@sam it certainly doesn't work like that
"We are now required to prevent from using the Website unless you change your mind..."
Not sure that's how the GDPR works...
On the topic of these consent flows, here you can see an approved GDPR-compliant flow. It’s not worth it. It’s impossible to make a good experience out of gaining consent for collecting people’s personal data. It’s too risky and expensive to build a business model from it.
whathifi.com, after dark-uxing the user to hell, tries to convince them to go back and enable tracking.
Server4you employs a #DarkUX pattern so much that initially I didn't see the "Decline" link at all. (maybe it's because I've been trained to click "More Info" or "Manage Settings" by now, but maybe it's because it is tiny and far away from the other choices) but they do have a one-click opt-out.
Etsy.com uses the usual dark pattern and when you click "Update Settings" the relevant checkboxes are unchecked. However, neither clicking "Accept", nor "Update Settings" and then "Done", and not even checking everything seems to make any difference in the cookies stored in my browser.
History.com presents with the now classic dark pattern where I Agree is a big colored button and the opt out is hidden behind a small "more information" link or something else that sounds equally boring.
At least after clicking that you can actually Reject All
The cultofmac doesn't say which cookies are recommended. When opening the "cookie details" pane you are presented with a list of checkboxes of which only the "necessary" is checked. I suspect however that this is not what happens when you just accept the recommended cookies.
DxoMark does not offer a way to opt out of data collection, however they do state that they will not share any data with anybody else.
It's debatable if they are #GDPR compliant as they do say that they "might" track user sessions.
@iona I suspect however that this might be a bandwidth-saving measure. Their advertisers probably do not target European customers so they have nothing to gain from EU residents listening.
@codesections granted, there's still a dark pattern there though. Still haven't seen a website without one. Closest to date is sourceforge.
Just as a counterpart to all the examples @GDPRHallOfShame has been posting, here is what an opt out option *should* look like. One prominent button to entirely opt out. Nice job Open Knowledge International! https://blog.okfn.org/2018/10/25/open-washing-digging-deeper-into-the-tough-questions/
No, facebook, you actually can't do that. "By tapping on the site" isn't explicit consent. And what's that about "off Facebook"?
So many sites do:
“Here are cookie, advertising, tracking policies. Here is an OK button.”
After not clicking the ok button but attempting to continue:
“You must agree to our tracking policy”
That is explicitly not allowed/illegal under GDPR.
American companies including the Washington Post really have a damn hard time wrapping their head around that an agreement means you can decline to agree to it, and GDPR says refusing to be tracked is not grounds for a site to refuse service.
Ok, Techradar, you are disgusting.
Please note that in the second screenshot "Accept All" checks all the checkboxes and quits, i.e. NOT what you're expecting.
And as if this wasn't enough, you have to click "Leave" on the 3rd screenshot to actually save your opt-outs.
@luka believe me from what I have seen this will be the least violation.
And also, you know, spirit vs letter of the law: some of these hideous #darkPatterns are compliant but I'll be damned if I will not complain about them. Your situation is far better, morally, the way I see it.
But I'm just a half-serious fediverse account and I had to make that joke, go ahead :-P
@neilalexander my favorite is being in the US and seeing the GDPR notices and then finding out that 90% of them don't allow US users to opt out. that, or they claim to allow opt-outs but actually don't, or if you opt out the page won't work/load at all .....
so much fun
Not to mention GDPR requests for consent, which frequently use dark UI patterns to make it obtusely difficult to opt out of tracking and advertising cookies.
Happy with being tracked? Sure, just click this "Accept" button.
Don't want to be tracked? Here, uncheck these 412 checkboxes by hand listing everywhere we might sell your data to.
... Seriously? Watch as I close this tab and never revisit your site.
Same goes for hiding content under "please don't ad-block" dialogs. Leave. Me. Alone.
It feels like frontend engineers and web designers do their hardest work to make the whole experience of browsing the web completely miserable.
Why can't I open some embedded YouTube videos in full-screen? Why can't I just click Back when I want to go back without breaking the entire page? Why is this video playing by itself when I didn't ask it to?
Who are the people designing these completely terrible experiences? What happened to them? Who hurt them?!
