Fun facts about GDPR and its effect on the Internet
The General Data Protection Regulation (GDPR), a new law to protect the data of people in the EU and EEA, was implemented on Friday.
While I have to admit that I'm not particularly fond of some of the requirements of GDPR, I think something like the GDPR was necessary to get online advertisement and tracking by large and small publishers in check.
One effect that I'm not particularly fond of is that European users are bombarded by "please accept" overlays or popups on sites, by emails stating that privacy policies were updated, and by emails asking users to verify newsletter subscriptions. It feels like the "we use cookies" invasion of sites all over again.
Some companies decided to block users from the European Union instead of creating a service that is compliant with the GDPR. That's somewhat understandable from a pure business perspective but if you look at it from a customer's perspective, it is probably not.
I'd like to present two examples of positive effects that the GDPR has either directly or indirectly.
Example 1: USA Today
If you visit the USA Today website from the European Union right now, you are redirected to https://eu.usatoday.com/. The page loads blazing fast as it comes without advertisement, tracking, and many of the scripts that run on the main USA Today website.
The site makes a couple of connections to a content delivery network but no third-party requests besides that.
Downside to this is that you get a basic site; it has no menus, no news sections, or anything else. You can read the top news on the site without ads or tracking.
Example 2 The Verge
The Verge displays a "we use" message at the bottom of the page. The only option presented to users is to click on the "I accept" button.
Unless users click on the button, virtually no script or tracking code is loaded. You can navigate the site without hitting accept, but the message won't just go away if you don't.
What you can do, however, is hide the overlay without accepting it. If you use uBlock Origin for example, you could use the element hider to hide the overlay and browse the Verge website without advertisement or tracking.
The technique should work on any site that displays similar messages to you when you visit them.
Closing Words
Many sites and businesses still work on their implementation of getting user consent and things will probably change for many of them in the coming weeks and months.
Users from outside of the EU may benefit from the GDPR as well as some companies announced that the worldwide implementation of GDPR compliance. Another interesting option that users have is to use a VPN and a connection to a European server to get the same treatment that EU citizens get.
Now You: What's your take on the GDPR so far?
I know that the advice that you sometimes read about never clicking on links in emails is totally impractical, but this sounds like a gift to spammers and hackers.
@anonymous said on May 29, 2018 at 6:50 am – that is not necessarily true
GDPR has certainly become a topic of discussion. I view it as an imperfect solution to a very difficult problem, with the bottom line being at least someone has decided it’s time to step forward and actually take action. Here in America our government, clearly being ignorant of almost everything related to the Internet, has opted to do very little about consumer privacy issues. So despite all the perceived flaws tied to GDPR, it’s still a step forward. Its detractors can come up with dozens of faults, but most are apparently unaware that there’s no easy way to craft a law. In the end some will benefit, some will not, that’s just a given. For those who live in their own bubble of entitlement and can only find fault with GDPR, please come up with your own magic solution that will benefit anyone and everyone.
I couldn’t agree more, svim.
Let’s take an example of how some sites dare treat visitors given the GDPR.
I was checking a few places yesterday to see how they’d deal with this GDPR, wasn’t surprised when sending https://search.yahoo.com/ led me to a full page notification/barrier/warning :
https://guce.oath.com/collectConsent%5B…] where I’d read:
“Select ‘OK’ to continue using our products, otherwise, you will not be able to access our sites and apps.”
Now that’s explicit, right? In other words the user has to consent to Yahoo! tracking policy in order to access their very search engine page (at least, haven’t tested other services).
When I see that, I do click … to quit the page. I’m sorry, no intention to be rude, but I call such an attitude in the face of the GDPR as that of a jerk company. Period.
“Select ‘OK’ to continue using our products, otherwise, you will not be able to access our sites and apps.â€
…….and that is not permitted, under the terms of the GDPR!
USA Today is yet another great example of what is too often seen here in the Wild West when connecting to websites.
Content blocking disabled: One minute, “149 domains connected”, 1,447 network requests for 48.7 MB of data.
Content blocking enabled: Page load time 8 seconds, 5 domains connected, 264 network requests for 10.8 MB of data. I’ve allowed 2 domains to be connected to for embedded video to work otherwise total domains connected would be 3.
