And the first one I contacted replied today to tell me it's fixed now 😁 They ended up removing Google Analytics altogether.
You should try this too! 😄
Basically what I write is:
1. You're not complying with GDPR by not letting your user opt out of analytics (you need consent first!)
2. Will you please consider fixing this?
3. Fixing this should also be in your interest, since *anyone* can send a complaint to your DPA.
Maybe next time I'll add a note about cookieless alternatives, such as Plausible :)
@sigsegv but they never would have done it without you saying
so a well done is still needed. it is inspiring
you could even do a boilerplate email so others could copy & paste. but that's just an idea
@lewlepton thanks, glad to hear that! 😁
And yes, that's a good idea!
I will try to write down something this weekend 🙂
@sigsegv these websites annoy me so much. It's great you had such an immediate & positive response. I'm going to try this now.
I gather this wouldn't work with non-European websites/companies?
@zatnosk @GwenfarsGarden Yes, but I guess it's slightly more complicated? In EU you can report GDPR violations to a local DPA, but for US companies you might have to go directly to EU? (if so, smaller US companies don't risk as much when violating GDPR).
But I'm not an expert, so please let me know if I misunderstood something here 😅
I'm not fully on top of all the conditions for when this triggers, but non-EU companies don't get to do anything less than EU companies are required to do.
@GwenfarsGarden Wrong! It applies to any company that does business with EU customers, according to europa.eu “These rules apply to both companies and organisations (public and private) in the EU and those based outside the EU who offer goods or services in the EU”.
You can read more here: https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_en.htm
@vortex_cynbel wait, so does it apply to private people or not? I mean, not that I'd add google analytics to my website, or any unnecessary js, for that matter, but I'm curious.
@vortex_cynbel Wow, well bless you for trying so hard!
I guess if they don't listen then the only alternatives are to give up or to report them 😓
But Freedom 24 is American, right? To be honest, I'm not sure what's the best way to report a non-EU company, but since they have a department in Germany you might be able to contact a German DPA (Data Protection Authority)? It seems like there are several in Germany though: https://www.dlapiperdataprotection.com/index.html?t=authority&c=DE
@sigsegv I will try that, thanks! I might also try contacting the Greek DPA, since that’s where I’m from and Freedom24 seem to have a Greek department. Never done this before and it feels like a total nightmare to deal with it on your own. #GDPR was supposed to simplify things for real people that use the internet but some terms are so ambiguous that even lawyers aren’t sure how to interpret… I think it’s time for a #GDPR 2.0 or something.
@vortex_cynbel Good luck with that! :D
And hopefully it will get better with the new ePrivacy regulation in a few years! It will have more clear rules for cookie consent etc.
The current rules are interpreted in so many creative ways in different countries. In Norway, you apparently don't really need to ask the user for consent 🙄
@sigsegv Yes, I’ve seen your other toot about this. I don’t get it though. According to the official website (https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_en.htm) under “What about cookies?” it says that you must ask for consent. There are a few exceptions, like strictly necessary or transmission cookies, but that does not apply for the rest. Any official sources about Norway being the exception?
@vortex_cynbel Yes, I think it's partly because of their very creative interpretation of the word "consent". Also, I suspect that maybe that website you linked might have been updated after an EU court in 2019 concluded that a *proper* consent is needed, while Norway's authorities (NKOM) are still in the process of considering if their rules need to be adjusted 🙄
@vortex_cynbel Here's the info from our own NKOM btw: https://www.nkom.no/internett/informasjonskapsler-cookies (in Norwegian)
They state that a browser setting for accepting cookies (which is usually ON by default in most browsers) is considered as a "consent", and they only require the website to have information about how cookies are used available somewhere.
So many websites choose to interpret this as: The user need not be informed nor given a choice about cookies. They automatically accept it by using the website.
@vortex_cynbel Oh, and here's a horror example from our own PUBLIC news provider, funded by our tax money: https://www.nrk.no/retningslinjer/informasjonskapsler-_cookies_-1.11109868
translated: "By using our services you consent to us installing cookies in your browsers".
Dear NRK, don't tell me what I consent to please 😠
@sigsegv Wow… I’m lost for words… But to be fair, most modern browsers block 3rd party cookies by default. Wouldn’t that be enough to stop tracking?
@vortex_cynbel I think that's mostly for cross-site cookies? I don't think other unnecessary cookies like the ones used by Google Analytics are blocked by default in most browsers.
@sigsegv Welp, on Safari, 3rd party cookies are blocked by default. It actually shows you exactly the domains it has blocked. I can see that Google analytics and many more are blocked. BUT there are many people who don’t block 3rd party cookies.
@vortex_cynbel Aha, that's nice! 😄
I just checked with Google Chrome (which I obviously don't use haha) and they don't block 3rd party cookies by default. Otherwise, I guess Google Analytics would have been dead long ago 😅
@sigsegv Yesterday's experience: an IT systems house with a WIX site 🙈 deleted the feedback e-mail about their website unread. 😤
Yeah, help would be very appreciated. We started translations already, but main work wouldn't be the language translation.
We rely heavily on the more powerful e-Privacy-Regulation, which is transformed into local laws unlike #GDPR. So main work wouldn't be the language translation but a one time transfer of the legal core argumentation to the other European countries and test them out with the local authorities and their workflows/needs.