"He warned that the decision would go beyond Facebook and effect all social media plug ins, which are important for many firms to expand their reach on the web."
Add an image on your own website that links to Facebook. Problem solved. You keep your like buttons, their servers are no longer involved in serving your web page.
I did this and wrote about it[0]. It works really well, is very fast and doesn't compromise your users' data. There are also libraries that make it very easy to add.
Note that by not setting rel="noopener noreferrer" on the links you let the linked sites control the opener window (and of course see a detailed referrer header).
For the case of opening in a new tab, consensus seems to be moving to making it default, though that's not true everywhere yet. It's currently default on Safari and Firefox.
Well if the referrer header matches the shared url it's just bloat in the request headers, and if it doesn't it's possibly leaking details it shouldn't, like perhaps a token in a query parameter. Twitter, Facebook, etc doesn't really need to know where a user initiated a share anyway.
Either way making sure that window.opener isn't available to random sites is a critical security feature and in some browsers that require you to set noreferrer, so better safe than sorry.
Yes, and there's no loss of functionality, you can still share/Tweet/whatever. Really makes you think about what exactly all that extra JS the real button loads is doing.
Unless you have rights holders permissions then the social links at the bottom of that article look like copyright and probably trademark infringements. (I'm not saying that's a good thing, just how it appears.)
Who cares? Facebook is a zero sum game at this point for advertisers/content creators. Facebook stacking the odds like a casino does chuck-a-luck. There's only them winning here, nobody else.
And they will be suing for what? For attempting to send more people to facebook? What's the damage?
Facebook has no right to have their arbitrary code on other people's websites. So they can't force any specific way to show their button. From the end user's perspective it's all the same.
Facebook could reasonably argue that by bypassing their established use policies for the like button, you are depriving them of value - in this case the value of the data that their JavaScript collects and sends back to them, and that you (the site owner) are being unjustly enriched through the use of their copyrighted image(s) on your site.
Except in cases of fair use, which isn’t nearly as broad as people think, the use of other parties’ images is subject to whatever licensing restrictions they choose to put on them. You can choose not to display their images if you do not accept those terms.
That’s a very broad question. For one thing, fair use is a concept only in US law. Other countries may have their own versions of it, but all of them have their own unique limits. Even under the US version, it is not at all clear that it would fall under fair use. If I start making t-shirts with the Facebook logo on them, is that fair use? No, it isn’t. Is there much difference between that and putting it on a website that I make money from? The right jury would say no.
> 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.
We know that Facebook uses that paragraph against alternative like buttons. Many years ago German computer magazine publisher Heise created a version of the like button that works like this: The button is initially greyed out and has to be activated by a slide button to be used. Communication with Facebook's servers starts only when the button is activated.
After threats from Facebook Heise had to change the look of the initial button so that is has none of the Facebook branding. Only the dynamically loaded original Facebook button looks like Facebook like button. [1]
Link to the original alternative like button project in German is [2]. An fork with English documentation is [3].
EDIT: Their current branding guidelines for the "thumb icon" [4] say:
> Do link the Thumb Icon directly to your Page on Facebook when using the Thumb Icon online.
So a thumb icon linking to your page should be OK.
EDIT 2: The branding guideline also says:
> Don't use an outlined thumb with the cuff detached.
So you can use the "Thumb Icon" but not in a way that replicates the current original Facebook like button because that one is outlined and has the cuff detached.
BTW this is exactly what Privacy Badger does: It replaces the original Facebook Like Button (cuff detached) with the thumb icon from the official assets (cuff connected).
>> 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.
> We know that Facebook uses that paragraph against alternative like buttons.
Did you quote the wrong section? That term can't really apply to alternative "like us on Facebook" buttons, because such a button can't confuse users into thinking it refers to Facebook features or functionality, because it actually does refer to Facebook features and functionality.
> > 8. You must not use or make derivative use of Facebook icons, or use terms for Facebook features and functionality, if such use could confuse users into thinking that the reference is to Facebook features or functionality.
As written, if the reference is to Facebook features or functionality, then there can be no confusion and this clause does not apply. This would seem to be the case here.
Fair use is a defense. You, at best, get sued, have to pay a ton of money in attorneys fees, on the chance that you "bet" it's going to work. Tough sell.
I know I am part of the HN bubble but I have not used any of those buttons if ever in years. I wonder how many legit use the buttons vs how many copy and paste a link and it shows up under those metrics somehow? Guessing I am part of the weird bubble.
