The GDPR’s biggest fail


If the GDPR did what it promised to do, we’d be celebrating Privmas today. Two years after the GDPR became enforceable, privacy should have become the norm rather than the exception in the online world.


But it didn’t. And it’s not because the GDPR is poorly enforced. It’s because it’s too easy to claim compliance to the letter of GDPR law while violating its spirit.


Want to see how easy? Try searching for GDPR+compliance+consent:


https://www.google.com/search?q=gdpr+compliance+consent


Nearly all of the ~21,000,000 results you’ll get are from sources pitching ways to continue tracking people online, mostly by obtaining “consent” to privacy violations that almost nobody would welcome in the offline world.


Imagine if every shop you passed on the street sent someone outside to painlessly jab a needle into your neck, to inject a load of tracking beacons into your bloodstream. If you were to ask why they do that, they’d say it’s so their third parties can do “analytics” and show you “relevant” and “interest-based” advertising. Would you be okay with that?


Well, that’s what you’re saying when you click “Accept” or “Got it” when a typical GDPR-complying website presents a cookie notice that says something like this:



That one is from Vice, by the way. Here’s how the top story on Vice’s front page looks in Belgium (through a VPN), with Privacy Badger looking for trackers:


The number of potential trackers Privacy Badger finds here in California (without a VPN) is fourteen.


What are these entities up to? I do know DoubleClick follows you for advertising purposes. Google Analytics follows you too. Yes, Google says you’re anonymized somehow in both systems, but you are being followed. Worse, stalked. (Look up the verb. Top result: “to pursue or approach prey, quarry, etc., stealthily.” That’s what’s going on.)


Get this: There is also no way for you to know exactly how you’re being tracked or what is done with that information, because the instrument for that—a tool on your side—isn’t available. It probably hasn’t even been invented.


And this: You have no record of having agreed to anything. No audit trail. Nothing of the kind.


Let’s go back to first principles here: It is just as wrong to track a person like a marked animal in the online world as it is in the offline one.


The GDPR was made to thwart online tracking. On the whole it has not. Instead, it has made the experience of being tracked online a worse one.


Yes, that was not the intent. And yes, the GDPR has done some good.


But if you are any less followed online today than you were when the GDPR became enforceable two years ago, it’s because you and the browser makers have worked to thwart at least some of it.


So, nothing to celebrate. Not this Privmas.

Published on May 25, 2020 17:07


Doc Searls's Blog

Doc Searls