Will this current government's blatant corruption ever cease?
(see above)
The UK government has published its plans for reforming local data protection law which includes removing the requirement for consent for all website cookies – akin to the situation across much of the US. Also notable is the removal of the requirement for a Data Protection Impact Assessment, as well as a new political …
Seems that American-style lobbying by the fatass corporations is alive and well in Blighty. (As an American, I apologize...)
Wonder what the quid for this quo was?
Yes, I know that 'quid' is another word for money (the Pound Sterling, IIANM).
Seriously?
The current (relentless) cookie pop-ups are not a solution to privacy, and the insistence that small companies have to jump through hoops designed to slow down industry behemoths is an insidious harm to new businesses.
This is nothing to do with big businesses "getting their way" (they already have), but a much needed admission that the current regime is a deeply flawed piece of petty bureaucracy that achieves next to nothing.
If you're serious about privacy for the masses (not your personal paranoia), then you shouldn't be advocating for the current idiotic sticking plaster of half baked pop-ups that only serve to obstruct and obfuscate.
I Don't Care About Cookies plus Cookie Autodelete plus blocking third part cookies gives you far more privacy than the cookie law could.
I used to use Cookie Whitelist but the cookie law made it impractical because I need to allow cookies on most sites so the cookies recording cookie consent (or not) can be set.
As for GDPR what I would like to see is exemptions for smaller businesses and organisations that have customer data for internal use. Facebook and Google may need strict regulation but a business with a few thousand customers should not need to worry about GDPR, nor should a parish church maintaining a contact list of its congregation. Both real examples.
"As for GDPR what I would like to see is exemptions for smaller businesses and organisations that have customer data for internal use. Facebook and Google may need strict regulation but a business with a few thousand customers should not need to worry about GDPR, nor should a parish church maintaining a contact list of its congregation."
Wrong. Whilst the impact of a single large organisation may be detrimental to personal privacy the impact of a very large number of small organisations is also likely to be detrimental ("death by a thousand cuts") to an individual.
Also define "internal use" - I would expect that most "smaller businesses and organisations" are using the likes of Microsoft (Office 365, Azure), Google (Gmail, Google Cloud), Amazon (AWS), etc to provide their IT services, it is unlikely to be solely stored on their own computer(s).
These "smaller businesses and organisations" are the only entities that can decide what personal data to keep, how long for, etc (their IT providers cannot) and so that is why they are subject to GDPR, they are the Data Controllers of the personal data.
The government plans new laws to remove the need for websites to display cookie banners to UK residents, permitting cookies and similar technologies to be placed on a user's device without explicit consent.
Good. Max Schrems is a pain in the arse and I curse his name every time I have to click yet another consent-to-cookies button before using a website. Today, everybody, I have been searching for "quick drying varnish".
All those billions made by Google, Amazon and Facebook come out of consumers pockets ultimately, and that almost certainly includes you.
Even if you don't purchase on t'internet, everyone's bottom lines are affected by how these corps work, and that is passed on to you always.
Your nose is raw, you've just forgotten the world when it wasn't
Assumed consent is already there and the absolute worst has been the shift of much of the data-grab and tracking into "legitimate consent".
The problem is that the Internet and and tool people use to interact with it (the web browser) are all big business, absolutely megabucks of money.
whatever is planned to improve privacy and reduce tracking is just a game of whack-a-mole because the scummy corporations make so much money from our data.
Cookie consent has just been one of them. You can reject all cookies except functional but then that list is as long as your arm. Then there is a separate tab for "legitimate interest" that even if you reject all cookies on the first is still enabled.
Then you have to scroll down 1000 lines to find the "Reject All" button.
This is just with enlightened users. The average user of a web browser just clicks the most obvious button within milliseconds of of it being presented. And that takes us full circle, for the 99.9% of people using the Internet, anything about cookie choice is irrelevant. Now that is a ridiculous situation to be in but that is exactly what the companies that control and make their money from "The Internet" want.
