Personally, I am that sort of privacy maven. I do find the "reject all" button for cookies; I use multiple plug-ins to block all of this stuff. And I don't think that personalised advertising is a fair trade for free things on the internet. As far as I'm concerned, every person that looks at a piece of content should get the same ad - permanently: when I look at an article from 1999, I should see the pets.com ad that originally ran with it; when I look at articles from 2006, I should see Enron ads, just like when I read a magazine from back then.
But I absolutely understand that I'm in the small minority who think like this.
Same here, I always go for Reject All. I don't think "free stuff" is a good reason for most organisations on the planet to have access to, say, which politicians I'm following on social media. Anonymity means little if the data comes with my age, city and job. I also have no love for an ad-based economy, because it creates a financial incentive to collect as many clicks as possible, so if the Internet has to adjust, fine with me.
I don't understand why there's not an option in every browser to answer this question for me in the background. Is it part of the law that I have to answer this cookies question all the time every time?
The law doesn't say "you have to have a pop-up." It says "you need to get consent" and this is just the way most of them implement asking for it.
In theory each website is different for the kinds of cookies it has. The W3C has put forth various proposals for tracking and a law could potentially codify that.
The website doesn't have to ask you. They just have to ask if they want to use cookies. So *they* try to wear you down by asking a lot if you say no, and try to retain your "yes" as long as possible.
> I do find the "reject all" button for cookies;
I think GDPR means that this button is supposed to be very easy to find. It's almost funny how they make you hop through exactly *one* hoop, and they always present the hoop with the same language.
Hey, a thing I know about! I worked in a company that had a huge data compliance team, so I can speak to this.
Quick background: "SQL tables" are how programmers and data analysts can access and use data in an intuitive manner. Engineers create "data pipelines" that put data into SQL tables in an efficient and automated manner.
So because of GDPR we couldn't put some Salesforce (customer relations) data into SQL tables without some long approval process from the compliance team. For what it's worth, I could easily download this Salesforce data, attach it to an email, and send it to literally anyone. In other words, keeping the data out of SQL tables secured no one, but GDPR applies to the SQL tables and not Salesforce itself for reasons.
So keeping the data out of SQL tables was pointless... but we didn't keep the data out of SQL. We needed the data for our jobs, so multiple teams would just say fuck it and manually upload the data to SQL tables. Until my last day, I was manually uploading this data while waiting for compliance to approve a data pipeline.
Basically, GDPR created extra compliance processes to allow people to do what they were doing anyway, and the data could have been attached to an email and sent out anyway.
> I could easily download this Salesforce data, attach it to an email, and send it to literally anyone
You are likely a "data processor" and I bet you aren't allowed to do that, but I wouldn't want to get in a fight with your compliance team about it.
Of course I'm not allowed to, but there's basically nothing stopping me from doing so.
The GDPR isn't a technological control; it requires companies to have controls. Those controls can be technological or legal. Legal controls are usually a lot easier on everyone.
I agree on your main point -- I'm no great fan of the GDPR & its idiot clicking nightmare, but I do care about privacy (as do many people I know) and take steps to minimize tracking, and I work in this field. So please forgive my "akshully" here, but for the record, "incognito mode" merely grants you privacy from your spouse (or anyone else who shares access to your computer) -- only local data is deleted, so it does exactly nothing to prevent you from being tracked online by the wider internet powers that be.
This is a good point and I think I did a bad job of describing the level of privacy that incognito mode provides -- I was too eager to get to that "the other 30 percent of the time" joke! I've changed the second reference to read "such as using a VPN to make themselves more anonymous".
https://www.vice.com/en/article/m7vzjb/location-data-abortion-clinics-safegraph-planned-parenthood
Privacy issues are all fun and games when it's someone trying to sell a humidifier; it gains a luster of some danger if it turns out to enable anti-abortion vigilantes using Texas' personal lawsuit law to track down people who left the state for abortions.
Anytime you think "What could go wrong with unconsciously accepting cookies?" just look at how China uses them.
Sure, looks like people don't care about privacy. But... idk man, shouldn't they? My impression is that the reason people are okay with the lack of privacy is that we're largely inured to it. Older people are uninformed, and younger people have given up. But even if people don't care about the issue, doesn't mean it isn't an issue. And I'd say we're worse off, whether most people know it or not, with the boundaries of our tastes persistently reinforced by online advertisers.
I'm sympathetic to the idea that people really *would* care if they knew.
But this attitude can be used to abuse a lot of things about how people need to do things for their own good, even that they don't want, even if they're asked.
Lots of people would rather have a life filled with ads than pay $5 a month for Facebook, though. One of the big reasons the "we give it away for free and sell you ads" model took off about 20 years ago was because it got rid of the purchase decision.
...plus, I can't imagine Facebook not still collecting all that data, even if they were also charging for it (Google charges for YouTube premium but still tracks exactly what/when/how/why you're watching).
They can be restricted from doing that by law or by contract (i.e., we promise not to track you in exchange for your five bucks a month).
Ok, I have to laugh, because today in my German class--possibly at the very moment this post dropped--a student who is Belgian was passing around Belgian chocolates so we could have a Swiss vs. Belgian chocolate taste-off. (For the record, even though I live in Switzerland, I prefer Belgian chocolate.)
I agree with you that most people are much less concerned with privacy than the EU authorities think, and that those “accept cookies” buttons on everything are super-annoying. Another issue is that my Google searches turn up an order of magnitude fewer results over here than they do in the US. That seems to me to be a much bigger problem than that I get suspiciously well-targeted ads for, to take one example, a special sling for your dog in case she injures herself on a hike.
I also live in CH and prefer Belgian chocolate. THE FORBIDDEN FRUIT TASTES SO GOOD!!!
