Opt In
If they changed the law to make it a requirement that users actively opt in to tracking rather than opt out then I bet Google would make it a damn sight easier to find the settings.
Australian federal court sent a message to Big Tech about its willingness to act on privacy violations when it ruled today that Google had "partially" misled consumers about collecting mobile phone personal location data. For Google to not collect a device's location data, the user needed to let their wishes be known in both …
No I don't think that they (Google) would.
In the old consent form Google had for anyone wanting to use their YouTube service all the settings were set to opt in. With the new look consent form all the options are left blank, neither in nor out. So my guess is if you have not positively opted out Google will take that as saying "OK, take all my data to do with as you please."
These people are not to be trusted.
Not really. They would present a single "privacy" page with 100 settings each with a long-winded explanation, plus one handy opt-in-all button.
The trick is to include one or two items that nearly all users want, somewhere in the list. If the only way to make the pussy appear is to opt-in on one obscure thing, most users will opt-in-all.
Some websites already do this with cookie choices.
I wonder (rhetorically) why privacy pundits and regulators only ever seem to go after the big game (that can, incidentally, usually fight back effectively). When we researched GDPR compliance across multiple jurisdictions, verticals and scales we found that no business in our sample was compliant. The behemoths are not guilty alone.
Could it possibly be that taking the smaller, "easier" cases wouldn't get into the news, and wouldn't cause the bigger corporations to stop and think? It might give them the impression that regulators are too scared to go after them?
Conversely, going after the larger corporations, even if you perhaps don't have the complete victory you hoped for (as in this case) will definitely get into the news and may well cause smaller companies to think, if they can take on the might of Google and win, we don't have a chance - better make sure we're doing things properly in case they come knocking.
Just a thought...
Interesting report of yours, by the way.
M.
There have been several cases in Germany of smaller companies breaching the DSGVO (German name for GDPR - Datenschutzgrundverordnung) and being fined.
The difference between the big companies and the small ones seems to be that the small companies work with the authorities, actively clean up their act and receive (and accept) smaller fines as a consequence.
The bigger companies kick up a stink, go to court and hope that the lawyers + fine is going to be cheaper than cleaning up their act.
Guess which ones hit the international press? The small companies that comply and pay their fines like chastised children get a small mention in the middle of the news section of specialist IT magazines and portals. The big companies, actually going to court and kicking up a stink, get major coverage.
"Could it possibly be that taking the smaller, "easier" cases wouldn't get into the news, and wouldn't cause the bigger corporations to stop and think? It might give them the impression that regulators are too scared to go after them?"
On the other hand, going after the "small fry" helps to build a library of precedents and case law, making it easier to go after the big fish later.
Winning a court case against one company with a lot of customers will have more beneficial effect than winning one against a company with a few customers.
Admittedly BigCo probably puts up more of a fight, and with the same resources you could have fought 10 SmallCoes. But the chances are that BigCo has thousands more users than those 10 SmallCoes put together.
My experience in Spain tells me that the majority of sites think it is OK for site visitors to be told they can limit tracking cookies via their browser or make it as confusing as possible to opt out.
In fact lately, I visit more US Sites that offer simple opt outs than either UK or European ones.
Perhaps GDPR needs a new set of teeth and regulators who will actively employ them.
I'm seeing more and more that offer "opt-in" options, but the default is almost always show everything turned off but a big, bright "accept everything" button that you are automatically attracted to and a dull grey button that looks like it is disabled for saving your opted-out choices.
"My experience in Spain tells me that the majority of sites think it is OK for site visitors to be told they can limit tracking cookies via their browser"
Not just in Spain - pretty much everywhere. Unfortunately this breaches the law (not the GDPR but European Directive 2002/58/EC) because the distinction that law makes is between tracking devices (not just "cookies" by the way) strictly essential for the provision of the service and all other tracking devices, and no browser can make this distinction.
The only control you have in the browser is between first and third party cookies (ignoring all other trackers completely). In fact our exhaustive research has found no evidence of any business providing control of non-cookie trackers. Indeed even El Reg, despite having a non-essential cookie opt out, nevertheless carries an automatic doubleclick tracker on every news item on the front page, and you can't block that unless you turn off both javascript and images.
The GDPR applies to Australian businesses (and businesses anywhere else on the planet) when they process the personal data of subjects "in the Union". That actually means currently present there when the processing occurs, not just "resident" or a "citizen".
I cannot find a reference on the web, but I recall that one of the first prosecutions under the old UK Data Protection Act was of a vicar who used a computer to store details of the pack of Boy Scouts he ran. Just names and addresses, nothing untoward, but a breach as he did not have permission.