I put Github "star" buttons on my portfolio site[1], but I also created my own Gitstars API [2] and am hosting my own Button Generator [3] because of some limitations on how Github's API works with static front end websites. This has the added privacy benefits as the improved stability.
I’d guess the number of users that copy and paste a link to share it is statistically is insignificant considering that many modern browsers don’t even display URLs in the header anymore.
Mobile browser generally have a "share" functionality that can share anything to Facebook or any app that supports that easily, so that's what people would be using rather than copy and paste.
All my Firefox browsers do with the exception of the one on my phone and only cause I changed it to show when I scroll back up to save on screen real estate. Its all configurable. Heck... When people press F11 accidentally they start calling all their kids, nephews and grandkids all scared and confused.
Because without that address bar that tech people seem to think normal users dont use they lose their ability to reason about the web.
It will wind up similar to the missing start button on Windows.
Disclaimer: I worked at a local college and had to support students in CS and other Microsoft Office courses. They lost it whenever Microsoft took away the start button but I would tell people its still on your keyboard... Anyway also saw a lot of F11 people losing it.
The last public site I worked on, did this for all the social links... was the easiest way to keep it normalized. I didn't want to use their images, etc anyway.
Sites using the like button are dumb to begin with, especially if they are in e-commerce. You’re handing your competitors an ability to do lookalike targeting of your customers via Facebook ads. This is one of the biggest advantages of that platform. Surprised nobody writes about this while gasping at Facebook’s profits.
How would you do that? You can only do lookalike of an audience you upload yourself (ex: your customer list). How would you do a lookalike of your competitor?
You can target by purchasing history either through "Partner Categories", or "Purchase behavior". Facebook knows what anyone is (interested in) buying through pixel or aforementioned widgets.
Yeah but you cannot target specifically a competitor's customers just by the fact that they have a like button on their site, which is what OP was mentioning.
I don't think he meant a specific competitor rather than a whole category. Aka you buy a shirt at one site and then every e-commerce site that sells shirts can target you.
The data from the Facebook javascript integration is much richer as it lets Facebook see each customer's complete journey before purchase. This helps tremendously with ad targeting as it tells FB (for example) what other products the customer viewed before purchasing, and possibly even how they got to the site in the first place.
E-commerce, possibly, but less true for journalism. Nobody browses news site front pages anymore. They visit news article links directly from their Facebook feed of other people sharing/liking stuff, Reddit, HN, or other social media.
When was the last time you typed in nytimes.com or some similar foo into a browser?
A long time ago, because I've got bookmarks for 5 or 6 news sites that I regularly visit (usually daily). And of course those bookmarks go to the front pages.
Facebook for news...seriously? Even HN, though I sometimes follow links to news sites, is primarily of interest for me as a source of links to obscure blog posts and similar non-news stuff. The news links are usually colored as "already visited" for me. Nevertheless, quite often the comments to these news articles are still worth reading. Which stands in stark contrast to Facebook comments on news articles...
Also, I don't use Facebook. Most of the people I know navigate to the news site directly, as social media is just an echo chamber, there are lots of links to obscure news sites publishing fake news, etc.
Most e-commerce sites use the Facebook pixel - they'd be crazy not to. Retargeting is actually where most e-commerce profits through Facebook ads come from. Advertising to cold traffic is often a loss leader, just to get an audience to retarget to. They lose money getting people into the top of the funnel, and then make it back as a smaller number of people progress to the end of the funnel.
So no, sending your data to Facebook isn't dumb, and in fact, it would destroy most smaller e-commerce businesses if they couldn't send their data to Facebook.
I think all these privacy protection rulings are a step in the right direction, in that we are seeing governments respond to dark patterns similar to how they respond to spam and telemarketing.
The loose thread now is in how the companies are required to communicate their data mining. These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.
All it takes is strict enforcement. The rules are already there.
Many of the popovers (basically all that you can't easily dismiss without giving consent to anything unnecessary) don't result in valid consent.
Twenty page privacy policies are also questionable: "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."
I also hope that the ones that ask for consent with a modal pop-up create a modal pop-up offering you to revoke consent on every page load: "It shall be as easy to withdraw as to give consent."
Strict enforcement of the existing rules is all that's needed. Getting consent is going to be really hard, to the point where web sites may be best of not asking for it, and only doing what they can without processing personal data.
