Data Privacy: Are We Protected By GDPR & Cookie Notices?

    As wars continue to emerge among Facebook, Apple, Google, and others, it was only a matter of time before I would feel the need to write about data privacy, the General Data Protection Regulation (GDPR), and other things happening around the net these days.

    What is going on?

    For one, Apple is essentially adopting an opt-in approach for all apps that want to share information. This step aligns with GDPR, the California Consumer Privacy Act (CCPA), the Brazilian Data Protection Law (LGPD), and laws in about 120 other countries and regions.

    But Facebook and other publishers do not like what Apple is doing. With one small slice, Apple cut into the data pipeline that runs from their devices to the data coffers of the publishers. Thanks to Apple, it is now up to each individual user to go into each app’s notification settings to enable their search history and other data to be sent to publishers like Facebook. The data, of course, helps provide targeted ads and enables other actions, disclosure of which is typically buried in endless pages of their “Terms of Service” and “Privacy Policies”—which most people never read.

    The seemingly endless verbiage in the Terms of Service is written expressly for two purposes:

    1. To state the company’s rights regarding the ways in which we are allowed to use their device, application, or service, and
    2. To ensure there is enough content—cryptically written—to dissuade us from reading it and knowing what we are agreeing to.

    Good News, Right?

    In case you are new to the world of the internet or the real world, it’s helpful to point out that any change that tips the scales too much to one side will eventually create some reaction or crash on the other side.

    The Apple/Facebook war has been documented quite clearly, and makes for a good impartial read. The author notes that, without targeted ads (made possible by the data gathered from all of us), other businesses will suffer.

    Are you willing to trade a little of your navigation or app usage history for some ads? If so, opt in. Otherwise, opt out.

    What annoys me most about the absurdity of the millions of dollars of public funding we spend on drafting laws to protect user privacy is the fact that the users—that’s us!—do not want these things imposed on us.

    Need an example?

    Cookies, Cookies Everywhere!

    If the goal of GDPR and other similar regulations is to challenge website owners to waste more internet bandwidth, reduce usability, and generally implement meaningless banners that, much like their Terms of Service, people don’t read but instead simply click on whatever button it takes to make it go away, then, yes, they have succeeded.

    In years to come, those cookie alerts will be looked back upon as the silliest concept ever imposed globally on everyone and as literally serving no purpose.

    It’s the equivalent of a person who is being followed placing a sign on their back that says “Stop Following Me.” It’s like the stickers some of us put in our mailboxes that read “No Publicity,” yet which we see every day as we pull out massive quantities of publicity mail from our mailboxes.

    It is a mechanism created to generate lawsuits, not to protect internet users.

    The waste of resources that goes into ineffectual cookie banners is absolutely staggering. It is especially so when you consider the fact that the top browsers already implement a much better and more secure approach that is not dependent on the website owner’s true compliance or understanding or their sometimes-misleading intentions.

    By working with Google, the #1 baker of cookies worldwide, they would go much further in their quest for data privacy.

    Which makes us want to ask: Why don’t the laws simply make it very hard for browser developers to track users and thereby protect privacy?

    The short answer is that they can’t.

    If they did, they’d need to fend off the furor of the software developers themselves, the advertising industry, and all those that rely on advertising to run their business. In addition, they would see that as an intrusion by government into their software and how they conduct business.

    So, lawmakers do what all bad lawmakers do: Instead of addressing the issue at the minute level, which can cost them their jobs, they impose generic laws on the public that will be hard to regulate due to their lack of clarity and direction, leaving the door open for litigation in all sorts of ways.

    But Who are “They”?

    So far, I’ve been referring to the lawmakers in the European Union and in countries around the globe that are producing incomprehensible laws that few understand and even fewer follow. But who are “they”? And how did they get into a position to decide that every website in the world needs to have a banner stating some cryptic message like this one:

    [Image: website cookies message]

    Who or what team of people have decided that, by having this message, the website owner is now safe from prosecution and that the visitor is shielded from tracking? What are “essential cookies”? What does it mean to have a “better browsing experience”? Why would “essential cookies” provide more or less privacy?

    Nobody knows, including the people that have made that banner.

    The hierarchy of these regulatory bodies is masked within layers of privacy that keep the lawmakers from being contacted and addressed. Now, that is true privacy!

    And finally, what is the point of having all of the above, the endless hours of integration, the cost to taxpayers for the “lawmakers” and the cost to implement these usability horrors, not to mention the added waste of internet bandwidth?

    What is the point when you take a look at the hundreds and thousands of ways that internet users have put tools in place to circumvent it because they are truly annoyed by the proliferation of these pop-up legal notices?

