Except that if the sites don't do annoying things there is no need for annoying popups.
The EU law:
- doesn't require opt-in permission for essential cookies and similar. So basic non-personalized website usage statistics (analytics) do not need an opt-in; only if it's tracking people in any way are such opt-ins needed
- if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
- is not limited to cookies btw.
All in all this means that any site not based on ad revenue can fully get away without needing any annoying popups, if they don't do some sneaky questionable things.
Even for ads there are ways to do them without annoying popups, you just need to not track people. Tracking the number of times a website was loaded doesn't require annoying popups, just tracking who opened it does.
Similarly, if you track people only after they clicked on the ad, you don't need annoying popups on the site the ad is on but only on the site the ad navigates to (though only start tracking after opt-in). Which, given that many ads try to sell you stuff and buying things only requires an account, isn't that big of a problem as it might seem.
In the end you can say the only reason there are so many annoying popups is because most companies have no intention to respect the privacy of their users. Actually if you look into it and realize that many popups are not legally conformant or borderline illegal it becomes clear that they not only do not respect the users' privacy but the users themselves.
Though I have to note that, while many (most?) companies can switch to respectable advertising, some companies can't as easily do so.
The thing is, tracking cookies don't annoy me, because I block all cookies anyway (unless it's one of the few sites I need to actually log into), so they can't track me with them.
It's the popups that actually annoy me, especially because they keep on popping up -- ironically they need to store a cookie to remember that the user has accepted/denied, and my cookie-blocking blocks that cookie as well.
I think browsers blocking cookies by default and asking for permission before storing cookies is a better solution to this issue than GDPR popups all over the web, and leaves far less room for malicious websites to track you in spite of the user denying.
But the EU law is not just about cookies. It's also about e.g. fingerprinting your browser which is very hard to effectively block in practice.
It's a common misconception that it's about cookies. It's about data processing, i.e. tracking. There is a different law than GDPR which is about storing data on users' PCs but that is also not about cookies but about any browser storage and more or less got superseded(1) by GDPR.
(1): Ok, that is quite an oversimplification, but most popups are now about GDPR and having them also covers the other law.
> if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
Apologies if I've misunderstood your claim here but it seems to me that you are saying you can bury consent to processing inside your legalese.
That doesn't comply with the GDPR as I understand it; the consent must be informed and freely given. Informed in that case is debatable since you are lumping a lot of terms together. You certainly can't claim it's freely given if accepting the terms of service is not optional.
Hm, true, a ToS checkmark is not enough, you need to make the opt-in part clear. But it should be enough to do so when creating an account and for every change. At least if you put in a reasonably findable settings page which allows you to review/change such settings.
But I still believe you can do it once on account creation and then never again if people are logged in and nothing changed.
As far as I know if you only use the logs for DDoS protection and not for e.g. statistics and only store it as long as you need it for that and then delete it, it _I_ think should be legal without a popup banner, though maybe only if you don't give it to 3rd parties for DDoS protection? I have to look into this again.
The problem is the "only" part(s) ;=)
Oh, and you must reasonably convey that DDoS protection is essential for your service etc. Which if you ever had any (non super small) DDoS attack should be reasonably easy.
But I'm no lawyer and a bit of time has passed since I last looked into it, so if I now would need to make a corporate decision I would look it up again.
No, it applies to every resident in EU and EU citizens all over the world.
Edit: https://gdpr-info.eu/art-3-gdpr/ ("where Member State law applies" and "subjects who are in the Union" [...] "regardless of whether the processing takes place in the Union or not" respectively)
Edit 2: https://gdpr.eu/companies-outside-of-europe/ for more info: "The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"
It's related to the ePrivacy Directive, which is deeply intertwined with GDPR but a separate piece of legislation. It's not clear whether the GDPR's territorial applicability also holds for ePD. France in particular is drawing a divide between GDPR and ePD, because ePD lets them fine Google directly but GDPR requires they mediate through the Irish DPA.
The "cookie law" as part of the ePD is indeed older than the GDPR, but the GDPR kinda supersedes it by including all tracking/data collection not just cookie data collection.
It's also not entirely correct that the GDPR would require going through the Irish DPA or wherever a company in violation has their primary EU presence for tax purposes. True, the GDPR says the nation where a company has its primary presence of business within the EU should take the lead within the EU, but the French courts figured out that Google's Irish subsidiary is actually not making any decisions, the US parent is, and therefore it's fine for the French watchdog to issue fines skipping Ireland [1].
GDPR does not supersede the ePD. The ePD is, according to its own text, a law that extends the general privacy regulations to certain aspects of internet technology. So in many cases it defers out to the general privacy law in effect.
When ePD was passed, that law was the DPD, Data Privacy Directive. When GDPR was passed, all ePD references to the DPD became references to GDPR instead (this is Article 94 of GDPR). But ePD remains entirely in effect, just with updated references.