@Richard Tobin
Absolutely correct. I long ago proposed an approach whereby only strictly essential cookies would be served by default, and web sites wishing to serve non-essential cookies could only do so if the site visitor consented. That would not require a 'pop up' - just a link somewhere on the page that the user could voluntarily follow should they wish to do so.
The 'cookie pop up' has in fact been essentially used as a means of coercion into accepting non-essential cookies, as evidenced by the obtrusiveness of most - to the extent of blocking access to content unless selection is made (thereby encouraging thoughtless click-through). Indeed in several cases I have inspected, the non-essential cookie acceptance appeared to be unchecked (which is lawful) with styles enabled, but was shown to be ticked by default with styles turned off (illegal). And in all cases 'cookie consent' was provided by a 3rd party serve - surreptitiously engineered to favour the site host at the expense of the user.
The legislators never intended for this to be the case
Absofuckinglutely spot on.
Why are my choices "accept everything" or "do something annoying". Why was "accept minimal" not mandated as an option, and why was it not made a default? Advertisers might not be thrilled with the current disaster, but at least they've managed to subvert it to the point where we think that the consent process is the problem.
It's happening. Many sites, Google included, are being forced to offer a simple reject choice instead of forcing users to go through multi-click processes to reject tracking cookies.
Still nobody forced companies to use cookies dialogs, the could have chhose to honor the do not track flag or make cookies opt in in a separate page. They have chosen that way because they wanted to annoy people as much as they can to force them to accept cookie.
GDPR requires informed consent before tracking. Just as long as you 'work with the industry' instead of setting the required rules to protect citizens' rights, the industry will try to water down any rule as much as they can.
So you don't 'work with'. You listen to their opinions just like any other party involved, and the decide, even if the industry doesn't like it. There is no fundamental right to easy money exploiting others.
"I long ago proposed an approach whereby only strictly essential cookies would be served by default"
There's no such thing as a strictly essential cookie. None of them are essential.
Cookies only exist for two reasons: lazy/stupid web developers and marketing scum.
Any web site that cannot work without cookies is fundamentally broken.
Don't be daft. HTTP is stateless - if you want to maintain any sort of state, you need either cookies or session codes in the URL (which don't survive browser crashes, and don't really bring any benefit over a short lived cookie). Without state we lose the ability to log in anywhere. No shopping carts, no web email, even Reg comments. How do you think you logged in to post this as... er, Anonymous Coward? OK, perhaps that's not a great example.
It's the "bad cookies" I think most of us don't want. Unfortunately they're like bad art, tricky to describe up front but I sure them when I see them.
"HTTP is stateless if you want to maintain any sort of state, you need either cookies or session codes in the URL"
It's true HTTP is stateless. But that's a different thing. Browsers are perfectly able to maintain state - and do that without cookies.
"Without state we lose the ability to log in anywhere."
Nope. State is not needed to login - unless it's to a fucked up, badly designed web site.
"How do you think you logged in to post this"
By typing the username and password while cookies were disabled. It works just fine.
One of the more irritiating things I find is the name "cookies".
The name is deliberate chosen so that less tech savvy people think they are accepting a sweet treat - and not the actual thing being delivered in most cases.
Would your average grandma agree to something that said "Accept All Creepy Stalking Software so we can monitor your web browsing habits and sell that information to AOL?".
It would change the game. Maybe if just a few of us start calling them "Stalkies" the trend will grow.
"One of the more irritiating things I find is the name "cookies". The name is deliberate chosen so that less tech savvy people think they are accepting a sweet treat"
But what most people haven't been told is that cookies are not the only tracking mechanisms, but all tracking mechanisms are covered by the legislation (not fundamentally the GDPR but implementations of European Directive 2002/58/EC (in the UK - The Privacy and Electronic Communications Regulations).
