If I use Private Browsing (to protect my privacy) I am punished with more popups. If I open a website within a browser shell on mobile that doesn't have my cookies (some kind of webview of an app), I am punished with more popups.
Am I expected to look at every one of those dialogs and figure out what I have to click to "customize" my tracking?
Then there are the technical problems; one of those consent "solutions" that you see around actually shows a spinner while your "preferences are being saved". Sometimes it never closes.
I am frankly already so tired of this that I don't even care to look which of the buttons says "Agree" and which one says "Refuse". I just click on whatever I see. I know for certain that for less experienced users (my parents), every additional button to click is just another hindrance to achieving what they need to do. The thought "what if I click the wrong thing" is a permanent companion of their computer use.
These are very real, very concrete negative effects of GDPR. Is there something that we gained to make me feel better next time I am annoyed with all the popups?
Your annoyance is misplaced. Don't be annoyed at GDPR: be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy. We built massive amounts of technology infrastructure that just assumed that privacy and tracking wasn't an issue. Why do these websites need all these cookies in the first place? If I'm visiting a random blog with no advertising on it, why is it asking me for cookie consent? What possible purpose could that cookie serve, except tracking users?
As an analogy, imagine taking a black-light to a hotel room and realizing that the room is absolutely filthy. Would you be angry at the black-light for revealing the filth to you? Or would you be angry at the hotel, for not properly cleaning up?
If cookie consent forms or GDPR compliance forms annoy you, don't blame GDPR. Blame the sites that have no regard for your privacy and make no effort to comply beyond throwing up annoying prompts.
If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.
There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.
Pragmatic realizations of cause and effect are required instead of blame.
What about people who had absolutely no issue with the tracking and "privacy" concerns? I don't care if advertisers target me. If I do care, I use incognito sessions. I'm happy with all the free services I get on the internet and I don't mind giving them a bit of information about myself especially since I've literally never clicked on an ad, ever, so their efforts aren't even effective.
I think there's a small minority of people who care about this stuff, they just had loud voices and the ability to push global legislation through to make everyone else's life more difficult.
Actually, I think we should be annoyed at browser vendors for letting the problems with cookies get to this point. They're obsessed with backwards compatibility, but sometimes you need to break things to fix a problem.
This is one of those times. Consider, what is the greatest lever we have in this scenario? There are hundreds of thousands of companies and billions of users. Measures to change the behaviour of this huge set of people are futile.
However, there are only a handful of browsers, and the past few years they're somewhat responsive to user feedback. Browsers are our greatest lever, and the privacy solution will have to come from there. Remove cookies or neuter them significantly, like removing JS access to cookies and/or making cookies opt-in only for sites storing login info.
If necessary, add new types of concepts for gathering anonymous analytics data that's guaranteed to respect privacy, and new concepts to specifically store persistent credentials rather than general data and to which JS again has no access.
What I see, is that mostly companies continue the same behavior, but now with a disclosure you are prompted to accept.
I predicted everyone would just accept those terms in exchange for free services they already have invested into. Now we just have an extra annoyance. Has anything substantially changed?
Also, still waiting for the first major company-wrecking GDPR fine everyone was losing their minds over... any day now. There are doubtless plenty of companies still in violation.
Of course, the state of "what the State of California knows" changes every few days, and there's no penalty for being proactive and posting your signs without actually verifying that one of the ~800 chemicals exists on your property. So every business just places a warning sign anyway, and consumers ignore the signs.
No, these are very real, very concrete negative effects of every company and their grandma spying on your internet usage.
I know it's too much to ask, and I'm happy the GDPR went through as it is, but I wish EU could nudge browsers to centralize cookie and GDPR consent forms. Both to fix the UX (a standard browser interface would be much better than most of the popups out there), and to enable me to select "decline everything" once and for all, and never be bugged by it again.
The way GDPR works out it sort of expects us to care to follow this annoying process, and I don't think people do / want to and thus ultimately won't make good choices.
GDPR demands users engage in the process on the web in a very particular way. As far as that goes I suspect it will fail on that aspect.
GDPR isn't only related to internet services. I received a phone call today from my mobile operator, they got bought by a larger company and it was a sales call. However, they were asking to speak to person in charge in regards to company-wide mobile subscription and services - we use none.
What was disturbing is that I was contacted on my private phone number in regards to a sales call related to the company I work at.
The details I left when buying their mobile service (which was 20 years ago) don't contain where I work at. I didn't work at all at the time, but I kept paying for the service.
