This is fantastic, and I hope it stands up on the presumably inevitable appeal. It's the most obvious way of eventually getting rid of per-site cookie notices - make DNT legally enforceable and cookie notices become irrelevant for people who have it switched on. I run an agency that builds websites for non-profits and we respect DNT by not tracking and not even displaying the cookie notice. The only thing I've wondered about is whether we show a one-off notice saying "we note your DNT setting and we've disabled tracking" just because I wonder if users become suspicious that we're tracking them by default if they don't see a cookie notice!
Better would be to not (try to) do anything that requires cookie notices in the first place. Might not always be your decision but at least try to push back on the notion that this kind of tracking is needed at all.
Never our decision you mean ;) Funnily enough, the nonprofit space can be even tricker to dissuade from tracking. ROI in nonprofits can be really ephemeral if the the aim is "raising awareness" whereas if you're selling something, there's a clear bottom line. In those circumstances if you want figures to present to the board in terms of ROI, something that requires tracking like "return visits" is a hard number. Nonprofits also have to make the best use of minimal funding, so efficient use of resources on publicity is absolutely key. The only site we've built that doesn't have opt-in tracking is one for a domestic violence prevention service which didn't want any tracking to reduce the traces in visitors' browsers.
Need can only be assessed relative to one's goals. Many business models depend on tracking, so if your goal is to run such a business, then it's needed.
This is how the cookie law should have been implemented and it was absolutely one hundred percent the fault of the lawmakers for not implementing it this way. The millions of hours bureaucracy has wasted having people click through banner pop-ups is entirely on the makers of the law, not the offenders.
Are you being sarcastic? Cultural mores are different in the EU, lawmakers there began with a presumption of basic good faith on the part of business which turned out to be lamentably lacking in the international market. This is 50% the fault of the people trying to circumvent/undermine the law rather than cooperate with it.
There is no “cookie law” and no mandate that banners are used etc. Regulation should try to avoid languages in specific technology as much as possible - and the GDPR does.
> It's the most obvious way of eventually getting rid of per-site cookie notices - make DNT legally enforceable and cookie notices become irrelevant for people who have it switched on.
I think this is unlikely to happen, because most websites actually want to track you. So they will display the banner anyway, or perhaps a slightly modified version like "we noticed you have your DNT turned on, but are you willing to make an exception just for us?"
That gives them a chance users will consent anyway to get rid of the cookie banner. And they will argue that a specific consent given on their website overrides the generic non-consent represented by DNT.
My mom actually texted me once that she didn't like a site I shared with her, because it did not allow her to disable cookies... After a quick investigation it was because they weren't collecting any.
It's important to note that Cookie banners and GDPR are separate things and that these pop-ups are covering both purposes in a lot of cases. So even with a DNT flag, many sites will still need explicit, advance permission to process data, and cookies will still be a method for technical enablement.
In an ideal world, respecting DNT would instantly bin 95% of the cookies and data processing requests, but I'm still getting automatic (and permissionless) marketing subscriptions from companies when I make purchases, and the British ICO seems unwilling to intervene, so it seems unlikely that DNT being case law is going to have any quick effect on things.
I wouldn't worry about that last concern. The overwhelming signal from users is that they don't actively think about tracking most of the time. If you show no banner, they'll assume nothing one way or the other.
Just put up a `Privacy` link for those actually conscious of the topic to give them details; you'd be doing both categories of users a solid tucking that info out of the way.
You are one of the good people. Unfortunately, many will go the easy route: What it will do is that even more websites won't be available over here, and direct to a 451 ("Unavailable due to legal restrictions") error. This fragmentises the net.
The best way to fix that is for other countries to start improving their consumer protection laws so cutting off "problem" countries becomes less and less feasible for unscrupulous businesses. Meanwhile (slightly) more ethical companies can take over the EU market.
EU is a massive market. If some unscrupulous businesses don't provide their services here, I'd say good riddance. If there's enough demand, other businesses will take over.
I find it a bit hypocritical to associate the unauthorised tracking of visitors, usually for advertising purposes, with the themes of the Fahrenheit 451 book, which are are censorship, conformity vs individualism, the destructive role of technology, and the loss of critical thinking.
I use a lot of news aggregators, and never once got a link to a 451.