Conversely, when an IT expert logged on to Barclays Bank once for some online banking he was surprised that he could view anyone's bank details except his own. When he informed Barclays, they accused him of hacking into their computer system. Barclays was not prosecuted at that time. (Again this is so long ago I cannot find a web article, but I expect other Reg readers will remember.)
But.. but... users won't opt in! They don't know the benefits that constantly tracking and monitoring can get them: personalized ads, pre-approved loans, potency increasing pills, great investment opportunities! Don't forget about protecting them from terrorists and child molesters.
Funnily enough, Google do (definitely) know where I am but these adverts don't. They think I live near my ISP's HQ. I sometimes wonder if the advertisers have paid for location profiling and are getting diddled. Then I remember who they are and what they are advertising and suddenly I cease to give a shit.
If you put your data online, it's gone public. Sooner or later someone is going to hack it, leak it, or get at it via nefarious settings.
The reason why Google go to these lengths is because you want to use these services, but you don't want to pay for them. So they sell advertising and they sell your details to others who wish to advertise to you. If everyone refused to share their details with all online companies, you'd soon find out the real cost of using the sites, apps, etc. that so many take for granted. TANSTAAFL! Look it up people!
I have a sub to at least one website that is not required to view their content but which makes up for the fact that I adblock everything so they aren't getting revenue that way.
They aren't actually asking me to trust them, though I probably would. Instead, they have trusted me and it works.
It's a suboptimal minimum, aka a "false minimum" or "rut". Search has stagnated, gone backwards even, it has slid down to the lowest common denominator. Google's focus on apps development flails in the wind because of the indirect feedback caused by the app users being the product instead of the customer.
IMO Google is crimping its own development by getting bogged down in the zero sum data-slurping-advertising game. There is so much more that Google, with all its talent, should be capable of. To the extent that user privacy becomes law, I think that potential will become apparent.
I do not understand the number of downvotes. Maybe it's because the majority of the people posting and downvoting have forgotten that the VAST majority of people who access the internet are not IT specialists and really couldn't (that's could for those across the pond) care less about tracking.
The main impact of GDPR and the other well meaning regulations as far as I can see is to make it more difficult for the average punter to access the site they want.
Please come out of your little IT world and look around at the rest of humanity.
"If you haven't yet stopped Google from collecting personally identifiable location data, you need to switch off "
It's been a while since I read and tested as suggested, but I suspect it's the same as it was 2 years ago.
That this only turns off the ability for the user to see the tracking reports.
I think one of the test methods to find this is having google maps on your phone, turned off, tracking turned off, and it will still track you for the "road traffic" which means you are still being tracked, you just don't get to see the report.
If you have a couple people set up like this and they stop in the road, and you are coming up behind them, it will show on your map as traffic stopped ahead.
That is IF it's the same as it was
Something like this: https://www.theregister.com/2020/02/03/google_maps_hack_cartful_phones/
(I don't think that story provides evidence that Google continue to track, for traffic jam purposes, even after you've switched off location, but El Reg's article has links to the sort of things you were talking about. Also, I thought the story was very funny and deserves a re-posting every now and then.)
This is a wonderful demonstration of the level of paranoia being generated. What's being tracked here is the phone and by extension a car. Personally I'm quite happy with the idea I'll get a warning that there's an obstacle ahead so I have a chance to avoid it.
However, I do have a perfect solution to the whole tracking problem. Dump your smartphone and go back to a feature phone. It can still make phone calls.
Just spent frustrating hours going thru all the permissions settings trying to turn off Slurp and Co activities. Definitely Android designed to make one give up trying for a bit of privacy. All the not so obvious places permission to upload data. I do miss the ancient Nokias that just worked. Except for their feral autocorrect that took a fiddle to turn off. Perhaps company law should change so all big tech execs and political friends must have multiple cameras and mics installed in houses, yachts, except toilets. They are disgusting enough without that.
Already collected personal data can be deleted by the user through their Google Account.
I am more likely to invest trust in a second hand car dealer than Google. I reckon any delete request will simply mean they will mark the data as no longer visible to that user. I found the same with LinkedIn, btw, I once deleted the whole account, but when I recreated it half a year later it was suspiciously accurate in suggesting people to connect with.
The fun part came when I also created a fake user, ostensibly working at some well known companies - it was interesting to see the requests coming in for someone who did not even exist.
I am thinking about possibly grabbing a face of thispersondoesnotexist.com and setting up a couple of fake personas, each on a different country of origin (operating via VPN), just to see if I can get a handful of nuts into their gearbox.