I didn't update my account details so I found it a huge surprise when they knew exactly who to call and on what number.
Being an EU citizen, I went GDPR on them. I don't want people to call my personal number and disturb me in my own free time with sales calls in regards to my company. How did they get my details? Who authorized them to contact me? I've many questions and luckily - now I have legal backing when asking them to anonymize my data.
This is simply false. GDPR only allows opt-in for these choices, companies are just implementing GDPR incorrectly.
Hopefully you'll choose not to use those sites.
For the first couple of months, I clicked all the "manage my choices" buttons. I felt the pain, but decided it was worth it. Then I discovered that for many sites, I would have had to enable 3rd party cookies in order for the choices to stick. That made me realise that I simply didn't want the marketers to even know that I didn't want them to track me; that I didn't want to enable the malpractice of companies that hadn't offered me the choice to disable their options; that I wasn't prepared to rely on the devs behind those dialogs to implement the design implied.
So now, I just close the tab and read something else. My hope is that others make similar choices.
I don't see any such things. What I got is many emails when GDPR started and companies asked me to click a link so that they can keep my data and emails saying that they changed privacy. I didn't click any of those links.
BTW I use an ad blocker and that hides much nonsense. Even before GDPR there were too many of these dickbars[1] everywhere and I'm annoyed at those. Every site has those subscribe to email popup and other dickbars floating around.
So GDPR didn't make things worse like you say. Although the internet has become worse with tracking everywhere and stupid designs making us suffer.
I usually browse the web from within the EU, and I have really begun to mentally filter out the popups because there's just so darn many, but on a recent trip back to the US, the difference was remarkable. A visit to commonly used sites like SourceForge or Washington Post was suddenly just seamless, and on some other sites I was no longer even searching around for the obnoxious cookie warning so that my screen didn't feel so cluttered.
That’s just the tip of the iceberg of the problems with GDPR. Watch as the enforcement side becomes selectively weaponized as a political tool against unpopular sites and the other shoe will have dropped.
GDPR is a regulatory bandaid to a technical problem. That geeks are calling for more regulation to fix their own failings to design privacy resilient network protocols and decentralized software which truly and actually puts users in control of their own data, is shameful.
It’s a common trope that users don’t care enough to seek out and use privacy enhancing and protecting solutions. I think that’s a load of crap. The current solutions are alpha quality and are not ready for general use. But the technology will improve and I am convinced they will destroy the competition when they get there.
It might not be necessary, or even compliant, to notify and gather consent for cookies via popup. This is just something that many web site operators are assuming will bring them into compliance, but there's no way to know that yet. Just like there's no way to know if you'll still be clicking through cookie prompts 5 years from now once we have a few GDPR test cases.
Let's wait and see how this all plays out.
At this point I just want those consent forms to be standardized via ARIA tags or whatever so that some extension can click the "yea, sure, whatever" button for me.
Integration of legalese into browsers should have been done a long time ago (another useful thing would be a "ToS" button in the address bar, so you don't have to go hunting for ToS and privacy statements, and read them in whatever painful CSS flavouring the site uses).
I think an equivalent of the GDPR becoming US law would go a long way to improving the problems of enforceability.
- by default they are not allowed to collect more data than strictly necessary.
- additional collection must be opt-in, and there can be no punishment for not opting in.
- showing these dialogs that are opt-out seems like a way to beg for a fine: "We hereby declare to all our visitors that by default we collect way more information than we are allowed to."
They are annoying precisely because they do comply and require explicit opt-in into tracking. In other words, they ask you to make your choice as the first interaction.
By default, they collect nothing - and immediately show the form. You are not punished for opting out and can continue the same way as those opting in.
But everybody is annoyed by being asked. Regulators perhaps expected this to be some setting hidden somewhere, but that’s so incompatible with free content business models that it was clear that won’t happen. This is the compliant consequence.
In addition, this is a bit like fire safety regulations. Sure, they are very annoying. All of us probably have experienced the empty battery beep of a smoke sensor in the middle of the night, and many have experienced a false alarm. That's the price you pay for lowering a significant risk.
Wait a few years, and you will see significantly lower risks of your data being collected and distributed without your consent.
I'd like to add that the GDPR is truly disruptive, and it will probably take a few 'product iterations' to get it perfectly right. That alone would be a reason to wait a bit and learn from experiences before rolling such regulations out everywhere. (I'm saying this as an EU citizen)
We have waited a few years with cookies law and nothing changed. Unless some browser based fix takes place, this degradation of web is staying with us.
