GDPR Wrong

The GDPR is a new EU-wide legislation that harmonizes the handling of personal data for all EU citizens. You can read a decent executive summary from ZDNet or you can read about it from the EU.

In general the basic concept is this: If you accept data from your users, you have to:

  1. Be upfront about what you're using it for outside of expected business purposes
  2. Gain their explicit consent before using it for any other purpose (don't pre-fill 'yes')
  3. Notify them in a timely manner if their data gets leaked

Seems pretty easy right?

It seems like this is the sort of thing we really shouldn't need regulations around, right? I mean, businesses want to treat their customers well, don't they?

For an eye-opening look, check out this study on web design anti-patterns by the Norwegian government.

This is a personal example of how not to comply with the GDPR.

I recently clicked through on google news to westernjournal.com (not linked).

I was presented with this screen:

That's nice, they value my privacy

Nice. So far so good, a big old "I do not accept" button.

However, clicking on the button leads to this page:

I guess they don't value my privacy?

That page also included over 3,000 lines of JavaScript code.

It also set all these cookies:

# HTTP Cookie File for westernjournal.com by Genuinous @genuinous.
# To download cookies for this tab click here, or download all cookies.
# Usage Examples:
#   1) wget -x --load-cookies cookies.txt "https://www.westernjournal.com/consent/"
#   2) curl --cookie cookies.txt "https://www.westernjournal.com/consent/"
#   3) aria2c --load-cookies cookies.txt "https://www.westernjournal.com/consent/"
#
www.westernjournal.com	FALSE	/ct/lib-asks-man-america-great-1-answers-heard	FALSE	1532599690	crfgL0cSt0r	true
www.westernjournal.com	FALSE	/consent	FALSE	1532601297	crfgL0cSt0r	true
.westernjournal.com	TRUE	/	TRUE	1563530877	__cfduid	dbfce454d17e032255460a1d8e01d90641531994876
.westernjournal.com	TRUE	/	FALSE	1595068496	_ga	GA1.2.991361300.1531994877
.westernjournal.com	TRUE	/	FALSE	1532082896	_gid	GA1.2.1861682707.1531994877
.westernjournal.com	TRUE	/	FALSE	1531998296	__asc	5362c90b164b202ad7381221a20
.westernjournal.com	TRUE	/	FALSE	1563618896	__auc	5362c90b164b202ad7381221a20
www.westernjournal.com	FALSE	/	FALSE	0	_cmpQcif3pcsupported	1
.westernjournal.com	TRUE	/	FALSE	1595066877	__gads	ID=e69e6f0e460284ac:T=1531994877:S=ALNI_MaHAB4xWxvI-vFNqfu8m4oRTByNFw
www.westernjournal.com	FALSE	/	TRUE	0	GED_PLAYLIST_ACTIVITY	W3sidSI6ImgveGUiLCJ0c2wiOjE1MzE5OTQ4OTAsIm52IjoxLCJ1cHQiOjE1MzE5OTQ4NzcsImx0IjoxNTMxOTk0ODkwfV0.
www.westernjournal.com	FALSE	/	FALSE	1532601277	crfgL0cSt0r	true
.www.westernjournal.com	TRUE	/	FALSE	1565692495	eupubconsent	BORI95iORJB0WAKADAENAAAAAAAAAA
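To turn a dump like the one above into an auditable finding, here is an added example (not code from the original post or from the site) that parses the Netscape cookies.txt format and lists the persistent cookies a "do not accept" click should not have produced. The capture time is assumed from the creation stamp embedded in the _ga value, and the set of cookie names treated as legitimate consent storage is an assumption of mine.

```python
# Rows constructed from the cookie dump above (a subset of them).
COOKIES_TXT = """\
# HTTP Cookie File for westernjournal.com
www.westernjournal.com\tFALSE\t/consent\tFALSE\t1532601297\tcrfgL0cSt0r\ttrue
.westernjournal.com\tTRUE\t/\tTRUE\t1563530877\t__cfduid\tdbfce454d17e032255460a1d8e01d90641531994876
.westernjournal.com\tTRUE\t/\tFALSE\t1595068496\t_ga\tGA1.2.991361300.1531994877
.westernjournal.com\tTRUE\t/\tFALSE\t1532082896\t_gid\tGA1.2.1861682707.1531994877
www.westernjournal.com\tFALSE\t/\tFALSE\t0\t_cmpQcif3pcsupported\t1
.westernjournal.com\tTRUE\t/\tFALSE\t1595066877\t__gads\tID=e69e6f0e460284ac:T=1531994877:S=ALNI_MaHAB4xWxvI-vFNqfu8m4oRTByNFw
.www.westernjournal.com\tTRUE\t/\tFALSE\t1565692495\teupubconsent\tBORI95iORJB0WAKADAENAAAAAAAAAA
"""

# Assumption: the visit happened at the creation timestamp inside the _ga value.
CAPTURE_TIME = 1531994877

# Assumption: cookies a site legitimately needs in order to remember the
# visitor's consent choice itself; everything else persistent is suspect.
CONSENT_STORAGE = {"eupubconsent", "_cmpQcif3pcsupported", "crfgL0cSt0r"}


def parse_netscape_cookies(text):
    """Yield one dict per 7-field data row; comments, blanks and malformed
    rows are skipped. Field order follows the Netscape cookies.txt format:
    domain, include-subdomains, path, secure, expires, name, value."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, subdomains, path, secure, expires, name, value = fields
        yield {
            "domain": domain,
            "subdomains": subdomains == "TRUE",  # leading-dot scope
            "path": path,
            "secure": secure == "TRUE",
            "expires": int(expires),  # 0 means a session cookie
            "name": name,
            "value": value,
        }


def audit_declined_consent(text, now=CAPTURE_TIME):
    """Map each persistent, non-consent cookie name to its lifetime in whole
    days from `now`: the cookies that survive a declined consent dialog."""
    flagged = {}
    for c in parse_netscape_cookies(text):
        if c["expires"] == 0 or c["name"] in CONSENT_STORAGE:
            continue
        flagged[c["name"]] = (c["expires"] - now) // 86400
    return flagged
```

On the rows above this reports the analytics and ad cookies (_ga, __gads) as two-year cookies and _gid as a one-day cookie, all set after the visitor declined.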

This is after I said I don't want to be tracked. It also set cookies for the following domains:

What happens if you say yes?

It's unlikely that this company has any presence in the EU, so they really didn't need to comply with the directive at all, but if you're going to do so, why spend all that time and money and then just make it a charade?

As it stands now, this site is not compliant with the directive. You aren't allowed to block someone because they didn't want to give you data that isn't necessary to provide them with the service.

That's the end of my rant. Thanks for reading.