As browsers typically only have (minimal) control over cookies in the literal sense but not over other tracking entities (e.g. javascript widgets), the whole argument about cookie pop-ups has always been fairly devoid of meaning.
But even if the only issue were with cookies in the literal sense, the fundamental problem with reliance on cookie controls in browsers as HMG are proposing is that the purpose of the cookie (essential for delivery of the service or for some other purpose e.g. tracking) can not be determined by the browser. Only the origin is detectable, and as 'serverless' delivery is increasingly implemented, it's probable that some third party cookies will be essential for delivery of the service, but of course others (maybe the majority) will be for other non-essential purposes. So how is the browser to distinguish between them? It can't, so the proposed change to the legislation will legalise uncontrolled tracking of all and sundry, as site publishers will rapidly work out how to prevent sites being usable unless all cookies are permitted regardless of their purpose.
If I were cynical, I might suspect that the proposal is intended to achieve this in aid of what was referred to in the 'Digital Regulation: Driving growth and unlocking innovation' consultation (July 2021) as an intent to 'take a deregulatory approach' i.e. to make things easier for the big players to monetise us.
So how do you think the browser is telling the server that you are logged in next time you go there? By magic?
No, it is not by magic: it is by sending a little bit of data which the server looks at and says 'oh, that is that nice coward person again, they have authenticated themselves with me, I need not ask them again'. You can call this little piece of data and elephant, or a fish if you like, but what it is is state.
Yes, you can use HTTP headers and you can also pass encoding session info in the URL - I made that point in my original post. But close (or crash) your browser and reopen and URL encoded state, or Authentication header state is gone. As for localStorage, they're worse than cookies - third party scripts running on your page (eg ads, social media links) have access to it. Cookies are the correct tool for this job, and remain useful when not abused by third parties.
If you have a web site that requires a log in, or a shopping site with a shopping cart feature, then cookies are a reasonable solution.
And by logging in, or adding something to a shopping cart, you should be consenting to cookies for those purposes.
But most sites shouldn't need cookies.
Any web site that cannot work without cookies is fundamentally broken
If you have a website that uses some combination of identification, authentication and authorisation, you need somewhere to store the token(s) that represent your present authentication status and level of access. You can of course encode that in a URL, but it makes bookmarking a bit of a pain and it simply turns your browsing history into a cookie jar by another name.
The real issue is with cookies belonging to a domain other than the page origin and, whereas it might be attractive to block them completely, as long as you accept the need for websites to have multiple IP addresses (load balancing, redundancy, CDNs...) there will always be DNS games you can play to at least partially circumvent the block.
If you have a website that uses some combination of identification, authentication and authorisation, you need somewhere to store the token(s) that represent your present authentication status and level of access.
That may well be the case. This doesn't mean that somewhere must be a cookie. It often is because web developers are so lazy or stupid, they see any sort of identification, authentication and authorisation issue as a cookie-shaped nail that can only be hit with a cookie-shaped hammer. Instead of actually thinking about the problem that needs solving, they just reach for the cookie jar.
This doesn't mean that somewhere must be a cookie
Cookies are just local state. They are the only local state that all browsers offer, so I'm not sure where else a web developer, regardless of talent or work ethic, might think to store this data. You can easily turn off the persistent storage of local state in your browser and that should perhaps be the default, but that's not within the control of the web developer.
Any other local state would have exactly the same issues - you don't solve the problem by changing its name.
"Any web site that cannot work without cookies is fundamentally broken."
Am I right in thinking you've never developed any website that needs to maintain session information? Which these days tends to be *most of them*. However, most of the time you shouldn't need to serve the user more than one cookie for that (although it starts to get more complicated when the friendly page you serve your user is pulling content from several different places).
I wouldn't mind so much if once I've said "no to all cookies" that was it but it never is, every month or so (and El Reg is not an exception) up comes the stupid pop-up I suppose just in case I've changed my mind.
