It would be nice if, unlike GDPR, some veteran UX leaders would be consulted before this legislation was drawn up.
GDPR was well intentioned, but many of the pop-up experiences are littered with dark UI patterns, and most of those pop-up experiences are annoying as hell.
An amendment has changed the rules on that. They need to be as easy to reject as to accept. Lots of websites atm are breaking the law on this still.
My hot take is that GDPR, CCPA, etc. should require sites to go through a standard user experience native to the browser’s chrome. Kind of like how Android and iOS handle tracking permissions for Play and App Store apps.
That seems like it would be way easier to audit / govern, and it would be a better overall experience for end users.
The issue with that is that there are so many different apps that process data in so many different ways.
A phone has a bunch of physical features. Letting a website/app know what’s available and request access is a small extension of the hardware APIs with clearly defined purposes.
But a financial app is going to have widely different data interests and processing than a workout app, which will be different from a video game, a calculator, a forum etc.
I don’t know how it can be normalised into something programmatic.
I guess it’s why law and courts are so complex. Sure, laws are written down, it should be easy… but they are regularly challenged and tested.
It’s a difficult problem to solve.
The ideal way would be to cut the legalese bullshit in the privacy policy.
However, that’s a legal document, so it needs the legalese.
It actually needs an honest, human-readable summary that sums up what’s collected, why it’s used, etc.
Oh, I’d noticed that a lot of sites now seemed a lot better. It’s so frustrating when a site has you jump through 4 delays to reject, but accept keeps working fine. As soon as there is a delay now, I’m out of there.
It’ll be nice when we have the settings built into your browser and the sites need to comply, so it’s on them, not you, to verify your preferences.
It’s worth re-mentioning this whenever it pops up.
The GDPR does not mandate the cookie pop-up. The GDPR just says that companies cannot gather personal information about you without your consent.
If companies weren’t trying to build a profile about you all the time, they wouldn’t need a banner in the first place. The GDPR is amazing because it makes it immediately obvious which rare companies actually respect you and your right to privacy, due to not needing cookie banners in the first place.
As someone from the UX side of the fence, I can assure you that there are a lot of legitimate convenience and/or fraud protection reasons why a company might store PII server-side for the user’s convenience. Targeted marketing isn’t the only reason to store identifying information.
Fraud prevention is a legitimate interest and does not need a consent request.
I’m pretty sure that is specifically called out in GDPR. Certainly ICO (UK) has loads of articles on it.
However, compliance under legitimate interests is often difficult to demonstrate, so it can be easier to rely on consent.
Imagine if fraud prevention mechanisms were ineffective if you do not consent to targeted advertising.
Black Hat: Darts! These dark patterns got me again, I accidentally consented, now I won’t be able to bypass the captcha!
God, let’s hope nobody ever tries that. Higher prices because you don’t consent to more invasive tracking, because it poses a higher fraud risk to the company.
Thankfully, processing the same data for fraud prevention should be a different consent process/option than processing it for targeted advertising.
That’s kinda the point.
Any server you connect to knows your IP address. As does any equipment between your home network and the remote server. It has to, that’s how networks work.
Processing that to ensure your IP isn’t abusing their servers is legitimate interest.
Processing that along with your interactions with their website likely isn’t legitimate interest, so it has to get consent (as this is likely profiling or user tracking, regardless of cookies used).
You could argue that it is legitimate interest, but then you have to back it up in your privacy policy as to why it is required, and it could be easily challenged as it’s such a broad and subjective term (whether that challenge goes anywhere is up to enforcing bodies, like the EU/ICO/whatever).
The idea is that the barrier of entry for “legitimate interest” is high enough and that abusing legitimate interest carries a risk, so that it isn’t the default.
Just because you have access to the data, doesn’t mean you can use it however you want.
Some French websites have already started saying “Accept advertising trackers or subscribe to the paid plan”. Marmiton started it, some newspapers followed suit, and I don’t believe the French courts have reached a conclusion on legality yet, but clearly some legal experts at those companies are convinced it could work.
I can understand where the newspapers are coming from. A lot of mobile apps do this, ads vs paid versions.
But an ad company’s product is not for the end user, and often their interests are at odds with the end user’s privacy.
They want to show ads to people where they are most effective. They want to prove they have shown the ads, and they want to prove that the user has been influenced by the ad.
All of this needs ridiculous tracking to support their business model.
It’s the ad companies at fault.
If you decline consent to an ad company, then they should show you generic adverts.
If a website requires ads vs subscription, then accepting data processing consent should not be part of the contract.
So, as long as the websites give you the option to decline data processing from the ad company without affecting your ability to use the website, then it’s fine.
Others have said it already but… That shitty UX experience is the website’s own fault. I suspect many of them make it especially shitty just to spite the legislation.
It was a predictable outcome that politicians should have foreseen.
Making it more annoying to not consent is already illegal, so otherwise that’s just the website having poor UX. What’s the EU got to do with a website that, intentionally or by incompetence, has poor UX? That’s not illegal and shouldn’t be… As long as both consenting and not consenting are equally shit, it isn’t unfair, and the poor UX is really just a detriment that the developers brought upon themselves.
While “technically true” it’s naive to assume the law will be implemented the way you imagine.
Government raises taxes on gas. “OMG the companies are charging more for their products!”
Government makes it harder to meet emission standards for small trucks. “OMG companies aren’t making small trucks anymore!”
You have to assume that companies will act as petulant children. They will almost always exercise malicious compliance.
I mean it costs money to design for and be compliant with. Doing it properly even more so.
You shouldn’t assume the contents of the GDPR based on what most companies are doing. It’s not legally consent if it was not given freely. So, no dark patterns, no coercion, no inaccurate descriptions, nothing. You need to inform the user as accurately as possible and ensure that they choose what suits their interest. Then it’s consent.