I was recently tasked with making an "Accept our use of cookies" banner for our public site. Before that banner we did not store any cookies at all; now we have one to store their consent.
That doesn't prevent dark UI patterns from highlighting "Accept" and hiding "Reject" as much as possible, or from not having a "Reject all" button. Some sites deliberately make you manually click on "Reject" for each "ad partner", at which point I bail out or disable JS or scrape the text if I'm really interested in the content.
The web of 2020 has become a hostile and ad infested place. I miss the simplicity of the 90s, but it might be nostalgia bias.
To be fair the web of the early 2000s was full of ads too. I remember a time when people still used Yahoo as their homepage which was basically just a giant ad delivery platform with even more invasive ads than we have today. That's not to say that today is much better. It seems like most sites today try to walk the line between ad revenue and user retention.
The new dark pattern is to default everything off, but then have a separate switch labelled "legitimate reasons", which are all turned on for default.
For example https://www.telegraph.co.uk/ (right wing UK newspaper). In the pop-up it says "You can also review where our partners claim a legitimate interest to use your data and, should you wish, object to them doing so.".
If you click manage it opens with "user consent" selected, where everything is turned off. Click save means they're not going to start tracking you, right?
Wrong: if you switch to "legitimate purpose", you'll see that everything is turned on. All those ad companies claim they have a legitimate purpose to be tracking you, even though you have zero business relationship with them.
Unless the ICO hands out some very heavy fines to those companies, the whole thing's become a farce, just like the cookie law was.
(PDF) Irish DPA's sweep of thirty-odd websites under its jurisdiction. Lots of good guidance here, but for the point specifically under discussion, ctrl+f "nudge." https://www.dataprotection.ie/sites/default/files/uploads/20... by the DPC on the use of cookies and other tracking technologies.pdf
Filed bankruptcy? No problem. Just make the credit companies forget about it!
After moving from the US to the EU, I've thought about trying to use that right on my credit history in the US. I don't think it would work, but it would be entertaining if they even responded.
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
if the processing is necessary for the purposes of preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.
For more information about special categories of data please see our Guide to the GDPR.
Respectfully, educating stakeholders is part of your job. Until you accept and embrace that, you're likely to remain stuck in roles doing useless things.
If they heard from legal they need it and legal hourly rate is greater than engineering hourly rate, they will rather waste engineering time than spend legal time to save engineering time.
Attempting to educate stakeholders is part of your job. Forcing them to accept your reasoning may not be possible and they may have other reasons for their decisions that you may not know about or they may not wish to reveal (legal, marketing, internal politics, etc).
And at some point in pushing back, disagree-and-commit is the right thing to do.
Since the topic touches law, it's more complex to some people than you might think. To us it's obvious, but someone else might think that they better be safe than sorry and not get sued for accidentally setting a (non-essential) cookie somewhere without letting the user know. I definitely know some people who'd rather implement such "unnecessary" things than exposing themselves to a potential legal trap.
I would recommend thinking like a lawyer and writing a memo like one. Legal writing and analysis follows a very common pattern known as IRAC (Issue, Rule, Analysis, Conclusion):
(1) Identify the issue; (2) Quote all relevant rules; (3) Analyze the rules in light of your specific factual circumstances; and (4) Reach a reasonable conclusion based on your analysis of the rules.
This is how your company's legal team is making recommendations to management. You have to fight fire with fire. The only advantage your legal department may have over you is access to more comprehensive legal research services like Westlaw and LexisNexis. But at the end of the day, all they're doing is researching what the law is and how the courts are interpreting the law. Search for the right terms on Google, and you can do a pretty damn good job at crafting credible arguments. We don't need the lawyers always acting like they're at the top of the food chain.
You might instead consider asking people why they're asking, and figuring out ways to promote more widespread understanding.
Concretely: you might actively promote adblockers and tell people why they should use them. And rather than saying "we don't use tracking cookies", you could explain "here's why so many sites have cookie banners, here's why we don't".
I'm not suggesting doing it proactively; I'm suggesting doing it in response to the question, if people repeatedly ask the question. "No, and here are other ways to protect yourself" is stronger and more definitive than just "no".
Lawyers would argue that it might be a good idea to put up a sign if your neighbors have a dog that could attack them.
(weak argument but somewhat funny).
Lawyers are ultra cautious. If you can -guarantee- that no one is going to magically add tracking/google analytics or some such to your site, then sure, tell them you don't need the banner.
Yeah, and I don't hold it against very early stage startups or Show HNs. But if your company has lawyers in-house preparing these texts, that's more surprising then.
Eventually we'll add an analytics plugin and need the banner. But at the time it was one of those "every site has one" decisions from non-technical folks. Similar frustration with arbitrary password requirements on the same site.
Probably an unpopular opinion - but if you do not have a physical presence in the EU, and you're not the size of some Unicorn corp, you can completely ignore these silly cookie banners for now and instead focus on things that actually matter for your startup.
My "dysfunctional product design process" alarm is going off.
The idea of implementing an annoying popup to support something you _might_ do in the future for any reason is madness.
And do they not realize that user credentials are a huge liability? Why would you want to support anything related to user identity if you don't need to.
I don't think it is irrational or madness at all. Imagine having to switch developers and then you ask for analytics from your new developer. It could very easily happen that they forget about the cookie banner.
I would go as far as to say it is wise to deal with it once and for all.
Especially since implementing the banner takes such a short amount of time. Worrying about it will waste many times more brain cycles, and once again there is always a chance someone forgets about it in the future, and legal worries will be infinitely more costly.
What are we as technical operators even good for if our counsel, judgment and recommendations (things I thought we were even hired for as valuable key contribution points) are frequently overridden by non-technical people who in the best cases don’t understand the evidence shown, in the worst don’t even care to?
Well, if you use Cloud Armour and you try to change the password it apparently doesn't like the password to start with $ and then this blocks the whole request.
Two options to solve it: disable the specific rule or change the password requirements. Sometimes the latter is the easiest in some companies.
At least 90% of the banners I get hit with around the web are automatically not GDPR compliant because they require you to opt out. It's amazing to think of the effort that's been expended implementing them while still failing to follow the law.
I'd call it a legal fig leaf, but it doesn't cover up anything at all.