I think part of that is also that it's not foolproof to identify where a user is connecting from. Because I think legally, you can't use "but that user had an US IP address" as an excuse why you broke EU law against an EU citizen connecting from inside the EU.
We should get rid of cookies in general! And the web. Hear me out.
The Web makes it so that there is one server and lots of customers. It has to be hardened against SPAM, DDOS, etc. It pays all the costs. But also recoups them by tracking, it’s called surveillance capitalism.
Every site should have no idea how many people visited, actually. Just a bunch of static front-end content that gets passed around.
If people want to store their data, they can pay dumb pipes to store encrypted data.
Get rid of email too. Anyone who gets ahold of your email address can spam you. Instead people should pay for the dumb pipes to store messages, and you can give out capabilities for your attention. They can be transferable but if they are abused then you cut off the root of that tree. And you should charge for using them, too. Just cause someone has your public address doesn’t mean they can reach you.
In short, DNS and the Web and Email promote a certain dynamic where people invest in an upfront service and then take advantage of extreme power disparities forever, to recoup costs. And if they take on equity investors in a ponzi scheme until they IPO then they have more and more costs to recoup. There is no end to it. Wall street earnings depend on surveillance capitalism to continue.
It's a sad state of affairs that if I saw that message I would think positively of the website... Except that of you're only showing it once that means you're tracking me to know I'm a repeat visitor
That’s setting a cookie/local storage that can be used purely client side to determine whether to show the message or not. No tracking required because the server never has to see or store this.
Tracking cookies identify you across multiple sites. If some front-end JavaScript sets and checks a cookie for "has visited" on a single site, that's not considered tracking. It's non-identifying and harmless.
Storing previous_visitor=1 into local storage is not the type of tracking most people are objecting to, nor is it against the gdpr until you start having user specific indicators or trying to use a collection of values as a fingerprint.
I still don't get why websites are not able to find in-house ad solutions that are not provided by third parties. Major sites look like shit due to ads placed without thought or care. This should be handled like magazine or newspaper ads. People selecting and placing them in the page with care. Would result in a better experience and wouldn't require any tracking.
I think that tracking to get "good ads" is a wish that never came true and it needs people with taste to choose products people would like to buy.
That's because of the silo formation in the advertising market. Agencies want to have an easy time to spend a large budget and they don't want to negotiate individually with thousands of parties. So they do a bulk buy from some large provider which then provides a centralized way to return the statistics. These serve to - somewhat - keep property owners honest because both click fraud and placement fraud would probably be rampant.
Not every kind of advertising is that suspect to fraud but for every budget out there there is some way to siphon it off without giving the advertiser what they were looking for. It's been an arms race between fraudsters and marketeers with the end-users caught in the middle, and between the marketeers and the users with respect to privacy issues. This ruling injects some sanity for those that have declared themselves to be non-combatants.
Youtubers get paid way more for custom in-video ads than they do for the automated ads that Youtube runs before and throughout their videos. If what you said was true then content creators wouldn't be going through the work getting these sponsors and sponsors wouldn't be bothering with the hassle of working with individual content creators.
> I still don't get why websites are not able to find in-house ad solutions that are not provided by third parties.
Because interacting with the advertising industry, or advertisers directly, is a lot more complicated than just slapping a banner spot on your page/app¹, and sites want to concentrate on with their core business rather than learning another one.
--
[1] finding people to advertise, negotiating rates, arranging reports of add positioning and response², detecting click-fraud, convincing your ad partners that you have dealt with any click-fraud & other such issues, convincing your ad partners that your agreement with them really did involve them paying you at some point before the heat death of the universe, etc.
[2] so they can marry that up with the logs of incoming attention on their systems
Even if a third-party is involved, they could serve ads based on the content of the page instead of showing me ads for the products I bought yesterday.
The market is full of fraud, and the surveillance exists as a counter to the fraud. Users are surveilled in an effort to prove that they are real users, not bots that are being used to fake impressions or clickthroughs. It's all very messy.
Place yourself in the shoes of an ad buyer: a random website offers to display your ad. How do you know what you're getting?
Only some billing models are vulnerable to fraud though. The old school "your ad here for 2 weeks for this price" is not vulnerable to it since you're no longer charging per click/impression.
