GDPR Hall of Shame

@sam it certainly doesn't work like that

"We are now required to prevent from using the Website unless you change your mind..."

Not sure that's how the GDPR works...
cc @GDPRHallOfShame

On the topic of these consent flows, here you can see an approved GDPR-compliant flow. It’s not worth it. It’s impossible to make a good experience out of gaining consent for collecting people’s personal data. It’s too risky and expensive to build a business model from it.

techcrunch.com/2018/12/13/this

Wait WHAT, InVision ? « Up to several minutes » to save my cookie policy preferences and NO way to refuse the « mandatory » ones that include « targeted ads »? It is such a lack of respect to your visitors and users... #rgpd #gdpr #darkPattern #WTF #respectYourUsersFFS

whathifi.com, after dark-uxing the user to hell, tries to convince them to go back and enable tracking.

Server4you employs a pattern so much that initially I didn't see the "Decline" link at all. (maybe it's because I've been trained to click "More Info" or "Manage Settings" by now, but maybe it's because it is tiny and far away from the other choices) but they do have a one-click opt-out.

I'm on the fence of admitting them to the

Lol, mashable's "more options" are actually no options :-P

Etsy.com uses the usual dark pattern and when you click "Update Settings" the relevant checkboxes are unchecked. However, neither clicking "Accept", nor "Update Settings" and then "Done", and not even checking everything seems to make any difference in the cookies stored in my browser.

History.com presents with the classic now dark pattern where I Agree is a big colored button and the opt out is hidden before a small "more information" link or something else that sounds equally boring.

At least after clicking that you can actually Reject All

The cultofmac doesn't say which cookies are recommended. When opening the "cookie details" pane you are presented with a list of checkboxes of which only the "necessary" is checked. I suspect however that this is not what happens when you just accept the recommended cookies.

@GDPRHallOfShame Washington Post does not work at all when accessed from a Netherlands VPN with Javascript disabled

DxoMark does not offer a way to opt out of data collection, however they do state that they will not share any data with anybody else.

It's debatable if they are compliant as they do say that they "might" track user sessions.

@iona I suspect however that this might be a bandwidth-saving measure. Their advertisers probably do not target European customers so they have nothing to gain from EU residents listening.

If you disagree, null-byte.wonderhowto.com gives you a 404 and then the same popup all over again. If you then capitulate, you are stuck with the 404 and weird redirections upon clicking the back button.

Movie mobster tactics.

I bet npr thought sending you to a plain text site upon decline would incentivise you to accept cookies, but hell yeah I like the speed and readability of plain text sites.

They thusly do belong in the

No way, XiaoYi

usenix.org does not let you opt out from cookies and tracking but at least does a good job of letting you know what its cookies do in comprehensible English, instead of handwaving or using cheesy jokes.

usenix.org/cookies

I visited gamespot and "manage settings" got me redirected to CBS's privacy policy page which doesn't even work...

@codesections granted, there's still a dark pattern there though. Still haven't seen a website without one. Closest to date is sourceforge.

Just as a counterpart to all the examples @GDPRHallOfShame has been posting, here is what an opt out option *should* look like. One prominent button to entirely opt out. Nice job Open Knowledge International! blog.okfn.org/2018/10/25/open-

dummies.com

You can only agree to cookies and learn more just sends you somewhere :-P

No, facebook, you actually can't do that. "By tapping on the site" isn't explicit consent. And what's that about "off Facebook"?

No syfywire, I don't want to work for google to receive your spam, nor dismiss multiple pop ups and neither visit 5 external websites and check who knows how many checkboxes to opt out...

errorcodespro.com needs 11 clicks to opt out of tracking cookies

So many sites do:

“Here are cookie, advertising, tracking policies. Here is an OK button.”

After not clicking the ok button but attempting to continue:

“You must agree to our tracking policy”

That is explicitly not allowed/illegal under GDPR.

American companies including the Washington Post really have a damn hard time wrapping their head around that an agreement means you can decline to agree to it, and GDPR says refusing to be tracked is not grounds for a site to refuse service.

@dustin Great photo.

Laughing at "All Rights Reserved. This website is not intended for users located within the European Economic Area." Laziest #GDPR compliance ever. (Of interest, @GDPRHallOfShame ?)