The popovers are the result of government innovation. I'm skeptical whether it's actually possible to get people to read the privacy policy before using a website.
Edit: just realized pbhjpbhj has written much of this elsewhere in this thread, upvote that instead, although I'll keep mine since it is slightly different: https://news.ycombinator.com/item?id=20607528
It would help if companies could respect the rules in EU that says data collection should be voluntary and opt in.
Then the privacy policies could be really short.
That said I agree with others that reasonable standard policies would be great for both consumers and businesses:
Something like the Creative Commons licenses comes to mind:
- 0, green: nothing (no analytics, no state, so no login possible)
- sessions, green: login possible
- telemetry, yellow: anonymized, short lived (< 3 business days) data, not linked to use, not shared outside of development
- 1 party analytics, yellow: like telemetry but longer lifespan and shared outside of development
- 3 party analytics, red: uses Google Analytics standard edition or any other 3rd party tracker that shares data
Which is why the EU has already mandated that. But privacy is a complicated issue, so there are limits to how brief a complete policy can be; just the suggested template[1] is a four page PDF.
One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.
Such info could be tagged in page head and then you could do things like search for a forum that doesn't (according to policy) use your data for revenue (or share it outside the named business -- perhaps that's "PP0", in analogy to CC0), etc..
One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.
Or at least have those as standardised starting points that cover the routine points that will be the same for 90% of data processing operations, so you only have to specify additional detail for things that might be unusual or surprising.
If you look at the template privacy policy that SpicyLemonZest linked to, a large proportion of it is boilerplate that covers either reasonable and normally expected data processing or standard notifications required under the GDPR etc. Repeating that more-or-less verbatim on every website someone visits today doesn't help either that person or those websites.
It would simplify things greatly if instead of all that boilerplate, a short list of one-liners is all you need to state if you're only performing normal data processing for common purposes, as defined by official privacy standards along the lines pbhjpbhj suggests but perhaps specific to each common purpose. Then you only need to elaborate on anything unusual or particularly sensitive, and anyone interested in how you're processing data about them can quickly identify such cases (or verify that there aren't any and they don't have anything to worry about).
It would help if privacy policies were brief and clear.
And the way to do that is standardisation.
In many situations, at least here in Europe, you can go about your normal life without worrying too much about tricky contracts catching you out. There are consumer protection rules that restrict what can be done, prohibiting it entirely in some of the most serious cases, but also setting out reasonable expectations in some sense so that any business wanting to violate those expectations has to be clear about their alternative or might find it doesn't stand up if challenged.
One difficulty with the online world at the moment is that because it's very international in nature, even rules that apply across say the whole EU or at federal level in the US don't necessarily provide any guarantees to visitors of websites or recipients of emails because the business or other organisation they're dealing with might not be in the same jurisdiction as them.
On top of that, these big data-hoarding organisations pose an unprecedented threat to our privacy and ultimately to our freedom and way of life because there is an unprecedented amount of data collection and processing going on. Some things didn't really matter much at a small local scale, like the person passing you in the street seeing your face and knowing you were there at that moment in time, yet forgetting you a moment later. The exact same data points can matter a great deal more when we're talking about huge numbers of them being collected and collated by a single entity that can then process a more informative data set in ways that would never have been possible in the simpler case. Now the marketer or the government or the criminal who hacks the marketer or bribes the government official has a detailed record of your normal daily movements and any anomalies, or your spending patterns across everywhere you shop and everything that says about you, and so on.
We need a clear basic framework for what we as a society are and are not willing to permit in these areas, for how we trade off the potential advantages of organisations that might genuinely be trying to help us having access to more data against the potential risks of organisations that are not necessarily acting in our best interests having access to more data, even if in some cases they might be the same organisation using the same data in different contexts.
I personally regard the GDPR as a swing and a miss in this context. The intent might have been good, but it's so complicated and ambiguous that in many ways it creates problems rather than solving them. Crucially, that is particularly true for organisations that were trying to be responsible about how they work with personal data and privacy issues, which might have been looking to the GDPR and the national regulators for clarity about the ethics and legality of different practices with pros and cons.
So there have been some moves in positive directions recently, but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records. Does it really help anyone to declare obvious and indeed legally required behaviour like that, or is it just noise?
To pick a less obvious example, maybe we should have clear defaults about analytics. For example, perhaps a business is allowed to monitor how its customers are using its own hosted systems by default, but activities like accessing users' personal data uploaded to those systems for other purposes, exporting users' personal data from their local devices, or sharing any of this data with third parties requires explicit disclosure and maybe some level of consent.
