This is not GDPR’s fault. The guidelines are clear. Websites have to:
- ask users to explicitly opt-in to share their data
- not use legalese or similarly unclear language
It would be very easy to design an unobtrusive banner that did this. Something like:
We can share your anonymised browsing history with advertisers so you get tailored adverts. Share your browsing history →
Of course, no-one would ever click this link because no-one wants to be served adverts, or share their data with someone they don’t know. As a consequence, sites that rely on tracking and identifying visitors are getting round GDPR in the way they know best: obfuscation. They could rephrase this request to collect data by being honest about why they need it:
We can share your anonymised browsing history with advertisers so you get tailored adverts. We rely on the money we get from tailored adverts to pay our journalists. Please share your browsing history →
There are very few examples of sites doing this well. Smashing Magazine is one, although it recently moved to a part-subscription model for its income, so isn’t reliant on installing tracking cookies. The pop-up is a minor annoyance which presents a simple binary choice:
But old habits die hard. Techradar writes reviews of electronic things – it’s a useful resource if you’re comparing products. Here’s the popover they display when you visit their site. I’m sure they’re not the only website doing this sort of thing:
There are a few dark pattern techniques at play here that make proceeding without opting-in difficult:
- You only get to access the site immediately by clicking ‘I accept’ – the popover makes proceeding any other way impossible. Most users will therefore click ‘Accept’ without thinking.
- The ‘I accept’ link is bigger than the link to not opt-in (which isn’t labelled clearly, of course). It’s labelled ‘Show purposes’ and set in pale blue, hard-to-see 12-pixel type. It’s easy to ignore. The design implies it’s a secondary, perhaps technical action.
Unfortunately, clicking ‘Show purposes’ to not opt-in doesn’t end the process. Instead, it reveals the following:
Another popover to negotiate, using the same dark pattern techniques. The primary action is not to not opt-in (we’re in the land of the double negative), but to accept the site’s cookies. The secondary, ‘technical’ option is to Reject all. Presumably that’ll do the job:
I get the feeling Techradar really don’t want us not to opt-in. Again, the primary action leads us to opt-in, and the alternative is very confusingly labelled. Presumably, ‘Leave’ means leave the website? But I do want to read the article. Techradar have put me in a situation where it seems I have to accept cookies in order to use the site. Let’s see what happens if you do click ‘Leave’, though. Ah, success! Sort of:
At least the text here is clearer, and Techradar are honest about why they don’t want you to use an adblocker. Incidentally, we’d need to change our more straightforward banner:
We can share your anonymised browsing history with advertisers so you get tailored adverts. We rely on the money we get from tailored adverts to pay our journalists. Please share your data → and turn off your adblocker.
This is an easy one. We’ll continue with our adblocker, thank you. And we’re there. Of course, this being Techradar, we get a popover for our troubles:
Are Techradar complying with GDPR?
Technically speaking, Techradar are getting explicit consent to collect visitor data. They’re obviously not operating in the spirit of the regulations, but I also think they’re in breach in at least two areas:
- They make it seem as if you can’t use the site unless you opt-in. According to the ICO website, you have to ‘Avoid making consent to processing a precondition of a service.’
- On the same page, the ICO says you must ‘Be clear and concise.’ Although this is a subjective requirement, I can’t see how anybody could interpret this process as clear and concise.
Bearing in mind the murky history of online advertising, and some sites’ reliance on it as a source of income, it’s depressingly inevitable that organisations will find ways to get round the new regulations. The only way GDPR will achieve what it set out to do will be through prosecutions. If they don’t prosecute, people will just click or tap ‘Accept’ and the online advertising industry will carry on as before, while claiming it’s doing the right thing. I’m skeptical. If you’ve any interest in privacy and you’d like to keep websites fast, make sure you’re using a browser that puts you in control of trackers and cookies, and use an adblocker. Firefox (or, better still, Firefox Focus on a mobile) is the obvious choice.