
YIPPEE.

Does this mean no more of those stupid little popups every time I see a site? HOORAY.

Does it mean less absurd bureaucracy and non-jobs? GREAT.

As for data privacy... does anyone seriously think that Facebook was stopped from collecting data due to GDPR?



Ah this is the best bit! Because many companies cater for a global audience, us Brits will STILL have to endure the stupid little popups AND we'll have no protection or recourse from privacy invasion! Can't wait! /s


I don't think you're right at all. The US is the dominant online market. China is second. Neither have the stupid popups, so why wouldn't the UK just get added to the list of 'places we don't need to show it'?

Have you ever tried browsing many US news sites? They block the entire EU from even seeing their content. That's how much they care about their in-GDPR users. The idea that people cater to a global audience by just implementing the EU rules for everyone is patently false. If the UK diverges, it's free revenue to just add it to the whitelist, basically.


Okay, fair point, they might just re-include the UK in whatever exclusion list they have and that'll be that. But since GDPR came into force, others have followed suit, several other countries have begun implementing similar legislation.

This is anecdata, so fair warning, but over the last year (at a guess) I've noticed many US sites, FAANG companies but also smaller sites too, all flashing cookie/data protection type popups at me where they didn't previously. I've assumed that's because they need to comply with the CCPA which came into force last year, though it's totally a guess. I suppose their geoIP tracking may've just improved and spotted I'm in a GDPR country.

When does this type of legislation reach a point of critical mass where the UK is simply behind the curve and most companies just show the popup by default?

From a development perspective, having a whitelist or varying set of conditions per country adds complexity. I could very easily see a development decision being made to use GDPR as the common denominator and just code once for that, knowing that'll cover the company globally. Sure, if your business relies on tracking and serving ads, then you may accept the additional complexity to behave differently for different countries, but it still becomes a development decision that didn't have to be made before, and it's one with diminishing returns as legislation on privacy tightens.


I'm pretty sure those hyper-annoying multiple-popup flows that happen on YouTube, Google search, etc. are completely localized.

Yes it adds complexity, but the size of the markets and companies involved means there's a massive leverage effect. If you get 1,000 people landing on your homepage, small changes in conversion don't justify engineering time or complexity, true. If you've got billions of users, engineering cost pales in comparison to the revenue gain from even a marginal improvement in conversion rate, so it gets done.


Very true, for a big company, the time may well be worth it, particularly for the likes of FAANG where they have UK branches of their company.

I suppose my only counter left would be "is the UK market alone worth the complexity?" Having split off from Europe, and in-fighting among ourselves to the point where we may see the UK itself splitting up again in the next decade. Is it really worth adding additional complexity for a comparatively small market when companies could simply target the continent of Europe as a single market, regardless of EU membership, and probably reach a similar audience with a similar conversion rate?

I'm probably being overly cynical and only time will tell, but I just don't feel the UK alone commands the importance to have things its own way, so to me being lumped in with the EU as the lowest common denominator seems inevitable.


I think it will just depend whether the UK starts aligning with the US, say, or goes off to have its own esoteric regulatory environment. In the latter case, yeah, it seems likely some companies will just not bother.

The UK does get advantages from being an Anglophone country though. That's one of the issues with the EU single market: it sounds great in theory--a unified regulatory system that lets you attract customers from the whole EU. In practice though, you start having to consider whether Poland or Lithuania or wherever is worth localizing for.


From my experience, unless I'm missing something, they're annoying because they're not that well implemented, maybe even on purpose?

Sites where I have granted access keep asking me to re-grant no matter what. Sites where I have denied do the same (although here I would expect it, not that I agree, since I already clicked "no").

And actually it's cool, sometimes you go to some docs and there's 33 "essential" cookies for the well functioning of the website (for a paid product) from which 30 are trackers.

Others, like WeTransfer, will show them as non-essential when receiving a file, but about the same amount of trackers, and this is ok, it's well defined and they're not trying to trick me into clicking "accept essential cookies" with 30 trackers tacked on them.

Perhaps one day we can start blacklisting those who don't implement a correct consent cookie form from the internet and DNS wouldn't resolve for those non-compliant domains.


I think you're absolutely right. But I also think it was predictable. If we trusted the companies to do the right thing, we could have done that without GDPR. So OK, they live off advertising, they want to track, so now they just use dark patterns. What's next? Yet more regulations about exactly how to show this fundamentally annoying consent question? I just want to browse the internet!!!

Sometimes people talk about technological solutions to social problems. I think here the tech solution (like tracker blocking) kind of works, like I can use it on Firefox or Safari and it doesn't waste my time; and the legal solution is a failure.


But that forces you to install a plugin that you would need to review the code for which can even be more harmful than tracking - not saying it is, but if ToS are cryptic for a common person, reading the source code of a plugin more so (given that browsers don't offer a way to block what kind of information they provide - with exception of location - which should be something essential, but then perhaps Google would stop developing Chrome which in terms of functionality/performance has done great for pushing other things).

For me this is a question of privacy, I'm ok with ads, but you don't need this to show me ads. It's not a problem that FB has a face recognition pipeline capable of linking me to any image posted in their platform and that a state sponsored agency could use, and track me throughout the internet while logging me around, and which emails I open, and my location individually, and then my chats and probably WhatsApp too now, and Instagram likes.

The problem is when you connect all these systems, with everything else and suddenly you can derive almost a 24/7 coverage of the life of an individual. If you and another person meet and both are carrying their phones then it's easy to sort of connect the remaining dots, especially in light of all other data points captured, security surveillance (public and covert), etc. And this is not problematic by itself, it's problematic when it becomes a system that is available to be used by whatever powers that sit in a position to use them. Today it might not be nefarious but you don't know if tomorrow is the same, but once there it might be difficult to revert the situation.


The GDPR forbids dark patterns and unclear or annoying consent flows. A consent flow that assumes opt-in (pre-ticked checkboxes, etc) or hides the option to opt-out is not compliant.

The problem is the complete lack of enforcement, and the ICO has been particularly incompetent regarding this.


I guess Facebook can use the additional profit they'll make on UK citizens to pay for fines they incur in the EU

https://www.decisionmarketing.co.uk/news/facebook-sets-aside...


Facebook and Google Takeout only exist because of GDPR.

Right to delete (not just deactivate) your account only exists due to GDPR.

Right to opt out at all only exists because of GDPR, and many companies do actually stick to it.

That many don't follow the spirit of the regulation is not really the fault of the regulation. Thing is it's not been tested much in the courts yet, but the cases have really started last year so hopefully more enforcement incoming.


Google Takeout existed for many years before GDPR was even a thing: https://en.m.wikipedia.org/wiki/Google_Data_Liberation_Front


> Google Takeout only exist because of GDPR.

I doubt that since Takeout precedes GDPR by several years.


That is true, it’s pure naivety to believe GDPR changed anything. It enforced cookies to ask for permission and a few billions in extra bureaucracy. I don’t get why people want to live in a Kafka novel.


I work in the privacy field. I can tell you that after GDPR the multinational I work for has become a lot more careful/aware about data privacy. We went from collect everything and just store it, to actually having limitation of data collected and how long they are stored.



