New cookies consent which violates GDPR

I’ve just loaded the forum and got the new intrusive modal by OneTrust asking for consent about cookies, designed to be extremely boring and unintelligible for non-tech people to manage them to click on “accept all even when I’m not aware of what all of these means and that’s not aligned with the GDPR consent”, but anyway.

I’m an informed user. I’m a web developer, a conscious person aware of the surveillance capitalism era and multiple methods used for invading our privacy, our freedom of information, and even our democracies.

So I went through the process to uncheck (!) all the options. I want to highlight this fact: checks should be DISABLED by default, according to the GDPR. All of those categories (except one) were ENABLED by default.

But what I found tremendously incoherent and even hypocritical was the “Strictly Necessary Cookies” category:

Strictly Necessary Cookies

Always Active

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Cookies used

[…]
Google Analytics:
[…]
GoogleTagManager

Note the “strictly necessary” part of the name. Please, explain to me how the f*** analytics are strictly necessary to run a service. Here’s a hint: they are not.

I express my direct rejection for this data to be collected and processed, since it’s not strictly necessary to the service to run in any technical sense. I want to express my concerns about this nonsensical GDPR consent modal window —supposedly by a specialized company— which doesn’t align with the actual regulation.

26 Likes

#darkpatterns

See https://darkpatterns.org and https://twitter.com/darkpatterns

2 Likes

I had already linked to the official website in the first paragraph, second link, :wink:

1 Like

@Monica.Ciovica could you look into this?
@Douwe could you come back to Fairphone and finish the job?

2 Likes

Nice! Recently I saw a variant where everything off was a blue toggle (like on Apple devices, it being on) while it being gray meant off (EDIT: it was at Phoronix). The other annoying thing is that websites fail to work when you don’t accept the cookie (which is illegal). Many major websites even do that… :frowning:

2 Likes

I’ve just literally stumbled upon that shamelessness. Illegible black text on dark green background; even the “Reject all” button is not working! :face_with_symbols_over_mouth:

I need to become friends with a lawyer to start pushing these into the courts. It’s blatantly illegal, and they know it. This needs to change.

5 Likes

I need to become friends with a lawyer to start pushing these into the courts.

No need to go to court. GDPR simplified the complaint process and the data protection authority of your country should provide a form allowing you to file a complaint.

7 Likes

I’m actually looking at it. Thank you, Rudloff, :blush:

3 Likes

Hi all,
Please let me quickly address these concerns from the teams working on the project, and if you have any more questions or thoughts please share them and I will follow up with the team.

First of all thank you for pointing out the Google Analytics in the strictly necessary category, this is an oversight and one we will be correcting. We have chosen to do the implementation of Google Analytics without involving personal data and we do not provide personalised content or targeted advertising without the prior consent of our customers (which we obtain through the cookie banner only when customers tick the Social Media box). In any case, we are in the process of setting up and configuring the categories of Cookies in a more understandable way.

The new cookie banner is part of a larger project Fairphone has initiated aimed at improving the customer journey. A key goal of this project is creating clearer standards on data tracking and analytics, respecting privacy, providing transparency regarding our cookies, while at the same time providing the best possible service to our webshop customers. For a small company such as Fairphone, this type of project is by definition a step-by-step process in which we focus our limited resources on one issue at a time. As a result, the current cookie banner is the same for all Fairphone websites, and the categorization was completed by an automated tool. Our next steps in this process are fine-tuning the categories of cookies, specializing the configuration of the Cookie banner and improving the documentation and the subsequent transparency of our Cookie policy.

I will make sure to keep you updated on this process :slightly_smiling_face: Questions? You know how to find me :raised_hands:

6 Likes

Thanks for replying, @Monica.Ciovica. Hope it doesn’t take long for the team.

Here’s a short version to ease the process for you:

  • (legal) Checks shouldn’t be enabled by default
  • (legal) Google Analytics in the Strictly Necessary Cookies category
  • (ethical) There should be a “don’t accept any” button at the same level as the “accept all” button.

Fair enough. Now I want to raise the question. If the forum is a community, it’s not a product, and vice versa. If it’s not a product, it shouldn’t need analytics at all, right? Therefore, is the forum a community or a product?

8 Likes

Sorry, I am busy… :blush:

But I do remember that analytical cookies are (legally) seen as functional cookies as they help Fairphone optimize the website. For this you do not need opt-in and the box can be ticked by default.

Now… whether you want this and if it feels like the right thing to do, also on the forum, and not just on the main website, is an entirely different matter and depends more on how you view your customers, users and guests of your website.

Luckily you are less dependent on website owners’ choices these days and can choose to use different tools with various levels of protection against tracking of many kinds.

4 Likes

Thank you for the legal reading. I just need to dig deeper into the GDPR, but I have the feeling that that data should be anonymized to be checked by default (which is exactly the case of Fairphone’s use of GA, as @Monica.Ciovica stated above, but wasn’t properly explained).

Of course, the category of functional cookies should be on by default, the issue was with those other categories.

:heart:

I’m all into surveillance self-defense, but that’s just a blue pill of its own. I don’t have any doubt you know this, but I need to write it here for other people. Self-defense doesn’t solve anything at all because privacy is a team sport. From the latter link:

Privacy is like voting. An individual’s privacy, like an individual’s vote, is usually largely irrelevant to anyone but themselves … but the accumulation of individual privacy or lack thereof, like the accumulation of individual votes, is enormously consequential.

5 Likes

The GA helps us better understand and improve the user journeys on our website and the forum. For example: to improve our customer support journey/support articles, we are looking into the traffic coming from the forum to the page and vice versa. If it appears at some point that people leave a section in the support page for the forum, then that indicates the need for improvement.

Just make a nice and easy to use website where one can quickly find any relevant information. You don’t need any analytics to do that, just use common sense. The analytics stuff might make sense for a company with a billion users where the fraction of a percent is still a lot. But in my opinion it is a complete waste of time and resources for a small company like Fairphone. To stay in business, Fairphone needs to maximize sales and minimize the cost of support. Doing analytics on the website doesn’t contribute any new insights to achieve these goals. Just get rid of them completely.

2 Likes
