
I get that too many regulations is a bad thing. But when we talk privacy and personal data there should be no gray zone. It has to be black and white. When I see a stupid cookie banner I search for "Reject all". There's no some data that companies can collect and process without my consent, they just shouldn't be able to collect anything without me actively opting in. Business never respects anything, but profits. Seeing news about relaxing these laws with the "AI" going after this leaves a bitter taste. And with them also trying to push the Chat Control thing, it gets even worse.


I've stopped thinking of regulations as a single dial, where more regulations is bad or less regulations is bad. It entirely depends on what is being regulated and how. Some areas need more regulations, some areas need less. Some areas need altered regulation. Some areas have just the right regulations. Most regulations can be improved, some more than others.


I strongly agree with this position. This is basically the foundation of Control Theory!

https://en.wikipedia.org/wiki/Control_theory

This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!


> This is like arguing if "heater on" or "AC on" is better, which is a pointless argument. That entirely depends on what the temperature is!

I think the problem here is more that _some_ people want the heater to be on and _other_ people want the heater to be off.


And when it comes to privacy, consumer advocate types and privacy wonks (I include myself in this group) want the heater to be on, and technology companies and advertising companies and all of their hangers-on want the heater to be off.

One group has a lot more money, power, and influence than the other.


And, at least in your example, sometimes you need both at the same time!


It is the perfect and correct antidote to any slippery slope argument. If the consequences of the law turn out to be as bad as you say they will be then we adjust the law.


> they will be then we adjust the law.

Bizarrely horrible approach. A lot of damage would already be done, most importantly changing the status quo is inherently much harder than doing nothing. So going back won’t necessarily be straightforward.

Claiming that “slippery slope” is always a fallacy is a gross misconception and misinterpretation. It varies case by case, very often it can be a perfectly rational argument.

“Let’s restrict democracy and individual freedoms just a bit, maybe an authoritarian strongman is just what we need to get us out of this mess, we can always go back later..”

“Let’s try scanning all personal communication in a non intrusive way, if it doesn’t solve CSAM problems we can always adjust the law”, right.. as if that was ever going to happen.

Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.


> Bizarrely horrible approach

I very heavily disagree here, we aren't doing as much of this as we should be.

Society is too complex of a system to predict what consequences a law will have. Badly written laws slip through. Loopholes are discovered after the fact. Incentives do what incentives do, and people eventually figure out how to game them to their own benefit. First order effects cause second order effects, which cause third order effects. Technology changes. We can't predict all of that in advance.

Trying to write a perfect law is like trying to write a perfect program on your first try, with no testing and verification, just reasoning about it in a notebook. If the code or law is of any complexity, it just can't be done. Programmers have figured this out and came up with ways to mitigate the problem, from unit testing and formal verification to canaries, feature flags, blue-green deployments and slow rollouts. Lawmakers could learn those same lessons (and use very similar strategies), but that is very rarely done.


That's exactly what I meant. Well explained!


In the same post you are arguing for and against "slippery slope".

Either it is possible to easily change law to make it worse ("slippery slope" is valid objection) or changing law is "much harder than doing nothing" ("slippery slope" is a fallacy).


> Some lines need to be drawn that can never be crossed regardless of any good and well reasoned intentions.

Too late. We already let the government cross the lines during Covid with freedom of movement and freedom of speech restrictions, and they got away with it because it was "for your protection". Now a lot of EU countries are crossing them even more also "for your protection" due to "Russian misinformation" and "far right/hate speech" scaremongering, which at this point is a label applied loosely to anyone speaking against unpopular government policies or exposing their corruption.

And the snowball effect continues. Governments are only increasing their grip on power (looking enviously at what China has achieved), not loosening it back. And worse, not only are they more authoritarian, but they're also practicing selective enforcement of said strict rules with the justification that it's OK because we're doing it to the "bad guys". I'm afraid we aren't gonna go back to the levels of freedom we had in 2014-2019, that ship has long sailed.


The libertarian approach to COVID would be that infecting someone is assault and you are justified in shooting someone who is trying to do that.


Nothing is more permanent in politics than a temporary solution. As a Norwegian, for example, I am still paying a temporary 25% on all spending that was enacted as a "temporary" measure over 100 years ago.

Control Theory does not work (in the general) for politics for the simple reason that incentives are misaligned. That is to say that control theory itself obviously works, but for it to be a good solution in some political context you must additionally prove the existence of some Nash equilibrium where it is being correctly applied.

Edit: See https://www.youtube.com/watch?v=rStL7niR7gs (CGP Grey - Why Do All Governments Work the Same Way?)


As a counterpoint to the selectorate theory, see Thorsen's PhD dissertation, "Only In It for Power and Wealth?", https://politica.dk/fileadmin/politica/Dokumenter/Afhandling...

The thesis argues that dictators regularly both harm groups clearly inside the winning coalition, and please groups clearly outside of it. A common, but not the only reason, is ideology.

One has to be careful when using game-theory models on messy human entities. Sometimes it works, sometimes it doesn't, and it's hard to determine just at what point the model breaks down. At least without empirical research.

(Another example is that actual negotiation outcomes rarely end up at the minimax or Nash product equilibria that game theory sequential negotiation concepts would suggest.)


> If the consequences of the law turn out to be as bad

This is the usual "the market will regulate itself" argument. It works when the imbalance arises organically, not so much when it's intentional on the side with more power and part of their larger roadmap.

The conflict of interest needs to be accounted for. Consequences for whom? Think of initiatives like any generic backdooring of encrypted communication but legislators are exempt. If legislators aren't truly dogfooding the results of that law then there's no real "market pressure" to fix anything. There's only "deployment strategy", roll out the changes slowly enough that the people have time to acclimate.

Control theory doesn't apply all that well to dynamical systems made entirely of human beings. You need psychohistory for that.


Reminds me of the book Thinking in Systems.

Thanks for the link.


So, you do think “useCase.regulation” being a single dial. It’s a pretty reductive framework. I have an easier framework where in 90% of cases current law was already good enough and we don’t need to tweak that dial


The road to hell is paved with “good enough”.


Is the road to nowhere paved with "perfect"?

Perhaps not when it comes to matters like these.


That’s why you aim for at least actually good or even excellent, not mediocrity.


It's a funny thing to say because the popular saying you're modifying says the exact opposite.


In practice, “good enough” is rarely actually good enough.


Regulations are like lines of code in a software project. They're good if well written, bad if not, and what matters more is how well they fit into the entire solution


A major difference with regulations is there’s no guaranteed executor of those metaphorical lines of code. If the law gets enforced, then yes, but if nobody enforces it, it loses meaning.


The worst possibility is selective enforcement.


There's a reason we call them judges. Selective enforcement is there for a reason. Lawmakers can't anticipate everything. Just look at how bad of an idea zero tolerance policies in schools have been with things like getting expelled for biting a sandwich into the shape of a gun.

The world isn't black and white. Flexibility, including selective enforcement, is necessary in a just system.


The reason that selective enforcement exists is that it is very hard to avoid having rules selectively enforced.

But the history of selective enforcement strongly suggests that it does not usually lead to just results. It is often instead something that unaccountable officials find themselves easily able to exploit for questionable purposes.

For a notable example, witness how selective enforcement during the War on Drugs was used to justify mass incarceration of blacks, even though actual rates of drug usage were similar in black and white communities.


You’re arguing that the mass incarceration of more people would have been better?


Yes, I would argue that it would be better for more to have been incarcerated, for that would bring greater focus to injustice and the law would be changed. Selective enforcement interferes with the feedback mechanism that would otherwise make the law work better.


If a law were to mass incarcerate people from affluent white neighborhoods it would be quickly repealed


Actually it would have never been passed. Nixon started it as a way to put blacks in their place.


Any instance of selective enforcement being necessary is ipso facto evidence of a bad law. This is completely orthogonal to the matter of the world not being black and white - you're right, it's not, but a good law recognizes that fact, and laws can also be amended as needed.


> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.

All laws are in some degree bad; perfect laws do not exist.

Some laws are useful and produce more good than harm in the concrete situation in which they exist.

Should laws be improved where possible? Yes. Does the need for selective enforcement indicate a problem? Yes. Does it provide sufficient information to determine the precise form of a better law to replace the one it shows a problem with? Very rarely.


> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.

By that measure every law is a bad law.


Legislation is much worse than organically derived common law, for the common law comprises decisions that apply to particular conditions with all their details while the former are mere idealizations.


> Any instance of selective enforcement being necessary is ipso facto evidence of a bad law.

Yep, and while we fix that bad law we need judges to be able to say "I won't apply that" or "I won't sentence you to jail for this". That's kinda the point.


That's what jury nullification is for, in principle.

Allowing judges to not enforce bad laws turns them into unelected legislators. It's also worse from a corruption perspective because a single bought judge in the right place is much more cost effective than having to buy a new randomly selected jury at every trial.


If the law is code, then law enforcement is a JITter

(joke)


Optimised compiler makes sense though.

Unenforceable laws go unenforced, undefined behaviour is undefined and varies based on compiler (law enforcement agency or officer).


A jitter is like a lawyer on retainer. Law enforcement is more like the OS that segfaults you when you fail to follow the lawyer's advice.


Law enforcement is more like a toddler holding a glass of water over your CPU and saying "stop transistoring!"


Not only in the executive/enforcement, but in the actual impact of the regulation in practice as applied by millions in a distributed system. Regulations influence decision paths as opposed to encoding deterministic code paths.


The problem with laws that both the enforcer and the subject (enforcee?) agree are bad, is that enforcement is variable. And that leads to corruption. Every damn time.


The fix for corruption is vote the bums out of office. It is not to go whole hog into blind application of the law.

Think about how hard it is to write code that has no bugs. Now imagine you're using English and working with a system with so many parameters and side effects that you can't possibly anticipate all eventualities.

And now you want to rigidly apply your operators to this parameter space?

Selective enforcement is necessary for justice, because no law is perfectly just, and selective enforcement helps move toward justice.

It unfortunately also means there is the eventuality of corruption. So you just have to keep vigilant. Because a rigid system with no selective enforcement has no fix for injustice other than "live with it."


> The fix for corruption is vote the bums out of office.

That doesn’t seem to be working.

I argue there’s an acceptable level of corruption, only the particular flavours change from time to time.

Come out of government better off than when you went in. Fine, good on ya. No need to tell us about how you’re going about it while you’re going about it.

Learn to be at least a little bit discreet, and at least do something occasionally that comes across as good for the average person.


Bad law enforced perfectly is also undesirable.


I'm not convinced. Perfect enforcement would be a great signal exposing bad law much more clearly, so it can be rewritten/scrapped.


Sure, but what about those who got hit by that bad law in the meantime?


Usually laws are created because of the people being harmed because the law doesn't exist. So it could go either way.


Until a bad law takes your friends and family out of the gene pool.


And lines of code is like the mass of an airplane.


Just put all code on one line then. Statements (or tokens) is what matters.


In general you want as few as possible of both.


You could also optimize everything for future updates that optimize things even further for even more updates...

Humm.. that was supposed to be a joke but our law making dev team isn't all that productive to put it mildly. Perhaps some of that bloat would be a good thing until we are brave enough to do the full rewrite.


this is wrong for the same reason using single letter variable names to keep things concise is usually wrong.

i’d rather something a bit more verbose and clear than cryptic and confusing. there are many actors in the world with different brains.


that's right. This is the reason all my code looks like an entry to PerlGolf. /s

The world's complicated. "Every complex problem has a solution which is simple, direct, and wrong"

Simplicity is a laudable goal, but it's not always the one thing to optimize for.


Ah, but "simplicity" is not necessarily "fewest lines of code".

Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.

(Of course, that's the normative ideal. In practice, the limits of compilers sometimes require us to appease the architectural peculiarities of the machine, but this should be seen as an unfortunate deviation and should be documented for human readers when it occurs.)


This is just a belief about code, and one of many. Another belief is that code and computer systems are inseparable, and the most straightforward and simple code is code that leverages and makes sense for its hardware.

As in, you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware. So, you are then forced to design around the hardware without knowing that's necessarily what you're doing.

Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.

People keep building distributed systems because they don't understand, and don't want to understand, hardware. They want to abstract everything, have everything in its own little world. A nice goal.

But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.


As soon as you start developing web sites/applications, you are entering distributed systems.


> code and computer systems are inseparable and the most straightforward and simple code is code that leverages and makes sense for its hardware

You're missing the point. Code is separable from hardware per se, even if practically they typically co-occur and practical concerns about the latter leak into the former. The hardware is in the service of our code, not our code in service of the hardware. Targeting hardware is not, in fact, the most straightforward option, because you're destroying portability and obscuring the code's meaning with tangential architectural minutiae and concerns that are distracting.

> you can pretend hardware doesn't exist but that doesn't actually change anything about the hardware

You're mischaracterizing my claim. I didn't say hardware doesn't matter. Tools matter - and their particular limitations are sometimes felt by devs acutely - but they're not the primary focus.

My claim was that code is PRIMARILY for human consumption, and it is. It is written to be read by a person first and foremost. Unreadable, but functioning code is worthless. Otherwise, why have programming languages at all? Even C is preposterously high-level if code isn't for human consumption. Heck, even assembly semantics is full of concepts that have no objective reality in the hardware, or concepts with no direct counterpart in hardware. Hardware concerns only enter the picture secondarily, because the code must be run on it. Hardware concerns are a practical concession to the instrument.

So, in practice, you may need to be concerned with the performance/memory characteristics of your compiled code on a particular architecture (which is actually knowledge of the compiler and how well it targets the hardware in question with respect to your implementation). Compilers generally outperform human optimizations, of course, and at best, you will only be using a general knowledge of your architecture when deciding how to structure your implementation. And you will be doing this indirectly via the operational semantics of the language you're using, as that is as much control as you will have over how the hardware is used in that language.

> Exhibit A: distributed systems. Why do people keep building distributed systems? Monoliths running on one big machine are much simpler to handle.

In principle, you can write your code as a monolith, and your language's compiler can handle the details of distributing computation. This is up to the language's semantics. Think of Erlang for inspiration.

> People keep building distributed systems because they don't understand, and don't want to understand, hardware.

Unless you're talking about people who misuse "Big Data" tech when all they need is a reasonably fast bash script, that's not why good developers build distributed systems. Even then, it's not some special ignorance of hardware that leads to use of distributed systems when they're not necessary, but some kind of ignorance of their complexity and an ignorance of the domain the dev is operating in and whether it benefits from a distributed design.

> But in actuality, abstracting everything is very hard. And the hardware doesn't just poof disappear. You still need network calls. And now everything is a network call. And now you're coordinating 101 dalmatians. And coordination is hard. And caching is hard. And source of truth is hard. And recovery is hard. All these problems are hard, and you're choosing to do them, because computer hardware is scary and we'd rather program for some container somewhere and string, like, 50 containers together.

This is neither here nor there. Not only are "network calls" and "caching" and so on abstractions, they're not hardware concerns. Hardware allows us to simulate these abstractions, but whatever limits the hardware imposes are - you guessed it - reflected in the abstractions of your language and your libraries. And more importantly, none of this has any relevance to my claim.


> Code is first and foremost for human consumption. The compiler's job is to worry about appeasing the machine.

Tangentially, it continues to frustrate me that C code organization directly impacts performance. Want to factorize that code? Pay the cost of a new stack frame and potentially non-local jump (bye, ICache!). Want it to not do that? Add more keywords ('inline') and hope the compiler applies them.

(I kind of understand the reason for this. Code Bloat is a thing, and if everything was inlined the resulting binary would be 100x bigger)


`inline` in C has very little to do with inlining these days. You most certainly don't need to actually use it to have functions in the same translation units inlined, and LTO will inline across units as well. The heuristics for either generally don't care if the function is marked as `inline` or not, only how complex it is. If you actually want to reliably control inlining, you use stuff like `__forceinline` or `[[gnu::always_inline]]`.

Regarding code size, it's not just that binary becomes larger, it's that overly aggressive inlining can actually have a detrimental effect on performance for a number of reasons.


Modern cpus are optimized for calling functions. Spaghetti code with gotos is actually slower.


I disagree with this otherwise seemingly reasonable position. Draghi's latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course, Draghi's report has led to nothing more than a few headlines.


That 50% figure seems extremely dubious. I'd expect either methodological failures, or a definition of "costs" that I disagree with (e.g. fair-competition regulations preventing price-hikes, "costing" EU companies the profit they could obtain from a cartel). However, skimming the report (https://commission.europa.eu/topics/competitiveness/draghi-r...), I can't find the 50% figure.


> Mario Draghi has argued that the EU's internal barriers, which are equivalent to a high tariff rate, cost more than external tariffs. He has cited IMF estimates that show these internal barriers are equivalent to a 45% tariff on manufactured goods and a 110% tariff on services. These internal market restrictions, which include regulatory hurdles and bureaucracy, hinder cross-border competition and have a significant negative impact on the EU's economy.

Source: https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-...


Sure, someone argues something. Who knows if it's right or wrong? It's not a hard science.

How do you estimate the cost of regulations on businesses? You ask businesses. Businesses have absolutely zero incentive to say that regulations are not bad. "Just in case", they will say it hurts them.

That is, until there is a de facto monopoly and they can't compete anymore, and at that point they start lobbying like crazy for... more regulations. Look at the drone industry: a Chinese company, DJI, is light-years ahead of everybody else. What have US drone companies been doing in the last 5+ years? Begging for regulations.

All that to say, it is pretty clear that no regulations is bad, and infinitely many regulations is bad. Now what's extremely difficult is to know what amount of regulation is good. And even that is simplistic: it's not about an amount of regulation, it depends on each one. The cookie hell is not a problem of regulations, it's a problem of businesses being arseholes. They know it sucks, they know they don't do anything with those cookies, but they still decide that their website will start with a goddamn cookie popup because... well because the sum of all those good humans working in those businesses results in businesses that are, themselves, big arseholes.


> Businesses have absolutely zero incentive to say that regulations are not bad.

Your overall point is solid, but I'd like to add what I think is another reason that businesses could desire regulation. You're right that a dominant business can use its political power to "regulatory capture" its market and prevent new entrants, but I believe this isn't limited to uncompetitive markets.

Regulation can also prevent "arms races" by acting like explicit collusion. A straightforward example is competitive advertising in a saturated market, like cigarettes. Under the rough assumption that cigarettes are all equivalent and most potential smokers already smoke, then competitive advertising cuts into the profit margin, and companies have to participate or lose out. If you ban advertising then it's as if the bosses all got together and agreed not to compete like that. See e.g. https://pubmed.ncbi.nlm.nih.gov/31547234/


The number of regulations is not as important as the quality of those regulations.

Shame we can’t regulate the quality of regulations.


The US actually has done this very thing since Reagan: https://ballotpedia.org/Presidential_Executive_Order_12291_(...

That's an executive order (regulation) requiring proposed regulations undergo a cost-benefit analysis before being promulgated.

It's why we got mandated backup cameras in cars: the cost-benefit analysis revealed the cost to have these in every new car was dwarfed by the cost in human lives of all the kids who were being run over in driveways bc they weren't visible behind cars.


Right, but that's a follow on to regulations about increased rear and side sill heights for occupant protection, and that's a follow on from increased vehicle sizes, and that's a follow on from commercial vehicles being sold to the general public instead of regular passenger vehicles due to tax breaks, etc.


That's actually pretty cool.

I was somewhat disappointed, however, to see that this applies only to "major rules" from "executive agencies" and as such doesn't seem to apply to an executive order. There would have been some recursive satisfaction to see EO12291 itself tested by its own standard.


That article does contain the correct answer, so thank you very much for finding it, although the passage you've quoted is ChatGPT gibberish not in the source given.

Per https://iep.unibocconi.eu/europes-internal-tariffs-why-imfs-..., the model treats shopping local as evidence of the existence of a trade barrier, as opposed to a rational preference based on cultural and environmental considerations. This is why the numbers are ridiculously high. (Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?)


> Is there a 120% implicit tariff for textiles? Or do people just prefer warm clothes in the north and breezy clothes in the Mediterranean?

There's no reason to expect the warm clothes to be made in the north and the cool clothes to be made in the south.


At scale, no. But when very small there is a reason that people from Norway made rain jackets, and the brand cachet follows that too.

European people also still have a much stronger national identity than a European identity, especially compared to the US with state vs. country level.


Languages are the biggest trade barrier in the EU.


Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.

The translation infrastructure is huge, and reasonable-quality machine translation⁰ has been freely available for years now.

I don't mean to refute your experience, but I am surprised by the claim, because it's really not what I've seen here. Could you give some more detail on what you mean?

⁰ EU procedure means there are some notable absences in the list, but it's pretty comprehensive once you include citizens' second languages. See https://european-union.europa.eu/principles-countries-histor...


> Where? When there's not a more obvious choice trade is done in English, packaging usually has multiple languages (which are often mutually comprehensible with other nearby languages) and your instruction booklets and regulations are given in the 24 official languages. Sure not every country has a good standard of English, but even France seems to be able to get by.

All of this is correct, and that's why the single market for goods (except for booze and tobacco) has been such a massive success. However, lots of growth (particularly in the US) comes from services, and for this, languages matter a lot more.

Sure, lots of continental Europeans speak multiple languages, but the vast discrepancies in languages and regulations (insolvency, capital markets etc) means that there are dis-economies of scale in the EU. Like, there's a reason that companies start selling in their home market and then move directly to the US.

A common language can't be assumed across the EU, while other large blocs (China, US) can make this assumption which is important for services trades in particular, as well as bespoke goods trade.


Ah, you're absolutely right. Only when reading your comment did I realise that I'll often go to the UK for some human-mediated service I need in English.

(This despite Ireland and Malta having it as an official language, and the Nordics often having better English skills than natives.)


> go to the UK for some human-mediated service I need in English.

Come to Ireland, we have Guinness!


Murphy's is clearly superior


I mean, clearly Beamish is actually superior (mind you, I'm from Cork so I'm legally required to make this distinction ;) ).


Dowtcha biy!


Seems pretty real. E.g. CRA official impact assessment estimates one-time (in addition to ongoing costs) compliance cost at €500K per one product. That is enough for 10 man years per product.

And that is just one of many new regulations.


I agree if we look at what has happened to the EU over the last 2 decades the costs have to be much higher. 50% seems optimistic at best for how far behind the EU has gotten.


should you filter out the covid era from that?

costs have gotten higher, but across the board for different countries


I’m not saying the following regarding Draghi’s report or particular regulation in mind:

If an unethical business gets started due to underregulation and it generates revenue and contributes to GDP, is that a good thing?


That depends, are the people who are negatively impacted aware, and able to do anything about it?

There are some "mosquito" businesses that imho provide no net value and we'd be better off if they didn't exist (c.f. Bastiat's window breaker⁰). For example; payday loans, gadget insurance, MLMs, f2p games. The trouble is that there is an apparent need they're meeting, and nobody wants to "destroy jobs" or even worry too hard about exploiting the vulnerable.

Even if I were emperor and believed these businesses were unjustifiably bad, I'd be worried about the authoritarian consequences of shutting down the less egregious ones. I'd also hope to have the humility to entertain the idea that I don't understand their full benefits.

In conclusion I think it's bad to have unethical businesses, and that even if they make the indicator go up, they are probably a net negative on the economy and society. However, I don't know what's to be done about it.

⁰ https://en.wikipedia.org/wiki/Parable_of_the_broken_window


Pay day loans are generally good _for the borrower_ - they aren't just window breaking. The consequences of missing an important payment can be way worse than the high interest on the pay day loan, e.g. if you don't pay for a course in time, they disenroll you and you no longer get to take the course; if you don't pay rent in time, you might get eviction proceedings filed against you; if you don't pay for your car repairs the garage will not return your car and you will lose time every day taking public transport.


I won't argue that the availability of payday loans (or any other product) is a net positive for the rational consumer. I'd still be willing to bet that (ceteris paribus) a society like the ones we live in is better off without them than with.

(Coda: You might say that's impossible, and local loan sharks will spring up to meet the need. That's probably true, but at least those guys merely break your legs, rather than advertising incessantly on daytime tv.)


If the net social cost is less than the cost from overregulation, yes


Lmao you can’t be serious. This is something that can only be said if you can’t/won’t quantify social cost.

Deregulated gambling has had a horrible impact on individuals. Repealing Glass-Steagall led to a global financial crisis. Gig economy businesses are exploiting workers by the thousands through self employment loopholes. We have insane monopolistic pricing and practices in the US in eg the telecom industry. Worst of all is that we’ve likely doomed the entire planet based on what is effectively too little environmental regulation.


>Deregulated gambling has had a horrible impact on individuals.

Yes, but gambling and all vices for that matter, are a centuries old issue that's well studied and well understood by everyone, while AI (hate that term in this case) LLMs are only an issue since November 2022, while most influential politicians are dumbass boomers who don't understand how a PC or the internet works let alone how LLMs work but yet are expected to make critical decisions on these topics.

So then it's safe to assume that the politicians will either fudge up the regulations due to sheer cluelessness, or they will just make decisions based on what their most influential corporate lobbyists will tell them. Either way it's bad.


ML and other automated systems are not new, and we know enough about automated systems to come up with regulations like "no, you should not use these in a certain set of specific circumstances" or "if you're unleashing this onto the world, you have to show that you understand what you're doing" etc.


>ML and other automated systems are not new

Let's not be overly pedantic and overly pious on petty semantics like that. It was clear from my original comment, the context of what I was talking about.


Even for LLMs the same thinking applies.

E.g. "if a decision cannot be explained by a human, it should not be done by a machine" applies to them, too.

Basically, if you read the EU AI Act for example, it's hard to find anything you'd disagree with regardless of whether it's about ML, LLMs or three if statements in a trench coat.

Of course the industry is up in arms about it (just like GDPR)


> Gig economy businesses are exploiting workers

Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.

> insane monopolistic pricing and practices in the US in eg the telecom industry

It's actually regulations deterring competition in telecom that are responsible for those practices.

It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.

> too little environmental regulation

In China. You forgot "in China". That is where most of that planet dooming is happening. Good luck promoting environmental regulation there.


> Actually, around here they are giving a second chance to people whom over-regulation of the work market made too expensive to hire.

Over-regulation being what, minimum wages? Coverage for basic social safety nets? ‘Cause that’s what we lost.

> It goes like this: (well intended) regulation => raise price of doing business => fewer startups => less competition => incumbents enjoying practically monopoly => incumbents behaving like monopolistic a-holes.

Bell system was broken up into seven different companies, thanks to regulation. It’s _lack_ of regulation that let telecoms merge together into behemoths. There _are_ small ISPs and telecoms in the US, they just can’t compete due to the size differential.

> In China. You forgot "in China". … Good luck promoting environmental regulation there.

Right, let’s jump for a Tu Quoque. China is destroying the planet so who cares what we do ¯\_(ツ)_/¯

I’m not blind to the existence of plain bad regulation, regulatory barriers and capture — but the overwhelming majority of these arguments have just been used to make regular people’s lives’ worse.

“Cheap housing isn’t being built in the UK because regulation makes it more expensive!” -> remove regulations -> there’s still no cheap housing but anything from 1990s onwards is now also badly built.

As a construction developer I’m sure I’d say there’s still too much regulation though. Gotta bump those margins.


> Over-regulation being what

One easy example is regulation making it hard to fire people. Then, naturally, firms will hire just as hard. The tradeoff is thus between a healthy, fast, dynamic and competitive job market with plenty of opportunities but with job insecurity and - fewer jobs, smaller salaries but the lazy unproductive bum slowing everybody down is now impossible to get rid of.

Yes, minimum wage is another. In effect it makes people whose work is worth less than the minimum wage - legally unemployable.

> Bell system

Bell system was a monopoly thanks to government regulation in the first place. The government actually passed a law that made it illegal to connect a 3rd party telephone to Bell's network!

Yes, you need more regulation when your regulation f'd up a market. In free markets competition keeps market participants honest and even breaks monopolies. This is why one of the first regulations incumbents lobby for is meant to deter competition.

> Cheap housing isn’t being built in the UK

I do not live in the UK, but I am willing to bet everything that there is still a ton of regulation stopping building there. Last summer I visited London during a heat wave. We were sweating in our AirBnB, complained to the owner but he answered that he couldn't install an A/C because he wasn't allowed to change the building facade...


It's not just China. It's everybody.


The logical extreme there is legalizing murder for hire, human trafficking, and a bunch of other crazy stuff.

Privacy is in a different category altogether, but there's more to think about than just how much things cost companies.


That's a straight up slippery slope logical fallacy.


We’ve had “legitimate” for-profit firms supplying authoritarian governments with phone malware that they allegedly used to spy on and sometimes murder their dissidents. The slippery slope isn’t a fallacy, we’ve seen what happens if it isn’t guarded.


That's technically true, but I was using it to prove my point that there's more to think about than company profits.

Maybe I should have used dumping waste in a river and paying workers below minimum wage as examples. Profits could go up, but most people would agree it should still be illegal.


>latest report pointed out that overregulation is a major problem in the EU and costs EU companies the equivalent of a 50% tariff (if I remember correctly). Of course.

Normally I'm against overregulation, but when it comes to privacy, more fines for big corps are needed if ANY violation is found. Rather NOT have AI than compromise on privacy.


"I'm against overregulation, but when it comes to privacy"

Our ancestors survived perfectly fine with telephone directories dropped at every house for free which contained everyone's name and address.

Are you sure someone knowing your address is that bad?


How about "we store your precise geolocation with all associated device ids, travel and purchasing habits across all areas of your life for a decade and sell it/share it with thousands of other entities"? https://x.com/dmitriid/status/1817122117093056541

It's no longer just "your home address".


>Our ancestors survived perfectly fine with telephone directories dropped at every house for free which contained everyone's name and address.

Yeah but our ancestors also didn't have the amount of processing power that the current big corps have. Constraining what personal data big corps can collect is beneficial for average users in the current day and age.


Interesting that you have privacy so high on your list of priorities. The general public usually considers other small things like "cost" and "convenience" when thinking about privacy.

Most of us actually don't mind losing a little privacy to read a news article when faced with the alternative of paying money or that news website ceasing to exist at all.

But, hey, keep pushing your warped privacy sense onto all of us, I am sure you are right.


Define "small amount of privacy". Is this a small amount: https://news.ycombinator.com/item?id=45992452?

BTW, when presented with clear non-dark-pattern choice 96% of people opt-out of "losing a little privacy": https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...


> Define "small amount of privacy".

There is no universal measure for that, only each individual can answer the question for herself. GDPR is robbing people of that chance though.

> Is this a small amount

For me, yes. I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.

> 96% of people opt-out

I bet they would choose very differently when the alternative is to pay or stop using the product. Just look how many people use privacy-destroying fidelity cards in supermarkets for some measly discounts.


> GDPR is robbing people of that chance though

How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".

> I already have a device in my pocket reporting my exact location to a private company at all times and I accepted that a long time ago.

There's a difference between "one company" and "thousands of companies". And yes, there's an expectation that the company doesn't sell that location data which even in the US results in lawsuits: https://www.reuters.com/legal/litigation/us-court-upholds-ve...

> I bet they would choose very differently when the alternative is to pay or stop using the product.

False dichotomy. You don't need 24/7 surveillance to show ads or monetise products.


> How exactly? GDPR is quite literally "you can ask people for their consent to give you their data".

Patently untrue. Under GDPR you are not allowed to withhold your services from users refusing to give you "their" data. Their opt-out costs them nothing.


Nope.

This is what you pretend to care about: "There is no universal measure for [what small amount of privacy constitutes], only each individual can answer the question for herself."

What you actually want (and what actually happens): "users are given no privacy whatsoever and every single scrap of user data has to be siphoned off and sold to the highest bidder, and the false alternative should be for users to pay to preserve their privacy". That is basically what Facebook is arguing.

So. First you define what "small amount of privacy" is, and put a price on that. And then present users with a choice. Or skip the pretence.


I'm happy to burden EU companies with responsibilities like securing storage of my private data, having processes to update and delete my data, having to consider whether data collection can be minimized, and getting my consent if they want to repurpose or sell the data they've collected.

It would be much cheaper and pro-business to let them collect everything and secure nothing.


Ok let’s take this at face value. Not being able to use child labor is a 40%+ tariff.

What have we gained by framing it as such other than an extremely biased take pro unregulated business?


Such unhinged takes are one of the reasons EU has fallen behind so much. Nobody is arguing for child labor. We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.

Yeah, regulation generally tries to do good but that is going to be little consolation when EU's economy will go broke because all products and services we consume are built in less-regulated territories (USA and China to be specific).


> We are just fighting for the right to build startups without worrying about reading hundred-page regulation manuals and having to hire "compliance officers" before even turning a profit.

Oh no. How are you going to build your new ChatGPT wrapper without selling user data to thousands of "privacy-preserving partners"?

GDPR (and a very small number of other applicable regulations) are somewhere between place 1000 and 1500 of things that hinder startups. And unless you are a complete moron those regulations will maybe apply to you when you reach 10 million+ users.


> GDPR [...] somewhere between place 1000 and 1500 of things that hinder startups.

No. GDPR was presented as a company ending regulation. You make a mistake - you are doomed. The fines are in revenue percentages. User data was said to be "toxic". You touch it, you better know what you are doing or else.

This kind of regulation has a strong chilling effect on the budding founder. Countless web-startups were never created because the most common monetization model (ads) became basically illegal (for European startups only, US/Chinese competitors kept enjoying full freedom).

> and a very small number of other applicable regulations

But it's not a small number. And regulations have a cumulative effect. See, startups are like distance running. You know it's a hard thing, but you believe you can try to do it. But then regulations are like potholes. You run around a few, but the more potholes to avoid the harder the run, until your main job turns from running to avoiding potholes. Then you simply say "why bother" and give up.

The more regulations you have, the more obstacles you put in front of startups, the fewer young people choose the entrepreneur path and decide to just get some bureaucratic job instead.

This is the tragedy we are living in the EU right now, in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.


> No. GDPR was presented as a company ending regulation.

Bullshit

> You make a mistake - you are doomed. The fines are in revenue percentages.

Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations without telling me

> This kind of regulation has a strong chilling effect on the budding founder.

A moron who gets their advice from ads industry, sensationalist headlines and HN? Perhaps.

> But it's not a small number.

It is.

> The more regulations you have, the more obstacles you put in front of startups

GDPR is not an obstacle. It quite literally is "do not scrape user data and sell it to third parties without user consent".

> in the clapping of bureaucrats who never built a product or service in their entire life and do not understand what those damn entrepreneurs are complaining about.

Yeah, "entrepreneurs" complain about a lot, and then make a surprised pikachu face when they are told in no uncertain terms that no, sending precise geolocation data to third parties to store for 12 years is not okay: https://x.com/dmitriid/status/1817122117093056541


> Tell me you didn't even read a line of GDPR in the past 9 years or know anything about European regulations

As a matter of fact, I am the founder&owner of a small ISV (nothing ad, privacy, crypto or AI-related) in the Eastern EU. Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.

How about you?


(long time no reply due to hitting HN's rate limit)

> Everything I am telling about European regulations comes from dozens of years of direct, painful, personal experience.

Strange that you then spew absolute bullshit about GDPR.

> How about you?

I've worked in large multinational corporations (banking, streaming) that were "hit" with GDPR and spent several years making sure they are compliant. Not because GDPR is bad, but because no one really cared about the data collected, and where it ended up. [1]

Startups had it and have it easy since they can just not siphon all the data. Especially now, when you have all the tools to handle data properly. Hell, a decade ago you couldn't even get privacy-preserving analytics. Now you're drowning in them.

We're also preparing to launch a few (admittedly small scale) projects with friends, and what do you know? GDPR is the absolute last thing that even bothers us. You know why? We know what data to collect and for how long to store it, and we're not sending that data to thousands of "privacy-preserving partners".

"Company-destroying fines" boogeyman or whatever other "chilling effect" bullshit belongs in the mind of children and morons. Hell, I've seen banking regulators come, list issues, and give a deadline to fix them. Much less GDPR.

[1] That's not entirely true. Payment and payment-adjacent regulations are significantly more stringent than GDPR, so everything related to that was and is extremely serious. As anything related to things like "data of persons under state protection". It's never black and white.

However, in big companies, especially at the time, you would eventually end up with a lot of data duplicated across many systems, often barely connected. 10 years ago cleaning up that mess required companies to reverse engineer and document 10-15 years of bad/hasty/adhoc decisions and assumptions. Surprisingly often that resulted in just retiring certain internal microservices wholesale (they just were no longer needed) and/or significantly reducing bandwidth and storage requirements in certain cases (because you no longer carry and store heavy duplicate objects around).

So the main opposition to GDPR came not from "poor chilled startups", but from companies like Facebook and Google who rely on 24/7 surveillance exclusively, ad industry, and large corporations who didn't want to deal with cleaning up internal messes.


One of the problems with regulation is that politicians "understand" complex systems like computers or software or "the platforms" almost entirely by way of analogy. Yet at the point of actually introducing rules about (for example) tracking or what happens to your data, you need to throw away analogy entirely and start talking and thinking (and implementing) not an analogy but what the thing _actually_ is. Rarely do they resolve down to this last stage where you move from analogy to how things really work, or might work. I see this everywhere I have touched government and regulation over many years.


But how do you actually do that?


I think the real question has to be: how do we determine what the regulations should be. Today, regulations are typically the product of dysfunctional political processes, and, no surprise, a lot of those regulations are unhelpful and a lot of helpful regulations are absent.


When we let the market bubble-up protective conditions through buyer behavior, we advantage innovation at the cost of accepting more harms, because the market response is always reactive instead of proactive, and the reaction can sometimes take decades or more (like GHG emissions and global warming).

When we let structural regulations assert protective conditions on a market, we try to advantage proactive harm reduction at the cost of innovation, because artificial market limitations will be barriers to innovation and create secondary game conditions that advantage some players.

Which way we lean should depend on the type and severity of potential harms, especially with consideration of how permanent or non-reversible those harms are.


I like this post. I was recently talking to a friend about using surveillance to improve recycling rates. The purpose of the discussion was not to advocate for more state-sponsored surveillance, but rather to imagine beneficial uses of surveillance. More to your point "more regulations is bad or less regulations is bad": Holy shit: Look at environmental protection laws. Consider the developed world in 1960 to today. The environment is night and day. It is so much cleaner and safer than ever. And, yes, most of those changes came about from regulations. I don't want to go back to a world where I come home from work in New York City and wipe my face clean in the mirror, and the tissue/towel comes away smudged with black & brown from soot in the air. (That is a true story that my mother told me from living in NYC in the 1970s.)


Based take. It is rarely black and white when it comes to social-technical challenges like this.


I agree

People bemoan bureaucracy (which is a totally fair criticism) without understanding its deeper meaning:

Bureaucracy is how it works

That's it. Digital government is also bureaucracy. Applying to YC is also bureaucracy.

Of course the meaning drifted with the times, but it still means that

First definition here https://dictionary.cambridge.org/dictionary/english/bureaucr...


The challenge with regulation is that it's the result of those in charge of a power imbalance being able to decide what is "good" or "bad."

Yes, some regulations will result in outcomes most might want and others may result in outcomes most don't want. In both cases, though, everyone not in power has to accept that they gave up some level of free will in hopes that those in charge will always wield that power well.


[flagged]


Stuff like e.g. ChatControl is also regulations, so no, it doesn't follow at all. If in practice the people doing the regulating don't have your interests in mind, more regulations is indeed bad.


I didn't say

"it's a regulation therefore it's good"

I said

"saying 'it's regulation therefore it's bad' is something bootlickers do"


The regulation good/bad dichotomy has been very effective at reducing the thinking of the constituents of modern neolibs in the US.

On one end we have regulations as part of regulatory capture. Opposite effect of regulations that would help say a small business compete fairly.


Unfortunately politics has become the religion of modernity.

Nuance and sober analysis like you've suggested do not mix well with religious dogma. It's much easier for people to react emotionally to symbols.

For many here, 'GDPR' is a variable that equals 'privacy' in their brain computer. So any criticism of it or its implementation realities, no matter how well argued, will not be met with reasoned response, but instead religious zeal.


>Unfortunately politics has become the religion of modernity.

religion was classically politics. Moses's tablets were Law. the circle of life.


Because both are trying to create a better society. One by internal, the other one by external motivation.


Most criticism of GDPR on HN is a criticism of bad-faith attempts to pretend to comply, many of which are expressly forbidden by the GDPR. It's a well-written, plain English regulation, and I encourage everyone to read it before criticising it. (At the very least, point to the bits of the regulation you disagree with: it should only take around 5 minutes to look up.)


I would call this the religious zeal response, it's been parroted so many times here that it's become fact, even though this is false.

The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long: https://www.enterpriseready.io/gdpr/how-to-read-gdpr/#:~:tex...

And even if it was, being easy to read is not necessarily good when it comes to regulation, because this means there is a WIDE berth for interpretation by court cases and judges. This becomes a shifting target that makes compliance impossible.

For example, you could write a one sentence net-zero law that says "All economic activity in the EU must be net zero by tomorrow."

However, what constitutes economic activity? Is heating my home in the winter economic activity? What if I work from home? What about feeding my children food? What about suppliers and parts from outside the EU? Finished goods vs. raw materials? How will we audit the supply chains on each globally? Who will enforce those audits and how detailed do they need to be? Etc. etc.

To these questions, the religious green fanatics on EcoHackerNews will simply reply: it's actually super easy to comply, you can read it yourself, it's one sentence!


Right, but there's also the competing religious zealots who are ideologically opposed to regulation... like as a concept.

What you need to realize is that of course companies hate regulations. Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.

When slavery was outlawed in the US, you can bet your ass that every single bad-faith recreation of slavery was tried. Many of them highly successful, and some taking over 100 years (yes, really!) to be fixed.

What that means is that, just because a company puts up a cookie banner, or says "this law sucks", doesn't mean you should take that to heart. Of course, to them, it sucks, and it's too complicated, and it's all legalese, and la dee da. They would prefer to hire children, okay? And we know that, for a fact, because they did. So just, grain of salt.

Doesn't mean the law is good either, but just know these are the adversarial forces here.


> Every company, anywhere on Earth, will tell you regulation X is bad. All of them. They will do everything they can possibly do to not have the regulation.

Have you missed all the large AI companies in US loudly demanding and otherwise lobbying for more regulation?

Regulations can be good for companies when you can make sure that they are written in a way that entrenches them against any new competitors.


Big enterprises like regulation because it enables them to capture the market and slow startups down: that's why they invest so much in standardization, for instance.

It allows them to force startups to match their (slow) pace of development.


I'm fine with having regulations about food safety and privacy rather than to give some pretend advantage to the imaginary little capitalist.


I did not say all regulation is bad, just why big companies like it and push for it.


> The full text of GDPR is 261 pages long with 99 articles and 173 recitals. Here's a condensed version and guide to reading the actual passages that matter, still 88 pages long

My feeling is that in 9 years you could read it.

However, I read most of the relevant bits in an afternoon. Most people on HN making preposterous claims about GDPR have never in their life read anything but industry's take on it.

> it's actually super easy to comply, you can read it yourself, it's one sentence!

It's trivial to comply with for the absolute vast majority of companies, you can very easily read it yourself, the bits that are relevant to most businesses shouldn't even take an hour to read.


[flagged]


> Every HN thread about GDPR devolves into this circular argument.

The only reason it devolves into a "circular argument" is that the vast majority of anti-GDPR comments on HN come from people who have never ever read even a single line from the regulation and just parrot the same old "GDPR requires these stupid banners".

> You’ll find zero intelligent engagement here if you bring this up however, because nobody here actually knows what they’re talking about when it comes to Europe’s legal patchwork and its kneecapping effect on the private sector that Europe desperately needs to fund its inverted social welfare liability death spiral.

Yup. And this is the other reason: bad faith word soup that doesn't even pretend to be coherent, mixes up everything together, and goes from non-sequitur to non-sequitur.

So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.


> So. Yes, complying with GDPR is trivial for most companies. No, your yet-another-shitty-startup does not need to sell my precise geolocation data to data brokers to store for 12 years to survive: https://x.com/dmitriid/status/1817122117093056541 And no, it's not a burden not to do that.

this is exactly the attitude of these people

for most legitimate businesses the "pain" of the GDPR consisted of maybe removing Google Analytics from their website

the entire point is to stop the shitty companies (facebook) data harvesting everything they can get their dirty mitts on


Hear hear.

My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.

So I went to the source, and I found it surprisingly easy to read and quite clear.

I think there's a lot of bad faith discussion about the GDPR being complex by people who have a financial interest in people disliking it (or, parroting what someone else said).

Here's the full text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

87 pages and nearly every edge case is carved out. Takes 20 minutes to read.


> 87 pages and nearly every edge case is carved out. Takes 20 minutes to read.

That's some serious speed reading! :-)


20 minutes to “read” 87 dense pages of legalese? Perhaps you meant to say “skim over.”


Perhaps they meant 200 minutes.

Or perhaps they also never read the law they are chiding others for not reading.


Try reading it, it's like 10 sentences per page and plain language.


What is the point of lying about this? Anyone can open up the PDF and see this is an untrue statement.

The text is 56k words, novella length but dry and tedious. This is hours of reading.

I’m not saying it’s unreasonable to read this document if your work involves GDPR compliance. But this is not a quick or easy read.


Maybe I have an advantage because I am natively English and learned to read at a young age, idk.

I’m not lying, why would I provide the source if I was?


It is an outright lie that there are “10 sentences per page”. You can open the PDF and see that this is not even a little bit correct. 10 sentences per page would maybe be appropriate for an Early Reader book. It’s certainly not what we have here.

You also didn’t read 56k words in 20 minutes. This is nonsense, at 46 words per second.


Maybe “statements” is better than “sentences”, but I meant what I meant..

and yes it took 20 minutes, it’s not the dense legalese you’re implying.

it’s just not. unless the dense one here is not the text.

https://imgur.com/D19T8zD


I could suspend my disbelief for a moment and imagine that you are capable of reading 46 words per second. Sure. You happen to read about 10x faster than the average person at 250-300 words per minute. Congrats.

What I cannot believe is that you would in any way imagine that this is normal. Speed readers know that they read faster than other people and do not casually assume others could read The Hobbit in 34 minutes.

So no, I don’t actually believe you read this in 20 minutes, at >4 pages per minute, >46 words per second, and 10x faster than an average reader. Generously I would say you perhaps skimmed the doc in that time.

On the off chance that this is true, again congrats. You should know for the future that your experience reading does not map to the typical person who literally reads about 10x slower than you.


clearly, you haven’t tried reading it.

Jesus Christ, it’s like talking to a brick wall.

The amount of effort I’ve spent replying to you is more than was necessary to understand the entire fucking text.

Every statement is very clear what they’re saying, don’t record what you don’t need, how do you define what you need, make sure personal information can be deleted, what constitutes personal information.

It’s really really really fucking easy, like dude; you’re halfway through a sentence you know exactly what they’re getting at. You finish it anyway in case there’s an exception or something, and it’s never the case that there is.

Whatever… you believe whatever the fuck you wanna believe don’t call me a fucking liar though you cunt.


At no point did I say the law was very difficult to read. I said that your claim that it should take 20 minutes to read is absurd.

That the other replies to you said basically the same should clue you in that this is not realistic for others even if it were realistic for you.

> don’t call me a fucking liar though you cunt.

You could have easily just walked your claim back and said “Okay, 20 minutes is an exaggeration but it’s not a hard law to read”. Instead you repeatedly doubled down and backed yourself into a corner where the only possible options are that you are an ultra speed reader at 10x normal pace or you are a liar.

Not my problem if you don’t like those options.


GDPR is not dense legalese. Start on page 33, read the first 3 chapters and then until bored, start again from page 1 until you reach 33 again, and then read from where you left off: it'll make perfect sense.


> My company had consultants come in to help with GDPR, I left after months of them being hired: more confused than I went in.

Normally one tries to hire lawyers that have read the law and formed an opinion already…


I've never seen anyone here, or elsewhere, displaying a positive opinion on GDPR without readily acknowledging it, or the way it has turned out and is (not) being policed, has many shortcomings.

I have seen people that are fanatical on privacy. Cheers to them!


Well, I see multiple in this thread, one of which is currently adjacent to your comment.

https://news.ycombinator.com/item?id=45986410


> displaying a positive opinion on GDPR

Ok. I hereby do. The only complaint I have is that it isn't enforced automatically and that we often don't have a way to force the worst offenders, because they have the military we rely on on their side.


Thanks for confirming my point with regard to acknowledging shortcomings. :-)


Then I don't get your point at all. You think when I like a law that much, that I say it should be used more, it is a drawback of the law?


Seems like only AI could possibly keep track of all the practically countless variables involved in running human civilization now and keeping everyone happy.


>I've stopped thinking of automobile repair as a single dial, where more automobile repair is bad or less automobile repair is bad. It entirely depends on what is being repaired and how. Some areas need more automobile repair, some areas need less. Some areas need altered automobile repairs. Some areas have just the right amount of automobile repair. Most automobile repairs can be improved, some more than others.

you didn't really say anything


Well you can't just replace a word with a different word and then act like things are the same. If you do choose to do that, you, at the very least, have to explain how 'automobile repair' and 'regulations' are analogous.

Because in my mind, they are not. There are many, many people ideologically opposed to regulation. I've never met anyone ideologically opposed to auto repair, or even just opposed in general.


i could have chosen anything, you choose and do it. he didn't say anything at all.

"i no longer consider these issues to be black and white [riffing on another comment], i now see it more nuanced, where some things need more of something and others need less of that thing. deep, no?"


Well he is saying something here, because as pointed out, many people approach this from an ideological place.



false equivalence describes a false equivalence. the equivalence that I pointed out was true. he didn't say anything.


The thing you pointed out is barely even grammatical.


Your midbrow dismissal only makes sense if there is nobody who denies that regulation is nuanced. In fact, the entire political landscape is set up around a "regulation is GOOD" vs "regulation is BAD" worldview.


There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.

They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater. The EU's top #1, #2, #3, #4, and #5 priority right now should be achieving digital sovereignty and getting a strong homegrown tech industry (ban American social media and force local alternatives?) so the US can't coerce it. That'll require some additional, different regulations, and that's the kind they should focus all efforts on for the foreseeable future. They put the cart before the horse.

Look at the sanctioned ICC judges (EU-based). Can't use any credit/debit cards (all American). Can't do any online e-commerce (there's a US entity somewhere in the flow). No Google/Apple accounts (how useful is your iPhone without the App Store?). "Regulate" foreign companies all you want, ultimately you still have no power over them. Cart before the horse.


> There is an infinitely more effective and trustworthy solution: an adblocker that blocks trackers. You don't have to spend minutes daily on dark-pattern banners. You don't risk the broken implementations that still track you no matter what you click, that regulators can't oversee on billions of websites.

try untangling the tracking code from the rest of the javascript code which is required for the sites to work - simply unrealistic.


It's not more effective and trustworthy, particularly as you can do both. The laws also cover dramatically more than tracking scripts and cookies.

> They should just keep the thing that lets you request full deletion of your account and data, the rest is total security theater.

Then large law abiding sites can still do enormous amounts of tracking, and can do lots with my data that they currently are not doing.


> ultimately you still have no power over them

You have the immense power of denying them access to your money, which turns out is a very compelling argument :)


The problems are in the details: why are news organizations exempt from this rule in Europe? You can’t read news websites unless you accept all cookies or pay to read.

Who decides these things? How is such a rule in favor of privacy? Why is my site where I regularly post news not eligible? Who decides which sites are eligible?

It’s these kind of moral double standards and cognitive dissonances that people have to endure. I wish it was black and white. But reality simply isn’t.


> You can’t read news websites unless you accept all cookies or pay to read.

You can't even read news websites when you accept all the cookies, and then, oh surprise, you'd have to pay. But they installed the cookies nonetheless, those scammers.


It seems there were lawsuits but "pay to reject" is apparently legal as long as the pay is reasonable. I despise it personally.


If you're under UK law the ICO guidance on "pay to reject" can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...


Are you sure they are exempt? I was always under the impression that their practice is pretty obviously illegal. I just did a quick google search and didn't find anything about exemption. So they are as exempt from the GDPR as much as Al Capone was exempt from taxes ;)

What they seem to be exempt from is getting consent if they require the data for journalistic purposes.

IANAL, but I think they are simply not following the law and waiting for a definitive decision by a court.

ed: So I kept reading and from my understanding it's TBD whether the practice is lawful. The European Data Protection Board has issued an opinion against it a year ago.


the edpb did not. that was explicitly -- in the very first paragraph -- under the DSA, not GDPR:

> The scope of this opinion is indeed limited to the implementation by large online platforms

Separately, in the first couple of paragraphs, they basically complain that they don't like the alternative that platforms can legally implement of paywalls for all. :shrug: Which they may not like, but is legal. So consent or pay is essentially a realpolitik deal to not implement paywalls.


> why are news organizations exempt from this rule in Europe?

In the main, because the GDPR is an attack on advertising-supported services. You cannot build a business on context-free ads given they pay somewhere between 1/100 and 1/10000 as much as ads that profile.

Thus news orgs basically told regulators that the options were no free news (or realistically, the mess America is in, where real news orgs charge and the free ones are propaganda arms) or being allowed to do consent or pay. Because a paywall complies with all laws but has negative societal effects.


More regulation, or stronger regulation, as in less wiggle room for businesses, may be a good thing. Case in point: a regulation requiring to disclose the ingredients of food.

Too many regulations is almost always a bad thing: numerous pieces of regulation rarely fit together seamlessly. It becomes easier to miss some obscure piece, or to encounter a contradiction, or to find a loophole. The cost of compliance also grows, and that disproportionately favors big established players.


> The cost of compliance also grows, and that disproportionately favors big established players.

Not true at all. Most of the harsher regulations only come into effect when the company hits a specific size. Examples from Australia (my country):

- Online shops that operate overseas, and import to Australia have to collect sales tax... but only if they make more than $75,000 from Australia per annum.

- Social media has to ban Australians under 16... but only if they make more than a billion per annum.


> Most of the harsher regulations only come into effect when the company hits a specific size.

That’s very market and country specific. Spain makes more than 1k tweaks to its food regulations each year, which would kill lots of restaurants if they were to be in compliance.

The result is that everyone tries to make as much money as they can and build an “inspection fund”, because you’re guaranteed to get a fine if inspected.


Why isn't #1 an import duty sales tax system instead and you need to declare the proper value as part of shipping, or the good is rejected / confiscated?


75,000 is very small for a business.


Actually, online shops that mail stuff to Australian customers who request them to do so don't have to collect or pay any sales tax. The Australian government might stomp their feet and declare otherwise, but they have no legal or jurisdictional authority to do so, nor any real means for enforcement.

This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas.


> This trend of countries declaring that everyone on the planet is under their jurisdiction if they mail something there (or respond to a network request) is bananas

I disagree.

Imagine I ban health potions in my realm. I am running a Darwinistic experiment to make my people the most resilient people of the world and I want them to succeed through survival of the fittest. I tolerate non magical medicine but anything else will pay 1000% duties or be confiscated. A merchant comes by with a delivery of health potions to "Johnathan Man". The guards point to the "Survival of the ssssttttrrroooong" banner, while the merchant throws a fit saying she has a very powerful uncle that just happens to be a known warlord. The guards laugh, close the gates and go back inside for another pushup contest. Meanwhile Johnathan and the merchant complain things about jurisdiction to no one in particular.


I have no idea what you're even trying to say here. Australia is welcome to try and confiscate goods that are mailed without paying sales tax, but we both know they lack the ability to actually execute that. And their ability to do anything about digital sales is basically non-existent.

So if I'm understanding your analogy correctly, the guards can't really do anything, so the merchant and the buyer will be the ones going about their business.


In fact, "too many" is the exact point at which it becomes excessive. :P


I think this is an excellent point. More is almost always worse, but if there is a genuine need for regulation it should be absolute.


That cookie banner needs to be standardized and offered by the browser. It should be like a certificate popup. Why is every website forced into doing a shoddy job?


They aren't forced, they choose to. They're forced to get user permission before tracking them across websites and sharing info with 3rd parties, but how they do it is left up to the industry. And the industry chose dark patterns, hoping to annoy the users into complaining to the EU about them.


It is the fault of the EU. If you leave a steak on the floor you don't punish the dog for eating it. Site operators just chose to do what was most convenient for them within the boundaries of the law, as would you.


We had a do-not-track header that has been deprecated. Simply enforcing the header legally and having it on by default would suffice and it would be much easier to test, because it's not bespoke from the client side of things.


I assume it's because a business has different ideas about what to collect from their users and users are more or less willing to share some data with some specific businesses. Hence, every business needs their own consent rules. The fact that this is achieved with a cookie banner for 99,9% of all businesses is a side-effect. Could there be a better solution? Probably. But the law and the incentives aligned to cookie banner hell.


> Probably. But the law and the incentives aligned to cookie banner hell.

Most cookie banners are non-compliant, so I doubt that.


Aren’t tracking cookies mostly irrelevant nowadays, because every browser can be uniquely fingerprinted anyway?


The law doesn't even mention cookies. This is a common misunderstanding and causes a lot of annoyance as I've seen websites ask for permission to store cookies even when they don't need explicit permission.

The law only concerns itself with tracking. If you don't use a mechanism to uniquely identify people over multiple visits and/or websites, you're fine. You can store simple preferences in a cookie without asking. No need to bother your users with a cookie wall for that.


No. The regulation is about processing your personal information, cookies are just an implementation detail.


Fingerprinting is actually covered by the regulations and needs to be "consented" to.

There are different regulations, but basically they are technology agnostic (a good thing). If you as a company want to use data that could theoretically be used as an identifier for me, you need my consent. For any type of use. Except if it is absolutely necessary to provide the basic service. Or if we have a contractual relationship, but there are also protective rules in place to protect the customer.

Different regulations handle storing data (like cookies, but also local/session storage and similar things on the devices of your users). But those are separate from GDPR.

GDPR is - as said - only concerned with data that could be theoretically linked to me as an individual. Regardless what this data is. Could be an id in a cookie, could be a fingerprint, could be smoke signals. It could even be the combination of different data points, that taken together allow for an identification.

Theoretical example: Imagine I live in a village with 500 people. The company tracks the location and that I am male (so roughly 50% of the population), that I am between 45 - 50 (say about 10% of the population), have multiple cats (say maybe only three people now in that village), use a Linux based machine - bingo: You found me. And now you have a set of data that falls under the GDPR. Welcome to having to ensure you only use this data in a way that I gave consent to.

See: The law doesn't even just look at marketing or tracking data. Or what happens in an app or a browser. It covers all data that is either pointing to me as an "ID" - like a cookie ID, or at personally identifiable data - like by combination in my example.
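The village scenario in the comment above can be checked mechanically by measuring how each added attribute shrinks the set of matching people. This is an added example, not part of the original comment; the population is constructed to match the comment's rough proportions, and all function and field names are hypothetical.

```javascript
// Constructed sample data: a village of 500 people, tuned to the proportions
// in the comment (half male, 10% aged 45-50, few multi-cat homes, few Linux users).
function buildVillage(size = 500) {
  const people = [];
  for (let i = 0; i < size; i++) {
    people.push({
      id: i,
      sex: i % 2 === 0 ? "male" : "female",
      ageBand: Math.floor(i / 2) % 10 === 0 ? "45-50" : "other",
      cats: i % 9 === 0 ? "multiple" : "0-1",
      os: i % 25 === 5 ? "Linux" : "other",
    });
  }
  return people;
}

// Group records by the joint value of the chosen quasi-identifiers.
function groupBy(records, attrs) {
  const groups = new Map();
  for (const r of records) {
    const key = JSON.stringify(attrs.map((a) => r[a]));
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  return groups;
}

// k-anonymity of the data set: the size of the smallest group. k = 1 means
// at least one person is singled out by these attributes alone.
function kAnonymity(records, attrs) {
  if (records.length === 0) return 0;
  let k = Infinity;
  for (const g of groupBy(records, attrs).values()) k = Math.min(k, g.length);
  return k;
}

// Everyone whose attribute combination is unique in the data set.
function singledOut(records, attrs) {
  const unique = [];
  for (const g of groupBy(records, attrs).values()) {
    if (g.length === 1) unique.push(g[0]);
  }
  return unique;
}

// Candidate-set size after each attribute of the target is learned, in order.
function narrowing(records, target, attrs) {
  const sizes = [records.length];
  let candidates = records;
  for (const a of attrs) {
    candidates = candidates.filter((r) => r[a] === target[a]);
    sizes.push(candidates.length);
  }
  return sizes;
}

const village = buildVillage();
const subject = village[180]; // male, 45-50, multiple cats, Linux
const quasiIds = ["sex", "ageBand", "cats", "os"];
console.log("candidates per step:", narrowing(village, subject, quasiIds));
console.log("k-anonymity:", kAnonymity(village, quasiIds));
console.log("people singled out:", singledOut(village, quasiIds).length);
```

None of the four fields is a name or an account id, yet the data set has k = 1 on their combination, which is the point the comment makes about combined data points.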


> That cookie banner needs to be standardized and offered by the browser.

That's actually part of these changes. It's mentioned in the linked article about halfway down.


How would that even work? The browser has no way to know what a cookie is for.


They are regulating websites anyway, surely they can just invent some standard format to say what function each cookie has. How about requiring that the name of every cookie has to start with one of "Strictly Necessary", "Functional", "Performance", and "Targeting/Advertising"?



I mean, websites don't need to use non-functional cookies in the first place. If they use it, they have to declare it. It's a problem created by website owners themselves.

GitHub doesn't have a cookie banner: https://github.blog/news-insights/company-news/no-cookie-for...

That said, looks like what you asked is happening: https://www.macrumors.com/2025/11/19/europe-gdpr-cookie-chan...


> But when we talk privacy and personal data there should be no gray zone.

It took me to move to Germany to figure that privacy is a spectrum, and I, despite being a crazy on privacy and security, actually don't want that much.

I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.

My colleagues had 3 bikes stolen in a week bc we have no CCTV cameras.

Privacy definitely has costs, and not only for business, but for regular people in daily life. It should, as anything, be balanced against costs of doing business, people security concerns.

Same goes for security: few private cctvs are ok, massive coordinated surveillance and chat control not ok. Everything is on spectrum and is a trade off.


I'm curious how the CCTV would have prevented the bike theft?


Yeah, I can tell you that the only thing CCTV does is making the thief wear hoodies. And you get some clips of them carrying expensive bikes around the corner out of CCTV range to their parked transporter.


Even without hoodie… who was it? Some dude.


True. I don't know from where people get the idea that the police would bother with an investigation for your (personally important) case if you had full-on surveillance.

You may have your laptop snatched, go to the police station and show them the exact location of the thieves using e.g. find my Mac. They will do nothing, even if it's in the building across the street.

Now, showing them some blurry (at best) faces in CCTV footage and ask them to investigate? Good luck.


> I've been to a German factory where robots could not distinguish between humans and objects bc Datenschutz.

It sounds interesting but I'm not sure what it means. Could you clarify this?

Related, recently in the UK news. British Transport Police won't even look at CCTV for bike theft at train stations (because of resource constraints, but the presence of CCTV doesn't automatically mean it will be used).

https://www.bbc.co.uk/news/articles/c8jm3wxvlkjo


Private CCTVs are legal, you just can’t have it film a public area. And I’m grateful for that.


Most baffling thing is that sometimes you can't opt-out from "always active" stuff that still involve hundreds of "partners"; see: https://news.ycombinator.com/item?id=45844691


Users can opt-out by not using the service or buying an ad-free version if available.

One would think that developers should not be forced to offer for free a version monetized with 60% less effective ads. And I understand currently this is indeed not the case for small developers, they can offer paid ad-free or free but with personalized ads. Large platforms apparently cannot.


If you want to do business in the EU, just follow the law.

You are not allowed to sell Heroin to anyone in Germany. I don't see you making the argument, that we should - in the same fashion as with digital spyware using companies - not target drug dealers. Because hey, people can just decide to not buy drugs.

[Edit]: Typo


That’s not how the GDPR and cookie laws work at all


That’s how most news websites work in Europe: accept the cookies, or pay.


Yes, but opt-out tracking data which is not necessary for the operation of the primary use case of the app is not allowed.

It must be opt-in, truly a free choice, and informed consent, and declining must be as easy as accepting.


My search told me that unless you are a gatekeeper, offering a reasonably priced ad-free tier allows to make the ad-monetized version personalized only.

I think it makes sense. Either pay, or consent to effective ads. There's no free lunch


You are allowed to serve ads, but not use data to serve personalised ads without free choice opt-in.

In theory of course, in practice nothing is being governed or fined for smaller companies.


I'm 100% on the same page as you. I just wanna point out that apparently, the enforcement of said regulation just failed. There are way too many businesses that don't give you a single "reject all" button and get away with their dark patterns. A regulation that can't be enforced consistently is not desirable and failed to some degree.


I recently registered a complaint with my local data protection authority. This then got routed to their colleagues in North Rhine-Westphalia that are responsible, as the company in question had their business location there.

What the company did? They showed a consent banner - but already sent my data to all manner of analytics and marketing companies. Before I even denied consent. They also did not mention all of those trackers/companies/cookies in their consent solution nor on their privacy page.

The result from the authorities was a clear: Go f*k yourself e-mail to me (I had screenshots attached in my complaint). Basically stating: We do not see any way you are personally affected and we also have too much to do, so we won't go after a company, just because they tracked you and sent your data to a bunch of marketing companies and tracking firms, even as you denied consent. And we also don't care, that they actually did not mention quite a bunch of those receivers of my data in their data privacy page.

So yeah - when governments actually have no interest in enforcing the rules in place to protect citizens, I am lost for words. Might have been, because the company in question being in violation of the law here was a former state-owned business, that while privatised is still run by politicians (like currently by the Chairman of the FDP Federal Committee for Justice, Home Affairs, Integration, and Consumer Protection to be precise).

What pisses me off about this the most, though is, that companies that actually follow the regulations, treat customers well and respect their data privacy concerns, they are at a disadvantage. It is not that our government and those EU conservative ars**es are for a free market. They want a market in which their buddies and the ones providing the juicy jobs after governmental terms come to an end, to win. As always, conservatives follow Wilhoit's Law.


> I get that too many regulations is a bad thing

Well yeah, cause your sentence relies on itself.

_Too many_ regulations is a bad thing.

But to have a lot of regulations, especially in fields where there is not much to be gained but oh so much being lost in the interest of capital gains like in generative AI, is a blessing rather than a curse.


That cookie thing should be a browser's default.


FTA: “Under the new proposal, some “non-risk” cookies won’t trigger pop-ups at all, and users would be able to control others from central browser controls that apply to websites broadly.”


GDPR allows for essential cookies with no popup.

Implied consent is valid for most functionality, just not selling people's tracking data or giving it to a third party who could.

It's entirely possible to have no pop-up.

Someone once told me they wanted one anyway because it made the site seem more legitimate than if I removed it (the only thing I would have needed to change was the embedded video from youtube and I could have dropped the popup. Oh well).


No pop-ups on apple.com!


embedding youtube is enough to be non-cookiebanner-compliant??


Look at what YT loads in terms of tracking, when opening a page with an embedded YT video - even if you do not play that.

Or install something like pi-hole and watch how many analytics calls to Adobe Analytics the Audible app is sending out. Even if just idle in the background. Given the fact that you pay Adobe by the server call, Audible clearly must earn a shitload of money, if they can burn tracking calls like this.

If you are on a Mac, try Little Snitch and see where your data is going while surfing the net. No wonder in the US there are companies, that can sell you a clear image of all relevant data on nearly any person to enable algorithmic wage discrimination [1].

I know, that industry is trying to push EU further and further towards less consumer protections. But we have a great example of what that means for workers, consumers and all of us in the US.

[1]: https://pluralistic.net/2025/11/10/zero-sum-zero-hours/


We went the route inspired by gamingonlinux.com

So anywhere there is a YouTube embed we instead display a static thumbnail with 2 inline buttons underneath. 1 button to accept cookies and then load the embed and 1 button to view the video directly on YouTube in a new tab.

It works nicely and also pushed us to switch most of our videos to being first party hosted instead of YouTube.
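The click-to-load pattern described in the comment above, as an added example that is not the commenter's or gamingonlinux.com's code. It assumes a first-party thumbnail path, the 11-character YouTube id format, and hypothetical class and function names; it does not persist the visitor's choice. `hostsLoadedOnRender` is a check that the pre-consent markup contacts no third party.

```javascript
// Assumption: YouTube ids are 11 characters from this alphabet. Rejecting
// anything else keeps untrusted ids out of the markup and the iframe URL.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

function checkedId(videoId) {
  if (!VIDEO_ID.test(videoId)) throw new Error("unexpected video id");
  return videoId;
}

// Markup served before consent: a thumbnail hosted on the site itself and two
// controls. Nothing here makes the browser contact YouTube on render.
function placeholderHtml(videoId, thumbPath, title) {
  const id = checkedId(videoId);
  return (
    `<div class="video-gate" data-video-id="${id}">` +
    `<img src="${escapeHtml(thumbPath)}" alt="${escapeHtml(title)}">` +
    `<button type="button" class="video-gate-accept">Accept cookies and load video</button>` +
    `<a href="https://www.youtube.com/watch?v=${id}" target="_blank" rel="noopener noreferrer">Watch on YouTube</a>` +
    `</div>`
  );
}

// Markup that replaces the placeholder once the visitor has clicked accept.
function embedHtml(videoId, title) {
  const id = checkedId(videoId);
  return `<iframe src="https://www.youtube.com/embed/${id}" title="${escapeHtml(title)}" allowfullscreen></iframe>`;
}

// Third-party hosts the markup makes the browser contact on render. Only src
// attributes count: an href is fetched only when the visitor follows it.
function hostsLoadedOnRender(html, pageOrigin) {
  const own = new URL(pageOrigin).origin;
  const hosts = new Set();
  for (const m of html.matchAll(/\ssrc="([^"]*)"/g)) {
    const url = new URL(m[1].replace(/&amp;/g, "&"), pageOrigin);
    if (url.origin !== own) hosts.add(url.host);
  }
  return [...hosts].sort();
}

// Browser wiring: swap in the iframe only on an explicit click.
function wireVideoGates(doc) {
  for (const gate of doc.querySelectorAll(".video-gate")) {
    const button = gate.querySelector(".video-gate-accept");
    button.addEventListener("click", () => {
      const title = gate.querySelector("img").alt;
      gate.innerHTML = embedHtml(gate.dataset.videoId, title);
    }, { once: true });
  }
}

// Runs in a browser; skipped when the file is loaded outside one.
if (typeof document !== "undefined") wireVideoGates(document);
```

The thumbnail has to be served from the site's own origin: an image pulled from YouTube's servers would already be a third-party request before any click.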


That would be fine, if there was a law that forced every browser to have this setting and every company to respect the setting.


arguably if there was a browser setting for this the current GDPR would require you to respect that setting. But that's arguably, it would still need to be adjudicated.


The browser setting already exists (DNT), so I don't know what you want to conclude.


My conclusion would be that under the current GDPR that if someone had the browser setting on, if a company did not respect that setting and kept private data, that they could be reported for GDPR violations and then the issue could be adjudicated, i.e that the courts would then decide if in fact GDPR violations occur by not following that browser setting.

Secondary conclusion - it might be more beneficial if one just contacted the EDPB and said since this browser setting exists and nobody is using it please issue a ruling if the browser setting must be followed, set it to go into effect by this date giving people time to implement it, and if they agreed the browser setting would be adequate to represent your GDPR wishes they might also conclude that it would be an onerous process to make you go through a GDPR acceptance if it were turned on, however as this article is saying that they are "scaling back" the GDPR that would seem to be dead in the water, which is why I said under "the current GDPR".


In the absence of any explicit consent, no-consent is always assumed by the GDPR. The absence of a DNT header definitely doesn't count as consent, so that header is kind of useless, since the GDPR basically requires every request to be handled as if it has a DNT header.

A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing, would be incompatible with the other laws. It would basically forbid anyone from asking for any consent, that's kind of stupid.

The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality when non-consenting users, and you can also not say "consent or pay a fee". Also non-consenting must be as easy as consenting and must be revocable at every time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.

What would be useful is a "Track me" header, but the consent must be given with an understanding to the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?

> GDPR that would seem to be dead in the water

I agree, and I don't like that.


If there were any companies that provided value for tracking people would turn on a track me header, but there are none. so I agree.


I mean I run Debian, and voluntarily enabled popularity-contest, so is not like these examples don't exist.


Like Do Not Track?


They should have gone farther. Don't require the user's permission for non-essential tracking cookies. Just ban them outright. No opt in, no opt out, it's just straight-up illegal to track people unless they're actively using a signed in account.


Every regulation has some unforeseen consequences. Most of the time its impacts are worse than the effect we wanted to regulate from the start. Us humans discard the effects we can't predict as benign even over smaller inconveniences we can see.


> Every regulation has some unforeseen consequences.

This argument would feel a lot less insincere if the people who always trot it out also used it every time something gets deregulated.

> Most of the time its impacts are worse than the effect we wanted to regulate from the start.

Are they though? Or do you only hear a disproportionate amount of complaints because of manufactured consent? Because I sure as hell don't trust the talking heads on TV backed by billionaires who don't like to see people push back at their greed and lust for power.


Laws should punish wrongdoing. Regulations that seek to stop all wrongdoing place burdens on law abiding citizens and businesses that were never going to harm anyone. We can't stop all wrong upfront, and the costs of attempting to do so are substantial.


You can do this trivially in modern browsers: private browsing.

I have one "normal" browser window for "persistent cookie" use (like gmail, youtube, etc) and another "private" window for everything else. Cookies are lost anytime a tab closes.


Private browsing is equivalent to creating an ephemeral browser profile every time. It might get rid of more browser storage, but for how tracking works nowadays, it is useless. It is only for what you want to store on your disk, not for how you want to be seen to remotes.


I'll admit I may have fallen for "private" browser marketing. Is this representative of current methods?

https://coveryourtracks.eff.org

I assume a subset of these bits could be used, meaning the "unique" or not claim of this test probably doesn't reflect if you can be tracked. I also assume that a VPN would help tremendously.

For that test, as is, I get "unique" every refresh when using Brave Browser. With Safari and Chrome, I get a fail on subsequent sessions.


> I'll admit I may have fallen for "private" browser marketing.

The private claim isn't wrong, the threat model is just your spouse seeing that you watched porn and not at all about the remote party.


> https://coveryourtracks.eff.org

    Platform
    Linux x86_64

    One in x browsers have this value: 5.73

What? They just claim Linux has a marketshare of ~20%?


For all of these values, I think they're going purely by bits rather than occurrences observed or market share.


It's still the easiest way to track users. If it were useless, Google wouldn't be so opposed to blocking 3P cookies in Chrome.


> You can do this trivially in modern browsers: private browsing.

The one that Google keeps tracking? https://www.tomsguide.com/news/going-incognito-in-chrome-doe...

Edit: not just Google. Incognito mode does not prevent websites from tracking you, period.

--- start quote ---

Once these new disclaimers make their way to stable builds of Chrome, you’ll see a message that looks like this when going incognito:

“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google.”

--- end quote ---


I don't use browsers made by ad companies, because I fully expect that browser to stay out of the way of their revenue stream. There are many browsers out there that care about privacy.


Doesn't matter. Companies will keep tracking you in incognito mode.


Are you sure cookies get scrapped after you close a tab? Does opening a single session-based web site in multiple tabs work (eg. logged into Amazon in a private browser)? What browser are you using?


In Chrome and Firefox, all the private windows share a session that gets scrapped when you close them all. Safari keeps them separate.


Yeah idk why there's a law trying to poorly enforce this instead


Because the law isn't about cookies, but about tracking? You know, the kind that doesn't stop even if you open the "ignorant mode" in your browser: https://www.tomsguide.com/news/going-incognito-in-chrome-doe...


Who is the audience your comment is trying to reach? Who are these mysterious "companies"?

It's important to realize companies are made of people.

Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?

That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.


My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).

But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.

Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.


That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the 'Decline Cookies' dialog under 3 layers of clicks". That's a proactive choice, that some software developer chose to implement.


I'm guessing that in many cases, it's not one software developer who decides. Most people are told what to do, and for many websites I'm guessing that it's just some kind of Wordpress add-on.

Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".

Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".


That's why we need to realize, that decisions in the small constitute what happens in the large. If some person comes and tells me to implement dark patterns into the consent popup, I'll tell them that this is illegal. I'll also tell people, when their current consent is manufactured or when their cookie/consent popup does not conform with GDPR. Been there, done that. Only unfortunate, that it was not my role to deal with that. It was simply that most people didn't care (I must assume frontend developer knew better, otherwise they were utterly uninformed about their job), some people who should have known better didn't (everyone else in the engineering team), some people wanted dark patterns to be in there (project management and marketing/sales, as usual), and I was the only one pointing out the tiny problem with the law. Of course no one ever thanked me for that.


It's not that people who implement those things don't care, per se. It's that they care about getting their paycheck more (or, in the current climate, retaining their job). And they are also acutely aware that if they refuse to do it, a replacement that won't is easy to find.


Your moral integrity is tested, when your paycheck depends on it, not when it doesn't have repercussions to you.


I have been in that situation in a startup. The boss would come to me and ask for some dark pattern (not cookies, I don't remember exactly what it was). I said I wouldn't do it. They literally asked a guy in the adjacent room, and he took it as a new task and did it.

He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.


Both understandable and good that you stood up to it!

Sometimes though bosses need some contradiction, for the business to be successful. It is not the best approach to have no opinions or ethics.


Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.


It might be hard in some places, with especially toxic higher ups. A good start is pointing out the law a few times. If that doesn't get them to stop, what you can do is ask them to give you a signed piece of paper, where it says, that against your objection and warning about this being illegal, they want you to still do that. Usually at that point they will find someone else, or stop trying to do it.


I agree with everything you say, except

> Usually at that point they will find someone else

is not really something a lot of people can afford to risk


This is why I am glad to live in a country with comparatively good employee protections. In other countries, where people can be fired at will, this might be more problematic. But at least in this country, it would be a very clear cut case, if your employer asks you to do something illegal, that they will not be able to legally fire you. Of course you might have to go to court to get your right.


Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".


I don't want to live in your hellscape where my government tells me I can't program a website without a license.

Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.


Maybe you could still program a website. But you might not be able to do it professionally.

But yes, more people should tell other people that they won't do that.


Should contributing code to open source software require professional licensure?


As far as I know most (all?) open source and free software licenses include terms that explicitly state that there is no warranty. So I think maybe a license there wouldn't be required. It is an interesting question though.


But many people are paid by their companies to work on OSS.

Most commercial software doesn’t have a warranty either.


In that case I would say, since they are getting paid for their work by the company, they are in a different position than someone developing FOSS on their own private time.

I think a lot of commercial software that is not open source or free software, doesn't have licenses in the same sense. They are proprietary and they might have an EULA, that prohibits you from reverse engineering or something like that, or that declares the no warranty. But not licenses like for example GPL or MIT license. Such a license would be useless for proprietary software projects, because the user isn't supposed to ever get the code.


Lucky you. In my experience it ends up with talks to HR, where they will explain that "you are being difficult to work with" and "things are going to have to change" or "we are going to have to look for alternative avenues"


IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.


But that's a great example of why we might not need to turn into professionally licensed experts: the risk of messing the implementation of GDPR up is nowhere near messing a bridge or even a single family home up.

Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.


Sure, we programmers aren't likely to kill anyone with malpractice (in most software development disciplines, anyway). But we have a much, much broader impact. An exceptionally bad bridge collapse kills maybe a couple hundred people. Incompetent or malicious coding practices on a site negatively affect millions, with some sites getting up to the billions.


No disagreement there, but opportunity costs are present and unregulated everywhere: eg. a bad traffic light design (timings) might increase congestion and greenhouse gas emissions 10×, but nobody is losing their traffic engineering license for that.


someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective"


How much incompetence do we accept or tolerate, before we deem it negligence? If someone adds a consent popup or similar thing to a website, usually knowing, that there is a reason why this must be done, and that this reason is GDPR, it seems quite incompetent to not know the first bit about what is required, and not doing their due diligence to read up on it when one doesn't know.

Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.


Realistically speaking, how much are people willing to pay for email, communications, cloud backups, social media? This is the hard question.


They already do as part of their internet subscription at home and data plans on mobile.

ISPs used to provide email addresses for people, and it was part of the cost.


Yep, it is exactly what the EU shouldn't do. This will actually further disadvantage EU companies, when US companies are left to run rampant. It also will take away any "made in EU" advantage that EU-local companies had over US competition. GDPR was exactly the right step. In fact it was not enforced strictly enough and should have been enforced much stricter, punishing all the shady businesses which employed dark patterns to extract personal data from citizens.


> Business never respects anything, but profits

That is taken as a law of the universe by some but B-Corps, Social Purpose Corps, FairShares Commons... There are exceptions and some are working to do better. That statement has mostly become an excuse.


Once they lobbied in "legitimate interest" as the exception to the opt-in requirement, the whole regulation de facto became a farce for the end user.


Are cookies really tracking you? 3rd party cookies don’t work in any browser. Ads are passing session data on the URLs instead. You can also easily change some settings to stop persistent cookies. You can install privacy extensions like Ghostery to block beacons. You can use features like iCloud private relay to prevent IP tracking. Solutions are all there and they aren’t because of any law.


Everything you mentioned is advanced knowledge. An average person, who doesn't deal with all these technicalities simply doesn't know this. It's like Telegram saying that it's the most secure messenger while not offering encrypted chats by default and not allowing to have encrypted group chats. An average person in this case ends up completely unprepared and unprotected.


Don't mix PII data and cookies (or any other similar tech). There are different regulations in place here.

If you want to use data that can identify me (even in theory), you need to ask me, if I am fine with that. If you want to store data on my computer, you also need to ask me, if I am fine with that. Because, if I request a download, I expect to download the file. If I request a website, I expect the website content. I do not expect data that you or others can use to see how often I visited your site. Like meta-shit, or google-crap, or linkedin-slop...

If you want to do that, just ask me. And explain in clearly understandable words, what you do and why. That is just human decency.

Yes, I can (and strongly do) protect myself against this (and I am working in that business, I know the tricks and tools and stuff). But my late mom can't. Or her 80+ year old neighbor. Or SO's my 19 year old niece that only uses a tablet and a crapload of apps that target her and spew a shitload of targeted ads for weight loss onto her since she was an early teen...

So no -> Those companies need to be highly regulated. To me, those companies need to rot in hell, but that is my take. I want people to be protected. From business, from government. That is the basis of European privacy law - protecting the small person from the big entities. And rightly so. We have our history from which those protections originated.


There are a bunch of sites that stop working if you tweak privacy related settings. Twitter straight up tells you that if you experience problems, you should disable Firefox's tracking protection.


And by that they are actually in violation of GDPR. But hey - since when was Musk interested in following regulations. And since when has a governmental or supra-governmental entity been able to curb that tendency of the super rich and biggest corporations.

Like with meta: They know they make 7 billion annually from serving 15 billion scam ads daily. They calculated that they will at most have to pay about a billion in governmental fines all over the world, if they should one day be regulated for that.

So it is a clear business decision to go on showing 15 billion+ scam ads per day to their "users". Were some interesting journalistic pieces on that a few days ago.

And exactly those companies are the reason we need stronger protection. And these protections more heavily enforced.


> Ads are passing session data on the URLs instead

At which point it also counts as PII and is subject to the GDPR rules.


Europe has much more fatal startup-killing regulation problems than cookies, however. Who cares about cookies? I am on your site, you are going to plant/collect cookies. These goddamned banners are a solution in search of a problem, and it's yet another hurdle a company of, say, 3 has to go through, for very little reason.


The banner isn't required. They could just not do the things the banner would ask consent for.


People don't know whether they are or are not doing things that require consent under the law. That's because, if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs. Notably missing from that list is "lawyers who can be bothered to research the question".

People put the banners up because they see other people doing it and it seems safest. That all of this would be so should have been perfectly obvious to whoever contemplated bringing the regulation into existence. Therefore they are either imperceptive or malign.


> if you haven't noticed, the people concerned are computer programmers, UI designers, and PMs.

Those are the people who should know best what is meant by "ask visitors for consent before you track them.".

Lawyers and more work is needed if you want to track anyway and look for ways to make people accidentally consent. "Let's ask the question, but hide the unwanted answer as deeply as possible without breaking the law."

You may blame EU bureaucrats, I blame the unwillingness of the companies to fulfill the spirit of the law and putting all the work into pretending.


> People don't know whether they are or are not doing things that require consent under the law.

This knowledge is taught in school and we also had one lecture in university and I am not even studying CS or anything computer adjacent. You can very much rely on CS graduates to know this, and even if they don't, the company could organize a training day, like they do for all the other stuff. This is really a dumb excuse for a company.


Is that what really happens though? EU countries usually don't immediately punish violations unless they're particularly egregious. You're more likely to get a warning and a grace period to meet the requirements. So the rational approach would be to not bother with consent banners, GDPR and whatnot until you attract the attention of the regulators, at which point you should definitely hire a legal team that can tell you what exactly you need to do to comply.


"Just sign the contract, we'll never use that clause!"


Any company that can hire teams of software developers can afford to hire a lawyer to tell them whether they need to irritate all their customers. And frankly, they'd be dumb not to hire a lawyer if they think they need some legal cover to determine whether that cover is sufficient.


Good god. I certainly wasn't suggesting this situation would be improved by software teams hiring lawyers to advise on their software! You appear to have completely lost perspective.


You think a company worried that they have a legal issue should just ask the programmers and ui designers to sort it out? Or that programmers who think the company has a legal issue should take it upon themselves to come up with a feature that they think addresses it without consulting legal?


Since you asked: I care. I leave sites which insist on tracking me and appreciate that it is now mandatory for said sites to inform me about their intentions. So this is a solution to a problem I actually have. There are sites which place a "reject all" button above all and make this easy for me. Others try it the sneaky way, by making me turn off every single tracking vendor and then a lot more hidden under legitimate interest. Those are the sites I leave and never come back. The hurdle in question has a lot of simple solutions. 1, don't use cookies. Github does that AFAIK. 2, be transparent about your tracking intentions and use one of the several premade solutions. 3, design a dark pattern UI that hides the important switches in technical named lists and count on the laziness and confusion of users to use them. That is probably the most expensive way for a 3 person company, as you need devs and UX designers and lawyers to judge if you bent the regulation requirements just enough without breaking them.


Why not accept and let cookie autodelete delete it after closing the site?

Expecting any industry to follow the law is foolish, if it gets big enough, they will wear down and overturn any annoyance against it, malicious compliance is the only way.

https://adnauseam.io/


It's not just about cookies but any kind of tracking, including fingerprinting.


I think we better remove the problem itself than come up with more and more ways to mitigate it.


We had our underground parking and storage units broken into in apartment building. And we couldn't see the CCTV camera, to be on a lookout for the thief and call cops. Only cops could see it. Thieves have higher protection than your property.


The trouble is that everyone else is pursuing tech unhindered by such regulations at breakneck speed, and Europeans realize that Europe - once the center of science and technology - is increasingly sliding into a backwater in this space and an open air museum.

Now, some will agree with you and say that privacy should never be violated, but nonetheless accept a certain measure of tolerance toward that kind of violation, because they see rigid intolerance as causing more harm than the violation of privacy itself is causing [0]. This harm is chiefly the economic harm caused by the burden of regulation and the roadblocks it introduces.

Perhaps this isn't true, but if it is, then moral offense is likely to have little effect. A more effective means might be to make following regulations cheaper. Of course, as we know, when you make something cheaper, you increase demand. This means that EU institutions would likely see this as an opportunity to increase regulation, nullifying the gains of introducing less costly ways to adhere to regulation.

[0] This reminds me of Aquinas's view of prostitution. Naturally, Aquinas saw prostitution as a grave, intrinsic evil. No one is ever justified in soliciting the services of a prostitute, much less of being a prostitute. That's the moral stance; it concerns our personal moral obligations. However, from the position of the state and how the state should police such activity through law, Aquinas saw the criminalization of prostitution, however good in principle it might be, as a policy that would be practically worse - even disastrously so - than law and policy that is permissive toward prostitution. Whether you agree or disagree with him, the principle holds, namely, that the state not only does not need to police every bit of immorality, but by doing so, may actually contribute to the destabilization of society and to an even worse condition than the one it is saddled with.


> sliding into a backwater in this space and an open air museum

Or a place that follows a different approach than "break it to make it" mad dash, that fosters a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in. If there is a good set of regulations in place. And that is where EU is not consistent, and this backtracking not helpful.


> a place that follows a different approach than "break it to make it" mad dash

You don't have to convince me of the foolishness of mad dashes. Or the emptiness of consumerist culture. But is the EU not consumerist? Does it even have any viable or good ideas about alternatives? Without consumerism, the modern world doesn't know what to do with itself. It has no other modus vivendi. Consumption is all it knows.

> a different - perhaps richer - culture with tech more aligned to people's needs, and overall healthier to live in.

Sounds great, and I do not contest these as aspirations. And economies are supposed to serve the objective good of human beings. But is the EU on the path of greater cultural richness, or one of cultural decadence?

> If there is a good set of regulations in place. And that is where EU is not consistent

Bingo. What is good regulation, not as just an expression of principle and aspiration, but as a matter of practicality and prudence in the given circumstances?

It also takes more than good regulation as well. You have to ask: what does it take - and that's possible within morally licit limits - to encourage a richer culture, a culture that is also more conducive to health, and a tech industry that serves the human good? Is the EU succeeding, or merely stagnating and reacting defensively (for better or worse) to the changing conditions of the world?

Some things are only possible in vibrant economies, and where tech is concerned, the EU is not exactly vibrant.


I don't think GDPR is the problem that makes science and technology succeed more elsewhere or fail more in the EU. There are far, far bigger problems, that are at play here. For starters we have a war still ongoing in the east. Economic power houses have had utterly corrupt governments for decades. Standardization of many things is difficult with so many separate nations. Education systems are questionable. All of these will play a larger role than GDPR.


Indeed, and I'm not blaming GDPR for all of the EU's problems, or even blaming it for anything specifically. I was entertaining a plausible rationale for a particular case and using this as an occasion to pose a more general question about the EU's effectiveness in balancing various concerns when regulating.


This is why I just bought a Pixel and put GrapheneOS on it. And one with a SIM card that I can take out whenever I want. No AI, limited tracking, and no big tech. This is my personal boycott.


> they just shouldn't be able to collect anything without me actively opting in

That's exactly why things are the way they are.


The problem is paternalism and assuming the user is too dumb to take control of their privacy preferences.

The compliance of the cookie banner regulation has measurable negative externalities - one estimate suggests a EUR 14B/year productivity hit in the EU

Most modern browsers allow you to disable all cookies if you like. You can always use incognito mode if you want to be selective about it.

In an ideal world, the EU could have simply educated their constituents about privacy controls available in their browser.


GDPR is not a cookie regulation, it is a tracking regulation.


It's broader, it's about users' data. For example, you can store my address so you can send the item I ordered to me. You can't, without permission, use that to send me marketing stuff.


Everything that happens under Ursula Von der Leyen leaves a bitter taste.


And when they use our data to profit, we don't get a royalty cut.


Perhaps if you had some engineers write the laws they’d work better


Nothing is ever black and white.

You could prevent all car accidents by banning motor vehicles. You could prevent all side-effect related deaths by banning all the drugs. You could stop all phone scams by banning telephones.

Obviously, that's excessive overregulation. Just as obviously, letting people get away with car accidents, phone scams and drugs that kill more people than they cure is not what we should be doing either. It's the job of the lawmakers to find the tradeoffs that work best for society.

The moment you say "it's black and white, the other side has 0 good arguments", you lose the discussion in my view. If you don't understand what we're even trying to trade off here, we can't have a productive discussion about what the right tradeoff is.


What kind of a discussion can there be? It's very simple. I don't want any business or individual or whatever to collect any of my personal data if I don't agree to it. Right now companies do everything they can to do the opposite. And there's nothing here that can prove them right.


What a funny comment. “You see, you just don’t understand trade-offs, here let me explain to you…”


Using an Ad blocker I feel regret for stealing the site's revenue. So I allow them to collect my personal data. Anyways, I think most of them will not respect my rejection.


A site that cannot exist without collecting not needed personal data and without selling out its visitors, has no justification of continuing to exist. Don't let them guilt-trip you.


Do you think anyone cares in the slightest about your 'personal data'?

It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.

If I'm going to offer an application monetized with Ads, I'm going to use a big ad network like Google which requires cookies to personalize the ads and prevent fraud. I could not care less about collecting your personal data.

And that's probably the same for 99% of websites.


Well, without any personal data, FB/Meta and Google would have nothing. Their whole business model is selling the idea, that they are able to advertise better, due to them knowing things about people and their preferences or interests.

Obviously you need to consider what happens in the large.


> It's garbage and no one would waste energy for it, if it weren't for the ability to serve more effective advertisements.

Advertisements, among other things, for political views, influencing voter behavior. Which lots of interest groups care about


A blog writer who injects ads cares in an analogy similar to how a low-level street dealer cares about pushing to clients. It provides the income. Further up the chain it goes much further than just ads, up to state actors who try to influence elections all across the globe, based on such data. And with AI a new Wild West wide open to explore.


Selling drugs causes harm.

Targeting political ads? Debatable - whether AI is somehow involved or not.


I would consider making people vote for a criminal dictator to be more harmful than selling drugs, the former is destroying way more lives than the latter. And I am someone who would vote for more enforcement and regulation of bans on drugs.


No matter your political opinions, the ability to target political advertisements hardly seems like the nightmare you all act like it was.

Multiple people keep talking about selling hard drugs in the comments. Seems a tad dramatic.


Showing ads (not necessarily political ads) can be harmful. A very easy example is of course ads for gambling sites.


That's just a shallow and one-sided argument that never respects the other side of the coin.


It's also true.

Not every business model is viable, and that's life. I can't run a hitman business. Because that's illegal. Oh well, too bad, so sad. This is what makes the world a somewhat decent place.

If we make things that suck ass illegal and then, as a byproduct, a bunch of businesses can no longer make money - then good. That's the correct outcome. This is how a free market works. You want to win customers? Make a good product, have a good model, don't cheat by lying to customers, or doing shit without their consent.

We don't want scams, scams are bad. If those go away that's a net benefit for humanity.


What do you mean illegal???

Tell that to the ads advertising business that is bringing in billions every year, and it's legal btw.


Right, and that sucks major fucking ass. It's bad and literally nobody likes it.

If it went away overnight, I would not lose sleep. I don't think I'm alone in that.

If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for.


Nobody likes it in the same way that nobody likes paying for groceries or gas. Wouldn't it be great if they were free??

Of course it'd be awesome if the world had no ads, but most people prefer free with ads to paid without ads.


Uh, no, not in the same way. You have absolutely zero proof that you NEED to fuck users up the ass to make the service work.

Many services worked without the ass fucking. We did it for a very long time.

> but most people prefer free with ads to paid without ads.

No, you can't actually say this, because part of the deal is that nobody actually knows HOW or WHAT they are giving up for this free service.

Things like GDPR or consent, again, do not outlaw the actual thing. Ads are still legal, personalized ads are still legal, tracking is still legal. It just forces you to ask consumers. If what you're saying is true, then GDPR is fantastic!! All the users should click 'accept all cookies', because that's what they actually want, right?

Unless, wait, you think... maybe that's not what they want? And they're only agreeing to the current situation because they don't know what they're agreeing to? Hmm... what a conundrum!


Okay. So would you prefer to pay a subscription for every site you use or pay with your eyeballs by looking at ads?


This is a false dichotomy. You don't need to track your users to show ads.

Contextual advertising works fine for many sites, especially those with a specific targeted audience (for example a gaming website can show ads for gaming related products).


Imagine if grocery stores had someone standing at the front asking if you'd like to pay for your groceries or opt-out. Of course most people would opt-out, because that's what's best for them individually. But they probably won't love it when the grocery store closes...


That's just very obviously not comparable.

You don't need to collect obscene amounts of data for any of these businesses, and we know that for a fact because that's how we've done it for the majority of human history, including a good chunk of the internet.

You do need to sell products at a price that makes up their cost.

Once again, I must repeat. Nobody is making whatever evil ass shit we're building illegal. They're not, it's just not happening. What they ARE doing is saying "be honest to consumers about it".

You want a free market? Think about what the principles are that make up a free market. Consumer choice, switching cost, informed consent. These are the foundations of a free market. If your high school economics teacher didn't make that clear, then they were a bad teacher.

The market works because consumers can figure out what the best product is and choose that, so the best products win. What's the prerequisite to that? Knowing what the product actually is and what you're paying for it.


So by what you're saying, you want people to be unable to earn a livelihood?????

For some people, and I mean some people in this entire industry who are working with it directly and indirectly, this is the only way to earn a living, and you're saying these people can't do that????

"If you want to run a business that relies on gathering obscene amounts of data on people and then using it in aggregate to commit crimes against humanity, then fine. But at least make them consent to you fucking them up the ass. I don't think that's too much to ask for."

Well, you are free to choose not to?????? What are we even doing here? Life is about choice, and you are free to not sign up for a service that scummy.

It's literally a totally different case that's worth another article/post.


> this is the only way to earn a living for them

Who are those people who literally can't earn a living in any way other than working on personalized ads?


So, so many glaring problems here:

1. Consumers can't just 'not use something' because of network effects, and you know that. Don't play stupid with me.

2. The service is scummy because they lie. That's the scummy part. Sit back and read what I wrote. I'm not saying services CAN'T commit crimes against humanity. They can! I'm saying they must DO IT HONESTLY.

If this is about choice, and you want users to choose what they want, then you have to be on my side. It's not optional. IF what you're saying is true, and consumers have the choice to "not sign up for a service that scummy", THEN they must know if the service is scummy. Necessarily!

You are literally agreeing with me!


You are making it like they are doing human crime level hitler or some shit

No, the competing solution/alternative is not better

if there are better ways to do this, it would be born already


Which is why shrinkflation always fails right?

In a free market, consumers will pick the better option right? The one where they don't pay more for less?

Right?


> if there are better ways to do this, it would be born already

That's not how it works in capitalism. If there are more profitable ways to do this, then it would have been adopted. But better is subjective - better for whom? For the users? The businesses don't give a fuck about the users, only about their money.


> You are making it like they are doing human crime level hitler or some shit

I mean, yeah, Facebook directly caused a genocide because of their pursuit of ads. Do with that what you will.

But either way, it's like you're pulling every fallacy you can think of out of your ass!

Even if it's not a big deal, that doesn't mean we shouldn't do anything. That's stupid.

And the idea that 'oh well we don't need to think of solutions, because the magical solution fairy would've already done it' is also stupid.

How do you think stuff gets done? Who's doing it? Us! The conversation we're having is that! It's the "born already" you're talking about!


They should feel ashamed for collecting your personal data in the first place.


Typical ad blockers won't block ads that are served natively by the site you're viewing. And outside ad networks are a security and privacy risk. So I don't feel too bad. It's not my fault that they made their revenue contingent on loading untrusted third-party content.


Reminder that cookie banners are not a regulation problem, they're a privacy problem. If you don't spy on your users you don't have to have cookie banners.


No. Even including a font from a different host is not allowed under the GDPR because you are leaking the user's IP to that host. You are poorly informed on this topic.


But the different host IS tracking because that's how they make money from serving "free" fonts. So if what you're saying is true, that's exactly how it should be. When I go to a website I don't want others involved.


We used to use Subway's proprietary font. We never needed to call a server for that.

Maybe don't build stuff in such a dumb and lazy way?


There are lots of uses for cookies that have absolutely nothing to do with collecting data about you.


And you don't need user consent for most of those cookies.


That's true. But it's just a small part of overall tracking. And nobody would care if the cookies were used only for auth or purely functional reasons.


I wish we standardized on Do Not Track headers. Cookie banners are a plague. Thanks Europe.


There is nothing stopping the industry from standardising on an alternative form of expressing consent, for example on browser installation. GDPR is agnostic to the form the consent takes, as long as it's informed and freely given.

However, by far the biggest browser is funded by a corporation that wants tracking data across the web. I'm not very surprised that the corporation haven't made it easy to refuse just once.

Thanks Google.


Do you really think that clicking on any button on cookie consent popups actually does anything? It's just an illusion of choice. The reality is that these sites will still track you, whether that's via cookies or, more commonly today, fingerprinting. When they list thousands of "partners" with "legitimate interest", it's a hint that there's a multi-billion-dollar industry of companies operating behind the scenes that will do whatever it takes to profile and track you, regardless of what you click on a silly form. Regulations like the GDPR don't come close to curtailing this insanity.


I very much doubt that the practice of putting hundreds or thousands of partners into the legitimate interest category is legal. I wish this was challenged more and brought in front of the courts. And not just wrist slaps dished out. Such practices need to have business-threatening punishments attached to them.


I'm sure that happens in some cases. But the EU is building a reputation for handing out fines that actually hurt, and I'm sure that actively lying to consumers about this would warrant a big one, if ever discovered. And in any case, tracking will be a lot less robust without those 388 cookies.


I think I should be able to collect whatever publicly available data I can find.


But we are not dealing here with the public data. Stalking people, recording their every step and action so then you can sell their behavioural habits is not collecting public data, it’s stalking and invading people's private life.


Yeah, but a lot of the rules around privacy and personal data make it hard to accept business from Europeans. If you are a small business or startup you might not even accept business from Europeans because navigating these rules is almost impossible.


I'm not sure how this makes sense. Functionally the rules are the same across the entire bloc and it's pretty straightforward: unless you have a legitimate reason to store the data, you need to ask for consent and the consent must be free. I want to make more money is not a legitimate reason. I have a legal requirement to fight financial fraud is a legitimate reason. Obviously the reality is more nuanced, but understanding this basic idea gets you there 95% of the way.


Just don't track users. Don't store any information you don't need, don't try to spy on them beyond what information they choose to share with you freely, and the GDPR has zero issues with you.


> But when we talk privacy and personal data there should be no gray zone. It has to be black and white.

You are wrong. If one followed your ways, we would never do a lot of things. There are things called regulatory sandboxes for a reason. But those don't really work in fields where the "scale of the data" is the core reason why things work.

Chat control is stupid.



