The strongest rules and the weakest enforcement
It is coming up to one year now since GDPR came into operation, giving the European Economic Area (EEA) the world's strongest privacy regulations. But has it helped improve our privacy, or has it just made the web experience even more cumbersome?
A report by the European Data Protection Board indicates that over 200,000 cases of GDPR violation were reported to supervisory authorities in the 31 EEA countries in the first nine months of GDPR enforcement, resulting in a touch short of 56m Euros in fines handed out. However, most of that sum was a single fine, the 50m Euro fine of Google by the French authorities.
The success of a law should not be judged by how many fines it issues, but rather by how well it is complied with, and how much positive change it has on behaviour. If the objective of GDPR was to educate businesses into respecting individual privacy, it has failed. For example, many more websites now demand consent to use cookies, and go to great lengths to make the site unusable if you choose to block tracking mechanisms, and perhaps the worst offenders are the news and newspaper websites. A check by privacy researchers shows that the number of sites requiring cookie consent on entry jumped from 16% prior to GDPR to over 60% immediately after GDPR. On the whole, companies did not change their behaviour or respect privacy more. They simply added a mechanism at the front which they believe makes it legal.
Sites which create a cookiewall, a mechanism where you cannot use the site unless you agree to the use of tracking cookies, do not comply with GDPR. This was affirmed this month by the Netherlands Data Protection authority which has received numerous complaints on this issue. It declined to name the worst offenders at this time, but has sent warning letters to the organisations involved. Despite what the tracking industry would have you believe, GDPR does not inhibit the ability of sites to use advertising to finance themselves, only that you cannot make your provisions of service conditional upon people giving up their privacy.
Since GDPR, average cookie lifetimes seem to have shortened, but a quick check on some newspaper sites showed it not uncommon for cookies set today to persist until 2025, which will often exceed the lifetime of the computer, and The Times, for example, still sets a couple of cookies with an expiry date of 2099, some 80 years into the future, which will outlive not only my computer but me as well. Most of the cookies used by websites could just as easily be temporary cookies, or session cookies. Under GDPR, you do not need to seek permission to use temporary cookies but it is in the interest of the tracking industry to force people to go through a cookie-agreement process, to cultivate the notion that this is all just some cumbersome bureaucratic process inflicted on website users for no good reason, to condition us into routinely agreeing to cookies, and to obscure the fact that it is only the privacy-invading tracking cookies which really need consent.
Some sites, especially the newspaper groups, provide opt-out procedures which involves being presented with a huge list of partner companies who they might share the data with, and requiring you to go through the list unticking each one individually. Perhaps this is designed to make the whole process so wearisome that even the most hardened privacy advocate will resign the battle and just click the "I agree" box. However, under GDPR, you cannot pre-tick the boxes and assume consent. Consent must be freely given and require a positive action from the user. This was also reaffirmed earlier this month when the EU's Advocate General, Maciej Szpunar, gave the opinion that the pre-ticked boxes used on a German lottery site does not reach the bar for consent.
But at least government websites set a better example,... or do they. A recent study of privacy on government websites across the EU found that 89% of webpages on government operated websites contain one or more tracking cookies issued by advertising agencies, and the most eye-opening statistic is that "63 companies track German citizens on a single public webpage about maternity leave".
www.cookiebot.com/media/1121/cookiebot-report-2019-medium-size.pdf
28th March 2019
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content.