To “Never register to their services. Never trust their TOS. Never click their Ads. Never accept defaults.”
… I’d add “never trust their information” - in the case of InfoWorld, their written articles. If a site is willing to manipulate readers to obtain consent, there’s no reason to think that its sponsorship disclosure policy or even its writing wouldn’t reflect the same priorities.
Under the GDPR you can hold and process user data if you have a valid excuse. If you don't have a valid excuse, you can still hold and process data if you get informed consent.
“Sounds Good, Thanks” doesn't seem like informed consent to me, so it doesn't grant the site owner any extra permission.
These kinds of consent forms are often designed by advertising companies using the IAB consent framework. The idea is that once a user has opted in on one site, their consent will carry over to every other site using the same framework. Naturally it's in their best interests not to allow you to mass opt out.
This kind of behavior may be going against the spirit of the GDPR, which states consent must be "freely given". Presenting hundreds of check boxes to click may be considered coercing the user into consenting. Will be interesting to see the first rulings about these kinds of popups and the even riskier "consent-walls".
Actually, this is not valid under the GDPR. It explicitly states that data sharing must be opt-in.
To make it valid, everything must be deselected by default.
But there is another pattern, that actually is allowed. Have everything deselected, put a "select all" button somewhere people easily click it by mistake, and offer no "deselect all" button.
You'd still leave a fingerprint in the logs. There's plenty of analytics tools that just harvest logs.
Mind you, not sure how much of the modern web would work once you disable JS and cookies, so I guess you might as well close the browser and go outside.
I think anyone suggesting a technical solution to such affronts on our legal rights is either naive or has contempt for the everyman. Most people are being coerced into this and aren't savvy enough to avoid it. The only real option is enforcement of the law.
> 338 clicks taught me a very important lesson. Whenever someone says: "We care about your privacy." you know they don’t care about you at all. It’s just deception
Probably I'm just picking a nit here, but since is the crux of the last paragraph, I'm taking it as thesis, and as a thesis, it seems overblown... unless there are really no companies out there who care about your privacy.
Undoubtedly, there are companies who will choose to say "We care about your privacy" when they don't really mean it, but I think the assertion that no company does needs more evidence than this single data point.
Yes, the author is exaggerating, but he definitely has the point: the "we care about your privacy" is utter hypocrisy in the modern web-world. There are a few companies that do care, but most don't and yet they have the courage of putting up all these false claims.
You know what's great about the GDPR? It's that all this is stripped naked and lies just in front of our eyes. The requirement to click hundreds of buttons in order not to be tracked is a slap in the face of each European user.
I definitely agree that in this case, the company is playing dirty. One-click opt-in, 338 click opt-out is downright malicious. I just don't think it's representative of everybody, or that one data point makes the assertion complete.
Honestly, I'd be surprised if InfoWorld even intended this behavior, while it seems just as likely that some requirements got lost in the shuffle of trying to hurriedly get GDPR compliance on the page.
Considering how few people still understand what GDPR actually does and doesn't allow, it's not really shocking to me that their attempt at compliance was done so ham-handedly, or that it might even have made them less compliant than they were before.
Even better, do it like forbes.com: put a pop-up asking for selection of preferences. Then wait for ages for a spinner to move from the 6% where it blocks for half an hour.
And then, when it's finally unblocked, you get this:
"Thank you for sharing your preferences with us. We are in the process of preparing the site to accommodate your privacy preferences and appreciate your patience as we do so during this temporary period. Please check back soon. In the meantime, if you would like to change your preferences, click below."
Screw you, forbes.com. Before they had a thing which blocked adblockers. Of if you disabled the adblocker you'd still have to wait about 10 seconds for an interstitial page to show you ads. I just wish I could remove you from my Google searches forever (as in, I wouldn't have to filter it out all the time).
MBNA (credit card company) do a similar anti-pattern. I recorded a video of you accepting the settings which had service improvements and targeting turned off by default. Click 'Accept and continue' and you literally see the option flip to on and you can't get back to the dialog again.
Only until now, I notice the optional actually says 'Accept all and continue'. I fell for it. It's relying on people's habit of not expecting a confirmation button to change the state of the options.
This is my first time seeing a site allow you to ban individual third parties. Is that a best practice for GDPR? Most site's I've seen only allow you to see what they are.
With that said, obviously clicking 300+ checkboxes instead of having an "uncheck all" is absurd. But, I can see how a site that has been around for years could have 300+. I just cleaned up a website the other day that had 50 (we pruned it down to 20 after 30 of them couldn't give us info on their GDPR policy).
I'm also concerned about the blanket statement that companies that say they care about your privacy don't. I've told people I care about their privacy and I actually mean it... :(
19 comments
[ 3.3 ms ] story [ 47.9 ms ] thread… I’d add “never trust their information” - in the case of InfoWorld, their written articles. If a site is willing to manipulate readers to obtain consent, there’s no reason to think that its sponsorship disclosure policy or even its writing wouldn’t reflect the same priorities.
“Sounds Good, Thanks” doesn't seem like informed consent to me, so it doesn't grant the site owner any extra permission.
Its up to the EU authorities to rule on this tho.
This kind of behavior may be going against the spirit of the GDPR, which states consent must be "freely given". Presenting hundreds of check boxes to click may be considered coercing the user into consenting. Will be interesting to see the first rulings about these kinds of popups and the even riskier "consent-walls".
But there is another pattern, that actually is allowed. Have everything deselected, put a "select all" button somewhere people easily click it by mistake, and offer no "deselect all" button.
Mind you, not sure how much of the modern web would work once you disable JS and cookies, so I guess you might as well close the browser and go outside.
Probably I'm just picking a nit here, but since is the crux of the last paragraph, I'm taking it as thesis, and as a thesis, it seems overblown... unless there are really no companies out there who care about your privacy.
Undoubtedly, there are companies who will choose to say "We care about your privacy" when they don't really mean it, but I think the assertion that no company does needs more evidence than this single data point.
You know what's great about the GDPR? It's that all this is stripped naked and lies just in front of our eyes. The requirement to click hundreds of buttons in order not to be tracked is a slap in the face of each European user.
Honestly, I'd be surprised if InfoWorld even intended this behavior, while it seems just as likely that some requirements got lost in the shuffle of trying to hurriedly get GDPR compliance on the page.
Considering how few people still understand what GDPR actually does and doesn't allow, it's not really shocking to me that their attempt at compliance was done so ham-handedly, or that it might even have made them less compliant than they were before.
And then, when it's finally unblocked, you get this:
"Thank you for sharing your preferences with us. We are in the process of preparing the site to accommodate your privacy preferences and appreciate your patience as we do so during this temporary period. Please check back soon. In the meantime, if you would like to change your preferences, click below."
Screw you, forbes.com. Before they had a thing which blocked adblockers. Of if you disabled the adblocker you'd still have to wait about 10 seconds for an interstitial page to show you ads. I just wish I could remove you from my Google searches forever (as in, I wouldn't have to filter it out all the time).
https://twitter.com/Martin_Adams/status/1006439897270546434
Only until now, I notice the optional actually says 'Accept all and continue'. I fell for it. It's relying on people's habit of not expecting a confirmation button to change the state of the options.
With that said, obviously clicking 300+ checkboxes instead of having an "uncheck all" is absurd. But, I can see how a site that has been around for years could have 300+. I just cleaned up a website the other day that had 50 (we pruned it down to 20 after 30 of them couldn't give us info on their GDPR policy).
I'm also concerned about the blanket statement that companies that say they care about your privacy don't. I've told people I care about their privacy and I actually mean it... :(