9 comments

[ 2.2 ms ] story [ 14.6 ms ] thread
It is funny that there are lots of "consent" discussions, entire companies to capture and manage user "consent", consent standards like "TCF v2.2" or "act"s like "GMA" when the whole thing boils down to designing a UI where a user will think they can't use the app or the site if they click "reject", or the "accept" button was simply more convenient.

I did not meet or came to know of existence of any one person who willingly gives consent for companies to use their data.

> I did not meet or came to know of existence of any one person who willingly gives consent for companies to use their data.

Get ready to be lectured on users being freeloaders/hypothetical users who would love to give away all their privacy for run of the mill blogspam.

I get your overall point, but certainly there are some cases where it makes sense: eg: when I input some text into a search engine — I expect them to use that input ("my data"), and it seems reasonable that they might retain it for a while and use it to improve their service, etc.

One way to draw the line is in which data is actively given versus implicitly obtained. We actively give search text, but our browsing history not so much.

I think the line is well enough drawn in this particular case. It's not "my data", but PII (Personally Identifiable Information) that most of the legislation is concerned with.

Firstly, the search engine does not require a person's name, address, gender, mother's maiden name, person's dog's name, all people the person is associated with etc to perform a search. If someone inputs these to the search input, it's just a search parameter not something that the search engine can reliable use to identify and track the person. So, a search is fine to perform, using the text for improving the service is fine, using it to do anything at all is basically fine, but collecting personally identifiable information that would allow identification of the user that entered the search parameters and using it for whatever the company deems useful for their own purposes, is not. Not ok without explicit consent of the user that is or if required to provide the service. Or a number of other cases as listed in the appropriate legislation, including the following.

Secondly, (most?) legislation, as far as I know, exempts businesses from the requirement of obtaining explicit consent, if the PII containing inputs, are required to perform the service. That could include for example using IP address logging for security purposes against DDOS attacks. It could be PII, but if its processing is necessary to provide the service, that's ok. No extra consent required.

Another example, if you need an email address from a person to send an "email verification email" for a "forgot my password" feature, there is no need to obtain additional consent beyond stating why the email address is collected and then use it only for that purpose.

Basically, no funny business with the data, use it for what it's given and it's all fine. No need for extra poopups asking, "may I plz stalk you/sell all your dataz?", if that's not what is being done.

Note: This is my limited understanding, not an official or legal interpretation or anything.

I don’t get it. I give the search engine a string. Who is arguing against them searching for the string? They’re arguing against using location tracking and third party tracking in order to figure out that, actually, you’re not searching for a specific type of tree trunk but for viagra pills.

I also might not want my previous searches to impact my later ones. (Just give good results again, Google Search...)

The issue comes down to how we define "user data" and "consent" (as casually mentioned in the originating comment).

Can the search engine look at your IP address or other location information to give you more accurate local results? Can they build a profile of your previous searches, to determine what you're interested in? If you search for your spouse's name or your place of work, is that now data they can associate with you?

This is not an either/or question of "user data"/"not user data" or "consent"/"not consent", but shades of gray (how much consent are you giving, and to how much of your data and for which purposes).

My comment was just meant to illustrate that there's a spectrum to discuss rather than it being a black & white issue. I tried to do that by giving an example of another point on that spectrum.

No to all of the above.

I already made the point that a search engine can just search for the given string and not muck about with user-specific data… that’s what the user expects a lot of the time.

I occasionally leave the "analytics" and "performance" boxes checked. It's the 3rd-party tracking that always get unchecked, and blocked (by uBlock) for good measure.
(comment deleted)