9 comments

[ 3.3 ms ] story [ 9.9 ms ] thread
I’m a US resident visiting my European home country for Christmas, and I’m astonished at how much worse the web browsing experience is, now that the GDPR is law.

The cookie notices of old have turned into full-screen modal dialogs that are deliberately designed to be as obnoxious as possible. These dialogs list hundreds of cookies under multiple tabs and are filled with legalese that any normal person will immediately dismiss. A common trick seems to be to have an “accept all” button that is prominently displayed, but if you want to reject every cookie you have to click onto another tab, click a button to toggle all the switches off, then click “save & exit”. The “save & exit” button is often initially off-screen, and the worst offenders even disable elastic scrolling on mobile to make it as annoying as possible to reach. These shenanigans make private browsing mode particularly intolerable. I hope to see a legal judgement that makes these dark UX patterns explicitly illegal, but I’m not holding out hope. Either way, asking users to decide which third-party companies can set cookies is plain stupid and ripe for abuse.

To this lay user, so far this law appears to be a complete disaster for web usability, and business as usual for the big players (Google, Facebook, Quantcast etc). In fact, you could argue that the GDPR concentrates power in the hands of those megacorps. I am a privacy advocate but I think the GDPR is a joke, at least as far as tracking cookies are concerned.

>In fact, you could argue that the GDPR concentrates power in the hands of those megacorps

That's pretty much par for course with any regulation. Regulation creates a barrier to entry for new players which means that existing players benefit. Just like Microsoft wants AI regulated now that they're an established and large player in the space.

If there's enough of a net benefit for consumers is a separate issue.

I would expect to see at least some legal judgement against dark UX patterns. I was quite heavily involved on the technical side in GDPR compliance (EU company) and my understanding from the legal folks was that the regulation strictly forbids at least certain types of UX patterns, e.g. opt-out is a big no-no, consent should always be opt-in, you can nudge the user towards consent, the purpose of data processing must be expressed in an understandable language, etc.
Seems good overall, but unfortunately the article reinforces the myth that the GDPR applies to EU citizens. The regulation never mentions citizenship; for non-EU companies¹, it applies to "data subjects who are in the Union". A French citizen living in the US is not "in the Union", yet an US citizen living in France is.

¹ EU companies/organizations have to apply the GDPR to everyone

So why can't we have a GDPR notice only for IP coming from EU, and the notice will have a single accept all button and call it a day ?

GDPR is so much hassle right now that hurt small business more than those big Internet giants.

Accept all what? If you're a regular business and aren't tracking your users, you (probably) don't need to show anything at all. As the article says, consent is just one of six legal bases for storing user data.

I disagree that the GDPR is "so much hassle". Just look at the checklist in the article, it's nothing special.

"accept-all" style buttons are explicitly no longer allowed. This is a good thing as now on most websites I get a decline option that actually works, as opposed to previously where the options were "accept" or "gtfo".
I’m not sure how much this actually clarifies things, to be honest. But, who knows.

And about the cookie banners, we didn’t add them because we thought normal people give a crap about cookies. We added them because lawyers told us we needed to. Nobody is happy about those things- users, developers, nor designers.

Maybe I’m overstepping here, but I find it unbecoming to assume that everything developers make is just because that’s what they felt like doing that day. We aren’t cowboys, we take orders just like anybody else.

Surprised it didn't mention that consent doesn't mean 'agree to everything or get lost'. For many sites, it seems the only thing they do is ask you to agree to every tracker in existence sight unseen or leave, with no option to choose what cookies you want to allow or to view the content without them running.

Would also be interesting to see a legal critique of the equally common practice of assuming the user gave consent the minute they scroll the page or click anything on it. Seen a few companies argue that, and I suspect it's probably not compliant with GDPR (no matter how they spin it).