@riking ok will CW when I use words like 'disgusting' but not all, hope that's ok.

Ok, Techradar, you are disgusting.

Please note that in the second screenshot "Accept All" checks all the checkboxes and quits, i.e. NOT what you're expecting.

And as if this wasn't enough, you have to click "Leave" on the 3rd screenshot to actually save your opt-outs.

This deception is shameful

@luka believe me from what I have seen this will be the least violation.

And also, you know, spirit vs letter of the law: some of these hideous are compliant but I'll be damned if I will not complain about them. Your situation is far better, morally, the way I see it.

But I'm just a half-serious fediverse account and I had to make that joke, go ahead :-P

Merriam webster dismisses privacy with snarky comments.

Autodesk sketchbook automatically shares data with them unless you go into the settings and disable it.

Liliputing does the usual to trick you into surrendering your data and then plays the sentimental card to make you reconsider or donate to them.

@neilalexander my favorite is being in the US and seeing the GDPR notices and then finding out that 90% of them don't allow US users to opt out. that, or they claim to allow opt-outs but actually don't, or if you opt out the page won't work/load at all .....

so much fun

Not to mention GDPR requests for consent, which frequently use dark UI patterns to make it obtusely difficult to opt out of tracking and advertising cookies.

Happy with being tracked? Sure, just click this "Accept" button.

Don't want to be tracked? Here, uncheck these 412 checkboxes by hand listing everywhere we might sell your data to.

... Seriously? Watch as I close this tab and never revisit your site.

Same goes for hiding content under "please don't ad-block" dialogs. Leave. Me. Alone.

It feels like frontend engineers and web designers do their hardest work to make the whole experience of browsing the web completely miserable.

Why can't I open some embedded YouTube videos in full-screen? Why can't I just click Back when I want to go back without breaking the entire page? Why is this video playing by itself when I didn't ask it to?

Who are the people designing these completely terrible experiences? What happened to them? Who hurt them?!

Using the modern web doesn't feel empowering. It feels immensely frustrating.

The web is barely usable without ad-blocking. Pages take an age to load and the content jumps around as more ads download and display. Also the ads are spying on you.

The entire JS ecosystem is dependency hell and sometimes you have to download massive JS files just to view a web page. The JS is probably also spying on you.

Worse still, JS is also probably why the Back button doesn't work properly on so many sites.

I don't know the details of this case but even the possibility of leveraging the GDPR against journalism is a legitimate concern. Reportedly some Romanian politicians did just that occrp.org/en/40-press-releases via @bob

@bob that's an interesting case to say the least. Even if it turns out it is a legitimate GDPR case just alerting to the possibility of misuse is worth it. Thanks.

The Atlantic is presenting you with the same popup each time firefox reloads the page.

#Darkpattern: If you want to unsubscribe marketing communication from yahoo, the big fat button "No, cancel" means "Cancel canceling".

@GDPRHallOfShame

@GDPRHallOfShame ironically, blocking third party cookies seems to cause that in my experience.

This was in front of an article where the journalist goes on and on about how privacy-invading our smartphones are.

Btw, "show purposes" leads to a "reject all" button that seems to do nothing when tapped.

Not honoring Do Not Track (DNT) is a #GDPR violation. If you receive a DNT signal, you must turn off all tracking. Furthermore, as the person has made their choice explicit and clear, you must not ask them again (via popovers, modals, etc.)

How do we get this enforced? The first part seems like it is already covered by GDPR. Would the second half be enforceable under the current framework?

Thoughts?

Legal reasons my ass! Laziness is what this is called! whisper.tf/media/wjcVW56KHlDnx

techwalla.com: but at least a one-click opt-out.

We know what privacy means, dictionary.com

You either don't, or you're violating it on purpose.

@GDPRHallOfShame I was going to make a gab account to promote the fediverse, I did not accept the terms of service to read it. Then they send me an email a few days later. https://pst.moe/paste/smpjiv #GDPR #DumpGab

@l4p1n of course it does. This popup is probably pre-GDPR where just notifying was enough.

@GDPRHallOfShame Does that count towards the GDPR Hall of Shame ?

I don't see anything except that big white box with no button to deny cookies...

@jasper not a native speaker but I meant "without expressing opinion". The description was meant exactly to explain what you are seeing in the video.

