It’s worth re-mentioning this whenever it pops up.
The GDPR does not mandate the cookie pop-up. The GDPR just says that companies cannot gather personal information about you without your consent.
If companies weren’t trying to build a profile about you all the time, they wouldn’t need a banner in the first place. The GDPR is amazing because it makes it immediately obvious which rare companies actually respect you and your right to privacy, due to not needing cookie banners in the first place.
As someone from the UX side of the fence, I can assure you that there are a lot of legitimate convenience and/or fraud-protection reasons why a company might store PII server side for the user’s convenience. Targeted marketing isn’t the only reason to store identifying information.
Fraud prevention is a legitimate interest and does not need a consent request.
I’m pretty sure that is specifically called out in GDPR. Certainly ICO (UK) has loads of articles on it.
However, it is often difficult to demonstrate compliance for legitimate interests, so it can be easier to rely on consent.
Imagine if fraud prevention mechanisms were ineffective if you did not consent to targeted advertising.
Black Hat: Darts! These dark patterns got me again, I accidentally consented, now I won’t be able to bypass the captcha!
God, let’s hope nobody ever tries that. Higher prices because you don’t consent to more invasive tracking, because it poses a higher fraud risk to the company.
Thankfully, processing the same data for fraud prevention should be a different consent process/option than processing it for targeted advertising.
That’s kinda the point.
Any server you connect to knows your IP address. As does any equipment between your home network and the remote server. It has to, that’s how networks work.
Processing that to ensure your IP isn’t abusing their servers is legitimate interest.
Processing that along with your interactions with their website likely isn’t legitimate interest, so it has to get consent (as this is likely profiling or user tracking, regardless of the cookies used).
You could argue that it is legitimate interest, but then you have to back it up in your privacy policy as to why it is required, and it could be easily challenged as it’s such a broad and subjective term (whether that challenge goes anywhere is up to enforcing bodies, like the EU/ICO/whatever).
The idea is that the barrier of entry for “legitimate interest” is high enough and that abusing legitimate interest carries a risk, so that it isn’t the default.
Just because you have access to the data doesn’t mean you can use it however you want.
Some French websites have already started saying “Accept advertising trackers or subscribe to the paid plan”. Marmiton started it, some newspapers followed suit, and I don’t believe the French courts have reached a conclusion on legality yet, but clearly some legal experts at those companies are convinced it could work.
I can understand where the newspapers are coming from. A lot of mobile apps do this, ads vs paid versions.
But an ad company’s product is not for the end user, and often their interests are at odds with the end user’s privacy.
They want to show ads to people where they are most effective. They want to prove they have shown the ads, and they want to prove that the user has been influenced by the ad.
All of this needs ridiculous tracking to support their business model.
It’s the ad companies that are at fault.
If you decline consent to an ad company, then they should show you generic adverts.
If a website requires ads vs subscription, then accepting data processing consent should not be part of the contract.
So, as long as the websites give you the option to decline data processing from the ad company without affecting your ability to use the website, then it’s fine.