The tyranny of GDPR popups and the websites failing to adapt get me to feeling that The GDPR is Annoying and Ineffective. Too often The practical effect of GDPR seems to me that I have to click away about half a dozen consent popups every day. Sometimes a cookie warning in addition to that. Those who use Private Browsing (to protect my privacy) are punished with even more popups. I have really begun to mentally filter out the popups because there’s just so darn many too often. The popups are insanely stupid, frustrating, and a usability and design disaster.
The dark UX patterns of popups before first interaction feels like a disaster. However, the concrete design of these pop-ups is mostly not GDPR-compliant: for example, users not agreeing to being tracked must not be disadvantaged, and having to click through a cumbersome array of options is certainly a disadvantage. Then there are the technical problems; one of those consent “solutions” that you see around actually shows a spinner while your “preferences are being saved”. Sometimes it never closes. Sometimes on the mobile browsing the buttons to close those pop-ups are unreachable.
Then there are also websites that are now blocking all EU users because of GDPR. There are sites that ask (or automatically try to detects) if citizen/in the EU and if they answer yes, send them to a static “we don’t service the EU” page. “Unfortunately, our website is currently unavailable in most European countries,” is the message still greeting visitors too often. It seems that some websites aren’t planning on making themselves available to people in the EU at any point.
GDPR’s implementation fundamentally changed the experience of using the web in another, more annoying, way: popups. These inform visitors of how websites are tracking them, offer options to see privacy policies and in some cases give the choice of turning off cookies that monitor user behaviour. The increase in transparency has been greeted positively by privacy campaigners.
Maybe you should not be annoyed at GDPR. What GDPR tries to do is to restore some sane defaults into the process. There are supposed to be all sorts of other GDPR protections, that most people have no idea how to activate. You don’t have to do anything to “activate” these rights under GDPR. GDPR regs focus on what data a company is collecting, how are they using that data and did they get consent for that. GDPR is a regulatory band-aid to a technical problem.
But is GDPR really making the kind of difference people wanted? Forcing people to read and agree to individual portions of the ToS can be seen as a downside of GDPR. I think there’s a small minority of people who care about this stuff and really read those legal texts before clicking. The view of the persons who care is: GDPR has given me a ton of rights over my data that I should have, and everybody should have. It has given me access to my own data. It has given me the power to delete it. This shit is important, and now it’s law.
Maybe the nuance here is that it’s not really the regulation’s fault but rather HOW websites chose to comply to it. But the fact is that I’M SO TIRED of having to opt out of every website’s cookies. In addition to the GDPR popups many web sites are loaded with also other annoying pop-ups.
If cookie consent forms or GDPR compliance forms annoy you, don’t blame GDPR. Blame the sites that have no regard for your privacy and make no effort to comply beyond throwing up annoying prompts. That there’s cookie popups because the companies in question suck? Maybe you should be annoyed at all the companies who have spent the last decades building an entire web-infrastructure with zero respect for user privacy. We built massive amounts of technology infrastructure that just assumed that privacy and tracking wasn’t an issue. Everyone tried to grab as much data as they can and then sells it to whoever wants to buy it. Maybeyou should direct your anger towards every company showing you a GDPR popup. The more complex it is, the more they’re trying to fuck with you. Ads are a requirement for free content. However, some websites go too far and spy on the Internet user more than they would like if they knew exactly what is going on.
Website choose to comply in the most obnoxious way possible to get people to accept loss of privacy. How effective the popups are will vary between websites. Bounce rates must be through the roof, especially for clickbait. I strongly doubt that this persistently annoying popup situation will stick around forever. This again, is the fault of most websites. GDPR requires opt-in for tracking, etc. A website could just, by default, not do tracking. Then provide the tracking options in the preferences. However, most sites have gotten so data hungry that they can’t accept GDPR’s privacy-by-default and have to bother you with pop-ups to try to get your consent to track you. Add some dark patterns, like designing these pop-up forms such that they are effectively opt-out.
The reason all these pop ups and consent forms are so complicated have nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests. Many sites are probably in violation of the GDPR. They’re hoping that by adding a big notice telling you about their violations they’ll be OK. Most annoying that many companies by default assume opt-in to their spying activity, despite GDPR regulation saying that all consents should be opt-out by default.
It will probably take a few ‘product iterations’ to get it perfectly right.
And the GDPR regulations also can be annoyance if you are a web developer that is building the site that comply all those regulatory demands (you need to understand what needs to be done and the try to figure out how to do it). GDPR has changed the internet for millions of people. But nobody can agree on how to stay on the right side of compliance.
If they implemented GDPR correctly and in a sensible manner, you would get one popup per site, once. You would give your consent to data collection and usage, and they would save that preference in a cookie or your profile settings for that site. And how is that supposed to work, exactly? If you choose “deny” then they can’t track you, so they can’t set a cookie or save profile data! Of course you’ll get the same prompt the next time you show up. At that point you’re just another anonymous visitor of whom they have no prior knowledge. You have to consent before they are allowed to remember your preference.
Instead all I get, as a user, is a bunch of consent forms, like the stupid cookie warnings, that I have no idea how to respond to, and no idea what I’m committing to when I click them. Many of those forms are really stupid. There are also plenty which simply say: accept our tracking or you can’t use the service. Which is plainly in breach of Ch. 2 Art. 7.4 of the GDPR.
What we wish is to be able to opt-in once and for all, to get rid of these incessant interstitial pop-ups sprouting like mushrooms across the Internet. Abolish the popups entirely, move the consent forms to a voluntary options page. Implement a user profile system, so people can create a profile and opt-in to tracking and profiling through that. Turn off tracking and profiling completely for anonymous users who choose not to create a profile, or who haven’t opted in. I know there will be an outcry of “but the amount of data we would be able to gather is miniscule!”, and I say that’s a good thing.
Could Browser Ad Permissions are the Solution we want? The idea in that would be that each individual internet user can select which ads to give permissions to allow or block. These permissions would then be applied to all websites accessed with that browser.
They could also simply support the Do Not Track header, or a “Please Track Me” counterpart. But they won’t do that, because that would make it too easy to escape data collection and profiling, and wouldn’t let them annoy you into accepting their onerous terms.