@iona ehm I don't know who does that?

(whistling indifferently)

Presented without comment.

AnTuTu Benchmark requires you to share your location just after you click on "Don't collect any data"

@pperrin I've never thought of it that way. However, in this case, before the regulation it was ok to violate your users privacy, i.e. there was no unwritten law about this practice...

How to NOT handle privacy:
Huffington Post throws this at new visitors,
giving the appearance of freedom to choose privacy or to become a commodity,
a choice that as far as I can tell doesn't actually exist...
but I know most people won't read through all that.

I was evaluating ending my old labor-exploitation boycott because a headline seemed like they had important content.
After this? Absolutely not. Boycott more firm than ever.

@pperrin unfortunately I do know it. I'm just trying to make up for it with a bit of negative publicity.

Little did I know that it gets worse. Look at that save button.

systutorials.com: more . One of the darkest patterns to date.

newatlas.com: We care about your privacy and yet we ask you to disable your ad blocker and then we tell you to go to a labyrinth of options to opt out...

They sure have some audacity.

@GDPRHallOfShame @iona

Of course they value your privacy, it's worth exactly $1.03 an hour. Would they really want it so hard if they didn't value it?

Not exactly about the GDPR but certainly privacy-related. A little thing I wrote because I find needing to explain "hacking" to people often enough.

qwazix.com/mixt/posts/14-every

(full disclosure, my blog uses self hosted piwik analytics and honors Do Not Track. I just like to know how many visitors I have and I do not share data with anybody)

@iona and 'our partners' count is usually in the tens, if not hundreds

@GDPRHallOfShame Argh! It drives me f***ing nuts!

"We value your privacy, but here's some small print saying 'our partners' are going to track you across the web."

Honestly, I am now getting to the point where I just hit 'back' when I get a screen saying how much my privacy is valued.

A lesson on how to do by bleepingcomputer.com

@IzzyOnDroid AIUI they start tracking before you click accept which is also a violation, but I have to confirm that with the DevTools first.

@IzzyOnDroid they clearly do not want you to easily opt out as that would rob them from their revenue. However it would be the right thing to do, and as journalism depends on ethics, the fact that they don't makes me seriously doubt their journalistic integrity.

@GDPRHallOfShame On mobile devices, they cover up to 4/5th of the screen on some sites (I had a case where between their fixed-positioned header and that fixed-positioned footer you couldn't see more than a single line of text).

Wouldn't that provide some space for a second button, saying "No, keep your cookies to yourself, I'm on a diet"?

Not only polygon/vox directs you to change browser settings to opt out, the popup never goes away...

@UnclearFuture Good idea. Btw uBlock blocks their whole cookie policy website, no idea why.

I don't know if I should be happy that "more info" is just that and not a euphemism for opt out, or angry because there is no opt out.

for you adorama.gr

Ehrm, let's say I do not consent. Now what?

Notice that the cookie policy link is behind the modal popup.

So wargaming.net (World of Tanks, World of Warships) has a data export function that supposedly shows the information associated to your account. Great.

Unfortunately I'm unable to use it unless I provide them with my phone number...

@Privacy thanks for tagging @jlhertel rofl

@Coffee neither do I. I actually don't understand why would you want to treat your online customers in any way differently than a customer that walks in your store. Just because I can't yell to the webpage "why are you trying to trick me?" it doesn't mean I feel fine with it and will come back.

Every time I open a site which says something about GDPR and then starts saying "Your privacy is very important to us" makes me remember this image.

How much do you value my privacy softpedia?

$1, $10, $100, $1000?

@sbassoon degraded experience lol

submission to @GDPRHallOfShame

"higher perspectives.com"

Shame on you bmw for not giving any opt outs to your potential customers and telling them to go disable cookies in their browser. This is hostile.

I forgot to reply here to say that this has been sorted. Thanks to all for the boosts and to @Pedro for the awesome new avatar.

Shame on you shondaland: tiny type and mystery meat navigation full of that leads to a page where all opt-out checkboxes are disabled.

WHY?! Do you hate your users?

If you're going to be so blatantly non-compliant why take me through a maze of clicks? just don't prompt at all from the start.

