> tracking people without their knowledge, approval or a court order is just flat-out wrong.
Requiring them to check an "I agree to be tracked" checkbox and signing an agreement (which has just happened to me yesterday in an EU country in accordance with GDPR) before they can use a product/service is hardly much better. This reminds me of the Android app permission system which requires you to allow an app to do everything it wants (including ridiculous requirements like when a game requires access to your contacts list) or just give up the idea of installing it (as for me I just grant the permissions at installation time and then block everything redundant with XPrivacy). So I doubt it is going to do much good, much like the cookie law, which doesn't really do anything but introduce useless cookie warning banners.
> Requiring them to check an "I agree to be tracked" checkbox and signing an agreement (which has just happened to me yesterday in an EU country in accordance with GDPR) before they can use a product/service is hardly much better.
That's specifically not allowed under the GDPR. Either the information is needed to provide the service (and needed means actually needed, not "my business model depends on it"), in which case they don't need to ask, or the use of the service can't depend on that consent.
(By the way, even if the information is needed, they still need consent to use it in other ways, and the same applies)
See the ICO guidelines on the issue: "If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis."
How is "my business model depends on it" not a bona fide legitimate purpose for information collection? Nobody is forcing anyone to patronize a business that relies on data collection for profitability.
I'm extremely skeptical of regulation that interferes with consensual deals between economic actors. You want transparency? Fine. But you don't get to randomly outlaw certain entire classes of business.
> How is "my business model depends on it" not a bona fide legitimate purpose for information collection?
Business models are arbitrary and orthogonal to services provided.
> But you don't get to randomly outlaw certain entire classes of business.
Why not? Some business models are clearly antisocial and don't deserve to exist. GDPR is only outlawing business models based on large-scale abuse of people's private and identifying information. If you can obtain proper consent from a large enough percentage of your users, then your business model will be fine. If that's a problem for you, then ask yourself why.
I find it funny to see people complaining that their business model will be in trouble under GDPR. GDPR literally only outlaws being a huge asshole (in the context of users' data).
> Business models are arbitrary and orthogonal to services provided.
That doesn't change the fact that the business model depends on that orthogonal action. Is it unlawful for gyms to charge by subscription instead of per-use knowing that most people don't use them? Should the NYTimes be forced to go pay-per-article instead of subscription? Should nightclubs not be allowed to overcharge for the bottle?
> GDPR literally only outlaws being a huge asshole (in context of users' data).
It goes beyond that, by forcing you to serve people that don't agree to your business model.
> Is it unlawful for gyms to charge by subscription instead of per-use based on the model that most people don't use them? Should the NYTimes be forced to go pay-per article instead of subscription?
It isn't, and it shouldn't. Either can choose whatever works for them best. GDPR only outlaws a few particular antisocial behaviours, which makes a particular class of business models illegal or much less profitable.
The "but business model!" whining sounds a bit like complaining that you can't make money mugging people, because the government disallows theft and assault. Cry me a river.
Sure it is. How effective this business model is is another story.
Either way, you don't have an inherent right to specific business models and the EU is simply not allowing a business model anymore that has been widely abused. Of course it'll hurt some but I think overall the industry will adapt and change for the better.
One example might be the provision of a ‘free attraction’ service in exchange for surveillance capabilities, and the business model being various unrelated ways to exploit those capabilities (targeted ads, selling the raw data, selling products derived from the data, etc).
This has become the default business model of the B2C Internet, as distinct from offering a service in exchange for payment.
You wouldn’t think that militant orders of Christianity would have been workable, but they clearly were. I have no doubt that money and power can lead any ideology far from what we’d associate with their base principles. I doubt that vegans are the exception.
There are a lot of companies that are collecting data about you and me that we aren't patronizing. For example, even if you don't have an account at Facebook, they have a profile of you. Even if you don't do business with Equifax, they are collecting your data.
People want more control over how information about them is used.
Personally, I am extremely skeptical of entities where the only motivation is pure profit, and I personally would like to organize to protect myself against these entities that don't align with my civic concerns.
For the web, most people don't understand the scope of tracking and privacy. None of the people I know understand what these web companies are doing, how they are being tracked and what data companies have about them. Nobody reads the privacy notice on those websites. Even after someone tells them Facebook is tracking everything, they don't understand and just ignore it. There are no consensual deals on the web. So GDPR is for all of them (and for people who understand and want protection).
Also in America a company is more important than people. That's why there is so much negativity towards GDPR.
I visited a drugstore to buy some vitamins yesterday. They handed me a touch-screen where I had to check a checkbox (saying that I agree to allow my medicine shopping history to be stored and analyzed to track my health (which I obviously don't want them to do actually)) and an electronic signature tablet with a stylus where I had to put my signature. This was a mandatory condition for continuing to use a discount card that gives bonuses when you buy meds. I could opt out but this would mean I won't be given discounts any more.
Although it initially seems kind of scummy, isn't this better than the majority of ad services anyway? In exchange for selling your medical data, you get a discount. It's essentially getting paid for sharing your data.
Of course if it's essential medication which people can't afford without the discount then that's another matter, but otherwise it seems kind of fair to me. And it gets a bit more complicated if you're in America where that data is going to be used by health insurance to adjust your premiums.
That's a good question, I don't know if it's valid to offer discounts and such in exchange for consent. It goes against the EU principles ("personal information cannot be conceived as a mere economic asset"), but I'm not sure if the law actually prevents it.
