the people writing for that site, who no doubt have an IP whitelist or are logged in all the time, even realise the irony anymore


While that's true, the court also said that DNT is legally binding. That's also in the article from heise that you linked, in the second to last paragraph.

But you're right. It sounds like the court interpreted it that way, but anyways, the ruling is only about the claim, not about whether they respect DNT or not.


One problem I've always seen when debating tracking was the broad scope of the word. Take for instance three examples:

1. A shopkeeper that watches his customers for shoplifting and observes their flow in the store to know where to place products.

2. An online store that tracks what products people are looking at and what carts are abandoned the most.

3. A global ad-network that gets fed most of your browsing activity across the internet and creates an advertising profile for you.

Don't you agree that a difference in scale brings on a difference in kind somewhere on this axis?

The way I personally see it is that what a user does on your website is fine to observe, but when data is being shared with third parties it must explicitly have your agreement.


Even the term “advertising profile” is a very broad statement that leaves much to the imagination. They’re not all the same.

You can view and modify the ad profiles Google has for you [1] [2]. I leave it running because I’m vaguely curious what it will find. So far, the ad topics are extremely generic and not anything I worry about.

[1] https://myadcenter.google.com/ [2] chrome://settings/adPrivacy/interests (if using Chrome on desktop)


I'm not so sure those advertising profiles are "the data" as much as a simplified representation of the data for users to manage. I don't know about Google specifically but there's no way in hell the limit of Facebook's marketing profile is what they show you in their analogous interface.


Yes, lack of transparency and lack of trust are big problems.

I'm hopeful that the ad topics code in Chromium will improve this situation somewhat. Maybe someday we will see reproducible builds for Chrome?


Personally, I'm hoping the internet business world will discover an entirely different currency to exchange for online services. While I do pay for email, search, news, etc. I don't have a problem with some single-party tracking. If I go to a pharmacy website and search for Q-tips, I see no problem with them banner advertising their generic cotton swabs on subsequent page loads. However, the actual psychological profiles created by today's ad tracking systems have proven to be quite dangerous, a la state actor interference in recent US elections. At its heart, this is not a discussion about advertisements. This is about marketing companies making large-scale tools specifically designed to manipulate the behavior of millions of people. I don't care about what's in product ads-- I do care about bad actors using that data for its intended purpose in another domain.


Yes, that sounds bad, but the ad topics in Chrome look nothing like a psychological profile. It's a list of very generic topics like "Computer & Video Games", "News", and "Real Estate".

This is targeted, but only barely.


1. and 2. are likely implementable without needing consent.


If they are, in that case isn't data sharing the problem and not the tracking itself?


If you aren't tracking with identifiable data there's no problem. Tracking the contents of a cart is not a problem, nor is how often a product page is hit. Keeping a log of when some space is occupied by a person is not a problem, at least if you don't know anything else about the person.


Yeah, but how can you know if some specific IP isn't ruining your aggregated data?


The subject is the difference.

If a person is the subject of your tracking, then you need that person's consent.

If an inanimate object is the subject of your tracking, then you're likely in the clear.

The caveat is that if you track a person via your tracking of inanimate objects, then you better have that person's consent.


When is an inanimate object the subject of the tracking? In all my examples it was a person being observed.


The space a person inhabits is an inanimate object.

Whether a space is occupied or not is an observation of the space. What an inhabited space looks like is an observation of both the space and its occupants.


So is my analytics engine merely observing inanimate electrons that have been launched a priori by an occupant, but which do not constitute the actions of the occupant-in-itself or the tracking-in-itself?

Sorry, but I can't find any other response to what you said there.


GDPR explicitly defines the necessary terms


In what way? What are the "necessary terms"? I honestly have read some of that legislation and didn't get clarity.

GDPR created a lot of burden for small companies and at the same didn't seem to offer that much protection against abuses from the likes of Google/Facebook.


> In what way? What are the "necessary terms"?

Much like tech standards/specs laws have a section defining the terms used in the law. So, GDPR defines these things. In the context of GDPR tracking probably doesn't even exist as a term. There's personal data that you can't pass on to third parties without user's consent and similar things.


"your browser has do not track enabled and therefore we cannot serve you this content"


That is fine, it lets people understand that they need to make a choice between European values and technoslavery.


What are those "European values" you speak of? I am in Europe and I shiver at the thought of others assuming that I feel the same way about certain issues than someone who lives all the way across the continent.


I'm not sure in which part of Europe you live, but in some parts these are part of the high-school and university curriculum (civics classes). Here is a refresher:

  > # Freedom
  > Freedom of movement gives citizens the right to move and reside freely within the Union. *Individual freedoms such as respect for private life, freedom of thought*, religion, assembly, expression and information are protected by the EU Charter of Fundamental Rights.
  >
  >[..]
  >
  > # Human rights
  > Human rights are protected by the EU Charter of Fundamental Rights. These cover the right to be free from discrimination on the basis of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation, *the right to the protection of your personal data, and the right to get access to justice*.
(excerpt, emphasis mine based on current context, original: https://european-union.europa.eu/principles-countries-histor...)

These basic rights (considered parts of the so called European values) are often infringed by US companies employing extensive surveillance.

Hope I could help.

t. Eastern European assuming the desire for privacy is a universal European value, not only taught in school curricula.


That part with the "individual freedoms" is laughable. We lack most of those, especially if they conflict with the "human rights" part.


You would not believe just how comfortable I am with you lacking the individual freedom to violate human rights.


I can’t believe a real human just complained about not being free to suppress others' human rights (I definitely can believe it).


I think we found him, the biggest victim on the continent. No one is as persecuted as this guy. Some political opponent in North Korea? An unarmed minority in Mali? Nothing compared to user vasdae.


> That part with the "individual freedoms" is laughable. We lack most of those, especially if they conflict with the "human rights" part.

Care to explain what part is laughable or are you just preaching to some "government bad!" choir?


As someone who lives in the EU, I see this very often with US based websites - the ones that absolutely need the tracking cookies and the data suckage.


For the longest time I noticed that many of those websites, typically small-town newspapers, all ran the same CMS, developed by a former employer of mine. Part of the problem, at least back then, could have been that the CMS simply didn't have the ability to disable the tracking cookie based on visitor settings, and development had pretty much stopped years earlier.


Almost no software ever doesn’t need changing. Anything without some sort of indefinite service contract of some sort is always a bum deal for the buyer.


define "need"?

is this "need for my business model" or "need because we can't send a package without your address"?


EU law makes that distinction, as I understand it. If the cookie is absolutely required to do something the user explicitly (not implicitly) requested, then you don't need consent. If you can get the user to explicitly request your business model including the use of these specific cookies then you're good to go.


I think a lot of it is really just pure incompetence. Some product person was just like "we need analytics" and so a dev just put it in. Probably neither party put any thought into it. The product person was trained to want analytics and the dev just does what they're told.


What do you mean "need"? The only websites whose business model is user tracking that I can think of are Facebook and Google. Without tracking they would cease to make money.

Other than those two I don't see how spying on users is a business necessity.


They would not, they just serve contextual ads related to the things you are looking at the moment (which often are far better than the tracking ones)


What's the difference if everyone has Google and Facebook tracking embedded in their website? Offloading the spying to these is even worse, because they are centralized and have farther reach.


Doesn't FB get way more money for spy agency/propaganda contracts than for the 3rd party pixels for advertising?


What types of messaging do you see, and on what sites? Asking from the US


Commonly "this website is not available in your country".

Fairly typically applies to small local news websites in the US.


Oh that's common, from when I used to not live in the US. Usually for stuff that the site bought a license to, with region-lock restrictions.

I was imagining a scenario similar to what Facebook is doing in Canada, with messages stating "We cant show you [x] because your government hates free speech" (hyperbole)


Indeed, and Facebook is now doing this with Threads - "you can't use Threads in the EU because we hate how they make it hard for us to sell your essence to the highest bidder" (hyperbole)


That's almost certainly more about the DMA than the GDPR; they'll be pretty cautious about launching Threads.


I think geo-blocking is legal, if it's blanket blocking. However, blocking based on the DNT header is probably coercive — even if the country is mentioned as an excuse.

https://gdpr.eu/gdpr-consent-requirements/

Consent must be "freely given", which means you have not cornered the user into agreeing to you using their data. Requiring consent to data processing therefore excludes consent. You need to be able to say no.


Also some retail outlets. Home Depot won't let you see the site from the EU.


Which makes sense as it does not sell there so it does not want to bother with non US laws.


There's a large difference between not selling versus not showing.


There's no incentive for them to even show it.


There is: people do travel.


But not enough to make up for the costs of even thinking about implementing what is needed let alone actually implementing, getting a legal check and maintaining it.


Which is stupid since EU law doesn't apply to them, since they don't specifically target European users


Yes it does, the EU considers GDPR to apply internationally and "European user" is defined in such a way that it includes people physically outside the EU.


Last I checked the GDPR applies to EU residents, not EU citizens. In other words: it applies to anyone in Europe, not anyone from Europe.

The legal problem with geo-blocking to work around the GDPR is that the error page is usually not GDPR-compliant either. That said for most US sites which apply geo-blocking this is very much a "we'd rather lose that part of the audience than respect anyone's rights" kind of deal. You can roll out the GDPR-compliant treatment for your US users too and it'll be to their benefit. It just means your broken business model that relies on abusing your users' privacy might no longer work.

Note that there are EU sites that do force tracking ads on their users while still being GDPR-compliant by only doing so after the user has consented to it and offering a paid subscription without these ads as an alternative. So it's not just "but we need ads" but explicitly "but we want to harvest your data and do who knows what with it".


The EU can consider whatever they like but it does not affect the fact that their jurisdiction ends at the border.


GDPR disagrees with you


"Your privacy is important to us. This content is inaccessible in your region" or something along those lines


Sometimes just a simple 403.


Thankfully that's just as illegal as tracking without consent (or in this case, explicit rejection).


On the other hand, German newspapers now offer you "allow ads and tracking... or sign up".


Which is also illegal:

https://news.ycombinator.com/item?id=36720629

It just hasn't been broadly enforced yet.


This is fine, I'm happy when a US website bans me from looking at their content because of my EU IP address.


A similar variant of this message telling me I am from EU and therefore can not visit a US site already exists.


I remember back in the day when GDPR was announced this was an actual thing. Nowadays though, 9/10 of the websites that used that message caved and are serving the EU without problems.


If you do not count forcing the user to click "I reject" 9000 times as a problem.


Except for Home Depot and many regional news syndicates


That makes me so grateful for GDPR.

Websites that refuse to serve me any content due to that law are just yelling at me saying "we don't care one bit for your basic rights to privacy". They have zero intention of sharing anything respectfully and would just sell my data instead, with no accountability whatsoever.


This would be plainly illegal. GDPR article 7:

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.


Also not allowed.

Consent must be freely given

“Freely given” consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no.

https://gdpr.eu/gdpr-consent-requirements/


I've always thought that's a bit weird. I think companies ought to be able to give the customer a choice of "paying" either by consenting to spying or by coughing up some cash.


The whole idea of unalienable rights (which in ECHR includes privacy) is that you can't "alienate" them by signing them away in a contract.

It's just like any contractual clause that would sell yourself in indentured slavery or oblige you to make sexual favors is automatically void, since consent to these things is not something you can sell, you can change your mind about these things at any time no matter what contracts you've signed, because they can't be binding for that.


(It doesn't matter for the point you're making, but in Germany a contract to supply sexual services is legally enforceable, just like a contract to supply any other kind of service.)


That's interesting, I'm not a lawyer, but the way I understand the German Prostitutionsgesetz, it makes sexual services legitimate part of the financial contract - so both parties may be entitled to payment or compensation in various disputes, however, it still doesn't allow "sale" of future consent, it does not imply that the customer has a claim for the specific performance of some service, or that the provision of the service is enforceable; such consent may still be withdrawn at any time, though it may legally result in a claim for e.g. refund of any prepayment for the service.


No.

Just like no company can purchase my kidneys. I can donate them, and hospitals can transplant them, no problem. But they are not for sale.

We know what is being done with human organs when they're on the market for profit. Nothing good. Idem with privacy (especially when your personal data encompasses others': contact details, emails, photos, etc).


A lot of German news websites have cookie banners where the options are accept, and subscribe to deny.

The argument is that denying doesn't prevent you from accessing the site.

I recall there's precedent for this being legal, but I can't seem to find it. Search engines have really gone down the drain lately.


This is the "Pay or okay" model that some sites in Austria and Germany have ( https://noyb.eu/en/pay-or-okay-beginning-end and other updates from NOYB talk about the issue).

I've also seen a Spanish site with this, but as far as I know it has only been accepted by Austrian and German authorities (and challenged recently by some courts).


That would be preferable.


excellent, at least the site is being honest. I would not need it in such a case. It's somewhat illegal (GDPR) but likely unenforceable when the entity resides outside the EU, and has no (official) business there.


Good, now I know what websites to avoid.


At least GDPR has protection built in against such behavior. Unless they exit European market entirely.


This saves so much of my time.


Would this include browsers which have the DNT header enabled by default? I remember early Edge/late Internet Explorer defaulting to sending the header, and claimed as much in advertising.

The spec itself (at the time, at least) said that it could be ignored if the header was always sent/not user-enabled.


Not a lawyer, but basically the website cannot distinguish whether a DNT setting was enabled by default or whether the user intended to set it so it really does not matter. It must be assumed that the user enabled the DNT setting.

Let's assume Aunt Agatha reads about the DNT setting in one of her magazines, goes to the browser settings, sees that it's enabled, takes no further action. That is no different from Uncle Ulysses who has a different browser with a DNT-disabled default who goes to the settings and enables it.

My letterbox has a sticker on it that I don't want to receive unsolicited ads. I don't need anyone to try to presume that it wasn't me who put that sticker onto my letterbox.


It gets better than that. Once, I've seen / caught in the act / one ads distributor who damaged the sticker on my box's lid. He was scratching it with a key. Then he suddenly vanished after seeing me.

After that, I got ads put into my box again. Once I asked one distributor if he couldn't see the sticker.. "it's damaged. So I thought you wanted to remove that, but it made problems so you left it stricken through"


This is fascinating. We have no such system in the US as far as I am aware. First, I think it’s against the law for anyone other than postal employees to put stuff in mailboxes. So we get flyers shoved under doors, in cracks around letterboxes, etc. Second, no one would respect those stickers. And third, because our postal service has to be self-sustaining and legit mail has declined, the only mail you get these days is advertisements.


I don't remember the beginnings of such stickers, but it had something to do with the litter produced by the unwanted mail. We have to pay for our litter here. And no one wants to pay for others' :)

Just like the reason you can get fined for throwing away litter, if it's not your litter box.. :)

I wish that a freely said "I don't want" were binding for all people over the world.


I have trouble believing that's real. Why would these workers bother?


The same reason we put 2-3 of them in the same letterbox or we trashed some packs at the end of a street (yeah I did that back in the '90s as a teenager). To work less and earn the same.


I mean at that point you could just put the entire stack in the nearest recycle bin and call it a day. Much more efficient! Much less of an annoyance to people.


But that would be easily discovered. It had to be "good enough".


I have no idea why they bother but the sticker on my post box and those of some neighbors were removed for the third time now in the last 2 years. I know that they didn't remove them themselves because I talked with them and gave them new stickers. The kids in the house are either too small or too old to remove them so I can only assume it's the people distributing flyers. It sure is not the postman, he actually wrote a note asking everyone to put up those stickers because he didn't want to carry stuff that ends up in the trash anyway.


If you are paid by ad distributed wouldn’t you want to try to maximize the number of ads delivered in to the same apartment building?


Not through vandalism and scamminess, but maybe that's why I don't work in advertising.


I've had door to door solicitors argue with me, after I pointed to my quite prominent "no soliciting" sign, that they weren't really "soliciting" but, rather, "marketing" and therefore the sign didn't apply to them.

¯\_(ツ)_/¯


Sounds like it's epoxy time.


> Not a lawyer, but basically the website cannot distinguish whether a DNT setting was enabled by default or whether the user intended to set it so it really does not matter. It must be assumed that the user enabled the DNT setting.

In Firefox you can't even turn it off, except maybe via some about:config thingy, so that's not really an entirely valid assumption.


Of course you can turn it off. Edit -> Settings -> search for "track" -> select "Only when Firefox is set to block known trackers". Job done.


Yes exactly, you can't just turn it off.


But the website can perfectly reliably determine whether the browser's vendor string matches a browser version that has DNT enabled by default.


You've missed the point. Knowing the browser sets it by default says nothing about whether the user consciously decided to keep it that way, so claiming that it's just the browser default and therefore to be ignored was always just wordplay.


True. I probably misread the first sentence completely. My bad.


Spec largely doesn't matter for what the courts think; DNT is considered by them to be a valid signal for not wanting to be tracked in the eyes of the court according to the ruling. (note: I am not a lawyer.)

You could argue that by using a browser where the DNT header is set by default, they are making that decision on their privacy by y'know, using those browsers over the ones where they're not set by default. Ad companies don't want that argument, they want you to opt out in every browser (and ideally they'd just ignore the header entirely, which they do after Microsoft enabled it by default in Explorer).


Discussing defaults is only a distraction. Browsers are, in their own words, a "user agent" and their requests are the user's requests.


To be fair, Chrome is basically doing everything it can to stop being the user's agent and is instead Google's fun magic box you use to see what goes on on the internet (with the explicit long-term goal for Chrome to just be Google's freely downloadable OS overlaid onto your Windows/Mac/Linux, given how many system APIs Google keeps dumping into the browser).

I don't blame people for forgetting that part sometimes, given how 90% of the population uses a browser that doesn't serve their interests.


If this were true, then wouldn't your browser sending out personal data constitute consent to have that data tracked? After all, the website asks you to give them the data and the browser complies.


The browser sending data doesn’t authorize the server to store it for tracking purposes.



>Would this include browsers which have the DNT header enabled by default

It's the EU - the default is to require consent for using personal data (which in at least a few of the jurisdictions includes IPs). The 'default' should be out.


And what do you do if the user gives consent and still sends the DNT header?


You either have consent or you do not. Mixed signals do not permit you to err to your benefit.

EU courts have already ruled that "cookie banners" that are too-confusing aren't considered consent.


Does it become harder to figure out when your salary depends on not understanding it or something?


I guess it is. This conversation reminds me of the classic Tea Consent video, explaining the concept of consensual sex: https://www.youtube.com/watch?v=oQbei5JGiT8


The latest consent given (or taken away) takes precedence; consent requires a clear & affirmative action, so if that part can be recorded - do as you please.


Would be irrelevant, because the DNT-header will be sent with every request, so for all practical purposes will be later than any other kind of consent.


There can be a case where the end user (person), logs on the site - then sets a permission/consent to be 'tracked' (whatever), then a cookie/localstore persists - so the DNT is not relevant.

Consent/tracking doesn't mean solely 'cookie' banners.


No. Ambiguous consent is no consent. And continuing to send DNT is ambiguous, because the tracker can not distinguish between intent and accident.


I guess the person above you means what if someone clicks "accept" on the cookie banner but also has DNT turned on.

To which I'd say: they shouldn't even see the cookie banner in that case. DNT alone is enough.


Yup. If I'm going around my daily business wearing a shirt that says, "no sex for me, please!", then please do not come up to me and say, "but, would you like to have sex with me?"

And if I say "yes, actually, even though it was very rude of you to ask, given the shirt that I am wearing...in fact, I would like to have sex with you," then you should at least have the decency to wait for me to take my shirt off before having sex with me.

If I decide it's really not worth the effort to take the shirt off, then it turns out, actually, no, I really did not want the sex after all.


This is the best analogy I've heard in a while, thank you.


On the other hand, I recall a discussion about how GDPR requires active and informed consent, and how a blanket refusal would not be in line with the regulation.


If the user installs a privacy-focused browser (NB: not sure if such things exist, marketing aside), one could argue that there is still user choice involved even though the browser sets DNT by default.

The original Internet Explorer situation was different because it came pre-installed with the operating system, and whether there is choice in operating systems for any given piece of consumer hardware is often rather dubious today (and was probably “no” in more cases back then).


> If the user installs a privacy-focused browser (NB: not sure if such things exist, marketing aside), one could argue that there is still user choice involved even though the browser sets DNT by default.

It doesn't need to be argued, as the fact that the user did not disable the DNT option in such a browser is the action that matters.


> The spec itself (at the time, at least) said that it could be ignored if the header was always sent/not user-enabled.

Why?


IIRC the people who wrote the spec did it in co-operation with the larger ad networks and this was the only way they could get the ad networks to comply with it.

Then Microsoft enabled it by default in Explorer 10 and the ad networks took it as carte blanche to ignore the DNT header forever, claiming Microsoft had violated the agreement. Nowadays it's usually not set even by the overly privacy conscious out of fingerprinting concerns, since it's another unique way to identify your traffic.


What didn't help was that the EFF was actively campaigning against it instead of lobbying to elevate the flag to legal status so it would become useful.

The same way they campaigned against adblockers but had their own petty little voluntary pledge thing.

That's what you get when your NGO gets so big your leaders end up playing on the same golf courses and waiting in the same netjets lounges as the enemy.


I have absolutely never set it because of how many bits of information it is in terms of fingerprinting me. Might as well send a header with half my SSN up along with it.


I suspect it was just the conservative choice, mirroring the behavior of the predecessor browser extension (which also required deliberate user action to activate): http://paranoia.dubfire.net/2011/01/history-of-do-not-track-...

I couldn't find any explicit discussion of that aspect of the spec (https://datatracker.ietf.org/doc/html/draft-mayer-do-not-tra... is an early version), but I suspect that as noirscape wrote, it made consensus-building easier. Not that it mattered in the end, of course.


Of course it should. In Europe tracking is supposed to be opt-in, so enabling by default is exactly how it should work.


Courts are not necessarily bound by such a spec, but it doesn't look as if that question was addressed here and in my view it would have to be established by another case because for sure the companies that ignore do not track right now will be more than happy to pretend that they have an excuse to continue to do so. This is a long drawn out rearguard fight.


Quoting the (Google Translated) article:

> According to the General Data Protection Regulation, the right to object to the processing of personal data can also be exercised using automated procedures. A DNT signal represents an effective contradiction.

I assume automated procedures include default settings. Not a lawyer and not from the EU though


> The spec itself (at the time, at least) said that it could be ignored if the header was always sent/not user-enabled.

How would that work? Has the server a mechanism to check if DNT was set by default on the client/browser?


No, the idea was exactly to prevent browsers from enabling DNT as the default. The spec would expect the server to check the User Agent and ignore the DNT header entirely if it comes from a user agent which is known to default it to true.

Obviously, this was a ploy to gut the standard while still pretending to self-regulate.


Why can't we expect people who want tracking to be smart enough to go and disable it? That sounds like an even more reasonable way to think about it.


Let's assume I install Tails OS. Just because it's private by default does not mean it was not my choice!

The choice just happens on another level.


GDPR specifies tracking to be necessarily default-off and opt-in anyways. Therefore the browser sending DNT:1 by default would just repeat the legal status quo. A tracker could not successfully argue that this is to be ignored, because the technical default that the browser sends is the legal default anyways.


I see no one's commented on Global Privacy Control. It's essentially an HTTP header that's supposed to be legally binding with the California Consumer Protection Act (CCPA); unlike DNT.

There's a setting on Firefox (Beta at least) that enables it.

See:

https://globalprivacycontrol.org/

https://global-privacy-control.glitch.me/

https://privacycg.github.io/gpc-spec/


GPC is already the law in California, but it seems the EU has yet to catch up, possibly because of how enforcement failed by being delegated to national DPAs, some of which like the Irish ones are clearly captured by the surveillance-industrial complex.

https://www.huntonprivacyblog.com/2021/07/15/california-atto...


Yeah, that's the unfortunate part of the GDPR. Enforcement is very slow.


The EU learned its lesson. DSA and DMA enforcement is not left to national authorities. The Irish DPC clearly thinks it is a subsidiary of the IDA, the agency charged with attracting multinational headquarters to Ireland.


I can not wait to read Google's reasoning why they suddenly have to remove the Do Not Track feature from Google Chrome.


“Too much engineering effort to maintain”


I think this is really, really good. I hope other European countries follow suit


I am not sure this is even required. A (German) legal court order could also be used across the EU as case law.


Germany is not a common law country and neither are any other EU countries. Higher court decisions (which I don’t think is the case here) can set jurisprudence but it’s not the same thing as in a common law system.

Also national court decisions do not apply to other member states.


Ireland is a common law country, and coincidentally the European headquarters of many internet giants


Ah yes I forgot about Ireland! It’s the only one though


Cyprus too.


For tax purposes AFAIK. It also has a terrible record on GDPR: https://www.siliconrepublic.com/enterprise/dpc-data-protecti...


A lot of courts use rulings from other countries where the cases are similar. Any interpretation by the Berlin regional court that GDPR implies that DNT should be treated as a GDPR opt-out should be easily adopted by courts in other countries deciding similar cases.


I’d have to read this specific decision but my opinion is that while the GDPR says the user can refuse consent “by automated means” it doesn’t specify what those means are, thus making it quite hard to follow, enforce and therefore likely that other courts will decide differently on similar cases. E.g. would my own “X-Tracking-Is-Stupid: don’t track me” header be valid as refusing consent? What if I add it as a query parameter in the URL? And so on - DNT is not special in the eyes of the law.


DNT is both common practice and a documented standard; the law will take both these into account in judging it vs `X-Tracking-Is-Stupid`.


I disagree that it’s common practice or standard. The W3C never even standardized it, mainly because of low adoption: https://github.com/w3c/dnt/commit/5d85d6c3d116b5eb29fddc6935...


Care to explain? In my legal career - which is now years behind me - I've never heard of, say, a Dutch court picking case law from Germany and making it applicable to a Dutch case.


Not sure if this is applicable, but it looks like it may be possible?

https://commission.europa.eu/law/cross-border-cases/judicial...


This talks about foreign countries applying & enforcing your country's court orders (within the EU). I don't think it can be stretched to include case law in your new case.

You could try that in court since the base gdpr is the same, but EU law implementations still differ.


GDPR is a different law per country, not one law for the whole Union. A lawyer could argue that the law in their country is supposed to work like the law of another country because both are GDPR, not directly appeal to the authority of a foreign court.


One thing that I did remember from my legal career was that lawyers could always argue literally everything. ;)


That unironically sounds like a minimum requirement for being a good lawyer.


GDPR is an EU regulation which means that it is one law for the whole union. EU regulations supersede even constitutions of member countries. An EU directive means that countries have to put a law in their own books.

Don't know though how different court judgements are interpreted. I'd guess it would have to be an EU-court judgement for it to bind other courts. In most EU countries only high/supreme court rulings set a precedent anyway.


> EU regulations supersede even constitutions of member countries.

On paper that is the idea politicians had, but they don't always have the final say in practice. For instance Germany's Federal Constitutional Court reserved themselves the right to make decisions superseding EU regulations, however re-affirming the authority of the European Court of Justice "in the general case", since it is compatible with Basic Law for the Federal Republic of Germany. Neither court is explicitly considered to be higher and their stance is cooperative.

So far, as far as I know, no EU regulation was struck down in Germany, only parts of various laws implementing directives.

https://de.wikipedia.org/wiki/Maastricht-Urteil


>Don't know though how different court judgements are interpreted. I'd guess it would have to be an EU-court judgement for it to bind other courts.

If there is a contested interpretation of EU law then the lower courts of a member state MAY refer a question (or questions) to the CJEU to resolve the issue.

In the case of the highest courts (where there can be no appeal) they MUST make a referral to the CJEU.

These referrals also aren't "appeals" as such, either, but are designed to answer the questions in such a way that the member states' courts can resolve the case with an authoritative (and consistent) interpretation of EU law.


As long as companies can use EULAs to assume our consent implicitly (and change their terms at any time, without warning), that also means that I can send them headers alongside my HTTP request containing legal terms that they must also accept implicitly.


> As long as companies can use EULAs to assume our consent implicitly (and change their terms at any time, without warning)

Well, they can't.


I'd have zero problems with ads embedded in the page where the topic is inferred from the content of the page.

But as long as these companies unnecessarily track my browsing habits in order to serve ads, I'll continue using a tracker blocker like uBlock Origin with the sad side-effect that the ads disappear from the page.


This is an excellent step towards more control for consumers/users. Next step should be DNT disable all cookie popups and assume that only essential cookies are acceptable.

Speaking of, I am expecting DNT to reset to disabled silently on next release of chrome. So people forget about it and tracking is allowed.


Please: let's get rid of cookie banners. Force websites not to show cookie consent banners if I already chose not to be tracked by enabling the Do Not Track (DNT) header.


The danger there is that people who consider adding a second check for “legitimate interest” (otherwise known as “we see your preference, but fuck you and your preferences we want to anyway”) to be valid will consider that their legitimate interest pushes the tracking into required-cookies territory so not covered by DNT.


'legitimate interest' is such a load of horseshit. I will go out of my way to reject those too purely on principle.


There's no such thing as "consenting to legitimate interest" in the GDPR. Those are two different mechanisms. Legitimate interest does not require consent. If it requires consent or can simply be opted out of, it's not legitimate interest and therefore requires consent.

Those two-stage "legitimate interest" opt-out toggles are pseudo-legal nonsense dreamt up by (mostly non-EU?) companies trying to shoehorn their business model into the new legislation, just like the "consent pop-ups" that don't provide a single-click "disagree with all". Those are actually explicitly forbidden by the ePrivacy directive btw: there must be a first-level "disagree with all" button and it must be as visible as the "accept all" button if there is one.

I actually see nothing in this ruling about DNT that makes DNT do anything that isn't already the default under the GDPR. As far as I can tell, the ruling just supported the claim that LinkedIn was demonstrating deliberate intent in its violation of the GDPR by saying it does not consider DNT to be relevant. It was likely already violating the GDPR based on what the article describes, this just establishes a justification to issue a serious fine rather than just a warning.


That's a good start. I hope it becomes mandatory for websites to acknowledge "Do not track" header. Does HN acknowledge it? I'm assuming not.

Because after all, it's run by YC, which is a for-profit organization that couldn't care less about the privacy of its users


I checked with incognito - HN sets 0 cookies.

When logged in I do get 4 cookies

   - user (technical)
   - _ga (Google analytics? Source doesn't include any)
   - ajs_anonymous_id (Dunno. Searching around brings up atlassian jira cookie...)
   - ph_phc_.................._posthog (PostHog?)

Anyways, the site is superlean and hn.js is such a short script.

I think the other 3 could be related to the parent site. The user cookie is only scoped to news.


Kind of ironic that it was Microsoft pushing this header and Microsoft's property LinkedIn is the first hit by it


I thought Microsoft hosed things by enabling DNT by default, but apparently they changed course after 2 years back in 2015:

https://blogs.microsoft.com/on-the-issues/2015/04/03/an-upda...


Nice! So announcing "Keine Werbung" on my letter box now also becomes legally binding? I also wonder about all the announcements on t-shirts. Hmm.


It has always been, for a long time already (a "Keine Werbung" sticker is enough to indicate you don't want it)?!

https://dejure.org/gesetze/UWG/7.html

Sure, theory and practice and suing offenders are all different things, however most obey that here I'd say?


In practice, "Keine Werbung" means "No advertisements except for moving services". These are the only ones that don't give a shit.


In my experience, it's food delivery services.


I wonder if there is a way to make them give a shit. A pizza place in my area is a serial offender, and I'm wondering if an Abmahnung and the threat of a fine would get them to stop.


Outside Zürich, I see small-time car dealers, small-time precious metals dealers, delivered pizza and kebab from neighboring villages.

Perhaps advertisement is only something big companies do? /s


It is legally binding since the 80s in Germany. Just mostly nobody bothers to protest an occasional error and it would mostly affect the teenager who delivers the ads anyway.

https://dejure.org/dienste/vernetzung/rechtsprechung?Gericht...


It typically gets me some remorseful response and they actually manage to honor the signage for a year or two.

I also send nasty letters to parties who consider themselves exempt from that before elections (they're not).


> would mostly affect the teenager who delivers the ads anyway.

If their job is to litter, then tough luck.


It should … the “no ads” mailbox stickers are legally binding in Belgium. In fact, you can’t send mail spam to people without opt-in consent.


You can at least dry out your shoes or light fires with those ads. Unless the paper quality is too high ...


They are? Sure doesn't stop people from randomly dropping garbage ads in your mailbox.


> So announcing "Keine Werbung" on my letter box

What pisses me off is that they advise doing the same in my country when I complain about leaflets from Lidl, Kaufland, Rossmann and others. Take your silly practices back to Germany, I don't need to label my postbox NOT TO RECEIVE your spam over here. "No spam" is the default without any label.


So you guys put stickers "hey I want spam" instead? The German practice doesn't look silly compared to that.


Or, you know, you could just not have spam. Not in boxes with a label, not in boxes without a label. Just stop spamming. No "but what about ...", just stop spamming.


Oh god someone understands me, I have a climax.


That's how newsletter subscriptions work on the internet.


What's silly about that? They go next to the "hey I want theft", "hey I want fraud", "hey I want arson" stickers.


I would never try to run a business that depends on tracking (I want to be able to look at myself in the mirror) but if I did I would respond to this by putting up a notice like this:

"Our business depends on tracking. That's how we make our money. We cannot provide this service for free to someone who has activated do-not-track. We do offer a paid version of the service at $X per month. If you want to subscribe, click here. Otherwise, if you want to continue to use our service for free, you will have to disable DNT."


Not allowed. Under GDPR, consent for tracking must be freely given and not a condition of service.


Wow, really? That seems deeply wrong. That's effectively saying that certain classes of products have to be given away for free. I know that the EU regulatory regime is broken, but can it really be that badly broken?


No, certain classes of products don't have to be given away for free. But you can't take tracking as payment. You can still show ads without tracking, or only have paid users.


Then tracking info has to be given away for free. Your info is valuable, but you aren't allowed to trade it for something else of value, you are only allowed to "voluntarily" give it away for free. That is even more deeply wrong IMHO.


I can't sell my organs, but I'm sure they are valuable to someone. That's the same idea.


Not quite the same because information can be copied and organs can't.


In the GDPR text, this is one of those exceptions where it is not broken.

But you can rest assured that GDPR enforcement is and will remain totally broken. If GDPR was actually enforced there wouldn't be tracking-targeted ads etc. in the EU at all, because very, very few people actually want them. And why would they?


A potentially interesting aside is that Do Not Track was removed from Safari some time ago.

Why? Because nobody respected it, and since it was a user setting that needed to be explicitly enabled, it proved to be a useful additional dimension for browser fingerprinting.

So the irony is that, "do not track" ended up being used... to track.


Excellent decision.

But with most things GDPR, enforcement is key. I doubt any other website will actually change their behavior because of this.

There's a single website that I have encountered that publicly respects Do Not Track: Geizhals.de

No other website, that I know of at least, actually checks this.


I hope tech companies see this as an incentive to get rid of the cookie prompts - a DNT clearly means "reject all tracking and non-essential cookies".


It would be nice if DNT = deny all except mandatory. So browser would have one pop-up after installation and no more banners on websites.

One could dream.


I do too, but I doubt it. They have shown plenty of times they'll fight it as much as they can.


The company I'm currently at has changed its behavior after court/regulatory decisions regarding google analytics. We are now using a cookieless solution that respects DNT. I have no doubt that this would not have happened otherwise.

Still sad that our legal counsel didn't like the idea of self hosting web analytics (since then we'd become a data processor).


I hope in the mid term most companies which do not make their money with advertising will ask themselves "do we even need that data?"

My local dentist has a cookie consent banner up and it's certainly not because they need that vital web tracking of the odd person who tries to find their opening hours but because it's the default setting of their hosting provider.

If it becomes a hassle for companies to deal with this it'll lead to data minimization.

Most companies do not need detailed analytics beyond counting inbound links.


This ruling opens up the door to enforcement, it is general enough that German companies and companies active in Germany will take notice and it might inspire other EU countries to follow suit.


https://devowl.io/wordpress-real-cookie-banner/ has an option described as: "Users can set the "Do not track" HTTP header in their browser to indicate that they do not want to be tracked. If you enable this option, users will be able to access your website with this HTTP header without a cookie banner, if there are no non-essential services that are used based on legitimate interest. Only the non-rejectable services will be used in the case."

geizhals.de shows a message that it honored DNT, but in the ideal case you don't even see it.
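The plugin option quoted above describes the same rule that several comments in this thread ask for: treat `DNT: 1` as "reject all non-essential services" and skip the consent banner entirely. The following is an added example written for this discussion, not code from the thread, from the plugin or from any site named here. It assumes a framework-agnostic request (a dict of headers), a constructed catalogue of the site's services tagged as essential or not, and an optional stored consent record; cookie names are constructed.

```python
"""Server-side handling of the DNT request header.

Added example, not code from the thread or from any product named in it.
The service catalogue, cookie names and consent record below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    name: str
    essential: bool   # strictly necessary to deliver what the user asked for


@dataclass
class Decision:
    tracking_allowed: bool
    show_banner: bool
    enabled: List[str] = field(default_factory=list)


# Constructed catalogue: one technical service, two optional ones.
SERVICES = [
    Service("session", essential=True),
    Service("analytics", essential=False),
    Service("embeds", essential=False),
]


def dnt_enabled(headers: Dict[str, str]) -> bool:
    """True when the browser sent 'DNT: 1'.

    Header names are case-insensitive, and only the exact value '1' is an
    objection; '0', anything else, or an absent header is 'no signal'.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("dnt", "").strip() == "1"


def decide(headers: Dict[str, str], services: List[Service],
           stored_consent: Optional[Dict[str, bool]] = None) -> Decision:
    """Decide which services to load and whether a consent banner is needed.

    Rule discussed in the thread: DNT: 1 is an automated objection, so only
    essential services run and no banner is shown. Without DNT, essential
    services run and optional ones run only with an explicit stored opt-in;
    a visitor with no recorded choice is asked once.
    """
    essential = [s.name for s in services if s.essential]
    if dnt_enabled(headers):
        return Decision(tracking_allowed=False, show_banner=False, enabled=essential)
    if not stored_consent:
        # No decision recorded yet: ask, and load nothing optional meanwhile.
        return Decision(tracking_allowed=False, show_banner=True, enabled=essential)
    opted_in = [s.name for s in services
                if not s.essential and stored_consent.get(s.name) is True]
    return Decision(tracking_allowed=bool(opted_in), show_banner=False,
                    enabled=essential + opted_in)


def response_headers(decision: Decision) -> List[str]:
    """Emit Set-Cookie only for what the decision allows.

    The session cookie is always set (technical); the analytics cookie is
    set only when that service was enabled. Values are placeholders.
    """
    out = ["Set-Cookie: session=<id>; HttpOnly; Secure; SameSite=Lax"]
    if "analytics" in decision.enabled:
        out.append("Set-Cookie: _ana=<id>; Secure; SameSite=Lax")
    return out


if __name__ == "__main__":
    for hdrs, consent in [({"DNT": "1"}, None), ({}, None), ({}, {"analytics": True})]:
        d = decide(hdrs, SERVICES, consent)
        print(hdrs, consent, "->", d, response_headers(d))
```

The check is deliberately strict about the header value: an absent or malformed header is not treated as an objection, and a stored opt-in never overrides a current `DNT: 1`, which matches the thread's reading that a "no" has to be respected as final.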


Well, it sets a precedent for other EU countries, when associations like NOYB inevitably sue.

However, it will take time...


Every time DNT comes up, advertisers are like "but, but, 15 years or so ago, Microsoft enabled it by default for a few months! Hence we can't honor it! Booyah!"


How is DNT different from simply not giving consent in this case?


In other words: why is it legal to show me annoying cookie consent banners if I already chose to send a Do Not Track header?

Asking again for consent after being rejected is forbidden.


Exactly, any form of consent requires respecting "No" as a final answer. After that, consent is opt-in.


Yeah, many articles and people here were raising this point in 2017-2018.


It is just legalese. There was always a problem in defining what DNT actually means and what it implies.

Just check how confusing and ambiguous the whole header is across various references

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...


That LinkedIn ignores DNT does not surprise me in the least. They also make it practically impossible to unsubscribe from their email spam without deleting your account.


This is definitely how the Cookie prompts should be eradicated... if the browser indicates DNT, then don't try and track via cookies.


In the past, commenters on HN would claim that use of DNT is somehow a privacy loss because the presence of the header would make a fingerprint more unique, or something to that effect.

Wonder if they will continue to make this ridiculous argument now.


I wonder if that sets a precedent in terms of what type of electronic signals could be regarded as a legally binding form of agreement between two parties in EU, especially given the fact that DnT is not a standardized HTTP header.


Completely irrelevant... Will they recognize robots.txt as a legal contract?


Good, sites that ignore it should be legally punished. You can't make money without it? You have a crap business model that relies on exploitation.


That would be a major upheaval.

This one feels legit; DNT has been around (and ignored by everyone) for a long long time. But the summary here is saying, oh, the consumer signalled something so sites have to obey. It feels like fools could make up all kinds of arbitrary signalling systems packaging all manners of data handling directives to sites.

So, what if any limits does the court see or allow? If DNT is something sites have to obey, what's something sites wouldn't have to obey? And how do sites become aware of all the different mechanized ways consumers might send processing directives to them?


I'd say websites should be required to honour any signal that more than 1 million potential users know about. That seems like a fair trade-off between pushing work onto companies while simultaneously closing laziness as a loophole.


This legal proceeding is about do not track. It is not about anything else which you're pulling in. This is an appeal to ridicule and these are generally not very interesting.


I assume you are asking in good faith.

I could configure my browser to add some custom headers to my HTTP requests, like `DONTDOTHISTHINGTHATISIMPORTANTTOME` or something. I don't think courts would accept that, as it's not an established interface / protocol, and furthermore GDPR does in fact allow for data-processing if it's needed / required to offer the service.

By providing an interface standard, however, the browser vendors have kind of set the stage for the courts accepting DNT as a valid communication medium for the service consumer to state intent to the service provider. This is akin to the courts taking into account how the card-payment terminal works when ruling on matters of card-payment in stores, etc.


You don't think courts would accept that, but you don't know, because EU privacy law is so vague and badly written that the courts regularly "discover" new things about it that nobody had previously considered possible. For example the fact that everyone had a right to remove stuff from search engines if it was about yourself was never written into law by any elected body or even any non-elected body. It was a right that a court simply invented. Ditto for not being able to use Google Fonts.

The EU has had problems with this kind of activist lawmaking for a long time. It's one of the factors behind Brexit. Some Leave campaigners argued that it was impossible to make any kind of deal or compromise with the EU if it meant staying in, because no matter how clearly written it appeared to be and no matter how watertight the international treaty encoding it was, the European courts would simply ignore it and/or rule it invalid. This criticism landed because there was precedent for that, where the courts had previously done exactly the same thing with other agreements. The same debate is now playing out around the ECHR as well, which the UK stayed in because it's not technically an EU court, just a European court. Same cultural issues though.


... You're aware that the UK also has courts, which regularly discover rolling new vistas of law, right? Like, the idea that manufacturers have a duty to not make unsafe products (not just in the UK; this was internationally influential) derives in large part from someone finding a snail in a bottle of lemonade a century ago: https://en.wikipedia.org/wiki/Donoghue_v_Stevenson

I mean, what you're complaining about here is how ~all vaguely modern legal systems work, not anything special about the EU.


There's a long history of activist courts attempting to legislate from the bench. That doesn't make it good, right or that it's just how a modern legal system works. It's clearly not intended to work that way, but vague and badly written law sometimes allows it regardless.


> because EU privacy law is so vague and badly written

It's neither bad nor vaguely written.

It's not courts who "discover" something, it's the predatory industry that keeps discovering that yes, laws matter, and yes, privacy matters.


Thank you for being only the second rational argument I've seen in favour of Brexit. The other one was around the inefficiency (~= horse-trading ~= corruption) of divvying up project spending.

There are counter-arguments but I see no need to thrash them out. It's nice just to see some fucking thought.


I am glad the UK governments of the recent decade have such a strong stand against corruption, out of their deeply ingrained principles. ¯\_(ツ)_/¯

If that were the only reason (nobody said it was) then the UK had to leave the UK immediately.


Surely British case law isn’t at all lacking surprising court decisions


Are you saying the Brits complained about case law?


Yes bad EU case law that can't be fixed with legislation has been a common complaint of both political parties and independent groups over the years. An example is the Charter of Fundamental Rights which the UK and Poland thought they had negotiated an opt-out of, on the grounds that it was bad law and they didn't want it to apply. The opt-out was negotiated and agreed between all countries and was written in a simple and supposedly "watertight" way. The ECJ simply ignored the agreement and ruled the UK had to obey the Charter anyway.

https://www.politics.co.uk/news/2013/11/13/the-stolen-refere...

It was one of the events that led to the ECJ's perception as an activist court that makes EU law unknowable, because what is or is not illegal can't be understood by reading the treaties or laws. Here's an example of some British lawyers expressing that view:

https://lawyersforbritain.org/wp-content/uploads/2018/04/eu-...

The effects of the Charter, whether applied to UK laws made before or after Brexit, cannot be predicted as its operation would be dependent on the rapidly evolving and expansionist case law of the European Court of Justice, and would open the door to judicial adventurism in our own courts.

Not just the UK has complained about this. Here's an example of corruption in the ECJ uncovered by Irish journalists, in which the ECJ was trying to surreptitiously expand EU powers:

https://euobserver.com/investigations/131569

It is clearly corrupt to hear a bogus case like that where the plaintiff doesn't even know they're in a court case at all and both sides are represented by the same firm, yet nothing was ever done about it.


I wish we could go to a world where LinkedIn only existed in its infancy and not what it is now. That product has devolved into 100% spam.


If only this could translate to a person.


Does it set a precedent that I can send a header "do-not-show-ads" and they can't send me ads?


There is no right not to be shown ads. Also you would need your header to be specified in some standard (informal or otherwise).


I've been having the same thoughts. Pragmatically, the main roadblock is that the DNSA flag would need to go through some legitimate standardization process.

It would be really fun* if the headers of an HTTP request were to be considered part of a legally binding agreement between client and server.

*In a "mentally deranged fun" sense, of course.


Tracking is considered a negative action, so there are stronger protections around that.

It's not a crime to put an advertising truck outside a house, but it can be to put a (private company) surveillance truck.


No, ads are okay in terms of GDPR. The tracking requires consent.


Ads are highly regulated in the EU and individually in member countries. Eg. in Poland it's illegal to show ads using TV shows for children, the ads before and after a show have to be child safe, eg. no medications. Yet same rules don't apply to YouTube or Facebook. Why wouldn't I indicate using a header that this device is used by a child and ads must be appropriate?


Standardizing a "child-safe-content-only" flag would be definitely appropriate.


I remember that this was trying to be a thing in the mid-2000s (via COPPA) in order to help better age restrict adult content. Sites would use metadata to signal the appropriate age limit for their content and web filters could use this to deny access. I don't think that ever went anywhere.


Sites can still ask you if you consent to overwrite this, so it is no different than what already exists.


DNT has always seemed pointless to me; you really don't know if they are even abiding by it.


Finally! I've been waiting for this. This is great news, let's hope it doesn't get appealed. Imagine someone asking you if you want to have sex with them, you say no. And then asking again, and again and again. In what world does that constitute informed consent and not harassment? And don't get me started on the yes or maybe later bullshit.


From GDPR, article 21, paragraph 5

„ the data subject may exercise his or her right to object by automated means using technical specifications. “

https://www.privacy-regulation.eu/en/article-21-right-to-obj...

From that it seems pretty clear, that automated signals like „do not track“ are allowed and legally binding.


If you use Wide Angle Analytics, you get DNT support enabled by default :)

https://wideangle.co/documentation/data-do-not-track-handlin...

(but you can disable it if it does not apply to your situation)


I hope this becomes global law, and I hope Safari brings back the DNT setting.


Are they allowed not to serve you if you have DNT enabled?


Of course not. That's the point of GDPR.


Not true. Every business has freedom to choose its customers. Nobody can force you to service them for free, and nobody can force you to serve your website without tracking enabled if that drives your revenue.

However, you’ll have to live with the consequences. Maybe it’s time to reduce reliance on tracking after all?


> Not true. Every business has freedom to choose its customers.

In America yes. In Europe no, you can't project US law here.

For example the "We don't bake cakes for gay couples" is absolutely not ok here either.


"We don't bake cakes for gay couples" is also not ok in the US; the court ruled against the baker


You are incorrect, that was turned over on appeal. But as you will see in "Subsequent Events," legality does depend on the specific cake.

https://en.wikipedia.org/wiki/Masterpiece_Cakeshop_v._Colora...


Thank you for the correction! Would I still be right to assert that it is illegal to refuse to bake a cake for gay customers, though? The ruling seems to be about how Colorado mistreated the case, and agrees that freedom of religion can be restricted by generally applicable law. I'm not seeing them ruling one cake is okay and another is not


Yes true. If the service can be provided without collecting and processing certain data you cannot coerce the user to "consent" to you doing so in order to access your service. E.g. the good old growth hack of collecting newsletter subscriptions by email-gating a "free e-book" behind a newsletter signup form.

There does seem to be a loophole for enforcing tracking ads as "legitimate interest" (i.e. not seeking consent) if you also offer a paid subscription without them, which is what a lot of German news sites seem to have shifted to. There was a recent court case in Germany however because a company got sued for not providing an option to not consent to everything that wasn't related to ads (e.g. analytics, third-party widgets and so on) and most sites seem to now provide granular controls even when they force ads if you don't want to pay. Note that they still have to lazy load the ads after consent is given in order to be compliant. I'm not sure if this way of forcing ads is compliant throughout the EU as it feels more of a gray area given that the site usually sends the full article and then gates it behind a consent modal on the client, i.e. there's no technical requirement to show the ads, just a sustainability one.


There are many protected categories.

You cannot discriminate based on race, for example.

A major point of GDPR is that it basically made "do you agree to tracking? yes/no" a protected category as well.

Specifically, it requires freely given consent to allow tracking. Freely given consent is defined by the GDPR as consent that was given without any discrimination, rejection of service, or extortion in any way influencing your choice.

So no, you absolutely cannot discriminate based on whether users agreed to tracking or not.


With the GDPR, you can't take tracking as payment for your service. Ads yes, but tracking no.


From the text, that was the intent. It does seem as if that is being tested now e.g. https://noyb.eu/en/meta-facebook-instagram-move-pay-your-rig...


GDPR does not allow for negative consequences for refusing consent - it must be freely given and if there is a negative consequence it is not considered to be given freely.


LinkedIn ... Which is Microsoft, right?

Good luck, then!


LI = Microsoft


Little by little, news is coming in that makes me more optimistic about privacy on the Internet.

1. Users/associations denounce more in court.

2. Large corporations receive more convictions against them.

3. Lawmakers legislate more on this issue. GDPR, CCPA, LGPD, PIPEDA,...

4. Small/medium companies are taking note and are taking steps towards greater privacy for their customers, if only to differentiate themselves in some way.

Maybe I am too naive


When GDPR took effect in Europe, a bunch of (mostly US) websites started serving "451 Unavailable For Legal Reasons" responses [1] to EU users. I wonder if there'll be another spike after this announcement.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/451


If this is the direction things are going sadly I think it will be norm to just not serve anything if you have it on.


Or tech will have to find a way to make money which doesn't involve stalking their users.


Sadly? For whomever is monetizing the data, possibly. I doubt anyone else will care (outside of secondary+ effects).


Yes it's sad if DNT becomes useless because you can't access the web with it.


I think that would go against the GDPR.


There are already companies that do not serve EU because of GDPR...


Cool, now DNT becomes another bit of user entropy to track us even better.


Safari actually removed DNT for this exact reason, it's no longer an option


Wow, this is a huge thing. It is how GDPR should have worked from the start. The end of cookiewalls and tracking forever.


The other ruling in this case is a bit concerning. The judge ruled that LinkedIn can't make profiles public by default.

1. I hate that LinkedIn ever makes me log in to see a profile and

2. It's pretty much the purpose of LinkedIn to share your information publicly

The idea that you have to obtain explicit consent to do what your website advertises itself to do is idiocy.

If I make a website called 'publishmypii.com', is a German court going to force me to add a click-through agreement that says I will publish users' PII? Total nonsense.


This is your regular reminder that anyone can create a LinkedIn account and see your profile, regardless of your privacy settings.


Rough translation from German for relevant parts:

"The social network LinkedIn is no longer allowed to announce on its website that it does not respond to "do-not-track" signals with which users object to the tracking of their surfing behavior via browser settings. This was decided by the Berlin Regional Court after a lawsuit by the Verbraucherzentrale Bundesverband (vzbv). The court also prohibited the company from setting a preset, according to which the member's profile is also visible on other websites and applications."

...

"If consumers activate the "Do Not Track" function of their browser, this is a clear message: They do not want their surfing behaviour to be spied on for advertising and other purposes," says Rosemarie Rodden, legal lecturer at vzbv. "Website operators must respect this signal."

...

"The District Court of Berlin agreed with the opinion of the vzbv that the company's communication was misleading. It suggests that the use of the DNT signal was legally irrelevant and that the defendant does not have to pay attention to such a signal. That's not true. According to the General Data Protection Regulation, the right to object to the processing of personal data can also be exercised by automated procedures. A DNT signal is an effective contradiction."


we need more of this!


Do Not Track is a silly nuance in Germany because the IP address is fully identifying there and the ISP contract owner takes full responsibility for anything happening behind it. Nothing to be excited about legal trolls burning public money on fighting LinkedIn in courts. XING is not going to happen, stop trying. Every "privacy" fart coming out of Germany is their predatory media publishers and copyright trolls unable to accept that internet exists.


The good news is that over 10 million largely tech illiterate Germans over the age of 55 will retire in the next decade.

Not only will the Germany of the 2030s be less technophobic, it will be significantly less relevant in the EU and on the global stage.

And by and large, Europeans won’t miss their stewardship.


> Do Not Track is a silly nuance in Germany because the IP address is fully identifying there

I flatly do not believe that CGNAT is not used in Germany. Do you have a reference for this?

> the ISP contract owner takes full responsibility for anything happening behind it

What's that got to do with anything? The issue here is the bad behaviour of the website, not the client.


Of course I have no source or reference. My life is too short and beautiful to litigate about or with German media publishers and copyright trolls.


Trust me, I could not care less about the German boneheads. But you are right, as always, the judge has little understanding how tracking works.

I have a heavily modified web surfing browser that offers me some amount of privacy and ad free experience. Pay walls I circumvent with "Pass paywalls clean" or with a bookmarklet that looks up the site on an archive.

In the end, it makes it harder for an average website to track me but not impossible. Don't believe me? Try this website:

https://www.amiunique.org/fingerprint

By the way, ghostery, the ad blocking software, is (was?) owned by a German media company. Hubert Burda Media. You can't make this stuff up. And no, you should not use it.


It will be funny watching the entire planet continue to ignore this.

Edit: to clarify, a specification based on asking for something is a recipe for everyone to ignore you. It's a design flaw. And if they fix that with a legal patch then it will just be moved out of the jurisdiction that the legal patch applies to.


It's just the same as "Keine Werbung" stickers on German letter boxes; you can ignore it, but it will get you fined.

Most large companies would like to continue making business in Germany, so I expect this to have some impact.


There is no jurisdiction that the legal patch doesn't apply to.

If you allow any citizens of the EU you're forced to fully comply with the GDPR or face legal action. It's illegal to cherry pick.

You can require a checkbox with "I'm not a citizen of the EU and I'm not in the EU at the moment" to sign up, but that's going to cost you.

If anything, a technological solution would be inferior. We're a rule of law world these days, not a motte and bailey world, and that's benefitted everyone except the moat diggers.


I think they are calling out how no one besides the really big multinationals actually cares what the EU does and will just continue to ignore whatever rulings they make.

Enforcement is always the biggest issue with these kinds of laws and the EU has been taking a slow approach so people barely care.


> how no one besides the really big multinationals actually cares

the big multinationals are (by definition) the companies that predominantly serve the European market so the gains for the consumer and liability for the companies go hand in hand. Sure the Oklahoma Gazette isn't going to care but like three Europeans visit their homepage every ten years so it's not like it matters much in the first place.

The actors you want to discipline are, like in this case, LinkedIn, Meta, Google, what have you. The sites that account for the overwhelming majority of traffic.


> There is no jurisdiction that the legal patch doesn't apply to.

I don’t think it applies to the US. The first amendment takes precedence over German laws. They can block access, but they can’t sue if there is no entity in Germany.


I’ve had this argument so many times. If I told a European that an American law applied to them, they’d correctly explain why that’s nonsense. When I tell them that a European law doesn’t apply to me, an individual running a website hosted entirely in California, I’m told I’m an arrogant American.

I like the GDPR. I’m glad we have CCPA here. I’m also glad I’m entirely outside the GDPR’s jurisdiction and I’m not subject to it.


Well, they'd be incorrect in any but the strictest sense.

Whatever the US wants to enforce, gets enforced. The DMCA, for instance.

And a small company might be able to ignore the GDPR, but the owners would still potentially get in serious legal trouble. There are quite a lot of extradition treaties in the world.

That being said, the EU has been very slow on GDPR enforcement so yeah, it's currently toothless.


Yes, exactly.

GDPR also includes restrictions of speech - you can't talk about corruption convictions if they happened more than x years ago - that I wouldn't mind the US going to war against Europe to shield these rights.


I agree (while clarifying that we're talking about a legal war, not a physical one, so bystanders don't need to come in and start yelling at us about it).

I've had some luck in said arguments by pointing out that Chinese law forbids certain content, and asking if they abide by it. It's interesting to discuss why EU law should apply to non-EU hosts, but Chinese law should not apply to non-Chinese sites.
