….says the intrusive ‘cookie consent’ popup which requires me to navigate through various pages, puzzle out the jargonerics and fiddle with settings before I can access the content I actually want to read on the site.
Here’s the thing. If your website is infested with trackers, if you are passing my data on to third parties for profiling and analytics, if your privacy info gets a full Bad Privacy Notice Bingo scorecard, then you DON’T take my privacy seriously at all. You have deliberately chosen to place your commercial interests and convenience over my fundamental rights and freedoms, then place the cognitive and temporal burden on me to protect myself. That’s the opposite of taking privacy very seriously, and the fact that you’re willing to lie about that/don’t understand that is a Big Red Flag for someone like me.
If you really took my privacy very seriously, you would use an analytics tool that doesn’t feed a huge surveillance behemoth – for example, Matomo instead of Google Analytics or Quantcast. Or just focus on producing high-quality, navigable content that makes me want to interact with you more without any of that stalkertech.
Your approach to consent would be discreet and respectful, allowing me to enable specific functionalities as and when they are needed, rather than demanding my attention immediately and trying to grab consent for everything straight away. Consent has to be obtained before cookies/trackers are placed/read, yes – but that doesn’t mean you should try and set as many of these as possible as soon as I land on your page.
There are several ‘consent management’ solutions popping up (literally) all over the place, interrupting people’s reading, rendering badly on mobile, requiring lowering of privacy protections to interact with, some even operating in a way which is contrary to law in the first place (I’m looking at YOU, website operators who remove the ‘Reject All’ button from the Quantcast dialogue). Everyone moans about cookie banners and consent dialogues, regarding them as an unwanted intrusion and a pain in the butt. They are both. But here’s the thing – the problem isn’t that site operators are required to inform you about tracking/profiling/mucking about with data on your device, the problem is that this is done at all – on such a large scale by so many and without accountability. Behavioural advertising, demographically-targeted marketing, personal profiling – all these are by nature, inimical to fairness, individual rights and freedoms. There’s a huge industry beavering away in the shadows trying to quantify and categorise and manipulate us for profit; and an even vaster network of ‘useful idiots’ capturing and feeding them the data they grow fat upon. Your data. My data. Your website? Your app?
Now, I accept that this is how much of the world works these days, even though I really don’t like it. I continue to campaign for change by supporting organisations such as the Electronic Frontier Foundation, Privacy International, NOYB, Liberty and the Open Rights Group, by giving professional advice based on ethics as well as risk and technicality (and making it clear which are which) and by doing as much work on educating the general public as I can spare time and energy for. I understand market[ing] forces. What I can’t bear is the slimy, self-justifying PR bullshit that’s spread like rancid butter over the surface of ‘compliance’.
Like saying “we take your privacy very seriously” while actively supporting an ecosystem which is privacy-hostile at best and privacy-abusive at worst. Like saying “we take your privacy very seriously” and then using meaningless copypasta template privacy info which bears no relation to the processing at hand. Like saying “we take your privacy very seriously” and not even bothering to take elementary precautions to limit or protect the personal data being snorted up at every turn.
One lesson I learned from my infosec days is one of distrust – the most likely time for you to hear or read “we take the security of your data very seriously” is in panicked press releases after an avoidable breach of that very data has occurred. Anecdotal, of course, but I see a very strong inverse correlation between loud blustering about how seriously security/privacy is taken, and how rigorously this is actually implemented. Its become a bit of a shortcut to analysis – anyone who feels they have to squawk about it probably shouldn’t be trusted to be actually doing it.
When you don’t “take privacy very seriously”, no amount of gaslighting PR camouflage is going to be a convincing substitute. So maybe just stop saying it eh? No-one believes you anyway.
It’d be so refreshing to see a statement like “There is often a compromise to be made between individual privacy and commercial advantage. We do it like this because it is more [cost]-effective for us to achieve our business objectives, even though it may have an impact on you. Here is all the stuff that the law says we have to tell you:…”. A while back, a bunch of privacy nerds were having fun with the #HonestPrivacyInfo hastag on Twitter – while amusing; this is also worth a read because many of the examples are actually much more transparent and accurate than anything you’ll read in a company’s official ‘privacy policy’.
Just be warned….if you’re going to claim you take my privacy seriously, then I will require you to demonstrate that. And I will make a fuss if you don’t.