Privacy policies could indeed be much clearer if only the exceptions to common sense had to be declared in some standardised way, and if an acceptable definition of "common sense" were itself provided somewhere through legislative or regulatory means.
The GDPR isn't a bunch of rules, it's a process. It's no different to your health and safety process. You define your process, what data you have and where it is and any risks.
Personally, with massive PII dumps getting leaked every week I'm not surprised governments are starting to act.
> but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records.
No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.
Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.
Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.
If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or given them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.
Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.
That's debatable. The GDPR itself explicitly notes [Recital 47] that even direct marketing can constitute a legitimate interest.
However, there are specific provisions for that case, particularly the explicit provision [Article 21, para 3] that if the data subject objects to processing for direct marketing purposes then that is black and white and that processing must be stopped.
Yes you do [have to state that in your privacy policy].
Compliance with a legal obligation is valid grounds to store and process data, but the information requirement still applies - you need to inform the customer what you're collecting and why, you just don't need their consent in this case.
E.g. the GDPR article 13.1.d / 14.2.b - you need to inform the data subject about what exactly is your legitimate need that justifies the processing of data; and customers then can judge whether that need (and the collected data for it) seems reasonable or warrants a complaint to the regulator.
The GDPR is an EU regulation. An EU regulation is a bunch of rules that have direct legal effect across the Union.
No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.
That's a legal basis for processing, which you also have to disclose. It doesn't exempt you from disclosing other required information such as the types of personal data you're collecting or your policy on retention.
>These twenty page privacy policies that I agree to with a flick of the scrollbar and a button click, or these equally boring popovers when I visit a site, are where the governmental innovation needs to happen next.
If the sites are relying on consent as their legal basis for processing personal data then hiding it in those policies is 100% a violation of the GDPR.
Enforcement action is unlikely to make headlines, though as it'd be such an open-and-shut case it won't even make a courtroom. The supervisory authorities will just impose administrative fines.
I get the sentiment, but wouldn’t this apply to something as simple and fundamental to the web as including an image that I don’t host on my webpage? The 3rd party hosting that image could be collecting a decent amount of data about people accessing it - I really have no idea what they’re doing, or any way to verify it.
This ruling feels poorly thought out to me. Activities on the web aren’t totally private, that’s how it’s always been. Getting rid of 3rd party content makes it ... kind of not the web anymore.
That's a very D&D Rulebook type interpretation :). Not that rulings should be ambiguous, but usually some common sense can be applied (and is expected to be reasonably applied).
The Facebook like button is a web tracker, disguised as a social engagement button. If not its primary -, then its secondary function is to (indiscriminately) track users and non-users outside of its walled garden, like some reversed Trojan Horse.
Hotlinking an image is just that: hotlinking an image. Facebook relies on us and lawmakers to say: "We just can't ban third party content!", while we perfectly could leave innocent third party content alone, and focus our sights on the spy button. It isn't reasonable, nor common sense to conflate the two: even if similar in syntax, the context is vastly different.
> That's a very D&D Rulebook type interpretation :). Not that rulings should be ambiguous, but usually some common sense can be applied (and is expected to be reasonably applied).
You can't build a business on assumptions made on an ambiguous ruling. And while common sense seems reasonable there it has no definition. Why should investors take the risk?
Lots of businesses, investor-backed and otherwise, currently operate within the “frontier areas” of the law. Some of them step a little too far and get whacked, others stay in the gray area for decades making money. Legal due diligence is not about guaranteeing 100% you’re above board. It’s about weighing the risks.
> Getting rid of 3rd party content makes it ... kind of not the web anymore.
This is what the web used to be like, every site hosted it's own content and the only third party content was typically limited to ads. Embedding third party content was considered a dick move at best, illegal at worst and larger sites would frequently block deep linking or being embedded in frames/iframes. Third party hosting only became prevalent when the web became bloated javascript.
> Bitkom, a German trade federation for online businesses criticised the ruling, saying it would heap costly bureaucracy on firms without enhancing consumer protection.
Swap "costly" for "mildly inconvenient" and then I could almost see where they're coming from but I think they're missing the forest for the trees here. Let the "like button" die, rulings like this take the wind out from beneath it and eventually it's a metric you'll never be burdened with.
They're not 'missing' anything. They're trying to convince others to agree with them.