I wonder if you select "yes to all cookies" do you still get the cookie message at the same interval or are they deliberately making it as irritating as possible for those who opt out?
When I exit my browser it zaps cookies. I can't ask it to remember things (eg logins) when I then tell it to forget things.
People (lazy sods that they are) want the computer to do the work for them. Most don't care about cookies, don't care about their web activity being tracked, and see the popups asking "will you accept cookies" as an annoyance.
What you, and a lot of the others on this forum seem to want is "remember things that make it easier for me and forget the rest" but the problem comes from the fact that the computer has to remember what to forget - woops.
Websites should not be allowed to set any non-essential cookies without the user opting in
They shouldn't but they do because you're just another revenue stream. Straightorward solution? Block all cookies, not just third party. You don't need them unless you're logging on to a website. Mozilla warns me that disabling all cookies will break websites but that's a load of BS - websites all work fine unless you need to log on. I cheerfully click 'Accept All Cookies' on websites that prompt me then check browser cookies - empty.
https://addons.mozilla.org/en-US/firefox/addon/cookiesnew/
This Mozilla browser extension toggles acceptance/blockage of all cookies. I enable cookies to login/shop/bank then remove them but otherwise all cookies are blocked.
No one cares about your privacy except you.
Much as I agree, I think the whole cookie popup thing is a disaster. It should never have been that each individual site is responsible for deciding the wording and interface for opting in and out of cookies, and writing all the code to manage it.
Instead, there should be clearly designated types of cookies (essential, third party, tracking, etc.) as web standards, each site then only need designate when creating a cookie what type it is. The interface to opt in or out, or select what to do with each type of cookie would be built into the browser itself.
Of course this would only apply to browsers created going forward, but at least users would get a consistent interface regardless of site, because lets face it, it's a shit show now where every site you visit gives you options in different parts of the screen, in different colours and fonts, with different wording and options.
Furthermore, it makes far more sense to push the workload for implementing this to browser makers, of which there are very few, than instead expecting every web site on the internet to create their own custom code to manage this, or have to install some plugin or other code. This way, each site only needs to add an attribute to each cookie designating what type it is, and the browser takes care of presenting the choice to the user and accepting/rejecting cookies.
A big part of the problem is that the average ordinary Joe doesn't understand what the implications of accepting or rejecting these different "flavours" of cookie will be.
And, to avoid being patronising here, they shouldn't have to.
When you plug your toaster into the socket, you don't need to check a box to confirm that there is 240V AC 50Hz in the wires; and if you didn't specifically opt out you'll get 100000V on the line.
We in IT are still in the wild west era, like electricity was 100+ years ago. We need to develop our own equivalents to fuses, circuit breakers and overload protection, so anyone can use the internet without a "shock".
But when all the incentives point in the other way, so having live wires poking out everywhere means you make a shed load more money, it's going to be a long time before we get there.
-- A big part of the problem is that the average ordinary Joe doesn't understand what the implications of accepting or rejecting these different "flavours" of cookie will be. --
Fully agree - neither do I and I've never seen any one of these security and privacy spell it out in terms that might be understandable. Ooooo they'll collect your browsing data and monetize it - yeah what does that ACTUALLY mean to me - does it put up the cost of a loaf of bread or what?
A big part of the problem is that the average ordinary Joe doesn't understand what the implications of accepting or rejecting these different "flavours" of cookie will be.
Or perhaps those "implications" aren't nearly as awful as the tin-hatted brigade would like us all to think.
@Richard Tobin “Websites should not be allowed to set any non-essential cookies without the user opting in, nor should they be allowed to put up blocking banners. If they want more cookies they can just have a link to an opt-in page.without the user opting in, nor should they be allowed to put up blocking banners. If they want more cookies they can just have a link to an opt-in page.”