    [Image: get rid of cookie banners. Source: silktide.com]

    Here are just some of the ways you can avoid them:

    I mean, even Google supports this by supporting hundreds of EU cookie blockers.

    [Image: cookie consent blockers in Google Chrome. Source: Google Chrome Web Store]

    But maybe the election of government officials that can regulate the internet is an entirely separate topic, and cookie notices are just small issues and mere distractions and annoyances. There are other issues that are more serious, such as the Dilemma of the Data Protection Officer…

    The Data Protection Officer Dilemma

    As part of our regular annual data security and privacy audit, ClicData was recently asked why our Data Protection Officer (DPO) is our CEO. We were told that the two positions have “conflicting” interests, so they should be filled by two different people within the organization or, even better, with one person external to the company. It’s a valid question since many GDPR-expert companies recommend that the two positions be held by two individuals, some out of self-interest, others because they feel that is the correct way to handle data privacy.

    In fact, some countries regulate that the DPO must be external to the company to support impartiality. However, this, of course, triggers an additional effort related to bringing someone into the company from outside and giving them access to private data for which a simple NDA will not suffice.

    In case you are new to compliance with standards such as ISO 27001 and System and Organization Controls (SOC) as well as GDPR and comparable regulations, it’s important to know that the addition of a supplier or vendor also warrants the auditing of vendor practices. See where this is headed? Since the vendors need to be audited for privacy, they’ll have to have their own DPO, which must be an external one, which in turn must also have a DPO, which is also an external one, and so forth and so on, creating a chain of DPOs across the world that eventually will loop back.

    It is neither logical nor sustainable.

    Of course, you could go with an internal employee, one that would have to have access to sensitive data across all departments, including their own. An employee might have a stake in the company, but if a work-related or personal issue were to arise, they could potentially put an entire company at risk. If they quit the company, the company could easily be in a compromised position.

    So why can’t the DPO be the CEO?

    Who else has more to lose and more to gain from getting everyone—from employees to vendors—to adhere to strict privacy regulations? Who is ultimately responsible for the privacy of their customers, employees, and affiliations? Who is ultimately taken to court if those same regulations are not followed?

    The CEO.

    Now, if a CEO wants to place someone else in that position, they should have the right to. On the other hand, if they want to hold that position themselves, it should be entirely within their rights to do so as well since it is their fate and that of their company that are at risk—not the selected DPO employee. And in the end, the person going to jail or being sued is not the employee of the company, so why would the CEO put the fate of their safety in the hands of someone else working under them?

    If cookies were not enough to drive you mad, the DPO Dilemma will at least make it harder to run your startup.

    Data Privacy by Design

    In the software development world, the “Secure by Design” practice helps ensure that all software is designed from the ground up with the right security foundations, processes, and tools.

    Data privacy should be no different.

    Advertising has its place on the internet, on retail websites and videos, for example. We need to expect it. Not expecting advertising would be like walking into a store and not being addressed by a salesperson, not seeing the shelf signs promoting products, or not allowing the store owner to announce discounts.

    If a person wants privacy, it must be done at the person level, not at the website level, imposing itself on everyone. The mechanisms by which we surf—the browsers and apps we use to access potential sites that might or might not track us—need to be that front line of detection, assessment, and, of course, permission.

    This would allow for a much better web experience, where, as a person, you might want to be tracked on your favorite retail store but not on others.

    Data privacy needs to be implemented by those tracking the data, such as Facebook, Google, and others. Even if you allow your data to be shared with Department A (Customer Support), that is not meant in any way to constitute permission for Department B (Sales) to use it. And there is no cookie banner that will tell you exactly where that data ends up.

    In fact, cookie warnings are giving malicious companies the green light to use that data internally in any way they see fit, as long as the user clicked on a button.

    So, the regulators need to do a little more legwork. They need to try to reach an agreement with some real heavyweights as opposed to just throwing a cookie banner regulation over the wall and asking the world to comply with it.

    Summary

    Data privacy is a highly charged subject, but ultimately, the “right to be forgotten” must be available to all.

    There are no regulations that are effective in supporting this right to date. We are at the mercy of companies’ intentions to ensure that our data is important and that it remains confidential. It should not be sold and bartered like a company asset, and it should not be misused by the very same company you entrusted with your email, phone, and name.

    Companies need to be audited. Privacy (and safety) by design must be added to every available tool to surf the internet. Cookie banner laws and similar laws and regulations serve little use; in fact, they are detrimental as they delay taking real, effective actions to protect the privacy of internet users. They also give website owners the power to use collected data due to permission given by users who did not bother to read the details and are essentially unaware of how their data is being used. With these laws, those website owners have a legal standing to defend themselves in court against breaching privacy laws.

    And that is how the cookie crumbles.