...but the clown can get angry, and scary! And we should become angry and scary because not only they are violating our right to privacy, they are doing it in the most sleazy way. They don't deserve our business.

@Pedro @inkscape @opensourcedesign @Curator

Look at how small the consent tool link is!

And look at how many checkboxes I have to untick.

And look at how many 'partners' are greyed out.

Shame on you NewYorker.

Seriously someone has to start spraying fines.

The next iteration is a clown, that's how these websites treat their customers. Like clowns to be laughed at.

@Pedro @inkscape @opensourcedesign @Curator

Not exactly GDPR related but Google now prompts you to enable "high accuracy" i.e. share location with them *every* time an app requests location. Sometimes multiple times a minute as you swipe through a list.

Thanks to @Pedro I have a new avatar!

However what's a new piece of art without a big reveal?

Like every creative process the avatar involved iteration. I will start with the first version that shows a bewildered user who just confronted a nasty GDPR popup.

@iona in the older days I would actually think this is cool as it shows they care. Now it just shows they are trying to not get fined...

IKEA belongs to

I just called them and they said that if I don't accept them recording my call they will not be able to provide assistance.

cosmote.gr belongs to the because it has everything pre-checked and requires two clicks per cookie category to opt out.

Also their unsubscribe link in emails doesn't work and this has been going on for years. A complaint to the local regulator never got a response. Sigh.

@KeaW they have one but it excludes advertising cookies so as far as I am concerned, they might as well hadn't

@pauricthelodger ok thanks I'll investigate when I'm a bit more awake.

@pauricthelodger kk I'll check it out. Any chance you took any screenshots before deleting the account?

🤦‍♂️
overshop.gr just changed the status of an order completed in May so that they can spam me without triggering the and without an unsubscription link.

Shame, overshop.

@tuxicoman this looks really interesting but my French is rusty to say the least. Any chance of toot-storming a short version in English? Will gladly boost.

@GDPRHallOfShame I so love the dark pattern that hides the opt-out button. Not.

@aadilayub it's firefox. Fennec f-droid to be precise.

nytimes.com belongs squarely in the as it sends you to multiple external sites in order to opt out.

It also provides an opt out button which is (a) hidden and (b) doesn't include advertising cookies.

I think I've shamed them before, but wth, one more doesn't hurt.

@GardenOfForkingPaths I think this can be solved cryptographically. Or with a PO Box :-P

Of course you can always just redirect your cookies to me :-)

@iona as if the EU can fine a local radio station in the US.

I think it's more likely that since the local radio stations usually have local advertisers they're just trying to conserve bandwidth/prioritise customers their advertisers care about.

improvement proposal: websites have to snailmail you an actual 🍪 every time they store a cookie on your computer.

I'd like to commission an avatar for this account. I was thinking something on the lines of a frustrated user or something, but ideas are welcome.

I can spend around €15, any takers?

pinging @Curator

@GDPRHallOfShame
Any time I see that sanctimonious, hypocritical "we value your privacy" popup, my immediate response is to close the browser window.

If you really value folks' privacy, the answer is simple: do not set, do not read, do not allow to be set, any tracking cookies.

@allo true that. I guess I'm trained by now to have to uncheck multiple checkboxes so this looked better but we shouldn't praise half-hearted attempts. No tracking should be a default.

@Privacy ok will do. No worries, be well.

@benrob0329 thanks for the tip. I just posted it (a bit late but... 🙂)

@Privacy I'm thinking of commissioning an artist on mastodon(.art?) to create an avatar for this account, what do you think?

Except if you've already worked on something.

citylab.com: another one of the same, this time a tiny bit better: if you tap "set my preferences" (which is an adequately sized button) you get the chance to opt in instead of out. Still, it should be available from the first page.

vocabulary.com: I don't like the of having just one giant I AGREE button and a tiny "show purposes" link (wtf is purposes?) but I do like the REJECT ALL button presented after clicking it.

Screenshots I couldn't upload before, for the toot above

@iona I didn't know that practice. I have seen some 403 errors that look fine on ddg results. I will investigate, thanks for the tip.

Salesforce just sends you in various directions to opt out, not to mention they are collecting whatever they can get their tentacles on. I suppose that's what they do though...

