>This is a personal decision to be made by the data "donor".
My problem is that users cannot make this personal decision based on the cookie consent banners because all sites have to request this consent even if they do exactly what they should be doing in their users' interest. There's no useful signal in this noise.
The worst data harvesters look exactly the same as a site that does basic traffic analysis for basic usability purposes.
The law makes it easy for the worst offenders to hide behind everyone else. That's why I'm calling it counterproductive.
[Edit] Wrt NHS specifically - this is a case in point. They use some tools to analyse traffic in order to improve their website. If they honour their own privacy policy, they will have configured those tools accordingly.
I understand that this can still be criticised from various angles. But is this criticism worth destroying the effectiveness of the law and burying far more important distinctions?
The law makes the NHS and Daily Mail look exactly the same to users as far as privacy and data protection is concered. This is completely misleading, don't you think?
I don't think it's too misleading, because in the absence of any other information, they are the same.
What you could then add to this system is a certification scheme to permit implicit consent of all the data handling (including who you hand it off to and what they are allowed to do with it, as well as whether they have demonstrated themselves to be trustworthy) is audited to be compliant with some more stringent requirements. It could even be self-certification along the lines of CE marking. But that requires strict enforcement, and the national regulators so far have been a bunch of wet blankets.
That actually would encourage organisations to find ways to get the information they want without violating the privacy of their users and anyone else who strays into their digital properties.
>I don't think it's too misleading, because in the absence of any other information, they are the same.
But other information not being absent we know that they are not the same. Just compare privacy policies for instance. The cookie law makes them appear similar in spite of the fact that they are very different (as of now - who knows what will happen to the NHS).
I do understand the point, but other then allowing a process of auditing to allow a middle ground of consent implied for first-party use only and within some strictly defined boundaries, what else can you do? It's a market for lemons in terms of trustworthy data processors. 90% (bum-pull figures, but lines up with the number of websites that play silly buggers with hiding the no-consent button) of all people who want to use data will be up to no good and immediately try to bend and break every rule.
I would also be in favour of companies having to report all their negative data protection judgements against them and everyone they will share your data with in their cookie banner before giving you the choice as to whether you trust them.
If any rule is going to be broken and impossible to enforce, how can that be a justification for keeping a bad rule rather than replacing it with more sensible one?
I said they'd try to break them. Which requires vigilance and regulators stepping in with an enormous hammer. So far national regulators have been pretty weaksauce which is indeed very frustrating.
I'm not against improving the system, and I even proposed something, but I am against letting data abusers run riot because the current system isn't quite 100% perfect.
I'll still take what we have over what we had before (nothing, good luck everyone).
Then we clearly disagree on what they should be doing.
And this is the crux of the problem. The law helps a tiny minority of people enforce an extremely (and in my view pointlessly) strict version of privacy at the cost of misleading everybody else into thinking that using analytics for the purpose of making usability improvements is basically the same thing as sending personal data to 500 data brokers to make money off of it.
I would draw the line where my personal data is exchanged with third parties for the purpose of monetisation. I want the websites I visit to be islands that do not contribute to anyone's attempt to create a complete profile of my online (and indeed offline) life.
I don't care about anything else. They can do whatever A/B testing they want as far as I'm concerned. They can analyse my user journey across multiple visits. They can do segmentation to see how they can best serve different groups of users. They can store my previous search terms, choices and preferences. If it's a shop, they can rank products according to what they think might interest me based on previous visits. These things will likely make the site better for me or at least not much worse.
Other people will surely disagree. That's fine. What's more important than where exactly to draw the line is to recognise that there are trade-offs.
The law seems to be making an assumption that the less sites can do without asking for consent the better most people's privacy will be protected.
But this is a flawed idea, because it creates an opportunity for sites to withhold useful features from people unless and until they consent to a complete loss of privacy.
Other sites that want to provide those features without complete loss of privacy cannot distinguish themselves by not asking for consent.
Part of the problem is the overly strict interpretation of "strictly necessary" by data protection agencies. There are some features that could be seen as strictly necessary for normal usability (such as remembering preferences) but this is not consistently accepted by data protection agencies so sites will still ask for consent to be on the safe side.
My problem is that users cannot make this personal decision based on the cookie consent banners because all sites have to request this consent even if they do exactly what they should be doing in their users' interest. There's no useful signal in this noise.
The worst data harvesters look exactly the same as a site that does basic traffic analysis for basic usability purposes.
The law makes it easy for the worst offenders to hide behind everyone else. That's why I'm calling it counterproductive.
[Edit] Wrt NHS specifically - this is a case in point. They use some tools to analyse traffic in order to improve their website. If they honour their own privacy policy, they will have configured those tools accordingly.
I understand that this can still be criticised from various angles. But is this criticism worth destroying the effectiveness of the law and burying far more important distinctions?
The law makes the NHS and Daily Mail look exactly the same to users as far as privacy and data protection is concered. This is completely misleading, don't you think?