Most of the sites you're talking about are probably in violation of the GDPR. They're hoping that by adding a big notice telling you about their violations they'll be OK. We'll have to see. But there should be a "Refuse" option that's just as prominent as the "Accept" option.
1. Private Browsing, separate sessions in web previews, etc. are all somewhat less privacy protecting than you'd hope (IP tracking[A], browser fingerprinting, etc.). The GDPR mandates that companies ask you about tracking before they do it. Those notices are a sign that they're trying to do that.
2. I do work in the tech, marketing and security arenas and the GDPR was like kicking a beehive. Everyone at least looked around and asked themselves: "Do we really need to keep this data?" and in many/most cases the answer was: "No". So they got rid of it.
The GDPR is a lot like a vaccine, the power is in the prevention. Which won't make splashy headlines, nobody is going to write: "A million records weren't leaked today b/c they were deleted off the server 6 months ago as they weren't needed."
A - every time GDPR comes up on HN, someone complains about IPs (either that it doesn't matter and/or that their Apache log file is full of them, so why bother). GDPR regs focus on what data a company is collecting, how are they using that data and did they get consent for that. In the case of IPs, you can consider implicit consent b/c they're browsing your site. But you did _not_ consent to have your IP tracked as part of a 3rd party marketplace for retargeting ads.
Nope. Likewise you aren't expected to read a car lease contract or the papers you sign to buy a house.
That is illegal under GDPR. I’ve yet to see it. The only dark pattern I’ve seen mentioned is “agree” and “fine tune the settings” (with rejecting all as level 2).
Of course, these fine grained access controls are also a dark pattern, make it annoying and look difficult just so you consent. There's even a few out there that take a minute with a spinner going "Please wait, storing your preferences..." even if just hitting "accept" is instant. As is "cancel". Dark patterns.
With an unregulated internet, any internet user has to take care of their own privacy and anonymity. Barriers for entry for new websites and services are very low. Data breaches and abuses of data can lead to users being concerned about giving their data to tech monopolies, which can enable competition.
Regulations like GDPR arguably make users complacent and lowers their guard, as well as strengthens the tech monopolies by adding to their moats. Would Facebook have been able to displace Myspace in the current environment? Or Google displace Yahoo?
The internet was doing fine for decades with minimal involvement from governments - why change things?
The earliest years of commercialisation were pretty good too - hundreds of small sites, all trying really hard, but all with terrible site design. :) The worst that adtech could yet come up with was an ugly animated gif and a little flash - which was super easy to block.
"Regulations like GDPR arguably make users complacent and lowers their guard"
What guard? How does a non IT expert envisage the ways that harvested data impacts their lives? Or the countless ways it can be connected up with other sources until it becomes pervasive? How are they meant to know that the news article they read has 15 different trackers on it along with the ads, or the reason some creepy retargeting ad turns up later in the day as though it knew what they were thinking?
Sometimes I wonder if _I_ know enough to take care adequately, and I've been online since before the www.
Now add the dark patterns and misinformation to completely misrepresent what most of these sites are doing with that data. Some of the big names excel at this.
"why change things?"
Facebook, Google, Microsoft and a hundred others got so greedy about data and tracking that the overreach was impossible to ignore. If GDPR wasn't already in progress, Cambridge Analytica and similar stories would have ensured it would get a reaction soon. Probably a worse reaction.
Yeah, people used to complain, loudly, about sites that allowed animated gif banner ads.
>With an unregulated internet, any internet user has to take care of their own privacy and anonymity. Barriers for entry for new websites and services are very low. Data breaches and abuses of data can lead to users being concerned about giving their data to tech monopolies, which can enable competition.
How is this the 'old internet' and not still the current internet? With exception maybe to the EU with GDPR now, this is what the internet is: everyone has to take care of their own privacy and anonymity.
Barriers for entry for new website and services are lower than they've ever been. You don't even need your own hardware, just rent it.
>Regulations like GDPR arguably make users complacent and lowers their guard,
So according to this theory, people living outside GDPR territory, like the US, are less complacent regarding their data?
Do you really think the _average_ American is less complacent than the average European? I hardly think so.
>The internet was doing fine for decades with minimal involvement from governments - why change things?
The internet was literally built by government(s).