One of the criteria for freely given consent is that the customer must be able to revoke it at any time without detriment.
If revoking consent causes a detriment, then it's not freely given, and so that "consent" isn't sufficient to grant the data controller a legal permission to use that data.
Quoting recital 42 from https://gdpr-info.eu/recitals/no-42/ "[...] Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.", so it's quite explicit.
> personal information cannot be conceived as a mere economic asset
I wonder why not? Personal information is useless for most people, they give it away for free to the state institutions and the police won't even ask your consent. Some websites and services have found a way to make money off it, in exchange for free services etc. Why is this an ethically unacceptable proposition?
Because it ends up abused by marketers, and frequently ends up facilitating crime as well. GDPR as a law came out directly from the last decade of mass surveillance economy.
So what? It was part of the agreement when you consented. The same way that when you go to a club, a strip club, or a casino you know you'll be exploited in a way. Sounds like advocating for overreaching laws that "save you from yourself" and keep you away from harm / drugs etc.
It's a bit ironic that you brought up mass surveillance because GDPR explicitly exempts the police and security services from its reach.
Edit (I can't post a reply):
- Consent should always be required, but if you don't consent I shouldn't be legally required to service you. GDPR is more than just consent, hence the overreach.
- The NSA has more data than any single actor on the internet, we can't possibly claim that private surveillance is worse. The NSA may have a better profile of me than any private actor even though (and especially because) I'm not American. And their profiling can harm something that businesses generally don't care to harm: my freedom.
I didn't consent to shit. GDPR is the response to rampant abuse of personal data without obtaining proper consent. You're still allowed to use my data if I consent, you only have to obtain an actual, informed consent.
> The same way that when you go to a club, a strip club, or a casino you know you'll be exploited.
What kind of clubs are you visiting? :o. Are you sure they're legal?
> It's a bit ironic that you brought up mass surveillance because GDPR explicitly exempts the police and security services from its reach.
It isn't, because adtech surveillance dwarfs government surveillance. Also, the police and security services are doing something valuable for me, even though they do it imperfectly. Advertising industry exists only to fuck me over. It's a cancer on society.
> It was part of the agreement when you consented.
That's a big point in GDPR, I think -- there never was consent. It's the same as why terms and conditions aren't legally binding: nobody actually considers there to be a valid agreement when they click next. In a sense GDPR is just enforcement of people's expectations, and ending predatory practices that were misusing them.
> Consent should always be required, but if you don't consent I shouldn't be legally required to service you. GDPR is more than just consent, hence the overreach.
Yeah, and in a world where companies were not abusive, it would work that way. As it is, we both know perfectly well what happens - companies have leverage over users, and they'll use it. They'll make you consent to every kind of data abuse and sharing to use the service, exploiting the fact that giving up privacy doesn't feel like it's hurting at the point the data is being taken. GDPR is designed to remove that leverage - to make it impossible for companies to extract arbitrary consents on the threat of refusal of service.
This only really affects you if your business model was baiting users with "free" services, spying on them, and selling that data to adtech industry.
> The NSA has more data than any single actor on the internet, we can't possibly claim that private surveillance is worse. The NSA may have a better profile of me than any private actor even though (and especially because) I'm not American. And their profiling can harm something that businesses generally don't care to harm: my freedom.
Sure, so NSA may have pulled in your e-mail history at some point in time. But it's mostly sitting there. NSA doesn't care about you unless you make yourself important to US national security. Adtech surveillance, on the other hand, tracks you constantly, through pretty much every device you have, every site you visit, and makes use of your data all the time. And all in all, this data might at some point find its way to NSA too, already nicely packaged. NSA vs. adtech is kind of like choosing high potential loss but very rarely, vs. low loss all the time. I'd say the expected loss is worse with adtech, but I'm still happy GDPR will make life difficult for both.
Legitimate question; if you're not American, why do you think the NSA would be impacting your individual freedom, or perhaps the freedom made available by the state(s) of your citizenship(s)? Or were you more referencing that it is violating your privacy?
There is international law which allows the US to affect me and my freedom even in my home country. It would be up to the local courts to decide. And of course when I visit the US, as well as my freedom to do business with US companies. Also, in this case the tracking is both without my consent, and without the protections that American law provides to Americans.
> Sounds like advocating for overreaching laws that "save you from yourself" and keep you away from harm / drugs etc.
I understand you probably move in tech/libertarian circles so it doesn't seem like this, but the majority of the world population is in favor of laws protecting people from themselves and keeping them away from harm.
Now what is overreaching or not is a matter of opinion, and hence politics.
I might be wrong, but I don’t think that this is allowed under GDPR. They have to offer to you the same services with or without the consent to collect your data.
Also, under GDPR, you can always request export and removal of all your profile data from their data stores.
Well, I guess that answers the questions "how much is my privacy worth to me" and also "how much does the society i live in value privacy" quite succinctly.
I think a lot of people/companies have been misled into thinking that the GDPR is just another type of cookie law and the same solution will work - get them to ok it by having an obtrusive message at the top of the site. They are in for a rude and costly awakening.
I wonder if there will ever be a suit in which that cookie banner ("Got it!" ugh) is found not to apply because users basically agree to it simply by seeing it. You have their stupid cookie by the time you can read that message. That doesn't seem like an agreement to me, but I'm not even slightly a lawyer.
The whole strategy seems to be in bad faith. I wish more sites would react by minimizing usage of cookies instead of just adopting that dumb overlay.