Using the modern web doesn't feel empowering. It feels immensely frustrating.
The web is barely usable without ad-blocking. Pages take an age to load and the content jumps around as more ads download and display. Also the ads are spying on you.
The entire JS ecosystem is dependency hell and sometimes you have to download massive JS files just to view a web page. The JS is probably also spying on you.
Worse still, JS is also probably why the Back button doesn't work properly on so many sites.
I don't know the details of this case but even the possibility of leveraging the GDPR against journalism is a legitimate concern. Reportedly some Romanian politicians did just that https://www.occrp.org/en/40-press-releases/presss-releases/8875-occrp-strongly-objects-to-romania-s-misuse-of-gdpr-to-muzzle-media via @bob
@bob that's an interesting case to say the least. Even if it turns out it is a legitimate GDPR case just alerting to the possibility of misuse is worth it. Thanks.
@GDPRHallOfShame ironically, blocking third party cookies seems to cause that in my experience.
This was in front of an article where the journalist goes on and on about how privacy-invading our smartphones are.
Btw, "show purposes" leads to a "reject all" button that seems to do nothing when tapped.
Not honoring Do Not Track (DNT) is a #GDPR violation. If you receive a DNT signal, you must turn off all tracking. Furthermore, as the person has made their choice explicit and clear, you must not ask them again (via popovers, modals, etc.)
How do we get this enforced? The first part seems like it is already covered by GDPR. Would the second half be enforceable under the current framework?
Legal reasons my ass! Laziness is what this is called! https://whisper.tf/media/wjcVW56KHlDnxBDl7k8
@GDPRHallOfShame Does that count towards the GDPR Hall of Shame?
I don't see anything except that big white box with no button to deny cookies...
@jasper not a native speaker but I meant "without expressing opinion". The description was meant exactly to explain what you are seeing in the video.
Presented without comment.
AnTuTu Benchmark requires you to share your location just after you click on "Don't collect any data"
@pperrin I've never thought of it that way. However, in this case, before the regulation it was ok to violate your users' privacy, i.e. there was no unwritten law about this practice...
How to NOT handle privacy:
Huffington Post throws this at new visitors,
giving the appearance of freedom to choose privacy or to become a commodity,
a choice that as far as I can tell doesn't actually exist...
but I know most people won't read through all that.
I was evaluating ending my old labor-exploitation boycott because a headline seemed like they had important content.
After this? Absolutely not. Boycott more firm than ever.
@pperrin unfortunately I do know it. I'm just trying to make up for it with a bit of negative publicity.
newatlas.com: We care about your privacy and yet we ask you to disable your ad blocker and then we tell you to go to a labyrinth of options to opt out...
They sure have some audacity.
Not exactly about the GDPR but certainly privacy-related. A little thing I wrote because I find myself needing to explain "hacking" to people often enough.
(full disclosure, my blog uses self hosted piwik analytics and honors Do Not Track. I just like to know how many visitors I have and I do not share data with anybody)
@GDPRHallOfShame Argh! It drives me f***ing nuts!
"We value your privacy, but here's some small print saying 'our partners' are going to track you across the web."
Honestly, I am now getting to the point where I just hit 'back' when I get a screen saying how much my privacy is valued.
@IzzyOnDroid AIUI they start tracking before you click accept which is also a violation, but I have to confirm that with the DevTools first.
@IzzyOnDroid they clearly do not want you to easily opt out as that would rob them of their revenue. However it would be the right thing to do, and as journalism depends on ethics, the fact that they don't makes me seriously doubt their journalistic integrity.
@GDPRHallOfShame On mobile devices, they cover up to 4/5th of the screen on some sites (I had a case where between their fixed-positioned header and that fixed-positioned footer you couldn't see more than a single line of text).
Wouldn't that provide some space for a second button, saying "No, keep your cookies to yourself, I'm on a diet"?
Not only does polygon/vox direct you to change browser settings to opt out, the popup never goes away...
I don't know if I should be happy that "more info" is just that and not a euphemism for opt out, or angry because there is no opt out.
#GDPRHallOfShame for you adorama.gr
So wargaming.net (World of Tanks, World of Warships) has a data export function that supposedly shows the information associated to your
Unfortunately I'm unable to use it unless I provide them with my phone number...