The "measurement function" becomes the uptick in sales resulting from the unique link embedded in said ad and ultimately the money that lands in the bank.
> I still don't get why websites are not able to find in-house ad solutions that are not provided by third parties.
Because marketing department people come and go so they don't have time/motivation to learn some in-house tool. They know gtag and they are happy with it.
A webmaster wants to sell ad space, but doesn't want to go and court each and every marketer buying ad space who will just rebuff individual proposals anyway.
A marketer wants to buy ad space, but doesn't have time to sift through millions if not billions of websites and court their webmasters one by one.
Ad platforms bring together the webmasters and the marketers with a one-stop shop. The webmaster courts Google and gets ads to sell his ad space to. The marketer courts Google and gets ad space to put his ads on.
Finally! The Do Not Track header is the ultimate consent negation. It's an explicit "no". It's part of the request header which the server cannot claim ignorance of. That the web turned into this mess of consent popups despite the existence of Do Not Track is evidence of the bad faith of these corporations. They were clearly attempting to circumvent the manifest will of users. Worse: they turned it into an additional bit for tracking.
I would love for a codified way to specify this in the browser but that also makes way for the inevitable exclusions.
for example taken to the extreme, compliance with the DNT means that you can not use any site that even requires a login.
> it does not provide for a way to allow specific sites
That's a browser limitation. They currently implement it as a global setting. They could also allow the user to configure a whitelist of websites.
The lack of that feature doesn't invalidate it though. It's not a problem.
> the meaning of what to not track is not defined anyway
At a minimum, it means denying consent to everything you can deny consent to.
> taken to the extreme
All this complication and confusion just isn't necessary in my opinion. Tracking is the collection of any information the user did not explicitly provide for any purpose other than what the user wanted.
If I log into a website, I'm explicitly providing my username and password. The site didn't fingerprint me and automatically log me in based on that unique identifier, I did it myself. If I give a store my address so it can ship an order to me, I'm the one providing that information and only for that exact purpose. I certainly don't expect the store to sell my address to some marketing company which then starts spamming my physical inbox with advertisement garbage.
These corporations need to learn to do exactly what's asked of them and nothing else. We don't want them exploiting the information we trusted them with for unknown purposes.
This is the spirit of the GDPR: inform users of the data you collect and what it's used for, and anything not absolutely essential to the transaction may be denied. It is obvious to me that a Do Not Track header represents that blanket denial of any non-essential data collection and processing.
Most of the pseudo-contract BS that defines consumer-company relations is trash legal theory. It should have never held water in the first place.
The fact that our legal systems have tolerated and supported it, mostly demonstrates how intellectually weak the legal profession's philosophy and ethic is.
Companies, especially interacting digitally, use TCs, EULAs and other such nonsense like an incantation. Those are not agreements. They are stupid little rituals that strip users/consumers/whoever of all rights.
Any right that can be stripped by TCs... doesn't exist.
The whole concept of "by agreement" in these circumstances is bogus but... If it must be this way... Stack the deck in the other direction.
"By serving this browser a webpage, you agree to the following..."
By dripping a cookie, by recording this person's data. Pro user, pseudo-legal defaults.
Make "you must agree to X, before you use the product you bought" invalid. Give consumers the full right to unlimited time refunds, if divulging data or agreeing to terms (old or new) is a condition for using the product
This ridiculous deck can be stacked either way.
If I have to agree to a coercive contract intended not to be read, in order to use a device... Give me the right to say no and get a full refund at any time. At least invalidate the agreement.
Where TF are our judges, judicial philosophies, law professors? I want to ask "How could they let this happen' but the correct question might be "Why did they do this to us."
> you must agree to X, before you use the product you bought
To my understanding in many countries this is already illegal in practical terms. Users in those countries are usually permitted to just click through those kinds of agreements and they'll hold no legal water. A EULA must be shown before the user obtains the application or appliance (this for example is why Steam will ask you through click through accepting any third party EULAs before you can download a game and why third party EULAs for a game are listed and readable in an attention drawing yellow bar on their store page) and "back of the box link to the EULA" isn't allowed. (And even then, the majority of stuff in EULAs that goes beyond the liability-related stuff is illegal anyway since they forbid things that are considered rights you just have.)
The US is basically the only country where these kinds of shrinkwrap EULAs tend to have more use than fancy toilet paper as far as I know.