Either they take a stand against holding all businesses liable for transfer of data, or those who pay them a membership fee will see an increase in liability or a decrease in the perceived precision of advertising data.
They're not missing the forest for the trees. They're busy logging the forest for the trees, and would very much like everyone to hear their call to action and join their side.
For context: Bitkom is pretty much a lobby organization and usually takes the most company friendly standpoint they can find, that's quite normal at this point.
> Under EU data protection law, therefore, a European retailer and the US platform are jointly responsible for gathering the data
I really hope this means that Facebook and all those stats/ads providers can be held responsible if they don't take adequate measures to ensure that only data from users who have given valid consent is sent.
Going after individual site operators is a fight against windmills. It would be much more effective if they could go after a company that provides an Ad SDK to hundreds of thousands of apps, but just tells the app developers in the fine print "by using this SDK you confirm that you have gotten consent from your users" - and as a result, knowingly accepts that nobody will care and data from non-consenting users will be collected.
I hope it applies to CDN's, I suspect data collection is the very reason they exist and that many are already collecting data, but even it tech circles it flies under the radar. On top of this there's potential issues with any third party and we'll need stronger guarantees from cloud hosts, data centers and the like.
CDN's are especially nefarious when it comes to privacy because they make it so hard to block third party content while retaining functionality.
It is interesting how with the many copyright and data protection acts and rules, that the EU is, in effect creating a whole new type of decentralised firewall for content for want of another way of perceiving it all.
Though this is a firewall for the people against business practice/malpractices. Which is a good thing. I'm sure there will be many cases of this causing issues, but on the whole, it does fall in the favour of the end-user, us the people.
I say firewall, more an IDS that reacts to breaches. But it is good how they are at least not ignoring and overlooking such details and this is a fine example of it being well thought out.
How much value does like and other sharing buttons provide to anyone other than Facebook/Google/Twitter these days? I’d argue very little.
I used to work for one of the larger social sites in the UK with many millions of unique users and we found that the social buttons got next to no engagement. Before I left we began the conversation about removing them entirely as they were just dead space on the page.
this is a great point. it would be awesome if indeed sites had to gain my permission before showing me an advertisement - or at least a custom one. someone should sue!
Do facebook Like button really matter anymore? I mean my page has over 5000 likes but there's almost nil traffic on my blog through my page. I have removed like button from my website and nothing has been impacted
It matters for Facebook tracking users in exchange for the "opportunity" of increasing traffic. Of course most of this traffic only occurs if you pay for it.
One thing that bugs me, is you cannot promote groups directly... you have to create a Page for your group... even if the page is a useless placeholder.
Ha true. and you HAVE to download facebook's app on your phone (500MB app) to prove your not a russian troll. Do not even bother with the page, pages are facebook's way to trick you into paying endlessly to "boost your post"
Will EU regulate mobile apps and the two dominant platforms too? On web I'm safe using blockers, no JS etc. But on my phone I lack alternatives to suppress privacy abusers.
Even on the Google Play Store, there's a browser called Firefox that supports the concept of "add-ons".
I know these are a novelty on Android where most people use Chrome because it's pre-installed - but add-ons are small, self-contained downloadable additions to your browser. There are multiple such add-ons that will block ads for you. They also work in-app where the Firefox WebView/custom tab is used.
I don't think the GDPR separates apps or websites, but the difference is that with apps you often agree to their terms by downloading/buying it whereas with websites you really can't agree until after you open it.
Sure, but that's already covered - you need to have a data processing contract with Google to use GA while being GDPR compliant. You'll have to do the same with Facebook for their buttons now, FB will provide an agreement and you sign it pro forma and that's it, I guess.
you need to have a data processing contract with Google to use GA while being GDPR compliant
That is true...unless you are not based in the EU and don't "envisage" (a term used in the GDPR) serving EU customers. Then you don't have to deal with any of this nonsense and are free to add whatever like buttons/analytics solutions you would like. A US site that doesn't offer translations in European languages, doesn't accept EU currencies, and doesn't use an EU domain extension, is not subject to GDPR - even if EU users can access it.
"Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
What bugs me, is most sites dealing with the issue throw up an "Accept" button with whatever blurb in place, but they're already including the metrics/etc scripts before accept happens.
I mean, I get it... but the whole point was to stop the behavior, not side step it.
