Struggling with GDPR, or just ignoring it?

It’s been over a year now, but are we all still feeling our way with GDPR?

PwC’s data practices rejected in GDPR rebuke
With enforcement of the EU’s General Data Protection Regulation (GDPR) still in its infancy, companies may be floating trial balloons to see which arguments resonate with authorities. PriceWaterhouseCoopers (PwC) recently tested the air currents in Greece, but was shot down by the Hellenic Data Protection Authority in a case involving the processing of employee data.

PwC will have to work to rebuild trust after shock GDPR fine
The Greek representative of PwC is the first of the “Big 4” to be fined under the GDPR. Moreover, it’s the first consultancy that has actually helped many of its clients with GDPR compliance over the last year. It seems astounding that a company of PwC’s size and reputation that’s making a lot of money on giving advice on the GDPR has been burned by the very fire they help clients to avoid on a daily basis.

Or perhaps we’re just ignoring it completely. Research just out has shown what we already know to be the case — most of those cookie notices everywhere aren’t following the EU privacy-first GDPR regulations. At all.

Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds
Their industry snapshot of cookie consent notices found that the majority are placed at the bottom of the screen (58%); not blocking the interaction with the website (93%); and offering no options other than a confirmation button that does not do anything (86%). So no choice at all then.

A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.

And while they found that nearly all cookie notices (92%) contained a link to the site’s privacy policy, only a third (39%) mention the specific purpose of the data collection or who can access the data (21%).

[…]

This is an important finding because GDPR is unambiguous in stating that if an Internet service is relying on consent as a legal basis to process visitors’ personal data it must obtain consent before processing data (so before a tracking cookie is dropped) — and that consent must be specific, informed and freely given.

Yet, as the study confirms, it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.

In the way that those US academics highlighted the dark patterns used with shopping sites, there needs to be a way of reporting and highlighting these non-compliant cookie notices, or they’ll just get away with it.

Author: Terry Madeley

I enjoy reading about art and design, culture, data, education, technology and the web.
