this post was submitted on 23 Sep 2023
964 points (98.7% liked)

Technology

59312 readers
4597 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Can you blame it?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 year ago (1 children)

As someone from the UX side of the fence, I can assure you that there are a lot of legitimate convenience and or fraud protection reasons for why a company might store PII server side for the user’s convenience. Targeted marketing isn’t the only reason to store identifying information.

[–] [email protected] 23 points 1 year ago (1 children)

Fraud prevention is a legitimate interest and does not need a consent request.
I'm pretty sure that is specifically called out in GDPR. Certainly ICO (UK) has loads of articles on it.

However legitimate interests are often difficult to demonstrate compliance, so it can be easier to rely on consent.

[–] [email protected] 10 points 1 year ago (1 children)

Imagine if fraud prevention mechanisms were ineffective if you do not consent to targeted advertising.

Black Hat: Darts! These darks patterns got me again, I accidentally consented, now I won't be able to bypass the captcha!

[–] [email protected] 2 points 1 year ago (1 children)

God, let's hope nobody ever tries that. Higher prices because you don't consent to more invasive tracking, because it poses a higher fraud risk to the company.

Thankfully, processing the same data for fraud prevention should be a different consent process/option than processing it for targeted advertising.

That's kinda the point.
Any server you connect to knows your IP address. As does any equipment between your home network and the remote server. It has to, that's how networks work.

Processing that to ensure your IP isn't abusing their servers is legitimate interest.

Processing that along with your interactions with their website likely isn't legitimate interest, so has to get consent (as this is likely profiling or user tracking, regardless of cookies used)

You could argue that it is legitimate interest, but then you have to back it up in your privacy policy as to why it is required, and it could be easily challenged as it's such a broad and subjective term (whether that challenge goes anywhere is up to enforcing bodies, like the EU/ICO/whatever).
The idea is that the barrier of entry for "legitimate interest" is high enough and that abusing legitimate interest carries a risk, so that it isn't the default.

Just because you have access to the data, doesn't mean you can use it however you want.

[–] [email protected] 2 points 1 year ago (1 children)

Some French websites have already started saying "Accept advertising trackers or subscribe to the paid plan". Marmiton started it, some newspapers followed suit, and I don't believe the French courts have reached a conclusion on legality yet, but clearly some legal experts at those companies are convinced it could work.

[–] [email protected] 3 points 1 year ago

I can understand where the newspapers are coming from. At lot of mobile apps do this, ads vs paid versions.

But an ad companys product is not to the end user, and often their interests are at odds to the end users privacy.
They want to show ads to people where they are most effective. They want to prove they have shown the ads, and they want to prove that the user has been influenced by the ad.
All of this needs ridiculous tracking to support their business model.

It's the ad companies at fault.
If you decline consent to an ad company, then they should show you generic adverts.
If a website requires ads vs subscription, then accepting data processing consent should not be part of the contract.
So, as long as the websites give you the option to decline data processing from the ad company without affecting your ability to use the website, then it's fine.