It's not illegal, it's just not legally binding. Accepting an EULA after purchase is more like "we would like you to comply to these license terms, but if you violate them, we can't do anything"
In a lot of countries only the terms that were accepted during purchasing are legally binding. So if you buy a windows license in a shop without signing a contract, than no additional terms except general copyright laws apply.
With SaaS and online services this got way more complicated though. They can always ask to accept new conditions and stop providing their services if you don't accept them.
Dishing out an EULA that contains non-enforceable terms should be criminalized. Probably if the deck wasn't so stacked for business, it would be quite clear to interpret such EULAs as fraud or attempted fraud.
But as the GP said, the whole thing is a total corrupt farce.
In Belgium, someone sued because windows showed its license only after you paid for it. It was declared illegal. Instructions about the license are now printed on every boxed copy of windows, so you know the license before you pay.
>> They are writing law in MS Word and negotiating any changes in law by sending paragraphs over email, which they check once a day at most.
Fair point. But, I don't think it's good enough, at this point.
Software is not new or marginal anymore, and the business of software certainly isn't.
Practices like terms and conditions... Its not something lawyers can't see. I've heard the same thing about patents and I don't really believe that either. Patent lawyers, specialists and reviewers are nerds... They're not "boomers."
There are no more excuses. It's just makes suck now.
Excellent news. Now let's see this taken up by the EU courts as well if they are challenged on this. But my guess is that the advertising world would rather do this on a country-by-country basis rather than to risk losing in all of the EU at once.
I'd love if this became a EU-wide law. If you send the DNT header, then you can't get cookie consent alerts since you already do not consent being tracked.
I don’t think there’s anything that would disallow asking the user questions. It’s rather that even if the user gives consent through a web UI, the DNT header would still continue to be sent, thus presumably immediately revoking the consent given.
Alternative reading: if mechanized expression of consent is now possible, then if you send a different header "Tracking-OK: True" all the cookie consent banners should now disappear.
It could be a great thing. 99%+ of all people would quickly learn to opt in to tracking to get rid of the annoying popups.
The US (outside of California) only has extremely anaemic data protection law. I don't think there's an established right to not be tracked there at all?
you can go only up so far the country court chain before you either lose or EU courts get involved.
If this goes to the Federal Court (BGH) in Germany they will "ask" the European Court of Justice for their interpretation of the applicable Union law (in this case the GDPR) and other national courts will take this precedent into account.
If LinkedIn does not appeal they will be required to follow the ruling. Even in this case it's not uncommon that national courts will look across the border.
As far as I understand it, they were not forced to respect the DNT header in their processes. They were only forbidden to claim that the DNT header would not be legally binding and therefore not respected.
The court did not force LinkedIn in any way to actually respect or at least consider the DNT-header in their processes.
The full decision can be found here [1]. The consumer protection agency did also seek that LinkedIn be forced to respect DNT, but the court did not grant this relief, reasoning that it was overly broad in two ways. First, it did not specify precisely enough what is meant by DNT — in particular, the suit did not limit itself to the DNT header, but referred to any kind of configured signals sent by the browser. Second, it described the behaviour that LinkedIn is supposed to cease when encountering such a signal in an overly broad manner.
If upheld, the judgement certainly seems to open the door for future litigation, and one might even hope for potential targets to adjust their behaviour in anticipation of it, but I would not hold my breath there.
To read that article, you need to pay or "freely consent" to personalised tracking. Sometimes I wonder if the people writing for that site, who no doubt have an IP whitelist or are logged in all the time, even realise the irony anymore
While that's true, the court also said, that DNT is legally binding. That's also in the article from heise that you linked, in the second to last paragraph.
But you're right. It sounds like the court interpreted it that way, but anyways, the ruling is only about the claim, not about whether they respect DNT or not.
One problem I've always seen when debating tracking was the broad scope of the word.
Take for instance three examples:
1. A shopkeeper that watches his customers for shoplifting and observes their flow in the store to know where to place products.
2. An online store that tracks what products people are looking at and what carts are abandoned the most.
3. A global ad-network that gets fed most of your browsing activity across the internet and creates an advertising profile for you.
Don't you agree that a difference in scale brings on a difference in kind somewhere on this axis?