Shame on you tested.com for presenting different policies for different regions and just walls of text instead of opt outs

This is arguably one of the best approaches. Good stuff, thedodo.com

Sportys.gr

Having to opt out from marketing communications is non compliant.

Bonus WTF:

If you created an account on the site and would like to delete it, you may do so by clicking here,

*temporarily agreeing to our terms of use and privacy policy*,

logging into your account to verify your ownership, and using the delete account link in your account settings, accessible via the sidebar menu.

#GDPR #gdprhallofshame

wonderhowto deserves a place in the #GDPRHallOfShame.
@GDPRHallOfShame #gdpr

Sorry for that non GDPR related boost. I thought I was on my personal account.

I will not unboost it though, that would be rude.

Btw I seem to be running out of sites I visit regularly so I don't have new ones to shame, can you please feed me any you might encounter in your travels?

Thanks.

One more auth system that will give you nightmares...

This JavaScript code powers a 1,500 user intranet application.

The longer you look at it the more insane it gets.

@jlhertel @ostfriese if you could please translate I will gladly boost.

@pinguino I'm pretty sure that listing google analytics as required violates the in more than one way.

@GDPRHallOfShame Have you taken a look at Last.fm? Just saw this pop up and cemented my drive to make sure I start looking into hosting a Libre.fm instance ASAP.

Going further down the list of trackers and the majority of them are opt-out by having to go through each individual company.

The Java GDPR compliance : disconnect from internet 🙃

twitter.com/notdan/status/1030

hypebeast.com

easy to opt out but dark,

You have to actually open each section to verify that nothing is pre-checked.

(and yeah I'm into sneakers if you haven't noticed)

cnet.com does not belong to the

2 clicks are enough to opt out. Way to go cnet. Cheers.

Sol Chadguy @DetectiveHyde 2018-08-15 20:52
@fsf What a time to be alive.

cc: @GDPRHallOfShame

@DetectiveHyde this is how it should be done.

I believe it will have positive effects on sales too. You get a hyper focused mailing list who actually pays attention and reads your stuff instead of spray and pray.

Sol Chadguy @DetectiveHyde 2018-08-15 13:01
@GDPRHallOfShame I'd just like to give a positive shout out to English Heritage for actually sending me a physical letter notifying me of what the GDPR means in terms of my relationship with them, default opting me out of everything, and apologising for the inconvenience caused by having to take actual steps (namely, going on their website or calling them) to opt back IN to marketing materials.

I actually did it since I like their marketing materials, it's all stuff I actually care about.

wunderground.com

4 taps and about a minute of processing

one of the best so far, but of course it could be a lot better.

Will not admit into the yet.

@Privacy confirmed. Thus, back to regular service.

thanks

@Privacy I'm getting Error 500 when trying to upload images via web and "Upload Failed" via Tusky. Is this on your end? I believe so since I have no trouble posting on mastodon.social

thanks

complex.com

Want privacy? Go away*

*by away we mean YouTube. Appreciate the irony™.

c.d-e.gr/s/gVR18H9J33FkfK6

Dear aegean.gr

I don't like having to work for Google to unsubscribe.

Also I never subscribed.

At least their cookie opt-out is a two-click process

(Unfortunately I'm getting error 500 on image upload, but their unsubscribe page requires a re-captcha)

@GDPRHallOfShame
Also, cookies are *not* local storage objects.

No vox, "Expressly consent" ≠ "not opt out" in any interpretation of the English language, sorry.

pcworld.com

PC world displays an autoplaying video that cannot be dismissed if you don't accept their terms.

Fortunately things are easy once you tap "Update Privacy Settings"

the guardian: ∞ number of clicks including a misleading option that does nothing.

All opt outs take you to partner pages which is just hopeless.

This is ridiculous.

#GDPRHallOfShame

olastifora.gr

This one shows you ads interleaved with the cookie policy. 🤦‍♀️

I'm not going to comment on the fact that there's no opt out.

The difference between the first and the second image is not only a #DarkPattern, but plain deception.

The tracking cookies are neither required for login, nor for tracking orders.

#DarkUX

The third image does not work, as the full list is with a size of 860x9260 too large.

Here is a link to the full list: imgur.com/a/VNISmjF

And an opt-out for the rest can (and does) take a few minutes:

"We are processing your request to optin/opt-out of receiving targeted ads. Your web activity will no longer be used for targeted advertising by the companies.