@Coffee neither do I. I actually don't understand why you would want to treat your online customers in any way differently than a customer that walks in your store. Just because I can't yell to the webpage "why are you trying to trick me?" it doesn't mean I feel fine with it and will come back.
Every time I open a site which says something about GDPR and then starts saying "Your privacy is very important to us" makes me remember this image.
Shame on you bmw for not giving any opt outs to your potential customers and telling them to go disable cookies in their browser. This is hostile.
I forgot to reply here to say that this has been sorted. Thanks to all for the boosts and to @Pedro for the awesome new avatar.
Shame on you shondaland: tiny type and mystery meat navigation full of #DarkUX that leads to a page where all opt-out checkboxes are disabled.
WHY?! Do you hate your users?
If you're going to be so blatantly non-compliant why take me through a maze of clicks? Just don't prompt at all from the start.
Look at how small the consent tool link is!
And look at how many checkboxes I have to untick.
And look at how many 'partners' are greyed out.
Shame on you NewYorker.
Seriously someone has to start spraying fines.
Not exactly GDPR related but Google now prompts you to enable "high accuracy" i.e. share location with them *every* time an app requests location. Sometimes multiple times a minute as you swipe through a list.
Thanks to @Pedro I have a new avatar!
However what's a new piece of art without a big reveal?
Like every creative process the avatar involved iteration. I will start with the first version that shows a bewildered user who just confronted a nasty GDPR popup.
@iona in the older days I would actually think this is cool as it shows they care. Now it just shows they are trying to not get fined...
IKEA belongs to #GDPRHallOfShame
I just called them and they said that if I don't accept them recording my call they will not be able to provide assistance.
@KeaW they have one but it excludes advertising cookies so as far as I am concerned, they might as well not have
@pauricthelodger kk I'll check it out. Any chance you took any screenshots before deleting the account?
@tuxicoman this looks really interesting but my French is rusty to say the least. Any chance of toot-storming a short version in English? Will gladly boost.
There is a #GDPR hall of shame
Can I add my contribution ?
@GDPRHallOfShame I so love the dark pattern that hides the opt-out button. Not.
nytimes.com belongs squarely in the #GDPRHallOfShame as it sends you to multiple external sites in order to opt out.
It also provides an opt out button which is (a) hidden and (b) doesn't include advertising cookies.
I think I've shamed them before, but wth, one more doesn't hurt.
@GardenOfForkingPaths I think this can be solved cryptographically. Or with a PO Box :-P
Of course you can always just redirect your cookies to me :-)
@iona as if the EU can fine a local radio station in the US.
I think it's more likely that since the local radio stations usually have local advertisers they're just trying to conserve bandwidth/prioritise customers their advertisers care about.
#GDPR improvement proposal: websites have to snailmail you an actual 🍪 every time they store a cookie on your computer.
I'd like to commission an avatar for this account. I was thinking something on the lines of a frustrated user or something, but ideas are welcome.
I can spend around €15, any takers?
Any time I see that sanctimonious, hypocritical "we value your privacy" popup, my immediate response is to close the browser window.
If you really value folks' privacy, the answer is simple: do not set, do not read, do not allow to be set, any tracking cookies.
@allo true that. I guess I'm trained by now to have to uncheck multiple checkboxes so this looked better but we shouldn't praise half-hearted attempts. No tracking should be a default.
@Privacy I'm thinking of commissioning an artist on mastodon(.art?) to create an avatar for this account, what do you think?
Except if you've already worked on something.
citylab.com: another one of the same, this time a tiny bit better: if you tap "set my preferences" (which is an adequately sized button) you get the chance to opt in instead of out. Still, it should be available from the first page. #GDPRHallOfShame
@iona I didn't know that practice. I have seen some 403 errors that look fine on ddg results. I will investigate, thanks for the tip.
Salesforce just sends you in various directions to opt out, not to mention they are collecting whatever they can get their tentacles on. I suppose that's what they do though... #GDPRHallOfFame
If you created an account on the site and would like to delete it, you may do so by clicking here,
logging into your account to verify your ownership, and using the delete account link in your account settings, accessible via the sidebar menu.