We don’t need no stinking “GDPR” here in the US of A. Or do we? :)
Screenshots:
https://s33.postimg.cc/8vwsk3q1b/USAToday_Content_Blocking_Disabled.png
https://s33.postimg.cc/6rcfj13u7/USAToday_Content_Blocking_Enabled.png
Let’s take Tom Hawack and comments he makes on ghacks–go ahead, highlight, right click, search for on DDG and we have a site promoting privacy exposing comments made by readers:
https://www.ghacks.net/2018/04/11/youtube-container-for-firefox-isolates-youtube-in-the-browser/
https://www.ghacks.net/2018/02/08/how-to-enable-extensions-in-microsoft-edges-inprivate-browsing-mode/
On and on . . . .
The “point” jasray intends is unclear. In any event, it seems like an unmerited attack (bullying) of a fellow commenter.
Martin, please consider deleting this.
Strangely enough, I did not read anybody who was writing about the Mozilla Addon I don’t care about cookies 2.8.5 which does totally get wright of all GPDR effect’s on main Windows 10 64 bit pro. 64-bit Firefox browser version 60.0.1?
https://www.i-dont-care-about-cookies.eu/
https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/
My problem with the ‘I don’t care about cookies’ is that I don’t know,
if it only removes the notifications (“This add-on will remove these annoying cookie warnings from almost all websites!”)
or if it removes them by accepting, via script, the consent these notifications require (“By using it, you explicitly allow websites to do whatever they want with cookies they set on your computer”)
When I get a notification removed with either a css line (i.e. #cookie), or by a uBO filter, I’m not accepting anything. If an extension removes the notification by simultaneously (via script) accepting its requirement, it’s not at all the same thing.
Indeed, its not the same thing Tom.
But I don’t actually worry what cookies “any” site puts on my setup. I hold a text file containing my master list of cookies, on a NAS, so it works from any and all PCs, and each browser re-start erases the entire list of cookies, and loads up the master list.
Job done! :)
OK, Sophie, but cookies remain during the entire browser session and, unless (in Firefox) ‘First Party Isolation’ is set to true, there may be cross-site cookie access…
Searching for ‘GDPR’ on Mozilla’s AMO just brought me to an extension which intends to allow non-EU users to be perceived as being from the EU in order to take advantage of the GDPR regulations:
Trans Europa Express at https://addons.mozilla.org/en-US/firefox/addon/trans-europa-express/
Described as “a browser extension to find and run the JavaScript that sites use to detect whether or not you’re European, so that you get better better privacy by default.”
And, as a comment states it “Making it look like I am in Europe so I get all the fancy European respect for my privacy starting May, 25, 2018! Good plan”
Enjoy!
That’s an interesting idea, wonder how they do it.
And the funny thing is that, while EU users may complain of this GDPR motivated “please accept†overlays or popups, users from elsewhere may wish to take advantage of GDPR despite these overlays and popups : it is definitely relevant of a user’s concept of the importance he gives to his privacy.
On one hand, non-EU users very keen to have EU-privacy…..on the other hand, EU users, very keen not to have pop up overlays!
The problem is, we all remember only too vividly, how incredibly annoying the EU Cookie directive was!!! It mushroomed everywhere, into almost every corner, and we don’t want to see that all over again, in a different form.
I’m part of a company that has decided that doing business with anyone in Europe is not worth the headaches. It’s not just this but many other past stipulations as well that broke the camel’s back.
For example:
https://www.practicalecommerce.com/Selling-in-Europe-Beware-strict-consumer-protection-laws
When does the walled garden start to become a detriment? Not sure but I guess we’ll all eventually find out.
Ah, yes, pretending that the solution to the problem is the problem itself. Maybe your (and other) companies should rethink what the heck they are doing before criticizing the GDPR and new ePrivacy that replace the DPD (1995) and old ePrivacy (2002), both of which foremost harmonize the relevant legislation across the EU.
There is nothing anti-American, anti-capitalist, or anti-competition about it.
@Jessica,
“There is nothing anti-American, anti-capitalist, or anti-competition about it.”
So true, except for those who consider whatever intervention in their enforcement-free concept of business as a communist-driven approach to the free world. America itself is starting to realize that the very basis of its economical and cultural philosophy is at risk with the loss of competitive standards tied to oligarchies’ aim to drive the world. Ant that, that only, is dictatorship, financial dictatorship in its conquest of a world which would be free of any regulation, hence destabilizing the very fundamentals of democracy. Read American press, medias; indeed, nothing to do with anti-American or anti-capitalist aims, but rather in fine with the survival of competition. That’s the whole point.