Why Change things? Because we are now finding out people are building massive databases with personal information, bought from small, medium and bigger websites who happily sold it without telling users they did.
GDPR prevents this.
How can I be 'less complacent' and 'have my guard up' if I don't even know that companies sell my data behind my back?
By assuming they will, and taking steps to not provide your data to all and sundry. At the end of the day, companies can sell your data because they have it.
Things change on their own. The internet used to be accessed by highly sophisticated and technical users. Now it's mainstream.
And all mainstream things follow two basic rules:
1. Everything moves at the speed of the slowest person.
2. The weakest members of the community need to be protected.
Quaint but that's simply not true unless you're talking pre 90's. No point in kidding ourselves.
The internet was accessed by people who accessed the internet. They popped a floppy/cd in a drive and followed instructions. They then opened a browser and typed a url.
Nothing sophisticated about it.
Nobody was creating electrical signals by hand and sending them down a home made wire.
The old, unregulated Internet was not made of companies milking users of data and violating their privacy.
Of course it was better.
Right, but then Eternal September happened.
Nowadays, the vast, vast, vast majority of Internet users don't have the necessary background knowledge to understand how to protect their privacy online, and the people who do have that knowledge tend to concentrate into organizations that have a lot of financial incentive not to respect others' privacy.
Because the threat landscape — both malware and privacy-related — has seen a sea-change.
Not really, because much of the information data brokers have about you comes from other people. Oh, your mom gave LinkedIn access to her contact list? Now they’ve got your phone number, mailing address, email address, a contact photo for facial recognition, and lord knows what else.
Oh, your friend and confidant gave an app access to their text messages and email? Great, some data broker now has a copy of every email and text message sent between you. Hope there wasn’t anything private in there.
The argument that you can somehow protect your own privacy on the internet rings hollow when it’s invaded without any action on your part.
Easy to say, hard in practice when there's some really dodgy shit going on and given that most people don't actually (want to) dive into the subject, this isn't something that can apply to the modern age.
I mean while I agree, you postulate some libertarian ideal - freedom for all on the internet. And while I agree, there's some scummy companies that take liberties with that - and when they have a data leak, it's your information that's out there, despite your own protection.
I mean you could advise people to use an adblocker, but when said adblockers are exploited (so that advertisers can be unblocked if they pay a fee, mafia like schemes), or when the creator takes the money and hands over the code and effectively silently-auto-updating backdoor into the user's machine, they're fucked - not because of your best intentions, not because of their ignorance, but because something outside of their control.
When there's a big government with the power to shut down companies looming over there telling people to not allow said breaches in the first place, you'll be better off.
2) I can't help but notice that GDPR is a great idea for Brave / BAT. And look: I'm long on BAT (I'm not wealthy enough to be a whale or anything, but I bought a small amount in the very early days). But this seems self-interested to me, rather than an assessment of the proper course for American politics.
Eich admits this in part, of course, saying early in the letter that "I view the General Data Protection Regulation (GDPR) as a great leveller. The GDPR establishes the conditions that can allow young, innovative companies like Brave to flourish."
But he also says "The enormous growth of ad-blocking by people across the globe (to 615 million active devices by late 2017) proves the terrible cost of inadequately regulating the tracking-based advertising system."
Does it? It seems to me that people are working to find ways to improve their lives, and that they'll keep doing so to the chagrin of the internet behemoths absent any "regulation". In other words, the state is not needed to make this phenomenon regular - it's already quite regular and becoming more so.
Let Brave and Chrome fight it out and the best (not the most politically expedient) one win. For now, I'm using Firefox.
GDPR isn't the right to be forgotten, it's mainly about ownership of customer data, consent & privacy. You can have a look at this developer guide: https://techblog.bozho.net/gdpr-practical-guide-developers/ for what it means as a developer.
I'm not sure if you're making a humorous observation about how the "right to be forgotten" is not a legitimate form of privacy. If you are, bravo.
If you're not, and you are actually unaware of article 17, please see this link:
I think the EU missed a trick by not making Do Not Track legally enforceable.
I'd agree with you if ad & tracking blocking was mainstream, or even better, built into major browsers & operating systems and enabled by default. We are not there yet (and might never be since a major OS developer - Google - has a vested interest in keeping the cancer that is called advertising alive) so we need regulation.
In these conversations "advertising" is a very loaded term, not all advertising is tracking, not all advertising is invasive and not all advertising is served by shady clickbait companies.