The way I personally see it is that what a user does on your website is fine to observe, but when data is being shared to third parties is must explicitly have your agreement.
Even the term “advertising profile” is a very broad statement that leaves much to the imagination. They’re not all the same.
You can view and modify the ad profiles Google has for you [1] [2]. I leave it running because I’m vaguely curious what it will find. So far, the ad topics are extremely generic and not anything I worry about.
I'm not so sure those advertising profiles are "the data" as much as a simplified representation of the data for users to manage. I don't know about Google specifically but there's no way in hell the limit of Facebook's marketing profile is what they show you in their analogous interface.
In what way? What are the "necessary terms"? I honestly have read some of that legislation and didn't get clarity.
GDPR created a lot of burden for small companies and at the same didn't seem to offer that much protection against abuses from the likes of Google/Facebook.
What are those "European values" you speak of? I am in Europe and I shiver at the thought of others assuming that I feel the same way about certain issues than someone who lives all the way across the continent.
As someone who lives in the EU, I see this very often with US based websites - the ones that absolutely need the tracking cookies and the data suckage.
For the longest time I noticed that many of those websites, typically small-town newspapers, all ran the same CMS, developed by a former employer of mine. Part of the problem, at least back then, could have been that the CMS simply didn't have the ability to disable the tracking cookie based on visitor settings, and development had pretty much stopped years earlier.
What do you mean "need"? The only website whose business model is user tracking that I can think of are Facebook and google. Without tracking they would cease to make money.
Other than those two I don't see how spying on users is a business necessity.
I remember back in the day when GDPR was announced this was an actual thing. Nowadays tho, 9/10 of the website that used that message caved and are serving EU without problems.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
“Freely given” consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no.
I've always thought that's a bit weird. I think companies ought to be able to give the customer a choice of "paying" either by consenting to spying or by coughing up some cash.
excellent, at least the site is being honest. I would not need it in such a case. It's somewhat illegal (GDPR) but likely unenforceable when the entity resides outside the EU, and has no (official) business there.
Readit News
Better would be to not (try to) do anything that requires cookie notices in the first place. Might not always be your decision but at least try to push back on the notion that this kind of tracking is needed at all.
I think this is unlikely to happen, because most websites actually want to track you. So they will display the banner anyway, or perhaps a slightly modified version like "we noticed you have your DNT turned on, but are you willing to make an exception just for us?"
That gives them a chance users will consent anyway to get rid of the cookie banner. And they will argue that a specific consent given on their website overrides the generic non-consent represented by DNT.
How would you make it one-off?
In an ideal world, respecting DNT would instantly bin 95% of the cookies and data processing requests, but I'm still getting automatic (and permissionless) marketing subscriptions from companies when I make purchases, and the British ICO seems unwilling to intervene, so it seems unlikely that DNT being case law is going to have any quick effect on things.
Just put up a `Privacy` link for those actually conscious of the topic to give them details; you'd be doing both categories of users a solid tucking that info out of the way.
I use a lot of news aggregators, and never once got a link to a 451.
I think part of that is also that it's not foolproof to identify where a user is connecting from. Because I think legally, you can't use "but that user had an US IP address" as an excuse why you broke EU law against an EU citizen connecting from inside the EU.
Isn’t quite the argument you think it is.
The Web makes it so that there is one server and lots of customers. It has to be hardened against SPAM, DDOS, etc. It pays all the costs. But also recoups them by tracking, it’s called surveillance capitalism.
Every site should have no idea how many people visited, actually. Just a bunch of static front-end content that gets passed around.
If people want to store their data, they can pay dumb pipes to store encrypted data.
Get rid of email too. Anyone who gets ahold of your email address can spam you. Instead people should pay for the dumb pipes to store messages, and you can give out capabilities for your attention. They can be transferable but if they are abused then you cut off the root of that tree. And you should charge for using them, too. Just cause someone has your public address doesn’t mean they can reach you.
In short, DNS and the Web and Email promote a certain dynamic where people invest in an upfront service and then take advantage of extreme power disparities forever, to recoup costs. And if they take on equity investors in a ponzi scheme until they IPO then they have more and more costs to recoup. There is no end to it. Wall street earnings depend on surveillance capitalism to continue.
