Since the deadline passed for the enforcement of the EU’s GDPR (General Data Protection Register) most major web sites have revamped their privacy settings with new privacy policies and more options for controlling how your personal data is used. Unfortunately, the options offered are in many cases too obscure, too complex and too time-consuming to be of any practical value.
Recital 32 of the GDPR says:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data … this could include ticking a box when visiting an internet website … silence, pre-ticked boxes or inactivity should not indicate consent.
I am sure the controls on offer via major web properties are the outcome of legal advice; at the same time, as a non-legal person I struggle on occasion to see how they meet the requirements or the spirit of the legislation. For example, another part of Recital 32 says:
… the request must be clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided.
This post describes what I get if I go to technology news site zdnet.com and it detects that I have not agreed to its cookie management.
Note: before I continue, let me emphasize that there is lots of great content on zdnet, some written by people I know; the site as far as I know is doing its best to make business sense of providing such content, in what has become a hostile environment for professional journalism. I would like to see fundamental change in this environment but that is just wishful thinking.
That said, this is one of the worst experiences I have found for privacy-seeking users. Here is the initial banner:
Naturally I click Manage Settings.
Now I get a scrolling dialog from CBS Interactive, with a scroll gadget that indicates that this is a loooong document:
There is also some puzzling news. There are a bunch of third-parties whose cookies are apparently necessary for “our sites, products and services to function correctly.” These include cookies for analytics and also for Google ad-serving. I am not clear why these third-parties perform functions which are necessary to read a technical news site, but there we are.
I scroll down and reach a button that lets me opt out of being tracked by the third party advertisers using zdnet.com, or so it seems:
I want to opt out, so I click. Some of the options below are unchecked, but not many. Most of the options say “Opt out through company”.
It also seems pretty technical to me. Am I meant to understand what a “Demand Side Platform” is?
I counted the number of links that say “opt out through company”. There are 63 of them.
Currently I am “Opted-in”. This is a lie, I have never opted in. Rather, I have failed to opt out, until I click the button. Opting out will in fact set a cookie, so that Adform knows I have opted out. I am also reminded that this opt out only applies to this particular browser on this particular device. On all other browsers and/or devices, I will still be “opted in”.
OK, one down, 62 to go. However scrolling further down the list I get some bad news:
How to control your privacy
What should you do if you do not want to be tracked? Attempting to follow the industry-provided opt-outs is just hopeless. It is mostly PR and attempting to tick legal boxes.
If you do not want to be tracked, use a VPN, use ad blockers, and delete all cookies at the end of each browsing session. This will be tedious for you though, since your browsing experience will be one of constant “I agree” dialogs, some of which you may be able to ignore, or others for which you have to click I Agree or endure a myriad of semi-functional links and settings,
Maybe the EU GDPR legislation is unreasonable. Maybe we have been backed into this corner by allowing the internet to be dominated by a few giant companies. All we can state for sure is that the current situation is hopelessly broken, from a privacy and usability perspective.