Ok so yesterday I decided to start sending e-mails to every website I visit that doesn't comply with when using etc. (things like: "by using this website you agree to...")

And the first one I contacted replied today to tell me it's fixed now 😁 They ended up removing Google Analytics altogether.

You should try this too! 😄

Basically what I write is:

1. You're not complying with GDPR by not letting your user opt out of analytics (you need consent first!)
2. Will you please consider fixing this?
3. Fixing this should also be in your interest, since *anyone* can send a complaint to your DPA.

Maybe next time I'll add a note about cookieless alternatives, such as Plausible :)

@sigsegv I wonder how many sites have Google analytics but don't look at the data anymore.

@LovesTha @sigsegv I don't care if anyone is looking at analytics from own site. I care if Google is looking at my activity without my consent but with help of zillions of websites using GA "for free" (I pay with my privacy).

@miklo @LovesTha Yes, the most disappointing is to see that so many public institutions take part in this.. Such as Norway's public broadcaster.

@sigsegv but they never would have done it without you saying

so a well done is still needed. it is inspiring

you could even do a boilerplate email so others could copy & paste. but that's just an idea

🖤

@lewlepton thanks, glad to hear that! 😁
And yes, that's a good idea!
I will try to write down something this weekend 🙂

@sigsegv these websites annoy me so much. It's great you had such an immediate & positive response. I'm going to try this now.

I gather this wouldn't work with non-European websites/companies?

@GwenfarsGarden @sigsegv non-European websites are still subject to GDPR as long as European citizens can access them. Which is why Google and Facebook aren't allowed to throw tracking cookies all over the place without explicit consent from every single person they're tracking.

@zatnosk @GwenfarsGarden Yes, but I guess it's slightly more complicated? In EU you can report GDPR violations to a local DPA, but for US companies you might have to go directly to EU? (if so, smaller US companies don't risk as much when violating GDPR).

But I'm not an expert, so please let me know if I misunderstood something here 😅

@sigsegv @GwenfarsGarden non-EU companies are required to have an appointed representative in EU, so the authorities can go through that representative.

gdpr.eu/article-27-representat

I'm not fully on top of all the conditions for when this triggers, but non-EU companies don't get to do anything less than EU companies are required to do.

@GwenfarsGarden Wrong! It applies to any company that does business with EU customers, according to europa.eu “These rules apply to both companies and organisations (public and private) in the EU and those based outside the EU who offer goods or services in the EU”.
You can read more here: europa.eu/youreurope/citizens/

@vortex_cynbel wait, so does it apply to private people or not? I mean, not that I'd add google analytics to my website, or any unnecessary js, for that matter, but I'm curious.

@Riedler I am not sure. All I know is consent is needed when collecting personal data from EU citizens. I am not sure if this applies for #bigtech companies only or not. If you have a website and collect data I would suggest seeking legal advice on that matter.

@sigsegv congrats on making the world a better place, thank you :blobcat:

@weltsnake@mastodon.technolog Thanks, I'm glad people are willing to listen :D

@sigsegv Congratulations! I wish I had the same luck as you. I tried doing that to Freedom 24. Apparently if you don’t accept the use of cookies, you can’t use their website, which according to #GDPR should not be the case. I sent 3 emails to their support but never heard back. I contacted their live chat agent multiple times over the span of a month. Again to no avail. How do you think I should proceed?

@vortex_cynbel Wow, well bless you for trying so hard!
I guess if they don't listen then the only alternatives are to give up or to report them 😓
But Freedom 24 is American, right? To be honest, I'm not sure what's the best way to report a non-EU company, but since they have a department in Germany you might be able to contact a German DPA (Data Protection Authority)? It seems like there are several in Germany though: dlapiperdataprotection.com/ind

@sigsegv I will try that, thanks! I might also try contacting the Greek DPA, since that’s where I’m from and Freedom24 seem to have a Greek department. Never done this before and it feels like a total nightmare to deal with it on your own. #GDPR was supposed to simplify things for real people that use the internet but some terms are so ambiguous that even lawyers aren’t sure how to interpret… I think it’s time for a #GDPR 2.0 or something.

@vortex_cynbel Good luck with that! :D
And hopefully it will get better with the new ePrivacy regulation in a few years! It will have more clear rules for cookie consent etc.

The current rules are interpreted in so many creative ways in different countries. In Norway, you apparently don't really need to ask the user for consent 🙄

@sigsegv Yes, I’ve seen your other toot about this. I don’t get it though. According to the official website (europa.eu/youreurope/citizens/) under “What about cookies?” it says that you must ask for consent. There are a few exceptions, like strictly necessary or transmission cookies, but that does not apply for the rest. Any official sources about Norway being the exception?

@vortex_cynbel Yes, I think it's partly because of their very creative interpretation of the word "consent". Also, I suspect that maybe that website you linked might have been updated after an EU court in 2019 concluded that a *proper* consent is needed, while Norway's authorities (NKOM) is still in the process of considering if their rules need to be adjusted 🙄

@vortex_cynbel Here's the info from our own NKOM btw: nkom.no/internett/informasjons (in Norwegian)

They state that a browser setting for accepting cookies (which is usually ON by default in most browsers) is considered as a "consent", and they only require the website to have information about how cookies are used available somewhere.

So many websites choose to interpret this as: The user need not be informed nor given a choice about cookies. They automatically accept it by using the website.

@vortex_cynbel Oh, and here's a horror example from our own PUBLIC news provider, founded by our tax money: nrk.no/retningslinjer/informas

translated: "By using our services you consent to us installing cookies in your browsers".
Dear NRK, don't tell me what I consent to please 😠

@sigsegv Wow… I’m lost for words… But to be fair, most modern browsers block 3rd party cookies by default. Wouldn’t that be enough to stop tracking?

@vortex_cynbel I think that's mostly for cross-site cookies? I don't think other unnecessary cookies like the ones used by Google Analytics are blocked by default in most browsers.

@sigsegv Welp, on Safari, 3rd party cookies are blocked by default. It actually shows you exactly the domains it has blocked. I can see that Google analytics and many more are blocked. BUT there are many people who don’t block 3rd party cookies.

@vortex_cynbel Aha, that's nice! 😄
I just checked with Google Chrome (which I obviously don't use haha) and they don't block 3rd party cookies by default. Otherwise, I guess Google Analytics would have been dead long ago 😅

@sigsegv Experience from yesterday: an IT systems house with a WIX site 🙈 deleted the feedback e-mail about its website unread. 😤

@sigsegv There is @tracktor however it is currently only available in German, but if some of your German speaking friends need a comply generator or maybe can help translating it (Idk if there is a translation project yet) here might be the place for them.
codeberg.org/rufposten/trackto

@Lamdarer @sigsegv

Yeah, help would be very appreciated. We started translations already, but main work wouldn't be the language translation.

We rely heavily on the more powerful e-Privacy-Regulation, which is transformed into local laws unlike #GDPR. So main work wouldn't be the language translation but a one time transfer of the legal core argumentation to the other European countries and test them out with the local authorities and their workflows/needs.

@Lamdarer @tracktor Thanks for the suggestion! I didn't know about these.
Oh, and they are on codeberg! That's great :D

@sigsegv Have you tried @tracktor for it? Pretty handy tool for those mails. #träcktor