The solution is more straightforward than that. Websites should not be allowed to set any non-essential cookies. The end, no opt-in option, no asking for consent. Consent cannot be given because:-
a) The person giving consent may not be able to give informed consent e.g. a child.
b) The person giving consent can only give consent for themselves not for others that may use the device. How can the websites know that the person using the device 10 mins later is the same person that gave consent?
You're always a ray of sunshine, aren't you.
Show us another - any other - nation that, in the majority of its population, is any different or has any real ability to make any difference whatsoever. Any nation that is not prone to political self-indulgence. Any nation whose populace is immediately able to challenge, affect and indeed override any decision made by their government.
And no, protest don't usually make a difference. Governments that allow them by and large acknowledge then ignore them.
"they are derailing the core purpose of data protection which is to protect rights and freedoms" Rowenna Fielding
I (probably among others) hugely stressed this possibility in my response to the public consultation. The result is protection of data only, not protection of persons in respect of the processing of their data, so the entire original intent of the legislation as currently enacted is rendered void. Those to curb whom the legislation was conceived will be laughing all the way to the bank, and there will probably be plum jobs waiting at the data slurpers for ex-ministers to take up when they leave government office.
Sadly, as other countries continue to model their data protection legislation on the GDPR as the best of kind so far, the UK appears to have decided to abandon it and throw human rights to the wind.
Agree with this. GDPR is far from perfect and the cookie banners are annoying but the processing part and its impact on rights is the bigger issue.
The decisions that are made by the algorithms based on the data collected is the real problem. Not thinking of today but tomorrow when insurance companies profile you based on your browsing habits and adjust your premium automatically or the private hospital provider automatically refusing to engage you as a client because of your profile. They can't do it now because of GDPR, they can if the processing requirements are slackened.
In other news, big business continually avoid paying taxes by the use of offshoring and highly creative accounting...
It's unlikely to be taxes, and rather more likely to be a more direct route between cash-strapped corp and politician's wallet.
I fully agree with cookie consent requirements in principle, I don't believe the requirements should be lifted.
In practice, unfortunately, most people have no idea what they are consenting to, and it has just put people in the habit of blindly clicking 'Accept' on anything that pops up on a website, which means they also blindly give consent to websites to bombard them with pop-up notifications, which leads to me getting phone calls from people who think they have "a virus or something"
"I fully agree with cookie consent requirements in principle, I don't believe the requirements should be lifted."
It seems to me that lifting the requirements will incur costs to the website because they have to spend time either stripping out the code, or re-coding so UK visitors no longer see the consent pop-ups that the EU will continue to see. Leaving things as they are ought to be cheaper since that money has already been spent implementing the cookie consent pop-ups.
Lots of comments about cookie banners but we really should be more interested in not being able to challenge automated decision making and the other stuff they've buried in this bill.
Friends don't let friends be Express readers.
* Actual Express headline.
We don't care about bleeding trade! This is Britain! We won World War 2 single handed and have made literally no strategic errors thanks to 900 years of unbroken conservative government. Trade is a type of cooperation, and cooperation is for girly swots. Onwards to victory! Crush the saboteurs! Send em back! Hanging's too good for them! Wait what was the question again?
@JimmyPage
"not great for trade then ..."
Not sure if your referring to the EU cutting itself off through imposition of the regs or the US companies not considering the EU regs worth complying with.
In the end the usual trade situation occurs where people targeting foreign visitors will meet the requirements of that foreign country, otherwise it aint worth doing.
People who bleat about "rights" forget that you ONLY have the "rights" society chooses to grant, and society can change its mind at any time. There is no such thing as a "natural" or "inherent" right that you are truly guaranteed.
Anyone who thinks otherwise need only consider their so-called right to "freedom" and what happens to it when they get locked up for committing a crime.
The world would be a much better place if people stopped banging on about "rights" and looked at the issues from the other direction, as "duties". For example, instead of saying a certain category of people have a right to something which helps them, we should say that people not in that category have a duty to ensure that the others get help.