For those that want to show official Share Counts on their Share Buttons while maintaining User Privacy, take a look at Shareaholic's Share Count Proxy -
I'm not sure a company that says "Imagine being able to capture, analyze, and re-target any person on any ad platform that clicks on any of your links on any marketing channel" is one that should be trusted with anyones privacy.
Shareaholic offers many different types of marketing tools. The product that you're referring to is the URL shortener, which is independent of the Share Count Proxy product -- https://www.shareaholic.com/link-manager/retargeting
This URL Shortener service is also GDPR compatible as retargeting pixels are not set for EU subjects regardless of what customers want to set. In the roadmap is to add an opt-in message on the redirect.
I get that you offer different types of tools, but my point is that trusting one company that markets tracking to anonymize the tracking of another company that markets tracking seems backwards regardless of if you say that this specific product actually does tracking or not.
Coming in cold, that's a very fair concern/comment. I generally believe that products can be privacy-first but still serve the needs of marketers while providing consumer choice. Consumer choice is the key in my opinion. Shareaholic tools do what the customer sets them to do, with opinionated safeguards to prevent customers from missteps with regards to GDPR and consumer choice. For example, Shareaholic is one of the very few that also respects DNT signals (even though DNT is now defunct).
Btw, Share Count Proxy is also whitelisted by Firefox which provides the added advantage of share counts actually showing on Firefox if you use the proxy while direct calls to Facebook.com, Pinterest, etc are blocked.
a side effect of the ruling is that now facebook is NOT liable for that consent, and google is not liable for analytics / adsense. Will the EU start going after the little guys now?
what's really missing in all this GDPR and privacy discussion is a technical way to enforce it. If you have a large multinational company with 50 TLD's you might have several hundred (including all the subdomains) that are Internet facing.
For a company on that scale to remain compliant to things like cookie law (mention every cookie and what it does for opt-in) there is no easy way to see if you're compliant. We need some standard (like security.txt) which defines how cookie data, impressum or other site specific links are expected which has to be machine readable. Right now every company creates it's own mess of html which is no fun scraping to figure out if the company is compliant or not. (yet scraping is what everyone in compliance expects to happen).
I wonder how these laws can be enforced without creating a huge administrative backlog.
for this there's a e-privacy regulation in the works[1] but it already took a lot of time... GDPR only got as much support as it did because the snowden leaks happened shortly before the vote.
As I understand it, it will include things like Do-Not-Track and a better cookie banner legislation, which makes the banners less common.
Enforcement is trickier. Let's wait for a few more rulings and see if that's enough.
”Right now every company creates it's own mess of html which is no fun scraping to figure out if the company is compliant or not.”
I fail to understand how anybody could scrape a web site to figure out whether it is compliant with the GDPR. For example, if I claim my site encrypts your data at rest, how do you verify it by scraping the site? If I say I don’t share your data with third parties, how do you verify it by scraping the site? If I say I throw away the encryption key when you delete your account, how do you verify it by scraping the site? if I say that, after deleting your account, all data is gone after at most 30 days, how do you verify it by scraping the site?
Good. The sooner the like button and all the other 'social media' plug ins disappear the better. It's trivial to host the button and the link on your own pages. That way only the actual likes get counted.
IMO, decent websites have been using something like that for a long time (the small subset of them that have like buttons, that is), so nothing will change for them.
That's already covered, FB is now treated more like GA in that you need to have a valid data processing agreement with FB if you're embedding their like buttons or you're not GDPR compliant.
I think GDPR requires website owner to inform users what exactly is being processed and by who. The problem for website owners is that Facebook won't really tell what data they process and who will they share it with or they do not seem to allow to revoke consent.
What exactly is the data being transferred? It is that the user has visited the site, correct?
The only way the third party site can know that is via third party cookies, or attempting fingerprinting as a third party iframe. Do you see any other way?
I thought that the EU already realized that this is a matter of cookies - in this case third party cookies of a site that you HAVE logged into. Browser makers should just let the user make a decision whether they want the requests to be automatically sent with third party cookies in this case — OR to explicitly approve every single time they log in using oAuth or want to share something.
Whatever happened to this proposed law from 2017, which correctly realized that it’s the Browser’s responsibility to let the user select the cookie policy they want:
The important crux of the problem is that the current model for all “like”/“social” buttons is that simply including the link grossly violates your user’s privacy.
Why should I have to surrender my privacy to read an article on your site? Why do you think that it’s ok?