Most importantly, ePD requires Consent in certain cases, but defers to DPD/GDPR for what is the definition of consent. GDPR's definition of consent is much more stringent.
In cases where the ePD did not refer out to DPD, it remains unchanged by the passage of GDPR. So, according to CNIL, it does not include the one-stop-shop mechanism. See section "The competence of the CNIL" in the link below:
And as far as I know there is no ruling that using a VPN or other kind of proxy does make you count as "being in the country of the exit node wrt. actions done through the VPN".
Which means that you can't say a user is not residing in the EU (without a popup asking the user if they are residing there... ;=) ).
On the other hand if there would be such a law it would have kinda interesting consequences.
Well, somehow we in the EU have to comply with the DMCA, which is not an EU law. Every company that _does business in_ the EU can get in trouble for not following EU law irrespective of where it violated that law.
Sure they can, at least in theory. US citizens have to pay taxes no matter where they reside. Most countries will prosecute certain crimes abroad if those crimes were committed by their citizens or against their citizens or against the state.
The practical question is just if they can get hold of the people acting unlawfully.
The GDPR is implemented in British law, that's how these directives work.
Once the UK leaves the EU, they're no longer obliged to keep their implementation of the GDPR. The government can choose to keep their implementation, and in practice keep the same regulations as the GDPR, or they could reduce or remove their privacy protection laws as they see fit.
With London being famous for their camera surveillance, I expect the UK to reduce some if not all of the privacy protections the GDPR brought to the world.
The GDPR is a regulation (hence the R at the end) not a directive.
It became UK law as soon as it was passed by the EU, and it didn't need to be implemented into UK law.
The UK has already passed their amendments to the GDPR,[0] which will effectively fork it into the "UK GDPR". These will come into force on the 1st of January.
There's a "Keeling Schedule" available[1], which is effectively a diff between the EU GDPR and the UK GDPR.
I read that and it said that it applies to data not processed in the EU. I always interpreted that as applying to data centers and such in something like an AWS availability zone in the US. It said "the monitoring of their behaviour as far as their behaviour takes place within the Union." I never thought that applied to EU citizens all over the world. EU citizens living in another jurisdiction would be subject to that jurisdiction's laws, right? For instance GDPR wouldn't apply to a Spanish expat that lives in Thailand, as far as I understand it.
Yes, but if you reside in Spain and use a VPN with a Thai exit node to access a site in Thailand you are still residing in the EU and in turn the Thai website needs to comply with GDPR.
Though non-compliance can only be enforced if the entity behind the website/app or similar does enter the EU or does business with the EU.
I really wonder genuinely if the regulation has improved anything at all. I just click through the banners without even thinking. It has become so annoying. The value I get is below zero. I wonder if the majority is like me.
The regulation explicitly forbids annoying banners, the problem is that there’s currently zero enforcement of it so websites continue breaching it and lying to themselves (and others) by thinking their consent banners are compliant.
You have to love how the regulator did not even try to define what they mean by "annoying". Thus making the whole law completely useless.
In my book, any single pixel of my limited screen real estate that gets dedicated to this useless regulation is annoying. If the EU wants to enforce this, they need to provide a way for me to basically say "Yes, I agree with all tracking cookies for all sites forever", and never see a banner again.
Enforcement is already happening. Multiple confirmed cases of fines being handed out to businesses, organisations etc :-)
More importantly IMO they are also contacting entities up front to tell them about violations and how to get compliant; the fines we have seen so far seem (again IMO) to be only for particularly nasty cases and/or cases where the entities in question refuse to change.
This means the fines we are seeing are just the top of the iceberg: most changes happen underneath the surface and only trickle up in the form of less annoying websites (or fines) little by little.
Yeah, maybe. But not by clever design. The opt-out boxes are usually designed as secondary buttons. The opt-in is designed as the primary button. So if you want to change something you have to really think and make a deliberate choice, whereas most people in that moment just want to see the damn content of the site.
That's because the website operators deliberately design the experience to be obnoxious and frustrating.
They want you to have a bad experience if you decide to opt-out of detailed behavioural tracking, so that you'll feel pressured to "consent" to detailed behavioural tracking, and so you'll feel like the GDPR is to blame, even though it isn't.
I've put "consent" in quotes because it's not freely given consent if you are heavily pressured into it, and it's not consent at all if you end up believing you don't really have a choice.
These banners/dialogs do not even comply with the GDPR (despite saying the GDPR requires them), as GDPR says consent to non-essential personal data collection about you must be as easy to withdraw as it is to give, and the service you get must be the same if you don't consent as if you do.
Same here, and I'm on uBlock Origin and the rest. It's just ghastly; of all the scams (tech support and more) and other misery on the internet, the EU is just absolutely fixated on some of these random things.
Not that I am pro-privacy invasion, I'm not, but I'm definitely anti-annoying-popups.