Sadly "duty" is seen as an archaic concept, after years of Labour politicians telling us that only "rights" matter. :-(
The War on Cookies is a good example of "be careful what you wish for," though. With cookies now easily defeated by the average consumer, adtech is moving their tracking to server-side where it's much harder to detect and block.
I followed the link you provided and found a reasonably clear description of how the marketing industry keeps tabs on potential customers.
Please explain why server-side activity is harder to keep in check than client-side? In order for information to be processed and stored on the server it first must be allowed free passage from the client. Cannot that passage be blocked in similar manner to inward intrusions such as scripts?
I suppose everybody commenting here already implements one or more of the free to use 'apps' and browser add-ons available for blocking intrusions from 'commerce' on their personal devices. For some years I have managed a cookie-restricted, free from pop-ups, and 'ad-free' existence. For most interactions with the Internet little more than basic configuration of these protective utilities suffices. Sometimes, when sites by default push a large number of ancillary connections it is desirable by trial and error to identify which can be blocked e.g. script injecting sites.
Perhaps, the generality of mankind deploys at most limited scope tools bundled with the MS Windows Home Edition and some may buy programs and suites offered on the Windows 'Market Place'. Because recent Windows Home incarnations have become marketing and entertainment places, ordinary users have limited control, but still can use the free tools alluded to above. Maybe some proportion of these users enjoy garish 'ads', 'pop-ups', tailored 'ads', and notifications; I doubt the Windows user interface would be so 'busy' were not that the case.
Nevertheless, many users of Windows and Android devices are unaware of the power they have to curtail intrusions. Legal restriction on cookies etc. are almost irrelevant when a device is properly configured; the only truly annoying feature for which seemingly there is no workaround yet is the the permission seeking overlay which can deny access unless acknowledged.
Almost universally in Internet connected schools across the globe Windows devices are used some of the time as teaching aids. Pupils generally have Windows PCs and laptops for home use and Android phones are ubiquitous in the West. Presumably all pupils are exposed to some general teaching about computer technology and IT; that is the point at which protection against commercial intrusion can be introduced. So far as I know, schoolteachers in the UK retain some flexibility concerning how a syllabus is approached. Should not teachers with IT knowledge accept as professional responsibility need to acquaint pupils with how to curb commercial intrusion? This particularly in context of Windows and Android devices. Given Microsoft's cleverly concocted dominance of educational computer use in schools and colleges, it may be too much to ask for pupils to be introduced to operating systems (primarily Linux variants) not inherently designed to service commercial marketing.
I doubt it is going to make much difference to the number of cookie consent banners you are going to see on a daily basis, sure UK websites that only server UK users can get rid of them. But if you have EU visitors then you are still obliged for them to consent to the cookies you want to use them.
So i expect most websites will still keep them to err on the side of caution. After all many US websites have them and their is no legal requirement in the US for cookie consent banners, and that is a much larger user base than little old Britain and our 'taking back control'.
Many US websites have them. I may be wrong, but I am pretty sure they only pop up when they detect an IP address which resolves to an EU geographic location.
The same would apply to the UK if this change goes through - cookie consent banners will be automatically displayed to visitors to a UK website whose IP address is within the EU, but not to those located elsewhere (including those located in the UK).
Privacy law is one of the best weapons governments have to build walls on the net and fence off their turf in a deglobalised internet. If you don't comply with a nation's privacy laws, the state will block your site. At a stroke, the internet for UK surfers ends at Dover, aside from the huge, mainstream sites.
That said, I would vote for anything that means I don't have to keep clicking 'Agree' on every damned website I go to. It is a pointless waste of time.
Cookies ARE NOT THE PROBLEM!
Take a look at various organisations which are aggregating personal information for profit:
- Palantir (about to aggregate ALL medical records in the UK)
- Acxiom
- ClearViewAI
....not to mention the more obvious candidates (Google, FB, GCHQ, NSA.........)