With a little stretch even a review of a movie or a game is advertising. The GDPR might push toward a more sustainable advertising model and honestly I cannot see anything negative in that.
(also not all advertising is fake news and product discovery is a hard problem for both sellers and buyers)
But isn't Eich making the argument that it is mainstream? That's the whole reason I'm quoting him here.
Which is it?
Is Eich correct that the "enormous growth of ad-blocking by people across the globe" is evidence of some desire on the part of a global community to fight back on the ability of internet giants to track us?
If so, isn't this evidence that this phenomenon is already "regular" without needing any further "regulation" by the state?
He's trying to eat his cake and still have it.
So I'm just saying their track record isn't great.
Seems like he might possibly have encountered a computer or two given his special interests https://en.wikipedia.org/wiki/Jan_Philipp_Albrecht
As well as GDPR, which is one of the better IT related laws, he has sensible views on mass surveillance.
Politics is a slow game, the people who grew up with Windows 95 are only now starting to get elected.
Again I'll take none, but if this ridiculous fervor that's been built requires something, how about not-tech-specific rules around data sharing transparency? Just require details on what's shared and with whom for those seeking it (ideally companies publish it to prevent requiring individual request/response scaling issues, but their choice). You're gonna find most people don't care anyways, so they shouldn't be burdened with more hardline privacy requirements. Just increase the visibility for now.
And please please learn from EU mistakes and establish enforcement mechanisms. Don't just make exorbitant ceilings and move on. Have a framework to punish violators, and again start with small legislation until it can be shown enforcement occurs and is working.
Having said all that, can we just start with pro-privacy PSAs, education, targeted advertisement awareness, punitive measures for breaches, and relaxation of legislation preventing me from scraping/manipulating/proxying these sites however I want? If we all have to hire lawyers and/or compliance assistance, then the first step is too large. We can make our way towards delete-all-my-data-on-request laws later. Not sure what made this an emergency (actually I do know based on media and political driven fervor, but that will be best studied through the lens of history). But all these tech people, OP and commenters here especially, don't speak for many people who accept the current state or reasonably understand heavy-handed government regulations on the internet bring more bad than good.
And for goodness sake, don't use the domain of your should-be-neutral software to make a political post. You aren't gonna feel any pain now because you are in the same line with other popular pitchfork wielders, but your political leanings have bit you before, why would you associate your company with them?
There are enforcement mechanisms in the GDPR. IMO they also are quite good. The max fines are huge, but there are mechanisms to help misbehaving companies into compliance and also protect companies from random lawsuits by individuals.
Based on my research into the lax enforcement of GDPR predecessors and GDPR leveraging those same enforcement bodies, I disagree. This is why I advocate an incremental approach; so you can prove you are adept at implementing the measures you write down lest it become just words, or worse, an economic warfare tool to subjectively apply on a whim. Sometimes you even have to temper those words knowing your enforcement mechanisms aren't yet prepared. Nobody's asking for going after all offenders, just reasonable attempts at equitable large-scale enforcement.
Such as... a General Data Protection Regulation? GDPR is not "tech-specific", it applies to technical solutions, yes, but also to business requirements and administration, and non-technical data collection. One non-tech consequence here is that stores are encouraged not to ask your SSID equivalent, since that exposes deeply personal information to others nearby.
> Just require details on what's shared and with whom for those seeking it
That's a big part of GDPR, actually. You're allowed to collect data, with certain rules about transparency and anonymization, and as long as there are reasonable motivators for collecting it. Within reason and with exceptions, I'm sure, but nonetheless, that's a big part of it.
> You're gonna find most people don't care anyways
I'm willing to bet few people cared about regulations on traffic safety and alcohol as well. That doesn't mean that regulations to hold bad actors responsible aren't necessary, as has been proven countless times through leaks, sometimes very large or sensitive leaks.
> And please please learn from EU mistakes and establish enforcement mechanisms.
What do you mean by this? What "mistake" has the EU made? They have enforcement mechanisms in place to target companies for violations of GDPR. It will take time to work out the details and establish case law, but I don't see any way around that. Even if you introduce "small" regulations, companies will fight the charges or fines that you bring to establish precedent.
> If we all have to hire lawyers and/or compliance assistance, then the first step is too large.
You all don't. Larger corporations probably do, but that's unavoidable. GDPR was announced something like two years before implementation, and published in a lot of different ways beforehand. There were compliance consultants, yes, but there were also PSAs, education, advertisement, easy-to-read summaries and tons and tons of material to read up on.