This is no politic, it is sanity.
Nothing complicated when companies have a clean data-collecting policy. They frown, threaten because the Web is not deploying in conformity to their expectations, expectations all based on user data collecting in the same way countries’ economies collapse with the oil barrel price drowns with oil-dependent income.
Just stop it, change your business plans, you’ll survive as hundreds of Web sites survive, with advertisement (which is already a pain for users) but without data-tracking-driven systematic inquisition.
Some companies close their doors to EU users? No problem. Same as hell’s door which, according to an English theologian, is closed from the inside : those companies are excluding themselves far more than excluding users.
@Tom – I agree. Keep the advertising, as its understandable that sites have to support themselves. But make that advertising “ethical”, and stop the tracking!!! It’s greed for data, that sometimes seems insatiable.
And close the door to EU users? Well, either good riddance….or I’ll use my VPN if I have to.
Long Live GDPR. Ouf, finally.
Not all sites deliver the “please accept” overlays or popups and I assume that those who do are directly concerned by this GDPR given their privacy policy whilst others are not (or have’t yet injected the GDPR obligations in their policies).
As mentioned by Martin in the article,
1- “It feels like the “we use cookies” invasion of sites all over again.” : so do I. Maybe dedicated extensions, filters will be made available as they are for the ‘EU Cookie Law’.
2- ” If you use uBlock Origin for example, you could use the element hider to hide the overlay […]”
Indeed. I’ve added a GDPR dedicated sub-group in my ‘uBO / My filters’ for rules pertinent to hide site specific (or global if applicable) GDPR “please accept” overlays or popups:
! EU GDPR (General Data Protection Regulation)
timeanddate.com###mpo
userstyles.org##.NotificationLine
Only 2 rules at this time, lol. A work in progress :=)
Note : I haven’t encountered a GDPR notification on theverge, which could mean (just an hypothesis) that user browser defense settings (mainly uBO) maybe make the warnings obsolete in some conditions. No idea, really.
I doubt that The Verge is fully compliant to GDPR. You can’t show only an “I accept” button.
Forbes and TechCrunch are also in the “we don’t care for laws” club.
Then again, GHacks’ wording is “In order to run a successful website, we and certain third parties ….”, like Martin means to say that it’s a necessary legitimate interest of his to show me adverts and collect information about me in order to provide the service of … static text.
Whois will become usesless if Brian Krebs is right
and a new dawn for spam will begin
“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty,†Rasmussen said. “Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.â€
I agree with Brian Krebs that it could be a disaster for spam.
The Whois system will become useless as details are hidden on privacy grounds.
Even fake ID’s are used repeatedly and are therefore useful,
but soon they’ll disappear with GDPR.
A few emails from legit companies mean little,
contacting them to delete data is unlikely
and most are confused as to whether they update their policies or delete people wholesale.
The fines however are real and will begin with the bigger companies,
who can afford to address the issue.
A mixed bag then…
WHOIS was already useless before the GDPR and it’s an archaic system that needs to be replaced or retired. And those that need legitimate access to its info can still get it.
@Jessica:
I was going to say this. Whois has been useless for a long while now, except for spammers. Many people (such as myself) have been using “privacy shield” systems from registrars for years, and even more people simply lie or fail to keep the contact information current.
It will be a potential disaster, if the EU-style “we use cookies” type issues are repeated all over again. For a long time, I have used filters and an addon to try and suppress some of those messages. (block-eu-cookie-shit-list + prebake)
But you can’t generally hide the overlay without accepting it, as Martin alludes to, because generally – those overlays will come with some form of Javascript screen dimming, so if you hide the box with an element hider, you’ll still end up with a dimmed screen. Probably best to turn Javascript off to assist with that then, but that will reduce the functionality of the page.
I’m all for what GDPR tries to promise, but policing it and getting it all right, could be harder than policy makers might think, and if we end up with yet another whole batch of “EU cookie/privacy prompts”, then it could end up being a rather mixed blessing.
VPN use is increasingly a must, especially when you put Net Neutrality into the mix. To be honest, I’m up to 100% VPN usage now. It’s a key component of Net usage.
Ultimately, the Net is being too controlled in so many ways, and presents us with “humanity” in quite an ugly form. I often yearn for simpler, more innocent days, now only fond memories.
