On one hand, I agree that these "dark patterns" undermine what legislators and voters want in terms of consumer protections and rights. Consumers and legislators need to be aware of it.
On the other, I think it leads to a banal conclusion. Legislation tried to achieve something by putting responsibilities/restrictions on corporations. It did not achieve its goals, because companies "implementing" the law have different things they want to achieve.
One common sense conclusion is "moral failings." I expect most journalists and legislators refering to this report will be in this category. Google is greedy. FB is cynical. Nowhere to go from here but moral righteousness.
Another common conclusion will be "loopholes." This will send us down the legislative rabbit Warren that financial regulation and tax law has been down.
The right (imo) conclusion is that the whole approach is wrong. We cannot rely on explicit (or even implicit) contracts between a website and every person who visits it.
There must be rules, not contracts. Where users need control or an agreement has to be made, these need to be baked into browsers, where the party implementing "user empowerment" are not the ones losing from it.
Moving to a world where an average consumer "signs" multiple agreements with companies per day.. that's not what our legal conventions were made for.
The GDPR is quite explicit on what consists of consent.
This means that if European privacy regulators agree that this approach does not in fact means that users consented then Facebook/Google/Microsoft may be violating the GDPR.
I think this is where, at least in theory, the GDPR is a major step forward: it has clear instructions on how information should be presented to users. Now we have to see if that theory actually becomes reality.
The GDPR is quite explicit on what consists of consent
I've had this argument a couple of times and I think it comes down to the semantics, though legal and legislative semantics are a little richer than most.
What I mean is that gdpr makes its intentions quite clear, but that's not how the legal system parses laws. What the consequences of gdpr are, in terms of practice is (1) all website visitors must sign a contract with the site owners (2) there are now some conventions and controls governing these contracts (3) the contracts empower the website owner to do most (not all) of what they could do before gdpr.
Gdpr does quasi-explicitely force website operators to provide "i don't agree" option. There are two potential ambiguities that could nullify this: (1) the exceptions in gdpr are ambiguous enough that all sites/services can claim them (2) dark patterns described in this paper make it so that a majority of users consent anyway.
IMO, considering "click here to agree and continue to the article" a valid consent is ridiculous. Contracts work when they are rare. We cannot solve this consent problem this way.
Contracts work fine if they are common. Suppose you are in a bar buying one drink at a time. Each time you buy a drink you enter a new contract. Is that a problem? No.
The 'click here to agree and continue to the article' is a problem in the context of the GDPR because consent has to be given freely and cannot be a requirement to obtain a service.
That's a big departure from the cookie law, where this kind of forced consent is allowed.
1) they really are not ambiguous at all in these cases, it is clear cut that these sites deliberately tries to get away with going directly against the law
2) these dark patterns are illegal, and they are illegal just because they do "force" users to consent
> It did not achieve its goals, because companies "implementing" the law have different things they want to achieve.
If this is what we think the law has become, we're screwed. Not just on privacy or dark patterns but generally.
I think you are missing a small, but crucial, step. We haven't yet seen how much effort will go into enforcement of those responsibilities and how many major fines result. I still have (probably extremely naïve) hope to see some $1bn+ fines, and soon. Then repeat for each follow-up attempt to evade the law. Presumably to Facebook for the "show trial" as they always seem the most egregious offender on clear privacy choices. As so nicely demonstrated by the pattern flowcharts here.
Then companies might interpret the law as something they must obey rather than deciding if they align with corporate goals before opting in.
> There must be rules, not contracts. Where users need control or an agreement has to be made, these need to be baked into browsers, where the party implementing "user empowerment" are not the ones losing from it.
Yes! This is the right way. Unfortunately it's also looks like it's going to be really, really hard, because the platform did not evolve with this foresight.
On one hand, I agree that these "dark patterns" undermine what legislators and voters want in terms of consumer protections and rights. Consumers and legislators need to be aware of it.
On the other, I think it leads to a banal conclusion. Legislation tried to achieve something by putting responsibilities/restrictions on corporations. It did not achieve its goals, because companies "implementing" the law have different things they want to achieve.
One common sense conclusion is "moral failings." I expect most journalists and legislators refering to this report will be in this category. Google is greedy. FB is cynical. Nowhere to go from here but moral righteousness.
Another common conclusion will be "loopholes." This will send us down the legislative rabbit Warren that financial regulation and tax law has been down.
The right (imo) conclusion is that the whole approach is wrong. We cannot rely on explicit (or even implicit) contracts between a website and every person who visits it.
There must be rules, not contracts. Where users need control or an agreement has to be made, these need to be baked into browsers, where the party implementing "user empowerment" are not the ones losing from it.
Moving to a world where an average consumer "signs" multiple agreements with companies per day.. that's not what our legal conventions were made for.