> heavy-handed government regulations on the internet bring more bad than good
The view of pre-GDPR internet as something free of regulation, or free from government involvement, or as nothing but a land of milk and honey seems to me like a pretty severe case of rose-tinted glasses, especially if we're talking the last 10-15 years.
There have been a lot of issues with the internet, even without mentioning all the severe privacy breaches, or breaches that are a concern for national security.
Without the rest, sure. Laws also exist for consumer data sharing transparency in the US, they just need to require more detail and have their scope increased (again, if we're resigned to the fact that something must happen).
> That's a big part of GDPR, actually
Right, my whole point is starting small, i.e. without all the other big parts.
> I'm willing to bet few people cared about regulations on traffic safety and alcohol as well
We have to stop debating like this. I could bring up drug laws or prohibition to bolster my point about government regulatory overreach and its consequences. But doing this at a high level negates the nuances in the debate on this issue which has no historical equivalences from which to draw.
> What do you mean by this?
I have not seen large scale equitable enforcement of EU internet laws to justify their size. It's becoming a more rational approach to ignore the laws. Even proponents of the GDPR use subjective enforcement to allay small business fears of compliance. This is why I promote proving you can enforce before expanding scope.
> You all don't
That is a product of levels of risk, legislation scope, and market reaction to the general murkiness of how it will be interpreted and enforced. It's like telling a business they don't need an accountant, the information is all out there.
> The view of pre-GDPR internet as something free of regulation, or free from government involvement, or as nothing but a land of milk and honey seems to me like a pretty severe case of rose-tinted glasses, especially if we're talking the last 10-15 years.
Agree and I definitely don't share that view. I am proud of my peers for fighting it where we have, I just wish we could separate what we want vs how we get it.
Speaking of breaches, I think that's a great initial place to direct legislation and build citizen support against reckless companies without going all in on legislation of data specifically. It also has the benefit of punishing violations instead of prescribing specific maintenance rules.
Full-blown GDPR is overkill. It makes more sense to wait a few years and see if the situation in Europe evolves differently from the U.S. I personally believe the law fails to incentivise the sort of behaviour it aspires to, but that’s merely a hunch—better to wait until we have data.
That’s disingenuous. I’m saying this is the time to talk about data. But instead of coming out of the gate with a gargantuan salvo of complicated, expensive and unpredictable regulation, let’s start small and work gradually.
https://www.hanselminutes.com/647/how-gdpr-is-affecting-the-...
The text of the amendment, as I'm sure you're aware, reads as follows:
> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
I admit I fail to see how this prohibits introducing a law preventing an organisation from collecting data from individuals without them explicitly opting in to it.
Oddly enough, you're frustrated about "degraded UX", but for several years now - UX has been terrible with annoying popups asking you for your email, advertisement-ridden websites that attract traffic via well-crafted titles while the content is something to be desired...
Don't be a peon. But if you decide you want to be one, think about your other fellow humans - maybe they don't want to be peons.
I don’t get it. Have you ever been materially harmed by businesses storing, analyzing, or reselling information regulated by the GDPR?
Neither Google nor Facebook is in compliance with GDPR. FB was busted using 2FA phone number for ad targeting. Google has been taking data for various purposes for decades and linking it all together for other purposes. These are bright-line violations of GDPR's purpose-limitation design.
Smaller companies, by contrast, can change more quickly or start with compliance by construction, as Brave has.
It's a silly slogan that GDPR only helps big incumbents. Regulation tends to help incumbents under varying degrees of regulatory capture, as in the US. Europe is different, and India, Brazil, and other jurisdictions are following suit. California's CCPA is weaker (on protected data, opt out rather than opt in, ambiguity about duress = denial of service if off-purpose data not provided, enforcement), but also in line.
Obviously there are also still a lot of sites that try to wiggle around the GDPR by saying "By entering the site you agree to X", a practice that should soon be found to be in violation of the regulation. If that is allowed, the regulation for storage/processing becomes almost pointless.
That data collection should be opt in if it isn't an essential function of the app/site/service.
Strangely, we are still enduring this terrible UX experience, mostly because we don't have good alternatives or those that exist, are not known. I think we should spend time creating those and discovering and promoting healthier information sources.
Brendan Eich is seeking protection for his failing business from the government. He wants to use the force of law to make his browser more competitive.
I’ve got a better idea: let’s make JavaScript illegal. That’ll hurt the advertising industry too!