The so-called “cookie law” was added as an ammendement in 2011 to the ePrivacy Directive from 2002. The new ePrivacy Regulation complements the GDPR and aims to put an end to the prompt excess and consecutive user fatigue by instead requiring sites to respect browser settings for site data (which includes cookies) by law.
So, clear enough. Thanks Jessica.
You’re welcome, Tom! Also, s/ammendement/amendment
The new ePrivacy also means that explicit consent is not required for non-tracking purposes such as storing shopping cart items (and similar) via cookies.
@Jessica,
“The new ePrivacy also means that explicit consent is not required for non-tracking purposes[…]”
This is fundamental. One must be available to visit a website without whatever consent, explicit as implicit. Once data is required to carry on a service, paid or free, then and then only is consent required, consent which obliges both parties. Many sites inverse the process by asking consent for data tracking as a condition to visit the site, which is in contradiction with the GDPR. I do hope these behaviors will be taken care of.
@Sophie “those overlays will come with some form of Javascript screen dimming, so if you hide the box with an element hider, you’ll still end up with a dimmed screen”
I just click on the dimmed area and remove it. Done. No problem here.
Good to know, Malte. Thank you, and I’ll try it as and when I see it. Element hiding is going to be one of the only tools I think, if we are not prepared to keep a sites’ persistent cookies.
@Sophie, good morning,
“if you hide the box with an element hider, you’ll still end up with a dimmed screen.” — Depends. I’ve seen sites where hiding the GDPR message box works fine and some other sites which block at one point or another if the user hasn’t explicitly given his consent (by clicking an agreement checkbox).
Sites which keep EU-IP users out can do just that as far as I’m concerned: competition is the master-word in a master planet Web economy and if their business plans cannot handle their sudden misfortune then they might as well keep their doors closed.
Sites which require a user’s explicit consent to run can go to hell. When cookies are regularly cleaned having to click again on the consent form is a pain. GDPR explicit user consent made mandatory = site ejected, here.
It’s a user’s choice. GDPR will inevitably have an impact on several sites where users will pay the consequences of these sites’ frustration : it’ll be up to each of us to decide if we skip those sites or not. I will.
@Tom Hawack
Yup, that’s my thinking too. I can do without such sites (except this one, ha), and it’s great to know who they are.
That said, I think they could come up with a better method to alert users, so as to not continuously nag users who regularly visit such sites who clear their cookies and/or such. Or just an easier/standard way to keep specific cookies as needed, if that’s even how it works with GDPR. Note, I’m amusing here that if you keep the cookies then you only get those nags once, but IDK if that’s always the case with this GDPR thing. Regardless, I’m sure there’s room for this to get better for all users and admins, but I like this first step.
@ Tom – yes, agreed…..many sites will fall by the wayside, and there will be a drive for what really matters in the scheme of it all.
I have found it hard to get rid of screen dimming, but I guess that’s a case by case thing.
My “master cookie list” is quite small, and ring-fenced. So you can imagine that if all “those sites” – whoever they may be, get their cookies quite rightly erased, and often…then those messages/warnings really will soon become tiresome, when they keep coming up. Goodness knows, the original EU cookie warning practice – was really quite awful.
There then exists the decision, do we bother with them any more!
Poor old Martin has even had to make us tick a box each time just to comment. The jury is still out for me, as to how much GDPR is to be welcomed. Let’s hope its generally an improvement.
@Sophie, comparing the ‘EU Cookie Law” to GDPR, beyond their very content, has its limits, IMO.
The ‘EU Cookie Law’ concerns practically all sites when the GDPR aims sites collecting user data (collecting and sharing), which are far less numerous. I don’t think we’ll be bothered with GDPR overlays, popups as we’ve been and continue to be with ‘EU Cookie’ reminders, not to mention that filters and extensions will likely appear to help users visit a site without having to agree to have their data collected for such a futile reason.
Thank you Tom. I didn’t consider that filters might be able to help, because Javascript “overlays” have (I think) a history of being quite hard to control and eliminate. I hope you’re right then, in your belief, that filters will soon be able to be added to assist in stopping such overlays!
The Washington Post: Displays the WaPo white letters on black banner at the top of screen & blank white page below. The LA Times & Chicago Tribune display this message: “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”
I love it. I wish America would be as much as private as Europe. In America, you can easily look up people’s home address, phone number, and date of birth. Not so in Europe.