The only time a your site should be sending tracking information to someone your user’s have not explicitly stated they want you specifically to share is when they have actually interact with the bottom. Not a mouse over, not a resource load, not an invisible overlay.
The use has to consciously opt to do that.
If you can’t ensure that your site isn’t abusing users/readers you need to gate all your pages with a page stating that you will be providing other companies with tracking information that provides your browsing history. You should also list all of the companies you will be sending that data to.
If you don’t want to do that because it will hurt “engagement” or “conversion” that’s your problem.
Alternatively you could have a banner that says “you’ve used our site so we sent information about your browsing history to these companies, and there is no support for deleting that information. We recognize that you may not like that but we don’t care about your privacy, and have no intention to preserve it”
> Bitkom, a German trade federation for online businesses criticised the ruling, saying it would heap costly bureaucracy on firms without enhancing consumer protection.
What cost is involved by not embedding third party bescons on your website?
How does it not improve consumer protections? It's literally stopping doing the thing that is causing harm.
> “With its decision, the ECJ places enormous responsibility on thousands of website operators – from small travel blogs to online megastores and the portals of large publishers,” Bitkom CEA Bernard Rohleder said.
Yes, this is exactly how serious this situation is. I'm glad you're getting a handle on just how damn huge this problem really is. Aren't you glad we're finally doing something about it?
> He warned that the decision would go beyond Facebook and effect all social media plug ins, which are important for many firms to expand their reach on the web
Uh, yes, that's the the idea? Your firm's right to expand their reach does not overrule my right to privacy.
People can still share and like your links on the social platforms. It doesn't require me to be forced into it.
Mind that Bitkom claims to represent German IT companies, but its leading members are (among others) Google (Google Commerce Limited, Google Germany GmbH), Facebook Germany GmbH, Microsoft (Microsoft Deutschland GmbH, Microsoft Ireland Operations Limited, LinkedIn Germany GmbH) https://www.bitkom.org/Bitkom/Mitgliedschaft/Mitgliederliste
The board (Präsidium) includes the CEO of Microsoft Germany, IBM, Heweltt-Packard, Samsung as well as SAP (they are at least German), Vodafone, Deutsche Telekom, etc. https://www.bitkom.org/Bitkom/Organisation/Praesidium
Bitkom is know to promote weak privacy rules and big data analysis.
This is totally sane. I don't ever want my browser to contact Facebook and Twitter when I'm visiting unrelated websites. This was bullshit from day one. Please do continue!
edit: I hope that this will also hold for Google with reCAPTCHA and Analytics.
That part won't change, though. It's now just that the website owners need either your consent or legitimate interest as defined in GDPR + they need to have a data processing agreement with Facebook. It adds a formality, but it won't have a lasting impact.
It’s more than a formality, it means that either party could get sued if they violate the terms of the agreement.
Having contractual relationships in place is common in this type of legislation. HIPAA regulations require formal contractual relationships with suppliers and contractors.
Well, I hope that at least some websites will opt for using an image they host themselves instead of adding this formality. This has to hurt user experience, no?
On the other hand, I guess this is only one more checkbox to tick among the checkboxes we already have to tick.
A self-hosted image + link adds friction, so I don't think that a lot of the mainstream sites (that aren't privacy conscious and do it already) will do it. And, of course, many shops already use Facebook tracking pixels to target visitors that didn't buy anything, so they have very little interest in keep FB out.
> the website owners need either your consent or legitimate interest as defined in GDPR
Well the part companies doesn't seem to "get" is that this consent should be informed and voluntary, which means opt-in and not only available after 3 minutes of jumping through ridiculous hoops to opt out.
The problem is the or part. They will generally claim legitimate interest ("we need this to fund our operation, FB helps") just as they do with analytics and ads. When they can show legitimate interest, they don't need consent, they only need to inform about the collection and inform you about your rights.
I'm with you that consent before action would be the right way to go. But since we can't rely on sites to be ethical, it'll stay the browser's business to protect the user.
I don't know how other countries are doing, but Germany's officials are apparently very understaffed, so complaints will regularly sit for months and they won't have a lot of time to understand the details, so I don't put my trust in oversight for the foreseeable future.
"It makes us more profitable, tough" is patently not a legitimate interest, and would fail the balancing test (the individual's interest overrides the legitimate interest). If it were as simple as "it helps fund our operation", the whole of the GDPR would be instantly rendered toothless as why else would they gather unnecessary data? It would open a "loophole" that lets everything through.