Sorry for that non GDPR related boost. I thought I was on my personal account.
I will not unboost it though, that would be rude.
Btw I seem to be running out of sites I visit regularly so I don't have new ones to shame, can you please feed me any you might encounter in your travels?
One more auth system that will give you nightmares...
The longer you look at it the more insane it gets.
@GDPRHallOfShame Have you taken a look at Last.fm? Just saw this pop up and cemented my drive to make sure I start looking into hosting a Libre.fm instance ASAP.
Going further down the list of trackers and the majority of them are opt-out by having to go through each individual company.
The Java GDPR compliance : disconnect from internet 🙃
cnet.com does not belong to the #GDPRHallOfShame
2 clicks are enough to opt out. Way to go cnet. Cheers.
@DetectiveHyde this is how it should be done.
I believe it will have positive effects on sales too. You get a hyper focused mailing list who actually pays attention and reads your stuff instead of spray and pray.
4 taps and about a minute of processing
one of the best so far, but of course it could be a lot better.
Will not admit into the #GDPRHallOfShame yet.
@Privacy I'm getting Error 500 when trying to upload images via web and "Upload Failed" via Tusky. Is this on your end? I believe so since I have no trouble posting on mastodon.social
I don't like having to work for Google to unsubscribe.
Also I never subscribed.
At least their cookie opt-out is a two-click process
(Unfortunately I'm getting error 500 on image upload, but their unsubscribe page requires a re-captcha)
No vox, "Expressly consent" ≠ "not opt out" in any interpretation of the English language, sorry.
the guardian: ∞ number of clicks including a misleading option that does nothing.
All opt outs take you to partner pages which is just hopeless.
This is ridiculous.
The third image does not work, as the full list, with a size of 860x9260, is too large.
Here is a link to the full list: https://imgur.com/a/VNISmjF
And an opt-out for the rest can (and does) take a few minutes:
"We are processing your request to optin/opt-out of receiving targeted ads. Your web activity will no longer be used for targeted advertising by the companies.
This may take up to a few minutes to process."
@feld on the other hand, you could say that white can be pushed (like the buttons) but it can't. The black can be pushed and it becomes white. Still, it's confusing and the user shouldn't have to investigate to see what is enabled.
So we have to figure out how to remove cookies, when they shouldn't be set in the first place... great!
#GDPRHallOfShame twitter: bundles acceptance with provision of service.
To be fair, it then has some options to opt out of.
It keeps getting worse
vox.com just sends you to all kinds of directions (browser settings, ad choices) with links drowned into walls of text in order to opt out, and disclaims itself in case they don't work.
Some of these methods start looking really spiteful to me. A great percentage of people would succumb to the faintest of dark patterns. I really do not understand why all this extra effort. It just pisses off the few of us that care.
@freakazoid something leaks though because when I used chromium the popup appeared. I accepted and then opened an incognito tab. Popup was shown again.
@freakazoid I now visited imgur.com again from fennec private browsing and I was not greeted with their GDPR stuff.
How did they know? Does private share cookies with normal mode? Local storage?
Anyway what I wanted to check was whether that "Allow All" link disables everything if pressed, and indeed it does.
It's virtually impossible to opt out.
It needs dozens of taps, some require you to go to the partner site to opt out which I didn't even attempt, and the navigation actually coerces you to go to the site instead of going back to opt out of the other categories.
Shame, imgur. One of the worst. Deserves an
It is worrying that the news organizations that we trust to inform us use such means to manipulate us into accepting their "privacy" policies.
This is the worst so far...
Fake X button that does the same as I Accept, dark patterns from hell, and you have to scroll down more than 4 screens to find a camouflaged Opt Out button.
This one truly belongs to the #GDPRHallOfShame
4 taps and a dark-ish pattern. No save button on consent page, user has to return manually. Not the worst offender.
The options say:
- I consent to cookies, even just using the website counts as consent (I can revoke my consent here*)
- Pay for the PUR-Abo to see the website without unnecessary cookies and ads
* Revoking the consent means you get the #GDPRWall again.
This account will host cases of GDPR "compliance" which are either actually non-compliant, abusive or use dark patterns to wrangle the user into accepting terms of service that track them or otherwise abuse their data.