Because the law obviously didn't help stop companies from doing shady shit and made the user experience of the web worse?
The user experience is made shit by the companies doing shady things. If they didn't do shady shit, they wouldn't have to display any banner.
I'd rather be informed, at least I can make a decision that way.
Why shoot the messenger?
The part that is missing is making rejecting as easy as accepting. So far there are a lot of dark patterns, but there are sites that make it very clear and easy, and I appreciate it.
The law could have been much better if it simply asked browser makers to provide a single place to configure your preference, and then forced companies to abide by that setting.
Just because it's free and somewhat nice looking, doesn't mean it isn't shady shit. Maybe all you care about is counting unique visitors, but by doing that with Google Analytics, you're exposing your visitors to a complex surveillance product that collects data for its own purposes, and it sees much more than what's needed to just count unique visits.
I would love to have a technical solution for browser-wide consent management, but it wouldn’t solve the issue of granular, informed consent for all the shady things that are possible in adtech.
Also, the law certainly doesn’t prohibit a technical solution, but that really is something that the industry should work out.
The problem is that Google Analytics isn't _just_ collecting data for you, it's collecting a trove of other data that it's using to track and link users across other websites.
The fact that a question can be phrased like this really illuminates how much society has changed in 20 years.
Not so long ago sharing data between sites was definitively shady. Then Google somehow institutionalized it, and now it is completely mainstream.
> I would think counting unique visitors is a legitimate business interest
Yes, that's not it. Identifying people is, and collecting their personal data is.
Truly open culture does not accept tracking, for example there is no way to count Linux users. And people would not be kind to those who track physical newspapers.
Meanwhile I use uMatrix and uBlock Origin.
Setting a cookie is not in itself a GDPR violation. Collecting personally identifiable information is. You can collect unique visitors by setting a cookie but without collecting personally identifiable information, so no consent popup would be required for that:
1. Set a "site last visited: <date>, <serial-of-the-day>" cookie if it is not set.
2. Count hits as appropriate by examining the cookie - without collecting IP addresses.
Since no personally identifiable information is being collected with this scheme, consent is not required.
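The counting scheme from the comment above, as an added example that is not part of the original thread: a server-side counter that reads only the cookie and keeps aggregate totals. The cookie name, the `date.serial` value format and the `VisitCounter` class are assumptions made for illustration.

```python
import datetime as dt
import re
from collections import defaultdict

COOKIE_NAME = "last_visit"  # assumed name; the comment does not give one
# Assumed value format: "<YYYY-MM-DD>.<serial-of-the-day>"
_COOKIE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\.(\d{1,9})$")


class VisitCounter:
    """Counts hits and daily unique visitors from the cookie alone.

    Only per-day totals are kept: no IP address, no user agent and no
    per-visitor record is stored on the server.
    """

    def __init__(self):
        self.hits = defaultdict(int)          # day -> all requests
        self.uniques = defaultdict(int)       # day -> first request of the day
        self.new_visitors = defaultdict(int)  # day -> no usable cookie at all

    def record(self, cookie_value, today):
        """Count one request; return the cookie value to set, or None."""
        day = today.isoformat()
        self.hits[day] += 1
        last_seen = self._last_seen(cookie_value, today)
        if last_seen == today:
            return None                       # already counted today
        if last_seen is None:
            self.new_visitors[day] += 1
        self.uniques[day] += 1
        return f"{day}.{self.uniques[day]}"   # date plus serial of the day

    @staticmethod
    def _last_seen(value, today):
        """Parse the cookie; malformed or future-dated values count as absent."""
        match = _COOKIE_RE.match(value or "")
        if not match:
            return None
        try:
            seen = dt.date.fromisoformat(match.group(1))
        except ValueError:                    # e.g. "2024-13-40.1"
            return None
        return seen if seen <= today else None
```

The cookie is client-controlled, so the counts are only as trustworthy as the clients: a visitor who clears or edits the cookie is counted again as new.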
It helped immensely. I work in the financial sector in an EU country, and most institutions in my country are terrified about the GDPR.
The fact that some people will happily operate on the border or even closely beyond the border of law applies to any other regulation as well.
Running a website without a popup is easy. Just stop any processing that is not necessary for you to provide the service.
"But I want to track what users are doing!" - Well, then you have to show them a popup about that.
The GDPR holds that data protection is a fundamental right. Consequently, the user's interests generally trump a website owner's interest.
The cookie stuff, yes, it's annoying for us end users. I get it.
But take how H&M were fined for violating the privacy of their employees. That they had to stop doing that is a Good Thing, right?
GDPR is a highly complex piece of legislation that is very hard to navigate and therefore only established companies with big bucks to spend on lawyers and extra engineering can profit from the ecosystem while everybody else is put at risk.
Complex legislation and regulations are the best way to keep monopolies in place. Same goes for the financial sector, telecoms, etc. It's nearly impossible for new players to emerge.
These complex frameworks are put in place so that big companies that do nasty things can get away with it because they will be able to demonstrate that they have complied with the regulations while emerging players will break their teeth on it.
Instead of regulating _how_ data collection and processing should be done, we should penalise _what_ is done with the data in simple clear terms, and make _people_ (CEOs, etc.) responsible, not just give fines to companies. Basically, reintroduce skin in the game.
If anything, it was the big players getting work to do. Thousands of people on mailing lists with no control of how they got there. Asked and kept insane amounts of not necessary data. Data floating in hundreds of database tables spread over various services and third party vendors and data centers with no control. Cleaning up that was a huge job.