This may take up to a few minutes to process."

forbes.com had a strange idea of "required cookies".

1) Nice looking UI to allow only "required cookies"
2) Different Tracking cookies are "required"? WTF.
3) The full list of cookies including advertisement cookies is 10 screen pages long.

#GDPR #GDPRHallOfShame

@RyuKurisu @saxnot thanks for mentioning

@feld on the other hand, you could say that white can be pushed (like the buttons) but it can't. The black can be pushed and it becomes white. Still, it's confusing and the user shouldn't have to investigate to see what is enabled.

ieee.org

ieee does not give you any option to opt out of anything and pads the fact that they ignore DNT with some useless information. Also there's some hostile text regarding GDPR data subject requests.

It certainly belongs to the

bloomberg.com

This one is quite easy to opt out from... if you can guess which state is on and which is off.

@GDPRHallOfShame
So we must have to figure out how to remove cookies, when they shouldn't be set in the first place....great!

@excecate have a cookie :-)

photo by Erol Ahmed on unsplash

#GDPRHallOfShame twitter: bundles acceptance with provision of service.

To be fair, it then has some options to opt out of.

thenextweb.com gets a cookie for creativity but it hasn't really addressed GDPR

There isn't any obvious way to opt out.

It keeps getting worse

vox.com just sends you to all kinds of directions (browser settings, ad choices) with links drowned into walls of text in order to opt out, and disclaims itself in case they don't work.

Some of these methods start looking really spiteful to me. A great percentage of people would succumb to the faintest of dark patterns. I really do not understand why all this extra effort. It just pisses off the few of us that care.

@freakazoid something leaks though because when I used chromium the popup appeared. I accepted and then opened an incognito tab. Popup was shown again.

In a to the , the "Allow All" link requires two taps to disallow all making the UX pattern ridiculously dark. I had dismissed it as a mistap before.

@freakazoid I now visited imgur.com again from fennec private browsing and I was not greeted with their GDPR stuff.

How did they know? Does private share cookies with normal mode? Local storage?

Anyway what I wanted to check was whether that "Allow All" link disables everything if pressed, and indeed it does.

at it's worse but at least one does not have to tap that many times.

imgur.com

It's virtually impossible to opt out.

It needs dozens of taps, some require you to go to the partner site to opt out which I didn't even attempt, and the navigation actually coerces you to go to the site instead of going back to opt out of the other categories.

Shame, imgur. One of the worst. Deserves an

After all this shaming, let's put in a good word.

sourceforge.net has a one-click opt out. Kudos and we excuse the grey pattern.

It is worrying that the news organizations that we trust to inform us use such means to manipulate us into accepting their "privacy" policies.

And this is how far you have to scroll to reach that opt out button.

This is the worst so far...

nytimes.com

Fake X button that does the same with I Accept, dark patterns from hell, and you have to scroll down more than 4 screens to find a camouflaged Opt Out button.

This one truly belongs to the

#GDPRfail business insider: you need to accept cookies to read the cookie policy page. I didn't bother searching for opt outs. #GDPRHallOfShame

protagon.gr

GDPRWall that only has an accept button and a link that just sends you to a labyrinth of text that is actually intended for publishers, not end users.

unbound.com

4 taps and a dark-ish pattern. No save button on consent page, user has to return manually. Not the worst offender.

Still,

derstandard.at belongs in the #GDPRHallOfShame.

The options say:
- I consent to cookies, even just using the website counts as consent (I can revoke my consent here*)
- Pay for the PUR-Abo to see the website without unnecessary cookies and ads

* Revoking the consent means you get the #GDPRWall again.

vice.com

to make you click accept but at least opting out of all trackers is only two clicks away. User has to return to previous page with browser back button and click accept though. I hope that does not invalidate the opt-out.

slate.com belongs in the #GDPRHallofShame for using a #GDPRWall.

@Otuk no this is a human. Run by @qwazix

This account will host cases of GDPR "compliance" which are either actually non-compliant, abusive or use dark patterns to wrangle the user into accepting terms of service that track him or otherwise abuse their data.

Keep an eye on and . Will boost nice relevant toots. Be civil though.