It is arguably tracking required for the functioning of the site which is a clear exception to the ban.
I think that tracking to get "good ads" is a wish that never came true and it needs people with taste to choose products people would like to buy.
Not every kind of advertising is that suspect to fraud but for every budget out there there is some way to siphon it off without giving the advertiser what they were looking for. It's been an arms race between fraudsters and marketeers with the end-users caught in the middle, and between the marketeers and the users with respect to privacy issues. This ruling injects some sanity for those that have declared themselves to be non-combatants.
Because interacting with the advertising industry, or advertisers directly, is a lot more complicated than just slapping a banner spot on your page/app¹, and sites want to concentrate on with their core business rather than learning another one.
--
[1] finding people to advertise, negotiating rates, arranging reports of add positioning and response², detecting click-fraud, convincing your ad partners that you have dealt with any click-fraud & other such issues, convincing your ad partners that your agreement with them really did involve them paying you at some point before the heat death of the universe, etc.
[2] so they can marry that up with the logs of incoming attention on their systems
Place yourself in the shoes of an ad buyer: a random website offers to display your ad. How do you know what you're getting?
The "measurement function" becomes the uptick in sales resulting from the unique link embedded in said ad and ultimately the money that lands in the bank.
If I buy a newspaper ad I don’t buy unless the paper is well known enough that I can trust their number they claim is their total circulation.
Yes: for the web this means no one buys ads on the bottom 99% of sites.
Because marketing department people come and go so they don't have time/motivation to learn some in-house tool. They know gtag and they are happy with it.
A marketer wants to buy ad space, but doesn't have time to sift through millions if not billions of websites and court their webmasters one by one.
Ad platforms bring together the webmasters and the marketers with a one-stop shop. The webmaster courts Google and gets ads to sell his ad space to. The marketer courts Google and gets ad space to put his ads on.
TL;DR: Efficiency and logistics. Capitalism ho!
So good to see legal precedent for it!
I would love for a codified way to specify this in the browser but that also makes way for the inevitable exclusions. for example taken to the extreme, compliance with the DNT means that you can not use any site that even requires a login.
That's a browser limitation. They currently implement it as a global setting. They could also allow the user to configure a whitelist of websites.
The lack of that feature doesn't invalidate it though. It's not a problem.
> the meaning of what to not track is not defined anyway
At a minimum, it means denying consent to everything you can deny consent to.
> taken to the extreme
All this complication and confusion just isn't necessary in my opinion. Tracking is the collection of any information the user did not explicitly provide for any purpose other than what the user wanted.
If I log into a website, I'm explicitly providing my username and password. The site didn't fingerprint me and automatically log me in based on that unique identifier, I did it myself. If I give a store my address so it can ship an order to me, I'm the one providing that information and only for that exact purpose. I certainly don't expect the store to sell my address to some marketing company which then starts spamming my physical inbox with advertisement garbage.
These corporations need to learn to do exactly what's asked of them and nothing else. We don't want them exploiting the information we trusted them with for unknown purposes.
This is the spirit of the GDPR: inform users of the data you collect and what it's used for, and anything not absolutely essential to the transaction may be denied. It is obvious to me that a Do Not Track header represents that blanket denial of any non-essential data collection and processing.
The fact that our legal systems have tolerated and supported it, mostly demonstrates how intellectually weak the legal profession's philosophy and ethic is.
Companies, especially interacting digitally, use TCs, EULAs and other such nonsense like an incantation. Those are not agreements. They are stupid little rituals that strip users/consumers/whoever of all rights.
Any right that can be stripped by TCs... doesn't exist.
The whole concept of "by agreement" in these circumstances is bogus but... If it must be this way... Stack the deck in the other direction.
"By serving this browser a webpage, you agree to the following..."
By dripping a cookie, by recording this person's data. Pro user, pseudo-legal defaults.
Make "you must agree to X, before you use the product you bought" invalid. Give consumers the full right to unlimited time refunds, if divulging data or agreeing to terms (old or new) is a condition for using the product
This ridiculous deck can be stacked either way.
If I have to agree to a coercive contract intended not to be read, in order to use a device... Give me the right to say no and get a full refund at any time. At least invalidate the agreement.
Where TF are our judges, judicial philosophies, law professors? I want to ask "How could they let this happen' but the correct question might be "Why did they do this to us."
