If a new regulation insisted that on entering a hotel room, a member of the hotel staff had to use a blacklight and you needed to explicitly approve every illuminated mark larger than a quarter, then you would be annoyed at that regulation.
There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate. Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I'm committing to when I click them.
How about this. For the past 25 years every hotel that you checked into has kept a record of:
- How often did you visit?
- How much money did you spend?
- What type of CC do you have?
- Did you watch porn?
- If so, what is your favorite type?
- Did you pass on dietary restrictions to the chef?
- Were you alone?
- Did someone other than the person listed as your wife on FB join you for the night?
- etc... etc... etc...
And then, without your consent, without even notifying you they sold this information to credit score companies, to advertising companies and to whoever the fuck will buy it.
Without. Your. Consent.
THIS is how the internet works today. Everyone grabs as much data as they can and then sells it to whoever wants to buy it. You have no vote in this. It just happens and it says so in weird legal terms on page 373 section 44 subsection 7a of their 700 page Terms of Service.
GDPR gives you this vote.
GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.
GDPR says: you cannot make your website / app / service unavailable if people refuse this.
GDPR says: you can ask companies how much and which data they got on you and they have to provide it.
GDPR protects you from an invisible industry many people don't even know exists.
>GDPR says: if you want to resell data you harvest you HAVE to get their consent, in clear and understandable terms. Can't bury it in your TOS.
>GDPR says: you cannot make your website / app / service unavailable if people refuse this.
>GDPR says: you can ask companies how much and which data they got on you and they have to provide it.
>GDPR protects you from an invisible industry many people don't even know exists.
And it does it by in effect forbidding you from interacting with parties that don't follow EU mandated criteria for what needs to happen for a packet to go from A to B. I don't care about what the EU thinks is good for me, I want to interact with server X whether or not it is GDPR compliant and whether or not it's over a protocol that lends itself to this nonsense; my data is supposedly mine, so fucking let me.
GDPR is fine with the selling of information, as long as you have given consent in clear language and not buried in TOS.
> Without. Your. Consent.
I'm really sure that every hotel has its terms of services. So does Facebook and every other site. What you described has always been illegal, and it has also never happened. What was sold was composed of data according to the terms of service that every person included agreed with. If agreement isn't consent, what is?
As a regular person, you should not need to be aware of such things. What GDPR tries to do is to restore some sane defaults into the process, just like customer protection laws do.
You don’t have to do anything to “activate” these rights under GDPR. You can just email the website in question and ask them to send an accessible copy of your data, or remove some or all of it from their servers. GDPR simply requires companies to adhere to certain consumer demands about my own data and respond within reasonable time frames.
Also I disagree with your analogy. Companies are allowed to track users for internal purposes Uber GDPR. But they are not allowed to sell your data to third parties without consent. The reason all these pop ups and consent forms are so complicated have nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests.
Okay ... let me try this.
> TO: cnn.com
> SUBJECT: Remove my data
Okay, let's send it!
> gmail: The address "cnn.com" in the "To" field was not recognized. Please make sure that all addresses are properly formed.
Oh. I've been around the block; maybe I can try admin@ or support@ or look at whois data, or browse around their website for a "Contact us" link, and maybe I can figure out how to properly assert that I do in fact own the account in question whose data I wish to remove, assuming I even have an explicit account rather than just a tracking cookie and a "shadow" profile. But isn't the GDPR supposed to be consumer-focused? What earthly consumer is going to go through these steps?
I have requested the removal of my personal data from multiple business, and I can assure you I'm quite earth-bound. Copy-pasting a template and filling in my name and account ID is not that hard.
This is the template they seem to be using for erasure requests: https://github.com/opt-out-eu/opt-out/blob/master/src/email-....
--
[0] - Maybe. I'm not endorsing it, I just found it today. I wish someone (maybe the author) could say something more about the validity of such process, and whether this kind of e-mail is enough in practice.
This again, is the fault of most websites. GDPR requires opt-in for tracking, etc. A website could just, by default, not do tracking. Then provide the tracking options in the preferences. However, most sites have gotten so data hungry that they can't accept GDPR's privacy-by-default and have to bother you with pop-ups to try to get your consent to track you. Add some dark patterns, like designing these pop-up forms such that they are effectively opt-out.
I can't wait until some organization sues some big fish to send a signal that blanket data collection or using dark patterns to trick people into data collection is not an acceptable modus operandi.
Also, we as consumers of the web can also help to improve things. Contact companies and ask them to switch to opt-in (as required by the GDPR), encourage them to not collect data by default (avoiding popups), exercise your right to remove data and/or see what data is collected. If enough people request this by e-mail, companies will have to set up automated procedures (provide a webpage to see or remove data).
Actually, it's easy. You can say "NO" to everything and still use the service. If the site denies service, they're violating the GDPR.
This analogy doesn't work because a) the vast majority of illuminated marks aren't harmful, b) the ones that are harmful aren't revealed by a blacklight, and c) you can take a shower after you leave to deal with the gross ones.
If, however, the light revealed signs of bed bugs we would be in the right ballpark.
Because:
a) everybody should want to minimize how much they deal with bedbugs
b) if you regularly sleep in places that have bedbugs you risk bringing bedbugs along with you to the other places you go
c) because of education and time constraints, people typically do not manually inspect each and every place in a hotel room that bed bugs could be. So if hotel staff could force the user to click a dialog that says, "This hotel room uses bedbugs for the following purposes..." that would be extremely useful for public health and sanity.