Cookies......don't make me laugh!!!!
Agreed. Cookies are just a distraction. What's more alarming is the proposal that the government have greater control over the ICO. The ICO and other supervisory authorities should be able to hold governments to account. They're supposed to work for the citizenry as a whole, not for governments.
You do see banners with a "Reject all" button. That's supposed to accept only the essential cookies. It should be the other way around, though. Put a little link at the bottom of the page to show the cookie preference centre, so that people really are making a choice to accept them.
Of course, a large number of sites that do have a "Reject all" button still aren't compliant, as it's only a dummy.
It's the new Anarchy.
I do like GDPR cookie popups, not that I believe it makes a bit of difference if I do choose to 'Reject all' - a bit like voting.
It's the 'Partner' data slurpers I like to see - many run to 300+ That tells me all I need to know about the ethos of the site. 'Spartan sites' I call them, ironically, but no-one laughs..
Of course. vanishingly few are going to manually run down switching off 300+ 'partner' cookies & trackers; but It's a good way to decide to reject all that site offers and never return.
The lovely caveat to 'Reject all' is 'Except necessary', but that's not user defined; so whither cookies when the 300+ have been deemed necessary... just like voting, or policy proposals..
U-Blok-All : install and run on your nearest Government department today.
I totally agree with UKGOV that cookie consent banners should be removed and replaced by default opt-out, a website can provide a link to page the describes what each cookie does and who will receive the data and that explicit consent has to be given. Simple, clear and rules that only a lawyer can understand.
reforming local data protection law
In case I was mis-remembering what "reform" means. I looked it up.
Dictionary.com puts it simply at https://www.dictionary.com/browse/reform
Reform means the precise opposite of what the government does every time it talks about "reforms".
As normal, this is specifically intended to make the system less effective.
I accept all cookies either with a plugin or manually where it doesn't work. It doesn't seem to be doing me any harm, so why are folks commenting on this forum so worried about cookies? Are there really virtual criminals using the information from cookies to data-mine browsing history, and if so should I care?
So the next review of risk questions ...... Are there buyers? How much would they get for it? How could they monetize it? Would it have any detrimental consequences for me? Why haven't I noticed them in the 28 years I have been using web browsers and not worried by cookies.
Do some people really not understand the implications of all your personal data being held in a database on somebody elses server:- web visits, types of site you look at, things you buy, things you comment on and quite likely harvesting of personal details from your device relating to addresses, bank accounts, contacts, and quite likely passwords too (those doing the harvesting don't tell anyone openly exactly what they are harvesting and how they are storing it.). The build a profile which clearly identifies you and singles you out as an individual.
They will claim it is 'anonymised', but this is claptrap - one of the main uses of this data is to feed supposedly relevant adverts at you, so it is quite blatantly obvious that it isn't anonymised; it points directly at you via identifying cookies, your IP address or identifying the profile of your device (formed from all the data you have allowed them to take).
The risk is when other organisations (other than just a slingers) may start buying this data and using the profiles constructed from it to determine whether they provide you with (for example) insurance or healthcare.
Then there is the risk that at some stage some miscreant finds a way to hack into the database of all this information and finds sufficient specific data to steal your identity. If you think this is trivial, I suggest researching the experiences of those who have had a brush with identity theft (and consider how you get it back when all the usual markers that prove who you are now point at somebody else).
Sounds far-fetched perhaps?, but is nonetheless perfectly possible - do you know who all the entities draining your data from your device are? Do you know exactly what data they are mining from you? Do you know their data security arrrangements for keeping your data safe and secure? Do you know what other entities or individuals they are selling your personal information on to (or for what purpose)?
The internet is not a nice, warm, friendly social club. It is more akin to the type of public house you might come across in some of the less salubrious areas of inner cities, which you would not feel safe entering unless you were already known and accepted by the locals (and in all probability would not feel safe entering even if you WERE already known and accepted by the locals).