To my understanding in many countries this is already illegal in practical terms. Users in those countries are usually permitted to just click through those kinds of agreements and they'll hold no legal water. A EULA must be shown before the user obtains the application or appliance (this for example is why Steam will ask you through click through accepting any third party EULAs before you can download a game and why third party EULAs for a game are listed and readable in an attention drawing yellow bar on their store page) and "back of the box link to the EULA" isn't allowed. (And even then, the majority of stuff in EULAs that goes beyond the liability-related stuff is illegal anyway since they forbid things that are considered rights you just have.)
The US is basically the only country where these kinds of shrinkwrap EULAs tend to have more use than fancy toilet paper as far as I know.
(I am however, not a lawyer.)
In a lot of countries only the terms that were accepted during purchasing are legally binding. So if you buy a windows license in a shop without signing a contract, than no additional terms except general copyright laws apply.
With SaaS and online services this got way more complicated though. They can always ask to accept new conditions and stop providing their services if you don't accept them.
But as the GP said, the whole thing is a total corrupt farce.
I'm not sure how this works if it's one of them subsidised phones however.
They are writing law in MS Word and negotiating any changes in law by sending paragraphs over email, which they check once a day at most.
Fair point. But, I don't think it's good enough, at this point.
Software is not new or marginal anymore, and the business of software certainly isn't.
Practices like terms and conditions... Its not something lawyers can't see. I've heard the same thing about patents and I don't really believe that either. Patent lawyers, specialists and reviewers are nerds... They're not "boomers."
There are no more excuses. It's just makes suck now.
It could be a great thing. 99%+ of all people would quickly learn to opt in to tracking to get rid of the annoying popups.
If this goes to the Federal Court (BGH) in Germany they will "ask" the European Court of Justice for their interpretation of the applicable Union law (in this case the GDPR) and other national courts will take this precedent into account.
If LinkedIn does not appeal they will be required to follow the ruling. Even in this case it's not uncommon that national courts will look across the border.
I think it will have to be challenged country by country to make them use this interpretation.
But this 100% sets a precedent for other EU countries.
The court did not force LinkedIn in any way to actually respect or at least consider the DNT-header in their processes.
This is how I (being a German native-speaker) understood this article by the usually very reliable heise online: https://www.heise.de/news/Do-Not-Track-LinkedIn-darf-nicht-m...
If upheld, the judgement certainly seems to open the door for future litigation, and one might even hope for potential targets to adjust their behaviour in anticipation of it, but I would not hold my breath there.
[1] https://www.vzbv.de/sites/default/files/2023-10/23-10-10_Stn...
But you're right. It sounds like the court interpreted it that way, but anyways, the ruling is only about the claim, not about whether they respect DNT or not.
1. A shopkeeper that watches his customers for shoplifting and observes their flow in the store to know where to place products.
2. An online store that tracks what products people are looking at and what carts are abandoned the most.
3. A global ad-network that gets fed most of your browsing activity across the internet and creates an advertising profile for you.
Don't you agree that a difference in scale brings on a difference in kind somewhere on this axis?
The way I personally see it is that what a user does on your website is fine to observe, but when data is being shared to third parties is must explicitly have your agreement.
You can view and modify the ad profiles Google has for you [1] [2]. I leave it running because I’m vaguely curious what it will find. So far, the ad topics are extremely generic and not anything I worry about.
[1] https://myadcenter.google.com/ [2] chrome://settings/adPrivacy/interests (if using Chrome on desktop)
If a person is the subject of your tracking, then you need that person's consent.
If an inanimate object is the subject of your tracking, then you likely in the clear.
The caveat is that if you track a person via your tracking of inanimate objects, then you better have that person's consent.
GDPR created a lot of burden for small companies and at the same didn't seem to offer that much protection against abuses from the likes of Google/Facebook.
is this "need for my business model" or "need because we can't send a package without your address"?
Other than those two I don't see how spying on users is a business necessity.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Consent must be freely given
“Freely given” consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no.
https://gdpr.eu/gdpr-consent-requirements/
The argument is that denying doesn't prevent you from acessing the site.
I recall there's precedent for this being legal, but I can't seem to find it. Search engines have really gone down the drain lately.
Deleted Comment