GDPR - what a complete waste of time

Jon (Access World Site Owner, Staff member; joined Sep 28, 1999; 7,305 messages)
I am utterly fed up with popups. Whenever I use my phone, nearly every website I go to has some popup I have to get rid of, frustrating my use of what used to be a much more frictionless internet. It's ruined the internet! And it is technically unworkable for a very large number of websites.

The stupidity of the popup messages is that every single site uses cookies. It's pointless to tell people every single time they go to a site. I spend all my days clicking popups to get rid of them! Wonder if there are any Chrome plugins to auto suppress them?

I just feel that it is unnecessary to add friction to using sites, make the internet a plethora of popups, just because some privacy militants from the EU get legislation enforced by those who probably don't understand the internet much. The EU wants to enforce this, but what happens if another country wants to enforce their own legislation, then another and so on? Ten popups!

Much better would be to have one popup when someone first starts their browser that says, "Nearly every single website you go to uses cookies for data, ads, tracking, etc."

What do you think of GDPR, privacy and popup fever?
 

vba_php (Forum Troll; joined Oct 6, 2019; 2,884 messages)
Don't you know how to shut that stuff off, Jon? Don't phones have the same ability? No website I've ever gone to on my phone has ever given me one popup, in 1 full year. Have you also seen this?

https://www.access-programmers.co.uk/forums/threads/browser-tracking-knowledgebase.309432/

I created it on my site because I was having an issue with my hosting company's dashboard showing the wrong content on every page I was visiting, and that's when I found out that it was the fault of both Chrome and Firefox. So I created a WSH VBS script to take care of the problem. I'm not sure where exactly the issue resided, but my solution drops all content from SQLite database files, among other things.
 

vba_php (Forum Troll; joined Oct 6, 2019; 2,884 messages)
Jon, are you sure you want to let an unknown program do THIS?
Cookie Notice Blocker works by injecting scripts into each tab
That word "inject" reminds me of your Ukrainian friends running those SQL injection attack attempts around here! :p If I were you, after you install the package, I would go to the dir where the source files are and check out what those people are doing and what tools they are giving you to work with. If you know the Windows languages, you should be able to find the script types they are using to do what they claim. I'm sure they're fine though. It's just an intelligent thing to do in any case. By the way, have you seen the little window at the bottom of almost all websites nowadays that comes from asynchronous code? The windows always have buttons on them, and one of them says:
allow cookies
It must be a corporate thing that has risen up due to a legal battle with the general public. That would make perfect sense.
 

sonic8 (AWF VIP; joined Oct 27, 2015; 998 messages)
I think the privacy legislation in general and the GDPR in particular are very sensible ideas. This post actually motivated me to finally write an article on “Why I love the GDPR as a software developer”. - I had that on my list for quite a while.

I am utterly fed up with popups.
Yes, the cookie popup madness as a reaction to the GDPR is extremely annoying. But making the EU's “privacy militants” the scapegoat for that is slightly ignorant. The people running websites are as much or more a culprit in that matter.

First, repeat after me: You do not need consent for Strictly necessary cookies!

Do you really need a whole host of third-party cookies if you are running a website? Probably not. At least not as many as most websites currently have. Still, website owners rather blame legislation for cookie popups than their own data collection insanity.

Asking website visitors with cookies disabled in their browser is completely pointless. They won’t get the cookies anyway. Still showing the consent popup is plain technical incompetence on behalf of the people managing the website (or the underlying technology). 90+% of websites are doing it anyway.

Then there is the cookie popup industry selling peace of mind. “You’re concerned about GDPR compliance? No worries, just buy our snake oil popup solution and you’ll be fine.” – And people are buying like crazy. Many of those solutions do not even work!

The EU wants to enforce this, but what happens if another country wants to enforce their own legislation, then another and so on? Ten popups!
Regarding privacy legislation, that’s nonsense. Those popups are to inform people about the data that is being collected by whom and for what purpose. If there were ten other countries implementing privacy legislations that might require minor additions to the info and wording in a popup (singular!) but not additional popups.

Much better would be to have one popup when someone first starts their browser that says, "Nearly every single website you go to uses cookies for data, ads, tracking, etc."
The cookie settings in your browser do exist!
It’s on the technology industry (browser vendors and website owners) to improve them and put them to better use. – They are not keen on that because most of them earn money by collecting data. – That is exactly the reason why privacy legislation is needed.
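
The two technical points made in the post above (strictly necessary cookies need no consent, and a visitor whose browser has cookies disabled should never be shown the popup) can be expressed as one decision function. This is an added example, not part of the original post or any site's own code; the cookie names, category labels and function name are constructed for illustration.

```javascript
// Added example: decide, per page view, which cookies may be set at once
// and whether a consent popup is needed at all.
// Category labels and cookie names are constructed for illustration.

const STRICTLY_NECESSARY = "strictly-necessary";

// Constructed sample: the cookies a hypothetical site would like to set.
const SITE_COOKIES = [
  { name: "session_id", category: STRICTLY_NECESSARY },
  { name: "csrf_token", category: STRICTLY_NECESSARY },
  { name: "_visitor_stats", category: "analytics" },
  { name: "ad_profile", category: "advertising" },
];

/**
 * Plan cookie handling for one page view.
 *
 * @param {boolean} cookiesEnabled  in a browser this would come from
 *                                  navigator.cookieEnabled
 * @param {Array<{name: string, category: string}>} wanted
 *                                  cookies the site would like to set
 * @param {Set<string>} consented   categories the visitor already agreed to
 * @returns {{showBanner: boolean, setNow: string[], askFor: string[]}}
 */
function planCookies(cookiesEnabled, wanted, consented = new Set()) {
  // Cookies disabled in the browser: nothing can be stored, so there is
  // nothing to ask consent for. Showing a popup here is pure friction.
  if (!cookiesEnabled) {
    return { showBanner: false, setNow: [], askFor: [] };
  }

  const setNow = [];
  const askFor = new Set();

  for (const cookie of wanted) {
    if (cookie.category === STRICTLY_NECESSARY) {
      // No consent needed for strictly necessary cookies.
      setNow.push(cookie.name);
    } else if (consented.has(cookie.category)) {
      // Visitor agreed to this category earlier.
      setNow.push(cookie.name);
    } else {
      // Must not be set before the visitor has agreed.
      askFor.add(cookie.category);
    }
  }

  // The popup is only justified when something is actually left to ask.
  return {
    showBanner: askFor.size > 0,
    setNow,
    askFor: [...askFor].sort(),
  };
}
```

A site that only sets strictly necessary cookies gets `showBanner: false` from this function for every visitor, which is the no-popup outcome the post argues for.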
 

Jon (Access World Site Owner, Staff member; joined Sep 28, 1999; 7,305 messages)
I am neither ignorant of the issues nor talking nonsense. We just disagree on the very basics. To say someone is ignorant because their view is different is being ignorant yourself. We have a big problem in the world where a small minority are often highly vocal and drown out the wishes of the majority. The highly vocal are more likely to take action and then persuade the less informed, such as the unelected EU bureaucrats. Add in a whole bunch of scaremongering and you have a movement on your hands.

In my view, the collective annoyance of the plethora of popups and the added burden to website owners far outweighs the heavy-handed approach of the EU on this matter.

Regarding privacy legislation, that’s nonsense. Those popups are to inform people about the data that is being collected by whom and for what purpose. If there were ten other countries implementing privacy legislations that might require minor additions to the info and wording in a popup (singular!) but not additional popups.
I am not sure you know enough about the matter. The rules for GDPR can differ between countries within the EU itself. What about if Country A differs with Country B on what the popup should contain? What about if Country A says you are allowed to prevent someone from seeing content if they do not consent to your cookie and data collection, while Country B says you cannot prevent them? What do you put on the popup then? What if North Korea decides that no cookies should be allowed at all? What do you do then?

They are not keen on that because most of them earn money by collecting data. – That is exactly the reason why privacy legislation is needed.
I went through a lot of research on the topic when the laws came out. There was a steady encroachment with the militant privacy activists over the years, where they were steadily pushing the boundaries further and further. People want everything for free. But when for example you deprive the content provider or free service provider from monetising from an advertising cookie, you are cutting off their supply of oxygen. Profits go down, less money to provide the content, quality falls.

Besides, does anybody actually read every single privacy policy and popup to all the sites they go to and do they not go there because of what they say? I imagine it to be a very small minority. If I am wrong, those who are fearful of shadows will only just deprive themselves of the richness of the internet in their war on privacy.

According to this link you are breaking your own beliefs regarding compliance with GDPR: https://www.termsfeed.com/blog/gdpr-notice/

Note these paragraphs:

Consent is not valid unless it is "freely given, specific, informed, and unambiguous." Basically, that means a "clicked" agreement is required.

The common practices of browsewrap, implied consent or pre-checked boxes will no longer be considered valid.

I saw no agreement on your page to click to give my consent.

How do you justify your beliefs when you ignore them so blatantly on your own site?

Edit: Sonic, I am sure you have way more people on your side than mine. But for the life of me, I just cannot see the big deal about all this privacy nonsense!
 

sonic8 (AWF VIP; joined Oct 27, 2015; 998 messages)
We just disagree on the very basics. To say someone is ignorant because their view is different is being ignorant yourself.
I said the statement was ignorant, because it was focused on one part of the issue only, ignoring other, in my opinion more relevant, aspects of the matter.


The highly vocal are more likely to take action and then persuade the less informed, such as the unelected EU bureaucrats.
I agree that poorly informed politicians are a huge problem in democratic processes on every level, not just the EU.

BTW: If you are interested in the EU and have some time at hand, you might want to verify the truth in and relevance of the term “unelected EU bureaucrats” with an independent source.

The rules for GDPR can differ between countries within the EU itself. What about if Country A differs with Country B on what the popup should contain?
GDPR rules cannot differ between countries in the EU. The GDPR is European legislation and is in and by itself law in each member country. Nonetheless, each country can enact additional laws as long as they do not contradict the GDPR. If this is the case, you comply with the laws in your country.

Edit: Any chance you are mixing the GDPR with the ePrivacy Directive (aka: "Cookie Law") here? Those are different things!

People want everything for free. But when for example you deprive the content provider or free service provider from monetising from an advertising cookie, you are cutting off their supply of oxygen. Profits go down, less money to provide the content, quality falls.
The idea is to make people aware of the fact that they are paying with their personal data for the “free” content. At least part of the problem with people wanting everything for free is that they were unaware of the hidden price they paid for the “free” content.

I saw no agreement on your page to click to give my consent.

How do you justify your beliefs when you ignore them so blatantly on your own site?
Consent to what exactly? And on which site?
 

Jon (Access World Site Owner, Staff member; joined Sep 28, 1999; 7,305 messages)
you might want to verify the truth in and relevance of the term “unelected EU bureaucrats” with an independent source.
Already done that in the past. It depends on what you mean by unelected.

Nonetheless, each country can enact additional laws as long as they do not contradict the GDPR. If this is the case, you comply with the laws in your country.
This is part of the problem. The laws are not retained within that country making them. They spread overseas. If the Spanish have one rule and the Italians another, which laws should you adhere to for your own site?

GDPR rules cannot differ between countries in the EU. The GDPR is European legislation and is in and by itself law in each member country. Nonetheless, each country can enact additional laws as long as they do not contradict the GDPR. If this is the case, you comply with the laws in your country.

Edit: Any chance you are mixing the GDPR with the ePrivacy Directive (aka: "Cookie Law") here? Those are different things!
Because of the vagueness of the GDPR legislation, each country has their own interpretation of what the GDPR law means. This is another part of the problem.

The idea is to make people aware of the fact that they are paying with their personal data for the “free” content. At least part of the problem with people wanting everything for free is that they were unaware of the hidden price they paid for the “free” content.
This is the first part of your argument where I see some validity, even if I don't think it is much! If you perceive your data to have some sort of value to a company, then you might feel that you want something in return. So then what do you do? Don't go to nearly every single website on the internet because they nearly all want your data? The internet is run largely by ads. If this forum had no ads, it would not survive. What is the difference if you go into a shop in person? They could collect your data. They have your gender, approximate age, what you look like etc. Why don't you go up to the counter and ask for a refund! :LOL:

Consent to what exactly? And on which site?
You linked to an article that you wrote, Why I love GDPR as a software developer. So, I looked at the site. I did a GDPR check. It failed. Since you feel this is an important issue, you might be shocked that you are not complying with the GDPR rules. If you, as a privacy advocate feel the GDPR rules are important and should be obeyed, why are you not following them yourself? If that is not your site, then obviously, this does not apply to you.

I ran it through a compliance checker. Here is the link: https://www.cookiebot.com/en/

You get sent a report with details on if you are compliant or not. I don't blame you for not being compliant. Most websites aren't. Some are partially compliant, and that is it.

I've wanted to understand this issue more, so I can understand the other person's side of the argument.
 

Steve R. (Retired; joined Jul 5, 2006; 4,617 messages)
Getting back to human nature. People (business, corporation, etc.), to get attention, elbow each other and/or attempt to circumvent regulations. Hence, we have intrusive offensive actions such as spam, junk phone calls, and pop-ups. What amazes me through these repulsive actions is that so much "noise" is created that the attention these people want is lost to the user who is supposed to be seeing their advertising messages. It is unfortunate that many people resorting to these deplorable tactics believe that they have this "right". These people could benefit from some self-control and self-reflection.

Of course, there has to be room for a degree of responsible non-intrusive advertising. Otherwise a lot of services, such as this website and Google would not exist.

PS: As an aside. Several websites that I drop-in on are almost unusable because of pop-ups and other features. But the issue that I am focusing on is the behind the scenes webpage coding. It must be excruciatingly complicated, convoluted, and subject to intensive maintenance. Is the work really worth it?
 

Jon (Access World Site Owner, Staff member; joined Sep 28, 1999; 7,305 messages)
I also go to some news sites where the number of ads is mind-blowing. On a desktop I can cope with them a little more, but on my laptop it drives me nuts.

Junk phone calls seem to come through despite being on many lists saying they aren't supposed to call. And more recently, there are AI callers who respond to what you say, faking that they are a real person. I used to get hundreds of spam messages per day. Probably still do but it's too painful to look in my spam folder!
 

sonic8 (AWF VIP; joined Oct 27, 2015; 998 messages)
This is part of the problem. The laws are not retained within that country making them. They spread overseas. If the Spanish have one rule and the Italians another, which laws should you adhere to for your own site?
You should adhere to the law of the UK. Unless there is a treaty between the UK and another country covering that matter, it will be hard to enforce a foreign law against you. – I’ll come back to that in a minute with an example.

Of course, this will be fundamentally different if you run a business with a physical presence in another country.

Because of the vagueness of the GDPR legislation, each country has their own interpretation of what the GDPR law means. This is another part of the problem.
In my perception the major part of the GDPR is not vague at all. There are some grey areas, but I think for most use cases they are not worth worrying about too much until they are clarified.

The internet is run largely by ads. If this forum had no ads, it would not survive. What is the difference if you go into a shop in person? They could collect your data. They have your gender, approximate age, what you look like etc. Why don't you go up to the counter and ask for a refund! :LOL:
Data privacy does not prevent you from showing ads. Would it make such a huge difference if you would not show individually targeted ads but generic technology related ads instead? –This is not meant as a rhetorical question, I’m genuinely interested in an answer.

If a physical shop would record that a white male, apparently between 30 and 50 bought some stuff, I would not object. If they would combine that info with data to identify me as person, like a photo or my credit card data it would be a different matter and would need explicit consent. – Customer loyalty cards are implementing that and with them you actually get a tiny partial refund.

So, I looked at the site. I did a GDPR check. It failed. Since you feel this is an important issue, you might be shocked that you are not complying with the GDPR rules.
Oh, I see. That is my site indeed. - The check failed in more than one way.

In general, such automated checks can only test some very superficial aspects of data protection and GDPR compliance. Nevertheless, as this is our very topic in this thread let’s look at that check in more detail.

The check just focused on cookie related stuff (no surprise for a website called “cookiebot”). It found 4 Google Analytics cookies on my site and addressed three (potential) issues with them (in reverse order):

Passed - Personal data is transmitted to 'adequate countries' only (GDPR)
The adequate country referred to is the United States. Well, my website passed but the test itself failed. The United States are not an 'adequate country'. Only US companies adhering to the Privacy Shield framework are adequate companies in a not-so-adequate country. Google does so, of course. So, my website is compliant, but the check did not mention that; I doubt they actually verified it.

Failed - Prior consent on personal data (GDPR)
Correct, I do not ask for prior consent. However, the check failed to notice that IP addresses are anonymized, and cookie lifetime is set to a minimum in the setup of Google Analytics. Thus, the data is not personally identifiable and the GDPR not applicable. It is just the data of “one visitor”, very much like in the physical shop example above.

I explicitly address this in the data protection statement on the website. So, it’s not something you would only notice when poking around in the source code of the page.

Failed - Prior consent on other than strictly necessary cookies (ePR)
That is not related to the GDPR but the ePrivacy Directive. Unlike the GDPR, the ePrivacy Directive is not European law but needs to be implemented by the member countries in local laws. The German implementation of ePrivacy considers the browser settings to be sufficient in that regard. So, if you set your browser to accept cookies you automatically consent.

Other European countries are not happy with the German interpretation of ePrivacy and complained about it, but to my knowledge this has had no effect yet. - This is an example for foreign countries wanting to impose their laws abroad. Unless there is some treaty or agreement between the countries covering that, it does not have an automatic effect.

So, while the check is not entirely wrong here, my website is still compliant to the ePrivacy implementation of the local jurisdiction.

(Warning to future readers: The EU ePrivacy legislation is currently under review and might be updated in the near future.)

So, am I shocked by the results of that check? No, not at all! After closer inspection they turned out exactly as intended. In terms of the law, I consider my site to be fully compliant to all currently applicable rules for data privacy.

Would I get around the cookie notice if not applying the more relaxed German interpretation of ePrivacy? I don’t know. I guess so, because I’m not using those cookies to identify persons. I would need to do more research on that to be sure.

My point: You can absolutely be compliant with data privacy regulations without bombarding your visitors with popup notices.

To not let the disadvantages of my approach go unmentioned: By restricting Google Analytics to not identify persons I lose all demographic information on website visitors and the new vs. returning statistics are utter rubbish. On the codekabinett.com site I do not care much about that.

On my AccessDevTools.com shop site, I lose the ability to track how a user purchasing stuff originally came to the site. I do not know which marketing channel is most effective. This hurts my interests as an online seller. So, I can understand businesses which want to track their visitors more closely. Nevertheless, I decided (for now) I'd rather not track visitors for the usability improvement of the absent cookie notice.
 

Jon (Access World Site Owner, Staff member; joined Sep 28, 1999; 7,305 messages)
My point: You can absolutely be compliant with data privacy regulations without bombarding your visitors with popup notices.
If this is possible, with no popups, I don't have much objection to that type of implementation. Popups cause friction, slow me down and drive me nuts. They are an irritant, and when I am using my mobile, it gets even worse!

I would say that the burden to site owners is considerable. Third-party cookies, their complexity and opaqueness in what data they actually collect is a minefield. To have all that data accurately in a privacy policy gets very difficult indeed. Imagine someone installs a plugin for WordPress. They have to then check what it does or doesn't do regarding privacy and cookies. I've had about 50 websites in my time. To create accurate details for all those sites would put me out of business! I would just have to close nearly all of them just to stay on the right side of the law.

Do you really read all those privacy notices when you go to a new website? Really? Do you really delve into each site's cookie and privacy policy page before you go on their site? Personally, I never read any of them. Collecting data on a website form is slightly different. But you can just add, "Your data will never be shared with a third-party."

I commend you if your intent is to stay compliant with your GDPR views. But I would say we differ in perspective on some things here.

The German implementation of ePrivacy considers the browser settings to be sufficient in that regard. So, if you set your browser to accept cookies you automatically consent.
I agree with the German implementation. But here is the problem with these types of laws that try to stretch across borders. If countries disagree, whose implementation do you adopt? If you have someone from another country (e.g. US) go to a German website, whose law do you need to abide by? German law, or say, US law? According to the GDPR EU militant rules, their jurisdiction stretches worldwide. So what happens if a country like North Korea says cookie notices are not allowed, since they like to spy on their citizens? You then cannot implement a solution without breaking someone's law. Should US companies really comply with whatever the EU says when the server is on US soil?

You should adhere to law of the UK. Unless there is a treaty between the UK and another country covering that matter, it will be hard to enforce a foreign law against you.
The problem of jurisdiction is a big one. According to the EU, GDPR extends to all countries. What gives them the right to say that?

This article is interesting: https://piwik.pro/blog/is-google-analytics-gdpr-compliant/

It suggests there are many problems with Google Analytics regarding GDPR compliance.

One thing you brought up was that you are giving your data (something of value) in return for the content. But the GDPR explicitly says that you cannot deprive someone from the content if you refuse to give your data. So what say you? Do you believe in a one-sided contract? Do you think it's fine for you to not give something to the website owner in data, but it's also fine to freeload off their hard work? :unsure:
 