As far as I am aware, and I'm fairly certain about this: funding is not a valid legitimate interest under GDPR. If it was it would be a loophole big enough for a medium sized planet ;-)
Funding is a legitimate interest, it's at the very foundation of legitimate interests: companies need to make money to exist. "We need this to make money" is basically all they have to say - it's why Google/FB Remarketing, Cross-Network ID-Sync so all the networks have a unique ID of you when they talk to each other etc is still a thing.
The difference is that they now have to inform you that they are doing it, who is involved and who to direct requests for information / deletion to.
Yes, and I've also talked about this on multiple occasions with a lawyer friend who works in privacy law. A typical claim to legitimate interests would be for optimizing the website and ads on the website for example. It's so commonly used exactly because it's a very simple one-size-fits-all approach.
I have not heard statements going against this from any lawyers.
This is asinine. If you don't like websites including resources from a 3rd party you can block third-party connections, install a blocking extension. We don't need an authoritarian government to make these decisions for us.
Mark my words. This is going to have enumerable unintended consequences and the Internet will suffer for it. Fuck the EU.
> We don't need an authoritarian government to make these decisions for us.
Yeah man, just like people self-regulated to only drive at safe speeds, always wear seat belts, not hand over money to scammers.
Pray tell, how is the EU authoritarian? You do know that every EU government members is elected, either directly or indirectly, by the EU citizens, right?
I agree; if you do not want cookies then you can just disable it in the client, and if you do not want it to load third-party scripts or images, then you should disable that, and so on; the cookie warnings and all of that stuff is not helpful.
(Perhaps a better requirement would be to require the browser distributors to include warning labels about such features if they are done automatically.)
That is not quite what I meant. What I meant is independent of opt-in or opt-out, but is rather saying that such features in the browser should be and must be configurable, and that is separate from the issue of consent. (Maybe they should be disable third party cookies by default, or whatever, but it will work either way.)
What they will do with the data you give to them, is a separate issue than the web browser. The company you are dealing with still needs to have a proper policy for that, but that is different than the issue of the client configuration.
Requiring a warning message about cookies on the web page is not helpful, because that is the wrong place to put it; the browser can provide its own such warning, and the user can configure it. (Lynx provides the possibility to ask when a cookie is received.)
So, the actual problem is the browser providers designing them stupid, and making them such complicated that it is difficult to make up a new one which is actually good.
@oblio I self regulate on all those things. I don't need some bureaucrat in an ivory tower to do it for me at the threat of punishment (fines and/or cages) for not doing it. You're just a common bootlicker.
Is it also sufficient to you if the other guy that's crashing into your car's rear end at insane speeds promises to "self-regulate" his top speed next time?
> According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.
This is categorically false. The site that embeds the like icon is sending absolutely nothing to Facebook. The user's browser is the one sending information. You have control over your browser. You can do something about it if you don't like it.
The EU's regulations infantilize the public and removes consumer choice.
The execution of the Javascript does not occur on the company's resources. It occurs on the visitors computer, over their own Internet connection. Both which are in their full control.
Many sites who just don't want to deal with the regulation will simply not offer anything from a 3rd party on their site. That is least risky approach and most businesses paying attention will do that.
Yeah, stupid business people abound. If those offers are really interesting to the users, those sites will be replaced by better run ones, who correctly calculate the risks.
EU shooting themselves in the foot with all these data rulings. Innovation will never happen there, US tech products will slowly suck the wealth out of European nations, much like China manufacturing sucked the wealth out of the us manufacturing sector.
Needing consent for sending data to Fb is only consequential and consistent with the law's goals. It's been good practice on decent German sites for a long time to present social media buttons as greyed-out icons to indicate tracking code by those third parties is only embedded on the linked page.
Interesting, I would have thought that one of the few UI conventions that is fairly universal is that buttons are greyed out if they are inactive. I'm certain that many people will never click a greyed out button for this reason.
Not quite greyed-out as in disabled. Not sure merely using a b/w logo without logotext will work out with today's flat designs and usage habits. I remember it being used when minimal design wasn't as common as today, and the icons would stand-out (or rather fade into the background).
I think you're putting too much weight behind the like button here. It will be replaced by something else or stripped down to a version without any identifying properties, which I see as a win-win.
Add an image on your own website that links to Facebook. Problem solved. You keep your like buttons, their servers are no longer involved in serving your web page.
reply