Preach, sister!
> You probably wouldn’t want your credit card number to be public, but you might not care if a company knows that you “liked” some random YouTube video.
I am perfectly okay with my credit card number (occasionally) being leaked. It's a hassle and I would prefer it not happen, but if it does it's not *that* bad because I can change it and reverse any transactions done with it.
On the other hand, once my first pet's name is leaked, I can't change it.
Loved your humor, completely disagree with your conclusion. Included in the data that can be stored on your phone is not just that you visited LustyLasses.com but that your location was the Sisters of Charity Convent when you did. And maybe no one cares where I went but I don't want someone who spends Monday to Friday from 9 to 4:30 at a credit card company to be "discoverable" because then their data might give a clue to what their password might be. That's when your paid subscription to SupportAOC.org gets you arrested during the second Trump administration (2025 through they cancelled all future elections).
I appreciate the respectful disagreement, though my honest reaction is: Seems awfully abstract. Yes, we can imagine situations in which things like location data could be compromising, but aren't those situations extremely rare? And aren't the steps people would have to go through (e.g. unmasking an IP address, publicizing those findings) pretty elaborate, thus making potential abuses even more rare? Do those concerns outweigh the costs of an elaborate regulatory structure, which we're now learning are pretty substantial? I'm leaning towards "no".
You are right that the costs for such regulations can be substantial. I only have anecdotes about what can be done when our private data is discoverable. I'm sure you'll remember the case from last summer when a Monsignor in the Catholic Church was outed as gay and forced to resign through data purchased legally from his cell phone vendor:
https://apnews.com/article/technology-europe-business-religion-data-privacy-97334ed1aca5bd363263c92f6de2caa2
This article makes a much stronger case than I can for the harms that can come from use of personal electronic data and the amount of data and increasing ability to comb through data with ever greater alacrity only makes the problem worse.
In the pre-Internet era what books you checked out from the library could be used against you so laws were passed to prevent just that sort of intrusion:
https://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy#:~:text=The%20right%20to%20privacy%20includes,information%20private%20on%20their%20behalf.
Oh, darn. My pedantic meter is pinned! I gotta go.
And in the alternative authoritarian universe when your dead-naming someone in a private email gets you arrested. There's no monopoly on the desire for control. (Not at all a denial of your assertion; the right would do it in a heartbeat.)
It's incredibly scary what can be done with location data and location history and how it's there on the open market for pennies. It's one of the things that should be considered highly sensitive.
The big part of this that isn’t mentioned in the post is it hinders a Government state from buying and using seemingly innocuous information for nefarious means. (As in people could avoid cookies or other data saving on those sites to try to stay out of those data lists)
The examples I specifically think of are in nations where it is illegal to be gay, the Government buying data not even necessarily about porn but about people that may use gay chat rooms or similar sites and tracking down people using it. Similarly people doing things like buying equipment used for protests.
The modern EU countries wouldn’t be the prime suspects with this but:
1. It protects for the future in case they ever were to become extremely fascistic
2. As you say in the post, GDPR affects people all over the world so pushing countries that would be likely to do this away from that possibility is a good thing
There’s also a good podcast episode of Reasons to be Cheerful called ‘Data, Mine’ about similar issues here
I'm slightly curious (i.e. not curious enough to try to look it up myself) as to why the GDPR had a big impact when the EU had already had a Data Protection Directive for about 20 years, a directive that defined personal data similarly to the GDPR and so on. Is the difference just the DPD being a directive and the GDPR being a regulation?
To contribute an actual observation...I'll pick at the "advertising makes most of the internet go" concern. The GDPR doesn't ban advertising as such, so online companies relying on ads can still push ads without triggering GDPR requirements; they just can't TARGET ads based on individual information. So, faced with the prospect of the GDPR blowing a hole in the ad-subsidized Web, I'm pretty optimistic — advertising's still an option for funding free online stuff.
Exactly. And frankly I'd much prefer to see an ad for Toyota when I'm on a car review site than an ad for diapers (just because Google somehow came to the conclusion I've got a newborn). I'm happy to get advertised to, but that doesn't mean I need to be tracked all over the web.
I feel like people would be more concerned about their privacy and more supportive of these sorts of laws if they could see how the data being collected now will get used in 5 or 10 years.
Right now, we've got big data collection but relatively small data relationship processing.
You might not have a problem with a company knowing which school you went to, or what brand of toothpaste you like. But, in a few years, when billions of those sorts of obscure data points are used to create a perfect model that knows 'you' better than you know yourself, and a potential employer or insurer or tinder date can buy or build or find it on an unsecured Amazon cloud server, it's a very different problem.
Human minds don't do well with exponential change. As much as news anchors might over-react about it now, the use of our personal data is actually still right at the bottom of the hockey stick chart.
I think you ARE wrong in thinking that the EU will back off on the data law when it becomes clear it is having ill-effects and that people mostly don’t care about privacy. That’s not how the EU works. Let’s just say they have a lot of self-confidence.
Terrific post. I always have thought online privacy was totally overblown and I'm one of the billions who Accepts Cookies for everything (then maybe I clean the cache every 6 months or so). That said - online advertising has been such a hellscape for so long, I wonder if GDPR has had any positive knock-on effect in encouraging subscription-based models to sites and apps, as opposed to pure ad-supported models...?
Big Government ❤️ Big Business.
That is two wonderful, broadly libertarian themed posts in a week. Heaton must be rubbing off on you!
I do all kinds of things to hide ads and not be tracked. (web containers, ad block plugins, pi-hole DNS server, VPNs etc) and I don't think this GDPR law has helped me in any way. Except to annoy me.
Anyone else check out RaunchyMeterMaids.com?
God help me if that's real. Because I did not ask for any money for the referral.